[apparmor] [PATCH] apparmor: audit mqueue-via-path access as getattr instead of unlink

Ryan Lee ryan.lee at canonical.com
Thu Nov 28 21:58:38 UTC 2024


Running `ls /dev/mqueue` under a profile that does not include mqueue
rules would produce apparmor logs like

apparmor="DENIED" operation="unlink" class="posix_mqueue"
profile="mqueue_testing" name="/" pid=4791 comm="ls"
requested="getattr" denied="getattr"

that audit the denial as an unlink instead of as a getattr.

Not only was apparmor_inode_getattr passing in a hardcoded OP_UNLINK
to the common_mqueue_path_perm helper, but the helper was also discarding
the op argument and auditing as a hardcoded OP_UNLINK. This patch fixes
both of these issues.

Signed-off-by: Ryan Lee <ryan.lee at canonical.com>
---
 security/apparmor/lsm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 245207b005e7..c6a06d504b1e 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -470,7 +470,7 @@ static int common_mqueue_path_perm(const char *op, u32 request,
 
 	label = begin_current_label_crit_section();
 	if (!unconfined(label))
-		error = aa_mqueue_perm(OP_UNLINK, current_cred(), label, path,
+		error = aa_mqueue_perm(op, current_cred(), label, path,
 				       request);
 
 	end_current_label_crit_section(label);
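Review bot: honouring the `op` parameter here is the right fix, but it also changes the behaviour of every other caller of common_mqueue_path_perm, since until now whatever they passed was overridden by the hardcoded OP_UNLINK. The call sites outside this diff should be checked to confirm each one already passes the operation it actually mediates; any caller that relied on the old behaviour would now audit under a different operation name.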
@@ -482,7 +482,7 @@ static int apparmor_inode_getattr(const struct path *path)
 {
 	if (is_mqueue_dentry(path->dentry))
 		/* TODO: fn() for d_parent */
-		return common_mqueue_path_perm(OP_UNLINK, AA_MAY_GETATTR, path);
+		return common_mqueue_path_perm(OP_GETATTR, AA_MAY_GETATTR, path);
 
 	return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR);
 }
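Review bot: with OP_GETATTR passed in, the audit line for the `ls /dev/mqueue` case will read operation="getattr", matching the requested="getattr"/denied="getattr" fields quoted in the commit message, so the change is consistent. Since this corrects a user-visible audit record and is a clear bug fix, consider adding a Fixes: tag referencing the commit that introduced mqueue path mediation so it is picked up for stable. The `/* TODO: fn() for d_parent */` comment is left untouched, which is fine for a targeted fix, but it would be worth noting in the commit message that it is intentionally out of scope.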
-- 
2.43.0