[apparmor] [PATCH] apparmor: audit mqueue-via-path access as getattr instead of unlink
Ryan Lee
ryan.lee at canonical.com
Thu Nov 28 21:58:38 UTC 2024
Running `ls /dev/mqueue` under a profile that does not include mqueue
rules would produce apparmor logs like
apparmor="DENIED" operation="unlink" class="posix_mqueue"
profile="mqueue_testing" name="/" pid=4791 comm="ls"
requested="getattr" denied="getattr"
that audit the denial as an unlink instead of as a getattr.
Not only was apparmor_inode_getattr passing in a hardcoded OP_UNLINK
to the common_mqueue_path_perm helper, but the helper was also discarding
the op argument and auditing as a hardcoded OP_UNLINK. This patch fixes
both of these issues.
Signed-off-by: Ryan Lee <ryan.lee at canonical.com>
---
security/apparmor/lsm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 245207b005e7..c6a06d504b1e 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -470,7 +470,7 @@ static int common_mqueue_path_perm(const char *op, u32 request,
label = begin_current_label_crit_section();
if (!unconfined(label))
- error = aa_mqueue_perm(OP_UNLINK, current_cred(), label, path,
+ error = aa_mqueue_perm(op, current_cred(), label, path,
request);
end_current_label_crit_section(label);
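Review bot: with `op` now forwarded to aa_mqueue_perm(), every caller of common_mqueue_path_perm() determines the audited operation, so each call site should be checked for a correct op value; the hunk below fixes apparmor_inode_getattr(), but the helper previously hid wrong arguments by ignoring them, so any other callers outside this diff deserve the same look. A short comment on the helper noting that `op` is what ends up in the audit record would help prevent a repeat.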
@@ -482,7 +482,7 @@ static int apparmor_inode_getattr(const struct path *path)
{
if (is_mqueue_dentry(path->dentry))
/* TODO: fn() for d_parent */
- return common_mqueue_path_perm(OP_UNLINK, AA_MAY_GETATTR, path);
+ return common_mqueue_path_perm(OP_GETATTR, AA_MAY_GETATTR, path);
return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR);
}
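Review bot: the mqueue branch now audits with the same OP_GETATTR as the `common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR)` fallthrough, which is consistent, but the `/* TODO: fn() for d_parent */` comment stays unresolved and is worth a mention in the description so it is not taken as addressed here. Since this changes the `operation=` field of an existing denial record (from "unlink" to "getattr" for `class="posix_mqueue"`), please confirm that the userspace log parsing path accepts that combination, so that a denial which previously parsed does not start being rejected.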
--
2.43.0