[SRU][N][PATCH 2/2] UBUNTU: SAUCE: apparmor4.0.0 [95/99]: apparmor: properly handle cx/px lookup failure for complain mode profiles
Ryan Lee
ryan.lee at canonical.com
Fri Nov 1 08:58:42 UTC 2024
BugLink: https://bugs.launchpad.net/bugs/2086210
When a cx/px lookup fails, apparmor would deny execution of the binary
even in complain mode (where it would audit as allowing execution while
actually denying it). Instead, in complain mode, create a new learning
profile, just as would have been done if the cx/px line wasn't there.
Signed-off-by: Ryan Lee <ryan.lee at canonical.com>
Signed-off-by: John Johansen <john.johansen at canonical.com>
Signed-off-by: Timo Aaltonen <timo.aaltonen at canonical.com>
(cherry picked from commit 62bd5d5f21495c300939475bc491af545755bf10)
Signed-off-by: Ryan Lee <ryan.lee at canonical.com>
---
security/apparmor/domain.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index dd457eaedab8..b2937dce4b8f 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -686,12 +686,17 @@ static struct aa_label *profile_transition(const struct cred *subj_cred,
/* hack ix fallback - improve how this is detected */
goto audit;
} else if (!new) {
- error = -EACCES;
info = "profile transition not found";
- /* remove MAY_EXEC to audit as failure */
+ /* remove MAY_EXEC to audit as failure or complaint */
perms.allow &= ~MAY_EXEC;
+ if (COMPLAIN_MODE(profile)) {
+ /* create null profile instead of failing */
+ goto create_learning_profile;
+ }
+ error = -EACCES;
}
} else if (COMPLAIN_MODE(profile)) {
+create_learning_profile:
/* no exec permission - learning mode */
struct aa_profile *new_profile = NULL;
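Review bot: the new `create_learning_profile:` label is placed immediately before a declaration (`struct aa_profile *new_profile = NULL;`, with only a comment in between), and C compilers older than C23 reject a label that is not followed by a statement ("a label can only be part of a statement and a declaration is not a statement"); adding an empty statement after the label, or moving the declaration above the label, avoids depending on the toolchain accepting that extension. The `goto` also jumps out of the `!new` branch into the body of a sibling `else if (COMPLAIN_MODE(profile))` branch, which makes the control flow hard to follow in review; pulling the learning-profile creation into a small helper called from both places would let each branch read linearly. Worth stating in a comment that `error` is intentionally left unset on the complain-mode path (the `error = -EACCES;` assignment now sits after the `goto`) and that `perms.allow &= ~MAY_EXEC;` has already run, so the audit record still shows the exec permission removed even though the transition proceeds.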
--
2.43.0