From 010a01ba597eeae87d34617da453664d84e696b1 Mon Sep 17 00:00:00 2001
From: Ryan Lee <ryan....@canonical.com>
Date: Fri, 23 Aug 2024 10:14:02 -0700
Subject: [PATCH] apparmor: properly handle cx/px lookup failure for complain
mode profiles

When a cx/px lookup fails, apparmor would deny execution of the binary
even in complain mode (where it would audit as allowing execution while
actually denying it). Instead, in complain mode, create a new learning
profile, just as would have been done if the cx/px line wasn't there.

Signed-off-by: Ryan Lee <ryan....@canonical.com>
---
 security/apparmor/domain.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index dd457eaedab8..9914a2b130de 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -686,12 +686,17 @@ static struct aa_label *profile_transition(const struct cred *subj_cred,
 			/* hack ix fallback - improve how this is detected */
 			goto audit;
 		} else if (!new) {
-			error = -EACCES;
 			info = "profile transition not found";
-			/* remove MAY_EXEC to audit as failure */
+			/* remove MAY_EXEC to audit as failure or complaint */
 			perms.allow &= ~MAY_EXEC;
+			if (COMPLAIN_MODE(profile)) {
+				/* create null profile instead of failing */
+				goto create_learning_profile;
+			}
+			error = -EACCES;
 		}
 	} else if (COMPLAIN_MODE(profile)) {
+create_learning_profile:
 		/* no exec permission - learning mode */
 		struct aa_profile *new_profile = NULL;
 
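Review bot: the new `create_learning_profile:` label lands directly before the declaration `struct aa_profile *new_profile = NULL;`, and a label followed by a declaration rather than a statement is not valid C before C23, so older GCC versions still within the kernel's supported range will reject this with "a label can only be part of a statement and a declaration is not a statement". Either move the declaration above the label or give the label a real statement to attach to (e.g. place it in front of the first statement of that block, or follow it with an empty `;`). While here, a short comment at the label noting that it is reached both from the `else if (COMPLAIN_MODE(profile))` test and from the `!new` branch above (which has already cleared `MAY_EXEC` from `perms.allow`) would help the next reader see why the audit result differs between the two paths.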
-- 
2.43.0
