Inheritance of fd's triggers the lookup logic, and O_PATH fd's are checked
with an empty request set. If the O_PATH fd corresponds to a disconnected
path for an application with a profile in complain mode, we have an error
without a request bit set in aa_audit_file. Until we can handle O_PATH fd
inheritance better, the best we can do for now is disable the AA_BUG line.

Signed-off-by: Ryan Lee <ryan....@canonical.com>
---
 security/apparmor/file.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/security/apparmor/file.c b/security/apparmor/file.c
index c430e031db31..3267a597526e 100644
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -271,7 +271,18 @@ int aa_audit_file(const struct cred *subj_cred,
        } else {
                /* only report permissions that were denied */
                ad.request = ad.request & ~perms->allow;
-               AA_BUG(!ad.request);
+
+               /*
+                * Inheritance of fd's across execution boundaries causes the
+                * path name lookup logic to be triggered for all the fd's.
+                * This includes O_PATH fd's for which the original requested
+                * set is empty. An O_PATH fd with a disconnected path results
+                * in a lookup error, which in complain mode, means we reach
+                * this branch with an empty request. Until we have a better
+                * way to detect and handle this case, we have to disable this
+                * AA_BUG line.
+                */
+               // AA_BUG(!ad.request);
 
                if (ad.request & perms->kill)
                        type = AUDIT_APPARMOR_KILL;
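Review bot: The replacement line `// AA_BUG(!ad.request);` leaves a commented-out statement in the tree, and it uses a C99 `//` comment, which kernel coding style does not allow; since the new block comment already records why the check was dropped, delete the line outright rather than keeping it as dead code. Beyond the style point, disabling the assertion silently accepts the empty-request case instead of handling it: consider an explicit early exit when `ad.request` is zero after `ad.request = ad.request & ~perms->allow;` (the following `if (ad.request & perms->kill)` branch only inspects bits of `ad.request`), and say in the block comment whether an O_PATH fd with a disconnected path is expected to produce an audit record at all, so a reviewer can tell whether "nothing denied" should be audited or skipped.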
-- 
2.43.0