profile_path_perm does the path lookup for file operations. If in complain mode, don't return early upon path lookup failure, but instead proceed to file path mediation. Because of the sentinel character replacement, the mediation will fail, and the subsequent audit mechanisms will allow the operation to proceed while generating a complain-mode audit log.
Signed-off-by: Ryan Lee <ryan....@canonical.com> --- security/apparmor/file.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/apparmor/file.c b/security/apparmor/file.c index 5e0cadb75651..c430e031db31 100644 --- a/security/apparmor/file.c +++ b/security/apparmor/file.c @@ -403,7 +403,7 @@ static int profile_path_perm(const char *op, const struct cred *subj_cred, error = path_name(op, subj_cred, &profile->label, path, flags | profile->path_flags, buffer, &name, cond, request); - if (error) + if (error && !COMPLAIN_MODE(profile)) return error; error = __aa_path_perm(op, subj_cred, profile, name, request, cond, flags, perms, prompt); -- 2.43.0
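Review bot: In profile_path_perm, with the check changed to `if (error && !COMPLAIN_MODE(profile))`, a complain-mode profile now reaches `__aa_path_perm(op, subj_cred, profile, name, ...)` even when path_name() has failed. The change is therefore only safe if path_name() always leaves `name` pointing at a valid string on its error paths. That guarantee (the sentinel replacement the commit message refers to) is not visible in this hunk. A short comment above the check stating it, or an explicit guard for an unset `name`, would keep a later change to path_name() from passing an uninitialized or NULL pointer into the mediation path. The path_name() error code is also overwritten by the `__aa_path_perm` result, so the original lookup failure no longer reaches the caller in complain mode; if that is intended, the comment should say so.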