Hello, On Tuesday, 4 March 2025, 21:55 Ryan Lee wrote: > Inheritance of fd's triggers the lookup logic, and O_PATH fd's are > checked with an empty request set. If the O_PATH fd corresponds to a > disconnected path for an application with a profile in complain mode, > we have an error without a request bit set in aa_audit_file. Until we > can handle O_PATH fd inheritance better, the best we can do for now > is disable the AA_BUG line. > > Signed-off-by: Ryan Lee <ryan....@canonical.com> > --- > security/apparmor/file.c | 13 ++++++++++++- > 1 file changed, 12 insertions(+), 1 deletion(-) > > diff --git a/security/apparmor/file.c b/security/apparmor/file.c > index c430e031db31..3267a597526e 100644 > --- a/security/apparmor/file.c > +++ b/security/apparmor/file.c > @@ -271,7 +271,18 @@ int aa_audit_file(const struct cred *subj_cred, > } else { > /* only report permissions that were denied */ > ad.request = ad.request & ~perms->allow; > - AA_BUG(!ad.request); > + > + /* > + * Inheritance of fd's across execution boundaries causes the > + * path name lookup logic to be triggered for all the fd's. > + * This includes O_PATH fd's for which the original requested > + * set is empty. An O_PATH fd with a disconnected path results > + * in a lookup error, which in complain mode, means we reach > + * this branch with an empty request. Until we have a better > + * way to detect and handle this case, we have to disable this > + * AA_BUG line. > + */ > + // AA_BUG(!ad.request);
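Review bot: replacing `AA_BUG(!ad.request);` with the commented-out `// AA_BUG(!ad.request);` removes the sanity check for every profile mode, while the comment added just above it states that the empty request is only reached in complain mode (lookup error on an inherited O_PATH fd). A narrower change keeps the assertion where the commit message does not exclude it, e.g. `if (!COMPLAIN_MODE(profile))` followed by `AA_BUG(!ad.request);` (COMPLAIN_MODE() is the existing profile-mode helper in security/apparmor/include/policy.h), which also documents in code why the check is skipped. Commented-out code is not normally left in the tree, so either delete the line or keep it behind that condition; and the file's existing comments in this hunk use the `/* */` form, so the `//` line is inconsistent with its surroundings either way.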
Assuming I got your description right, this AA_BUG will only "explode" in complain mode. Would it be possible to do something like (pseudocode)

    if !complain_mode
        AA_BUG(!ad.request);

so that AA_BUG only gets skipped for complain mode profiles, instead of completely commenting it out?

Regards,

Christian Boltz
-- 
What you need is a list of all unknown bugs. ;-)
[James Knott in opensuse-factory]