AppArmor was previously blocking operations with disconnected paths, even
when the profile was loaded in complain mode. Instead, this patchset audits
the disconnected path as being prefixed with a '#' sentinel, and updates
the other code doing path lookups to continue with mediation with complain
mode profiles.

Similar checks will be needed for disconnection in the IPC case, once that
code is ready.

v1 -> v2:
 - "apparmor: create new learning profile in complain mode upon disconnect
    exec": fix grammar nit identified by Christian Boltz
 - "apparmor: disable aa_audit_file AA_BUG(!ad.request) due to fd
    inheritance": only skip the AA_BUG line in complain mode

Ryan Lee (5):
  apparmor: pass complain-mode information to aa_path_name path lookup
  apparmor: don't return early in profile_path_perm for disconnected
    paths in complain mode
  apparmor: create new learning profile in complain mode upon disconnect
    exec
  apparmor: don't bail early in mount on disconnected paths in complain
    mode
  apparmor: disable aa_audit_file AA_BUG(!ad.request) due to fd
    inheritance

 security/apparmor/domain.c       | 40 ++++++++++++++++++++++++--------
 security/apparmor/file.c         | 21 +++++++++++++----
 security/apparmor/include/path.h |  4 ++--
 security/apparmor/mount.c        | 19 +++++++++------
 security/apparmor/path.c         | 37 +++++++++++++++++++----------
 5 files changed, 86 insertions(+), 35 deletions(-)

-- 
2.43.0