Followed up with a v2 patchset
On Tue, Mar 4, 2025 at 12:56 PM Ryan Lee <ryan....@canonical.com> wrote:
>
> AppArmor was previously blocking operations with disconnected paths, even
> when the profile was loaded in complain mode. Instead, this patchset audits
> the disconnected path as being prefixed with a '#' sentinel, and updates
> the other code doing path lookups to continue with mediation with complain
> mode profiles.
>
> Similar checks will be needed for disconnection in the IPC case, once that
> code is ready.
>
> Ryan Lee (5):
> apparmor: pass complain-mode information to aa_path_name path lookup
> apparmor: don't return early in profile_path_perm for disconnected paths in complain mode
> apparmor: create new learning profile in complain mode upon disconnect exec
> apparmor: don't bail early in mount on disconnected paths in complain mode
> apparmor: disable aa_audit_file AA_BUG(!ad.request) due to fd inheritance
>
> security/apparmor/domain.c       | 40 ++++++++++++++++++++++++--------
> security/apparmor/file.c         | 21 +++++++++++++----
> security/apparmor/include/path.h |  4 ++--
> security/apparmor/mount.c        | 19 +++++++++------
> security/apparmor/path.c         | 37 +++++++++++++++++++----------
> 5 files changed, 86 insertions(+), 35 deletions(-)
>
> --
> 2.43.0
>