Inheritance of fd's triggers the lookup logic, and O_PATH fd's are checked with an empty request set. If the O_PATH fd corresponds to a disconnected path for an application with a profile in complain mode, we have an error without a request bit set in aa_audit_file. Until we can handle O_PATH fd inheritance better, the best we can do for now is disable the AA_BUG line when the profile is in complain mode.
Signed-off-by: Ryan Lee <ryan....@canonical.com> --- v1 -> v2: only skip the AA_BUG line in complain mode security/apparmor/file.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/security/apparmor/file.c b/security/apparmor/file.c index c430e031db31..60d6273713f9 100644 --- a/security/apparmor/file.c +++ b/security/apparmor/file.c @@ -271,7 +271,19 @@ int aa_audit_file(const struct cred *subj_cred, } else { /* only report permissions that were denied */ ad.request = ad.request & ~perms->allow; - AA_BUG(!ad.request); + + /* + * Inheritance of fd's across execution boundaries causes the + * path name lookup logic to be triggered for all the fd's. + * This includes O_PATH fd's for which the original requested + * set is empty. An O_PATH fd with a disconnected path results + * in a lookup error, which in complain mode, means we reach + * this branch with an empty request. Until we have a better + * way to detect and handle this case, we have to disable this + * AA_BUG line when in complain mode. + */ + if (!COMPLAIN_MODE(profile)) + AA_BUG(!ad.request); if (ad.request & perms->kill) type = AUDIT_APPARMOR_KILL; -- 2.43.0
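Review bot: Gating only the AA_BUG on COMPLAIN_MODE(profile) lets the empty-request case continue through the rest of the deny branch, so in complain mode the O_PATH fd still produces an audit record with no request bits set, which is the very condition the assertion was guarding. Since an empty `ad.request` means nothing was actually denied, consider returning early (or skipping the audit) when `!ad.request` instead of just silencing the check, or, if emitting that record is intentional, state that in the block comment so the next reader does not treat it as a leftover of the bug. The comment itself largely repeats the commit message; a two-line note ("O_PATH fds inherited across exec can reach here with an empty request in complain mode; see commit log") would keep the hunk readable.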