On 6/13/25 09:32, Ryan Lee wrote:
Conflicting attachment paths are an error state that result in the
binary in question executing under an unexpected ix/ux fallback. As such,
it should be audited to record the occurrence of conflicting attachments.
Signed-off-by: Ryan Lee <[email protected]>
Ryan,
your original patch made it into apparmor-next for the 6.16 that never
happened.
Ideally we wouldn't rebase for this. Can you apply this to apparmor-next
and send it as a
Fixes: 16916b17b4f8 ("apparmor: force auditing of conflicting attachment execs from
confined")
patch
---
This is a v2 of https://lists.ubuntu.com/archives/apparmor/2025-May/013613.html.
v1 -> v2: remove redundant perms.allow |= MAY_EXEC (which was also incorrectly
outside of the intended conditional)
security/apparmor/domain.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index e8cd9badfb54..b33ce6be9427 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -724,6 +724,14 @@ static struct aa_label *profile_transition(const struct
cred *subj_cred,
@@ -727,6 +727,16 @@ static struct aa_label *profile_transition(const struct
cred *subj_cred,
new = x_to_label(profile, bprm, name, perms.xindex, &target,
&info);
if (new && new->proxy == profile->label.proxy && info) {
+ /* Force audit on conflicting attachment fallback
+ * Because perms is never used again after this audit
+ * we don't need to care about clobbering it
+ *
+ * Because perms.allow MAY_EXEC bit is already set
+ * we don't have to set it again
+ */
+ if (info == CONFLICTING_ATTACH_STR_IX
+ || info == CONFLICTING_ATTACH_STR_UX)
+ perms.audit |= MAY_EXEC;
/* hack ix fallback - improve how this is detected */
goto audit;
} else if (!new) {
