From 40c3d5fba317e43740c57bfeda74e95c0882332f Mon Sep 17 00:00:00 2001
From: Ryan Lee
Date: Thu, 7 Nov 2024 17:38:26 -0800
Subject: [PATCH] UBUNTU: SAUCE: apparmor4.0.0 [95/99]: apparmor: properly handle cx/px lookup failure for complain mode profiles

BugLink: https://bugs.launchpad.net/bugs/2086210

When a cx/px lookup fails, apparmor would deny execution of the binary even in complain mode (where it would audit as allowing execution while actually denying it). Instead, in complain mode, create a new learning profile, just as would have been done if the cx/px line wasn't there.

Signed-off-by: Ryan Lee
Signed-off-by: John Johansen
Signed-off-by: Timo Aaltonen
(cherry picked from commit 62bd5d5f21495c300939475bc491af545755bf10 oracular:linux)
Signed-off-by: Ryan Lee
Acked-by: Stefan Bader
Acked-by: Guoqing Jiang
Signed-off-by: Roxana Nicolescu
---
 security/apparmor/domain.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index dd457eaedab8..b2937dce4b8f 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -686,12 +686,17 @@ static struct aa_label *profile_transition(const struct cred *subj_cred,
 /* hack ix fallback - improve how this is detected */
 goto audit;
 } else if (!new) {
- error = -EACCES;
 info = "profile transition not found";
- /* remove MAY_EXEC to audit as failure */
+ /* remove MAY_EXEC to audit as failure or complaint */
 perms.allow &= ~MAY_EXEC;
+ if (COMPLAIN_MODE(profile)) {
+ /* create null profile instead of failing */
+ goto create_learning_profile;
+ }
+ error = -EACCES;
 }
 } else if (COMPLAIN_MODE(profile)) {
+create_learning_profile:
 /* no exec permission - learning mode */
 struct aa_profile *new_profile = NULL;