When policy specifies a transition to a profile that is not currently loaded, it results in exec being denied. However, the failure is not being audited correctly because the audit code is treating this as an allowed permission and thus not reporting it.
Signed-off-by: John Johansen <[email protected]> Acked-By: Steve Beattie <[email protected]> --- security/apparmor/domain.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index 60f0c76..168c601 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -443,6 +443,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) } else { error = -ENOENT; info = "profile not found"; + /* remove MAY_EXEC to audit as failure */ + perms.allow &= ~MAY_EXEC; } } } else if (COMPLAIN_MODE(profile)) { -- 1.7.10.4
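Review bot: Editing perms.allow after the decision has already been made is an indirect way to get the denial audited, since the audit path is being made to infer failure from the permission mask rather than from the -ENOENT already stored in error; the comment on the added line should say so explicitly ("audit code reports on perms.allow, not error, so clear MAY_EXEC"), because a reader of this branch will otherwise not understand why a permission mask is being modified on an error path. It is also worth checking the other error branches of apparmor_bprm_set_creds that set error and info but are not visible in this hunk: any of them that leaves MAY_EXEC set in perms.allow will be audited as an allowed exec in exactly the same way.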
