authorRyan Lee <ryan.lee@canonical.com>2025-05-01 17:55:46 -0700
committerJohn Johansen <john.johansen@canonical.com>2025-05-25 20:15:01 -0700
commit16916b17b4f80f99aad2ad29ad112313539ad219 (patch)
tree0c1053f92a6b8793f41c468cc28cafa9084f0696
parentapparmor: include conflicting attachment info for confined ix/ux fallback (diff)
apparmor: force auditing of conflicting attachment execs from confined
Conflicting attachment paths are an error state that results in the binary in question executing under an unexpected ix/ux fallback. As such, it should be audited to record the occurrence of conflicting attachments. Signed-off-by: Ryan Lee <ryan.lee@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
-rw-r--r--security/apparmor/domain.c9
1 files changed, 9 insertions, 0 deletions
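--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -729,6 +729,15 @@ static struct aa_label *profile_transition(const struct cred *subj_cred,
 new = x_to_label(profile, bprm, name, perms.xindex, &target,
 &info);
 if (new && new->proxy == profile->label.proxy && info) {
+ /* Force audit on conflicting attachment fallback
+ * Because perms is never used again after this audit
+ * we don't need to care about clobbering it
+ */
+ if (info == CONFLICTING_ATTACH_STR_IX
+ || info == CONFLICTING_ATTACH_STR_UX) {
+ perms.audit |= MAY_EXEC;
+ perms.allow |= MAY_EXEC;
+ }
 /* hack ix fallback - improve how this is detected */
 goto audit;
 } else if (!new) {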
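Review bot: The new checks `info == CONFLICTING_ATTACH_STR_IX` and `info == CONFLICTING_ATTACH_STR_UX` compare pointers, not string contents, so the forced audit fires only if every site that sets info hands back the very same object; if those names are plain string-literal macros and an assigning site lives in another translation unit, identical literals need not share an address and the audit would silently not be forced. A short comment such as `/* info is compared by address: x_to_label must assign these exact macros */` would record that reliance, or a dedicated flag from x_to_label would avoid it. The comment also explains why clobbering perms is harmless but not why `perms.allow` is widened alongside `perms.audit` when the commit only states the goal of auditing; presumably this is so the forced audit records the fallback as the exec that actually happened, and a sentence saying so belongs in the block comment. Kernel style puts the logical continuation on the previous line, i.e. `if (info == CONFLICTING_ATTACH_STR_IX ||` followed by `    info == CONFLICTING_ATTACH_STR_UX) {`. profile_transition begins and ends outside this hunk, so the audit label the goto targets is not visible here.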