apparmor: properly handle cx/px lookup failure for complain mode profiles

When a cx/px lookup fails, apparmor would deny execution of the binary
even in complain mode (where it would audit as allowing execution while
actually denying it). Instead, in complain mode, create a new learning
profile, just as would have been done if the cx/px line wasn't there.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
Ryan Lee 2024-08-23 10:14:02 -07:00 committed by John Johansen
parent 2b05c4cd52
commit ee650b3820


@ -681,12 +681,17 @@ static struct aa_label *profile_transition(const struct cred *subj_cred,
/* hack ix fallback - improve how this is detected */
goto audit;
} else if (!new) {
error = -EACCES;
info = "profile transition not found";
/* remove MAY_EXEC to audit as failure */
/* remove MAY_EXEC to audit as failure or complaint */
perms.allow &= ~MAY_EXEC;
if (COMPLAIN_MODE(profile)) {
/* create null profile instead of failing */
goto create_learning_profile;
}
error = -EACCES;
}
} else if (COMPLAIN_MODE(profile)) {
create_learning_profile:
/* no exec permission - learning mode */
struct aa_profile *new_profile = NULL;
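Review bot: the new `create_learning_profile:` label is placed directly before the declaration `struct aa_profile *new_profile = NULL;`, which is only valid C as of C23; older GCC/Clang in gnu11 mode reject a label whose next item is a declaration rather than a statement. Move the label to the first statement after the declaration, or follow it with an empty statement, so the jump from the `!new` branch still lands inside the complain-mode block without tripping that error. The branch logic itself looks right: `error` is no longer set before the `goto`, so the complain path returns success, and `perms.allow &= ~MAY_EXEC` together with `info = "profile transition not found"` means the audit record still reports the missed transition rather than a plain allow. One nit: the comment says "create null profile" while the label and commit message say learning profile; use one term.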