apparmor: properly handle cx/px lookup failure for complain

mode profiles When a cx/px lookup fails, apparmor would deny execution of the binary even in complain mode (where it would audit as allowing execution while actually denying it). Instead, in complain mode, create a new learning profile, just as would have been done if the cx/px line wasn't there. Signed-off-by: Ryan Lee <ryan.lee@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
author: Ryan Lee <ryan.lee@canonical.com> 2024-08-23 10:14:02 -0700
committer: John Johansen <john.johansen@canonical.com> 2024-11-26 19:21:05 -0800
commit: db93ca15e5aefe868ef095ee830a205f70f38b6e (patch)
tree: 8d5f43d7d52a2e809f56302b909d7fb77462f466 /security
parent: 17d0d04f3c999e7784648bad70ce1766c3b49d69 (diff)
1 files changed, 7 insertions, 2 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 2bc34dce9a46..55f250f5e2ac 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -680,12 +680,17 @@ static struct aa_label *profile_transition(const struct cred *subj_cred,
 			/* hack ix fallback - improve how this is detected */
 			goto audit;
 		} else if (!new) {
-			error = -EACCES;
 			info = "profile transition not found";
-			/* remove MAY_EXEC to audit as failure */
+			/* remove MAY_EXEC to audit as failure or complaint */
 			perms.allow &= ~MAY_EXEC;
+			if (COMPLAIN_MODE(profile)) {
+				/* create null profile instead of failing */
+				goto create_learning_profile;
+			}
+			error = -EACCES;
 		}
 	} else if (COMPLAIN_MODE(profile)) {
+create_learning_profile:
 		/* no exec permission - learning mode */
 		struct aa_profile *new_profile = NULL;
author	Ryan Lee <ryan.lee@canonical.com>	2024-08-23 10:14:02 -0700
committer	John Johansen <john.johansen@canonical.com>	2024-11-26 19:21:05 -0800
commit	db93ca15e5aefe868ef095ee830a205f70f38b6e (patch)
tree	8d5f43d7d52a2e809f56302b909d7fb77462f466 /security
parent	17d0d04f3c999e7784648bad70ce1766c3b49d69 (diff)