Commit 4ce7d3cf authored by Ryan Lee's avatar Ryan Lee Committed by John Johansen
Browse files

apparmor: remove redundant perms.allow MAY_EXEC bitflag set 



This section of profile_transition that occurs after x_to_label only
happens if perms.allow already has the MAY_EXEC bit set, so we don't need
to set it again.

Fixes: 16916b17 ("apparmor: force auditing of conflicting attachment execs from confined")
Signed-off-by: default avatarRyan Lee <ryan.lee@canonical.com>
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent da0edaba

security/apparmor/domain.c

+1 −3
Original line number Diff line number Diff line
@@ -734,10 +734,8 @@ static struct aa_label *profile_transition(const struct cred *subj_cred, 
			 * we don't need to care about clobbering it

			 */

			if (info == CONFLICTING_ATTACH_STR_IX

			    || info == CONFLICTING_ATTACH_STR_UX) {

			    || info == CONFLICTING_ATTACH_STR_UX)

				perms.audit |= MAY_EXEC;

				perms.allow |= MAY_EXEC;

			}

			/* hack ix fallback - improve how this is detected */

			goto audit;

		} else if (!new) {