Commit 75c77e9e authored by John Johansen's avatar John Johansen

apparmor: provide separate audit messages for file and policy checks



Improve policy load failure messages by identifying which dfa the
verification check failed in.

Reviewed-by: default avatarGeorgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent 90c436a6
+11 −5
@@ -1240,12 +1240,18 @@ static int verify_profile(struct aa_profile *profile)
	if (!rules)
		return 0;

	if ((rules->file.dfa && !verify_dfa_accept_index(rules->file.dfa,
							 rules->file.size)) ||
	    (rules->policy.dfa &&
	     !verify_dfa_accept_index(rules->policy.dfa, rules->policy.size))) {
	if (rules->file.dfa && !verify_dfa_accept_index(rules->file.dfa,
							rules->file.size)) {
		audit_iface(profile, NULL, NULL,
			    "Unpack: Invalid named transition", NULL, -EPROTO);
			    "Unpack: file Invalid named transition", NULL,
			    -EPROTO);
		return -EPROTO;
	}
	if (rules->policy.dfa &&
	    !verify_dfa_accept_index(rules->policy.dfa, rules->policy.size)) {
		audit_iface(profile, NULL, NULL,
			    "Unpack: policy Invalid named transition", NULL,
			    -EPROTO);
		return -EPROTO;
	}
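Review bot: The new info strings passed to audit_iface(), `"Unpack: file Invalid named transition"` and `"Unpack: policy Invalid named transition"`, insert the dfa name ahead of a still-capitalised word and no longer contain the old `"Unpack: Invalid named transition"` text, so any audit-log matching rule keyed on the old string would presumably stop matching these policy-load failures. Keeping the old text as a prefix, for example `"Unpack: Invalid named transition in file dfa"` and `"Unpack: Invalid named transition in policy dfa"`, reads more naturally and keeps prefix matches working. A short comment above the two checks, such as `/* check each dfa separately so the audit record names the one that failed */`, would also explain why the near-identical blocks are not merged. verify_profile() begins outside the hunk and its end is not visible here.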