Commit b824b5f8 authored by Ryan Lee's avatar Ryan Lee Committed by John Johansen

apparmor: include conflicting attachment info for confined ix/ux fallback



Instead of silently overwriting the conflicting profile attachment string,
include that information in the ix/ux fallback string that gets set as info.
Also add a warning print if some other info is set that would be
overwritten by the ix/ux fallback string or by the profile-not-found error.

Signed-off-by: default avatarRyan Lee <ryan.lee@canonical.com>
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent e76d733b
+33 −2
@@ -29,6 +29,10 @@
#include "include/policy_ns.h"

static const char * const CONFLICTING_ATTACH_STR = "conflicting profile attachments";
static const char * const CONFLICTING_ATTACH_STR_IX =
	"conflicting profile attachments - ix fallback";
static const char * const CONFLICTING_ATTACH_STR_UX =
	"conflicting profile attachments - ux fallback";

/**
 * may_change_ptraced_domain - check if can change profile on ptraced task
@@ -577,6 +581,8 @@ static struct aa_label *x_to_label(struct aa_profile *profile,
	struct aa_label *stack = NULL;
	struct aa_ns *ns = profile->ns;
	u32 xtype = xindex & AA_X_TYPE_MASK;
	/* Used for info checks during fallback handling */
	const char *old_info = NULL;

	switch (xtype) {
	case AA_X_NONE:
@@ -613,14 +619,34 @@ static struct aa_label *x_to_label(struct aa_profile *profile,
			/* (p|c|n)ix - don't change profile but do
			 * use the newest version
			 */
			if (*info == CONFLICTING_ATTACH_STR) {
				*info = CONFLICTING_ATTACH_STR_IX;
			} else {
				old_info = *info;
				*info = "ix fallback";
			}
			/* no profile && no error */
			new = aa_get_newest_label(&profile->label);
		} else if (xindex & AA_X_UNCONFINED) {
			new = aa_get_newest_label(ns_unconfined(profile->ns));
			if (*info == CONFLICTING_ATTACH_STR) {
				*info = CONFLICTING_ATTACH_STR_UX;
			} else {
				old_info = *info;
				*info = "ux fallback";
			}
		}
		/* We set old_info on the code paths above where overwriting
		 * could have happened, so now check if info was set by
		 * find_attach as well (i.e. whether we actually overwrote)
		 * and warn accordingly.
		 */
		if (old_info && old_info != CONFLICTING_ATTACH_STR) {
			pr_warn_ratelimited(
				"AppArmor: find_attach (from profile %s) audit info \"%s\" dropped",
				profile->base.hname, old_info);
		}
	}

	if (new && stack) {
		/* base the stack on post domain transition */
@@ -706,6 +732,11 @@ static struct aa_label *profile_transition(const struct cred *subj_cred,
			/* hack ix fallback - improve how this is detected */
			goto audit;
		} else if (!new) {
			if (info) {
				pr_warn_ratelimited(
					"AppArmor: %s (from profile %s) audit info \"%s\" dropped on missing transition",
					__func__, profile->base.hname, info);
			}
			info = "profile transition not found";
			/* remove MAY_EXEC to audit as failure or complaint */
			perms.allow &= ~MAY_EXEC;
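Review bot: In the @@ -613,14 +619,34 @@ hunk of x_to_label, the guard `if (old_info && old_info != CONFLICTING_ATTACH_STR)` can never see old_info equal to CONFLICTING_ATTACH_STR, because old_info is only assigned in the else branches that run when `*info` is not that pointer, so the second comparison is dead and suggests a third case that does not exist. Either reduce it to `if (old_info)` or keep it with a comment saying why, e.g. `/* old_info is never CONFLICTING_ATTACH_STR here; compare kept as a defensive check */`. Both the ix and ux paths detect the conflict by pointer identity with the static string, not by contents, which is worth stating once at the definition in the @@ -29,6 +29,10 @@ hunk: `/* compared by address in x_to_label; find_attach must set this exact pointer */` so a future copy or different literal does not silently turn the conflict into a plain "ix fallback"/"ux fallback" with a dmesg warning instead of an audit entry. x_to_label and profile_transition both begin before and end after their respective hunks.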