Commit 8acf7ad0 authored by Ryan Lee's avatar Ryan Lee Committed by John Johansen

apparmor: replace misleading 'scrubbing environment' phrase in debug print

The wording of 'scrubbing environment' implied that all environment
variables would be removed, when instead secure-execution mode only
removes a small number of environment variables. This patch updates the
wording to describe what actually occurs instead: setting AT_SECURE for
ld.so's secure-execution mode.

Link: https://gitlab.com/apparmor/apparmor/-/merge_requests/1315 is a
merge request that does similar updating for apparmor userspace.

Signed-off-by: default avatarRyan Lee <ryan.lee@canonical.com>
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent 9133493a
+8 −8
@@ -714,8 +714,8 @@ static struct aa_label *profile_transition(const struct cred *subj_cred,

	if (!(perms.xindex & AA_X_UNSAFE)) {
		if (DEBUG_ON) {
			dbg_printk("apparmor: scrubbing environment variables"
				   " for %s profile=", name);
			dbg_printk("apparmor: setting AT_SECURE for %s profile=",
				   name);
			aa_label_printk(new, GFP_KERNEL);
			dbg_printk("\n");
		}
@@ -794,8 +794,8 @@ static int profile_onexec(const struct cred *subj_cred,

	if (!(perms.xindex & AA_X_UNSAFE)) {
		if (DEBUG_ON) {
			dbg_printk("apparmor: scrubbing environment "
				   "variables for %s label=", xname);
			dbg_printk("apparmor: setting AT_SECURE for %s label=",
				   xname);
			aa_label_printk(onexec, GFP_KERNEL);
			dbg_printk("\n");
		}
@@ -951,8 +951,8 @@ int apparmor_bprm_creds_for_exec(struct linux_binprm *bprm)

	if (unsafe) {
		if (DEBUG_ON) {
			dbg_printk("scrubbing environment variables for %s "
				   "label=", bprm->filename);
			dbg_printk("setting AT_SECURE for %s label=",
				   bprm->filename);
			aa_label_printk(new, GFP_KERNEL);
			dbg_printk("\n");
		}
@@ -962,8 +962,8 @@ int apparmor_bprm_creds_for_exec(struct linux_binprm *bprm)
	if (label->proxy != new->proxy) {
		/* when transitioning clear unsafe personality bits */
		if (DEBUG_ON) {
			dbg_printk("apparmor: clearing unsafe personality "
				   "bits. %s label=", bprm->filename);
			dbg_printk("apparmor: clearing unsafe personality bits. %s label=",
				   bprm->filename);
			aa_label_printk(new, GFP_KERNEL);
			dbg_printk("\n");
		}
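Review bot: The rewritten message in the third hunk (apparmor_bprm_creds_for_exec, under `if (unsafe)`) is the only one of the four without the `apparmor: ` prefix, so searching a debug log for `apparmor: setting AT_SECURE` will miss the exec path that reports on `bprm->filename`. Since the string is being rewritten anyway, I would make it `dbg_printk("apparmor: setting AT_SECURE for %s label=",` to match profile_transition and profile_onexec, unless dbg_printk already prepends a prefix, which is not visible here. A short comment next to one of these prints, such as `/* AT_SECURE only puts ld.so in secure-execution mode; it does not clear the environment */`, would keep the commit message's distinction in the code. All three functions begin and end outside the hunks shown, so the statement that actually sets secure-exec is not visible for confirmation.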