apparmor/apparmor-2.5.1-unconfined-fixes

38 lines
1.5 KiB
Plaintext

From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor: Subdomain.pm: Fix handling of audits of unconfined processes
The version of AppArmor that was accepted into the mainline kernel
issues audit events for things like change_hat while unconfined.
Previous versions just returned -EPERM without the audit.
This results in logprof and friends spewing uninitialized value errors
when it hits events like:
type=AVC msg=audit(1291742101.899:220): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=28005 comm="cron
... which happen any time an unconfined process does something with pam
when pam_apparmor is installed.
This patch skips those events.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
utils/SubDomain.pm | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -2735,6 +2735,13 @@ sub add_event_to_tree ($) {
return if ($e->{operation} =~ /profile_set/);
my ($profile, $hat);
+
+ # The version of AppArmor that was accepted into the mainline kernel
+ # issues audit events for things like change_hat while unconfined.
+ # Previous versions just returned -EPERM without the audit so the
+ # events wouldn't have been picked up here.
+ return if (!$e->{profile});
+
# just convert new null profile style names to old before we begin processing
# profile and name can contain multiple layers of null- but all we care about
# currently is single level.