Commit | Line | Data |
---|---|---|
4d1e5b62 AF |
1 | From: John Johansen <jjohansen@suse.de> |
2 | Subject: fix enforcement of deny rules in complain mode | |
3 | Patch-mainline: no | |
4 | References: bnc#426159 | |
5 | ||
6 | Fix enforcement of deny rules so that they are not enforced in complain | |
7 | mode. This is necessary so that application behavior is not changed by | |
8 | the presence of the deny rule. | |
9 | ||
10 | Signed-off-by: John Johansen <jjohansen@suse.de> | |
11 | ||
12 | --- | |
13 | security/apparmor/main.c | 2 +- | |
14 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
15 | ||
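--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
@@ -325,7 +325,7 @@ static int aa_audit_file(struct aa_profi
 } else {
 int mask = AUDIT_QUIET_MASK(sa->audit_mask);
 
-if (!(sa->denied_mask & ~mask))
+if (!(sa->denied_mask & ~mask) && !PROFILE_COMPLAIN(profile))
 return sa->error_code;
 
 /* mask off perms whose denial is being silenced */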
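Review bot: A complain-mode request whose denied bits are all quieted now falls through to the masking step instead of returning, so `sa->denied_mask` can be empty by the time the code below this hunk runs. That code is not visible here, so it is worth confirming that it neither emits an audit record with an empty mask nor still returns `sa->error_code` for a complain-mode profile. The condition also deserves a comment on the line above it, for example `/* in complain mode a quieted denial must not return the error: deny rules are not enforced there */`, because the two halves of the test answer different questions (is the denial silenced, is the profile enforcing). aa_audit_file's body starts and ends outside the hunk.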