From: John Johansen Date: Mon, 17 Apr 2023 10:27:36 +0000 (-0700) Subject: apparmor: provide separate audit messages for file and policy checks X-Git-Tag: v6.7-rc1~81^2~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=75c77e9e0713fddbe99a21a036aa6482402f9e34;p=thirdparty%2Fkernel%2Flinux.git apparmor: provide separate audit messages for file and policy checks Improve policy load failure messages by identifying which dfa the verification check failed in. Reviewed-by: Georgia Garcia Signed-off-by: John Johansen
---
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index cb8b5c4978121..1eb98d6994e85 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -1240,12 +1240,18 @@ static int verify_profile(struct aa_profile *profile)
 if (!rules)
 return 0;
- if ((rules->file.dfa && !verify_dfa_accept_index(rules->file.dfa,
- rules->file.size)) ||
- (rules->policy.dfa &&
- !verify_dfa_accept_index(rules->policy.dfa, rules->policy.size))) {
+ if (rules->file.dfa && !verify_dfa_accept_index(rules->file.dfa,
+ rules->file.size)) {
 audit_iface(profile, NULL, NULL,
- "Unpack: Invalid named transition", NULL, -EPROTO);
+ "Unpack: file Invalid named transition", NULL,
+ -EPROTO);
+ return -EPROTO;
+ }
+ if (rules->policy.dfa &&
+ !verify_dfa_accept_index(rules->policy.dfa, rules->policy.size)) {
+ audit_iface(profile, NULL, NULL,
+ "Unpack: policy Invalid named transition", NULL,
+ -EPROTO);
 return -EPROTO;
 }
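Review bot: The two new info strings passed to audit_iface() in this hunk, `"Unpack: file Invalid named transition"` and `"Unpack: policy Invalid named transition"`, no longer contain the old `"Unpack: Invalid named transition"` text. Assuming audit_iface() writes that string into the audit record, any log parser or alert rule matching the old text on policy-load failures will stop matching, and the commit message should say so. Putting the dfa name at the end instead, e.g. `"Unpack: Invalid named transition in file dfa"` and `"Unpack: Invalid named transition in policy dfa"`, keeps the old text as a stable prefix and avoids the awkward lower-case word before a capitalised "Invalid". The two checks are now near-duplicates, so a one-line comment above the first, such as `/* checked separately so the audit message names the failing dfa */`, would record why they are not merged back. verify_profile() begins before this hunk, so only the visible checks are reviewed here.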