[ipfire-2.x.git] / src / patches / suse-2.6.27.31 / patches.apparmor / fix-complain.diff

From: John Johansen <jjohansen@suse.de>
Subject: fix enforcement of deny rules in complain mode
Patch-mainline: no
References: bnc#426159

Fix enforcement of deny rules so that they are not enforced in complain
mode.  This is necessary so that application behavior is not changed by
the presence of the deny rule.

Signed-off-by: John Johansen <jjohansen@suse.de>

---
 security/apparmor/main.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
@@ -325,7 +325,7 @@ static int aa_audit_file(struct aa_profi
 	} else {
 		int mask = AUDIT_QUIET_MASK(sa->audit_mask);
 
-		if (!(sa->denied_mask & ~mask))
+		if (!(sa->denied_mask & ~mask) && !PROFILE_COMPLAIN(profile))
 			return sa->error_code;
 
 		/* mask off perms whose denial is being silenced */
Commit	Line	Data
6a930a95 BS	1	From: John Johansen <jjohansen@suse.de>
	2	Subject: fix enforcement of deny rules in complain mode
	3	Patch-mainline: no
	4	References: bnc#426159
	5
	6	Fix enforcement of deny rules so that they are not enforced in complain
	7	mode. This is necessary so that application behavior is not changed by
	8	the presence of the deny rule.
	9
	10	Signed-off-by: John Johansen <jjohansen@suse.de>
	11
	12	---
	13	security/apparmor/main.c \| 2 +-
	14	1 file changed, 1 insertion(+), 1 deletion(-)
	15
	16	--- a/security/apparmor/main.c
	17	+++ b/security/apparmor/main.c
	18	@@ -325,7 +325,7 @@ static int aa_audit_file(struct aa_profi
	19	} else {
	20	int mask = AUDIT_QUIET_MASK(sa->audit_mask);
	21
	22	- if (!(sa->denied_mask & ~mask))
	23	+ if (!(sa->denied_mask & ~mask) && !PROFILE_COMPLAIN(profile))
	24	return sa->error_code;
	25
	26	/* mask off perms whose denial is being silenced */