src/patches/suse-2.6.27.31/patches.apparmor/fix-complain.diff

   1 From: John Johansen <jjohansen@suse.de>
   2 Subject: fix enforcement of deny rules in complain mode
   3 Patch-mainline: no
   4 References: bnc#426159
   5
   6 Fix enforcement of deny rules so that they are not enforced in complain
   7 mode.  This is necessary so that application behavior is not changed by
   8 the presence of the deny rule.
   9
  10 Signed-off-by: John Johansen <jjohansen@suse.de>
  11
  12 ---
  13  security/apparmor/main.c |    2 +-
  14  1 file changed, 1 insertion(+), 1 deletion(-)
  15
  16 --- a/security/apparmor/main.c
  17 +++ b/security/apparmor/main.c
  18 @@ -325,7 +325,7 @@ static int aa_audit_file(struct aa_profi
  19         } else {
  20                 int mask = AUDIT_QUIET_MASK(sa->audit_mask);
  21
  22 -               if (!(sa->denied_mask & ~mask))
  23 +               if (!(sa->denied_mask & ~mask) && !PROFILE_COMPLAIN(profile))
  24                         return sa->error_code;
  25
  26                 /* mask off perms whose denial is being silenced */