apparmor: provide separate audit messages for file and policy checks
authorJohn Johansen <john.johansen@canonical.com>
Mon, 17 Apr 2023 10:27:36 +0000 (03:27 -0700)
committerJohn Johansen <john.johansen@canonical.com>
Wed, 18 Oct 2023 22:30:43 +0000 (15:30 -0700)
Improve policy load failure messages by identifying which dfa the
verification check failed in.

Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/policy_unpack.c

index cb8b5c497812104f1b20c07f8d509fced8a6791d..1eb98d6994e85db7395bfd573edaa80983e8fc1f 100644 (file)
@@ -1240,12 +1240,18 @@ static int verify_profile(struct aa_profile *profile)
        if (!rules)
                return 0;
 
-       if ((rules->file.dfa && !verify_dfa_accept_index(rules->file.dfa,
-                                                        rules->file.size)) ||
-           (rules->policy.dfa &&
-            !verify_dfa_accept_index(rules->policy.dfa, rules->policy.size))) {
+       if (rules->file.dfa && !verify_dfa_accept_index(rules->file.dfa,
+                                                       rules->file.size)) {
                audit_iface(profile, NULL, NULL,
-                           "Unpack: Invalid named transition", NULL, -EPROTO);
+                           "Unpack: file Invalid named transition", NULL,
+                           -EPROTO);
+               return -EPROTO;
+       }
+       if (rules->policy.dfa &&
+           !verify_dfa_accept_index(rules->policy.dfa, rules->policy.size)) {
+               audit_iface(profile, NULL, NULL,
+                           "Unpack: policy Invalid named transition", NULL,
+                           -EPROTO);
                return -EPROTO;
        }
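Review bot: Both new audit_iface() calls replace the info string outright, so any log parser or alerting rule that matches the previous text `"Unpack: Invalid named transition"` would stop firing on policy-load failures after this change (whether such consumers exist is not visible from the hunk). Keeping the old text as a prefix and appending the table name would preserve substring matches while still saying which dfa failed, e.g. `"Unpack: Invalid named transition (file dfa)"` and `"Unpack: Invalid named transition (policy dfa)"`. That wording also avoids the mid-string capital in `file Invalid` and `policy Invalid`. verify_profile() begins and ends outside the hunk, so any later checks in it are not covered here.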