From: Ryan Lee Date: Fri, 2 May 2025 00:55:43 +0000 (-0700) Subject: apparmor: force audit on unconfined exec if info is set by find_attach X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=89a3561e69e5187fcce302eef429acd38aec1277;p=thirdparty%2Fkernel%2Flinux.git apparmor: force audit on unconfined exec if info is set by find_attach find_attach may set info if something unusual happens during that process (currently only used to signal conflicting attachments, but this could be expanded in the future). This is information that should be propagated to userspace via an audit message. Signed-off-by: Ryan Lee Signed-off-by: John Johansen --- diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index a7447d976a315..4263bb1ee4a8e 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -670,6 +670,22 @@ static struct aa_label *profile_transition(const struct cred *subj_cred, if (profile_unconfined(profile)) { new = find_attach(bprm, profile->ns, &profile->ns->base.profiles, name, &info); + /* info set -> something unusual that we should report + * Currently this is only conflicting attachments, but other + * infos added in the future should also be logged by default + * and only excluded on a case-by-case basis + */ + if (info) { + /* Because perms is never used again after this audit + * we don't need to care about clobbering it + */ + perms.audit |= MAY_EXEC; + perms.allow |= MAY_EXEC; + /* Don't cause error if auditing fails */ + (void) aa_audit_file(subj_cred, profile, &perms, + OP_EXEC, MAY_EXEC, name, target, new, cond->uid, + info, error); + } if (new) { AA_DEBUG(DEBUG_DOMAIN, "unconfined attached to new label"); return new;