diff mbox

[14/14] UBUNTU: SAUCE: apparmor: Fix auditing behavior for change_hat probing

Message ID 1471943154-14507-15-git-send-email-john.johansen@canonical.com
State New
Headers show

Commit Message

John Johansen Aug. 23, 2016, 9:05 a.m. UTC 
change_hat using probing to find and transition to the first available
hat. Hats missing as part of this probe are expected and should not
be logged except in complain mode.

BugLink: http://bugs.launchpad.net/bugs/1615893

Signed-off-by: John Johansen <john.johansen@canonical.com>
---
 security/apparmor/domain.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
diff mbox

Patch

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index b71bfde..40b0e8b 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -931,12 +931,20 @@  static struct aa_label *change_hat(struct aa_label *label, const char *hats[],
 	error = -ECHILD;
 
 fail:
-	fn_for_each_in_ns(label, profile,
-		/* no target as it has failed to be found or built */
+	label_for_each_in_ns(it, labels_ns(label), label, profile) {
+		/*
+		 * no target as it has failed to be found or built
+		 *
+		 * change_hat uses probing and should not log failures
+		 * related to missing hats
+		 */
 		/* TODO: get rid of GLOBAL_ROOT_UID */
-		aa_audit_file(profile, &nullperms, OP_CHANGE_HAT,
-			      AA_MAY_CHANGEHAT, name, NULL, NULL,
-			      GLOBAL_ROOT_UID, info, error));
+		if (count > 1 || COMPLAIN_MODE(profile)) {
+			aa_audit_file(profile, &nullperms, OP_CHANGE_HAT,
+				      AA_MAY_CHANGEHAT, name, NULL, NULL,
+				      GLOBAL_ROOT_UID, info, error);
+		}
+	}
 	return (ERR_PTR(error));
 
 build: