Update: turns out that this patch has a small but critical typographical error (both the perms modification lines should be under the conditional in braces), so we'll be sending a fixed patch as a v2.
On Thu, May 1, 2025 at 5:56 PM Ryan Lee <[email protected]> wrote: > > Conflicting attachment paths are an error state that result in the > binary in question executing under an unexpected ix/ux fallback. As such, > it should be audited to record the occurrence of conflicting attachments. > > Signed-off-by: Ryan Lee <[email protected]> > --- > security/apparmor/domain.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c > index e8cd9badfb54..b33ce6be9427 100644 > --- a/security/apparmor/domain.c > +++ b/security/apparmor/domain.c > @@ -724,6 +724,14 @@ static struct aa_label *profile_transition(const struct > cred *subj_cred, > new = x_to_label(profile, bprm, name, perms.xindex, &target, > &info); > if (new && new->proxy == profile->label.proxy && info) { > + /* Force audit on conflicting attachment fallback > + * Because perms is never used again after this audit > + * we don't need to care about clobbering it > + */ > + if (info == CONFLICTING_ATTACH_STR_IX > + || info == CONFLICTING_ATTACH_STR_UX) > + perms.audit |= MAY_EXEC; > + perms.allow |= MAY_EXEC; > /* hack ix fallback - improve how this is detected */ > goto audit; > } else if (!new) { > -- > 2.43.0 >
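Review bot: the `if` in this hunk has no braces, so only `perms.audit |= MAY_EXEC;` is conditional on `info == CONFLICTING_ATTACH_STR_IX || info == CONFLICTING_ATTACH_STR_UX`; the following `perms.allow |= MAY_EXEC;` runs for every path that reaches this branch (`new && new->proxy == profile->label.proxy && info`), so the audit record for non-conflicting ix fallbacks now reports exec as allowed as well. If both assignments are meant to apply only to the conflicting-attachment case, wrap them in braces:

	if (info == CONFLICTING_ATTACH_STR_IX ||
	    info == CONFLICTING_ATTACH_STR_UX) {
		perms.audit |= MAY_EXEC;
		perms.allow |= MAY_EXEC;
	}

Two smaller points for the v2: kernel style keeps the `||` at the end of the first line rather than the start of the continuation (checkpatch flags "Logical continuations should be on the previous line"), and the diffstat (`1 file changed, 7 insertions(+)`) does not match the hunk header (`@@ -724,6 +724,14 @@`, eight added lines), which suggests the patch was edited by hand after `git format-patch`; regenerating it from the committed change will keep the stat consistent.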
