Conflicting attachment paths are an error state that result in the binary in question executing under an unexpected ix/ux fallback. As such, it should be audited to record the occurrence of conflicting attachments.
Signed-off-by: Ryan Lee <[email protected]> --- This is a v2 of https://lists.ubuntu.com/archives/apparmor/2025-May/013613.html. v1 -> v2: remove redundant perms.allow |= MAY_EXEC (which was also incorrectly outside of the intended conditional) security/apparmor/domain.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index e8cd9badfb54..b33ce6be9427 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -724,6 +724,14 @@ static struct aa_label *profile_transition(const struct cred *subj_cred, @@ -727,6 +727,16 @@ static struct aa_label *profile_transition(const struct cred *subj_cred, new = x_to_label(profile, bprm, name, perms.xindex, &target, &info); if (new && new->proxy == profile->label.proxy && info) { + /* Force audit on conflicting attachment fallback + * Because perms is never used again after this audit + * we don't need to care about clobbering it + * + * Because perms.allow MAY_EXEC bit is already set + * we don't have to set it again + */ + if (info == CONFLICTING_ATTACH_STR_IX + || info == CONFLICTING_ATTACH_STR_UX) + perms.audit |= MAY_EXEC; /* hack ix fallback - improve how this is detected */ goto audit; } else if (!new) { -- 2.43.0
