File apparmor-2.5.1-unconfined-fixes of Package apparmor.import4816

Overview Repositories Revisions Requests Users Attributes Meta

File apparmor-2.5.1-unconfined-fixes of Package apparmor.import4816

From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor: Subdomain.pm: Fix handling of audits of unconfined processes

The version of AppArmor that was accepted into the mainline kernel
 issues audit events for things like change_hat while unconfined.
 Previous versions just returned -EPERM without the audit.

This results in logprof and friends spewing uninitialized value errors
 when it hits events like:
 type=AVC msg=audit(1291742101.899:220): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=28005 comm="cron

... which happen any time an unconfined process does something with pam
 when pam_apparmor is installed.

This patch skips those events.

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
 utils/SubDomain.pm |   20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -2735,6 +2735,13 @@ sub add_event_to_tree ($) {
     return if ($e->{operation} =~ /profile_set/);
 
     my ($profile, $hat);
+
+    # The version of AppArmor that was accepted into the mainline kernel
+    # issues audit events for things like change_hat while unconfined.
+    # Previous versions just returned -EPERM without the audit so the
+    # events wouldn't have been picked up here.
+    return if (!$e->{profile});
+
     # just convert new null profile style names to old before we begin processing
     # profile and name can contain multiple layers of null- but all we care about
     # currently is single level.

Places

File apparmor-2.5.1-unconfined-fixes of Package apparmor.import4816

Places