From: John Johansen <jjohansen@suse.de>
Subject: fix enforcement of deny rules in complain mode
Patch-mainline: no
References: bnc#426159
Fix enforcement of deny rules so that they are not enforced in complain
mode. This is necessary so that application behavior is not changed by
the presence of the deny rule.
Signed-off-by: John Johansen <jjohansen@suse.de>
---
security/apparmor/main.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
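--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
@@ -325,11 +325,12 @@ static int aa_audit_file(struct aa_profi
 } else {
 int mask = AUDIT_QUIET_MASK(sa->audit_mask);
 
- if (!(sa->denied_mask & ~mask))
+ if (!(sa->denied_mask & ~mask) && !PROFILE_COMPLAIN(profile))
 return sa->error_code;
 
 /* mask off perms whose denial is being silenced */
- sa->denied_mask &= (~mask) | ALL_AA_EXEC_TYPE;
+ if (!PROFILE_COMPLAIN(profile))
+ sa->denied_mask &= (~mask) | ALL_AA_EXEC_TYPE;
 }
 
 return aa_audit(profile, sa);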
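Review bot: The retained comment `/* mask off perms whose denial is being silenced */` now sits above a conditional and does not say why complain mode is exempt, so the next reader cannot tell that skipping the quiet mask is deliberate. I would extend it to something like `/* complain mode: leave quieted denials in denied_mask so they reach aa_audit() and the deny rule is reported rather than enforced */`, and note there that a profile left in complain mode gets no protection from its deny rules. `PROFILE_COMPLAIN(profile)` is also tested twice; reading it once into a local (`int complain = PROFILE_COMPLAIN(profile);`) next to `mask` would keep the two conditions in step. How aa_audit() treats the denial in complain mode is not visible here, and aa_audit_file starts and ends outside the hunk.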