Do not switch to the NULL profile in enforce mode: this only screws
the calling process; it wouldn't have a reasonable way of finding
out when a hat doesn't exist.
Index: b/security/apparmor/main.c
===================================================================
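--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
@@ -1105,14 +1105,6 @@ static inline int do_change_hat(const ch
 aa_switch_to_profile(cxt, sub, hat_magic);
 aa_put_profile(sub);
 } else {
- /* There is no such subprofile change to a NULL profile.
- * The NULL profile grants no file access.
- *
- * This feature is used by changehat_apache.
- *
- * N.B from the null-profile the task can still changehat back
- * out to the parent profile (assuming magic != 0)
- */
 if (APPARMOR_COMPLAIN(cxt)) {
 LOG_HINT(cxt->profile, GFP_ATOMIC, HINT_UNKNOWN_HAT,
 "%s pid=%d "
@@ -1132,7 +1124,15 @@ static inline int do_change_hat(const ch
 cxt->profile->name);
 error = -EACCES;
 }
- aa_switch_to_profile(cxt, cxt->profile->null_profile, hat_magic);
+ /*
+ * Switch to the NULL profile: it grants no accesses, so in
+ * learning mode all accesses will get logged, and in enforce
+ * mode all accesses will be denied.
+ *
+ * In learning mode, this allows us to learn about new hats.
+ */
+ aa_switch_to_profile(cxt, cxt->profile->null_profile,
+ hat_magic);
 }
 
 return error;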
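Review bot: In the second hunk the new code still calls `aa_switch_to_profile(cxt, cxt->profile->null_profile, hat_magic)` unconditionally after the `error = -EACCES` path, and the added comment even says that in enforce mode all accesses will be denied — which contradicts the commit message's stated intent of not switching to the NULL profile in enforce mode; the only visible code change is the replaced comment and a line wrap. If the message describes the intended behaviour, the switch needs a guard such as `if (APPARMOR_COMPLAIN(cxt))` in front of the call, so an enforced task that names a non-existent hat gets -EACCES and stays in its current profile instead of being left confined to a profile that denies everything; whether `error = -EACCES` is itself inside the complain branch cannot be told from here, since the lines between the two hunks are not shown. The new comment also drops the old note that with a non-zero hat_magic the task can still change_hat back out of the NULL profile to its parent, which is the one thing a caller stuck there needs to know; keep it, e.g. `* A non-zero hat_magic still lets the task change_hat back to the parent profile.` do_change_hat() starts and ends outside both hunks.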