apparmor: properly handle cx/px lookup failure for complain
authorRyan Lee <ryan.lee@canonical.com>
Fri, 23 Aug 2024 17:14:02 +0000 (10:14 -0700)
committerJohn Johansen <john.johansen@canonical.com>
Wed, 27 Nov 2024 03:21:05 +0000 (19:21 -0800)
mode profiles

When a cx/px lookup fails, apparmor would deny execution of the binary
even in complain mode (where it would audit as allowing execution while
actually denying it). Instead, in complain mode, create a new learning
profile, just as would have been done if the cx/px line wasn't there.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/domain.c

index 2bc34dce9a4688206216ab0ec775d0c20b6b025b..55f250f5e2acc4fbf9e50506976dacd64e5e2b09 100644 (file)
@@ -680,12 +680,17 @@ static struct aa_label *profile_transition(const struct cred *subj_cred,
                        /* hack ix fallback - improve how this is detected */
                        goto audit;
                } else if (!new) {
-                       error = -EACCES;
                        info = "profile transition not found";
-                       /* remove MAY_EXEC to audit as failure */
+                       /* remove MAY_EXEC to audit as failure or complaint */
                        perms.allow &= ~MAY_EXEC;
+                       if (COMPLAIN_MODE(profile)) {
+                               /* create null profile instead of failing */
+                               goto create_learning_profile;
+                       }
+                       error = -EACCES;
                }
        } else if (COMPLAIN_MODE(profile)) {
+create_learning_profile:
                /* no exec permission - learning mode */
                struct aa_profile *new_profile = NULL;