UBUNTU: SAUCE: apparmor: Fix auditing behavior for change_hat probing

change_hat using probing to find and transition to the first available hat. Hats missing as part of this probe are expected and should not be logged except in complain mode. BugLink: http://bugs.launchpad.net/bugs/1615893 Signed-off-by: John Johansen <[email protected]> Acked-by: Tim Gardner <[email protected]> Signed-off-by: Kamal Mostafa <[email protected]>
powervm · Aug 23, 2016 · cb38c4b · cb38c4b
1 parent 5de0db7
commit cb38c4b
Showing 1 changed file with 13 additions and 5 deletions.
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
@@ -931,12 +931,20 @@ static struct aa_label *change_hat(struct aa_label *label, const char *hats[],
 	error = -ECHILD;
 
 fail:
-	fn_for_each_in_ns(label, profile,
-		/* no target as it has failed to be found or built */
+	label_for_each_in_ns(it, labels_ns(label), label, profile) {
+		/*
+		 * no target as it has failed to be found or built
+		 *
+		 * change_hat uses probing and should not log failures
+		 * related to missing hats
+		 */
 		/* TODO: get rid of GLOBAL_ROOT_UID */
-		aa_audit_file(profile, &nullperms, OP_CHANGE_HAT,
-			      AA_MAY_CHANGEHAT, name, NULL, NULL,
-			      GLOBAL_ROOT_UID, info, error));
+		if (count > 1 || COMPLAIN_MODE(profile)) {
+			aa_audit_file(profile, &nullperms, OP_CHANGE_HAT,
+				      AA_MAY_CHANGEHAT, name, NULL, NULL,
+				      GLOBAL_ROOT_UID, info, error);
+		}
+	}
 	return (ERR_PTR(error));
 
 build: