From cb38c4bf583a36814b732a96a77b21d6e7888075 Mon Sep 17 00:00:00 2001 From: John Johansen Date: Tue, 23 Aug 2016 02:05:54 -0700 Subject: [PATCH] UBUNTU: SAUCE: apparmor: Fix auditing behavior for change_hat probing change_hat using probing to find and transition to the first available hat. Hats missing as part of this probe are expected and should not be logged except in complain mode. BugLink: http://bugs.launchpad.net/bugs/1615893 Signed-off-by: John Johansen Acked-by: Tim Gardner Signed-off-by: Kamal Mostafa --- security/apparmor/domain.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index b71bfde665811f..40b0e8bb9e23f5 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -931,12 +931,20 @@ static struct aa_label *change_hat(struct aa_label *label, const char *hats[], error = -ECHILD; fail: - fn_for_each_in_ns(label, profile, - /* no target as it has failed to be found or built */ + label_for_each_in_ns(it, labels_ns(label), label, profile) { + /* + * no target as it has failed to be found or built + * + * change_hat uses probing and should not log failures + * related to missing hats + */ /* TODO: get rid of GLOBAL_ROOT_UID */ - aa_audit_file(profile, &nullperms, OP_CHANGE_HAT, - AA_MAY_CHANGEHAT, name, NULL, NULL, - GLOBAL_ROOT_UID, info, error)); + if (count > 1 || COMPLAIN_MODE(profile)) { + aa_audit_file(profile, &nullperms, OP_CHANGE_HAT, + AA_MAY_CHANGEHAT, name, NULL, NULL, + GLOBAL_ROOT_UID, info, error); + } + } return (ERR_PTR(error)); build: