Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ade3ddc0 authored by John Johansen's avatar John Johansen
Browse files

AppArmor: Fix dropping of allowed operations that are force audited 



The audit permission flag, that specifies an audit message should be
provided when an operation is allowed, was being ignored in some cases.

This is because the auto audit mode (which determines the audit mode from
system flags) was incorrectly assigned the same value as audit mode. The
shared value would result in messages that should be audited going through
a second evaluation as to whether they should be audited based on the
auto audit, resulting in some messages being dropped.

Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
Acked-by: default avatarKees Cook <kees@ubuntu.com>
parent cdbd2884

security/apparmor/audit.c

+1 −0
Original line number Original line Diff line number Diff line
@@ -89,6 +89,7 @@ static char *aa_audit_type[] = { 
	"STATUS",

	"STATUS",

	"ERROR",

	"ERROR",

	"KILLED"

	"KILLED"

	"AUTO"

};

};





/*

/*

security/apparmor/include/audit.h

+2 −3
Original line number Original line Diff line number Diff line
@@ -28,8 +28,6 @@ struct aa_profile; 
extern const char *audit_mode_names[];

extern const char *audit_mode_names[];

#define AUDIT_MAX_INDEX 5

#define AUDIT_MAX_INDEX 5





#define AUDIT_APPARMOR_AUTO 0	/* auto choose audit message type */



enum audit_mode {

enum audit_mode {

	AUDIT_NORMAL,		/* follow normal auditing of accesses */

	AUDIT_NORMAL,		/* follow normal auditing of accesses */

	AUDIT_QUIET_DENIED,	/* quiet all denied access messages */

	AUDIT_QUIET_DENIED,	/* quiet all denied access messages */
@@ -45,7 +43,8 @@ enum audit_type { 
	AUDIT_APPARMOR_HINT,

	AUDIT_APPARMOR_HINT,

	AUDIT_APPARMOR_STATUS,

	AUDIT_APPARMOR_STATUS,

	AUDIT_APPARMOR_ERROR,

	AUDIT_APPARMOR_ERROR,

	AUDIT_APPARMOR_KILL

	AUDIT_APPARMOR_KILL,

	AUDIT_APPARMOR_AUTO

};

};





extern const char *op_table[];

extern const char *op_table[];