Thread (241 messages) 241 messages, 3 authors, 2017-02-02
STALE3449d REVIEWED: 1 (0M)

[PATCH 3.12 205/235] apparmor: exec should not be returning ENOENT when it denies

From: Jiri Slaby <hidden>
Date: 2017-01-27 11:27:58
Also in: lkml
Subsystem: apparmor security module, security subsystem, the rest · Maintainers: John Johansen, Georgia Garcia, Paul Moore, James Morris, "Serge E. Hallyn", Linus Torvalds

From: John Johansen <john.johansen@canonical.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 9049a7922124d843a2cd26a02b1d00a17596ec0c upstream.

The current behavior is confusing as it causes exec failures to report
the executable is missing instead of identifying that apparmor
caused the failure.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <redacted>
Signed-off-by: Jiri Slaby <redacted>
---
 security/apparmor/domain.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 0c23888b9816..a59766fe3b7a 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -437,7 +437,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 				new_profile = aa_get_newest_profile(ns->unconfined);
 				info = "ux fallback";
 			} else {
-				error = -ENOENT;
+				error = -EACCES;
 				info = "profile not found";
 				/* remove MAY_EXEC to audit as failure */
 				perms.allow &= ~MAY_EXEC;
-- 
2.11.0
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help