[patch added to 3.12-stable] apparmor: exec should not be returning ENOENT... | stable

[patch added to 3.12-stable] IB/mlx4: Set traffic class in AH · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] IB/mlx4: Fix port query for 56Gb Ethernet links · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] perf scripting: Avoid leaking the scripting_context variable · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] ARM: dts: imx31: move CCM device node to AIPS2 bus devices · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] ARM: dts: imx31: fix AVIC base address · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] x86/PCI: Ignore _CRS on Supermicro X8DTH-i/6/iF/6F · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] svcrpc: don't leak contexts on PROC_DESTROY · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] ARM: dts: imx31: fix clock control module interrupts description · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] mmc: mxs-mmc: Fix additional cycles after transmission stop · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] mtd: nand: xway: disable module support · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] qla2xxx: Fix crash due to null pointer access · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] ubifs: Fix journal replay wrt. xattr nodes · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] clockevents/drivers/exynos_mct: Remove unneeded container_of() · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] clocksource/exynos_mct: Clear interrupt when cpu is shut down · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] ARM: 8634/1: hw_breakpoint: blacklist Scorpion CPUs · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] ARM: dts: da850-evm: fix read access to SPI flash · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] arm64/ptrace: Preserve previous registers for short regset write · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] arm64/ptrace: Avoid uninitialised struct padding in fpr_set() · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] arm64/ptrace: Reject attempts to set incomplete hardware breakpoint fields · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] ARM: ux500: fix prcmu_is_cpu_in_wfi() calculation · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] ite-cir: initialize use_demodulator before using it · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] posix_acl: Clear SGID bit when setting file permissions · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] vmxnet3: Wake queue from reset work · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] fs/cifs: make share unaccessible at root level mountable · Jiri Slaby <hidden> · 2017-01-27
Re: [patch added to 3.12-stable] fs/cifs: make share unaccessible at root level mountable · Aurélien Aptel <hidden> · 2017-01-31
Re: [patch added to 3.12-stable] fs/cifs: make share unaccessible at root level mountable · Jiri Slaby <hidden> · 2017-01-31
Re: [patch added to 3.12-stable] fs/cifs: make share unaccessible at root level mountable · Ben Hutchings <hidden> · 2017-10-08
[patch added to 3.12-stable] NFSv4: Ensure nfs_atomic_open set the dentry verifier on ENOENT · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] Compare prepaths when comparing superblocks · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] Move check for prefix path to within cifs_get_root() · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] Fix memory leaks in cifs_do_mount() · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] Fix regression which breaks DFS mounting · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] apparmor: fix refcount bug in profile replacement · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] apparmor: fix replacement bug that adds new child to old parent · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] apparmor: fix uninitialized lsm_audit member · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] apparmor: exec should not be returning ENOENT when it denies · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] apparmor: fix disconnected bind mnts reconnection · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] apparmor: internal paths should be treated as disconnected · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] apparmor: fix update the mtime of the profile file on replacement · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] apparmor: fix log failures for all profiles in a set · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] apparmor: fix audit full profile hname on successful load · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] apparmor: fix put() parent ref after updating the active ref · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] apparmor: ensure the target profile name is always audited · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] apparmor: add missing id bounds check on dfa verification · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] apparmor: don't check for vmalloc_addr if kvzalloc() failed · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] apparmor: fix refcount race when finding a child profile · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] apparmor: check that xindex is in trans_table bounds · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] apparmor: fix module parameters can be changed after policy is locked · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] apparmor: fix oops, validate buffer size in apparmor_setprocattr() · Jiri Slaby <hidden> · 2017-01-27
Re: [patch added to 3.12-stable] apparmor: fix oops, validate buffer size in apparmor_setprocattr() · Vegard Nossum <hidden> · 2017-01-27
Re: [patch added to 3.12-stable] apparmor: fix oops, validate buffer size in apparmor_setprocattr() · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] vfio/pci: Fix integer overflows, bitmask check · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] apparmor: fix arg_size computation for when setprocattr is null terminated · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] bna: Add synchronization for tx ring. · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] [media] xc2028: unlock on error in xc2028_set_config() · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] [media] xc2028: avoid use after free · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] apparmor: fix oops in profile_unpack() when policy_db is not present · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] apparmor: do not expose kernel stack · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] block: fix use-after-free in sys_ioprio_get() · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] xc2028: Fix use-after-free bug properly · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] move the call of __d_drop(anon) into __d_materialise_unique(dentry, anon) · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] x86/apic: Order irq_enter/exit() calls correctly vs. ack_APIC_irq() · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] fuse: do not use iocb after it may have been freed · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] sg: Fix double-free when drives detach during SG_IO · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] bnx2x: Correct ringparam estimate when DOWN · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] tmpfs: clear S_ISGID when setting posix ACLs · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] ocfs2: fix BUG_ON() in ocfs2_ci_checkpointed() · Jiri Slaby <hidden> · 2017-01-27
[patch added to 3.12-stable] serial: 8250_pci: Detach low-level driver during PCI error recovery · Jiri Slaby <hidden> · 2017-01-27

STALE3184d REVIEWED: 1 (0M)

[patch added to 3.12-stable] apparmor: exec should not be returning ENOENT when it denies

From: Jiri Slaby <hidden>
Date: 2017-01-27 10:49:29
Subsystem: apparmor security module, security subsystem, the rest · Maintainers: John Johansen, Georgia Garcia, Paul Moore, James Morris, "Serge E. Hallyn", Linus Torvalds

From: John Johansen <john.johansen@canonical.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 9049a7922124d843a2cd26a02b1d00a17596ec0c upstream.

The current behavior is confusing as it causes exec failures to report
the executable is missing instead of identifying that apparmor
caused the failure.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <redacted>
Signed-off-by: Jiri Slaby <redacted>
---
 security/apparmor/domain.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 0c23888b9816..a59766fe3b7a 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c

@@ -437,7 +437,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 				new_profile = aa_get_newest_profile(ns->unconfined);
 				info = "ux fallback";
 			} else {
-				error = -ENOENT;
+				error = -EACCES;
 				info = "profile not found";
 				/* remove MAY_EXEC to audit as failure */
 				perms.allow &= ~MAY_EXEC;

-- 
2.11.0

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help