Commit 38305a4bab4be5d278443b057f7f5e97afb07f26

Authored by John Johansen
1 parent 8b964eae20

AppArmor: fix mapping of META_READ to audit and quiet flags

The mapping of AA_MAY_META_READ for the allow mask was also being mapped
to the audit and quiet masks. This would result in some operations being
audited when they should not.

This flaw was hidden by the previous audit bug which would drop some
messages that were supposed to be audited.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>

Showing 1 changed file with 1 additions and 2 deletions

security/apparmor/file.c
... ... @@ -173,8 +173,6 @@
173 173 if (old & 0x40) /* AA_EXEC_MMAP */
174 174 new |= AA_EXEC_MMAP;
175 175  
176   - new |= AA_MAY_META_READ;
177   -
178 176 return new;
179 177 }
180 178  
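Review bot: a short comment just before `return new;` should state that AA_MAY_META_READ is deliberately not set in this helper. The second hunk shows map_old_perms() being used to build perms.quiet, so if this is that shared helper, any bit OR-ed in here lands in the audit and quiet masks as well as the allow mask. Without a note, a later cleanup could move the bit back and reintroduce the spurious auditing the commit message describes.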
... ... @@ -212,6 +210,7 @@
212 210 perms.quiet = map_old_perms(dfa_other_quiet(dfa, state));
213 211 perms.xindex = dfa_other_xindex(dfa, state);
214 212 }
  213 + perms.allow |= AA_MAY_META_READ;
215 214  
216 215 /* change_profile wasn't determined by ownership in old mapping */
217 216 if (ACCEPT_TABLE(dfa)[state] & 0x80000000)
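Review bot: the added `perms.allow |= AA_MAY_META_READ;` has no comment, while the change_profile block right after it does. A one-line comment saying that meta read is always granted in the allow mask, and must stay out of perms.audit and perms.quiet, would record why the bit is set here after the if/else rather than inside the mapping helper. It is also worth confirming in the full function that nothing between this line and the return copies perms.allow into the audit or quiet masks, since that would undo the fix.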