@@ -536,18 +536,23 @@ static int __file_path_perm(const char *op, struct aa_label *label,
error = fn_for_each_not_in_set(flabel, label, profile,
profile_path_perm(op, profile, &file->f_path, buffer,
request, &cond, flags, &perms));
- if (denied) {
+ if (denied && !error) {
/* check every profile in file label that was not tested
* in the initial check above.
*/
/* TODO: cache full perms so this only happens because of
* conditionals */
/* TODO: don't audit here */
- last_error(error,
- fn_for_each_not_in_set(label, flabel, profile,
+ if (label == flabel)
+ error = fn_for_each(label, profile,
+ profile_path_perm(op, profile, &file->f_path,
+ buffer, request, &cond, flags,
+ &perms));
+ else
+ error = fn_for_each_not_in_set(label, flabel, profile,
profile_path_perm(op, profile, &file->f_path,
buffer, request, &cond, flags,
- &perms)));
+ &perms));
}
if (!error)
update_file_ctx(file_ctx(file), label, request);
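Review bot: The new `if (label == flabel)` arm has no comment saying why it exists, and the comment above it ("check every profile in file label that was not tested in the initial check above") still reads as if the not-in-set walk were the only path. Presumably fn_for_each_not_in_set() visits nothing when both labels are the same object, so a cached denial on a file opened under the current label would otherwise never be rechecked or audited; that reasoning belongs in the code, e.g. `/* identical labels make the not-in-set walk empty, so recheck every profile to audit the denial */`. Dropping last_error() for a plain assignment is only safe because the guard is now `denied && !error`; a short comment such as `/* recheck only if the initial check did not already fail */` on that line would make the coupling explicit for the next edit of either branch. __file_path_perm() starts and ends outside this hunk, so the origin of `denied` is not visible here.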
When an open file with cached permissions is checked for the flock permission, the cache check fails and falls through to no error instead of auditing and returning an error. Make the fall through do a permission check, so that it will audit the failed flock permission check. BugLink: http://bugs.launchpad.net/bugs/1658219 Signed-off-by: John Johansen <john.johansen@canonical.com> --- security/apparmor/file.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-)