UBUNTU: SAUCE: apparmor: flock mediation is not being enforced on cache check
authorJohn Johansen <john.johansen@canonical.com>
Wed, 1 Feb 2017 09:06:06 +0000 (01:06 -0800)
committerThadeu Lima de Souza Cascardo <cascardo@canonical.com>
Wed, 8 Mar 2017 13:35:45 +0000 (10:35 -0300)
When an open file with cached permissions is checked for the flock
permission, the cache check fails and falls through to no error instead
of auditing and returning an error.

Fix the fall through to do a permission check, so it will audit the
failed flock permission check.

BugLink: http://bugs.launchpad.net/bugs/1658219
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
security/apparmor/file.c

index 95bb2eb7183acea11bb8a8f3625ee464819d5f56..1d049da7cc37a72c766c91b4e02a7774e6b5f8d6 100644 (file)
@@ -536,18 +536,23 @@ static int __file_path_perm(const char *op, struct aa_label *label,
        error = fn_for_each_not_in_set(flabel, label, profile,
                        profile_path_perm(op, profile, &file->f_path, buffer,
                                          request, &cond, flags, &perms));
-       if (denied) {
+       if (denied && !error) {
                /* check every profile in file label that was not tested
                 * in the initial check above.
                 */
                /* TODO: cache full perms so this only happens because of
                 * conditionals */
                /* TODO: don't audit here */
-               last_error(error,
-                       fn_for_each_not_in_set(label, flabel, profile,
+               if (label == flabel)
+                       error = fn_for_each(label, profile,
+                               profile_path_perm(op, profile, &file->f_path,
+                                                 buffer, request, &cond, flags,
+                                                 &perms));
+               else
+                       error = fn_for_each_not_in_set(label, flabel, profile,
                                profile_path_perm(op, profile, &file->f_path,
                                                  buffer, request, &cond, flags,
-                                                 &perms)));
+                                                 &perms));
        }
        if (!error)
                update_file_ctx(file_ctx(file), label, request);
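Review bot: The comment at the top of the `if (denied && !error)` body, "check every profile in file label that was not tested in the initial check above", no longer describes the new `label == flabel` branch, which re-tests every profile in label via `fn_for_each` — presumably because the not-in-set walk is empty when both labels are the same, which is what left error at 0 and let a cached denial fall through. Add a line such as `/* label == flabel: nothing is "not in set", so re-test every profile so the denial is audited and returned */` above the new `if`. The `/* TODO: don't audit here */` note also now conflicts with the stated intent of the change, which relies on this path to audit the failed check; it should be dropped or reworded. `__file_path_perm` starts before the hunk and its return is outside it.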