UBUNTU: SAUCE: apparmor: special case unconfined when determining the mode
authorJohn Johansen <john.johansen@canonical.com>
Tue, 23 Aug 2016 09:05:52 +0000 (02:05 -0700)
committerKamal Mostafa <kamal@canonical.com>
Tue, 23 Aug 2016 16:48:23 +0000 (09:48 -0700)
when viewing a stack involving unconfined from across a ns boundary
the mode is reported as mixed.

Eg.
lxc-container-default//&:lxdns1://unconfined (mixed)

This is because the unconfined profile is in the special unconfined
mode, which results in a (mixed) mode for any stack that also contains
profiles in enforce or complain mode.

This can however lead to confusion as to what mode is being used as
mixed is also used for enforcing stacked with complain. Since unconfined
doesn't affect the stack just special case it.

BugLink: http://bugs.launchpad.net/bugs/1615890
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
security/apparmor/label.c

index c11ca99af8e1ca089fa4813f57bbda9605b706e2..ce150a8b1d661da99ae0cb518965079af57759d1 100644 (file)
@@ -1535,25 +1535,31 @@ static const char *label_modename(struct aa_ns *ns, struct aa_label *label,
 {
        struct aa_profile *profile;
        struct label_it i;
-       const char *modestr = NULL;
-       int count = 0;
+       int mode = -1, count = 0;
 
        label_for_each(i, label, profile) {
                if (aa_ns_visible(ns, profile->ns, flags & FLAG_VIEW_SUBNS)) {
-                       const char *tmp_modestr;
+                       if (profile->mode == APPARMOR_UNCONFINED)
+                               /* special case unconfined so stacks with
+                                * unconfined don't report as mixed. ie.
+                                * profile_foo//&:ns1://unconfined (mixed)
+                                */
+                               continue;
                        count++;
-                       tmp_modestr = aa_profile_mode_names[profile->mode];
-                       if (!modestr)
-                               modestr = tmp_modestr;
-                       else if (modestr != tmp_modestr)
+                       if (mode == -1)
+                               mode = profile->mode;
+                       else if (mode != profile->mode)
                                return "mixed";
                }
        }
 
        if (count == 0)
                return "-";
+       if (mode == -1)
+               /* everything was unconfined */
+               mode = APPARMOR_UNCONFINED;
 
-       return modestr;
+       return aa_profile_mode_names[mode];
 }
 
 /* if any visible label is not unconfined the display_mode returns true */
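Review bot: The new `continue` for APPARMOR_UNCONFINED profiles sits before `count++`, so a label whose visible profiles are all unconfined leaves count at 0 and returns "-" at the `if (count == 0)` check; the `if (mode == -1)` branch commented "everything was unconfined" is unreachable, and the function can no longer return "unconfined" at all, whereas the removed code did so via aa_profile_mode_names. Move the increment ahead of the special case: `count++;` then `if (profile->mode == APPARMOR_UNCONFINED) continue;`, leaving the later `mode = APPARMOR_UNCONFINED` fallback to do its job. Anything that reads the mode suffix of a displayed label (the /proc attr interface is not visible here, so this is inferred) would otherwise see the "no visible profile" marker for a plainly unconfined task, which is the kind of ambiguity the commit sets out to remove. The whole of label_modename is inside the hunk.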