git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/commit

author	John Johansen <john.johansen@canonical.com>
	Sat, 12 Nov 2016 00:06:25 +0000 (16:06 -0800)
committer	Tim Gardner <tim.gardner@canonical.com>
	Mon, 20 Feb 2017 03:57:58 +0000 (20:57 -0700)
commit	78bc9645c765a9395f07b5bd079c51c3ea66347b
tree	347eb92810f3f01e35e1dae41eb534a86f20f5cc	tree
parent	a8b020484d09c14d2228ffaca4e43cf5e908356c	commit \| diff

UBUNTU: SAUCE: apparmor: Don't audit denied access of special apparmor .null file

When an fd is disallowed from being inherited during exec, instead of
closed it is duped to a special apparmor/.null file. This prevents the
fd from being reused by another file in case the application expects
the original file on a give fd (eg stdin/stdout etc). This results in
a denial message like
[32375.561535] audit: type=1400 audit(1478825963.441:358): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-t_<var-lib-lxd>" profile="/sbin/dhclient" name="/dev/pts/1" pid=16795 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=165536

Further access to the fd is resultin in the rather useless denial message
of
[32375.566820] audit: type=1400 audit(1478825963.445:359): apparmor="DENIED" operation="file_perm" namespace="root//lxd-t_<var-lib-lxd>" profile="/sbin/dhclient" name="/apparmor/.null" pid=16795 comm="dhclient" requested_mask="w" denied_mask="w" fsuid=165536 ouid=0

since we have the original denial, the noisy and useless .null based
denials can be skipped.

BugLink: http://bugs.launchpad.net/bugs/1660836
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>