1 | From ee0073a1e7b0ec172273a6211a3b117d024e5949 Mon Sep 17 00:00:00 2001 |
2 | From: John Johansen <john.johansen@canonical.com> | |
3 | Date: Fri, 29 Jun 2012 17:34:00 -0700 | |
4 | Subject: [PATCH 3/4] apparmor: Fix quieting of audit messages for network | |
5 | mediation | |
6 | ||
7 | If a profile specified a quieting of network denials for a given rule by | |
8 | either the quiet or deny rule qualifiers, the resultant quiet mask for | |
9 | denied requests was applied incorrectly, resulting in two potential bugs. | |
10 | 1. The misapplied quiet mask would prevent denials from being correctly | |
11 | tested against the kill mask/mode. Thus network access requests that | |
12 | should have resulted in the application being killed did not. | |
13 | ||
14 | 2. The actual quieting of the denied network request was not being applied. | |
15 | This would result in network rejections always being logged even when | |
16 | they had been specifically marked as quieted. | |
17 | ||
18 | Signed-off-by: John Johansen <john.johansen@canonical.com> | |
19 | --- | |
20 | security/apparmor/net.c | 2 +- | |
21 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
22 | ||
23 | diff --git a/security/apparmor/net.c b/security/apparmor/net.c | |
24 | index 003dd18..6e6e5c9 100644 | |
25 | --- a/security/apparmor/net.c | |
26 | +++ b/security/apparmor/net.c | |
27 | @@ -88,7 +88,7 @@ static int audit_net(struct aa_profile *profile, int op, u16 family, int type, | |
28 | } else { | |
29 | u16 quiet_mask = profile->net.quiet[sa.u.net->family]; | |
30 | u16 kill_mask = 0; | |
31 | - u16 denied = (1 << sa.aad->net.type) & ~quiet_mask; | |
32 | + u16 denied = (1 << sa.aad->net.type); | |
33 | ||
34 | if (denied & kill_mask) | |
35 | audit_type = AUDIT_APPARMOR_KILL; | |
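Review bot: With `u16 kill_mask = 0;` declared two lines above the change and nothing assigning it before the test, `if (denied & kill_mask)` on the hunk's last context line can never be true, so the kill path the commit message says it is restoring (bug 1) is still unreachable after this patch. If the profile carries a per-family kill mask alongside `profile->net.quiet[...]`, it should be loaded here the same way `quiet_mask` is; otherwise a comment such as `/* kill_mask is always 0: network rules carry no kill qualifier yet */` should mark the branch as intentionally dead. Dropping `& ~quiet_mask` leaves `quiet_mask` with no use in the visible lines, so the quieting the message says is now applied (bug 2) must happen after the hunk — and since the diffstat shows this is the only change, it is worth confirming that the later code masks `denied` against `quiet_mask` rather than relying on the value computed here. The shift `1 << sa.aad->net.type` is not bounded at this point; if `net.type` can reach 16 or more the bit is silently lost in the u16 truncation, and a shift count of 32 or more is undefined, so a range check on the type before the shift would harden the path. audit_net begins and ends outside the hunk.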
36 | -- | |
37 | 1.8.3.2 | |