authorJohn Johansen <john.johansen@canonical.com>2023-04-17 12:27:36 +0200
committerJohn Johansen <john.johansen@canonical.com>2023-10-19 00:30:43 +0200
commit75c77e9e0713fddbe99a21a036aa6482402f9e34 (patch)
tree265cbe6cf8c69bcc8ac645831867ec676055e1d5 /security
parentapparmor: pass cred through to audit info. (diff)
apparmor: provide separate audit messages for file and policy checks
Improve policy load failure messages by identifying which dfa the verification check failed in. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')
-rw-r--r--security/apparmor/policy_unpack.c16
1 files changed, 11 insertions, 5 deletions
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index cb8b5c497812..1eb98d6994e8 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -1240,12 +1240,18 @@ static int verify_profile(struct aa_profile *profile)
if (!rules)
return 0;
- if ((rules->file.dfa && !verify_dfa_accept_index(rules->file.dfa,
- rules->file.size)) ||
- (rules->policy.dfa &&
- !verify_dfa_accept_index(rules->policy.dfa, rules->policy.size))) {
+ if (rules->file.dfa && !verify_dfa_accept_index(rules->file.dfa,
+ rules->file.size)) {
audit_iface(profile, NULL, NULL,
- "Unpack: Invalid named transition", NULL, -EPROTO);
+ "Unpack: file Invalid named transition", NULL,
+ -EPROTO);
+ return -EPROTO;
+ }
+ if (rules->policy.dfa &&
+ !verify_dfa_accept_index(rules->policy.dfa, rules->policy.size)) {
+ audit_iface(profile, NULL, NULL,
+ "Unpack: policy Invalid named transition", NULL,
+ -EPROTO);
return -EPROTO;
}
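Review bot: The two new info strings passed to `audit_iface()`, `"Unpack: file Invalid named transition"` and `"Unpack: policy Invalid named transition"`, replace the old text instead of extending it, so a log filter or alert that matches the full old string `"Unpack: Invalid named transition"` will no longer fire on these policy-load rejections. Keeping the original phrase as a prefix avoids that and reads more naturally, for example `"Unpack: Invalid named transition in file dfa"` and `"Unpack: Invalid named transition in policy dfa"`. If the new wording is kept, the commit message should state that the audit text changed so that monitoring rules can be updated. verify_profile() begins above the hunk, so how `rules` is obtained is not visible here.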