apparmor: fix auditing of domain transition failures due to incomplete policy
author: John Johansen <john.johansen@canonical.com>
Mon, 18 Feb 2013 23:59:34 +0000 (15:59 -0800)
committer: John Johansen <john.johansen@canonical.com>
Sun, 28 Apr 2013 07:35:04 +0000 (00:35 -0700)
When policy specifies a transition to a profile that is not currently
loaded, it results in exec being denied.  However, the failure is not being
audited correctly because the audit code is treating this as an allowed
permission and thus not reporting it.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
security/apparmor/domain.c

index 859abdaac1eafb62fddb202eb6fcdf3777e9daa2..7bc85c7f4573d1eaaf5d60a832514e1dedc8e2b0 100644 (file)
@@ -443,6 +443,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
                        } else {
                                error = -ENOENT;
                                info = "profile not found";
+                               /* remove MAY_EXEC to audit as failure */
+                               perms.allow &= ~MAY_EXEC;
                        }
                }
        } else if (COMPLAIN_MODE(profile)) {
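Review bot: the fix at `perms.allow &= ~MAY_EXEC;` corrects the audit record only as a side effect of the audit path keying off `perms.allow` rather than off `error`; any other branch that sets `error` and leaves `MAY_EXEC` in `perms.allow` will still be logged as an allowed exec. Consider having the audit helper consult `error` directly (or clearing the requested permission wherever `error` is set), and expand the comment to say that `-ENOENT` is still returned and the mask affects only how the denial is reported.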