archives/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-03-08 01:04:41 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
linux/security
History
John Johansen 4a134723f9 apparmor: move check for aa_null file to cover all cases 
files with a dentry pointing aa_null.dentry where already rejected as
part of file_inheritance. Unfortunately the check in
common_file_perm() is insufficient to cover all cases causing
unnecessary audit messages without the original files context.

Eg.
[ 442.886474] audit: type=1400 audit(1704822661.616:329): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="snap.lxd.activate" name="/apparmor/.null" pid=9525 comm="snap-exec"

Further examples of this are in the logs of
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2120439
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1952084
https://bugs.launchpad.net/snapd/+bug/2049099

These messages have no value and should not be sent to the logs.
AppArmor was already filtering the out in some cases but the original
patch did not catch all cases. Fix this by push the existing check
down into two functions that should cover all cases.

Link: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2122743
Fixes: 192ca6b55a ("apparmor: revalidate files during exec")
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-01-29 01:27:54 -08:00
..
apparmor apparmor: move check for aa_null file to cover all cases 2026-01-29 01:27:54 -08:00
bpf lsm: replace the name field with a pointer to the lsm_id struct 2025-10-22 19:24:18 -04:00
integrity integrity-v6.19 2025-12-03 11:08:03 -08:00
ipe ipe/stable-6.19 PR 20251202 2025-12-03 11:19:34 -08:00
keys tpm2-sessions: Open code tpm_buf_append_hmac_session() 2025-12-05 06:42:51 +02:00
landlock Landlock update for v6.19-rc1 2025-12-06 09:52:41 -08:00
loadpin loadpin: move initcalls to the LSM framework 2025-10-22 19:24:25 -04:00
lockdown lockdown: move initcalls to the LSM framework 2025-10-22 19:24:27 -04:00
safesetid safesetid: move initcalls to the LSM framework 2025-10-22 19:24:26 -04:00
selinux Some filesystems use a kinda-sorta controlled dentry refcount leak to pin 2025-12-05 14:36:21 -08:00
smack Some filesystems use a kinda-sorta controlled dentry refcount leak to pin 2025-12-05 14:36:21 -08:00
tomoyo Trivial optimization. 2025-12-14 15:21:02 +12:00
yama lsm: replace the name field with a pointer to the lsm_id struct 2025-10-22 19:24:18 -04:00
commoncap.c Capabilities patch for v6.19 2025-12-04 20:10:28 -08:00
device_cgroup.c device_cgroup: Refactor devcgroup_seq_show to use seq_put* helpers 2025-11-11 19:47:24 -05:00
inode.c Some filesystems use a kinda-sorta controlled dentry refcount leak to pin 2025-12-05 14:36:21 -08:00
Kconfig lsm: CONFIG_LSM can depend on CONFIG_SECURITY 2025-09-11 16:32:04 -04:00
Kconfig.hardening rust: add bitmap API. 2025-09-22 15:52:44 -04:00
lsm.h lsm: consolidate all of the LSM framework initcalls 2025-10-22 19:24:28 -04:00
lsm_audit.c net: Retire DCCP socket. 2025-04-11 18:58:10 -07:00
lsm_init.c lsm: use unrcu_pointer() for current->cred in security_init() 2025-11-19 10:32:06 -05:00
lsm_notifier.c lsm: split the notifier code out into lsm_notifier.c 2025-10-22 19:24:15 -04:00
lsm_syscalls.c lsm: rework lsm_active_cnt and lsm_idlist[] 2025-10-22 19:24:19 -04:00
Makefile lsm: split the init code out into lsm_init.c 2025-10-22 19:24:16 -04:00
min_addr.c lsm: consolidate all of the LSM framework initcalls 2025-10-22 19:24:28 -04:00
security.c lsm: cleanup the debug and console output in lsm_init.c 2025-10-22 19:24:23 -04:00