AppArmor: Fix dropping of allowed operations that are force audited

The audit permission flag, that specifies an audit message should be provided when an operation is allowed, was being ignored in some cases. This is because the auto audit mode (which determines the audit mode from system flags) was incorrectly assigned the same value as audit mode. The shared value would result in messages that should be audited going through a second evaluation as to whether they should be audited based on the auto audit, resulting in some messages being dropped. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
git-mirror · Feb 27, 2012 · ade3ddc · ade3ddc
1 parent cdbd288
commit ade3ddc
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
@@ -89,6 +89,7 @@ static char *aa_audit_type[] = {
 	"STATUS",
 	"ERROR",
 	"KILLED"
+	"AUTO"
 };
 
 /*

diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
@@ -28,8 +28,6 @@ struct aa_profile;
 extern const char *audit_mode_names[];
 #define AUDIT_MAX_INDEX 5
 
-#define AUDIT_APPARMOR_AUTO 0	/* auto choose audit message type */
-
 enum audit_mode {
 	AUDIT_NORMAL,		/* follow normal auditing of accesses */
 	AUDIT_QUIET_DENIED,	/* quiet all denied access messages */
@@ -45,7 +43,8 @@ enum audit_type {
 	AUDIT_APPARMOR_HINT,
 	AUDIT_APPARMOR_STATUS,
 	AUDIT_APPARMOR_ERROR,
-	AUDIT_APPARMOR_KILL
+	AUDIT_APPARMOR_KILL,
+	AUDIT_APPARMOR_AUTO
 };
 
 extern const char *op_table[];
-Original file line number
+Diff line change
@@ Expand Up / @@ -89,6 +89,7 @@ static char *aa_audit_type[] = { @@
     	"STATUS",
     	"ERROR",
     	"KILLED"
+    	"AUTO"
     };
     /*
@@ Expand Down @@