When profile attachment fails due to conflicting attachments, confinement silently
falls back onto either unconfined (if transitioning from unconfined) or onto ix/ux
(if transitioning via a pix/pux rule in a profile). However, conflicting attachments
are an error condition, so such occurrences should be audited unconditionally. This
patchset implements such auditing.
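The fallback described above is only reached when more than one profile claims the
same executable, so a policy author's complementary check is to find such ambiguous
attachments before they hit the kernel. The script below is an added example, not
part of this patch series or of the AppArmor project; it parses the `profile NAME
/glob {` header form from a constructed policy snippet, approximates AppArmor's
attachment globbing (`*`, `**`, `?`, `{a,b}`), and reports every path matched by more
than one attachment. The kernel's own longest-match tie-breaking is deliberately not
modelled, so anything it reports is a candidate for review rather than a confirmed
conflict.

```python
import re
from typing import Dict, List

# Constructed sample policy (not from the patch series); the profile names
# and attachment globs are invented for illustration only.
SAMPLE_POLICY = """
profile firefox /usr/lib/firefox/firefox {
}
profile browser-generic /usr/lib/*/firefox {
}
profile ping /{usr/,}bin/ping flags=(complain) {
}
profile editors /usr/bin/** {
}
"""

# Only the "profile NAME ATTACHMENT [flags=(...)] {" header form is handled.
PROFILE_RE = re.compile(
    r'^\s*profile\s+(\S+)\s+(\S+)\s*(?:flags=\([^)]*\)\s*)?\{', re.MULTILINE)


def glob_to_regex(glob: str) -> str:
    """Translate an AppArmor attachment glob into an anchored Python regex.

    Approximation of the kernel matcher: '*' matches within one path
    component, '**' crosses '/', '?' is one non-'/' character and '{a,b}'
    is alternation. Commas are only alternation separators inside braces.
    """
    out: List[str] = []
    depth = 0
    i = 0
    while i < len(glob):
        c = glob[i]
        if c == '*':
            if i + 1 < len(glob) and glob[i + 1] == '*':
                out.append('.*')
                i += 2
                continue
            out.append('[^/]*')
        elif c == '?':
            out.append('[^/]')
        elif c == '{':
            depth += 1
            out.append('(?:')
        elif c == '}' and depth > 0:
            depth -= 1
            out.append(')')
        elif c == ',' and depth > 0:
            out.append('|')
        else:
            out.append(re.escape(c))
        i += 1
    return '^' + ''.join(out) + '$'


def parse_attachments(policy: str) -> Dict[str, str]:
    """Map profile name -> attachment glob for every parsed profile header."""
    return {name: glob for name, glob in PROFILE_RE.findall(policy)}


def matching_profiles(policy: str, path: str) -> List[str]:
    """All profiles whose attachment glob matches the given executable path."""
    return sorted(name for name, glob in parse_attachments(policy).items()
                  if re.match(glob_to_regex(glob), path))


def find_conflicts(policy: str, paths: List[str]) -> Dict[str, List[str]]:
    """Paths claimed by more than one attachment, i.e. candidates for the
    conflicting-attachment fallback that the patch series makes auditable."""
    conflicts: Dict[str, List[str]] = {}
    for path in paths:
        names = matching_profiles(policy, path)
        if len(names) > 1:
            conflicts[path] = names
    return conflicts


if __name__ == '__main__':
    candidates = ['/usr/lib/firefox/firefox', '/bin/ping',
                  '/usr/bin/ping', '/usr/bin/vim']
    for path, names in find_conflicts(SAMPLE_POLICY, candidates).items():
        print(f'{path}: matched by {", ".join(names)}')
```

Run it against a real policy directory by concatenating the profile files into the
`policy` argument and feeding it the executables you care about; a path that comes back
with two or more names is one where the kernel would have to pick, and where an
audit record is now expected.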
Ryan Lee (4):
  apparmor: force audit on unconfined exec if info is set by find_attach
  apparmor: move the "conflicting profile attachments" infostr to a const declaration
  apparmor: include conflicting attachment info for confined ix/ux fallback
  apparmor: force auditing of conflicting attachment execs from confined
 security/apparmor/domain.c | 59 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 56 insertions(+), 3 deletions(-)
--
2.43.0