This section of profile_transition that occurs after x_to_label only happens if perms.allow already has the MAY_EXEC bit set, so we don't need to set it again.
Fixes: 16916b17b4f8 ("apparmor: force auditing of conflicting attachment execs from confined") Signed-off-by: Ryan Lee <ryan....@canonical.com> --- This is a follow-up to the patch sent here: https://lists.ubuntu.com/archives/apparmor/2025-May/013613.html The original patch I sent contained a missing braces typo that was fixed in the version of the patch that was actually applied, but the applied version still has the redundant bitflag set operation. security/apparmor/domain.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index f9370a63a83c..d689597f253b 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -734,10 +734,8 @@ static struct aa_label *profile_transition(const struct cred *subj_cred, * we don't need to care about clobbering it */ if (info == CONFLICTING_ATTACH_STR_IX - || info == CONFLICTING_ATTACH_STR_UX) { + || info == CONFLICTING_ATTACH_STR_UX) perms.audit |= MAY_EXEC; - perms.allow |= MAY_EXEC; - } /* hack ix fallback - improve how this is detected */ goto audit; } else if (!new) { base-commit: 1fdb22c54a5f64fb9c8a78b0dc36afea87245c15 -- 2.43.0
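Review bot: dropping `perms.allow |= MAY_EXEC;` from the `CONFLICTING_ATTACH_STR_IX` / `CONFLICTING_ATTACH_STR_UX` branch relies on an invariant that is stated only in the commit message, namely that this code is reached only when perms.allow already has MAY_EXEC set. The enclosing condition is not in the hunk's context, so the claim cannot be confirmed from the visible lines. Since the branch now only forces `perms.audit |= MAY_EXEC;`, consider extending the existing comment (the one ending "we don't need to care about clobbering it") to say that perms.allow already carries MAY_EXEC at this point. That way a later change to the enclosing check does not silently turn this into a path that audits an exec it no longer allows. Dropping the braces around the remaining single statement is fine, and the diffstat (1 insertion, 3 deletions) matches the hunk.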