From 4c8d4490cb7d3a82f54af31a87fc73f28dec8cad Mon Sep 17 00:00:00 2001 From: Steve Beattie Date: Tue, 15 Feb 2011 11:16:28 -0800 Subject: [PATCH] From: Jeff Mahoney Subject: apparmor: Subdomain.pm: Fix handling of audits of unconfined processes The version of AppArmor that was accepted into the mainline kernel issues audit events for things like change_hat while unconfined. Previous versions just returned -EPERM without the audit. This results in logprof and friends spewing uninitialized value errors when it hits events like: type=AVC msg=audit(1291742101.899:220): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=28005 comm="cron ... which happen any time an unconfined process does something with pam when pam_apparmor is installed. This patch skips those events. [Note that the second half of the OpenSUSE patch had already been applied.] Signed-off-by: Jeff Mahoney Acked-By: Steve Beattie --- utils/Immunix/AppArmor.pm | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/utils/Immunix/AppArmor.pm b/utils/Immunix/AppArmor.pm index fd3bfbdf3..e803b6b64 100755 --- a/utils/Immunix/AppArmor.pm +++ b/utils/Immunix/AppArmor.pm @@ -2788,6 +2788,13 @@ sub add_event_to_tree ($) { return if ($e->{operation} =~ /profile_set/); my ($profile, $hat); + + # The version of AppArmor that was accepted into the mainline kernel + # issues audit events for things like change_hat while unconfined. + # Previous versions just returned -EPERM without the audit so the + # events wouldn't have been picked up here. + return if (!$e->{profile}); + # just convert new null profile style names to old before we begin processing # profile and name can contain multiple layers of null- but all we care about # currently is single level.