mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-30 05:47:59 +00:00

This patch fixes some audit error messages that apparmor generates in 2.6.18.

It turns out that audit and selinux were modified to slightly change the
behavior of getprocattr.

The changes are:
1.  when the audit subsystem calls security_getprocattr it only allows
    for a return code of EINVAL

2.  when the audit subsystem calls security_getprocattr with the size
    parameter set to 0, it expects the returned size to be the size
    that would be put in the buffer.

    This behavior is undocumented in LSM but the changes showed up in
    audit and selinux.

This patch fixes AA so that when 0 is passed it will return the size
that would have been read.  This in turn fixes the problem where the
audit system spits out a ton of "error in audit_log_task_context"
messages.

The AA getprocattr handling can still return error messages that are
not EINVAL but these should not happen in the audit log context unless
audit makes an error.

The possible places are:
- audit passes a buffer that is too small - this shouldn't happen since
  audit uses the return value from a probe with parameter size == 0
- audit task context is trying to read a /proc/<pid>/attr/current that is
  the current task's context.
  This shouldn't happen since the task context is for the current task.
- memory allocation fails
  This one will generate the message but the audit code itself will
  generate the message if its allocation fails.
This commit is contained in:
John Johansen 2007-01-04 08:30:08 +00:00
parent bbe0bbfe50
commit c60fb0e392
2 changed files with 4 additions and 5 deletions


@ -667,11 +667,6 @@ static int subdomain_getprocattr(struct task_struct *p, char *name, void *value,
goto out;
}
if (!size) {
error = -ERANGE;
goto out;
}
/* must be task querying itself or admin */
if (current != p && !capable(CAP_SYS_ADMIN)) {
error = -EPERM;
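Review bot: dropping the `if (!size) { error = -ERANGE; goto out; }` early return moves a size == 0 probe past the `current != p && !capable(CAP_SYS_ADMIN)` check, so a probe from a task that is neither the target nor CAP_SYS_ADMIN now gets -EPERM instead of -ERANGE. That is the safer ordering (the length of another task's confinement label is no longer disclosed before the permission check), and it is consistent with the commit message's second bullet, but it is a behaviour change for any in-kernel caller that used size == 0 expecting -ERANGE; the commit message should say so explicitly rather than only describing the audit case.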


@ -52,6 +52,8 @@ size_t sd_getprocattr(struct subdomain *sd, char *str, size_t size)
str += lenm;
*str++ = '\n';
error = len;
} else if (size == 0) {
error = len;
} else {
error = -ERANGE;
}
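Review bot: the new `else if (size == 0)` branch only works because it sits after the `len <= size` branch that writes into `str`; with size == 0 and len > 0 that first condition is false, so nothing is written and the probe returns the length it would need. Putting the probe first (`if (size == 0) error = len; else if (len <= size) { ... } else error = -ERANGE;`) would make that intent obvious and keep the buffer-writing code from ever being reached with a zero-length buffer, whatever `len` turns out to be. Note also that `sd_getprocattr` is declared `size_t` yet assigns `-ERANGE` to `error`; the negative value round-trips through an unsigned return, which the caller in subdomain_getprocattr must cast back to a signed type for the audit path to see a proper errno.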
@ -63,6 +65,8 @@ size_t sd_getprocattr(struct subdomain *sd, char *str, size_t size)
if (len <= size) {
memcpy(str, unconstrained_str, len);
error = len;
} else if (size == 0) {
error = len;
} else {
error = -ERANGE;
}
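Review bot: this is the same three-way `len <= size` / `size == 0` / `-ERANGE` logic as the confined-task branch a few lines above, now duplicated for the `unconstrained_str` case. A small helper that takes the destination, the source string and its length and returns either the copied length, the required length for a size == 0 probe, or -ERANGE would keep the two paths from drifting apart the next time the probe semantics change, which is exactly what this commit is fixing.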