AppArmor: fix mapping of META_READ to audit and quiet flags The mapping of AA_MAY_META_READ for the allow mask was also being mapped to the audit and quiet masks. This would result in some operations being audited when the should not. This flaw was hidden by the previous audit bug which would drop some messages that where supposed to be audited. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>

commit: 38305a4bab4be5d278443b057f7f5e97afb07f26 [log] [tgz]
author: John Johansen <john.johansen@canonical.com> Wed Feb 22 00:42:08 2012 -0800
committer: John Johansen <john.johansen@canonical.com> Mon Feb 27 11:38:22 2012 -0800
tree: 06122a0380bc06de07c2b462bfa2f306ab12af87
parent: 8b964eae204d791421677ec56b94a7b18cf8740d [diff] [blame]
diff --git a/security/apparmor/file.c b/security/apparmor/file.c
index 7312db7..bba875c 100644
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c

@@ -173,8 +173,6 @@
 	if (old & 0x40)	/* AA_EXEC_MMAP */
 		new |= AA_EXEC_MMAP;
 
-	new |= AA_MAY_META_READ;
-
 	return new;
 }
 
@@ -212,6 +210,7 @@
 		perms.quiet = map_old_perms(dfa_other_quiet(dfa, state));
 		perms.xindex = dfa_other_xindex(dfa, state);
 	}
+	perms.allow |= AA_MAY_META_READ;
 
 	/* change_profile wasn't determined by ownership in old mapping */
 	if (ACCEPT_TABLE(dfa)[state] & 0x80000000)
commit	38305a4bab4be5d278443b057f7f5e97afb07f26	[log] [tgz]
author	John Johansen <john.johansen@canonical.com>	Wed Feb 22 00:42:08 2012 -0800
committer	John Johansen <john.johansen@canonical.com>	Mon Feb 27 11:38:22 2012 -0800
tree	06122a0380bc06de07c2b462bfa2f306ab12af87
parent	8b964eae204d791421677ec56b94a7b18cf8740d [diff] [blame]