Commit bf15cf0c authored by John Johansen's avatar John Johansen

apparmor: fix log failures for all profiles in a set

currently only the profile that is causing the failure is logged. This
makes it more confusing than necessary about which profiles loaded
and which didn't. So make sure to log success and failure messages for
all profiles in the set being loaded.
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
Acked-by: default avatarSeth Arnold <seth.arnold@canonical.com>
parent f351841f
...@@ -1067,7 +1067,7 @@ static int __lookup_replace(struct aa_namespace *ns, const char *hname, ...@@ -1067,7 +1067,7 @@ static int __lookup_replace(struct aa_namespace *ns, const char *hname,
*/ */
ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace) ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
{ {
const char *ns_name, *name = NULL, *info = NULL; const char *ns_name, *info = NULL;
struct aa_namespace *ns = NULL; struct aa_namespace *ns = NULL;
struct aa_load_ent *ent, *tmp; struct aa_load_ent *ent, *tmp;
int op = OP_PROF_REPL; int op = OP_PROF_REPL;
...@@ -1082,18 +1082,15 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace) ...@@ -1082,18 +1082,15 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
/* released below */ /* released below */
ns = aa_prepare_namespace(ns_name); ns = aa_prepare_namespace(ns_name);
if (!ns) { if (!ns) {
info = "failed to prepare namespace"; error = audit_policy(op, GFP_KERNEL, ns_name,
error = -ENOMEM; "failed to prepare namespace", -ENOMEM);
name = ns_name; goto free;
goto fail;
} }
mutex_lock(&ns->lock); mutex_lock(&ns->lock);
/* setup parent and ns info */ /* setup parent and ns info */
list_for_each_entry(ent, &lh, list) { list_for_each_entry(ent, &lh, list) {
struct aa_policy *policy; struct aa_policy *policy;
name = ent->new->base.hname;
error = __lookup_replace(ns, ent->new->base.hname, noreplace, error = __lookup_replace(ns, ent->new->base.hname, noreplace,
&ent->old, &info); &ent->old, &info);
if (error) if (error)
...@@ -1121,7 +1118,6 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace) ...@@ -1121,7 +1118,6 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
if (!p) { if (!p) {
error = -ENOENT; error = -ENOENT;
info = "parent does not exist"; info = "parent does not exist";
name = ent->new->base.hname;
goto fail_lock; goto fail_lock;
} }
rcu_assign_pointer(ent->new->parent, aa_get_profile(p)); rcu_assign_pointer(ent->new->parent, aa_get_profile(p));
...@@ -1214,9 +1210,22 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace) ...@@ -1214,9 +1210,22 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
fail_lock: fail_lock:
mutex_unlock(&ns->lock); mutex_unlock(&ns->lock);
fail:
error = audit_policy(op, GFP_KERNEL, name, info, error);
/* audit cause of failure */
op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
audit_policy(op, GFP_KERNEL, ent->new->base.hname, info, error);
/* audit status that rest of profiles in the atomic set failed too */
info = "valid profile in failed atomic policy load";
list_for_each_entry(tmp, &lh, list) {
if (tmp == ent) {
info = "unchecked profile in failed atomic policy load";
/* skip entry that caused failure */
continue;
}
op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
audit_policy(op, GFP_KERNEL, tmp->new->base.hname, info, error);
}
free:
list_for_each_entry_safe(ent, tmp, &lh, list) { list_for_each_entry_safe(ent, tmp, &lh, list) {
list_del_init(&ent->list); list_del_init(&ent->list);
aa_load_ent_free(ent); aa_load_ent_free(ent);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment