
Commit 75c77e9

apparmor: provide separate audit messages for file and policy checks
Improve policy load failure messages by identifying which dfa the verification check failed in. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
1 parent 90c436a commit 75c77e9

1 file changed

+11
-5
lines changed

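--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -1240,12 +1240,18 @@ static int verify_profile(struct aa_profile *profile)
 if (!rules)
 return 0;
 
-if ((rules->file.dfa && !verify_dfa_accept_index(rules->file.dfa,
-rules->file.size)) ||
-(rules->policy.dfa &&
-!verify_dfa_accept_index(rules->policy.dfa, rules->policy.size))) {
+if (rules->file.dfa && !verify_dfa_accept_index(rules->file.dfa,
+rules->file.size)) {
 audit_iface(profile, NULL, NULL,
-"Unpack: Invalid named transition", NULL, -EPROTO);
+"Unpack: file Invalid named transition", NULL,
+-EPROTO);
+return -EPROTO;
+}
+if (rules->policy.dfa &&
+!verify_dfa_accept_index(rules->policy.dfa, rules->policy.size)) {
+audit_iface(profile, NULL, NULL,
+"Unpack: policy Invalid named transition", NULL,
+-EPROTO);
 return -EPROTO;
 }
 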
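Review bot: The two new info strings at new lines 1246 and 1253, `"Unpack: file Invalid named transition"` and `"Unpack: policy Invalid named transition"`, no longer contain the old text `"Unpack: Invalid named transition"`, so a log filter or alert rule that matches on the old audit string would stop firing on these policy-load failures; whether such consumers exist is not visible from this page. Putting the qualifier at the end, e.g. `"Unpack: Invalid named transition in file dfa"` and `"Unpack: Invalid named transition in policy dfa"`, keeps the old text as a prefix and avoids the capital in mid-phrase. The file check returns before the policy check runs, so a profile in which both DFAs fail verification is audited only for the file one; a one-line comment such as `/* report the first failing dfa only */` would make that intent explicit. verify_profile starts and ends outside the hunk.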
