Commit cbedbdde authored by Tyler Hicks

libapparmor: ENOENT should only signify label not found in label queries

It may be useful to applications that do AppArmor queries to know if the
subject label in the query is unknown to the kernel. For example, the
corresponding profile may have been removed/renamed.

This patch eliminates all potential return locations of aa_query_label()
that may have errno set to ENOENT, except for the write() to
apparmorfs/.access that sets ENOENT when the subject label isn't found
by the kernel.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
parent fe3ccea3
......@@ -684,7 +684,9 @@ static void aafs_access_init_once(void)
* @audited: upon successful return, will be 1 if query should be audited and 0
* if not
*
* Returns: 0 on success else -1 and sets errno
* Returns: 0 on success else -1 and sets errno. If -1 is returned and errno is
* ENOENT, the subject label in the query string is unknown to the
* kernel.
*/
int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
int *audited)
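Review bot: the updated Returns text documents the ENOENT meaning but not the other errno value this same patch introduces, EPROTONOSUPPORT, which is set when opening apparmorfs/.access fails with ENOENT. Callers that now branch on ENOENT for "label not found" will also want to know how "the kernel has no label-query interface" is reported, so consider extending the comment, e.g. `* ENOENT, the subject label in the query string is unknown to the` / `* kernel. If errno is EPROTONOSUPPORT, the kernel does not support` / `* label queries.`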
......@@ -708,8 +710,11 @@ int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
}
fd = open(aafs_access, O_RDWR);
if (fd == -1)
if (fd == -1) {
if (errno == ENOENT)
errno = EPROTONOSUPPORT;
return -1;
}
memcpy(query, AA_QUERY_CMD_LABEL, AA_QUERY_CMD_LABEL_SIZE);
errno = 0;
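Review bot: the `errno == ENOENT` to `EPROTONOSUPPORT` remap after the failed open() carries no explanation in the code; the rationale (a missing .access file means the kernel lacks the query interface, and ENOENT must stay reserved for "subject label not found" further down) lives only in the commit message. A short comment at the remap, such as `/* no .access file: no kernel query support; keep ENOENT for 'label not found' */`, would stop a later cleanup from removing what looks like an arbitrary errno substitution.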
......@@ -717,6 +722,10 @@ int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
if (ret != size) {
if (ret >= 0)
errno = EPROTO;
/* IMPORTANT: This is the only valid error path that can have
* errno set to ENOENT. It indicates that the subject label
* could not be found by the kernel.
*/
return -1;
}
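Review bot: the IMPORTANT comment sits after the `if (ret >= 0) errno = EPROTO;` branch, but the ENOENT case it describes is the `ret < 0` case where write() itself set errno; placing the comment directly above the `if (ret >= 0)` check, or wording it as "when write() returns -1 with errno ENOENT, ...", would make it clear which branch it applies to. It would also help to state that the `errno = 0;` before the write is what guarantees a stale ENOENT cannot reach this path.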
......@@ -725,8 +734,7 @@ int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
(void)close(fd);
errno = saved;
if (ret != QUERY_LABEL_REPLY_LEN) {
if (ret >= 0)
errno = EPROTO;
errno = EPROTO;
return -1;
}
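Review bot: dropping the `if (ret >= 0)` guard makes `errno = EPROTO` unconditional for a short or failed read, which discards the errno that the preceding `errno = saved;` went to the trouble of preserving across close(); a real read() failure (EINTR, EIO, etc.) is now reported to callers as EPROTO. If the intent is only to keep ENOENT out of this path, a narrower change such as `if (ret >= 0 || errno == ENOENT) errno = EPROTO;` keeps the other read error codes intact; if the broader remap is deliberate, a comment saying so would help.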