
Ignore 'x' in mixed file mode log events

Christian Boltz requested to merge cboltz/apparmor:cboltz-file-mixed-mode into master

Probably thanks to O_MAYEXEC, denials for file access can now contain a mix of x (exec) and other file permissions.

The actual exec should appear in a separate "exec" log event, therefore ignore 'x' in file events for now if it's mixed with other permissions.

Note that file events ("open", "link" etc.) that contain denied_mask="x" without another permission will still cause an error. (So far, this hasn't been seen in the wild.)

Fixes: #303 (closed)

Also add the log line from the bug report and the (for now) expected result as test_multi test case.

I propose this patch for all branches.
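
The rule described in this merge request, sketched as an added example; it is not the code from the merge request or from AppArmor's own utilities. The `FILE_OPERATIONS` set, the function and class names, and the sample log lines are assumptions constructed for illustration.

```python
import re

# Assumption: illustrative subset; the description names "open" and "link" as file events.
FILE_OPERATIONS = {"open", "link"}
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample audit lines (not taken from the bug report).
MIXED = ('type=AVC msg=audit(1700000000.000:1): apparmor="DENIED" operation="open" '
         'profile="example" name="/usr/bin/example" pid=100 comm="demo" '
         'requested_mask="rx" denied_mask="rx" fsuid=1000 ouid=0')
EXEC = MIXED.replace('operation="open"', 'operation="exec"').replace('"rx"', '"x"')
ONLY_X = MIXED.replace('"rx"', '"x"')


class UnexpectedExecMask(ValueError):
    """File event whose denied_mask is 'x' alone; still treated as an error."""


def parse_event(line):
    """Split one audit line into a dict of its key=value fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def normalize_file_mask(operation, mask):
    """Drop 'x' from a file event's mask when other permissions are present."""
    if operation not in FILE_OPERATIONS or "x" not in mask:
        return mask  # exec events and x-free masks pass through unchanged
    rest = mask.replace("x", "")
    if not rest:
        raise UnexpectedExecMask(f"{operation} event with denied_mask={mask!r}")
    return rest


def denied_file_perms(line):
    """Return (operation, name, effective denied mask) for one log line."""
    ev = parse_event(line)
    op = ev["operation"]
    return op, ev["name"], normalize_file_mask(op, ev["denied_mask"])


if __name__ == "__main__":
    for sample in (MIXED, EXEC):
        print(denied_file_perms(sample))
```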
