libapparmor: fix failure in procattr accesses due to domain change

John Johansen requested to merge jjohansen/apparmor:fix-libprocattr into master

libapparmor on startup does detection of whether the new stacking proc interfaces are available and then stores a var for which interface should be used. This avoids libapparmor needing to detect which interface to use on each proc-based API call.

Unfortunately, if the domain is changed on the task via change_hat or change_profile and the proc interface is used after the domain change, it is possible that access to the interface will be denied by policy. This is not a problem in and of itself, except that policy may have been created assuming the old interface.

Fix this by adding a fallback that tries the old interface if we are using the new interface by default and the failure was due to an EACCES denial (policy based).

Also refactor the code a bit so this retry is isolated to one function instead of adding it in two places.

Fixes: #131 (closed)
Signed-off-by: John Johansen john.johansen@canonical.com
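As an added illustration (not code from this merge request or from libapparmor), the C sketch below shows the fallback the description outlines: prefer the new interface, and retry the old one in a single helper only when the failure is an EACCES policy denial. The proc paths, the `use_new_iface` flag and all function names are assumptions made for the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed paths (not stated in the MR): the newer stacking-aware interface
 * lives under attr/apparmor/, the older one directly under attr/. */
#define NEW_IFACE_FMT "/proc/%d/attr/apparmor/%s"
#define OLD_IFACE_FMT "/proc/%d/attr/%s"

static int use_new_iface = 1;  /* detected once at startup, as in the MR */

/* Build the path of attribute 'attr' for task 'pid' on the chosen interface. */
static int attr_path(char *buf, size_t n, int new_iface, pid_t pid, const char *attr)
{
    return snprintf(buf, n, new_iface ? NEW_IFACE_FMT : OLD_IFACE_FMT, (int)pid, attr);
}

/* Fallback rule: retry the old interface only when the new one was in use and
 * the failure is a policy denial (EACCES). Other errors are not masked. */
static int should_retry_old(int new_iface, int rc, int err)
{
    return new_iface && rc < 0 && err == EACCES;
}

/* The one place the retry lives; all proc-attr accessors open through here. */
static int open_attr(pid_t pid, const char *attr, int flags)
{
    char path[128];

    if (use_new_iface) {
        attr_path(path, sizeof(path), 1, pid, attr);
        int fd = open(path, flags);
        if (!should_retry_old(use_new_iface, fd, errno))
            return fd;  /* success, or an error the caller must see */
    }
    attr_path(path, sizeof(path), 0, pid, attr);
    return open(path, flags);
}

int main(void)
{
    char label[256];
    int fd = open_attr(getpid(), "current", O_RDONLY);
    if (fd < 0) { perror("open_attr"); return 1; }
    ssize_t n = read(fd, label, sizeof(label) - 1);
    close(fd);
    if (n > 0) { label[n] = '\0'; printf("%s", label); }
    return n > 0 ? 0 : 1;
}
```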