• J
    apparmor: fix absroot causing audited secids to begin with = · 511f7b5b
    John Johansen 提交于
    AppArmor is prefixing secids that are converted to secctx with the =
    to indicate the secctx should only be parsed from an absolute root
    POV. This allows catching errors where secctx are reparsed back into
    internal labels.
    
    Unfortunately because audit is using secid to secctx conversion this
    means that subject and object labels can result in a very unfortunate
    == that can break audit parsing.
    
    eg. the subj==unconfined term in the below audit message
    
    type=USER_LOGIN msg=audit(1639443365.233:160): pid=1633 uid=0 auid=1000
    ses=3 subj==unconfined msg='op=login id=1000 exe="/usr/sbin/sshd"
    hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/1 res=success'
    
    Fix this by switch the prepending of = to a _. This still works as a
    special character to flag this case without breaking audit. Also move
    this check behind debug as it should not be needed during normal
    operqation.
    
    Fixes: 26b78995 ("apparmor: add support for absolute root view based labels")
    Reported-by: NCasey Schaufler <casey@schaufler-ca.com>
    Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
    511f7b5b
lib.h 7.9 KB