From 17322cc3f9ba578f20b5c09fb1630bd234040008 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Mon, 18 Feb 2013 15:59:34 -0800
Subject: [PATCH] apparmor: fix auditing of domain transition failures due to
 incomplete policy

When policy specifies a transition to a profile that is not currently
loaded, it result in exec being denied.  However the failure is not being
audited correctly because the audit code is treating this as an allowed
permission and thus not reporting it.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
---
 security/apparmor/domain.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 859abda..7bc85c7 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -443,6 +443,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 			} else {
 				error = -ENOENT;
 				info = "profile not found";
+				/* remove MAY_EXEC to audit as failure */
+				perms.allow &= ~MAY_EXEC;
 			}
 		}
 	} else if (COMPLAIN_MODE(profile)) {
-- 
2.7.4