apparmor: exec should not be returning ENOENT when it denies
author John Johansen <john.johansen@canonical.com>
Fri, 25 Jul 2014 11:02:03 +0000 (04:02 -0700)
committer John Johansen <john.johansen@canonical.com>
Tue, 12 Jul 2016 15:43:10 +0000 (08:43 -0700)
The current behavior is confusing as it causes exec failures to report
the executable is missing instead of identifying that apparmor
caused the failure.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
security/apparmor/domain.c

index dc0027b28b049fa86b83543e2ce0a0640e591c89..67a7418937a5b1a6ca4412531859d8ec6836e26f 100644 (file)
@@ -433,7 +433,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
                                new_profile = aa_get_newest_profile(ns->unconfined);
                                info = "ux fallback";
                        } else {
-                               error = -ENOENT;
+                               error = -EACCES;
                                info = "profile not found";
                                /* remove MAY_EXEC to audit as failure */
                                perms.allow &= ~MAY_EXEC;
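
Review bot: In the else branch, `error = -EACCES;` now sits directly above `info = "profile not found";` with nothing in the code saying why a failed profile lookup maps to a permission error instead of -ENOENT. A short comment on that line, noting that the missing object is the target profile and not the executable, so the exec must be reported as a denial, would keep a later cleanup from changing it back. The commit message could also say that the errno returned to the caller changes only in this "profile not found" path, since the subject line reads as if every exec denial were affected while the hunk touches a single branch.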