authorRyan Lee <ryan.lee@canonical.com>2025-06-23 14:58:00 -0700
committerJohn Johansen <john.johansen@canonical.com>2025-07-20 02:19:28 -0700
commit4ce7d3cf5ad846a8843f8afc78de2a8309f74f12 (patch)
tree1d2de151ecaddc8baf00effa684fc8b9be8cb39c
parentda0edababafa444e638a0be6dd2feef0a9e529e2 (diff)
apparmor: remove redundant perms.allow MAY_EXEC bitflag set
This section of profile_transition that occurs after x_to_label only happens if perms.allow already has the MAY_EXEC bit set, so we don't need to set it again. Fixes: 16916b17b4f8 ("apparmor: force auditing of conflicting attachment execs from confined") Signed-off-by: Ryan Lee <ryan.lee@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
-rw-r--r--security/apparmor/domain.c4
1 files changed, 1 insertions, 3 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index f9370a63a83c..d689597f253b 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -734,10 +734,8 @@ static struct aa_label *profile_transition(const struct cred *subj_cred,
* we don't need to care about clobbering it
*/
if (info == CONFLICTING_ATTACH_STR_IX
- || info == CONFLICTING_ATTACH_STR_UX) {
+ || info == CONFLICTING_ATTACH_STR_UX)
perms.audit |= MAY_EXEC;
- perms.allow |= MAY_EXEC;
- }
/* hack ix fallback - improve how this is detected */
goto audit;
} else if (!new) {
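Review bot: The now-unbraced `perms.audit |= MAY_EXEC;` depends on an invariant that is not stated at this site: per the commit message, this path after x_to_label is only reached when perms.allow already has MAY_EXEC set. The visible tail of the comment above the `if` talks about clobbering, not about the allow bit, so I would extend it with something like `/* perms.allow already has MAY_EXEC on this path; only the audit bit is forced */`. Dropping the allow write is the safer direction, since this branch can no longer grant exec on its own. However, a later refactor that breaks the invariant would change behaviour silently, so a debug-only assertion on `perms.allow & MAY_EXEC` may be worth considering. profile_transition starts and ends outside the hunk, so the check that establishes the invariant cannot be confirmed from these lines.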