apparmor: exec should not be returning ENOENT when it denies

The current behavior is confusing as it causes exec failures to report
the executable is missing instead of identifying that apparmor
caused the failure.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index dc0027b28b049fa86b83543e2ce0a0640e591c89..67a7418937a5b1a6ca4412531859d8ec6836e26f 100644 (file)
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -433,7 +433,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
                                new_profile = aa_get_newest_profile(ns->unconfined);
                                info = "ux fallback";
                        } else {
-                               error = -ENOENT;
+                               error = -EACCES;
                                info = "profile not found";
                                /* remove MAY_EXEC to audit as failure */
                                perms.allow &= ~MAY_EXEC;