| Message ID | 94b09a9a-4e2d-43d4-9230-f72662817086@canonical.com (mailing list archive) |
|---|---|
| State | Handled Elsewhere |
| Headers | show |
| Series | [GIT,PULL] apparmor: Final fix for v6.7-rc8 | expand |
The pull request you sent on Wed, 3 Jan 2024 12:26:25 -0800:
> git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor tags/apparmor-pr-2024-01-03
has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/d7807d8544e56af9b5523f15eddac09ec0291b4e
Thank you!
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index 38650e52ef57..2d9f2a4b4519 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -2373,6 +2373,7 @@ static struct aa_sfs_entry aa_sfs_entry_policy[] = { static struct aa_sfs_entry aa_sfs_entry_mount[] = { AA_SFS_FILE_STRING("mask", "mount umount pivot_root"), + AA_SFS_FILE_STRING("move_mount", "detached"), { } }; diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c index fb30204c761a..49fe8da6fea4 100644 --- a/security/apparmor/mount.c +++ b/security/apparmor/mount.c @@ -499,6 +499,10 @@ int aa_move_mount(const struct cred *subj_cred, error = -ENOMEM; if (!to_buffer || !from_buffer) goto out; + + if (!our_mnt(from_path->mnt)) + /* moving a mount detached from the namespace */ + from_path = NULL; error = fn_for_each_confined(label, profile, match_mnt(subj_cred, profile, to_path, to_buffer, from_path, from_buffer,
Linus, Please pull the following fix for the apparmor move_mount regression - detect that the source mount is not in the namespace and if it isn't don't use it as a source path match. This prevent apparmor from applying the attach_disconnected flag to move_mount() source which prevents detached mounts from appearing as / when applying mount mediation, which is not only incorrect but could result in bad policy being generated. The following changes since commit 610a9b8f49fbcf1100716370d3b5f6f884a2835a: Linux 6.7-rc8 (2023-12-31 12:51:25 -0800) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor tags/apparmor-pr-2024-01-03 for you to fetch changes up to 8026e40608b4d552216d2a818ca7080a4264bb44: apparmor: Fix move_mount mediation by detecting if source is detached (2024-01-03 12:10:29 -0800) ---------------------------------------------------------------- + Bug Fix - Fix move_mount mediation regression when source is detached ---------------------------------------------------------------- John Johansen (1): apparmor: Fix move_mount mediation by detecting if source is detached security/apparmor/apparmorfs.c | 1 + security/apparmor/mount.c | 4 ++++ 2 files changed, 5 insertions(+) ---------------------------