[SRU,M,v2,0/1] apparmor: Fix move_mount mediation by detecting if source is detached

Message ID 20240209214328.690764-1-georgia.garcia@canonical.com

Message

Georgia Garcia Feb. 9, 2024, 9:43 p.m. UTC
BugLink: http://launchpad.net/bugs/2052662

[Impact]

In AppArmor mediation, detached mounts are appearing as / when
applying mount mediation, which is incorrect and leads to bad AppArmor
policy being generated.

In addition, the move_mount mediation is not being advertised to
userspace, which denies the applications the possibility to respond
accordingly.

[Fix]

Fixed upstream by commit 8026e40608b4d552216d2a818ca7080a4264bb44 by
preventing move_mount from applying the attach_disconnected flag.

[Test Plan]

Check if move_mount file is available in securityfs:

$ cat /sys/kernel/security/apparmor/features/mount/move_mount
detached

Run upstream AppArmor mount tests, which include move_mount mediation.
https://gitlab.com/apparmor/apparmor/-/blob/master/tests/regression/apparmor/mount.sh

[Where problems could occur]

Low chance of regression since the move_mount mediation fix is already
available in mantic and noble.

[Other info]

The kernel version currently in Noble 6.6 also needs this patch, but I
couldn't say for sure if you're still maintaining it due to the
official announcement in
https://discourse.ubuntu.com/t/introducing-kernel-6-8-for-the-24-04-noble-numbat-release/41958

John Johansen (1):
  apparmor: Fix move_mount mediation by detecting if source is detached

 security/apparmor/apparmorfs.c | 1 +
 security/apparmor/mount.c      | 4 ++++
 2 files changed, 5 insertions(+)
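The securityfs check from the [Test Plan] above, written as a preflight script (an added example, not part of this patch series or the AppArmor test suite). The function name `check_move_mount_feature` and the constructed file contents used in testing are assumptions; it reports whether the running kernel exposes the move_mount feature file and the "detached" keyword the fix advertises.

```shell
#!/bin/sh
# Added example: report whether the kernel advertises move_mount mediation
# with detached-source handling in securityfs. The features directory is a
# parameter so the check can be run against a copy of the tree.
#
# Prints one of:
#   no-mount-mediation     - features/mount does not exist
#   move_mount-missing     - mount mediation present, move_mount file absent
#   move_mount-no-detached - move_mount file present but no "detached" keyword
#   ok                     - fix present
# Returns 0 only for "ok".
check_move_mount_feature() {
    features_dir="${1:-/sys/kernel/security/apparmor/features}"
    mount_dir="$features_dir/mount"
    feature_file="$mount_dir/move_mount"

    if [ ! -d "$mount_dir" ]; then
        echo "no-mount-mediation"
        return 1
    fi
    if [ ! -r "$feature_file" ]; then
        echo "move_mount-missing"
        return 1
    fi
    # The file holds whitespace-separated keywords; match "detached" as a
    # whole word so a partial match cannot count as a pass.
    if ! tr -s ' \t\n' '\n\n\n' < "$feature_file" | grep -qx 'detached'; then
        echo "move_mount-no-detached"
        return 1
    fi
    echo "ok"
    return 0
}

# Stand-alone use against the live kernel: sh this_script.sh --run
if [ "${1:-}" = "--run" ]; then
    check_move_mount_feature
fi
```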

Comments

Andrei Gherzan Feb. 12, 2024, 11:39 a.m. UTC | #1
On 24/02/09 06:43PM, Georgia Garcia wrote:
> BugLink: http://launchpad.net/bugs/2052662
> 
> [Impact]
> 
> In AppArmor mediation, detached mounts are appearing as / when
> applying mount mediation, which is incorrect and leads to bad AppArmor
> policy being generated.
> 
> In addition, the move_mount mediation is not being advertised to
> userspace, which denies the applications the possibility to respond
> accordingly.
> 
> [Fix]
> 
> Fixed upstream by commit 8026e40608b4d552216d2a818ca7080a4264bb44 by
> preventing move_mount from applying the attach_disconnected flag.
> 
> [Test Plan]
> 
> Check if move_mount file is available in securityfs:
> 
> $ cat /sys/kernel/security/apparmor/features/mount/move_mount
> detached
> 
> Run upstream AppArmor mount tests, which include move_mount mediation.
> https://gitlab.com/apparmor/apparmor/-/blob/master/tests/regression/apparmor/mount.sh
> 
> [Where problems could occur]
> 
> Low chance of regression since the move_mount mediation fix is already
> available in mantic and noble.
> 
> [Other info]
> 
> The kernel version currently in Noble 6.6 also needs this patch, but I
> couldn't say for sure if you're still maintaining it due to the
> official announcement in
> https://discourse.ubuntu.com/t/introducing-kernel-6-8-for-the-24-04-noble-numbat-release/41958
> 
> John Johansen (1):
>   apparmor: Fix move_mount mediation by detecting if source is detached
> 
>  security/apparmor/apparmorfs.c | 1 +
>  security/apparmor/mount.c      | 4 ++++
>  2 files changed, 5 insertions(+)

Acked-by: Andrei Gherzan <andrei.gherzan@canonical.com>
Stefan Bader Feb. 13, 2024, 8:17 a.m. UTC | #2
On 09.02.24 22:43, Georgia Garcia wrote:
> BugLink: http://launchpad.net/bugs/2052662
> 
> [Impact]
> 
> In AppArmor mediation, detached mounts are appearing as / when
> applying mount mediation, which is incorrect and leads to bad AppArmor
> policy being generated.
> 
> In addition, the move_mount mediation is not being advertised to
> userspace, which denies the applications the possibility to respond
> accordingly.
> 
> [Fix]
> 
> Fixed upstream by commit 8026e40608b4d552216d2a818ca7080a4264bb44 by
> preventing move_mount from applying the attach_disconnected flag.
> 
> [Test Plan]
> 
> Check if move_mount file is available in securityfs:
> 
> $ cat /sys/kernel/security/apparmor/features/mount/move_mount
> detached
> 
> Run upstream AppArmor mount tests, which include move_mount mediation.
> https://gitlab.com/apparmor/apparmor/-/blob/master/tests/regression/apparmor/mount.sh
> 
> [Where problems could occur]
> 
> Low chance of regression since the move_mount mediation fix is already
> available in mantic and noble.
> 
> [Other info]
> 
> The kernel version currently in Noble 6.6 also needs this patch, but I
> couldn't say for sure if you're still maintaining it due to the
> official announcement in
> https://discourse.ubuntu.com/t/introducing-kernel-6-8-for-the-24-04-noble-numbat-release/41958
> 
> John Johansen (1):
>    apparmor: Fix move_mount mediation by detecting if source is detached
> 
>   security/apparmor/apparmorfs.c | 1 +
>   security/apparmor/mount.c      | 4 ++++
>   2 files changed, 5 insertions(+)
> 

Acked-by: Stefan Bader <stefan.bader@canonical.com>
Stefan Bader Feb. 19, 2024, 10:41 a.m. UTC | #3
On 09.02.24 22:43, Georgia Garcia wrote:
> BugLink: http://launchpad.net/bugs/2052662

https://bugs.launchpad.net/...

> 
> [Impact]
> 
> In AppArmor mediation, detached mounts are appearing as / when
> applying mount mediation, which is incorrect and leads to bad AppArmor
> policy being generated.
> 
> In addition, the move_mount mediation is not being advertised to
> userspace, which denies the applications the possibility to respond
> accordingly.
> 
> [Fix]
> 
> Fixed upstream by commit 8026e40608b4d552216d2a818ca7080a4264bb44 by
> preventing move_mount from applying the attach_disconnected flag.
> 
> [Test Plan]
> 
> Check if move_mount file is available in securityfs:
> 
> $ cat /sys/kernel/security/apparmor/features/mount/move_mount
> detached
> 
> Run upstream AppArmor mount tests, which include move_mount mediation.
> https://gitlab.com/apparmor/apparmor/-/blob/master/tests/regression/apparmor/mount.sh
> 
> [Where problems could occur]
> 
> Low chance of regression since the move_mount mediation fix is already
> available in mantic and noble.
> 
> [Other info]
> 
> The kernel version currently in Noble 6.6 also needs this patch, but I
> couldn't say for sure if you're still maintaining it due to the
> official announcement in
> https://discourse.ubuntu.com/t/introducing-kernel-6-8-for-the-24-04-noble-numbat-release/41958
> 
> John Johansen (1):
>    apparmor: Fix move_mount mediation by detecting if source is detached
> 
>   security/apparmor/apparmorfs.c | 1 +
>   security/apparmor/mount.c      | 4 ++++
>   2 files changed, 5 insertions(+)
> 

Applied to mantic:linux/master-next fixing BugLink to standard format. 
Thanks.

-Stefan