From: Georgia Garcia
To: kernel-team@lists.ubuntu.com
Subject: [SRU][M][PATCH v2 0/1] apparmor: Fix move_mount mediation by detecting if source is detached
Date: Fri, 9 Feb 2024 18:43:27 -0300
Message-Id: <20240209214328.690764-1-georgia.garcia@canonical.com>

BugLink: http://launchpad.net/bugs/2052662

[Impact]

In AppArmor mediation, detached mounts are appearing as / when applying
mount mediation, which is incorrect and leads to bad AppArmor policy being
generated. In addition, the move_mount mediation is not being advertised
to userspace, which denies the applications the possibility to respond
accordingly.

[Fix]

Fixed upstream by commit 8026e40608b4d552216d2a818ca7080a4264bb44 by
preventing move_mount from applying the attach_disconnected flag.

[Test Plan]

Check if move_mount file is available in securityfs:

$ cat /sys/kernel/security/apparmor/features/mount/move_mount
detached

Run upstream AppArmor mount tests, which include move_mount mediation.
https://gitlab.com/apparmor/apparmor/-/blob/master/tests/regression/apparmor/mount.sh

[Where problems could occur]

Low chance of regression since the move_mount mediation fix is already
available in mantic and noble.

[Other info]

The kernel version currently in Noble 6.6 also needs this patch, but I
couldn't say for sure if you're still maintaining it due to the official
announcement in
https://discourse.ubuntu.com/t/introducing-kernel-6-8-for-the-24-04-noble-numbat-release/41958

John Johansen (1):
  apparmor: Fix move_mount mediation by detecting if source is detached

 security/apparmor/apparmorfs.c | 1 +
 security/apparmor/mount.c      | 4 ++++
 2 files changed, 5 insertions(+)

Acked-by: Andrei Gherzan
Acked-by: Stefan Bader
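The securityfs check from the test plan above, written up as a small script so it can distinguish the three outcomes a tester will meet (AppArmor securityfs absent, move_mount not advertised, move_mount advertised with or without "detached"). This is an added example, not part of the patch submission or of the AppArmor test suite; the fixture directory it builds for offline testing is constructed and only mimics the securityfs layout.

```shell
#!/bin/sh
# Added example: check whether the running kernel advertises move_mount
# mediation with detached-source detection, as the cover letter's test
# plan does with `cat`. $1 optionally overrides the securityfs root so the
# check can run against a constructed tree instead of the live system.
# Return codes: 0 = advertised with "detached" (fix present),
#               1 = file present but lacks "detached",
#               2 = move_mount not advertised at all,
#               3 = AppArmor securityfs directory not present.

move_mount_feature_status() {
    root="${1:-/sys/kernel/security/apparmor}"
    feat="$root/features/mount/move_mount"
    if [ ! -d "$root" ]; then
        echo "apparmor securityfs not present (AppArmor disabled or securityfs not mounted)"
        return 3
    fi
    if [ ! -r "$feat" ]; then
        echo "move_mount not advertised: kernel lacks move_mount mediation"
        return 2
    fi
    # The fixed kernel publishes the literal string "detached" in this file.
    if grep -qx detached "$feat"; then
        echo "move_mount mediation with detached-source detection advertised"
        return 0
    fi
    echo "move_mount advertised but without 'detached': fix not applied"
    return 1
}

# Constructed fixture (hypothetical layout for offline testing only):
# $1 = fixed | unfixed | nofeature; prints the fixture root directory.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/features/mount"
    if [ "$1" = fixed ]; then
        printf 'detached\n' > "$dir/features/mount/move_mount"
    elif [ "$1" = unfixed ]; then
        : > "$dir/features/mount/move_mount"
    fi
    echo "$dir"
}
```

On a live system run `move_mount_feature_status` with no argument; the exit code is what a regression script should key on.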