[SRU][M][PATCH 0/1] apparmor: Fix move_mount mediation by detecting if source is detached
Georgia Garcia
georgia.garcia at canonical.com
Wed Feb 7 20:57:39 UTC 2024
BugLink: http://launchpad.net/bugs/2052662
[Impact]
In AppArmor mediation, detached mounts are appearing as / when
applying mount mediation, which is incorrect and leads to bad AppArmor
policy being generated.
In addition, the move_mount mediation is not being advertised to
userspace, which denies the applications the possibility to respond
accordingly.
[Fix]
Fixed upstream by commit 8026e40608b4d552216d2a818ca7080a4264bb44 by
preventing move_mount from applying the attach_disconnected flag.
[Test Plan]
Check if move_mount file is available in securityfs:
$ cat /sys/kernel/security/apparmor/features/mount/move_mount
detached
Run upstream AppArmor mount tests, which include move_mount mediation.
https://gitlab.com/apparmor/apparmor/-/blob/master/tests/regression/apparmor/mount.sh
[Where problems could occur]
Low chance of regression since the move_mount mediation fix is already
available in mantic and noble.
[Other info]
The kernel version currently in Noble 6.6 also needs this patch, but I
couldn't say for sure if you're still maintaining it due to the
official announcement in
https://discourse.ubuntu.com/t/introducing-kernel-6-8-for-the-24-04-noble-numbat-release/41958
John Johansen (1):
apparmor: Fix move_mount mediation by detecting if source is detached
security/apparmor/apparmorfs.c | 1 +
security/apparmor/mount.c | 4 ++++
2 files changed, 5 insertions(+)
--
2.34.1
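The securityfs check from the test plan above, written out as an added example (not part of the patch series or the upstream test suite): it reports whether the running kernel advertises move_mount mediation, distinguishing "AppArmor not available" from "kernel lacks the fix". The directory argument is a hypothetical parameter so the check can be run against a constructed feature tree; the real path is /sys/kernel/security/apparmor/features.

```shell
#!/bin/sh
# Added example: verify that the kernel advertises move_mount mediation in
# AppArmor's securityfs feature tree (what the apparmorfs.c change adds).
# $1 is a hypothetical override of the features directory for testing;
# the real path is /sys/kernel/security/apparmor/features.
check_move_mount_feature() {
    features_dir="${1:-/sys/kernel/security/apparmor/features}"
    f="$features_dir/mount/move_mount"

    # No features directory: securityfs not mounted or AppArmor disabled.
    if [ ! -d "$features_dir" ]; then
        echo "apparmor features not found under $features_dir"
        return 2
    fi

    # Directory present but no move_mount file: kernel lacks the fix, so
    # userspace cannot tell that move_mount is mediated.
    if [ ! -f "$f" ]; then
        echo "move_mount mediation not advertised: kernel lacks the fix"
        return 1
    fi

    # The cover letter's test plan expects the file to read "detached".
    if grep -q '^detached$' "$f"; then
        echo "move_mount mediation advertised: $(cat "$f")"
        return 0
    fi

    echo "move_mount file present but unexpected contents: $(cat "$f")"
    return 3
}
```

Run with no argument on a real system; a return code of 0 means the fix is present, 1 that the kernel predates it, 2 that AppArmor's securityfs tree is unavailable.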