Kernel/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2025-01-04 04:06:26 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

+ Bug Fix

Browse Source 
- Fix move_mount mediation regression when source is detached
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEE7cSDD705q2rFEEf7BS82cBjVw9gFAmWVv7gACgkQBS82cBjV
 w9h8dA//UHcaX3cQ0opftuUJQmjFaGrk0uqgtN+oXM4rhj+AEGGFNlieBW+H2FQH
 wGWYpIgpc+h1kZLjUdqxoEznQucjAwqm6/p/sqJCxCe6X1eDe5NNVBrWs1O+EbEf
 GIvHD484Kvz6pHCXh7SATrue5i7vmU/b4TvklTW4alGFE6KVSZ3ZUADhnGPt4zoY
 s8dNJ81OlBWyWnJ5laXpoEVpEDgboeaGpXjrKCxHdYYO0YOBEYduQsfEVblTU3AI
 /pbctMFk55hA3qZTpWAOvsNAp5UKwIewj0hEzOhwyhXC5Iz0b4SS9uAo6TVqHOVn
 vgK7zN5UaI+AIKkjZuFIms7weIsXnuP8PucN7AX2NEdZgm0P4QfqOIlAsBORx3+o
 ZqRdO/d9nkc84+slumxra+TPNXA7qnsufH58rdQrKAaDVGcKsuSMtj4wKWLui21W
 MX1vXHFMJut1Vfuch/4x8eq6/iPtIq6BGa499hGmVC+K6QKPskyMEKl17aEvAqi4
 dQmYyaVmnuZyLKjX6IIOXOfLhNf8KsCHJsvZBu07yj3DLpHKspBC/bRodAcK5cK3
 Y3srUfCUNr4j3Me3OUZdSJ7xQ9ztSg1M1U27dKM3w/sdf5U3O84+atT6x+Y7EEp8
 uquXJqomx35aUhE8SKPRC/vGireBA0WLs10fMtVAV1V/sZTCF7w=
 =tRkN
 -----END PGP SIGNATURE-----

Merge tag 'apparmor-pr-2024-01-03' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

Pull apparmor fix from John Johansen:
 "Detect that the source mount is not in the namespace and if it isn't
  don't use it as a source path match.

  This prevent apparmor from applying the attach_disconnected flag to
  move_mount() source which prevents detached mounts from appearing as /
  when applying mount mediation, which is not only incorrect but could
  result in bad policy being generated"

* tag 'apparmor-pr-2024-01-03' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
  apparmor: Fix move_mount mediation by detecting if source is detached
This commit is contained in:
Linus Torvalds 2024-01-03 13:58:37 -08:00
commit d7807d8544
2 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
security/apparmor/apparmorfs.c
View File

@ -2373,6 +2373,7 @@ static struct aa_sfs_entry aa_sfs_entry_policy[] = {
static struct aa_sfs_entry aa_sfs_entry_mount[] = {
AA_SFS_FILE_STRING("mask", "mount umount pivot_root"),
AA_SFS_FILE_STRING("move_mount", "detached"),
{ }
};

4
security/apparmor/mount.c
View File

@ -499,6 +499,10 @@ int aa_move_mount(const struct cred *subj_cred,
error = -ENOMEM;
if (!to_buffer || !from_buffer)
goto out;
if (!our_mnt(from_path->mnt))
/* moving a mount detached from the namespace */
from_path = NULL;
error = fn_for_each_confined(label, profile,
match_mnt(subj_cred, profile, to_path, to_buffer,
from_path, from_buffer,