APPLIED/Cmnt: [SRU][M][PATCH v2 0/1] apparmor: Fix move_mount mediation by detecting if source is detached
Stefan Bader
stefan.bader at canonical.com
Mon Feb 19 10:41:56 UTC 2024
On 09.02.24 22:43, Georgia Garcia wrote:
> BugLink: http://launchpad.net/bugs/2052662
https://bugs.launchpad.net/...
>
> [Impact]
>
> In AppArmor mediation, detached mounts are appearing as / when
> applying mount mediation, which is incorrect and leads to bad AppArmor
> policy being generated.
>
> In addition, the move_mount mediation is not being advertised to
> userspace, which denies the applications the possibility to respond
> accordingly.
>
> [Fix]
>
> Fixed upstream by commit 8026e40608b4d552216d2a818ca7080a4264bb44 by
> preventing move_mount from applying the attach_disconnected flag.
>
> [Test Plan]
>
> Check if move_mount file is available in securityfs:
>
> $ cat /sys/kernel/security/apparmor/features/mount/move_mount
> detached
>
> Run upstream AppArmor mount tests, which include move_mount mediation.
> https://gitlab.com/apparmor/apparmor/-/blob/master/tests/regression/apparmor/mount.sh
>
> [Where problems could occur]
>
> Low chance of regression since the move_mount mediation fix is already
> available in mantic, and noble.
>
> [Other info]
>
> The kernel version currently in Noble 6.6 also needs this patch, but I
> couldn't say for sure if you're still maintaining it due to the
> official announcement in
> https://discourse.ubuntu.com/t/introducing-kernel-6-8-for-the-24-04-noble-numbat-release/41958
>
> John Johansen (1):
> apparmor: Fix move_mount mediation by detecting if source is detached
>
> security/apparmor/apparmorfs.c | 1 +
> security/apparmor/mount.c | 4 ++++
> 2 files changed, 5 insertions(+)
>
Applied to mantic:linux/master-next fixing BugLink to standard format.
Thanks.
-Stefan