
Commit 5b9f57c

apparmor: fix regression in mount mediation when feature set is pinned
When the mount code was refactored for Labels it was not correctly updated to check whether policy supported mediation of the mount class. This causes a regression when the kernel feature set is reported as supporting mount and policy is pinned to a feature set that does not support mount mediation. BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882697#41 Fixes: 2ea3ffb ("apparmor: add mount mediation") Reported-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> Cc: Stable <stable@vger.kernel.org> Signed-off-by: John Johansen <john.johansen@canonical.com>
1 parent 30a7acd commit 5b9f57c


1 file changed

+11
-1
lines changed


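--- a/security/apparmor/mount.c
+++ b/security/apparmor/mount.c
@@ -329,6 +329,9 @@ static int match_mnt_path_str(struct aa_profile *profile,
 AA_BUG(!mntpath);
 AA_BUG(!buffer);
 
+if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
+return 0;
+
 error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer,
 &mntpnt, &info, profile->disconnected);
 if (error)
@@ -380,6 +383,9 @@ static int match_mnt(struct aa_profile *profile, const struct path *path,
 AA_BUG(!profile);
 AA_BUG(devpath && !devbuffer);
 
+if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
+return 0;
+
 if (devpath) {
 error = aa_path_name(devpath, path_flags(profile, devpath),
 devbuffer, &devname, &info,
@@ -558,6 +564,9 @@ static int profile_umount(struct aa_profile *profile, struct path *path,
 AA_BUG(!profile);
 AA_BUG(!path);
 
+if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
+return 0;
+
 error = aa_path_name(path, path_flags(profile, path), buffer, &name,
 &info, profile->disconnected);
 if (error)
@@ -613,7 +622,8 @@ static struct aa_label *build_pivotroot(struct aa_profile *profile,
 AA_BUG(!new_path);
 AA_BUG(!old_path);
 
-if (profile_unconfined(profile))
+if (profile_unconfined(profile) ||
+!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
 return aa_get_newest_label(&profile->label);
 
 error = aa_path_name(old_path, path_flags(profile, old_path),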
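Review bot: The new `PROFILE_MEDIATES(profile, AA_CLASS_MOUNT)` guard in match_mnt_path_str returns 0 with no comment saying that 0 here means "permit", which is the security-relevant outcome of this change: a profile compiled against a feature set without mount mediation now allows the operation before any path lookup or rule matching runs, and the same silent-permit appears in match_mnt and profile_umount, while build_pivotroot expresses it by handing back the profile's label. A one-line comment above the first check would make that intent explicit for the next reader, e.g. `/* policy pinned to a feature set without mount mediation: permit, nothing to match */`, mirrored at the other three sites. Whether the unconfined case is handled by the callers of the three int-returning helpers (only build_pivotroot pairs the new check with profile_unconfined) cannot be told from these hunks, so it is worth confirming against the call sites. All four enclosing functions begin and end outside the hunks shown.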
