diff options
| author | John Johansen <john.johansen@canonical.com> | 2017-12-07 03:28:27 -0500 |
|---|---|---|
| committer | John Johansen <john.johansen@canonical.com> | 2018-01-05 18:07:42 -0500 |
| commit | 5b9f57cf47b87f07210875d6a24776b4496b818d (patch) | |
| tree | b3c7dc808d1a67ca1bd9379c532af6e1a67b643f | |
| parent | 30a7acd573899fd8b8ac39236eff6468b195ac7d (diff) | |
apparmor: fix regression in mount mediation when feature set is pinned
When the mount code was refactored for Labels it was not correctly
updated to check whether policy supported mediation of the mount
class. This causes a regression when the kernel feature set is
reported as supporting mount and policy is pinned to a feature set
that does not support mount mediation.
BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882697#41
Fixes: 2ea3ffb7782a ("apparmor: add mount mediation")
Reported-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>
| -rw-r--r-- | security/apparmor/mount.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c index ed9b4d0f9f7e..8c558cbce930 100644 --- a/security/apparmor/mount.c +++ b/security/apparmor/mount.c | |||
| @@ -329,6 +329,9 @@ static int match_mnt_path_str(struct aa_profile *profile, | |||
| 329 | AA_BUG(!mntpath); | 329 | AA_BUG(!mntpath); |
| 330 | AA_BUG(!buffer); | 330 | AA_BUG(!buffer); |
| 331 | 331 | ||
| 332 | if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT)) | ||
| 333 | return 0; | ||
| 334 | |||
| 332 | error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer, | 335 | error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer, |
| 333 | &mntpnt, &info, profile->disconnected); | 336 | &mntpnt, &info, profile->disconnected); |
| 334 | if (error) | 337 | if (error) |
| @@ -380,6 +383,9 @@ static int match_mnt(struct aa_profile *profile, const struct path *path, | |||
| 380 | AA_BUG(!profile); | 383 | AA_BUG(!profile); |
| 381 | AA_BUG(devpath && !devbuffer); | 384 | AA_BUG(devpath && !devbuffer); |
| 382 | 385 | ||
| 386 | if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT)) | ||
| 387 | return 0; | ||
| 388 | |||
| 383 | if (devpath) { | 389 | if (devpath) { |
| 384 | error = aa_path_name(devpath, path_flags(profile, devpath), | 390 | error = aa_path_name(devpath, path_flags(profile, devpath), |
| 385 | devbuffer, &devname, &info, | 391 | devbuffer, &devname, &info, |
| @@ -558,6 +564,9 @@ static int profile_umount(struct aa_profile *profile, struct path *path, | |||
| 558 | AA_BUG(!profile); | 564 | AA_BUG(!profile); |
| 559 | AA_BUG(!path); | 565 | AA_BUG(!path); |
| 560 | 566 | ||
| 567 | if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT)) | ||
| 568 | return 0; | ||
| 569 | |||
| 561 | error = aa_path_name(path, path_flags(profile, path), buffer, &name, | 570 | error = aa_path_name(path, path_flags(profile, path), buffer, &name, |
| 562 | &info, profile->disconnected); | 571 | &info, profile->disconnected); |
| 563 | if (error) | 572 | if (error) |
| @@ -613,7 +622,8 @@ static struct aa_label *build_pivotroot(struct aa_profile *profile, | |||
| 613 | AA_BUG(!new_path); | 622 | AA_BUG(!new_path); |
| 614 | AA_BUG(!old_path); | 623 | AA_BUG(!old_path); |
| 615 | 624 | ||
| 616 | if (profile_unconfined(profile)) | 625 | if (profile_unconfined(profile) || |
| 626 | !PROFILE_MEDIATES(profile, AA_CLASS_MOUNT)) | ||
| 617 | return aa_get_newest_label(&profile->label); | 627 | return aa_get_newest_label(&profile->label); |
| 618 | 628 | ||
| 619 | error = aa_path_name(old_path, path_flags(profile, old_path), | 629 | error = aa_path_name(old_path, path_flags(profile, old_path), |