apparmor: fix regression in mount mediation when feature set is pinned
authorJohn Johansen <john.johansen@canonical.com>
Thu, 7 Dec 2017 08:28:27 +0000 (00:28 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 10 Jan 2018 08:31:22 +0000 (09:31 +0100)
commit 5b9f57cf47b87f07210875d6a24776b4496b818d upstream.

When the mount code was refactored for Labels it was not correctly
updated to check whether policy supported mediation of the mount
class.  This causes a regression when the kernel feature set is
reported as supporting mount and policy is pinned to a feature set
that does not support mount mediation.

BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882697#41
Fixes: 2ea3ffb7782a ("apparmor: add mount mediation")
Reported-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
security/apparmor/mount.c

index 82a64b58041d2adc62debcf572b77b7a6607678d..e395137ecff1505225eb6d8efaab9965d5ec6bd6 100644 (file)
@@ -330,6 +330,9 @@ static int match_mnt_path_str(struct aa_profile *profile,
        AA_BUG(!mntpath);
        AA_BUG(!buffer);
 
+       if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
+               return 0;
+
        error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer,
                             &mntpnt, &info, profile->disconnected);
        if (error)
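Review bot: The early `return 0` added before the aa_path_name() call carries no comment explaining that 0 here means "permit without audit" because the pinned policy carries no mount rules for this profile; the same unexplained guard is repeated in match_mnt (second hunk) and profile_umount (third hunk). A one-line comment on each would keep a later reader from mistaking it for an error path, e.g. `/* policy is pinned to a feature set without mount mediation: allow */`. The guard also appears in both match_mnt_path_str and match_mnt, which presumably call each other, so one of the two checks looks redundant — confirm against the callers, which are outside these hunks. match_mnt_path_str's body continues outside the hunk.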
@@ -381,6 +384,9 @@ static int match_mnt(struct aa_profile *profile, const struct path *path,
        AA_BUG(!profile);
        AA_BUG(devpath && !devbuffer);
 
+       if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
+               return 0;
+
        if (devpath) {
                error = aa_path_name(devpath, path_flags(profile, devpath),
                                     devbuffer, &devname, &info,
@@ -559,6 +565,9 @@ static int profile_umount(struct aa_profile *profile, struct path *path,
        AA_BUG(!profile);
        AA_BUG(!path);
 
+       if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
+               return 0;
+
        error = aa_path_name(path, path_flags(profile, path), buffer, &name,
                             &info, profile->disconnected);
        if (error)
@@ -614,7 +623,8 @@ static struct aa_label *build_pivotroot(struct aa_profile *profile,
        AA_BUG(!new_path);
        AA_BUG(!old_path);
 
-       if (profile_unconfined(profile))
+       if (profile_unconfined(profile) ||
+           !PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
                return aa_get_newest_label(&profile->label);
 
        error = aa_path_name(old_path, path_flags(profile, old_path),
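Review bot: Folding the mediation check into the existing `profile_unconfined(profile)` condition returns the profile's current label without an audit record, which is the right outcome but differs in shape from the `return 0` used in the three other hunks; a brief comment tying the two halves of the condition together would help, e.g. `/* unconfined, or mount not mediated by this policy: no restriction to apply */`. The check is placed after the AA_BUG() asserts and before the path lookup, consistent with the other hunks. build_pivotroot's body continues outside the hunk.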