niansa-misc/linux
1
0
Fork 0
mirror of synced 2025-03-06 20:59:54 +01:00
Code Issues Projects Releases Packages Wiki Activity

apparmor: Fix regression in mount mediation

Browse source 
commit 2db154b3ea ("vfs: syscall: Add move_mount(2) to move mounts around")

introduced a new move_mount(2) system call and a corresponding new LSM
security_move_mount hook but did not implement this hook for any
existing LSM. This creates a regression for AppArmor mediation of
mount. This patch provides a base mapping of the move_mount syscall to
the existing mount mediation. In the future we may introduce
additional mediations around the new mount calls.

Fixes: 2db154b3ea ("vfs: syscall: Add move_mount(2) to move mounts around")
CC: stable@vger.kernel.org
Reported-by: Andreas Steinmetz <anstein99@googlemail.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen 2023-09-10 03:35:22 -07:00
parent ea9bae12d0
commit 157a3537d6
3 changed files with 51 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
security/apparmor/include/mount.h
View file

@ -38,9 +38,12 @@ int aa_mount_change_type(const struct cred *subj_cred,
struct aa_label *label, const struct path *path, struct aa_label *label, const struct path *path,
unsigned long flags); unsigned long flags);
int aa_move_mount_old(const struct cred *subj_cred,
struct aa_label *label, const struct path *path,
const char *old_name);
int aa_move_mount(const struct cred *subj_cred, int aa_move_mount(const struct cred *subj_cred,
struct aa_label *label, const struct path *path, struct aa_label *label, const struct path *from_path,
const char *old_name); const struct path *to_path);
int aa_new_mount(const struct cred *subj_cred, int aa_new_mount(const struct cred *subj_cred,
struct aa_label *label, const char *dev_name, struct aa_label *label, const char *dev_name,

20
security/apparmor/lsm.c
View file

@ -722,8 +722,8 @@ static int apparmor_sb_mount(const char *dev_name, const struct path *path,
error = aa_mount_change_type(current_cred(), label, error = aa_mount_change_type(current_cred(), label,
path, flags); path, flags);
else if (flags & MS_MOVE) else if (flags & MS_MOVE)
error = aa_move_mount(current_cred(), label, path, error = aa_move_mount_old(current_cred(), label, path,
dev_name); dev_name);
else else
error = aa_new_mount(current_cred(), label, dev_name, error = aa_new_mount(current_cred(), label, dev_name,
path, type, flags, data); path, type, flags, data);
@ -733,6 +733,21 @@ static int apparmor_sb_mount(const char *dev_name, const struct path *path,
return error; return error;
} }
static int apparmor_move_mount(const struct path *from_path,
const struct path *to_path)
{
struct aa_label *label;
int error = 0;
label = __begin_current_label_crit_section();
if (!unconfined(label))
error = aa_move_mount(current_cred(), label, from_path,
to_path);
__end_current_label_crit_section(label);
return error;
}
static int apparmor_sb_umount(struct vfsmount *mnt, int flags) static int apparmor_sb_umount(struct vfsmount *mnt, int flags)
{ {
struct aa_label *label; struct aa_label *label;
@ -1376,6 +1391,7 @@ static struct security_hook_list apparmor_hooks[] __ro_after_init = {
LSM_HOOK_INIT(capget, apparmor_capget), LSM_HOOK_INIT(capget, apparmor_capget),
LSM_HOOK_INIT(capable, apparmor_capable), LSM_HOOK_INIT(capable, apparmor_capable),
LSM_HOOK_INIT(move_mount, apparmor_move_mount),
LSM_HOOK_INIT(sb_mount, apparmor_sb_mount), LSM_HOOK_INIT(sb_mount, apparmor_sb_mount),
LSM_HOOK_INIT(sb_umount, apparmor_sb_umount), LSM_HOOK_INIT(sb_umount, apparmor_sb_umount),
LSM_HOOK_INIT(sb_pivotroot, apparmor_sb_pivotroot), LSM_HOOK_INIT(sb_pivotroot, apparmor_sb_pivotroot),

46
security/apparmor/mount.c
View file

@ -483,36 +483,46 @@ int aa_mount_change_type(const struct cred *subj_cred,
} }
int aa_move_mount(const struct cred *subj_cred, int aa_move_mount(const struct cred *subj_cred,
struct aa_label *label, const struct path *path, struct aa_label *label, const struct path *from_path,
const char *orig_name) const struct path *to_path)
{ {
struct aa_profile *profile; struct aa_profile *profile;
char *buffer = NULL, *old_buffer = NULL; char *to_buffer = NULL, *from_buffer = NULL;
struct path old_path;
int error; int error;
AA_BUG(!label); AA_BUG(!label);
AA_BUG(!path); AA_BUG(!from_path);
AA_BUG(!to_path);
to_buffer = aa_get_buffer(false);
from_buffer = aa_get_buffer(false);
error = -ENOMEM;
if (!to_buffer || !from_buffer)
goto out;
error = fn_for_each_confined(label, profile,
match_mnt(subj_cred, profile, to_path, to_buffer,
from_path, from_buffer,
NULL, MS_MOVE, NULL, false));
out:
aa_put_buffer(to_buffer);
aa_put_buffer(from_buffer);
return error;
}
int aa_move_mount_old(const struct cred *subj_cred, struct aa_label *label,
const struct path *path, const char *orig_name)
{
struct path old_path;
int error;
if (!orig_name || !*orig_name) if (!orig_name || !*orig_name)
return -EINVAL; return -EINVAL;
error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path); error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path);
if (error) if (error)
return error; return error;
buffer = aa_get_buffer(false); error = aa_move_mount(subj_cred, label, &old_path, path);
old_buffer = aa_get_buffer(false);
error = -ENOMEM;
if (!buffer || !old_buffer)
goto out;
error = fn_for_each_confined(label, profile,
match_mnt(subj_cred, profile, path, buffer, &old_path,
old_buffer,
NULL, MS_MOVE, NULL, false));
out:
aa_put_buffer(buffer);
aa_put_buffer(old_buffer);
path_put(&old_path); path_put(&old_path);
return error; return error;