On Mon, Jan 09, 2023 at 06:25:52PM -0800, Luis Chamberlain wrote:
> Commit 2ea3ffb7782 ("apparmor: add mount mediation") John Johansen
> added mount mediation support. However just the day before this commit
> David Howells modified the internal sb flags through commit e462ec50cb5
> ("VFS: Differentiate mount flags (MS_*) from internal superblock flags").
>
> Use the modified sb flags to make things clear and avoid further uses
> of the old MS_* flags for superblock internal flags. This will let us
> later remove the MS_* sb internal flags as userspace should not be
> using them.
>
> This commit does not fix anything as the old flags used map to the
> same bitmask, this just tidies things up. I split up the flags to
> make it clearer which ones are for the superblock and used internally.

I don't think that's right. apparmor_sb_mount() gets (almost) raw flags from mount(2); incidentally, MS_MGC_MSK removal directly above the modified line is BS since _that_ has already been done by the caller. Note that the same function explicitly checks for MS_MOVE, etc. in the same argument.

> @@ -74,7 +74,7 @@ static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags) > audit_log_format(ab, ", iversion"); > if (flags & MS_STRICTATIME) > audit_log_format(ab, ", strictatime"); > - if (flags & MS_NOUSER) > + if (flags & SB_NOUSER) > audit_log_format(ab, ", nouser"); > }

Umm... How does one trigger that one?
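
Review bot: In audit_mnt_flags(), the nouser test now uses SB_NOUSER while the test directly above it still checks MS_STRICTATIME on the same flags argument, so a single flag word ends up decoded with constants from two namespaces. The commit message says the old and new constants map to the same bitmask, so the audit output is unchanged, but if flags here carries MS_* values, as the neighbouring MS_STRICTATIME test implies, keeping MS_NOUSER is the consistent choice. Otherwise the commit message should state which caller passes superblock-internal flags into this function.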