The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable@xxxxxxxxxxxxxxx>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 157a3537d6bc28ceb9a11fc8cb67f2152d860146 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable@xxxxxxxxxxxxxxx>' --in-reply-to '2023112237-headsman-unshackle-d1e3@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: 157a3537d6bc ("apparmor: Fix regression in mount mediation") 90c436a64a6e ("apparmor: pass cred through to audit info.") d20f5a1a6e79 ("apparmor: rename audit_data->label to audit_data->subj_label") bd7bd201ca46 ("apparmor: combine common_audit_data and apparmor_audit_data") 25ff0ff2d628 ("apparmor: Fix kernel-doc warnings in apparmor/policy.c") 13c1748e2170 ("apparmor: Fix kernel-doc warnings in apparmor/resource.c") 892148228611 ("apparmor: Fix kernel-doc warnings in apparmor/lib.c") 26c9ecb34f5f ("apparmor: Fix kernel-doc warnings in apparmor/audit.c") 76862af5d1ad ("apparmor: fix kernel-doc complaints") 665b1856dc23 ("apparmor: Fix loading of child before parent") 2f7a29debae2 ("apparmor: remove useless static inline functions") 65f7f666f21c ("apparmor: make __aa_path_perm() static") 1ad22fcc4d0d ("apparmor: rework profile->rules to be a list") 217af7e2f4de ("apparmor: refactor profile rules and attachments") 3bf3d728a58d ("apparmor: verify loaded permission bits masks don't overlap") 3dfd16ab697f ("apparmor: cleanup: move perm accumulation into perms.h") 0bece4fa97a2 ("apparmor: make sure perm indexes are accumulated") 670f31774ab6 ("apparmor: verify permission table indexes") 371e50a0b19f ("apparmor: make unpack_array return a trianary value") ad596ea74e74 ("apparmor: group dfa policydb unpacking") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 157a3537d6bc28ceb9a11fc8cb67f2152d860146 Mon Sep 17 00:00:00 2001 From: John Johansen <john.johansen@xxxxxxxxxxxxx> Date: Sun, 10 Sep 2023 03:35:22 -0700 Subject: [PATCH] apparmor: Fix regression in mount mediation commit 2db154b3ea8e ("vfs: syscall: Add move_mount(2) to move mounts around") introduced a new move_mount(2) system call and a corresponding new LSM security_move_mount hook but did not implement this hook for any existing LSM. This creates a regression for AppArmor mediation of mount. This patch provides a base mapping of the move_mount syscall to the existing mount mediation. In the future we may introduce additional mediations around the new mount calls. Fixes: 2db154b3ea8e ("vfs: syscall: Add move_mount(2) to move mounts around") CC: stable@xxxxxxxxxxxxxxx Reported-by: Andreas Steinmetz <anstein99@xxxxxxxxxxxxxx> Signed-off-by: John Johansen <john.johansen@xxxxxxxxxxxxx> diff --git a/security/apparmor/include/mount.h b/security/apparmor/include/mount.h index 10c76f906a65..46834f828179 100644 --- a/security/apparmor/include/mount.h +++ b/security/apparmor/include/mount.h @@ -38,9 +38,12 @@ int aa_mount_change_type(const struct cred *subj_cred, struct aa_label *label, const struct path *path, unsigned long flags); +int aa_move_mount_old(const struct cred *subj_cred, + struct aa_label *label, const struct path *path, + const char *old_name); int aa_move_mount(const struct cred *subj_cred, - struct aa_label *label, const struct path *path, - const char *old_name); + struct aa_label *label, const struct path *from_path, + const struct path *to_path); int aa_new_mount(const struct cred *subj_cred, struct aa_label *label, const char *dev_name, diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index ce4f3e7a784d..b047d1d355a9 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -722,8 +722,8 @@ static int apparmor_sb_mount(const char *dev_name, const struct path *path, error = aa_mount_change_type(current_cred(), label, path, flags); else if (flags & MS_MOVE) - error = aa_move_mount(current_cred(), label, path, - dev_name); + error = aa_move_mount_old(current_cred(), label, path, + dev_name); else error = aa_new_mount(current_cred(), label, dev_name, path, type, flags, data); @@ -733,6 +733,21 @@ static int apparmor_sb_mount(const char *dev_name, const struct path *path, return error; } +static int apparmor_move_mount(const struct path *from_path, + const struct path *to_path) +{ + struct aa_label *label; + int error = 0; + + label = __begin_current_label_crit_section(); + if (!unconfined(label)) + error = aa_move_mount(current_cred(), label, from_path, + to_path); + __end_current_label_crit_section(label); + + return error; +} + static int apparmor_sb_umount(struct vfsmount *mnt, int flags) { struct aa_label *label; @@ -1376,6 +1391,7 @@ static struct security_hook_list apparmor_hooks[] __ro_after_init = { LSM_HOOK_INIT(capget, apparmor_capget), LSM_HOOK_INIT(capable, apparmor_capable), + LSM_HOOK_INIT(move_mount, apparmor_move_mount), LSM_HOOK_INIT(sb_mount, apparmor_sb_mount), LSM_HOOK_INIT(sb_umount, apparmor_sb_umount), LSM_HOOK_INIT(sb_pivotroot, apparmor_sb_pivotroot), diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c index 3455dd4b1f99..fb30204c761a 100644 --- a/security/apparmor/mount.c +++ b/security/apparmor/mount.c @@ -483,36 +483,46 @@ int aa_mount_change_type(const struct cred *subj_cred, } int aa_move_mount(const struct cred *subj_cred, - struct aa_label *label, const struct path *path, - const char *orig_name) + struct aa_label *label, const struct path *from_path, + const struct path *to_path) { struct aa_profile *profile; - char *buffer = NULL, *old_buffer = NULL; - struct path old_path; + char *to_buffer = NULL, *from_buffer = NULL; int error; AA_BUG(!label); - AA_BUG(!path); + AA_BUG(!from_path); + AA_BUG(!to_path); + + to_buffer = aa_get_buffer(false); + from_buffer = aa_get_buffer(false); + error = -ENOMEM; + if (!to_buffer || !from_buffer) + goto out; + error = fn_for_each_confined(label, profile, + match_mnt(subj_cred, profile, to_path, to_buffer, + from_path, from_buffer, + NULL, MS_MOVE, NULL, false)); +out: + aa_put_buffer(to_buffer); + aa_put_buffer(from_buffer); + + return error; +} + +int aa_move_mount_old(const struct cred *subj_cred, struct aa_label *label, + const struct path *path, const char *orig_name) +{ + struct path old_path; + int error; if (!orig_name || !*orig_name) return -EINVAL; - error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path); if (error) return error; - buffer = aa_get_buffer(false); - old_buffer = aa_get_buffer(false); - error = -ENOMEM; - if (!buffer || !old_buffer) - goto out; - error = fn_for_each_confined(label, profile, - match_mnt(subj_cred, profile, path, buffer, &old_path, - old_buffer, - NULL, MS_MOVE, NULL, false)); -out: - aa_put_buffer(buffer); - aa_put_buffer(old_buffer); + error = aa_move_mount(subj_cred, label, &old_path, path); path_put(&old_path); return error;
