From 52babe8054c6428f83c5c028f15063c33ef88e3e Mon Sep 17 00:00:00 2001
From: Ryan Lee <ryan.lee@canonical.com>
Date: Tue, 17 Dec 2024 11:59:54 -0800
Subject: [PATCH 1/2] Allow make-* flags with remount operations

While the mount syscall documentation disallows this, the kernel silently
ignores make-* flags when doing a remount, and real applications were
passing this conflicting set of flags. Because changing the kernel to
reject this combination would break userspace, we should allow them
instead.

For an example: see https://bugs.launchpad.net/apparmor/+bug/2091424.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
---
 parser/mount.h | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/parser/mount.h b/parser/mount.h
index 48d8e6b5c..92594cb95 100644
--- a/parser/mount.h
+++ b/parser/mount.h
@@ -108,7 +108,13 @@
 #define MS_MOVE_FLAGS (MS_MOVE)
 
 #define MS_CMDS (MS_MOVE | MS_REMOUNT | MS_BIND | MS_RBIND | MS_MAKE_CMDS)
-#define MS_REMOUNT_FLAGS (MS_ALL_FLAGS & ~(MS_CMDS & ~MS_REMOUNT & ~MS_BIND & ~MS_RBIND))
+/*
+ * This allows MS_MAKE_CMDS, by design: while remount and make-* shouldn't be
+ * used together, real-world applications do use them together, and the Linux
+ * kernel ignores the make-* flags when doing a remount instead of returning
+ * EINVAL. See https://bugs.launchpad.net/apparmor/+bug/2091424 for an example.
+ */
+#define MS_REMOUNT_FLAGS (MS_ALL_FLAGS & ~MS_MOVE_FLAGS)
 #define MS_NEW_FLAGS (MS_ALL_FLAGS & ~MS_CMDS)
 
 #define MNT_SRC_OPT 1

From 83270fcf68a1f1cd7180febc2370a16542302bdc Mon Sep 17 00:00:00 2001
From: Ryan Lee <ryan.lee@canonical.com>
Date: Wed, 18 Dec 2024 10:28:49 -0800
Subject: [PATCH 2/2] Add a regression test for allowing rprivate with
 conflicting options

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
---
 tests/regression/apparmor/mount.sh | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/tests/regression/apparmor/mount.sh b/tests/regression/apparmor/mount.sh
index fd87898b0..f21f757aa 100755
--- a/tests/regression/apparmor/mount.sh
+++ b/tests/regression/apparmor/mount.sh
@@ -573,6 +573,15 @@ else
 	runchecktest "MOUNT (confined cap bind mount with deny mount that doesn't overlap)" pass mount ${mount_point2} ${mount_point} -o bind
 	remove_mnt
 
+	# MR:https://gitlab.com/apparmor/apparmor/-/merge_requests/1466
+	# https://bugs.launchpad.net/apparmor/+bug/2091424
+	# Specify mount propgatation with remount, a conflict that we still allow
+	# The kernel ignored the conflict and us disallowing it broke userspace
+	genprofile cap:sys_admin "mount:ALL"
+	runchecktest "MOUNT (confined cap bind mount rprivate conflict)" pass mount ${mount_point2} ${mount_point} -o bind,rprivate,noexec
+	runchecktest "MOUNT (confined cap bind mount remount rprivate conflict)" pass mount ${mount_point2} ${mount_point} -o remount,bind,rprivate,noexec
+	remove_mnt
+
 	test_options
 
         # test new mount interface