Merge regression tests: add mount test for CVE-2016-1585

Add infrastructure for calling the mount test binary with an fstype
instead of using the default hardcoded ext2 type, and then use that in a
test that exercises CVE-2016-1585, ensuring that mounting a procfs
filesystem isn't permitted when the only mount rule is

  mount options=(rw,make-slave) -> **,

to help ensure that the generated and enforced policy is restricted to
what is intended.

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1597017

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1211
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 93c4c6fb9f)
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen 2024-04-12 03:57:35 +00:00 committed by John Johansen
parent a635a86e1d
commit 5ad4efec50
2 changed files with 24 additions and 5 deletions


@ -114,6 +114,7 @@ static void usage(char *prog_name)
fprintf(stderr, "Options are:\n"); fprintf(stderr, "Options are:\n");
fprintf(stderr, "-o flags sent to the mount syscall\n"); fprintf(stderr, "-o flags sent to the mount syscall\n");
fprintf(stderr, "-d data sent to the mount syscall\n"); fprintf(stderr, "-d data sent to the mount syscall\n");
fprintf(stderr, "-t type of synthetic filesystem (e.g. proc) for mount syscall\n");
exit(1); exit(1);
} }
@ -121,12 +122,13 @@ int main(int argc, char *argv[])
{ {
char *options = NULL; char *options = NULL;
char *data = NULL; char *data = NULL;
char *type = NULL;
int index; int index;
int c; int c;
char *op, *source, *target, *token; char *op, *source, *target, *token;
unsigned long flags = 0; unsigned long flags = 0;
while ((c = getopt (argc, argv, "o:d:h")) != -1) { while ((c = getopt (argc, argv, "o:d:t:h")) != -1) {
switch (c) switch (c)
{ {
case 'o': case 'o':
@ -135,6 +137,9 @@ int main(int argc, char *argv[])
case 'd': case 'd':
data = optarg; data = optarg;
break; break;
case 't':
type = optarg;
break;
case 'h': case 'h':
usage(argv[0]); usage(argv[0]);
break; break;
@ -162,10 +167,18 @@ int main(int argc, char *argv[])
} }
if (strcmp(op, "mount") == 0) { if (strcmp(op, "mount") == 0) {
if (mount(source, target, "ext2", flags, data) == -1) { if (!type) {
fprintf(stderr, "FAIL: mount %s on %s failed - %s\n", if (mount(source, target, "ext2", flags, data) == -1) {
source, target, strerror(errno)); fprintf(stderr, "FAIL: mount %s on %s failed - %s\n",
return errno; source, target, strerror(errno));
return errno;
}
} else {
if (mount(source, target, type, flags, data) == -1) {
fprintf(stderr, "FAIL: mount %s on %s failed - %s\n",
source, target, strerror(errno));
return errno;
}
} }
} else if (strcmp(op, "umount") == 0) { } else if (strcmp(op, "umount") == 0) {
if (umount(target) == -1) { if (umount(target) == -1) {
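Review bot: The two branches added in the last hunk (from `if (!type) {` onward on the new side) are identical apart from the filesystem-type string, so the mount/fprintf/return block is now duplicated and the two copies can drift apart. Defaulting the type once (`const char *fstype = type ? type : "ext2";`) and issuing a single `mount()` call keeps the old ext2 behaviour for callers that do not pass `-t` while leaving one place to maintain. While rewriting it, the `return errno;` after the `fprintf`/`strerror` call should return a copy of errno saved immediately after `mount()` fails, since those library calls may overwrite it and the exit status is what the test harness keys on. `main()` begins before the first hunk and continues past this one.
```c
	if (strcmp(op, "mount") == 0) {
		/* -t overrides the historical ext2 default */
		const char *fstype = type ? type : "ext2";
		if (mount(source, target, fstype, flags, data) == -1) {
			int saved_errno = errno; /* fprintf/strerror may clobber errno */
			fprintf(stderr, "FAIL: mount %s on %s failed - %s\n",
				source, target, strerror(saved_errno));
			return saved_errno;
		}
	} else if (strcmp(op, "umount") == 0) {
		/* … unchanged: umount handling … */
```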


@ -547,6 +547,12 @@ else
runchecktest "UMOUNT (confined cap umount:ALL)" pass umount ${loop_device} ${mount_point} runchecktest "UMOUNT (confined cap umount:ALL)" pass umount ${loop_device} ${mount_point}
remove_mnt remove_mnt
# https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1597017
# CVE-2016-1585
genprofile cap:sys_admin "mount:options=(rw,make-slave) -> **"
runchecktest "MOUNT (confined cap mount -> mntpnt, CVE-2016-1585)" fail mount -t proc proc ${mount_point}
remove_mnt
# MR:https://gitlab.com/apparmor/apparmor/-/merge_requests/1054 # MR:https://gitlab.com/apparmor/apparmor/-/merge_requests/1054
# https://bugs.launchpad.net/apparmor/+bug/2023814 # https://bugs.launchpad.net/apparmor/+bug/2023814
# https://bugzilla.opensuse.org/show_bug.cgi?id=1211989 # https://bugzilla.opensuse.org/show_bug.cgi?id=1211989
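Review bot: The new CVE-2016-1585 case only asserts a `fail` outcome, so it would also "pass" if the freshly added `-t proc` path in the mount binary were broken for an unrelated reason (bad option parsing, procfs unavailable in the test environment) rather than because policy denied the mount. A positive control that mounts `-t proc proc ${mount_point}` under a permissive mount rule and expects `pass` — using whichever permissive rule the script already uses for its other positive mount cases — would make the denial attributable to the `options=(rw,make-slave) -> **` rule specifically. It would also help to expand the two-line comment above `genprofile` into one sentence stating what is being checked, e.g. `# CVE-2016-1585: a rule limited to options=(rw,make-slave) must not permit mounting a proc filesystem`. The enclosing `else` branch starts before this hunk and continues past it.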