Merge fix mount regression in 2.13

Mount has regressed in two ways. That are affecting snapd confinement, since landing the mount fixes for CVE-2016-1585 in 3.1.4 and the fix for the mount change type regression in 3.1.5 Bug Reports: https://bugs.launchpad.net/apparmor/+bug/2023814 https://bugzilla.opensuse.org/show_bug.cgi?id=1211989 Issue 1: Denial of Mount ``` [ 808.531909] audit: type=1400 audit(1686759578.010:158): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.test-snapd-lp-1803535" name="/tmp/.snap/etc/" pid=14529 comm="5" srcname="/etc/" flags="rw, rbind" ``` when the profile contains a rule that should match ``` mount options=(rw, rbind) "/etc/" -> "/tmp/.snap/etc/", ``` Issue 2: change_type failure. Denial of Mount in log ``` type=AVC msg=audit(1686977968.399:763): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="snap-update-ns.authy" name="/var/cache/fontconfig/" pid=26702 comm="5" srcname="/var/lib/snapd/hostfs/var/cache/fontconfig/" flags="rw, bind" ... ``` snapd error ``` - Run configure hook of "chromium" snap if present (run hook "configure": ----- update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/doc /usr/share/doc none bind,ro 0 0): permission denied update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/fonts /usr/share/fonts none bind,ro 0 0): permission denied update.go:85: cannot change mount namespace according to change mount (/var/snap/cups/common/run /var/cups none bind,rw 0 0): permission denied cannot update snap namespace: cannot create writable mimic over "/snap/chromium/2475": permission denied snap-update-ns failed with code 1 ``` and NO mount rules in the profiles. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1054 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
2025-03-04 08:24:42 +01:00 · 2023-06-21 01:31:55 -07:00 · 2023-06-21 01:31:55 -07:00 · 9525238bb0
commit 9525238bb0
parent b3881198ba 51d33c1a23
13 changed files with 87 additions and 2 deletions
--- a/parser/mount.cc
+++ b/parser/mount.cc
@ -996,7 +996,7 @@ int mnt_rule::gen_flag_rules(Profile &prof, int &count, unsigned int flags,
 		if (!dev_type && !opts &&
 		    gen_policy_bind_mount(prof, count, flags, opt_flags) == RULE_ERROR)
 			return RULE_ERROR;
-		if (!dev_type && !opts &&
+		if ((!device || !mnt_point) && !dev_type && !opts &&
 		    gen_policy_change_mount_type(prof, count, flags, opt_flags) == RULE_ERROR)
 			return RULE_ERROR;
 		if (!dev_type && !opts &&
@ -1012,7 +1012,7 @@ int mnt_rule::gen_flag_rules(Profile &prof, int &count, unsigned int flags,
 		return gen_policy_bind_mount(prof, count, flags, opt_flags);
 	} else if ((allow & AA_MAY_MOUNT) &&
 		   (flags & (MS_MAKE_CMDS))
-		   && !dev_type && !opts) {
+		   && (!device || !mnt_point) && !dev_type && !opts) {
 		return gen_policy_change_mount_type(prof, count, flags, opt_flags);
 	} else if ((allow & AA_MAY_MOUNT) && (flags & MS_MOVE)
 		   && !dev_type && !opts) {
--- a/parser/tst/equality.sh
+++ b/parser/tst/equality.sh
@ -563,6 +563,17 @@ verify_binary_equality "link rules slash filtering" \
                        @{BAR}=/mnt/
                           /t { link @{FOO}/foo -> @{BAR}/bar, }" \

+
+# This can potentially fail as ideally it requires a better dfa comparison
+# routine as it can generates hormomorphic dfas. The enumeration of the
+# dfas dumped will be different, even if the binary is the same
+# Note: this test in the future will require -O filter-deny and
+# -O minimize and -O remove-unreachable.
+verify_binary_equality "mount specific deny doesn't affect non-overlapping" \
+			"/t { mount options=bind /e/ -> /**, }" \
+			"/t { audit deny mount /s/** -> /**,
+			      mount options=bind /e/ -> /**, }"
+
 if [ $fails -ne 0 -o $errors -ne 0 ]
 then
 	printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 2>&1
--- a/parser/tst/simple_tests/mount/bad_opt_32.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_32.sd
@ -0,0 +1,6 @@
+#
+#=Description test we fail make rules with source and mntpnt associated with MR 1054
+#=EXRESULT FAIL
+/usr/bin/foo {
+    mount options=(slave) /snap/bin/** -> /**,
+}
--- a/parser/tst/simple_tests/mount/bad_opt_35.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_35.sd
@ -0,0 +1,6 @@
+#
+#=Description test we fail make rules with source and mntpnt associated with MR 1054
+#=EXRESULT FAIL
+/usr/bin/foo {
+    mount options=(rslave) /snap/bin/** -> /**,
+}
--- a/parser/tst/simple_tests/mount/bad_opt_36.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_36.sd
@ -0,0 +1,6 @@
+#
+#=Description test we fail make rules with source and mntpnt associated with MR 1054
+#=EXRESULT FAIL
+/usr/bin/foo {
+    mount options=(unbindable) /snap/bin/** -> /**,
+}
--- a/parser/tst/simple_tests/mount/bad_opt_37.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_37.sd
@ -0,0 +1,6 @@
+#
+#=Description test we fail make rules with source and mntpnt associated with MR 1054
+#=EXRESULT FAIL
+/usr/bin/foo {
+    mount options=(runbindable) /snap/bin/** -> /**,
+}
--- a/parser/tst/simple_tests/mount/bad_opt_38.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_38.sd
@ -0,0 +1,6 @@
+#
+#=Description test we fail make rules with source and mntpnt associated with MR 1054
+#=EXRESULT FAIL
+/usr/bin/foo {
+    mount options=(private) /snap/bin/** -> /**,
+}
--- a/parser/tst/simple_tests/mount/bad_opt_39.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_39.sd
@ -0,0 +1,6 @@
+#
+#=Description test we fail make rules with source and mntpnt associated with MR 1054
+#=EXRESULT FAIL
+/usr/bin/foo {
+    mount options=(rprivate) /snap/bin/** -> /**,
+}
--- a/parser/tst/simple_tests/mount/bad_opt_40.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_40.sd
@ -0,0 +1,6 @@
+#
+#=Description test we fail make rules with source and mntpnt associated with MR 1054
+#=EXRESULT FAIL
+/usr/bin/foo {
+    mount options=(shared) /snap/bin/** -> /**,
+}
--- a/parser/tst/simple_tests/mount/bad_opt_41.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_41.sd
@ -0,0 +1,6 @@
+#
+#=Description test we fail make rules with source and mntpnt associated with MR 1054
+#=EXRESULT FAIL
+/usr/bin/foo {
+    mount options=(rshared) /snap/bin/** -> /**,
+}
--- a/parser/tst/simple_tests/mount/ok_opt_84.sd
+++ b/parser/tst/simple_tests/mount/ok_opt_84.sd
@ -0,0 +1,8 @@
+#
+#=Description test we can parse rules associated with MR 1054
+#=EXRESULT PASS
+/usr/bin/foo {
+    mount options=(slave) /**,
+    mount options=(slave) -> /**,
+    mount /snap/bin/** -> /**,
+}
--- a/tests/regression/apparmor/mount.sh
+++ b/tests/regression/apparmor/mount.sh
@ -398,6 +398,16 @@ else
 	runchecktest "UMOUNT (confined cap umount:ALL)" pass umount ${loop_device} ${mount_point}
 	remove_mnt

+	# MR:https://gitlab.com/apparmor/apparmor/-/merge_requests/1054
+	# https://bugs.launchpad.net/apparmor/+bug/2023814
+	# https://bugzilla.opensuse.org/show_bug.cgi?id=1211989
+	# based on rules from profile in bug that triggered issue
+	genprofile cap:sys_admin "qual=deny:mount:/snap/bin/:-> /**" \
+				 "mount:options=(rw,bind):-> ${mount_point}/"
+
+	runchecktest "MOUNT (confined cap bind mount with deny mount that doesn't overlap)" pass mount ${mount_point2} ${mount_point} -o bind
+	remove_mnt
+
 	test_options
 fi

--- a/utils/test/test-parser-simple-tests.py
+++ b/utils/test/test-parser-simple-tests.py
@ -107,6 +107,14 @@ exception_not_raised = [
    'mount/bad_opt_29.sd',
    'mount/bad_opt_30.sd',
    'mount/bad_opt_31.sd',
+    'mount/bad_opt_32.sd',
+    'mount/bad_opt_35.sd',
+    'mount/bad_opt_36.sd',
+    'mount/bad_opt_37.sd',
+    'mount/bad_opt_38.sd',
+    'mount/bad_opt_39.sd',
+    'mount/bad_opt_40.sd',
+    'mount/bad_opt_41.sd',
    'profile/flags/flags_bad10.sd',
    'profile/flags/flags_bad11.sd',
    'profile/flags/flags_bad12.sd',