diff --git a/parser/mount.cc b/parser/mount.cc
index 39299ce9c..2d38d4d1e 100644
--- a/parser/mount.cc
+++ b/parser/mount.cc
@@ -828,15 +828,30 @@ int mnt_rule::gen_policy_change_mount_type(Profile &prof, int &count,
 std::string optsbuf;
 char class_mount_hdr[64];
 const char *vec[5];
+ char *mountpoint = mnt_point;
 sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
- /* change type base rules can not be conditional on device,
- * device type or data
+ /* change type base rules can specify the mount point by using
+ the parser token position reserved to device. that's why if
+ the mount point is not specified, we use device in its
+ place. this is a deprecated behavior.
+ *
+ change type base rules can not be conditional on device
+ * (source), device type or data
 */
 /* rule class single byte header */
 mntbuf.assign(class_mount_hdr);
- if (!convert_entry(mntbuf, mnt_point))
+ if (flags && flags != MS_ALL_FLAGS && device && mnt_point) {
+ PERROR("source and mount point cannot be used at the "
+ "same time for propagation type flags");
+ goto fail;
+ } else if (device && !mnt_point) {
+ pwarn(WARN_DEPRECATED, _("The use of source as mount point for "
+ "propagation type flags is deprecated.\n"));
+ mountpoint = device;
+ }
+ if (!convert_entry(mntbuf, mountpoint))
 goto fail;
 vec[0] = mntbuf.c_str();
 /* skip device and type */
@@ -981,7 +996,7 @@ int mnt_rule::gen_flag_rules(Profile &prof, int &count, unsigned int flags,
 if (!dev_type && !opts &&
 gen_policy_bind_mount(prof, count, flags, opt_flags) == RULE_ERROR)
 return RULE_ERROR;
- if (!device && !dev_type && !opts &&
+ if (!dev_type && !opts &&
 gen_policy_change_mount_type(prof, count, flags, opt_flags) == RULE_ERROR)
 return RULE_ERROR;
 if (!dev_type && !opts &&
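Review bot: The `else if (device && !mnt_point)` fallback lacks the `flags != MS_ALL_FLAGS` exemption that the guard just above it carries, and the second hunk (line 996) now lets rules that name a source reach this function through the call site that the guard evidently expects to be hit with MS_ALL_FLAGS; a no-option rule such as `mount /dev/sda1,` (constructed example) is then presumably both warned as deprecated and compiled into a propagation-type rule that treats its source path as the mount point, while a no-option rule giving both source and mount point has its source silently ignored rather than rejected. Either outcome widens what existing profiles permit without the profile author opting in, and the warning text would mislead authors who never used the deprecated form. Unless that widening is intended, keeping `if (!device && !dev_type && !opts &&` at the call site in the second hunk and dropping `!device` only in the MS_MAKE_CMDS branch of the next hunk would preserve the prior policy for rules that never name a propagation option. The `fail:` label and the remainder of both functions lie outside these hunks, so the error-path cleanup could not be checked here.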
@@ -997,7 +1012,7 @@ int mnt_rule::gen_flag_rules(Profile &prof, int &count, unsigned int flags,
 return gen_policy_bind_mount(prof, count, flags, opt_flags);
 } else if ((perms & AA_MAY_MOUNT) && (flags & (MS_MAKE_CMDS))
- && !device && !dev_type && !opts) {
+ && !dev_type && !opts) {
 return gen_policy_change_mount_type(prof, count, flags, opt_flags);
 } else if ((perms & AA_MAY_MOUNT) && (flags & MS_MOVE)
 && !dev_type && !opts) {
diff --git a/parser/tst/simple_tests/mount/ok_opt_68.sd b/parser/tst/simple_tests/mount/ok_opt_68.sd
new file mode 100644
index 000000000..ba4551084
--- /dev/null
+++ b/parser/tst/simple_tests/mount/ok_opt_68.sd
@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "unbindable" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+ mount options=unbindable /1,
+ mount options=(unbindable) /2,
+ mount options=(rw,unbindable) /3,
+ mount options in (unbindable) /4,
+ mount options in (ro,unbindable) /5,
+}
diff --git a/parser/tst/simple_tests/mount/ok_opt_69.sd b/parser/tst/simple_tests/mount/ok_opt_69.sd
new file mode 100644
index 000000000..deddeb8f0
--- /dev/null
+++ b/parser/tst/simple_tests/mount/ok_opt_69.sd
@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "runbindable" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+ mount options=runbindable /1,
+ mount options=(runbindable) /2,
+ mount options=(rw,runbindable) /3,
+ mount options in (runbindable) /4,
+ mount options in (ro,runbindable) /5,
+}
diff --git a/parser/tst/simple_tests/mount/ok_opt_70.sd b/parser/tst/simple_tests/mount/ok_opt_70.sd
new file mode 100644
index 000000000..9cc60472b
--- /dev/null
+++ b/parser/tst/simple_tests/mount/ok_opt_70.sd
@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "rprivate" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+ mount options=rprivate /1,
+ mount options=(rprivate) /2,
+ mount options=(rw,rprivate) /3,
+ mount options in (rprivate) /4,
+ mount options in (ro,rprivate) /5,
+}
diff --git a/parser/tst/simple_tests/mount/ok_opt_71.sd b/parser/tst/simple_tests/mount/ok_opt_71.sd
new file mode 100644
index 000000000..bfdde5a94
--- /dev/null
+++ b/parser/tst/simple_tests/mount/ok_opt_71.sd
@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "private" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+ mount options=private /1,
+ mount options=(private) /2,
+ mount options=(rw,private) /3,
+ mount options in (private) /4,
+ mount options in (ro,private) /5,
+}
diff --git a/parser/tst/simple_tests/mount/ok_opt_72.sd b/parser/tst/simple_tests/mount/ok_opt_72.sd
new file mode 100644
index 000000000..da610aa2e
--- /dev/null
+++ b/parser/tst/simple_tests/mount/ok_opt_72.sd
@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "slave" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+ mount options=slave /1,
+ mount options=(slave) /2,
+ mount options=(rw,slave) /3,
+ mount options in (slave) /4,
+ mount options in (ro,slave) /5,
+}
diff --git a/parser/tst/simple_tests/mount/ok_opt_73.sd b/parser/tst/simple_tests/mount/ok_opt_73.sd
new file mode 100644
index 000000000..6f465f050
--- /dev/null
+++ b/parser/tst/simple_tests/mount/ok_opt_73.sd
@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "rslave" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+ mount options=rslave /1,
+ mount options=(rslave) /2,
+ mount options=(rw,rslave) /3,
+ mount options in (rslave) /4,
+ mount options in (ro,rslave) /5,
+}
diff --git a/parser/tst/simple_tests/mount/ok_opt_74.sd b/parser/tst/simple_tests/mount/ok_opt_74.sd
new file mode 100644
index 000000000..463e40841
--- /dev/null
+++ b/parser/tst/simple_tests/mount/ok_opt_74.sd
@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "shared" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+ mount options=shared /1,
+ mount options=(shared) /2,
+ mount options=(rw,shared) /3,
+ mount options in (shared) /4,
+ mount options in (ro,shared) /5,
+}
diff --git a/parser/tst/simple_tests/mount/ok_opt_75.sd b/parser/tst/simple_tests/mount/ok_opt_75.sd
new file mode 100644
index 000000000..64018c079
--- /dev/null
+++ b/parser/tst/simple_tests/mount/ok_opt_75.sd
@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "rshared" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+ mount options=rshared /1,
+ mount options=(rshared) /2,
+ mount options=(rw,rshared) /3,
+ mount options in (rshared) /4,
+ mount options in (ro,rshared) /5,
+}
diff --git a/parser/tst/simple_tests/mount/ok_opt_76.sd b/parser/tst/simple_tests/mount/ok_opt_76.sd
new file mode 100644
index 000000000..ddd0e53b3
--- /dev/null
+++ b/parser/tst/simple_tests/mount/ok_opt_76.sd
@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-unbindable" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+ mount options=make-unbindable /1,
+ mount options=(make-unbindable) /2,
+ mount options=(rw,make-unbindable) /3,
+ mount options in (make-unbindable) /4,
+ mount options in (ro,make-unbindable) /5,
+}
diff --git a/parser/tst/simple_tests/mount/ok_opt_77.sd b/parser/tst/simple_tests/mount/ok_opt_77.sd
new file mode 100644
index 000000000..8604ecd40
--- /dev/null
+++ b/parser/tst/simple_tests/mount/ok_opt_77.sd
@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-runbindable" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+ mount options=make-runbindable /1,
+ mount options=(make-runbindable) /2,
+ mount options=(rw,make-runbindable) /3,
+ mount options in (make-runbindable) /4,
+ mount options in (ro,make-runbindable) /5,
+}
diff --git a/parser/tst/simple_tests/mount/ok_opt_78.sd b/parser/tst/simple_tests/mount/ok_opt_78.sd
new file mode 100644
index 000000000..61e02fa43
--- /dev/null
+++ b/parser/tst/simple_tests/mount/ok_opt_78.sd
@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-private" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+ mount options=make-private /1,
+ mount options=(make-private) /2,
+ mount options=(rw,make-private) /3,
+ mount options in (make-private) /4,
+ mount options in (ro,make-private) /5,
+}
diff --git a/parser/tst/simple_tests/mount/ok_opt_79.sd b/parser/tst/simple_tests/mount/ok_opt_79.sd
new file mode 100644
index 000000000..d8ef7a92d
--- /dev/null
+++ b/parser/tst/simple_tests/mount/ok_opt_79.sd
@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-rprivate" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+ mount options=make-rprivate /1,
+ mount options=(make-rprivate) /2,
+ mount options=(rw,make-rprivate) /3,
+ mount options in (make-rprivate) /4,
+ mount options in (ro,make-rprivate) /5,
+}
diff --git a/parser/tst/simple_tests/mount/ok_opt_80.sd b/parser/tst/simple_tests/mount/ok_opt_80.sd
new file mode 100644
index 000000000..7b10eefaf
--- /dev/null
+++ b/parser/tst/simple_tests/mount/ok_opt_80.sd
@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-slave" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+ mount options=make-slave /1,
+ mount options=(make-slave) /2,
+ mount options=(rw,make-slave) /3,
+ mount options in (make-slave) /4,
+ mount options in (ro,make-slave) /5,
+}
diff --git a/parser/tst/simple_tests/mount/ok_opt_81.sd b/parser/tst/simple_tests/mount/ok_opt_81.sd
new file mode 100644
index 000000000..06c498258
--- /dev/null
+++ b/parser/tst/simple_tests/mount/ok_opt_81.sd
@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-shared" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+ mount options=make-shared /1,
+ mount options=(make-shared) /2,
+ mount options=(rw,make-shared) /3,
+ mount options in (make-shared) /4,
+ mount options in (ro,make-shared) /5,
+}
diff --git a/parser/tst/simple_tests/mount/ok_opt_82.sd b/parser/tst/simple_tests/mount/ok_opt_82.sd
new file mode 100644
index 000000000..d3972c4e0
--- /dev/null
+++ b/parser/tst/simple_tests/mount/ok_opt_82.sd
@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-rslave" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+ mount options=make-rslave /1,
+ mount options=(make-rslave) /2,
+ mount options=(rw,make-rslave) /3,
+ mount options in (make-rslave) /4,
+ mount options in (ro,make-rslave) /5,
+}
diff --git a/parser/tst/simple_tests/mount/ok_opt_83.sd b/parser/tst/simple_tests/mount/ok_opt_83.sd
new file mode 100644
index 000000000..28a985bd4
--- /dev/null
+++ b/parser/tst/simple_tests/mount/ok_opt_83.sd
@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-rshared" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+ mount options=make-rshared /1,
+ mount options=(make-rshared) /2,
+ mount options=(rw,make-rshared) /3,
+ mount options in (make-rshared) /4,
+ mount options in (ro,make-rshared) /5,
+}
diff --git a/tests/regression/apparmor/mount.sh b/tests/regression/apparmor/mount.sh
index cf34ea2ef..af0c54040 100755
--- a/tests/regression/apparmor/mount.sh
+++ b/tests/regression/apparmor/mount.sh
@@ -218,6 +218,10 @@ test_propagation_options() {
 runchecktest "MOUNT (confined cap mount propagation setup $1)" pass mount ${loop_device} ${mount_point}
 genprofile cap:sys_admin "mount:options=($1)"
 runchecktest "MOUNT (confined cap mount propagation $1)" pass mount none ${mount_point} -o $1
+ genprofile cap:sys_admin "mount:options=($1):-> ${mount_point}/"
+ runchecktest "MOUNT (confined cap mount propagation $1 mountpoint)" pass mount none ${mount_point} -o $1
+ genprofile cap:sys_admin "mount:options=($1):${mount_point}/"
+ runchecktest "MOUNT (confined cap mount propagation $1 source as mountpoint - deprecated)" pass mount none ${mount_point} -o $1
 remove_mnt
 genprofile cap:sys_admin "mount:ALL" "qual=deny:mount:options=($1)"
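Review bot: The two new runchecktest lines only assert that the mount succeeds, so neither this hunk nor the new simple_tests files pins the behaviour the parser change introduces: the `.sd` descriptions say the deprecated form "should emit a deprecation warning", but nothing on this page checks that a warning is produced, and the new rejection path (a source together with a `->` mount point plus a propagation option) has no test that the profile fails to load. A simple_tests case with `#=EXRESULT FAIL` containing, for instance, `mount options=(shared) /dev/foo -> /mnt/,` (constructed example) would cover the error branch, and a negative regression check here that a profile granting only the old form does not also permit the mount on an unrelated mount point would show the deprecated alias is keyed on the given path rather than widened. test_propagation_options() begins before this hunk and continues after it.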