mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 08:24:42 +01:00
parser: fix mount for all rule
Without AA_MAY_MOUNT, mount was not allowed by the allow all rule. AA_DUMMY_REMOUNT does become AA_MAY_MOUNT, but it fixes the flags to remount only, so other options are not included. Also, add allow all rule testcases to the mount regression tests. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/410 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
parent
9b66f6a749
commit
d3f5308265
3 changed files with 36 additions and 1 deletions
|
@ -67,7 +67,7 @@ void all_rule::add_implied_rules(Profile &prof)
|
|||
(void) rule->add_prefix(*prefix);
|
||||
prof.rule_ents.push_back(rule);
|
||||
|
||||
rule = new mnt_rule(NULL, NULL, NULL, NULL, 0);
|
||||
rule = new mnt_rule(NULL, NULL, NULL, NULL, AA_MAY_MOUNT);
|
||||
(void) rule->add_prefix(*prefix);
|
||||
prof.rule_ents.push_back(rule);
|
||||
|
||||
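Review bot: The `mnt_rule` constructor call in `all_rule::add_implied_rules` now passes `AA_MAY_MOUNT`, but nothing in the code says why, so the reasoning lives only in the commit message. Because this one argument decides whether `all,` grants mount at all, a short comment would help, for example `/* pass AA_MAY_MOUNT explicitly: without it "all," did not allow mount (issue 410) */`. It would also be useful to note next to it that `AA_DUMMY_REMOUNT` is not a substitute because it pins the flags to remount only, as the commit description says. The function body starts and ends outside this hunk, so how the other implied rules are built cannot be checked from here.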
|
|
|
@ -424,6 +424,34 @@ fsmount_tests() {
|
|||
fsmount_test " fsmount deny att_dis" "qual=deny:" "flag:attach_disconnected" ${should_fail}
|
||||
}
|
||||
|
||||
all_rule() {
|
||||
if [ "$(parser_supports 'all,')" != "true" ]; then
|
||||
echo " not supported by parser - skipping allow all,"
|
||||
return
|
||||
fi
|
||||
|
||||
settest mount
|
||||
genprofile "all"
|
||||
|
||||
runchecktest "MOUNT (confined allow all)" pass mount ${loop_device} ${mount_point}
|
||||
|
||||
runchecktest "UMOUNT (confined allow all)" pass umount ${loop_device} ${mount_point}
|
||||
|
||||
runchecktest "MOUNT (confined allow all remount setup)" pass mount ${loop_device} ${mount_point}
|
||||
runchecktest "MOUNT (confined allow all remount)" pass mount ${loop_device} ${mount_point} -o remount
|
||||
remove_mnt
|
||||
|
||||
settest move_mount
|
||||
genprofile "all"
|
||||
|
||||
runchecktest "MOVE_MOUNT (confined fsmount: allow all)" pass fsmount ${loop_device} ${mount_point} ${fstype}
|
||||
remove_mnt
|
||||
|
||||
mount ${loop_device} ${mnt_source}
|
||||
runchecktest "MOVE_MOUNT (confined open_tree: allow all)" pass open_tree ${mount_point2} ${mount_point} ${fstype}
|
||||
remove_mnt
|
||||
}
|
||||
|
||||
# TEST 1. Make sure can mount and umount unconfined
|
||||
runchecktest "MOUNT (unconfined)" pass mount ${loop_device} ${mount_point}
|
||||
remove_mnt
|
||||
|
@ -569,6 +597,8 @@ else
|
|||
fsmount_tests tmpfs ${mount_point} tmpfs
|
||||
fsmount_tests ${loop_device} ${mount_point} ${fstype}
|
||||
open_tree_tests ${mount_point2} ${mount_point} ${fstype}
|
||||
|
||||
all_rule
|
||||
fi
|
||||
|
||||
#need tests for chroot
|
||||
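Review bot: `all_rule()` reads `${mnt_source}` and `${fstype}` but takes no arguments and sets neither in the visible lines, and it is called bare as `all_rule` in the later hunk. If those values are leftovers from `open_tree_tests` and `fsmount_tests`, the new cases pass only because of call order. The setup line `mount ${loop_device} ${mnt_source}` is also unchecked, so a failed setup would show up as a misleading failure of "MOVE_MOUNT (confined open_tree: allow all)". If the intent is to mount on the same source the open_tree call uses, `mount ${loop_device} ${mount_point2}` with an explicit check of its exit status would make the test self-contained. All added cases expect `pass`; a case combining `all` with a deny mount rule would confirm the rule does not override denials.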
|
|
|
@ -120,6 +120,11 @@ if [ "$(kernel_features mount)" != "true" -o "$(parser_supports 'mount,')" != "t
|
|||
exit
|
||||
fi
|
||||
|
||||
if [ "$(parser_supports 'all,')" = "true" ]; then
|
||||
genprofile "all"
|
||||
do_test "allow all rule" pass "$put_old" "$new_root" "$test"
|
||||
fi
|
||||
|
||||
# Ensure failure when no pivot_root perms are granted
|
||||
genprofile $cur $cap
|
||||
do_test "cap only" fail "$put_old" "$new_root" "$test"
|
||||
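Review bot: When `parser_supports 'all,'` is not true, this new block skips the "allow all rule" case silently, whereas `all_rule()` in the mount test prints a skip message. A silent skip makes it hard to tell from the log whether the allow-all pivot_root path was exercised on a given parser. Consider adding an `else` branch with `echo "    not supported by parser - skipping allow all,"` so both tests report the skip the same way.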
|
|