All of lore.kernel.org
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
Cc: selinux@vger.kernel.org
Subject: Re: [PATCH v6 2/8] apparmor: Remove redundant MS_MGC_MSK stripping in apparmor_sb_mount
Date: Tue, 07 Jul 2026 00:04:21 +0000	[thread overview]
Message-ID: <20260707000421.81C891F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260706235053.4104951-3-song@kernel.org>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] AppArmor's mount mediation contains a Time-of-Check to Time-of-Use (TOCTOU) vulnerability during mount operations (such as MS_BIND and MS_MOVE). It resolves user-supplied mount source paths via `kern_path()` for authorization. However, after authorization succeeds, VFS independently resolves the exact same string. An attacker can race this window to swap a symlink and mount unauthorized paths, entirely bypassing the MAC policy.
--

--- Patch [2]: [PATCH v6 2/8] apparmor: Remove redundant MS_MGC_MSK stripping in apparmor_sb_mount ---
commit eaca63dc76aaf43bda7315bdb224bbd33d80cf0e
Author: Song Liu <song@kernel.org>

apparmor: Remove redundant MS_MGC_MSK stripping in apparmor_sb_mount

This commit removes a redundant MS_MGC_MSK flag stripping check from
apparmor_sb_mount(), as path_mount() already handles it.

> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> index 3491e9f601943..4415bca5889cf 100644
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -705,10 +705,6 @@ static int apparmor_sb_mount(const char *dev_name, const struct path *path,
>  	int error = 0;
>  	bool needput;

[Severity: High]
This is a pre-existing issue, but does relying on the user-supplied dev_name
string here create a time-of-check to time-of-use vulnerability?

AppArmor's mount mediation resolves the untrusted user string dev_name via
kern_path() for authorization. For example:

security/apparmor/mount.c:aa_bind_mount() {
    ...
    error = kern_path(dev_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path);
    ...
}

After authorization succeeds, the core mount code independently resolves the
exact same string again:

fs/namespace.c:do_loopback() {
    ...
    err = kern_path(old_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path);
    ...
}

Could an attacker race this window to swap a symlink and mount unauthorized
paths, bypassing the access policy?

> -	/* Discard magic */
> -	if ((flags & MS_MGC_MSK) == MS_MGC_VAL)
> -		flags &= ~MS_MGC_MSK;
> -
>  	flags &= ~AA_MS_IGNORE_MASK;
>  
>  	label = __begin_current_label_crit_section(&needput);

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260706235053.4104951-1-song@kernel.org?part=2

  reply	other threads:[~2026-07-07  0:04 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-06 23:50 [PATCH v6 0/8] lsm: Replace security_sb_mount with granular mount hooks Song Liu
2026-07-06 23:50 ` [PATCH v6 1/8] lsm: Add " Song Liu
2026-07-07  0:00   ` sashiko-bot
2026-07-06 23:50 ` [PATCH v6 2/8] apparmor: Remove redundant MS_MGC_MSK stripping in apparmor_sb_mount Song Liu
2026-07-07  0:04   ` sashiko-bot [this message]
2026-07-06 23:50 ` [PATCH v6 3/8] apparmor: Convert from sb_mount to granular mount hooks Song Liu
2026-07-07  0:05   ` sashiko-bot
2026-07-06 23:50 ` [PATCH v6 4/8] selinux: " Song Liu
2026-07-07  0:01   ` sashiko-bot
2026-07-06 23:50 ` [PATCH v6 5/8] landlock: " Song Liu
2026-07-07  0:04   ` sashiko-bot
2026-07-06 23:50 ` [PATCH v6 6/8] tomoyo: " Song Liu
2026-07-07  0:04   ` sashiko-bot
2026-07-06 23:50 ` [PATCH v6 7/8] vfs: Replace security_sb_mount/security_move_mount with granular hooks Song Liu
2026-07-07  0:06   ` sashiko-bot
2026-07-06 23:50 ` [PATCH v6 8/8] lsm: Remove security_sb_mount and security_move_mount Song Liu
2026-07-07  2:08   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260707000421.81C891F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.