From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= , John Johansen Subject: [PATCH 4.14 33/38] apparmor: fix regression in mount mediation when feature set is pinned Date: Mon, 8 Jan 2018 13:59:26 +0100 Message-Id: <20180108125918.074945785@linuxfoundation.org> X-Mailer: git-send-email 2.15.1 In-Reply-To: <20180108125915.951963528@linuxfoundation.org> References: <20180108125915.951963528@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-LABELS: =?utf-8?b?IlxcU2VudCI=?= X-GMAIL-THRID: =?utf-8?q?1589029331180984552?= X-GMAIL-MSGID: =?utf-8?q?1589029331180984552?= X-Mailing-List: linux-kernel@vger.kernel.org List-ID: 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: John Johansen commit 5b9f57cf47b87f07210875d6a24776b4496b818d upstream. When the mount code was refactored for Labels it was not correctly updated to check whether policy supported mediation of the mount class. This causes a regression when the kernel feature set is reported as supporting mount and policy is pinned to a feature set that does not support mount mediation. BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882697#41 Fixes: 2ea3ffb7782a ("apparmor: add mount mediation") Reported-by: Fabian Grünbichler Signed-off-by: John Johansen Signed-off-by: Greg Kroah-Hartman --- security/apparmor/mount.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) --- a/security/apparmor/mount.c +++ b/security/apparmor/mount.c @@ -330,6 +330,9 @@ static int match_mnt_path_str(struct aa_ AA_BUG(!mntpath); AA_BUG(!buffer); + if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT)) + return 0; + error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer, &mntpnt, &info, profile->disconnected); if (error) 
@@ -381,6 +384,9 @@ static int match_mnt(struct aa_profile * AA_BUG(!profile); AA_BUG(devpath && !devbuffer); + if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT)) + return 0; + if (devpath) { error = aa_path_name(devpath, path_flags(profile, devpath), devbuffer, &devname, &info, @@ -559,6 +565,9 @@ static int profile_umount(struct aa_prof AA_BUG(!profile); AA_BUG(!path); + if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT)) + return 0; + error = aa_path_name(path, path_flags(profile, path), buffer, &name, &info, profile->disconnected); if (error) @@ -614,7 +623,8 @@ static struct aa_label *build_pivotroot( AA_BUG(!new_path); AA_BUG(!old_path); - if (profile_unconfined(profile)) + if (profile_unconfined(profile) || + !PROFILE_MEDIATES(profile, AA_CLASS_MOUNT)) return aa_get_newest_label(&profile->label); error = aa_path_name(old_path, path_flags(profile, old_path),
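Review bot: In the first hunk (match_mnt_path_str), the new early return of 0 silently permits the operation whenever the loaded policy does not declare AA_CLASS_MOUNT, which is the intended behaviour for a pinned feature set but is not obvious from reading the function; a one-line comment above `if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))` stating that 0 means "allow, policy does not mediate this class" would save the next reader from reading it as an error-free denial. Placing the check after the AA_BUG() asserts and before aa_path_name() is correct, since no path lookup or buffer use happens for profiles that cannot mediate mounts.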
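Review bot: In the match_mnt hunk the identical check is repeated; if match_mnt ends up calling match_mnt_path_str on the same profile (not visible in this diff), the second test is redundant but harmless, and the early return correctly covers both the `if (devpath)` branch and the no-devpath path below it. Given that the same three-line block now appears in three functions, consider a short comment in the first one explaining the rationale rather than repeating it, or a note in the commit message that the checks are deliberately placed in each entry point so that future mediation helpers copy the pattern.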
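Review bot: In the profile_umount hunk the check is placed before aa_path_name(), so the `name` and `info` locals are left uninitialised on the early-return path; that is fine here because nothing after the return consumes them, but any later refactor that moves audit or cleanup code ahead of this `if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))` would need to keep that ordering in mind. A comment tying the return value to the "policy pinned to a feature set without mount mediation" case described in the changelog would make that dependency explicit.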
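Review bot: The build_pivotroot hunk is the one place where the non-mediated case does not return 0: because the function returns a struct aa_label *, the change folds the new condition into the existing unconfined test, `if (profile_unconfined(profile) || !PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))`, and returns aa_get_newest_label(&profile->label) instead. That is the right shape, since it reuses the already-correct unconfined path and its reference-counting contract (the caller must drop the label reference exactly as it does for unconfined profiles), but the asymmetry with the three int-returning functions above deserves a sentence in the commit message so nobody "fixes" it to return NULL later.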