AppArmor

umount fstype=... not mediated

Bug #1613403 reported by Jamie Strandboge on 2016-08-15

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	AppArmor	Confirmed	Wishlist	Unassigned

Bug Description

These two rules are accepted by the parser and generate equivalent policy:

umount,
umount fstype=fuse.*,

apparmor.d(5) suggests that fstype should be mediated, but it currently is not. Kernel audit suggests it is not mediated:

kernel: [538611.251087] audit: type=1400 audit(1471286430.258:7513): apparmor="DENIED" operation="umount" profile="snap.snap-fuse-test.sh" name="/var/snap/snap-fuse-test/x3/mnt/" pid=1842 comm="umount"

(note fstype is not listed in the denial).

While I found this while developing snappy policy, the interface in question is privileged anyway and so I don't think this is a critical bug for Ubuntu at this time.

Tags:

Jamie Strandboge (jdstrand) on 2016-08-15

summary:	- umount fstype=... ignored + umount fstype=... not mediated
Changed in apparmor:
importance:	Undecided → Wishlist

Revision history for this message

Zygmunt Krynicki (zyga) wrote on 2020-10-27:

This also affects https://github.com/snapcore/snapd/pull/9547

Revision history for this message

John Johansen (jjohansen) wrote on 2020-10-28:

Indeed fstype= is not currently supported by the kernel for umount. It is not difficult to add, but it has not been a priority.

The parser also needs a small patch, and it should of course be throwing a warning when fstype is not supported.

This at earliest could be supported in 5.11 if it is decided its important enough to spend a day on. Of course Ubuntu could easily pick the fix back to its released kernels if so needed.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.