AARE doesn't work as first character in srcname for mount rules
Bug #1613427 reported by Jamie Strandboge
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | New | Undecided | Unassigned |
Bug Description
With this denial:
kernel: [543599.764711] audit: type=1400 audit(147129141
I noticed that this rule will allow the mount when it should not (i.e., intent is to allow any mount with a srcname that doesn't start with '/'):
mount [^/]** -> **,
Note, srcnames do not start with '/' with fuse mounts. This issue was found when developing policy for snappy, but it can be worked around and is not a critical bug for Ubuntu.
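The intent stated in the report, as an added example that is not part of the original report or of AppArmor's code: a simplified Python model of the AARE globs documented in apparmor.d(5) (`*`, `**`, `?`, `[...]`, `[^...]`), giving the expected result for the srcname pattern `[^/]**` as a reference when testing a fix or a workaround. The function names and the sample srcnames are constructed for illustration.

```python
import re

def aare_to_regex(aare):
    """Translate a subset of AARE glob syntax into a Python regex.

    Simplified model only: no {a,b} alternation, no escapes, and a ']'
    cannot appear inside a character class.
    """
    out, i = [], 0
    while i < len(aare):
        if aare.startswith("**", i):
            out.append(".*")                 # '**' also matches '/'
            i += 2
        elif aare[i] == "*":
            out.append("[^/]*")              # '*' stops at '/'
            i += 1
        elif aare[i] == "?":
            out.append("[^/]")               # one character, not '/'
            i += 1
        elif aare[i] == "[":
            end = aare.index("]", i + 1)     # copy the class, incl. '^'
            out.append(aare[i:end + 1])
            i = end + 1
        else:
            out.append(re.escape(aare[i]))   # literal character
            i += 1
    return "".join(out)

def intended_match(srcname, aare="[^/]**"):
    """True if srcname should match the rule's srcname pattern."""
    return re.fullmatch(aare_to_regex(aare), srcname, re.DOTALL) is not None

# Constructed sample srcnames (not taken from the truncated denial above).
SAMPLES = ["sshfs#user@example.invalid:/export", "/dev/sdb1", ""]

def classify(samples=SAMPLES):
    """Map each sample srcname to the intended allow/deny decision."""
    return {s: intended_match(s) for s in samples}

if __name__ == "__main__":
    for src, ok in classify().items():
        print(f"{src!r:40} intended match: {ok}")
```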
tags: added: aa-kernel