unsupported mount options: 'nofail', 'nostrictatime', 'lazytime', and 'nolazytime'

This also affects "functionfs" that uses "uid=2000,gid=2000,no_disconnect=1,rmode=0550,fmode=0660 ".

The bitflags for the other mount options are defined in `include/uapi/linux/mount.h` of the Linux source tree, and there is no such definitions for 'nofail', so I don't think adding kernel mappings of this form (e.g. MS_RDONLY) is the solution. These options are supported by 'mount' using userspace option mappings of the form MNT_MS_NOFAIL (see: https://github.com/util-linux/util-linux/blob/master/libmount/src/optmap.c). Perhaps a similar approach could be used by apparmor to validate fs-independent userspace mount options such as nofail?

Note, however, that the 'lazytime' option does have a kernel option mapping: `#define MS_LAZYTIME (1<<25)` (in `include/uapi/linux/mount.h`). There is no option mapping for (1<<25) in `parser/mount.h`. Was this option deliberately excluded, or can it be added?

If it can be added, then 'nolazytime' is simply a matter of clearing the 'lazytime' bit.

There already exists a mapping for 'strictatime', so it should be simple enough for me to add a mapping for `nostrictatime` which sets 0 and clears MS_STRICTATIME.

Attached is a patch which adds support for 'nostrictatime', 'lazytime', and 'nolazytime'.

Since 'strictatime' already existed and documentation suggested 'nostrictatime' should already be included as well, 'nostrictatime' is a simple inclusion.

The kernel supports `MS_LAZYTIME` as `(1 << 25)`, so I added that to `parser/mount.h` with the corresponding 'lazytime' and 'nolazytime' options in `parser/mount.cc`.

More work is needed to understand userspace mount options such as 'nofail' which mount supports, so this patch does not include any fixes in that regard.

The attachment "Patch adding mount options nostrictatime, lazytime, and nolazytime" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

I submitted an issue and accompanying PR for this bug on the apparmor GitLab repository.

Issue: https://gitlab.com/apparmor/apparmor/-/issues/312
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1004

Hi Oliver,

Could you please add the options listed in comment #1 as well? They are used by FunctionFS. Thank you.

Hi Robert,

I submitted a PR to allow userspace and filesystem-specific mount options to be validated directly by snapd, since apparmor should only ever see kernel mount options. It should support `nofail` and the functionfs mount options as well as options for most other common filesystems.

https://github.com/snapcore/snapd/pull/12712

Hi Oliver,

Thanks for the explanation and the PR.

Both the Apparmor MR on GitLab to support 'nostrictatime', 'lazytime', and 'nolazytime' (https://gitlab.com/apparmor/apparmor/-/merge_requests/1005), and the snapd PR to support 'nofail' and other userspace and fs-specific mount options (https://github.com/snapcore/snapd/pull/12712) have been merged into their respective master branches. The snapd changes will be backported into the 2.59 release as well.

This is released in upstream. The question becomes when do we switch to released for Ubuntu. When it is in the vendored version in snap, current ubuntu release, or are we going to open tasks and SRU to older releases.