mount -> @{HOME}/... denial

Bug #1612393 reported by Jamie Strandboge on 2016-08-11
This bug affects 1 person
Affects: apparmor (Ubuntu)

Bug Description

When using apparmor tunables for the mountpoint in mount rules, the parser will parse the rule but the kernel blocks it.

E.g., this works:
  # works
  mount -> /home/*/mnt/,

This doesn't:
  mount -> @{HOME}/mnt/,

audit: type=1400 audit(1470943929.750:482): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="test" name="/home/jamie/mnt/" pid=25573 comm="fusexmp" fstype="fuse.fusexmp" srcname="fusexmp" flags="rw, nosuid, nodev"

I did not test the srcname. Attached is a reproducer and profile.

$ mkdir ~/mnt
$ gcc -Wall ./fusexmp.c `pkg-config fuse --cflags --libs` -o fusexmp
$ sudo apparmor_parser -r /tmp/apparmor.profile && sudo aa-exec -p test ./fusexmp ~/mnt

Jamie Strandboge (jdstrand) wrote :

This is the type of rule I'm striving to have:

mount fstype=fuse.* [^/]** -> @{HOME}/snap/@{SNAP_NAME}/@{SNAP_REVISION}/{,**/},

That doesn't work, but this does:

mount fstype=fuse.* [^/]** -> /home/*/snap/@{SNAP_NAME}/@{SNAP_REVISION}/{,**/},

Jamie Strandboge (jdstrand) wrote :

FYI, this came up in another snapd context in support of snap parallel installs. It is worked around, but would be nice if this was fixed.
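A small profile check for the mismatch described in this report, added here as an example (it is not from the report, the attachment, or the AppArmor project): it flags mount rules whose mountpoint (the part after `->`) references a tunable such as @{HOME}, which the parser accepts but the kernel fails to match, and shows the literal-glob rewrite used in the comments above. The sample profile and the expansion map are constructed for the example; the real @{HOME} tunable also covers /root/, so a production rewrite would emit that alternative as well.

```python
import re

# Constructed sample profile, modelled on the rules quoted in the report.
SAMPLE_PROFILE = """\
#include <tunables/global>
profile test {
  # works: literal glob in the mountpoint
  mount -> /home/*/mnt/,
  # parses, but the kernel denies it with "failed mntpnt match"
  mount -> @{HOME}/mnt/,
  mount fstype=fuse.* [^/]** -> @{HOME}/snap/@{SNAP_NAME}/@{SNAP_REVISION}/{,**/},
  # tunable on the source side: not what this check is about
  mount options=(ro) @{HOME}/src/ -> /mnt/,
}
"""

# One complete mount rule per line, ending in a comma (optional trailing comment).
MOUNT_RULE = re.compile(r'^\s*(?:audit\s+)?(?:deny\s+)?mount\b(?P<body>.*),\s*(?:#.*)?$')
TUNABLE = re.compile(r'@\{[A-Za-z_][A-Za-z0-9_]*\}')


def find_tunable_mountpoints(profile_text):
    """Return (lineno, rule, tunables) for every mount rule whose mountpoint
    references a variable like @{HOME}; rules without '->' have no mountpoint."""
    findings = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue  # comment, not a rule
        m = MOUNT_RULE.match(line)
        if not m or '->' not in m.group('body'):
            continue
        mountpoint = m.group('body').split('->', 1)[1].strip()
        tunables = TUNABLE.findall(mountpoint)
        if tunables:
            findings.append((lineno, line.strip(), tunables))
    return findings


def rewrite_mountpoint(rule, expansions):
    """Expand the given tunables in the mountpoint only, leaving the source
    and conditions untouched (the workaround shown in the report's comments).
    'expansions' is an assumed caller-supplied map, e.g. {'@{HOME}': '/home/*'}."""
    head, mountpoint = rule.split('->', 1)
    for name, value in expansions.items():
        mountpoint = mountpoint.replace(name, value)
    return head + '->' + mountpoint


if __name__ == '__main__':
    for lineno, rule, tunables in find_tunable_mountpoints(SAMPLE_PROFILE):
        print(f'line {lineno}: mountpoint uses {", ".join(tunables)}')
        print('  rewrite:', rewrite_mountpoint(rule, {'@{HOME}': '/home/*'}))
```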
