2016-08-11 19:38:29 | Jamie Strandboge | bug | added bug

2016-08-11 19:38:50 | Jamie Strandboge | attachment added | fusexmp.c https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1612393/+attachment/4719282/+files/fusexmp.c

2016-08-11 19:39:14 | Jamie Strandboge | attachment added | apparmor.profile https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1612393/+attachment/4719283/+files/apparmor.profile

2018-08-02 21:26:22 | Jamie Strandboge | description

Old value:

When using apparmor variables for the mountpoint in mount rules, the parser will parse the rule but the kernel blocks it.
Eg, this works:

    # works
    mount -> /home/*/mnt/,

This doesn't:

    mount -> @{HOME}/mnt/,
    audit: type=1400 audit(1470943929.750:482): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="test" name="/home/jamie/mnt/" pid=25573 comm="fusexmp" fstype="fuse.fusexmp" srcname="fusexmp" flags="rw, nosuid, nodev"

I did not test the srcname. Attached is a reproducer and profile.

    $ mkdir ~/mnt
    $ gcc -Wall ./fusexmp.c `pkg-config fuse --cflags --libs` -o fusexmp
    $ sudo apparmor_parser -r /tmp/apparmor.profile && sudo aa-exec -p test ./fusexmp ~/mnt

New value:

When using apparmor tunaables for the mountpoint in mount rules, the parser will parse the rule but the kernel blocks it.
Eg, this works:

    # works
    mount -> /home/*/mnt/,

This doesn't:

    mount -> @{HOME}/mnt/,
    audit: type=1400 audit(1470943929.750:482): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="test" name="/home/jamie/mnt/" pid=25573 comm="fusexmp" fstype="fuse.fusexmp" srcname="fusexmp" flags="rw, nosuid, nodev"

I did not test the srcname. Attached is a reproducer and profile.

    $ mkdir ~/mnt
    $ gcc -Wall ./fusexmp.c `pkg-config fuse --cflags --libs` -o fusexmp
    $ sudo apparmor_parser -r /tmp/apparmor.profile && sudo aa-exec -p test ./fusexmp ~/mnt

2018-08-02 21:26:30 | Jamie Strandboge | description

Old value:

When using apparmor tunaables for the mountpoint in mount rules, the parser will parse the rule but the kernel blocks it.
Eg, this works:

    # works
    mount -> /home/*/mnt/,

This doesn't:

    mount -> @{HOME}/mnt/,
    audit: type=1400 audit(1470943929.750:482): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="test" name="/home/jamie/mnt/" pid=25573 comm="fusexmp" fstype="fuse.fusexmp" srcname="fusexmp" flags="rw, nosuid, nodev"

I did not test the srcname. Attached is a reproducer and profile.

    $ mkdir ~/mnt
    $ gcc -Wall ./fusexmp.c `pkg-config fuse --cflags --libs` -o fusexmp
    $ sudo apparmor_parser -r /tmp/apparmor.profile && sudo aa-exec -p test ./fusexmp ~/mnt

New value:

When using apparmor tunables for the mountpoint in mount rules, the parser will parse the rule but the kernel blocks it.
Eg, this works:

    # works
    mount -> /home/*/mnt/,

This doesn't:

    mount -> @{HOME}/mnt/,
    audit: type=1400 audit(1470943929.750:482): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="test" name="/home/jamie/mnt/" pid=25573 comm="fusexmp" fstype="fuse.fusexmp" srcname="fusexmp" flags="rw, nosuid, nodev"

I did not test the srcname. Attached is a reproducer and profile.

    $ mkdir ~/mnt
    $ gcc -Wall ./fusexmp.c `pkg-config fuse --cflags --libs` -o fusexmp
    $ sudo apparmor_parser -r /tmp/apparmor.profile && sudo aa-exec -p test ./fusexmp ~/mnt

2018-08-17 15:46:36 | Zygmunt Krynicki | bug | added subscriber Zygmunt Krynicki

2021-01-19 21:29:58 | Launchpad Janitor | apparmor (Ubuntu): status | New -> Confirmed