Verification in mantic was successful:
georgia@sec-mantic-amd64:~$ uname -a
Linux sec-mantic-amd64 6.5.0-27-generic #28-Ubuntu SMP PREEMPT_DYNAMIC Thu Mar
7 18:21:00 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
georgia@sec-mantic-amd64:~$ cat
/sys/kernel/security/apparmor/features/mount/move_mount
detached
georgia@sec-mantic-amd64:~$ cd apparmor/tests/regression/apparmor/
georgia@sec-mantic-amd64:~/apparmor/tests/regression/apparmor$ sudo bash
./mount.sh
using mount rules ...
not supported by parser - skipping mount options=(nodirsync),
** Tags removed: verification-needed-mantic-linux
** Tags added: verification-done-mantic-linux
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2052662
Title:
move_mount mediation does not detect if source is detached
Status in linux package in Ubuntu:
Invalid
Status in linux source package in Mantic:
Fix Committed
Bug description:
Impact:
In AppArmor mediation, detached mounts are appearing as / when
applying mount mediation, which is incorrect and leads to bad
AppArmor policy being generated.
In addition, the move_mount mediation is not being advertised to
userspace, which denies the applications the possibility to
respond accordingly.
Fix:
Fixed upstream by commit 8026e40608b4d552216d2a818ca7080a4264bb44
by preventing move_mont from applying the attach_disconnected
flag.
Testcase:
Check if move_mount file is available in securityfs:
$ cat /sys/kernel/security/apparmor/features/mount/move_mount
detached
Run upstream AppArmor mount tests, which include move_mount mediation.
https://gitlab.com/apparmor/apparmor/-/blob/master/tests/regression/apparmor/mount.sh
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2052662/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
