move_mount mediation does not detect if source is detached
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Invalid | Undecided | Unassigned |
Mantic | Fix Released | Medium | Unassigned |
Bug Description
Impact:
In AppArmor mount mediation, detached mounts (the source of a move_mount call) are seen by the policy engine as the path /, which is incorrect and leads to bad AppArmor policy being generated.
In addition, move_mount mediation is not advertised to userspace through the AppArmor feature files, so applications cannot detect it and respond accordingly.
Fix:
Fixed upstream by commit 8026e40608b4d55, which prevents move_mount from applying the attach_disconnected flag (so a detached source is no longer reported as /) and advertises move_mount mediation in securityfs.
Testcase:
Check if move_mount file is available in securityfs:
$ cat /sys/kernel/
detached
Run upstream AppArmor mount tests, which include move_mount mediation.
https:/
Changed in linux (Ubuntu Mantic): importance: Undecided → Medium
Changed in linux (Ubuntu): status: New → Invalid
Changed in linux (Ubuntu Mantic): status: New → Fix Committed
This bug is awaiting verification that the linux/6.5.0-27.28 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-mantic-linux' to 'verification-done-mantic-linux'. If the problem still exists, change the tag 'verification-needed-mantic-linux' to 'verification-failed-mantic-linux'.
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!