AARE doesn't work as first character in srcname for mount rules

Bug #1613427 reported by Jamie Strandboge
This bug affects 1 person
Affects: AppArmor
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

With this denial:
kernel: [543599.764711] audit: type=1400 audit(1471291418.387:7568): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="snap.snap-fuse-test.sh" name="/var/snap/snap-fuse-test/x3/mnt/" pid=4987 comm="fusexmp" fstype="fuse.fusexmp" srcname="fusexmp" flags="rw, nosuid, nodev"

I noticed that this rule will allow the mount when it should not (i.e., intent is to allow any mount with a srcname that doesn't start with '/'):

mount [^/]** -> **,

Note, srcnames do not start with '/' with fuse mounts. This issue was found when developing policy for snappy, but it can be worked around and is not a critical bug for Ubuntu.

Tags: aa-kernel
Christian Boltz (cboltz)
tags: added: aa-kernel
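
The stated intent of the rule, checked against the denial quoted in the report. This is an added example, not AppArmor's code and not part of the original report: the glob translation is a simplified subset based on the apparmor.d glob descriptions (`*`, `**`, `?`, `[...]`), and the helper names are hypothetical.

```python
import re
import shlex

# The audit record and the rule exactly as quoted in the bug description.
DENIAL = ('kernel: [543599.764711] audit: type=1400 audit(1471291418.387:7568): '
          'apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 '
          'profile="snap.snap-fuse-test.sh" name="/var/snap/snap-fuse-test/x3/mnt/" '
          'pid=4987 comm="fusexmp" fstype="fuse.fusexmp" srcname="fusexmp" '
          'flags="rw, nosuid, nodev"')
RULE = "mount [^/]** -> **,"

def audit_fields(line):
    """Split key=value and key="quoted value" pairs out of an audit record."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def aare_to_regex(glob):
    """Simplified AARE subset (assumption): '**' crosses '/', '*' and '?' do not."""
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif c == "*":
            out.append("[^/]*"); i += 1
        elif c == "?":
            out.append("[^/]"); i += 1
        elif c == "[":
            j = glob.index("]", i + 1)      # character class, e.g. [^/]
            out.append(glob[i:j + 1]); i = j + 1
        else:
            out.append(re.escape(c)); i += 1
    return re.compile("".join(out), re.S)

def rule_covers(rule, fields):
    """True if 'mount SRC -> MNT,' is intended to cover this srcname and mount point."""
    src, mnt = re.fullmatch(r"mount\s+(\S+)\s+->\s+(\S+),", rule.strip()).groups()
    return bool(aare_to_regex(src).fullmatch(fields["srcname"])
                and aare_to_regex(mnt).fullmatch(fields["name"]))

if __name__ == "__main__":
    f = audit_fields(DENIAL)
    print(f["srcname"], "->", f["name"], "covered by intent:", rule_covers(RULE, f))
    # Constructed counter-case: a srcname starting with '/' is outside the intent.
    print("/dev/sdb1 covered by intent:", rule_covers(RULE, {**f, "srcname": "/dev/sdb1"}))
```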