Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

apparmor: shift ouid when mediating hard links in userns

When using AppArmor profiles inside an unprivileged container,
the link operation observes an unshifted ouid.
(tested with LXD and Incus)

For example, root inside container and uid 1000000 outside, with
`owner /root/link l,` profile entry for ln:

/root$ touch chain && ln chain link
==> dmesg
apparmor="DENIED" operation="link" class="file"
namespace="root//lxd-feet_<var-snap-lxd-common-lxd>" profile="linkit"
name="/root/link" pid=1655 comm="ln" requested_mask="l" denied_mask="l"
fsuid=1000000 ouid=0 [<== should be 1000000] target="/root/chain"

Fix by mapping inode uid of old_dentry in aa_path_link() rather than
using it directly, similarly to how it's mapped in __file_path_perm()
later in the file.

Signed-off-by: Gabriel Totev <gabriel.totev@zetier.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
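As an added example (not code from the kernel commit or from AppArmor), a userspace checker for the symptom described above: it parses the dmesg key=value format shown, models an LXD-style id mapping (container/filesystem uid 0 onto host uid 1000000, a constructed range) and flags link denials whose logged ouid equals fsuid once shifted, which is the unshifted owner id this patch fixes. The sample lines, extra pids and the `IdMap` class are constructed here, not taken from the page.

```python
import re

# Constructed sample lines in the dmesg format shown above. Line 1 mirrors the
# unshifted ouid from the commit message; line 2 is a legitimate owner mismatch
# (file owned by container uid 500, i.e. host uid 1000500); line 3 is not a link.
SAMPLE_LOG = [
    'apparmor="DENIED" operation="link" class="file" profile="linkit" '
    'name="/root/link" pid=1655 comm="ln" requested_mask="l" denied_mask="l" '
    'fsuid=1000000 ouid=0 target="/root/chain"',
    'apparmor="DENIED" operation="link" class="file" profile="linkit" '
    'name="/root/link" pid=1702 comm="ln" requested_mask="l" denied_mask="l" '
    'fsuid=1000000 ouid=1000500 target="/root/chain"',
    'apparmor="DENIED" operation="open" class="file" profile="linkit" '
    'name="/etc/shadow" pid=1710 comm="cat" requested_mask="r" denied_mask="r" '
    'fsuid=1000000 ouid=0',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit_line(line):
    """Split an AppArmor audit line into a dict of key=value fields (quotes stripped)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

class IdMap:
    """One id-mapping entry (first, lower_first, count) as in /proc/<pid>/uid_map
    or an idmapped mount: ids first..first+count-1 map to lower_first.. outside."""
    def __init__(self, first, lower_first, count):
        self.first, self.lower_first, self.count = first, lower_first, count

    def shift(self, inner_uid):
        """Map an unshifted (filesystem-side) uid to its host-side id, or None when
        the id lies outside the mapping (the kernel would yield INVALID_UID)."""
        if self.first <= inner_uid < self.first + self.count:
            return self.lower_first + (inner_uid - self.first)
        return None

def classify_link_denial(fields, idmap):
    """None for non-link records; 'unshifted-ouid' when the logged ouid is the raw
    inode uid that equals fsuid once mapped (the bug fixed here); otherwise
    'owner-mismatch' for a denial whose ouid is already host-side."""
    if fields.get("operation") != "link" or "l" not in fields.get("denied_mask", ""):
        return None
    fsuid, ouid = int(fields["fsuid"]), int(fields["ouid"])
    if ouid != fsuid and idmap.shift(ouid) == fsuid:
        return "unshifted-ouid"
    return "owner-mismatch"

def scan(lines, idmap):
    return [classify_link_denial(parse_audit_line(l), idmap) for l in lines]

if __name__ == "__main__":
    # Host range 1000000.. backs container/filesystem uids 0.. (LXD-style layout).
    print(scan(SAMPLE_LOG, IdMap(0, 1000000, 65536)))  # → ['unshifted-ouid', 'owner-mismatch', None]
```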

Authored by Gabriel Totev and committed by John Johansen
c5bf96d2 88fec352

+4 -2
security/apparmor/file.c
··· 430 430 { 431 431 struct path link = { .mnt = new_dir->mnt, .dentry = new_dentry }; 432 432 struct path target = { .mnt = new_dir->mnt, .dentry = old_dentry }; 433 + struct inode *inode = d_backing_inode(old_dentry); 434 + vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_idmap(target.mnt), inode); 433 435 struct path_cond cond = { 434 - d_backing_inode(old_dentry)->i_uid, 435 - d_backing_inode(old_dentry)->i_mode 436 + .uid = vfsuid_into_kuid(vfsuid), 437 + .mode = inode->i_mode, 436 438 }; 437 439 char *buffer = NULL, *buffer2 = NULL; 438 440 struct aa_profile *profile;
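Review bot: the idmap used for the mapping is taken from target.mnt, which the unchanged line above sets to new_dir->mnt rather than a mount derived from old_dentry; that is correct only because a hard link cannot cross mounts (the VFS rejects it with EXDEV before this hook runs), so a one-line comment on the vfsuid_t line stating that old_dentry and new_dir share a mount would save the next reader from re-deriving it. The move from positional to designated initializers (.uid, .mode) is a welcome readability fix; it is also worth confirming that vfsuid_into_kuid() yielding INVALID_UID for an inode owner outside the mapping is treated by the downstream owner comparison as a non-match, which matches the intent of the commit message.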