Skip to content

fix mount regression in 3.1.5

John Johansen requested to merge jjohansen/apparmor:fix-mount into apparmor-3.1

Mount has regressed in two ways. That are affecting snapd confinement, since landing the mount fixes for CVE-2016-1585 in 3.1.4 and the fix for the mount change type regression in 3.1.5

Bug Reports:

https://bugs.launchpad.net/apparmor/+bug/2023814

https://bugzilla.opensuse.org/show_bug.cgi?id=1211989

Issue 1: Denial of Mount

[ 808.531909] audit: type=1400 audit(1686759578.010:158): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.test-snapd-lp-1803535" name="/tmp/.snap/etc/" pid=14529 comm="5" srcname="/etc/" flags="rw, rbind"

when the profile contains a rule that should match

mount options=(rw, rbind) "/etc/" -> "/tmp/.snap/etc/",

Issue 2: change_type failure. Denial of Mount in log

type=AVC msg=audit(1686977968.399:763): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="snap-update-ns.authy" name="/var/cache/fontconfig/" pid=26702 comm="5" srcname="/var/lib/snapd/hostfs/var/cache/fontconfig/" flags="rw, bind"
...

snapd error

- Run configure hook of "chromium" snap if present (run hook "configure": 
-----
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/doc /usr/share/doc none bind,ro 0 0): permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/fonts /usr/share/fonts none bind,ro 0 0): permission denied
update.go:85: cannot change mount namespace according to change mount (/var/snap/cups/common/run /var/cups none bind,rw 0 0): permission denied
cannot update snap namespace: cannot create writable mimic over "/snap/chromium/2475": permission denied
snap-update-ns failed with code 1

and NO mount rules in the profiles.

Edited by John Johansen

Merge request reports