diff --git a/parser/mount.cc b/parser/mount.cc index c7130786f..c349e5ca6 100644 --- a/parser/mount.cc +++ b/parser/mount.cc @@ -772,8 +772,17 @@ int mnt_rule::gen_policy_remount(Profile &prof, int &count, goto fail; vec[0] = mntbuf.c_str(); } else { - if (!convert_entry(mntbuf, device)) + if (device && strcmp(device, "detached") == 0) { + /* if (features_supports_detached_mount) ... + * not needed because this is equiv to "" + * which was preivously supported + * + * match nothing + */ + devbuf.clear(); + } else if (!clear_and_convert_entry(devbuf, device)) { goto fail; + } vec[0] = mntbuf.c_str(); } /* skip device */ @@ -844,8 +853,12 @@ int mnt_rule::gen_policy_bind_mount(Profile &prof, int &count, if (!convert_entry(mntbuf, mnt_point)) goto fail; vec[0] = mntbuf.c_str(); - if (!clear_and_convert_entry(devbuf, device)) + if (device && strcmp(device, "detached") == 0) { + /* see note in move_mount. match nothing */ + devbuf.clear(); + } else if (!clear_and_convert_entry(devbuf, device)) { goto fail; + } vec[1] = devbuf.c_str(); /* skip type */ vec[2] = default_match_pattern; @@ -946,8 +959,12 @@ int mnt_rule::gen_policy_move_mount(Profile &prof, int &count, if (!convert_entry(mntbuf, mnt_point)) goto fail; vec[0] = mntbuf.c_str(); - if (!clear_and_convert_entry(devbuf, device)) + if (device && strcmp(device, "detached") == 0) { + /* see note in move_mount. match nothing */ + devbuf.clear(); + } else if (!clear_and_convert_entry(devbuf, device)) { goto fail; + } vec[1] = devbuf.c_str(); /* skip type */ vec[2] = default_match_pattern; @@ -987,8 +1004,12 @@ int mnt_rule::gen_policy_new_mount(Profile &prof, int &count, if (!convert_entry(mntbuf, mnt_point)) goto fail; vec[0] = mntbuf.c_str(); - if (!clear_and_convert_entry(devbuf, device)) + if (device && strcmp(device, "detached") == 0) { + /* see note in move mount. match nothing */ + devbuf.clear(); + } else if (!clear_and_convert_entry(devbuf, device)) { goto fail; + } vec[1] = devbuf.c_str(); typebuf.clear(); if (!build_list_val_expr(typebuf, dev_type)) diff --git a/parser/parser.h b/parser/parser.h index 2f63e65cc..3e0eb5ee9 100644 --- a/parser/parser.h +++ b/parser/parser.h @@ -321,6 +321,7 @@ extern int features_supports_inet; extern int kernel_supports_policydb; extern int kernel_supports_diff_encode; extern int features_supports_mount; +extern bool features_supports_detached_mount; extern int features_supports_dbus; extern int features_supports_signal; extern int features_supports_ptrace; diff --git a/parser/parser_common.c b/parser/parser_common.c index 7da975991..ca9457c94 100644 --- a/parser/parser_common.c +++ b/parser/parser_common.c @@ -73,6 +73,7 @@ int features_supports_inet = 0; /* kernel supports inet network rules */ int features_supports_unix = 0; /* kernel supports unix socket rules */ int kernel_supports_policydb = 0; /* kernel supports new policydb */ int features_supports_mount = 0; /* kernel supports mount rules */ +bool features_supports_detached_mount = false; int features_supports_dbus = 0; /* kernel supports dbus rules */ int kernel_supports_diff_encode = 0; /* kernel supports diff_encode */ int features_supports_signal = 0; /* kernel supports signal rules */ diff --git a/parser/parser_main.c b/parser/parser_main.c index 8234ec9c3..802217dd1 100644 --- a/parser/parser_main.c +++ b/parser/parser_main.c @@ -956,6 +956,14 @@ void set_supported_features() features_supports_mount = features_intersect(kernel_features, policy_features, "mount"); + /* + * note: detached mounts are just a null condition, so previous + * mount rule encoding supports it, if the kernel supports + * it. So support for detached depends on mount intersect and + * kernel detached. + */ + features_supports_detached_mount = aa_features_supports(kernel_features, + "mount/move_mount/detached"); features_supports_dbus = features_intersect(kernel_features, policy_features, "dbus"); features_supports_signal = features_intersect(kernel_features,