mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-02 15:25:27 +00:00
Code Issues Releases Wiki Activity

regression tests: add mount test for CVE-2016-1585

Browse Source 
Add infrastructure for calling the mount test binary with an fstype
instead of using the default hardcoded ext2 type, and then use that in a
test that exercises CVE-2016-1585, ensuring that mounting a procfs
filesystem isn't permitted when the only mount rule is

  mount options=(rw,make-slave) -> **,

to try to ensure that the generated and enforced policy is restricted to
what is intended.

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1597017
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1211
This commit is contained in:
Steve Beattie
2024-04-11 11:46:52 -07:00
parent 41d4664124
commit ff644df776
2 changed files with 24 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
tests/regression/apparmor/mount.c
View File

@@ -114,6 +114,7 @@ static void usage(char *prog_name)
fprintf(stderr, "Options are:\n"); fprintf(stderr, "Options are:\n");
fprintf(stderr, "-o flags sent to the mount syscall\n"); fprintf(stderr, "-o flags sent to the mount syscall\n");
fprintf(stderr, "-d data sent to the mount syscall\n"); fprintf(stderr, "-d data sent to the mount syscall\n");
fprintf(stderr, "-t type of synthetic filesystem (e.g. proc) for mount syscall\n");
exit(1); exit(1);
} }
@@ -121,12 +122,13 @@ int main(int argc, char *argv[])
{ {
char *options = NULL; char *options = NULL;
char *data = NULL; char *data = NULL;
char *type = NULL;
int index; int index;
int c; int c;
char *op, *source, *target, *token; char *op, *source, *target, *token;
unsigned long flags = 0; unsigned long flags = 0;
while ((c = getopt (argc, argv, "o:d:h")) != -1) { while ((c = getopt (argc, argv, "o:d:t:h")) != -1) {
switch (c) switch (c)
{ {
case 'o': case 'o':
@@ -135,6 +137,9 @@ int main(int argc, char *argv[])
case 'd': case 'd':
data = optarg; data = optarg;
break; break;
case 't':
type = optarg;
break;
case 'h': case 'h':
usage(argv[0]); usage(argv[0]);
break; break;
@@ -162,10 +167,18 @@ int main(int argc, char *argv[])
} }
if (strcmp(op, "mount") == 0) { if (strcmp(op, "mount") == 0) {
if (mount(source, target, "ext2", flags, data) == -1) { if (!type) {
fprintf(stderr, "FAIL: mount %s on %s failed - %s\n", if (mount(source, target, "ext2", flags, data) == -1) {
source, target, strerror(errno)); fprintf(stderr, "FAIL: mount %s on %s failed - %s\n",
return errno; source, target, strerror(errno));
return errno;
}
} else {
if (mount(source, target, type, flags, data) == -1) {
fprintf(stderr, "FAIL: mount %s on %s failed - %s\n",
source, target, strerror(errno));
return errno;
}
} }
} else if (strcmp(op, "umount") == 0) { } else if (strcmp(op, "umount") == 0) {
if (umount(target) == -1) { if (umount(target) == -1) {

6
tests/regression/apparmor/mount.sh
View File

@@ -547,6 +547,12 @@ else
runchecktest "UMOUNT (confined cap umount:ALL)" pass umount ${loop_device} ${mount_point} runchecktest "UMOUNT (confined cap umount:ALL)" pass umount ${loop_device} ${mount_point}
remove_mnt remove_mnt
# https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1597017
# CVE-2016-1585
genprofile cap:sys_admin "mount:options=(rw,make-slave) -> **"
runchecktest "MOUNT (confined cap mount -> mntpnt, CVE-2016-1585)" fail mount -t proc proc ${mount_point}
remove_mnt
# MR:https://gitlab.com/apparmor/apparmor/-/merge_requests/1054 # MR:https://gitlab.com/apparmor/apparmor/-/merge_requests/1054
# https://bugs.launchpad.net/apparmor/+bug/2023814 # https://bugs.launchpad.net/apparmor/+bug/2023814
# https://bugzilla.opensuse.org/show_bug.cgi?id=1211989 # https://bugzilla.opensuse.org/show_bug.cgi?id=1211989