diff --git a/debian/changelog b/debian/changelog index 6ae12bb82..a8b230fad 100644 --- a/debian/changelog +++ b/debian/changelog @@ -6,6 +6,7 @@ linux-2.6 (3.2.14-2) UNRELEASED; urgency=low * [x86] drm/i915: mask transcoder select bits before setting them on LVDS * [armhf/mx5,mipsel/loongson-2f] input: Enable INPUT_TOUCHSCREEN (Closes: #668036) + * TOMOYO: Fix mount flags checking order. [ Jonathan Nieder ] * [x86] ioat: fix size of 'completion' for Xen (Closes: #660554) diff --git a/debian/patches/bugfix/all/TOMOYO-Fix-mount-flags-checking-order.patch b/debian/patches/bugfix/all/TOMOYO-Fix-mount-flags-checking-order.patch new file mode 100644 index 000000000..8c38e6b84 --- /dev/null +++ b/debian/patches/bugfix/all/TOMOYO-Fix-mount-flags-checking-order.patch @@ -0,0 +1,89 @@ +From: Tetsuo Handa +Date: Wed, 29 Feb 2012 21:53:22 +0900 +Subject: [PATCH] TOMOYO: Fix mount flags checking order. + +commit df91e49477a9be15921cb2854e1d12a3bdb5e425 upstream. + +Userspace can pass in arbitrary combinations of MS_* flags to mount(). + +If both MS_BIND and one of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE are +passed, device name which should be checked for MS_BIND was not checked because +MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE had higher priority than MS_BIND. + +If both one of MS_BIND/MS_MOVE and MS_REMOUNT are passed, device name which +should not be checked for MS_REMOUNT was checked because MS_BIND/MS_MOVE had +higher priority than MS_REMOUNT. + +Fix these bugs by changing priority to MS_REMOUNT -> MS_BIND -> +MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE -> MS_MOVE as with do_mount() does. + +Also, unconditionally return -EINVAL if more than one of +MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE is passed so that TOMOYO will not +generate inaccurate audit logs, for commit 7a2e8a8f "VFS: Sanity check mount +flags passed to change_mnt_propagation()" clarified that these flags must be +exclusively passed. + +Signed-off-by: Tetsuo Handa +Signed-off-by: James Morris +--- + security/tomoyo/mount.c | 38 ++++++++++++++++++++------------------ + 1 file changed, 20 insertions(+), 18 deletions(-) + +diff --git a/security/tomoyo/mount.c b/security/tomoyo/mount.c +index bee09d0..fe00cdf 100644 +--- a/security/tomoyo/mount.c ++++ b/security/tomoyo/mount.c +@@ -199,30 +199,32 @@ int tomoyo_mount_permission(char *dev_name, struct path *path, + if (flags & MS_REMOUNT) { + type = tomoyo_mounts[TOMOYO_MOUNT_REMOUNT]; + flags &= ~MS_REMOUNT; +- } +- if (flags & MS_MOVE) { +- type = tomoyo_mounts[TOMOYO_MOUNT_MOVE]; +- flags &= ~MS_MOVE; +- } +- if (flags & MS_BIND) { ++ } else if (flags & MS_BIND) { + type = tomoyo_mounts[TOMOYO_MOUNT_BIND]; + flags &= ~MS_BIND; +- } +- if (flags & MS_UNBINDABLE) { +- type = tomoyo_mounts[TOMOYO_MOUNT_MAKE_UNBINDABLE]; +- flags &= ~MS_UNBINDABLE; +- } +- if (flags & MS_PRIVATE) { ++ } else if (flags & MS_SHARED) { ++ if (flags & (MS_PRIVATE | MS_SLAVE | MS_UNBINDABLE)) ++ return -EINVAL; ++ type = tomoyo_mounts[TOMOYO_MOUNT_MAKE_SHARED]; ++ flags &= ~MS_SHARED; ++ } else if (flags & MS_PRIVATE) { ++ if (flags & (MS_SHARED | MS_SLAVE | MS_UNBINDABLE)) ++ return -EINVAL; + type = tomoyo_mounts[TOMOYO_MOUNT_MAKE_PRIVATE]; + flags &= ~MS_PRIVATE; +- } +- if (flags & MS_SLAVE) { ++ } else if (flags & MS_SLAVE) { ++ if (flags & (MS_SHARED | MS_PRIVATE | MS_UNBINDABLE)) ++ return -EINVAL; + type = tomoyo_mounts[TOMOYO_MOUNT_MAKE_SLAVE]; + flags &= ~MS_SLAVE; +- } +- if (flags & MS_SHARED) { +- type = tomoyo_mounts[TOMOYO_MOUNT_MAKE_SHARED]; +- flags &= ~MS_SHARED; ++ } else if (flags & MS_UNBINDABLE) { ++ if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE)) ++ return -EINVAL; ++ type = tomoyo_mounts[TOMOYO_MOUNT_MAKE_UNBINDABLE]; ++ flags &= ~MS_UNBINDABLE; ++ } else if (flags & MS_MOVE) { ++ type = tomoyo_mounts[TOMOYO_MOUNT_MOVE]; ++ flags &= ~MS_MOVE; + } + if (!type) + type = ""; +-- +1.7.9.5 + diff --git a/debian/patches/series/base b/debian/patches/series/base index 44b542e8c..4ea07c025 100644 --- a/debian/patches/series/base +++ b/debian/patches/series/base @@ -94,3 +94,4 @@ + bugfix/all/net-fix-proc-net-dev-regression.patch + bugfix/arm/ARM-orion5x-Fix-GPIO-enable-bits-for-MPP9.patch + bugfix/x86/drm-i915-mask-transcoder-select-bits-before-setting-.patch ++ bugfix/all/TOMOYO-Fix-mount-flags-checking-order.patch