From: Gabriel Totev Date: Wed, 16 Apr 2025 22:42:08 +0000 (-0400) Subject: apparmor: shift ouid when mediating hard links in userns X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=c5bf96d20fd787e4909b755de4705d52f3458836;p=users%2Fjedix%2Flinux-maple.git apparmor: shift ouid when mediating hard links in userns When using AppArmor profiles inside an unprivileged container, the link operation observes an unshifted ouid. (tested with LXD and Incus) For example, root inside container and uid 1000000 outside, with `owner /root/link l,` profile entry for ln: /root$ touch chain && ln chain link ==> dmesg apparmor="DENIED" operation="link" class="file" namespace="root//lxd-feet_" profile="linkit" name="/root/link" pid=1655 comm="ln" requested_mask="l" denied_mask="l" fsuid=1000000 ouid=0 [<== should be 1000000] target="/root/chain" Fix by mapping inode uid of old_dentry in aa_path_link() rather than using it directly, similarly to how it's mapped in __file_path_perm() later in the file. Signed-off-by: Gabriel Totev Signed-off-by: John Johansen --- diff --git a/security/apparmor/file.c b/security/apparmor/file.c index 65e1d29af792f..5504059d6101e 100644 --- a/security/apparmor/file.c +++ b/security/apparmor/file.c @@ -430,9 +430,11 @@ int aa_path_link(const struct cred *subj_cred, { struct path link = { .mnt = new_dir->mnt, .dentry = new_dentry }; struct path target = { .mnt = new_dir->mnt, .dentry = old_dentry }; + struct inode *inode = d_backing_inode(old_dentry); + vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_idmap(target.mnt), inode); struct path_cond cond = { - d_backing_inode(old_dentry)->i_uid, - d_backing_inode(old_dentry)->i_mode + .uid = vfsuid_into_kuid(vfsuid), + .mode = inode->i_mode, }; char *buffer = NULL, *buffer2 = NULL; struct aa_profile *profile;