diff options
| author | Dudu Lu <phx0fer@gmail.com> | 2026-04-13 17:03:13 +0800 |
|---|---|---|
| committer | John Johansen <john.johansen@canonical.com> | 2026-04-22 20:08:09 -0700 |
| commit | ef78fdc4724190fbd4e66d80bcdf4d08045f5e98 (patch) | |
| tree | 2551dc7ba2fb1e5c6a8db55206fc049f49a56c21 /include/linux/timerqueue.h | |
| parent | 72971e6f745ad5c366629b0affbe3a6b619dcd8b (diff) | |
apparmor: Fix wrong dentry in RENAME_EXCHANGE uid check
In apparmor_path_rename(), when handling RENAME_EXCHANGE, the
cond_exchange structure is supposed to carry the attributes of the
*new* dentry (since it is used to authorize moving new_dentry to the
old location). However, line 412 reads:
vfsuid = i_uid_into_vfsuid(idmap, d_backing_inode(old_dentry));
This fetches the uid of old_dentry instead of new_dentry. As a result,
the RENAME_EXCHANGE permission check uses the wrong file owner, which
can allow a rename that should be denied (if old_dentry's owner has
more privileges) or deny one that should be allowed.
Note that cond_exchange.mode on the line above correctly uses
new_dentry. Only the uid lookup is wrong.
Fix by changing old_dentry to new_dentry in the i_uid_into_vfsuid call.
Fixes: 5e26a01e56fd ("apparmor: use type safe idmapping helpers")
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: Dudu Lu <phx0fer@gmail.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'include/linux/timerqueue.h')
0 files changed, 0 insertions, 0 deletions