apparmor: shift uid when mediating af_unix in userns
authorGabriel Totev <gabriel.totev@zetier.com>
Wed, 16 Apr 2025 22:42:09 +0000 (18:42 -0400)
committerJohn Johansen <john.johansen@canonical.com>
Sun, 20 Jul 2025 09:19:27 +0000 (02:19 -0700)
Avoid unshifted ouids (inode owner uids not mapped through the mount's idmap)
for socket file operations, as observed when using AppArmor profiles in
unprivileged containers with LXD or Incus.

For example, root inside container and uid 1000000 outside, with
`owner /root/sock rw,` profile entry for nc:

/root$ nc -lkU sock & nc -U sock
==> dmesg
apparmor="DENIED" operation="connect" class="file"
namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="sockit"
name="/root/sock" pid=3924 comm="nc" requested_mask="wr" denied_mask="wr"
fsuid=1000000 ouid=0 [<== should be 1000000]

Fix by performing uid mapping as per common_perm_cond() in lsm.c

Signed-off-by: Gabriel Totev <gabriel.totev@zetier.com>
Fixes: c05e705812d1 ("apparmor: add fine grained af_unix mediation")
Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/af_unix.c

index 257648a13bf83547bbd33d02044159a03ea18732..c4e722605fcdc28f0a379b7fd6257c881465051e 100644 (file)
@@ -12,6 +12,7 @@
  * License.
  */
 
+#include <linux/fs.h>
 #include <net/tcp_states.h>
 
 #include "include/audit.h"
@@ -44,8 +45,11 @@ static int unix_fs_perm(const char *op, u32 mask, const struct cred *subj_cred,
         */
        if (path->dentry) {
                /* the sunpath may not be valid for this ns so use the path */
-               struct path_cond cond = { path->dentry->d_inode->i_uid,
-                                         path->dentry->d_inode->i_mode
+               struct inode *inode = path->dentry->d_inode;
+               vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_idmap(path->mnt), inode);
+               struct path_cond cond = {
+                       .uid = vfsuid_into_kuid(vfsuid),
+                       .mode = inode->i_mode,
                };
 
                return aa_path_perm(op, subj_cred, label, path,
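Review bot: The new `mnt_idmap(path->mnt)` call assumes `path->mnt` is valid whenever `path->dentry` is, but the guard two lines above tests only `path->dentry`; if a unix socket path can ever carry a dentry without a mount (I cannot confirm from this hunk), `mnt_idmap()` would dereference NULL, so the invariant is worth stating or checking. The mapping itself is also uncommented next to an existing why-comment about sunpath, so a reader will not know why the raw `i_uid` is no longer used: I would add above the `vfsuid_t` line `/* map the owner uid through the mount's idmap so owner rules see the same uid as fsuid inside the userns (cf. common_perm_cond()) */`. The description cites common_perm_cond() as the model; if that helper reaches the inode through `d_backing_inode(path->dentry)` rather than `->d_inode`, consider using the same accessor here for consistency. unix_fs_perm() starts before this hunk and the `aa_path_perm()` call on the last line continues past it.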