From: Dudu Lu Date: Mon, 13 Apr 2026 09:03:13 +0000 (+0800) Subject: apparmor: Fix wrong dentry in RENAME_EXCHANGE uid check X-Git-Tag: v7.1-rc1~32^2~2 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=ef78fdc4724190fbd4e66d80bcdf4d08045f5e98;p=thirdparty%2Fkernel%2Flinux.git apparmor: Fix wrong dentry in RENAME_EXCHANGE uid check In apparmor_path_rename(), when handling RENAME_EXCHANGE, the cond_exchange structure is supposed to carry the attributes of the *new* dentry (since it is used to authorize moving new_dentry to the old location). However, line 412 reads: vfsuid = i_uid_into_vfsuid(idmap, d_backing_inode(old_dentry)); This fetches the uid of old_dentry instead of new_dentry. As a result, the RENAME_EXCHANGE permission check uses the wrong file owner, which can allow a rename that should be denied (if old_dentry's owner has more privileges) or deny one that should be allowed. Note that cond_exchange.mode on the line above correctly uses new_dentry. Only the uid lookup is wrong. Fix by changing old_dentry to new_dentry in the i_uid_into_vfsuid call. Fixes: 5e26a01e56fd ("apparmor: use type safe idmapping helpers") Reviewed-by: Georgia Garcia Signed-off-by: Dudu Lu Signed-off-by: John Johansen --- diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 49b5e4f32983..467f7ac476aa 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -410,7 +410,7 @@ static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_d struct path_cond cond_exchange = { .mode = d_backing_inode(new_dentry)->i_mode, }; - vfsuid = i_uid_into_vfsuid(idmap, d_backing_inode(old_dentry)); + vfsuid = i_uid_into_vfsuid(idmap, d_backing_inode(new_dentry)); cond_exchange.uid = vfsuid_into_kuid(vfsuid); error = aa_path_perm(OP_RENAME_SRC, current_cred(),