#
c1ed5da1 |
|
26-Mar-2022 |
John Johansen <john.johansen@canonical.com> |
apparmor: allow label to carry debug flags Allow labels to have debug flags that can be used to trigger debug output only from profiles/labels that are marked. This can help reduce debug output by allowing debug to be target to a specific confinement condition. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
341c1fda |
|
14-Sep-2019 |
John Johansen <john.johansen@canonical.com> |
apparmor: make it so work buffers can be allocated from atomic context In some situations AppArmor needs to be able to use its work buffers from atomic context. Add the ability to specify when in atomic context and hold a set of work buffers in reserve for atomic context to reduce the chance that a large work buffer allocation will need to be done. Fixes: df323337e507 ("apparmor: Use a memory pool instead per-CPU caches") Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
df323337 |
|
03-May-2019 |
Sebastian Andrzej Siewior <bigeasy@linutronix.de> |
apparmor: Use a memory pool instead per-CPU caches The get_buffers() macro may provide one or two buffers to the caller. Those buffers are pre-allocated on init for each CPU. By default it allocates 2* 2 * MAX_PATH * POSSIBLE_CPU which equals 64KiB on a system with 4 CPUs or 1MiB with 64 CPUs and so on. Replace the per-CPU buffers with a common memory pool which is shared across all CPUs. The pool grows on demand and never shrinks. The pool starts with two (UP) or four (SMP) elements. By using this pool it is possible to request a buffer and keeping preemption enabled which avoids the hack in profile_transition(). It has been pointed out by Tetsuo Handa that GFP_KERNEL allocations for small amount of memory do not fail. In order not to have an endless retry, __GFP_RETRY_MAYFAIL is passed (so the memory allocation is not repeated until success) and retried once hoping that in the meantime a buffer has been returned to the pool. Since now NULL is possible all allocation paths check the buffer pointer and return -ENOMEM on failure. Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
b886d83c |
|
01-Jun-2019 |
Thomas Gleixner <tglx@linutronix.de> |
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation version 2 of the license extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 315 file(s). Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Allison Randal <allison@lohutok.net> Reviewed-by: Armijn Hemel <armijn@tjaldur.nl> Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190531190115.503150771@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
#
38125c2c |
|
04-May-2018 |
John Johansen <john.johansen@canonical.com> |
apparmor: improve get_buffers macro by using get_cpu_ptr Refactor get_buffers so the cpu_ptr can be obtained in the outer layer, instead of inside the macro. This also enables us to cleanup the code and use get_cpu_ptr, to handle the preempt_disable() Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
|
#
cf14f27f |
|
28-Mar-2018 |
Alexei Starovoitov <ast@kernel.org> |
macro: introduce COUNT_ARGS() macro move COUNT_ARGS() macro from apparmor to generic header and extend it to count till twelve. COUNT() was an alternative name for this logic, but it's used for different purpose in many other places. Similarly for CONCATENATE() macro. Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
|
#
4227c333 |
|
23-May-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: Move path lookup to using preallocated buffers Dynamically allocating buffers is problematic and is an extra layer that is a potntial point of failure and can slow down mediation. Change path lookup to use the preallocated per cpu buffers. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
72c8a768 |
|
22-May-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: allow profiles to provide info to disconnected paths Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
d4669f0b |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: add per cpu work buffers to avoid allocating buffers at every hook Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
2c7661ff |
|
25-Mar-2016 |
Al Viro <viro@zeniv.linux.org.uk> |
[apparmor] constify struct path * in a bunch of helpers Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
#
57fa1e18 |
|
16-Feb-2012 |
John Johansen <john.johansen@canonical.com> |
AppArmor: Move path failure information into aa_get_name and rename Move the path name lookup failure messages into the main path name lookup routine, as the information is useful in more than just aa_path_perm. Also rename aa_get_name to aa_path_name as it is not getting a reference counted object with a corresponding put fn. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
|
#
cdff2642 |
|
29-Jul-2010 |
John Johansen <john.johansen@canonical.com> |
AppArmor: misc. base functions and defines Miscellaneous functions and defines needed by AppArmor, including the base path resolution routines. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org>
|