#
2d9da9b1 |
|
09-Aug-2023 |
John Johansen <john.johansen@canonical.com> |
apparmor: allow restricting unprivileged change_profile Unprivileged unconfined can use change_profile to alter the confinement set by the mac admin. Allow restricting unprivileged unconfined by still allowing change_profile but stacking the change against unconfined. This allows unconfined to still apply system policy but allows the task to enter the new confinement. If unprivileged unconfined is required a sysctl is provided to switch to the previous behavior. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
98b824ff |
|
28-Apr-2023 |
John Johansen <john.johansen@canonical.com> |
apparmor: refcount the pdb With the move to permission tables the dfa is no longer a stand alone entity when used, needing a minimum of a permission table. However it still could be shared among different pdbs each using a different permission table. Instead of duping the permission table when sharing a pdb, add a refcount to the pdb so it can be easily shared. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
90c436a6 |
|
19-Sep-2022 |
John Johansen <john.johansen@canonical.com> |
apparmor: pass cred through to audit info. The cred is needed to properly audit some messages, and will be needed in the future for uid conditional mediation. So pass it through to where the apparmor_audit_data struct gets defined. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
efea5b0d |
|
07-Aug-2023 |
GONG, Ruiqi <gongruiqi1@huawei.com> |
apparmor: remove unused PROF_* macros The last usages of PROF_{ADD,REPLACE} were removed by commit 18e99f191a8e ("apparmor: provide finer control over policy management"). So remove these two unused macros. Signed-off-by: GONG, Ruiqi <gongruiqi1@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
9a0dbdbf |
|
25-Jul-2023 |
Xiu Jianfeng <xiujianfeng@huawei.com> |
apparmor: cleanup unused declarations in policy.h The implementations of these declarations do not exist, remove them all. Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
58f89ce5 |
|
03-Oct-2022 |
John Johansen <john.johansen@canonical.com> |
apparmor: refactor code that alloc null profiles Both unconfined and learning profiles use the null profile as their base. Refactor so they share a common base routine. This doesn't save much atm but will be important when the feature set of the parent is inherited. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
1ad22fcc |
|
05-Sep-2022 |
John Johansen <john.johansen@canonical.com> |
apparmor: rework profile->rules to be a list Convert profile->rules to a list as the next step towards supporting multiple rulesets in a profile. For this step only support a single list entry item. The logic for iterating the list will come as a separate step. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
217af7e2 |
|
29-Jul-2022 |
John Johansen <john.johansen@canonical.com> |
apparmor: refactor profile rules and attachments In preparation for moving from a single set of rules and a single attachment to multiple rulesets and attachments separate from the profile refactor attachment information and ruleset info into their own structures. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
fd1b2b95 |
|
26-Aug-2022 |
John Johansen <john.johansen@canonical.com> |
apparmor: add the ability for policy to specify a permission table Currently permissions are encoded in the dfa accept entries that are then mapped to an internal permission structure. This limits the permissions that userspace can specify, so allow userspace to directly specify the permission table. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
22fac8a0 |
|
17-Dec-2019 |
John Johansen <john.johansen@canonical.com> |
apparmor: add user mode flag Allow the profile to contain a user mode prompt flag. This works similar to complain mode but will try to send messages to a userspace daemon. If the daemon is not present or times out regular enforcement will occur. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
90917d5b |
|
16-Jul-2022 |
John Johansen <john.johansen@canonical.com> |
apparmor: extend permissions to support a label and tag string Add indexes for label and tag entries. Rename the domain table to the str_table as it's a shared string table with label and tags. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
33fc95d8 |
|
17-Jan-2022 |
John Johansen <john.johansen@canonical.com> |
apparmor: preparse for state being more than just an integer Convert from an unsigned int to a state_t for state position. This is a step in prepping for the state position carrying some additional flags, and a limited form of backtracking to support variables. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
e844fe9b |
|
16-Jul-2022 |
John Johansen <john.johansen@canonical.com> |
apparmor: convert policy lookup to use accept as an index Remap policydb dfa accept table from embedded perms to an index, and then move the perm lookup to use the accept entry as an index into the perm table. This is done so that the perm table can be separated from the dfa, allowing dfa accept to index to share expanded permission sets. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
048d4954 |
|
21-Nov-2020 |
John Johansen <john.johansen@canonical.com> |
apparmor: convert xmatch to using the new shared policydb struct Continue permission unification by converting xmatch to use the policydb struct that is used by the other profile dfas. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
53bdc46f |
|
19-Nov-2020 |
John Johansen <john.johansen@canonical.com> |
apparmor: combine file_rules and aa_policydb into a single shared struct file_rules and policydb are almost the same and will need the same features in the future so combine them. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
e2967ede |
|
17-Nov-2020 |
John Johansen <john.johansen@canonical.com> |
apparmor: compute policydb permission on profile load Rather than computing policydb permissions for each access, permissions can be computed once on profile load and stored for lookup. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
e48ffd24 |
|
13-Nov-2020 |
John Johansen <john.johansen@canonical.com> |
apparmor: convert xmatch to use aa_perms structure Convert xmatch from using perms encoded in the accept entry of the dfa to the common external aa_perms in a table. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
b5b57993 |
|
31-May-2020 |
Mike Salvatore <mike.salvatore@canonical.com> |
apparmor: compute xmatch permissions on profile load Rather than computing xmatch permissions each time access is requested, these permissions can be computed once on profile load and stored for lookup. Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
c1ed5da1 |
|
26-Mar-2022 |
John Johansen <john.johansen@canonical.com> |
apparmor: allow label to carry debug flags Allow labels to have debug flags that can be used to trigger debug output only from profiles/labels that are marked. This can help reduce debug output by allowing debug to be targeted to a specific confinement condition. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
2504db20 |
|
26-Mar-2022 |
John Johansen <john.johansen@canonical.com> |
apparmor: fix overlapping attachment computation When finding the profile via patterned attachments, the longest left match is being set to the static compile time value and not using the runtime computed value. Fix this by setting the candidate value to the greater of the precomputed value or runtime computed value. Fixes: 21f606610502 ("apparmor: improve overlapping domain attachment resolution") Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
92de220a |
|
30-Jun-2020 |
John Johansen <john.johansen@canonical.com> |
apparmor: update policy capable checks to use a label Previously the policy capable checks assumed they were using the current task. Make them take the task label so the query can be made against an arbitrary task. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
23375b13 |
|
26-May-2019 |
John Johansen <john.johansen@canonical.com> |
apparmor: fix PROFILE_MEDIATES for untrusted input While commit 11c236b89d7c2 ("apparmor: add a default null dfa") ensures every profile has a policy.dfa it does not resize the policy.start[] to have entries for every possible start value. Which means PROFILE_MEDIATES is not safe to use on untrusted input. Unfortunately commit b9590ad4c4f2 ("apparmor: remove POLICY_MEDIATES_SAFE") did not take into account the start value usage. The input string in profile_query_cb() is user controlled and is not properly checked to be within the limited start[] entries, even worse it can't be as userspace policy is allowed to make use of entry types the kernel does not know about. This means userspace can currently cause the kernel to access memory up to 240 entries beyond the start array bounds. Cc: stable@vger.kernel.org Fixes: b9590ad4c4f2 ("apparmor: remove POLICY_MEDIATES_SAFE") Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
b886d83c |
|
01-Jun-2019 |
Thomas Gleixner <tglx@linutronix.de> |
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation version 2 of the license extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 315 file(s). Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Allison Randal <allison@lohutok.net> Reviewed-by: Armijn Hemel <armijn@tjaldur.nl> Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190531190115.503150771@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
#
9caafbe2 |
|
24-May-2018 |
Matthew Garrett <mjg59@google.com> |
apparmor: Parse secmark policy Add support for parsing secmark policy provided by userspace, and store that in the overall policy. Signed-off-by: Matthew Garrett <mjg59@google.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
b9590ad4 |
|
03-Mar-2018 |
John Johansen <john.johansen@canonical.com> |
apparmor: remove POLICY_MEDIATES_SAFE The unpack code now makes sure every profile has a dfa so the safe version of POLICY_MEDIATES is no longer needed. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
56974a6f |
|
19-Jul-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: add base infastructure for socket mediation

version 2 - Force an abi break. Network mediation will only be available in v8 abi compliant policy.

Provide a basic mediation of sockets. This is not a full net mediation but just whether a specific family of socket can be used by an application, along with setting up some basic infrastructure for network mediation to follow.

The user space rules have the basic form of

  NETWORK RULE = [ QUALIFIERS ] 'network' [ DOMAIN ] [ TYPE | PROTOCOL ]

  DOMAIN = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' |
             'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'packet' | 'ash' | 'econet' |
             'atmsvc' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'bluetooth' | 'netlink' | 'unix' |
             'rds' | 'llc' | 'can' | 'tipc' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' |
             'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' | 'mpls' | 'ib' | 'kcm' ) ','

  TYPE = ( 'stream' | 'dgram' | 'seqpacket' | 'rdm' | 'raw' | 'packet' )

  PROTOCOL = ( 'tcp' | 'udp' | 'icmp' )

eg.
  network,
  network inet,

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
|
#
73f488cd |
|
12-Dec-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: convert attaching profiles via xattrs to use dfa matching

This converts profile attachment based on xattrs to a fixed extended conditional using dfa matching.

This has a couple of advantages
- pattern matching can be used for the xattr match
- xattrs can be optional for an attachment or marked as required
- the xattr attachment conditional will be able to be combined with other extended conditionals when the flexible extended conditional work lands.

The xattr fixed extended conditional is appended to the xmatch conditional. If an xattr attachment is specified the profile xmatch will be generated regardless of whether there is a pattern match on the executable name.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
|
#
8e51f908 |
|
08-Feb-2018 |
Matthew Garrett <mjg59@google.com> |
apparmor: Add support for attaching profiles via xattr, presence and value Make it possible to tie Apparmor profiles to the presence of one or more extended attributes, and optionally their values. An example usecase for this is to automatically transition to a more privileged Apparmor profile if an executable has a valid IMA signature, which can then be appraised by the IMA subsystem. Signed-off-by: Matthew Garrett <mjg59@google.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
80c094a4 |
|
26-Oct-2017 |
Linus Torvalds <torvalds@linux-foundation.org> |
Revert "apparmor: add base infastructure for socket mediation" This reverts commit 651e28c5537abb39076d3949fb7618536f1d242e. This caused a regression: "The specific problem is that dnsmasq refuses to start on openSUSE Leap 42.2. The specific cause is that an attempt to open a PF_LOCAL socket gets EACCES. This means that networking doesn't function on a system with a 4.14-rc2 system." Sadly, the developers involved seemed to be in denial for several weeks about this, delaying the revert. This has not been a good release for the security subsystem, and this area needs to change development practices. Reported-and-bisected-by: James Bottomley <James.Bottomley@hansenpartnership.com> Tracked-by: Thorsten Leemhuis <regressions@leemhuis.info> Cc: John Johansen <john.johansen@canonical.com> Cc: Vlastimil Babka <vbabka@suse.cz> Cc: Seth Arnold <seth.arnold@canonical.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
#
651e28c5 |
|
19-Jul-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: add base infastructure for socket mediation

Provide a basic mediation of sockets. This is not a full net mediation but just whether a specific family of socket can be used by an application, along with setting up some basic infrastructure for network mediation to follow.

The user space rules have the basic form of

  NETWORK RULE = [ QUALIFIERS ] 'network' [ DOMAIN ] [ TYPE | PROTOCOL ]

  DOMAIN = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' |
             'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'packet' | 'ash' | 'econet' |
             'atmsvc' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'bluetooth' | 'netlink' | 'unix' |
             'rds' | 'llc' | 'can' | 'tipc' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' |
             'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' | 'mpls' | 'ib' | 'kcm' ) ','

  TYPE = ( 'stream' | 'dgram' | 'seqpacket' | 'rdm' | 'raw' | 'packet' )

  PROTOCOL = ( 'tcp' | 'udp' | 'icmp' )

eg.
  network,
  network inet,

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
|
#
637f688d |
|
09-Jun-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: switch from profiles to using labels on contexts Begin the actual switch to using domain labels by storing them on the context and converting the label to a singular profile where possible. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
b5b2557c |
|
29-May-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: add fn to test if profile supports a given mediation class Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
18e99f19 |
|
26-May-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: provide finer control over policy management Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
fc7e0b26 |
|
26-May-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: move permissions into their own file to be more easily shared Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
72c8a768 |
|
22-May-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: allow profiles to provide info to disconnected paths Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
e025be0f |
|
15-Jan-2017 |
William Hua <william.hua@canonical.com> |
apparmor: support querying extended trusted helper extra data Allow a profile to carry extra data that can be queried via userspace. This provides a means to store extra data in a profile that a trusted helper can extract and use from live policy. Signed-off-by: William Hua <william.hua@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
47f6e5cc |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: change op from int to const char * Having ops be an integer that is an index into an op name table is awkward and brittle. Every op change requires an edit for both the op constant and a string in the table. Instead switch to using const strings directly, eliminating the need for the table that needs to be kept in sync. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
12dd7171 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: pass the subject profile into profile replace/remove This is just setup for new ns specific .load, .replace, .remove interface files. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
5ac8c355 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: allow introspecting the loaded policy pre internal transform Store loaded policy and allow introspecting it through apparmorfs. This has several uses from debugging, policy validation, and policy checkpoint and restore for containers. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
078c73c6 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: add profile and ns params to aa_may_manage_policy() Policy management will be expanded beyond traditional unconfined root. This will require knowing the profile of the task doing the management and the ns view. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
fd2a8043 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: add ns being viewed as a param to policy_admin_capable() Prepare for a tighter pairing of user namespaces and apparmor policy namespaces, by making the ns to be viewed available. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
2bd8dbbf |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: add ns being viewed as a param to policy_view_capable() Prepare for a tighter pairing of user namespaces and apparmor policy namespaces, by making the ns to be viewed available and checking that the user namespace level is the same as the policy ns level. This strict pairing will be relaxed once true support of user namespaces lands. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
b79473f2 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: Make aa_remove_profile() callable from a different view This is prep work for fs operations being able to remove namespaces. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
181f7c97 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: name null-XXX profiles after the executable When possible it's better to name a learning profile after the missing profile in question. This allows for both more informative names and for profile reuse. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
30b026a8 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: pass gfp_t parameter into profile allocation Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
73688d1e |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: refactor prepare_ns() and make usable from different views prepare_ns() will need to be called from alternate views, and namespaces will need to be created via different interfaces. So refactor and allow specifying the view ns. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
31617ddf |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: add fn to lookup profiles by fqname Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
1741e9eb |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: add strn version of lookup_profile fn Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
8399588a |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: rename replacedby to proxy Proxy is shorter and a better fit than replaceby, so rename it. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
d97d51d2 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: rename PFLAG_INVALID to PFLAG_STALE Invalid does not convey the meaning of the flag anymore so rename it. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
98849dff |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: rename namespace to ns to improve code line lengths Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
cff281f6 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: split apparmor policy namespaces code into its own file Policy namespaces will be diverging from profile management and expanding so put it in its own file. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
fe6bb31f |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: split out shared policy_XXX fns to lib Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
12557dcb |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: move lib definitions into separate lib include Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
6b1ffa06 |
|
14-Nov-2016 |
Peter Zijlstra <peterz@infradead.org> |
locking/atomic, kref: Use kref_get_unless_zero() more For some obscure reason apparmor thinks it needs to locally implement kref primitives that already exist. Stop doing this. Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: linux-kernel@vger.kernel.org Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
#
58acf9d9 |
|
22-Jun-2016 |
John Johansen <john.johansen@canonical.com> |
apparmor: fix module parameters can be changed after policy is locked The policy_lock parameter is a one way switch that prevents policy from being further modified. Unfortunately some of the module parameters can effectively modify policy by turning off enforcement. Split policy_admin_capable into a view check and a full admin check, and update the admin check to test the policy_lock parameter. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
4cd4fc77 |
|
29-Sep-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: fix suspicious RCU usage warning in policy.c/policy.h

The recent 3.12 pull request for apparmor was missing a couple rcu _protected access modifiers. Resulting in the following suspicious RCU usage

 [ 29.804534] [ INFO: suspicious RCU usage. ]
 [ 29.804539] 3.11.0+ #5 Not tainted
 [ 29.804541] -------------------------------
 [ 29.804545] security/apparmor/include/policy.h:363 suspicious rcu_dereference_check() usage!
 [ 29.804548]
 [ 29.804548] other info that might help us debug this:
 [ 29.804548]
 [ 29.804553]
 [ 29.804553] rcu_scheduler_active = 1, debug_locks = 1
 [ 29.804558] 2 locks held by apparmor_parser/1268:
 [ 29.804560] #0: (sb_writers#9){.+.+.+}, at: [<ffffffff81120a4c>] file_start_write+0x27/0x29
 [ 29.804576] #1: (&ns->lock){+.+.+.}, at: [<ffffffff811f5d88>] aa_replace_profiles+0x166/0x57c
 [ 29.804589]
 [ 29.804589] stack backtrace:
 [ 29.804595] CPU: 0 PID: 1268 Comm: apparmor_parser Not tainted 3.11.0+ #5
 [ 29.804599] Hardware name: ASUSTeK Computer Inc. UL50VT /UL50VT , BIOS 217 03/01/2010
 [ 29.804602] 0000000000000000 ffff8800b95a1d90 ffffffff8144eb9b ffff8800b94db540
 [ 29.804611] ffff8800b95a1dc0 ffffffff81087439 ffff880138cc3a18 ffff880138cc3a18
 [ 29.804619] ffff8800b9464a90 ffff880138cc3a38 ffff8800b95a1df0 ffffffff811f5084
 [ 29.804628] Call Trace:
 [ 29.804636] [<ffffffff8144eb9b>] dump_stack+0x4e/0x82
 [ 29.804642] [<ffffffff81087439>] lockdep_rcu_suspicious+0xfc/0x105
 [ 29.804649] [<ffffffff811f5084>] __aa_update_replacedby+0x53/0x7f
 [ 29.804655] [<ffffffff811f5408>] __replace_profile+0x11f/0x1ed
 [ 29.804661] [<ffffffff811f6032>] aa_replace_profiles+0x410/0x57c
 [ 29.804668] [<ffffffff811f16d4>] profile_replace+0x35/0x4c
 [ 29.804674] [<ffffffff81120fa3>] vfs_write+0xad/0x113
 [ 29.804680] [<ffffffff81121609>] SyS_write+0x44/0x7a
 [ 29.804687] [<ffffffff8145bfd2>] system_call_fastpath+0x16/0x1b
 [ 29.804691]
 [ 29.804694] ===============================
 [ 29.804697] [ INFO: suspicious RCU usage. ]
 [ 29.804700] 3.11.0+ #5 Not tainted
 [ 29.804703] -------------------------------
 [ 29.804706] security/apparmor/policy.c:566 suspicious rcu_dereference_check() usage!
 [ 29.804709]
 [ 29.804709] other info that might help us debug this:
 [ 29.804709]
 [ 29.804714]
 [ 29.804714] rcu_scheduler_active = 1, debug_locks = 1
 [ 29.804718] 2 locks held by apparmor_parser/1268:
 [ 29.804721] #0: (sb_writers#9){.+.+.+}, at: [<ffffffff81120a4c>] file_start_write+0x27/0x29
 [ 29.804733] #1: (&ns->lock){+.+.+.}, at: [<ffffffff811f5d88>] aa_replace_profiles+0x166/0x57c
 [ 29.804744]
 [ 29.804744] stack backtrace:
 [ 29.804750] CPU: 0 PID: 1268 Comm: apparmor_parser Not tainted 3.11.0+ #5
 [ 29.804753] Hardware name: ASUSTeK Computer Inc. UL50VT /UL50VT , BIOS 217 03/01/2010
 [ 29.804756] 0000000000000000 ffff8800b95a1d80 ffffffff8144eb9b ffff8800b94db540
 [ 29.804764] ffff8800b95a1db0 ffffffff81087439 ffff8800b95b02b0 0000000000000000
 [ 29.804772] ffff8800b9efba08 ffff880138cc3a38 ffff8800b95a1dd0 ffffffff811f4f94
 [ 29.804779] Call Trace:
 [ 29.804786] [<ffffffff8144eb9b>] dump_stack+0x4e/0x82
 [ 29.804791] [<ffffffff81087439>] lockdep_rcu_suspicious+0xfc/0x105
 [ 29.804798] [<ffffffff811f4f94>] aa_free_replacedby_kref+0x4d/0x62
 [ 29.804804] [<ffffffff811f4f47>] ? aa_put_namespace+0x17/0x17
 [ 29.804810] [<ffffffff811f4f0b>] kref_put+0x36/0x40
 [ 29.804816] [<ffffffff811f5423>] __replace_profile+0x13a/0x1ed
 [ 29.804822] [<ffffffff811f6032>] aa_replace_profiles+0x410/0x57c
 [ 29.804829] [<ffffffff811f16d4>] profile_replace+0x35/0x4c
 [ 29.804835] [<ffffffff81120fa3>] vfs_write+0xad/0x113
 [ 29.804840] [<ffffffff81121609>] SyS_write+0x44/0x7a
 [ 29.804847] [<ffffffff8145bfd2>] system_call_fastpath+0x16/0x1b

Reported-by: miles.lane@gmail.com
CC: paulmck@linux.vnet.ibm.com
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
|
#
f8eb8a13 |
|
14-Aug-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: add the ability to report a sha1 hash of loaded policy Provide userspace the ability to introspect a sha1 hash value for each profile currently loaded. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
|
#
556d0be7 |
|
10-Jul-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: add an optional profile attachment string for profiles Add the ability to take in and report a human readable profile attachment string for profiles so that attachment specifications can be easily inspected. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
|
#
0d259f04 |
|
10-Jul-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: add interface files for profiles and namespaces Add basic interface files to access namespace and profile information. The interface files are created when a profile is loaded and removed when the profile or namespace is removed. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
03816507 |
|
10-Jul-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: allow setting any profile into the unconfined state Allow emulating the default profile behavior from boot, by allowing loading of a profile in the unconfined state into a new NS. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
|
#
8651e1d6 |
|
10-Jul-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: make free_profile available outside of policy.c Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
742058b0 |
|
10-Jul-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: rework namespace free path Namespaces now completely use the unconfined profile to track the refcount and rcu freeing cycle. So rework the code to simplify (track everything through the profile path right up to the end), and move the rcu_head from policy base to profile as the namespace no longer needs it. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
|
#
fa2ac468 |
|
10-Jul-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: update how unconfined is handled ns->unconfined is being used read side without locking, nor rcu but is being updated when a namespace is removed. This works for the root ns which is never removed but has a race window and can cause failures when children namespaces are removed. Also ns and ns->unconfined have a circular refcounting dependency that is problematic and must be broken. Currently this is done incorrectly when the namespace is destroyed. Fix this by forward referencing unconfined via the replacedby infrastructure instead of directly updating the ns->unconfined pointer. Remove the circular refcount dependency by making the ns and its unconfined profile share the same refcount. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
|
#
77b071b3 |
|
10-Jul-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: change how profile replacement update is done Remove the use of replaced by chaining and move to profile invalidation and lookup to handle task replacement. Replacement chaining can result in large chains of profiles being pinned in memory when one profile in the chain is in use. With implicit labeling this will be even more of a problem, so move to a direct lookup method. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
01e2b670 |
|
10-Jul-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: convert profile lists to RCU based locking Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
a4987857 |
|
18-Feb-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: remove sid from profiles The sid is not going to be a direct property of a profile anymore, instead it will be directly related to the label, and the profile will pickup a label back reference. For null-profiles replace the use of sid with a per namespace unique id. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
|
#
50c5ecd5 |
|
18-Feb-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: refactor profile mode macros Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <sbeattie@ubuntu.com>
|
#
2d4cee7e |
|
14-Mar-2012 |
Jan Engelhardt <jengelh@medozas.de> |
AppArmor: add const qualifiers to string arrays Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
ad5ff3db |
|
16-Feb-2012 |
John Johansen <john.johansen@canonical.com> |
AppArmor: Add ability to load extended policy Add the base support for the new policy extensions. This does not bring any additional functionality, or change current semantics. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
|
#
c88d4c7b |
|
29-Jul-2010 |
John Johansen <john.johansen@canonical.com> |
AppArmor: core policy routines

The basic routines and defines for AppArmor policy. AppArmor policy is defined by a few basic components.

  profiles - the basic unit of confinement contain all the information to enforce policy on a task

    Profiles tend to be named after an executable that they will attach to but this is not required.

  namespaces - a container for a set of profiles that will be used during attachment and transitions between profiles.

  sids - which provide a unique id for each profile

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
|