| Revision | Date | Author | Commit message |
|---|---|---|---|
| fee5304a | 10-Aug-2023 | Xiu Jianfeng <xiujianfeng@huawei.com> | apparmor: remove unused functions in policy_ns.c/.h These functions are not used now, remove them. Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com> |
| 95c0581f | 24-May-2022 | John Johansen <john.johansen@canonical.com> | apparmor: add a kernel label to use on kernel objects Separate kernel objects from unconfined. This is done so we can distinguish between the two in debugging, auditing and in preparation for being able to replace unconfined, which is not appropriate for the kernel. The kernel label will continue to behave similar to unconfined. Acked-by: Jon Tourville <jon.tourville@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> |
| b886d83c | 01-Jun-2019 | Thomas Gleixner <tglx@linutronix.de> | treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation version 2 of the license extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 315 file(s). Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Allison Randal <allison@lohutok.net> Reviewed-by: Armijn Hemel <armijn@tjaldur.nl> Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190531190115.503150771@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| 637f688d | 09-Jun-2017 | John Johansen <john.johansen@canonical.com> | apparmor: switch from profiles to using labels on contexts Begin the actual switch to using domain labels by storing them on the context and converting the label to a singular profile where possible. Signed-off-by: John Johansen <john.johansen@canonical.com> |
| 3664268f | 02-Jun-2017 | John Johansen <john.johansen@canonical.com> | apparmor: add namespace lookup fns() Currently lookups are restricted to a single ns component in the path. However when namespaces are allowed to have separate views, and scopes this will not be sufficient, as it will be possible to have a multiple component ns path in scope. Add some ns lookup fns() to allow this and use them. Signed-off-by: John Johansen <john.johansen@canonical.com> |
| d9bf2c26 | 26-May-2017 | John Johansen <john.johansen@canonical.com> | apparmor: add policy revision file interface Add a policy revision file to find the current revision of a ns's policy. There is a revision file per ns, as well as a virtualized global revision file in the base apparmor fs directory. The global revision file when opened will provide the revision of the opening task namespace. The revision file can be waited on via select/poll to detect apparmor policy changes from the last read revision of the opened file. This means that the revision file must be read after the select/poll otherwise update data will remain ready for reading. Signed-off-by: John Johansen <john.johansen@canonical.com> |
| 5d5182ca | 09-May-2017 | John Johansen <john.johansen@canonical.com> | apparmor: move to per loaddata files, instead of replicating in profiles The loaddata sets cover more than just a single profile and should be tracked at the ns level. Move the load data files under the namespace and reference the files from the profiles via a symlink. Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Seth Arnold <seth.arnold@canonical.com> Reviewed-by: Kees Cook <keescook@chromium.org> |
| a71ada30 | 16-Jan-2017 | John Johansen <john.johansen@canonical.com> | apparmor: add special .null file used to "close" fds at exec Borrow the special null device file from selinux to "close" fds that don't have sufficient permissions at exec time. Signed-off-by: John Johansen <john.johansen@canonical.com> |
| 73688d1e | 16-Jan-2017 | John Johansen <john.johansen@canonical.com> | apparmor: refactor prepare_ns() and make usable from different views prepare_ns() will need to be called from alternate views, and namespaces will need to be created via different interfaces. So refactor and allow specifying the view ns. Signed-off-by: John Johansen <john.johansen@canonical.com> |
| 92b6d8ef | 16-Jan-2017 | John Johansen <john.johansen@canonical.com> | apparmor: allow ns visibility question to consider subnses Signed-off-by: John Johansen <john.johansen@canonical.com> |
| 31617ddf | 16-Jan-2017 | John Johansen <john.johansen@canonical.com> | apparmor: add fn to lookup profiles by fqname Signed-off-by: John Johansen <john.johansen@canonical.com> |
| 9a2d40c1 | 16-Jan-2017 | John Johansen <john.johansen@canonical.com> | apparmor: add strn version of aa_find_ns Signed-off-by: John Johansen <john.johansen@canonical.com> |
| 98849dff | 16-Jan-2017 | John Johansen <john.johansen@canonical.com> | apparmor: rename namespace to ns to improve code line lengths Signed-off-by: John Johansen <john.johansen@canonical.com> |
| cff281f6 | 16-Jan-2017 | John Johansen <john.johansen@canonical.com> | apparmor: split apparmor policy namespaces code into its own file Policy namespaces will be diverging from profile management and expanding so put it in its own file. Signed-off-by: John Johansen <john.johansen@canonical.com> |