1af5aa82 | 27-Nov-2023 | Fedor Pchelkin <pchelkin@ispras.ru>

apparmor: free the allocated pdb objects

policy_db objects are allocated with kzalloc() inside aa_alloc_pdb() and are not cleared in the corresponding aa_free_pdb() function, causing a leak:

    unreferenced object 0xffff88801f0a1400 (size 192):
      comm "apparmor_parser", pid 1247, jiffies 4295122827 (age 2306.399s)
      hex dump (first 32 bytes):
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      backtrace:
        [<ffffffff81ddc612>] __kmem_cache_alloc_node+0x1e2/0x2d0
        [<ffffffff81c47c55>] kmalloc_trace+0x25/0xc0
        [<ffffffff83eb9a12>] aa_alloc_pdb+0x82/0x140
        [<ffffffff83ec4077>] unpack_pdb+0xc7/0x2700
        [<ffffffff83ec6b10>] unpack_profile+0x450/0x4960
        [<ffffffff83ecc129>] aa_unpack+0x309/0x15e0
        [<ffffffff83ebdb23>] aa_replace_profiles+0x213/0x33c0
        [<ffffffff83e8d341>] policy_update+0x261/0x370
        [<ffffffff83e8d66e>] profile_replace+0x20e/0x2a0
        [<ffffffff81eadfaf>] vfs_write+0x2af/0xe00
        [<ffffffff81eaf4c6>] ksys_write+0x126/0x250
        [<ffffffff890fa0b6>] do_syscall_64+0x46/0xf0
        [<ffffffff892000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76

Free the pdbs inside aa_free_pdb(). While at it, rename the variable representing an aa_policydb object to make the function more unified with aa_pdb_free_kref() and aa_alloc_pdb().

Found by Linux Verification Center (linuxtesting.org).

Fixes: 98b824ff8984 ("apparmor: refcount the pdb")
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: John Johansen <john.johansen@canonical.com>

6cede101 | 22-Oct-2023 | Yang Li <yang.lee@linux.alibaba.com>

apparmor: Fix some kernel-doc comments

Fix some kernel-doc comments to silence the warnings:

    security/apparmor/policy.c:117: warning: Function parameter or member 'kref' not described in 'aa_pdb_free_kref'
    security/apparmor/policy.c:117: warning: Excess function parameter 'kr' description in 'aa_pdb_free_kref'
    security/apparmor/policy.c:882: warning: Function parameter or member 'subj_cred' not described in 'aa_may_manage_policy'

Reported-by: Abaci Robot <abaci@linux.alibaba.com>
Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=7037
Signed-off-by: Yang Li <yang.lee@linux.alibaba.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

2d9da9b1 | 09-Aug-2023 | John Johansen <john.johansen@canonical.com>

apparmor: allow restricting unprivileged change_profile

Unprivileged unconfined can use change_profile to alter the confinement set by the mac admin. Allow restricting unprivileged unconfined by still allowing change_profile but stacking the change against unconfined. This allows unconfined to still apply system policy but allows the task to enter the new confinement.

If unprivileged unconfined is required, a sysctl is provided to switch to the previous behavior.

Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

98b824ff | 28-Apr-2023 | John Johansen <john.johansen@canonical.com>

apparmor: refcount the pdb

With the move to permission tables the dfa is no longer a stand-alone entity when used, needing a minimum of a permission table. However it still could be shared among different pdbs each using a different permission table.

Instead of duping the permission table when sharing a pdb, add a refcount to the pdb so it can be easily shared.

Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

90c436a6 | 19-Sep-2022 | John Johansen <john.johansen@canonical.com>

apparmor: pass cred through to audit info.

The cred is needed to properly audit some messages, and will be needed in the future for uid conditional mediation. So pass it through to where the apparmor_audit_data struct gets defined.

Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

d20f5a1a | 19-Sep-2022 | John Johansen <john.johansen@canonical.com>

apparmor: rename audit_data->label to audit_data->subj_label

Rename audit_data's label field to subj_label to better reflect its use. Also at the same time drop unneeded assignments to ->subj_label as the later call to aa_check_perms will do the assignment if needed.

Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

bd7bd201 | 14-Sep-2022 | John Johansen <john.johansen@canonical.com>

apparmor: combine common_audit_data and apparmor_audit_data

Everywhere common_audit_data is used, apparmor audit_data is also used. We can simplify the code and drop the use of the aad macro everywhere by combining the two structures.

Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

8884ba07 | 21-Aug-2023 | Georgia Garcia <georgia.garcia@canonical.com>

apparmor: fix invalid reference on profile->disconnected

profile->disconnected was storing an invalid reference to the disconnected path. Fix it by duplicating the string using aa_unpack_strdup and freeing accordingly.

Fixes: 72c8a768641d ("apparmor: allow profiles to provide info to disconnected paths")
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

25ff0ff2 | 24-Jun-2023 | Gaosheng Cui <cuigaosheng1@huawei.com>

apparmor: Fix kernel-doc warnings in apparmor/policy.c

Fix kernel-doc warnings:

    security/apparmor/policy.c:294: warning: Function parameter or member 'proxy' not described in 'aa_alloc_profile'
    security/apparmor/policy.c:785: warning: Function parameter or member 'label' not described in 'aa_policy_view_capable'
    security/apparmor/policy.c:785: warning: Function parameter or member 'ns' not described in 'aa_policy_view_capable'
    security/apparmor/policy.c:847: warning: Function parameter or member 'ns' not described in 'aa_may_manage_policy'
    security/apparmor/policy.c:964: warning: Function parameter or member 'hname' not described in '__lookup_replace'
    security/apparmor/policy.c:964: warning: Function parameter or member 'info' not described in '__lookup_replace'
    security/apparmor/policy.c:964: warning: Function parameter or member 'noreplace' not described in '__lookup_replace'
    security/apparmor/policy.c:964: warning: Function parameter or member 'ns' not described in '__lookup_replace'
    security/apparmor/policy.c:964: warning: Function parameter or member 'p' not described in '__lookup_replace'

Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

afad5357 | 14-Jun-2023 | Dan Carpenter <dan.carpenter@linaro.org>

apparmor: use passed in gfp flags in aa_alloc_null()

These allocations should use the gfp flags from the caller instead of GFP_KERNEL. But from what I can see, all the callers pass in GFP_KERNEL so this does not affect runtime.

Fixes: e31dd6e412f7 ("apparmor: fix: kzalloc perms tables for shared dfas")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>

ec6851ae | 15-Apr-2023 | John Johansen <john.johansen@canonical.com>

apparmor: fix: kzalloc perms tables for shared dfas

Currently the permstables of the shared dfas are not shared, and need to be allocated and copied. In the future this should be addressed with a larger rework on dfa and pdb ref counts and structure sharing.

BugLink: http://bugs.launchpad.net/bugs/2017903
Fixes: 217af7e2f4de ("apparmor: refactor profile rules and attachments")
Cc: stable@vger.kernel.org
Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Jon Tourville <jontourville@me.com>

76862af5 | 02-Jan-2023 | Randy Dunlap <rdunlap@infradead.org>

apparmor: fix kernel-doc complaints

Correct kernel-doc notation to placate kernel-doc W=1 warnings:

    security/apparmor/policy.c:439: warning: duplicate section name 'Return'
    security/apparmor/secid.c:57: warning: Cannot understand  *
    security/apparmor/file.c:174: warning: cannot understand function prototype: 'struct aa_perms default_perms = '

Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: John Johansen <john.johansen@canonical.com>
Cc: John Johansen <john@apparmor.net>
Cc: apparmor@lists.ubuntu.com
Cc: Paul Moore <paul@paul-moore.com>
Cc: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

7dd426e3 | 24-Oct-2022 | Gaosheng Cui <cuigaosheng1@huawei.com>

apparmor: fix a memleak in free_ruleset()

When the aa_profile is released, we will call free_ruleset to release aa_ruleset, but we don't free the memory of aa_ruleset, so there will be a memleak; fix it.

    unreferenced object 0xffff8881475df800 (size 1024):
      comm "apparmor_parser", pid 883, jiffies 4294899650 (age 9114.088s)
      hex dump (first 32 bytes):
        00 f8 5d 47 81 88 ff ff 00 f8 5d 47 81 88 ff ff  ..]G......]G....
        00 00 00 00 00 00 00 00 00 dc 65 47 81 88 ff ff  ..........eG....
      backtrace:
        [<00000000370e658e>] __kmem_cache_alloc_node+0x182/0x700
        [<00000000f2f5a6d2>] kmalloc_trace+0x2c/0x130
        [<00000000c5c905b3>] aa_alloc_profile+0x1bc/0x5c0
        [<00000000bc4fa72b>] unpack_profile+0x319/0x30c0
        [<00000000eab791e9>] aa_unpack+0x307/0x1450
        [<000000002c3a6ee1>] aa_replace_profiles+0x1b8/0x3790
        [<00000000d0c3fd54>] policy_update+0x35a/0x890
        [<00000000d04fed90>] profile_replace+0x1d1/0x260
        [<00000000cba0c0a7>] vfs_write+0x283/0xd10
        [<000000006bae64a5>] ksys_write+0x134/0x260
        [<00000000b2fd8f31>] __x64_sys_write+0x78/0xb0
        [<00000000f3c8a015>] do_syscall_64+0x5c/0x90
        [<00000000a242b1db>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

Fixes: 217af7e2f4de ("apparmor: refactor profile rules and attachments")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

665b1856 | 03-Oct-2022 | John Johansen <john.johansen@canonical.com>

apparmor: Fix loading of child before parent

Unfortunately it is possible for some userspaces to load children profiles before the parent profile. This can even happen when the child and the parent are in different load sets.

Fix this by creating a null place holder profile that grants no permissions and can be replaced by the parent once it is loaded.

Signed-off-by: John Johansen <john.johansen@canonical.com>

58f89ce5 | 03-Oct-2022 | John Johansen <john.johansen@canonical.com>

apparmor: refactor code that alloc null profiles

Both unconfined and learning profiles use the null profile as their base. Refactor so they share a common base routine. This doesn't save much atm but will be important when the feature set of the parent is inherited.

Signed-off-by: John Johansen <john.johansen@canonical.com>

1ad22fcc | 05-Sep-2022 | John Johansen <john.johansen@canonical.com>

apparmor: rework profile->rules to be a list

Convert profile->rules to a list as the next step towards supporting multiple rulesets in a profile. For this step only support a single list entry item. The logic for iterating the list will come as a separate step.

Signed-off-by: John Johansen <john.johansen@canonical.com>

217af7e2 | 29-Jul-2022 | John Johansen <john.johansen@canonical.com>

apparmor: refactor profile rules and attachments

In preparation for moving from a single set of rules and a single attachment to multiple rulesets and attachments separate from the profile, refactor attachment information and ruleset info into their own structures.

Signed-off-by: John Johansen <john.johansen@canonical.com>

22fac8a0 | 17-Dec-2019 | John Johansen <john.johansen@canonical.com>

apparmor: add user mode flag

Allow the profile to contain a user mode prompt flag. This works similar to complain mode but will try to send messages to a userspace daemon. If the daemon is not present or times out, regular enforcement will occur.

Signed-off-by: John Johansen <john.johansen@canonical.com>

8c4b785a | 19-Apr-2022 | John Johansen <john.johansen@canonical.com>

apparmor: add mediation class information to auditing

Audit messages currently don't contain the mediation class which can make them less clear than they should be in some circumstances. With newer mediation classes coming this potential confusion will become worse.

Fix this by adding the mediation class to the messages.

Signed-off-by: John Johansen <john.johansen@canonical.com>

048d4954 | 21-Nov-2020 | John Johansen <john.johansen@canonical.com>

apparmor: convert xmatch to using the new shared policydb struct

Continue permission unification by converting xmatch to use the policydb struct that is used by the other profile dfas.

Signed-off-by: John Johansen <john.johansen@canonical.com>

53bdc46f | 19-Nov-2020 | John Johansen <john.johansen@canonical.com>

apparmor: combine file_rules and aa_policydb into a single shared struct

file_rules and policydb are almost the same and will need the same features in the future so combine them.

Signed-off-by: John Johansen <john.johansen@canonical.com>

e2967ede | 17-Nov-2020 | John Johansen <john.johansen@canonical.com>

apparmor: compute policydb permission on profile load

Rather than computing policydb permissions for each access, permissions can be computed once on profile load and stored for lookup.

Signed-off-by: John Johansen <john.johansen@canonical.com>

b5b57993 | 31-May-2020 | Mike Salvatore <mike.salvatore@canonical.com>

apparmor: compute xmatch permissions on profile load

Rather than computing xmatch permissions each time access is requested, these permissions can be computed once on profile load and stored for lookup.

Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

9c4557ef | 06-Sep-2022 | John Johansen <john.johansen@canonical.com>

apparmor: fix lockdep warning when removing a namespace

Fix the following lockdep warning:

    [ 1119.158984] ============================================
    [ 1119.158988] WARNING: possible recursive locking detected
    [ 1119.158996] 6.0.0-rc1+ #257 Tainted: G            E     N
    [ 1119.158999] --------------------------------------------
    [ 1119.159001] bash/80100 is trying to acquire lock:
    [ 1119.159007] ffff88803e79b4a0 (&ns->lock/1){+.+.}-{4:4}, at: destroy_ns.part.0+0x43/0x140
    [ 1119.159028] but task is already holding lock:
    [ 1119.159030] ffff8881009764a0 (&ns->lock/1){+.+.}-{4:4}, at: aa_remove_profiles+0x3f0/0x640
    [ 1119.159040] other info that might help us debug this:
    [ 1119.159042]  Possible unsafe locking scenario:
    [ 1119.159043]        CPU0
    [ 1119.159045]        ----
    [ 1119.159047]   lock(&ns->lock/1);
    [ 1119.159051]   lock(&ns->lock/1);
    [ 1119.159055]  *** DEADLOCK ***

Which is caused by an incorrect lockdep nesting notation.

Fixes: feb3c766a3ab ("apparmor: fix possible recursive lock warning in __aa_create_ns")
Signed-off-by: John Johansen <john.johansen@canonical.com>

d61c57fd | 01-Feb-2021 | John Johansen <john.johansen@canonical.com>

apparmor: make export of raw binary profile to userspace optional

Embedded systems have limited space and don't need the introspection or checkpoint restore capability provided by exporting the raw profile binary data, so make it a config option. This will reduce run time memory use and also speed up policy loads.

Signed-off-by: John Johansen <john.johansen@canonical.com>

240516df | 17-Nov-2021 | Yang Li <yang.lee@linux.alibaba.com>

apparmor: Fix kernel-doc

Fix function name in security/apparmor/label.c, policy.c, procattr.c kernel-doc comment to remove some warnings found by clang (make W=1 LLVM=1).

    security/apparmor/label.c:499: warning: expecting prototype for aa_label_next_not_in_set(). Prototype was for __aa_label_next_not_in_set() instead
    security/apparmor/label.c:2147: warning: expecting prototype for __aa_labelset_udate_subtree(). Prototype was for __aa_labelset_update_subtree() instead
    security/apparmor/policy.c:434: warning: expecting prototype for aa_lookup_profile(). Prototype was for aa_lookupn_profile() instead
    security/apparmor/procattr.c:101: warning: expecting prototype for aa_setprocattr_chagnehat(). Prototype was for aa_setprocattr_changehat() instead

Reported-by: Abaci Robot <abaci@linux.alibaba.com>
Signed-off-by: Yang Li <yang.lee@linux.alibaba.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

f4a2d282 | 29-Sep-2021 | Gustavo A. R. Silva <gustavoars@kernel.org>

apparmor: Use struct_size() helper in kzalloc()

Make use of the struct_size() helper instead of an open-coded version, in order to avoid any potential type mistakes or integer overflows that, in the worst scenario, could lead to heap overflows.

Link: https://github.com/KSPP/linux/issues/160
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>

dc155617 | 03-Apr-2021 | John Johansen <john.johansen@canonical.com>

apparmor: Fix internal policy capable check for policy management

The check was incorrectly treating a returned error as a boolean.

Fixes: 31ec99e13346 ("apparmor: switch to apparmor to internal capable check for policy management")
Signed-off-by: John Johansen <john.johansen@canonical.com>

31ec99e1 | 01-Jul-2020 | John Johansen <john.johansen@canonical.com>

apparmor: switch to apparmor to internal capable check for policy management

With LSM stacking, calling back into capable to check for MAC_ADMIN for apparmor policy results in asking the other stacked LSMs for MAC_ADMIN, resulting in the other LSMs answering based on their policy management. For apparmor policy management we just need to call apparmor's capability fn directly.

Signed-off-by: John Johansen <john.johansen@canonical.com>

92de220a | 30-Jun-2020 | John Johansen <john.johansen@canonical.com>

apparmor: update policy capable checks to use a label

Previously the policy capable checks assumed they were using the current task. Make them take the task label so the query can be made against an arbitrary task.

Signed-off-by: John Johansen <john.johansen@canonical.com>

453431a5 | 07-Aug-2020 | Waiman Long <longman@redhat.com>

mm, treewide: rename kzfree() to kfree_sensitive()

As said by Linus:

    A symmetric naming is only helpful if it implies symmetries in use. Otherwise it's actively misleading.

    In "kzalloc()", the z is meaningful and an important part of what the caller wants.

    In "kzfree()", the z is actively detrimental, because maybe in the future we really _might_ want to use that "memfill(0xdeadbeef)" or something. The "zero" part of the interface isn't even _relevant_.

The main reason that kzfree() exists is to clear sensitive information that should not be leaked to other future users of the same memory objects.

Rename kzfree() to kfree_sensitive() to follow the example of the recently added kvfree_sensitive() and make the intention of the API more explicit. In addition, memzero_explicit() is used to clear the memory to make sure that it won't get optimized away by the compiler.

The renaming is done by using the command sequence:

    git grep -w --name-only kzfree |\
    xargs sed -i 's/kzfree/kfree_sensitive/'

followed by some editing of the kfree_sensitive() kerneldoc and adding a kzfree backward compatibility macro in slab.h.

[akpm@linux-foundation.org: fs/crypto/inline_crypt.c needs linux/slab.h]
[akpm@linux-foundation.org: fix fs/crypto/inline_crypt.c some more]

Suggested-by: Joe Perches <joe@perches.com>
Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Acked-by: David Howells <dhowells@redhat.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Joe Perches <joe@perches.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>
Link: http://lkml.kernel.org/r/20200616154311.12314-3-longman@redhat.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

3622ad25 | 07-Jun-2020 | John Johansen <john.johansen@canonical.com>

apparmor: Fix memory leak of profile proxy

When the proxy isn't replaced and the profile is removed, the proxy is being leaked, resulting in a kmemleak check message of

    unreferenced object 0xffff888077a3a490 (size 16):
      comm "apparmor_parser", pid 128041, jiffies 4322684109 (age 1097.028s)
      hex dump (first 16 bytes):
        03 00 00 00 00 00 00 00 b0 92 fd 4b 81 88 ff ff  ...........K....
      backtrace:
        [<0000000084d5daf2>] aa_alloc_proxy+0x58/0xe0
        [<00000000ecc0e21a>] aa_alloc_profile+0x159/0x1a0
        [<000000004cc9ce15>] unpack_profile+0x275/0x1c40
        [<000000007332b3ca>] aa_unpack+0x1e7/0x7e0
        [<00000000e25e31bd>] aa_replace_profiles+0x18a/0x1d10
        [<00000000350d9415>] policy_update+0x237/0x650
        [<000000003fbf934e>] profile_load+0x122/0x160
        [<0000000047f7b781>] vfs_write+0x139/0x290
        [<000000008ad12358>] ksys_write+0xcd/0x170
        [<000000001a9daa7b>] do_syscall_64+0x70/0x310
        [<00000000b9efb0cf>] entry_SYSCALL_64_after_hwframe+0x49/0xb3

Make sure to clean up the profile's embedded label, which will result in the proxy being properly freed.

Fixes: 637f688dc3dc ("apparmor: switch from profiles to using labels on contexts")
Signed-off-by: John Johansen <john.johansen@canonical.com>

8c62ed27 | 02-Jan-2020 | John Johansen <john.johansen@canonical.com>

apparmor: fix aa_xattrs_match() may sleep while holding a RCU lock

aa_xattrs_match() is unfortunately calling vfs_getxattr_alloc() from a context protected by an rcu_read_lock. This can not be done as vfs_getxattr_alloc() may sleep regardless of the gfp_t value being passed to it.

Fix this by breaking the rcu_read_lock on the policy search when the xattr match feature is requested and restarting the search if a policy change occurs.

Fixes: 8e51f9087f40 ("apparmor: Add support for attaching profiles via xattr, presence and value")
Reported-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: John Johansen <john.johansen@canonical.com>

b886d83c | 01-Jun-2019 | Thomas Gleixner <tglx@linutronix.de>

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441

Based on 1 normalized pattern(s):

    this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation version 2 of the license

extracted by the scancode license scanner the SPDX license identifier

    GPL-2.0-only

has been chosen to replace the boilerplate/reference in 315 file(s).

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Allison Randal <allison@lohutok.net>
Reviewed-by: Armijn Hemel <armijn@tjaldur.nl>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190531190115.503150771@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

058c4f34 | 16-Apr-2019 | Colin Ian King <colin.king@canonical.com>

apparmor: fix spelling mistake "immutible" -> "immutable"

There is a spelling mistake in an information message string, fix it.

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

145a0ef2 | 09-Mar-2019 | John Johansen <john.johansen@canonical.com>

apparmor: fix blob compression when ns is forced on a policy load

When blob compression is turned on, if the policy namespace is forced onto a policy load, the policy load will fail as the namespace name being referenced is inside the compressed policy blob, resulting in invalid names or names that are too long. So duplicate the name before the blob is compressed.

Fixes: 876dd866c084 ("apparmor: Initial implementation of raw policy blob compression")
Signed-off-by: John Johansen <john.johansen@canonical.com>

76af016e | 01-Nov-2018 | John Johansen <john.johansen@canonical.com>

apparmor: fix checkpatch error in Parse secmark policy

Fix missed spacing error reported by checkpatch for 9caafbe2b4cf ("Parse secmark policy")

Signed-off-by: John Johansen <john.johansen@canonical.com>

9caafbe2 | 24-May-2018 | Matthew Garrett <mjg59@google.com>

apparmor: Parse secmark policy

Add support for parsing secmark policy provided by userspace, and store that in the overall policy.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

3ddae987 | 13-Apr-2018 | John Johansen <john.johansen@canonical.com>

apparmor: fix memory leak when deduping profile load

AppArmor is leaking the newly loaded profile and its proxy when the profile is an exact match to the currently loaded version. In this case the dedup check results in the profile being skipped and put without dealing with the proxy ref, thus not breaking a circular refcount and causing a leak.

BugLink: http://bugs.launchpad.net/bugs/1750594
Fixes: 5d5182cae401 ("apparmor: move to per loaddata files, instead of replicating in profiles")
Signed-off-by: John Johansen <john.johansen@canonical.com>

3107e8cb | 11-Apr-2018 | Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

apparmor: fix typo "preconfinement"

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>

c0929212 | 31-Jul-2017 | John Johansen <john.johansen@canonical.com>

apparmor: add support for mapping secids and using secctxes

Use a radix tree to provide a map between the secid and the label, and along with it a basic ability to provide secctx conversion. Shared/cached secctx will be added later.

Signed-off-by: John Johansen <john.johansen@canonical.com>

73f488cd | 12-Dec-2017 | John Johansen <john.johansen@canonical.com>

apparmor: convert attaching profiles via xattrs to use dfa matching

This converts profile attachment based on xattrs to a fixed extended conditional using dfa matching. This has a couple of advantages:

- pattern matching can be used for the xattr match
- xattrs can be optional for an attachment or marked as required
- the xattr attachment conditional will be able to be combined with other extended conditionals when the flexible extended conditional work lands.

The xattr fixed extended conditional is appended to the xmatch conditional. If an xattr attachment is specified the profile xmatch will be generated regardless of whether there is a pattern match on the executable name.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>

8e51f908 | 08-Feb-2018 | Matthew Garrett <mjg59@google.com>

apparmor: Add support for attaching profiles via xattr, presence and value

Make it possible to tie Apparmor profiles to the presence of one or more extended attributes, and optionally their values. An example usecase for this is to automatically transition to a more privileged Apparmor profile if an executable has a valid IMA signature, which can then be appraised by the IMA subsystem.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

d8889d49 | 11-Oct-2017 | John Johansen <john.johansen@canonical.com>

apparmor: move context.h to cred.h

Now that file contexts have been moved into file, and task context fns() and data have been split from the context, only the cred context remains in context.h, so rename to cred.h to better reflect what it deals with.

Signed-off-by: John Johansen <john.johansen@canonical.com>

e1a03f62 | 27-Jan-2017 | John Johansen <john.johansen@canonical.com>

apparmor: cleanup fixup description of aa_replace_profiles

Signed-off-by: John Johansen <john.johansen@canonical.com>

4d2f8ba3 | 19-Jan-2017 | John Johansen <john.johansen@canonical.com>

apparmor: rename task_ctx to the more accurate cred_ctx

Signed-off-by: John Johansen <john.johansen@canonical.com>

feb3c766 | 21-Nov-2017 | John Johansen <john.johansen@canonical.com>

apparmor: fix possible recursive lock warning in __aa_create_ns

Use mutex_lock_nested to provide lockdep the parent child lock ordering of the tree.

This fixes the lockdep warning

    [ 305.275177] ============================================
    [ 305.275178] WARNING: possible recursive locking detected
    [ 305.275179] 4.14.0-rc7+ #320 Not tainted
    [ 305.275180] --------------------------------------------
    [ 305.275181] apparmor_parser/1339 is trying to acquire lock:
    [ 305.275182]  (&ns->lock){+.+.}, at: [<ffffffff970544dd>] __aa_create_ns+0x6d/0x1e0
    [ 305.275187] but task is already holding lock:
    [ 305.275187]  (&ns->lock){+.+.}, at: [<ffffffff97054b5d>] aa_prepare_ns+0x3d/0xd0
    [ 305.275190] other info that might help us debug this:
    [ 305.275191]  Possible unsafe locking scenario:
    [ 305.275192]        CPU0
    [ 305.275193]        ----
    [ 305.275193]   lock(&ns->lock);
    [ 305.275194]   lock(&ns->lock);
    [ 305.275195]  *** DEADLOCK ***
    [ 305.275196]  May be due to missing lock nesting notation
    [ 305.275198] 2 locks held by apparmor_parser/1339:
    [ 305.275198]  #0:  (sb_writers#10){.+.+}, at: [<ffffffff96e9c6b7>] vfs_write+0x1a7/0x1d0
    [ 305.275202]  #1:  (&ns->lock){+.+.}, at: [<ffffffff97054b5d>] aa_prepare_ns+0x3d/0xd0
    [ 305.275205] stack backtrace:
    [ 305.275207] CPU: 1 PID: 1339 Comm: apparmor_parser Not tainted 4.14.0-rc7+ #320
    [ 305.275208] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04/01/2014
    [ 305.275209] Call Trace:
    [ 305.275212]  dump_stack+0x85/0xcb
    [ 305.275214]  __lock_acquire+0x141c/0x1460
    [ 305.275216]  ? __aa_create_ns+0x6d/0x1e0
    [ 305.275218]  ? ___slab_alloc+0x183/0x540
    [ 305.275219]  ? ___slab_alloc+0x183/0x540
    [ 305.275221]  lock_acquire+0xed/0x1e0
    [ 305.275223]  ? lock_acquire+0xed/0x1e0
    [ 305.275224]  ? __aa_create_ns+0x6d/0x1e0
    [ 305.275227]  __mutex_lock+0x89/0x920
    [ 305.275228]  ? __aa_create_ns+0x6d/0x1e0
    [ 305.275230]  ? trace_hardirqs_on_caller+0x11f/0x190
    [ 305.275231]  ? __aa_create_ns+0x6d/0x1e0
    [ 305.275233]  ? __lockdep_init_map+0x57/0x1d0
    [ 305.275234]  ? lockdep_init_map+0x9/0x10
    [ 305.275236]  ? __rwlock_init+0x32/0x60
    [ 305.275238]  mutex_lock_nested+0x1b/0x20
    [ 305.275240]  ? mutex_lock_nested+0x1b/0x20
    [ 305.275241]  __aa_create_ns+0x6d/0x1e0
    [ 305.275243]  aa_prepare_ns+0xc2/0xd0
    [ 305.275245]  aa_replace_profiles+0x168/0xf30
    [ 305.275247]  ? __might_fault+0x85/0x90
    [ 305.275250]  policy_update+0xb9/0x380
    [ 305.275252]  profile_load+0x7e/0x90
    [ 305.275254]  __vfs_write+0x28/0x150
    [ 305.275256]  ? rcu_read_lock_sched_held+0x72/0x80
    [ 305.275257]  ? rcu_sync_lockdep_assert+0x2f/0x60
    [ 305.275259]  ? __sb_start_write+0xdc/0x1c0
    [ 305.275261]  ? vfs_write+0x1a7/0x1d0
    [ 305.275262]  vfs_write+0xca/0x1d0
    [ 305.275264]  ? trace_hardirqs_on_caller+0x11f/0x190
    [ 305.275266]  SyS_write+0x49/0xa0
    [ 305.275268]  entry_SYSCALL_64_fastpath+0x23/0xc2
    [ 305.275271] RIP: 0033:0x7fa6b22e8c74
    [ 305.275272] RSP: 002b:00007ffeaaee6288 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
    [ 305.275273] RAX: ffffffffffffffda RBX: 00007ffeaaee62a4 RCX: 00007fa6b22e8c74
    [ 305.275274] RDX: 0000000000000a51 RSI: 00005566a8198c10 RDI: 0000000000000004
    [ 305.275275] RBP: 0000000000000a39 R08: 0000000000000a51 R09: 0000000000000000
    [ 305.275276] R10: 0000000000000000 R11: 0000000000000246 R12: 00005566a8198c10
    [ 305.275277] R13: 0000000000000004 R14: 00005566a72ecb88 R15: 00005566a72ec3a8

Fixes: 73688d1ed0b8 ("apparmor: refactor prepare_ns() and make usable from different views")
Signed-off-by: John Johansen <john.johansen@canonical.com>

4633307e | 15-Nov-2017 | John Johansen <john.johansen@canonical.com>

apparmor: fix leak of null profile name if profile allocation fails

Fixes: d07881d2edb0 ("apparmor: move new_null_profile to after profile lookup fns()")
Reported-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

290638a5 | 16-Aug-2017 | John Johansen <john.johansen@canonical.com>

apparmor: fix race condition in null profile creation

There is a race when a null-profile is being created between the initial lookup/creation of the profile and lock/addition of the profile. This could result in multiple versions of a profile being added to the list which need to be removed/replaced. Since these are learning profiles there is no effect on mediation.

Signed-off-by: John Johansen <john.johansen@canonical.com>

#
d07881d2 |
|
16-Aug-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: move new_null_profile to after profile lookup fns() new_null_profile will need to use some of the profile lookup fns() so move instead of doing forward fn declarations. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
637f688d |
|
09-Jun-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: switch from profiles to using labels on contexts Begin the actual switch to using domain labels by storing them on the context and converting the label to a singular profile where possible. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
dca91402 |
|
09-Jun-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: cleanup remove unused and not fully implemented profile rename Remove the partially implemented code, until this can be properly implemented. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
435222bc |
|
09-Jun-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: refactor updating profiles to the newest parent Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
a1bd627b |
|
09-Jun-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: share profile name on replacement The profile names are the same, leverage this. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
60285eb3 |
|
04-Jun-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: fix policy load/remove semantics The namespace being passed into the replace/remove profiles fns() is not the view, but the namespace specified by the inode from the file hook (if present) or the loading tasks ns, if accessing the top level virtualized load/replace file interface. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
3664268f |
|
02-Jun-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: add namespace lookup fns() Currently lookups are restricted to a single ns component in the path. However when namespaces are allowed to have separate views, and scopes this will not be sufficient, as it will be possible to have a multiple component ns path in scope. Add some ns lookup fns() to allow this and use them. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
ae3b3165 |
|
02-Jun-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: cleanup __find_child() Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
18e99f19 |
|
26-May-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: provide finer control over policy management Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
c97204ba |
|
25-May-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: rename apparmor file fns and data to indicate use Prefixes are used for fns/data that are not static to apparmorfs.c, with the prefixes being: aafs - special magic apparmorfs for policy namespace data; aa_sfs - for fns/data that go into securityfs; aa_fs - for fns/data that may be used in either aafs or securityfs. Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Seth Arnold <seth.arnold@canonical.com> Reviewed-by: Kees Cook <keescook@chromium.org>
|
#
5d5182ca |
|
09-May-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: move to per loaddata files, instead of replicating in profiles The loaddata sets cover more than just a single profile and should be tracked at the ns level. Move the load data files under the namespace and reference the files from the profiles via a symlink. Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Seth Arnold <seth.arnold@canonical.com> Reviewed-by: Kees Cook <keescook@chromium.org>
|
#
b9b144bc |
|
06-Apr-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: fix invalid reference to index variable of iterator line 836 Once the loop on lines 836-853 is complete and exits normally, ent is a pointer to the dummy list head value. The dereferences accessible from e.g. the goto fail on line 860 or the various goto fail_lock's afterwards thus seem incorrect. Reported-by: Julia Lawall <julia.lawall@lip6.fr> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
|
#
b2d09103 |
|
03-Feb-2017 |
Ingo Molnar <mingo@kernel.org> |
sched/headers: Prepare to use <linux/rcuupdate.h> instead of <linux/rculist.h> in <linux/sched.h> We don't actually need the full rculist.h header in sched.h anymore, we will be able to include the smaller rcupdate.h header instead. But first update code that relied on the implicit header inclusion. Acked-by: Linus Torvalds <torvalds@linux-foundation.org> Cc: Mike Galbraith <efault@gmx.de> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: linux-kernel@vger.kernel.org Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
#
5b825c3a |
|
02-Feb-2017 |
Ingo Molnar <mingo@kernel.org> |
sched/headers: Prepare to remove <linux/cred.h> inclusion from <linux/sched.h> Add #include <linux/cred.h> dependencies to all .c files that rely on sched.h doing that for them. Note that even if the count where we need to add extra headers seems high, it's still a net win, because <linux/sched.h> is included in over 2,200 files ... Acked-by: Linus Torvalds <torvalds@linux-foundation.org> Cc: Mike Galbraith <efault@gmx.de> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: linux-kernel@vger.kernel.org Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
#
e3ea1ca5 |
|
16-Mar-2016 |
Tyler Hicks <tyhicks@canonical.com> |
apparmor: sysctl to enable unprivileged user ns AppArmor policy loading If this sysctl is set to non-zero and a process with CAP_MAC_ADMIN in the root namespace has created an AppArmor policy namespace, unprivileged processes will be able to change to a profile in the newly created AppArmor policy namespace and, if the profile allows CAP_MAC_ADMIN and appropriate file permissions, will be able to load policy in the respective policy namespace. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
e025be0f |
|
15-Jan-2017 |
William Hua <william.hua@canonical.com> |
apparmor: support querying extended trusted helper extra data Allow a profile to carry extra data that can be queried via userspace. This provides a means to store extra data in a profile that a trusted helper can extract and use from live policy. Signed-off-by: William Hua <william.hua@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
ef88a7ac |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: change aad apparmor_audit_data macro to a fn macro The aad macro can replace aad strings when it is not intended to. Switch to a fn macro so it is only applied when intended. Also at the same time cleanup audit_data initialization by putting common boiler plate behind a macro, and dropping the gfp_t parameter which will become useless. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
47f6e5cc |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: change op from int to const char * Having ops be an integer that is an index into an op name table is awkward and brittle. Every op change requires an edit for both the op constant and a string in the table. Instead switch to using const strings directly, eliminating the need for the table that needs to be kept in sync. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
55a26ebf |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: rename context abbreviation cxt to the more standard ctx Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
12dd7171 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: pass the subject profile into profile replace/remove This is just setup for new ns specific .load, .replace, .remove interface files. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
04dc715e |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: audit policy ns specified in policy load Verify that profiles in a load set specify the same policy ns and audit the name of the policy ns that policy is being loaded for. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
5ac8c355 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: allow introspecting the loaded policy pre internal transform Store loaded policy and allow introspecting it through apparmorfs. This has several uses from debugging, policy validation, and policy checkpoint and restore for containers. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
fc1c9fd1 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: add ns name to the audit data for policy loads Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
078c73c6 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: add profile and ns params to aa_may_manage_policy() Policy management will be expanded beyond traditional unconfined root. This will require knowing the profile of the task doing the management and the ns view. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
fd2a8043 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: add ns being viewed as a param to policy_admin_capable() Prepare for a tighter pairing of user namespaces and apparmor policy namespaces, by making the ns to be viewed available. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
2bd8dbbf |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: add ns being viewed as a param to policy_view_capable() Prepare for a tighter pairing of user namespaces and apparmor policy namespaces, by making the ns to be viewed available and checking that the user namespace level is the same as the policy ns level. This strict pairing will be relaxed once true support of user namespaces lands. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
a6f23300 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: allow specifying the profile doing the management Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
b79473f2 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: Make aa_remove_profile() callable from a different view This is prep work for fs operations being able to remove namespaces. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
11c236b8 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: add a default null dfa Instead of testing whether a given dfa exists in every code path, have a default null dfa that is used when loaded policy doesn't provide a dfa. This will let us get rid of special casing and avoid dereference bugs when special casing is missed. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
181f7c97 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: name null-XXX profiles after the executable When possible it's better to name a learning profile after the missing profile in question. This allows for both more informative names and for profile reuse. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
30b026a8 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: pass gfp_t parameter into profile allocation Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
73688d1e |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: refactor prepare_ns() and make usable from different views prepare_ns() will need to be called from alternate views, and namespaces will need to be created via different interfaces. So refactor and allow specifying the view ns. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
d102d895 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: pass gfp param into aa_policy_init() Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
6e474e30 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: rename hname_tail to basename Rename to the shorter and more familiar shell cmd name Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
31617ddf |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: add fn to lookup profiles by fqname Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
1741e9eb |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: add strn version of lookup_profile fn Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
8399588a |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: rename replacedby to proxy Proxy is shorter and a better fit than replacedby, so rename it. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
d97d51d2 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: rename PFLAG_INVALID to PFLAG_STALE Invalid does not convey the meaning of the flag anymore so rename it. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
98849dff |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: rename namespace to ns to improve code line lengths Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
cff281f6 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: split apparmor policy namespaces code into its own file Policy namespaces will be diverging from profile management and expanding so put it in its own file. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
fe6bb31f |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: split out shared policy_XXX fns to lib Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
58acf9d9 |
|
22-Jun-2016 |
John Johansen <john.johansen@canonical.com> |
apparmor: fix module parameters can be changed after policy is locked The policy_lock parameter is a one way switch that prevents policy from being further modified. Unfortunately some of the module parameters can effectively modify policy by turning off enforcement. Split policy_admin_capable into a view check and a full admin check, and update the admin check to test the policy_lock parameter. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
de7c4cc9 |
|
16-Dec-2015 |
John Johansen <john.johansen@canonical.com> |
apparmor: fix refcount race when finding a child profile When finding a child profile via an rcu critical section, the profile may be put and scheduled for deletion after the child is found but before its refcount is incremented. Protect against this by repeating the lookup if the profile's refcount is 0 and it is on its way to deletion. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
|
#
7ee6da25 |
|
16-Apr-2016 |
John Johansen <john.johansen@canonical.com> |
apparmor: fix audit full profile hname on successful load Currently logging of a successful profile load only logs the basename of the profile. This can result in confusion when a child profile has the same name as another profile in the set. Logging the hname will ensure there is no confusion. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
|
#
bf15cf0c |
|
16-Apr-2016 |
John Johansen <john.johansen@canonical.com> |
apparmor: fix log failures for all profiles in a set Currently only the profile that is causing the failure is logged. This makes it more confusing than necessary about which profiles loaded and which didn't. So make sure to log success and failure messages for all profiles in the set being loaded. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
|
#
f351841f |
|
16-Apr-2016 |
John Johansen <john.johansen@canonical.com> |
apparmor: fix put() parent ref after updating the active ref Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
|
#
ec34fa24 |
|
11-Apr-2016 |
John Johansen <john.johansen@canonical.com> |
apparmor: fix replacement bug that adds new child to old parent When set atomic replacement is used and the parent is updated before the child, and the child did not exist in the old parent so there is no direct replacement then the new child is incorrectly added to the old parent. This results in the new parent not having the child(ren) that it should and the old parent when being destroyed asserting the following error. AppArmor: policy_destroy: internal error, policy '<profile/name>' still contains profiles Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
|
#
dcda617a |
|
11-Apr-2016 |
John Johansen <john.johansen@canonical.com> |
apparmor: fix refcount bug in profile replacement Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
|
#
5cb3e91e |
|
14-Oct-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: fix memleak of the profile hash BugLink: http://bugs.launchpad.net/bugs/1235523 This fixes the following kmemleak trace: unreferenced object 0xffff8801e8c35680 (size 32): comm "apparmor_parser", pid 691, jiffies 4294895667 (age 13230.876s) hex dump (first 32 bytes): e0 d3 4e b5 ac 6d f4 ed 3f cb ee 48 1c fd 40 cf ..N..m..?..H..@. 5b cc e9 93 00 00 00 00 00 00 00 00 00 00 00 00 [............... backtrace: [<ffffffff817a97ee>] kmemleak_alloc+0x4e/0xb0 [<ffffffff811ca9f3>] __kmalloc+0x103/0x290 [<ffffffff8138acbc>] aa_calc_profile_hash+0x6c/0x150 [<ffffffff8138074d>] aa_unpack+0x39d/0xd50 [<ffffffff8137eced>] aa_replace_profiles+0x3d/0xd80 [<ffffffff81376937>] profile_replace+0x37/0x50 [<ffffffff811e9f2d>] vfs_write+0xbd/0x1e0 [<ffffffff811ea96c>] SyS_write+0x4c/0xa0 [<ffffffff817ccb1d>] system_call_fastpath+0x1a/0x1f [<ffffffffffffffff>] 0xffffffffffffffff Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
|
#
4cd4fc77 |
|
29-Sep-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: fix suspicious RCU usage warning in policy.c/policy.h The recent 3.12 pull request for apparmor was missing a couple rcu _protected access modifiers, resulting in the following suspicious RCU usage [ 29.804534] [ INFO: suspicious RCU usage. ] [ 29.804539] 3.11.0+ #5 Not tainted [ 29.804541] ------------------------------- [ 29.804545] security/apparmor/include/policy.h:363 suspicious rcu_dereference_check() usage! [ 29.804548] [ 29.804548] other info that might help us debug this: [ 29.804548] [ 29.804553] [ 29.804553] rcu_scheduler_active = 1, debug_locks = 1 [ 29.804558] 2 locks held by apparmor_parser/1268: [ 29.804560] #0: (sb_writers#9){.+.+.+}, at: [<ffffffff81120a4c>] file_start_write+0x27/0x29 [ 29.804576] #1: (&ns->lock){+.+.+.}, at: [<ffffffff811f5d88>] aa_replace_profiles+0x166/0x57c [ 29.804589] [ 29.804589] stack backtrace: [ 29.804595] CPU: 0 PID: 1268 Comm: apparmor_parser Not tainted 3.11.0+ #5 [ 29.804599] Hardware name: ASUSTeK Computer Inc. UL50VT /UL50VT , BIOS 217 03/01/2010 [ 29.804602] 0000000000000000 ffff8800b95a1d90 ffffffff8144eb9b ffff8800b94db540 [ 29.804611] ffff8800b95a1dc0 ffffffff81087439 ffff880138cc3a18 ffff880138cc3a18 [ 29.804619] ffff8800b9464a90 ffff880138cc3a38 ffff8800b95a1df0 ffffffff811f5084 [ 29.804628] Call Trace: [ 29.804636] [<ffffffff8144eb9b>] dump_stack+0x4e/0x82 [ 29.804642] [<ffffffff81087439>] lockdep_rcu_suspicious+0xfc/0x105 [ 29.804649] [<ffffffff811f5084>] __aa_update_replacedby+0x53/0x7f [ 29.804655] [<ffffffff811f5408>] __replace_profile+0x11f/0x1ed [ 29.804661] [<ffffffff811f6032>] aa_replace_profiles+0x410/0x57c [ 29.804668] [<ffffffff811f16d4>] profile_replace+0x35/0x4c [ 29.804674] [<ffffffff81120fa3>] vfs_write+0xad/0x113 [ 29.804680] [<ffffffff81121609>] SyS_write+0x44/0x7a [ 29.804687] [<ffffffff8145bfd2>] system_call_fastpath+0x16/0x1b [ 29.804691] [ 29.804694] =============================== [ 29.804697] [ INFO: suspicious RCU usage. ] [ 29.804700] 3.11.0+ #5 Not tainted [ 29.804703] ------------------------------- [ 29.804706] security/apparmor/policy.c:566 suspicious rcu_dereference_check() usage! [ 29.804709] [ 29.804709] other info that might help us debug this: [ 29.804709] [ 29.804714] [ 29.804714] rcu_scheduler_active = 1, debug_locks = 1 [ 29.804718] 2 locks held by apparmor_parser/1268: [ 29.804721] #0: (sb_writers#9){.+.+.+}, at: [<ffffffff81120a4c>] file_start_write+0x27/0x29 [ 29.804733] #1: (&ns->lock){+.+.+.}, at: [<ffffffff811f5d88>] aa_replace_profiles+0x166/0x57c [ 29.804744] [ 29.804744] stack backtrace: [ 29.804750] CPU: 0 PID: 1268 Comm: apparmor_parser Not tainted 3.11.0+ #5 [ 29.804753] Hardware name: ASUSTeK Computer Inc. UL50VT /UL50VT , BIOS 217 03/01/2010 [ 29.804756] 0000000000000000 ffff8800b95a1d80 ffffffff8144eb9b ffff8800b94db540 [ 29.804764] ffff8800b95a1db0 ffffffff81087439 ffff8800b95b02b0 0000000000000000 [ 29.804772] ffff8800b9efba08 ffff880138cc3a38 ffff8800b95a1dd0 ffffffff811f4f94 [ 29.804779] Call Trace: [ 29.804786] [<ffffffff8144eb9b>] dump_stack+0x4e/0x82 [ 29.804791] [<ffffffff81087439>] lockdep_rcu_suspicious+0xfc/0x105 [ 29.804798] [<ffffffff811f4f94>] aa_free_replacedby_kref+0x4d/0x62 [ 29.804804] [<ffffffff811f4f47>] ? aa_put_namespace+0x17/0x17 [ 29.804810] [<ffffffff811f4f0b>] kref_put+0x36/0x40 [ 29.804816] [<ffffffff811f5423>] __replace_profile+0x13a/0x1ed [ 29.804822] [<ffffffff811f6032>] aa_replace_profiles+0x410/0x57c [ 29.804829] [<ffffffff811f16d4>] profile_replace+0x35/0x4c [ 29.804835] [<ffffffff81120fa3>] vfs_write+0xad/0x113 [ 29.804840] [<ffffffff81121609>] SyS_write+0x44/0x7a [ 29.804847] [<ffffffff8145bfd2>] system_call_fastpath+0x16/0x1b Reported-by: miles.lane@gmail.com CC: paulmck@linux.vnet.ibm.com Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
|
#
0d259f04 |
|
10-Jul-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: add interface files for profiles and namespaces Add basic interface files to access namespace and profile information. The interface files are created when a profile is loaded and removed when the profile or namespace is removed. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
03816507 |
|
10-Jul-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: allow setting any profile into the unconfined state Allow emulating the default profile behavior from boot, by allowing loading of a profile in the unconfined state into a new NS. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
|
#
8651e1d6 |
|
10-Jul-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: make free_profile available outside of policy.c Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
742058b0 |
|
10-Jul-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: rework namespace free path Namespaces now completely use the unconfined profile to track the refcount and rcu freeing cycle. So rework the code to simplify (track everything through the profile path right up to the end), and move the rcu_head from policy base to profile as the namespace no longer needs it. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
|
#
fa2ac468 |
|
10-Jul-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: update how unconfined is handled ns->unconfined is being used read side without locking, nor rcu but is being updated when a namespace is removed. This works for the root ns which is never removed but has a race window and can cause failures when children namespaces are removed. Also ns and ns->unconfined have a circular refcounting dependency that is problematic and must be broken. Currently this is done incorrectly when the namespace is destroyed. Fix this by forward referencing unconfined via the replacedby infrastructure instead of directly updating the ns->unconfined pointer. Remove the circular refcount dependency by making the ns and its unconfined profile share the same refcount. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
|
#
77b071b3 |
|
10-Jul-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: change how profile replacement update is done Remove the use of replacedby chaining and move to profile invalidation and lookup to handle task replacement. Replacement chaining can result in large chains of profiles being pinned in memory when one profile in the chain is in use. With implicit labeling this will be even more of a problem, so move to a direct lookup method. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
01e2b670 |
|
10-Jul-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: convert profile lists to RCU based locking Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
dd51c848 |
|
10-Jul-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: provide base for multiple profiles to be replaced at once Previously profiles had to be loaded one at a time, which could result in cases where a replacement of a set would partially succeed, and then fail, resulting in inconsistent policy. Allow multiple profiles to be replaced "atomically" so that the replacement either succeeds or fails for the entire set of profiles. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
41d1b3e8 |
|
21-Feb-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: Fix smatch warning in aa_remove_profiles smatch reports error: potential NULL dereference 'ns'. This cannot actually occur because it relies on aa_split_fqname setting both ns_name and name as null, but ns_name will actually always have a value in this case. So remove the unnecessary if (ns_name) conditional that is resulting in the false positive further down. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
4da05cc0 |
|
18-Feb-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: move the free_profile fn ahead of aa_alloc_profile Move the free_profile fn ahead of aa_alloc_profile so it can be used in aa_alloc_profile without a forward declaration. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
|
#
a4987857 |
|
18-Feb-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: remove sid from profiles The sid is not going to be a direct property of a profile anymore; instead it will be directly related to the label, and the profile will pick up a label back reference. For null-profiles replace the use of sid with a per namespace unique id. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
|
#
2e680dd6 |
|
24-Oct-2012 |
John Johansen <john.johansen@canonical.com> |
apparmor: fix IRQ stack overflow during free_profile BugLink: http://bugs.launchpad.net/bugs/1056078 Profile replacement can cause long chains of profiles to build up when the profile being replaced is pinned. When the pinned profile is finally freed, it puts the reference to its replacement, which may in turn nest another call to free_profile on the stack. Because this may happen for each profile in the replacedby chain this can result in a recursion that causes the stack to overflow. Break this nesting by directly walking the chain of replacedby profiles (i.e. use iteration instead of recursion to free the list). This results in at most 2 levels of free_profile being called, while freeing a replacedby chain. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
|
#
bf83208e |
|
16-May-2012 |
John Johansen <john.johansen@canonical.com> |
apparmor: fix profile lookup for unconfined BugLink: http://bugs.launchpad.net/bugs/978038 also affects apparmor portion of BugLink: http://bugs.launchpad.net/bugs/987371 The unconfined profile is not stored in the regular profile list, but change_profile and exec transitions may want access to it when setting up specialized transitions like switch to the unconfined profile of a new policy namespace. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
50c205f5 |
|
04-Apr-2012 |
Eric Paris <eparis@redhat.com> |
LSM: do not initialize common_audit_data to 0 It isn't needed. If you don't set the type of the data associated with that type it is a pretty obvious programming bug. So why waste the cycles? Signed-off-by: Eric Paris <eparis@redhat.com>
|
#
bd5e50f9 |
|
04-Apr-2012 |
Eric Paris <eparis@redhat.com> |
LSM: remove the COMMON_AUDIT_DATA_INIT type expansion Just open code it so grep on the source code works better. Signed-off-by: Eric Paris <eparis@redhat.com>
|
#
3b3b0e4f |
|
03-Apr-2012 |
Eric Paris <eparis@redhat.com> |
LSM: shrink sizeof LSM specific portion of common_audit_data Linus found that the gigantic size of the common audit data caused a big perf hit on something as simple as running stat() in a loop. This patch requires LSMs to declare the LSM specific portion separately rather than doing it in a union. Thus each LSM can be responsible for shrinking their portion and don't have to pay a penalty just because other LSMs have a bigger space requirement. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
#
2d4cee7e |
|
14-Mar-2012 |
Jan Engelhardt <jengelh@medozas.de> |
AppArmor: add const qualifiers to string arrays Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
ad5ff3db |
|
16-Feb-2012 |
John Johansen <john.johansen@canonical.com> |
AppArmor: Add ability to load extended policy Add the base support for the new policy extensions. This does not bring any additional functionality, or change current semantics. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
|
#
246c3fb1 |
|
09-Nov-2010 |
wzt.wzt@gmail.com <wzt.wzt@gmail.com> |
APPARMOR: Fix memory leak of alloc_namespace() policy->name is a substring of policy->hname; if prefix is not NULL, strlen(prefix) + strlen(name) + 3 bytes will be allocated to policy->hname in policy_init(). Using kzfree(ns->base.name) will cause a memory leak if alloc_namespace() failed. Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org>
|
#
999b4f0a |
|
27-Aug-2010 |
John Johansen <john.johansen@canonical.com> |
AppArmor: Fix locking from removal of profile namespace The locking for profile namespace removal is wrong, when removing a profile namespace, it needs to be removed from its parent's list. Lock the parent of namespace list instead of the namespace being removed. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org>
|
#
c88d4c7b |
|
29-Jul-2010 |
John Johansen <john.johansen@canonical.com> |
AppArmor: core policy routines The basic routines and defines for AppArmor policy. AppArmor policy is defined by a few basic components: profiles - the basic unit of confinement, containing all the information to enforce policy on a task. Profiles tend to be named after an executable that they will attach to, but this is not required. namespaces - a container for a set of profiles that will be used during attachment and transitions between profiles. sids - which provide a unique id for each profile. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org>
|