#
d2fe16e9 |
|
08-Aug-2023 |
John Johansen <john.johansen@canonical.com> |
apparmor: fixup return comments for kernel doc cleanups by Gaosheng Cui [PATCH -next 05/11] apparmor: Fix kernel-doc warnings in apparmor/label.c missed updating the Returns comment for the new parameter names [PATCH -next 05/11] apparmor: Fix kernel-doc warnings in apparmor/label.c Added the @size parameter comment without mentioning it is a return value. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
2520d61c |
|
24-Jun-2023 |
Gaosheng Cui <cuigaosheng1@huawei.com> |
apparmor: Fix kernel-doc warnings in apparmor/policy_compat.c Fix kernel-doc warnings: security/apparmor/policy_compat.c:151: warning: Function parameter or member 'size' not described in 'compute_fperms' Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
6f442d42 |
|
17-Apr-2023 |
John Johansen <john.johansen@canonical.com> |
apparmor: fix profile verification and enable it The transition table size was not being set by compat mappings resulting in the profile verification code not being run. Unfortunately the checks were also buggy not being correctly updated from the old accept perms, to the new layout. Also indicate to userspace that the kernel has the permstable verification fixes. BugLink: http://bugs.launchpad.net/bugs/2017903 Fixes: 670f31774ab6 ("apparmor: verify permission table indexes") Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Jon Tourville <jontourville@me.com>
|
#
6600e9f6 |
|
14-Apr-2023 |
John Johansen <john.johansen@canonical.com> |
apparmor: add missing failure check in compute_xmatch_perms Add check for failure to allocate the permission table. Fixes: caa9f579ca72 ("apparmor: isolate policy backwards compatibility to its own file") Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
cbb13e12 |
|
14-Feb-2023 |
John Johansen <john.johansen@canonical.com> |
apparmor: Fix regression in compat permissions for getattr This fixes a regression in mediation of getattr when old policy built under an older ABI is loaded and mapped to internal permissions. The regression does not occur for all getattr permission requests, only appearing if state zero is the final state in the permission lookup. This is because despite the first state (index 0) being guaranteed to not have permissions in both newer and older permission formats, it may have to carry permissions that were not mediated as part of an older policy. These backward compat permissions are mapped here to avoid special casing the mediation code paths. Since the mapping code already takes into account backwards compat permission from older formats it can be applied to state 0 to fix the regression. Fixes: 408d53e923bd ("apparmor: compute file permissions on profile load") Reported-by: Philip Meulengracht <the_meulengracht@hotmail.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
1ddece8c |
|
24-Sep-2022 |
John Johansen <john.johansen@canonical.com> |
apparmor: Fix doc comment for compute_fperms When compute_fperms was moved to policy_compat and made static it was renamed from aa_compute_fperms to just compute_fperms to help indicate it is only available statically. Unfortunately the doc comment did not also get updated to reflect the change. Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
caa9f579 |
|
21-Aug-2022 |
John Johansen <john.johansen@canonical.com> |
apparmor: isolate policy backwards compatibility to its own file The details of mapping old policy into newer policy formats clutters up the unpack code and makes it possible to accidentally use old mappings in code, so isolate the mapping code into its own file. This will become more important when the dfa remapping code lands, as it will greatly expand the compat code base. Signed-off-by: John Johansen <john.johansen@canonical.com>
|