#
223981db |
|
12-Sep-2023 |
Casey Schaufler <casey@schaufler-ca.com> |
AppArmor: Add selfattr hooks Add hooks for setselfattr and getselfattr. These hooks are not very different from their setprocattr and getprocattr equivalents, and much of the code is shared. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: John Johansen <john.johansen@canonical.com> [PM: forward ported beyond v6.6 due merge window changes] Signed-off-by: Paul Moore <paul@paul-moore.com>
|
#
1f2bc06a |
|
26-Sep-2022 |
Gaosheng Cui <cuigaosheng1@huawei.com> |
apparmor: fix obsoleted comments for aa_getprocattr() and audit_resource() Update the comments for aa_getprocattr() and audit_resource(), the args of them have been changed since commit 76a1d263aba3 ("apparmor: switch getprocattr to using label_print fns()"). Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
240516df |
|
17-Nov-2021 |
Yang Li <yang.lee@linux.alibaba.com> |
apparmor: Fix kernel-doc Fix function name in security/apparmor/label.c, policy.c, procattr.c kernel-doc comment to remove some warnings found by clang(make W=1 LLVM=1). security/apparmor/label.c:499: warning: expecting prototype for aa_label_next_not_in_set(). Prototype was for __aa_label_next_not_in_set() instead security/apparmor/label.c:2147: warning: expecting prototype for __aa_labelset_udate_subtree(). Prototype was for __aa_labelset_update_subtree() instead security/apparmor/policy.c:434: warning: expecting prototype for aa_lookup_profile(). Prototype was for aa_lookupn_profile() instead security/apparmor/procattr.c:101: warning: expecting prototype for aa_setprocattr_chagnehat(). Prototype was for aa_setprocattr_changehat() instead Reported-by: Abaci Robot <abaci@linux.alibaba.com> Signed-off-by: Yang Li <yang.lee@linux.alibaba.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
582122f1 |
|
03-Nov-2021 |
Austin Kim <austindh.kim@gmail.com> |
apparmor: remove duplicated 'Returns:' comments It might look better if duplicated 'Returns:' comment is removed. Signed-off-by: Austin Kim <austindh.kim@gmail.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
b886d83c |
|
01-Jun-2019 |
Thomas Gleixner <tglx@linutronix.de> |
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation version 2 of the license extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 315 file(s). Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Allison Randal <allison@lohutok.net> Reviewed-by: Armijn Hemel <armijn@tjaldur.nl> Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190531190115.503150771@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
#
d8889d49 |
|
11-Oct-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: move context.h to cred.h Now that file contexts have been moved into file, and task context fns() and data have been split from the context, only the cred context remains in context.h so rename to cred.h to better reflect what it deals with. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
76a1d263 |
|
09-Jun-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: switch getprocattr to using label_print fns() Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
637f688d |
|
09-Jun-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: switch from profiles to using labels on contexts Begin the actual switch to using domain labels by storing them on the context and converting the label to a singular profile where possible. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
df8073c6 |
|
09-Jun-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: convert aa_change_XXX bool parameters to flags Instead of passing multiple booleans consolidate on a single flags field. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
cf797c0e |
|
09-Jun-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: convert to profile block critical sections There are still a few places where profile replacement fails to update and a stale profile is used for mediation. Fix this by moving to accessing the current label through a critical section that will always ensure mediation is using the current label regardless of whether the task's cred has been updated or not. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
aa9a39ad |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: convert change_profile to use fqname later to give better control Moving the use of fqname to later allows learning profiles to be based on the fqname request instead of just the hname. It also allows cleaning up some of the name parsing and lookup by allowing the use of the fqlookupn_profile() lib fn. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
c3e1e584 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: fix change_hat debug output Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
47f6e5cc |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: change op from int to const char * Having ops be an integer that is an index into an op name table is awkward and brittle. Every op change requires an edit for both the op constant and a string in the table. Instead switch to using const strings directly, eliminating the need for the table that needs to be kept in sync. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
92b6d8ef |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: allow ns visibility question to consider subnses Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
98849dff |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: rename namespace to ns to improve code line lengths Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
cff281f6 |
|
16-Jan-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: split apparmor policy namespaces code into its own file Policy namespaces will be diverging from profile management and expanding so put it in its own file. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
0d259f04 |
|
10-Jul-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: add interface files for profiles and namespaces Add basic interface files to access namespace and profile information. The interface files are created when a profile is loaded and removed when the profile or namespace is removed. Signed-off-by: John Johansen <john.johansen@canonical.com>
|
#
4b7c331f |
|
18-Feb-2013 |
John Johansen <john.johansen@canonical.com> |
apparmor: remove "permipc" command The "permipc" command is unused and unfinished, remove it. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
|
#
cc7db099 |
|
28-Aug-2011 |
James Morris <jmorris@namei.org> |
apparmor: sparse fix: include procattr.h in procattr.c Fix sparse warnings: security/apparmor/procattr.c:35:5: warning: symbol 'aa_getprocattr' was not declared. Should it be static? security/apparmor/procattr.c:113:5: warning: symbol 'aa_setprocattr_changehat' was not declared. Should it be static? security/apparmor/procattr.c:158:5: warning: symbol 'aa_setprocattr_changeprofile' was not declared. Should it be static? security/apparmor/procattr.c:166:5: warning: symbol 'aa_setprocattr_permipc' was not declared. Should it be static? Signed-off-by: James Morris <jmorris@namei.org> Acked-by: John Johansen <john.johansen@canonical.com>
|
#
63e2b423 |
|
29-Jul-2010 |
John Johansen <john.johansen@canonical.com> |
AppArmor: userspace interfaces The /proc/<pid>/attr/* interface is used for process introspection and commands. While the apparmorfs interface is used for global introspection and loading and removing policy. The interface currently only contains the files necessary for loading policy, and will be extended in the future to include sysfs style single per file introspection interface. The old AppArmor 2.4 interface files have been removed into a compatibility patch, that distros can use to maintain backwards compatibility. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org>
|