Linux kernel development work - see feature branches https://git.zx2c4.com/linux-dev/atom/security/apparmor/include?h=master 2022-07-19T11:14:22Z 2022-07-19T11:14:22Z John Johansen john.johansen@canonical.com 2021-11-23T07:28:32Z urn:sha1:eac931254d99c5aeb12ace02366dd338c4371164 AppArmor split out task oriented controls to their own logical file a while ago. Ptrace mediation is better grouped with task than ipc, so move it. Signed-off-by: John Johansen <john.johansen@canonical.com> 2022-07-19T09:57:15Z John Johansen john.johansen@canonical.com 2022-03-25T12:20:02Z urn:sha1:f567e7fada03d4c9c5f646a439ad2356371c4147 The policydb permission set has left the xbits unused. Make them available for mediation. Signed-off-by: John Johansen <john.johansen@canonical.com> 2022-07-19T09:55:45Z John Johansen john.johansen@canonical.com 2022-03-26T08:46:18Z urn:sha1:c1ed5da197652318341fd36333d45e8e6d5c3359 Allow labels to have debug flags that can be used to trigger debug output only from profiles/labels that are marked. This can help reduce debug output by allowing debug to be target to a specific confinement condition. Signed-off-by: John Johansen <john.johansen@canonical.com> 2022-07-19T09:52:36Z John Johansen john.johansen@canonical.com 2022-03-26T08:58:15Z urn:sha1:2504db207146543736e877241f3b3de005cbe056 When finding the profile via patterned attachments, the longest left match is being set to the static compile time value and not using the runtime computed value. Fix this by setting the candidate value to the greater of the precomputed value or runtime computed value. Fixes: 21f606610502 ("apparmor: improve overlapping domain attachment resolution") Signed-off-by: John Johansen <john.johansen@canonical.com> 2022-07-14T00:18:29Z John Johansen john.johansen@canonical.com 2020-10-06T21:43:16Z urn:sha1:524d8e14258a3c31bcaf915db5762e41249eb924 Displaying the mode as part of the seectx takes up unnecessary memory, makes it so we can't use refcounted secctx so we need to alloc/free on every conversion from secid to secctx and introduces a space that could be potentially mishandled by tooling. Eg. In an audit record we get subj_type=firefix (enforce) Having the mode reported is not necessary, and might even be confusing eg. when writing an audit rule to match the above record field you would use -F subj_type=firefox ie. the mode is not included. AppArmor provides ways to find the mode without reporting as part of the secctx. So disable this by default before its use is wide spread and we can't. For now we add a sysctl to control the behavior as we can't guarantee no one is using this. Acked-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2022-07-14T00:16:02Z Matthew Wilcox willy@infradead.org 2022-06-06T20:23:22Z urn:sha1:df4390934da48e0462d1e77fba3e15f080e2c2a0 XArrays are a better match than IDR for how AppArmor is mapping secids. Specifically AppArmor is trying to keep the allocation dense. XArrays also have the advantage of avoiding the complexity IDRs preallocation. In addition this avoids/fixes a lockdep issue raised in the LKML thread "Linux 5.18-rc4" where there is a report of an interaction between apparmor and IPC, this warning may have been spurious as the reported issue is in a per-cpu local lock taken by the IDR. With the one side in the IPC id allocation and the other in AppArmor's secid allocation. Description by John Johansen <john.johansen@canonical.com> Message-Id: <226cee6a-6ca1-b603-db08-8500cd8f77b7@gnuweeb.org> Signed-off-by: Matthew Wilcox <willy@infradead.org> Signed-off-by: John Johansen <john.johansen@canonical.com> 2022-07-13T23:37:21Z John Johansen john.johansen@canonical.com 2022-05-24T09:38:12Z urn:sha1:95c0581f9bfdfbe97126ba1c7f5650a9dd064dda Separate kernel objects from unconfined. This is done so we can distinguish between the two in debugging, auditing and in preparation for being able to replace unconfined, which is not appropriate for the kernel. The kernel label will continue to behave similar to unconfined. Acked-by: Jon Tourville <jon.tourville@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2022-07-09T22:13:59Z John Johansen john.johansen@canonical.com 2021-02-01T11:43:18Z urn:sha1:d61c57fde81915c04b41982f66a159ccc014e799 Embedded systems have limited space and don't need the introspection or checkpoint restore capability provided by exporting the raw profile binary data so make it so make it a config option. This will reduce run time memory use and also speed up policy loads. Signed-off-by: John Johansen <john.johansen@canonical.com> 2022-07-09T22:13:58Z John Johansen john.johansen@canonical.com 2021-12-14T10:59:28Z urn:sha1:511f7b5b835726e844a5fc7444c18e4b8672edfd AppArmor is prefixing secids that are converted to secctx with the = to indicate the secctx should only be parsed from an absolute root POV. This allows catching errors where secctx are reparsed back into internal labels. Unfortunately because audit is using secid to secctx conversion this means that subject and object labels can result in a very unfortunate == that can break audit parsing. eg. the subj==unconfined term in the below audit message type=USER_LOGIN msg=audit(1639443365.233:160): pid=1633 uid=0 auid=1000 ses=3 subj==unconfined msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/1 res=success' Fix this by switch the prepending of = to a _. This still works as a special character to flag this case without breaking audit. Also move this check behind debug as it should not be needed during normal operqation. Fixes: 26b7899510ae ("apparmor: add support for absolute root view based labels") Reported-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2021-11-11T22:47:32Z Linus Torvalds torvalds@linux-foundation.org 2021-11-11T22:47:32Z urn:sha1:5593a733f968521444df84902901902233c17d8f Pull apparmor updates from John Johansen: "Features - use per file locks for transactional queries - update policy management capability checks to work with LSM stacking Bug Fixes: - check/put label on apparmor_sk_clone_security() - fix error check on update of label hname - fix introspection of of task mode for unconfined tasks Cleanups: - avoid -Wempty-body warning - remove duplicated 'Returns:' comments - fix doc warning - remove unneeded one-line hook wrappers - use struct_size() helper in kzalloc() - fix zero-length compiler warning in AA_BUG() - file.h: delete duplicated word - delete repeated words in comments - remove repeated declaration" * tag 'apparmor-pr-2021-11-10' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: apparmor: remove duplicated 'Returns:' comments apparmor: remove unneeded one-line hook wrappers apparmor: Use struct_size() helper in kzalloc() apparmor: fix zero-length compiler warning in AA_BUG() apparmor: use per file locks for transactional queries apparmor: fix doc warning apparmor: Remove the repeated declaration apparmor: avoid -Wempty-body warning apparmor: Fix internal policy capable check for policy management apparmor: fix error check security: apparmor: delete repeated words in comments security: apparmor: file.h: delete duplicated word apparmor: switch to apparmor to internal capable check for policy management apparmor: update policy capable checks to use a label apparmor: fix introspection of of task mode for unconfined tasks apparmor: check/put label on apparmor_sk_clone_security()