Linux kernel development work - see feature branches https://git.zx2c4.com/linux-dev/atom/security/apparmor?h=master 2022-09-01T21:34:39Z 2022-09-01T21:34:39Z Al Viro viro@zeniv.linux.org.uk 2022-01-31T00:57:52Z urn:sha1:c8e477c649b40c1a073b7a843d89e51dc0037db7 cast of ->d_name.name to char * is completely wrong - nothing is allowed to modify its contents. Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org> Acked-by: Paul Moore <paul@paul-moore.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2022-07-20T20:22:19Z Lukas Bulwahn lukas.bulwahn@gmail.com 2022-07-20T12:04:43Z urn:sha1:79eb2711c919e6db10ed2b8fb22ab605121e80ea Commit 5bfcbd22ee4e ("apparmor: Enable tuning of policy paranoid load for embedded systems") introduces the config SECURITY_APPARMOR_PARANOID_LOAD, but then refers in the code to SECURITY_PARANOID_LOAD; note the missing APPARMOR in the middle. Correct this to the introduced and intended config option. Fixes: 5bfcbd22ee4e ("apparmor: Enable tuning of policy paranoid load for embedded systems") Signed-off-by: Lukas Bulwahn <lukas.bulwahn@gmail.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2022-07-19T11:14:22Z John Johansen john.johansen@canonical.com 2021-11-23T07:28:32Z urn:sha1:eac931254d99c5aeb12ace02366dd338c4371164 AppArmor split out task oriented controls to their own logical file a while ago. Ptrace mediation is better grouped with task than ipc, so move it. Signed-off-by: John Johansen <john.johansen@canonical.com> 2022-07-19T09:57:15Z John Johansen john.johansen@canonical.com 2022-03-25T12:20:02Z urn:sha1:f567e7fada03d4c9c5f646a439ad2356371c4147 The policydb permission set has left the xbits unused. Make them available for mediation. Signed-off-by: John Johansen <john.johansen@canonical.com> 2022-07-19T09:55:45Z John Johansen john.johansen@canonical.com 2022-03-26T08:46:18Z urn:sha1:c1ed5da197652318341fd36333d45e8e6d5c3359 Allow labels to have debug flags that can be used to trigger debug output only from profiles/labels that are marked. This can help reduce debug output by allowing debug to be target to a specific confinement condition. Signed-off-by: John Johansen <john.johansen@canonical.com> 2022-07-19T09:52:36Z John Johansen john.johansen@canonical.com 2022-03-26T08:58:15Z urn:sha1:2504db207146543736e877241f3b3de005cbe056 When finding the profile via patterned attachments, the longest left match is being set to the static compile time value and not using the runtime computed value. Fix this by setting the candidate value to the greater of the precomputed value or runtime computed value. Fixes: 21f606610502 ("apparmor: improve overlapping domain attachment resolution") Signed-off-by: John Johansen <john.johansen@canonical.com> 2022-07-19T09:43:12Z John Johansen john.johansen@canonical.com 2022-03-26T08:52:06Z urn:sha1:3bbb7b2e9bbcd22e539e23034da753898fe3b4dc When loading a profile that is set to unconfined mode, that label flag is not set when it should be. Ensure it is set so that when used in a label the unconfined check will be applied correctly. Fixes: 038165070aa5 ("apparmor: allow setting any profile into the unconfined state") Signed-off-by: John Johansen <john.johansen@canonical.com> 2022-07-19T09:39:15Z Yang Li yang.lee@linux.alibaba.com 2022-07-18T06:30:22Z urn:sha1:f378973698657404f059687025e1e35f229b124c Remove warnings found by running scripts/kernel-doc, which is caused by using 'make W=1'. security/apparmor/policy_ns.c:65: warning: Function parameter or member 'curr' not described in 'aa_ns_name' security/apparmor/policy_ns.c:65: warning: Function parameter or member 'view' not described in 'aa_ns_name' security/apparmor/policy_ns.c:65: warning: Function parameter or member 'subns' not described in 'aa_ns_name' security/apparmor/policy_ns.c:65: warning: expecting prototype for aa_na_name(). Prototype was for aa_ns_name() instead security/apparmor/policy_ns.c:214: warning: Function parameter or member 'view' not described in '__aa_lookupn_ns' security/apparmor/policy_ns.c:214: warning: Excess function parameter 'base' description in '__aa_lookupn_ns' security/apparmor/policy_ns.c:297: warning: expecting prototype for aa_create_ns(). Prototype was for __aa_find_or_create_ns() instead Reported-by: Abaci Robot <abaci@linux.alibaba.com> Signed-off-by: Yang Li <yang.lee@linux.alibaba.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2022-07-19T09:38:34Z Souptick Joarder (HPE) jrdr.linux@gmail.com 2022-07-19T02:12:18Z urn:sha1:a3f215ef088f1fc3e751dc9a5fa4c1a22f16212b Kernel test robot throws below warning -> security/apparmor/policy_ns.c:83:20: warning: no previous prototype for function 'alloc_unconfined' [-Wmissing-prototypes] Mark it as static. Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Souptick Joarder (HPE) <jrdr.linux@gmail.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2022-07-14T00:18:29Z John Johansen john.johansen@canonical.com 2020-10-06T21:43:16Z urn:sha1:524d8e14258a3c31bcaf915db5762e41249eb924 Displaying the mode as part of the seectx takes up unnecessary memory, makes it so we can't use refcounted secctx so we need to alloc/free on every conversion from secid to secctx and introduces a space that could be potentially mishandled by tooling. Eg. In an audit record we get subj_type=firefix (enforce) Having the mode reported is not necessary, and might even be confusing eg. when writing an audit rule to match the above record field you would use -F subj_type=firefox ie. the mode is not included. AppArmor provides ways to find the mode without reporting as part of the secctx. So disable this by default before its use is wide spread and we can't. For now we add a sysctl to control the behavior as we can't guarantee no one is using this. Acked-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>