the exec file isn't processing its command arg. It should only set be
responding to a command of exec.

Also cleanup setprocattr some more while we are at it.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Acked-by: NSeth Arnold <seth.arnold@canonical.com>

Fix a couple of warning reported by sparse
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

smatch reports
  error: potential NULL dereference 'ns'.

this can not actually occur because it relies on aa_split_fqname setting
both ns_name and name as null but ns_name will actually always have a
value in this case.

so remove the unnecessary if (ns_name) conditional that is resulting
in the false positive further down.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

The audit type table is missing a comma so that KILLED comes out as
KILLEDAUTO.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Acked-by: NSteve Beattie <sbeattie@ubuntu.com>

The top 8 bits of the base field have never been used, in fact can't
be used, by the current 'dfa16' format.  However they will be used in the
future as flags, so mask them off when using base as an index value.

Note: the use of the top 8 bits, without masking is trapped by the verify
      checks that base entries are within the size bounds.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Acked-by: NKees Cook <kees@ubuntu.com>

Move the free_profile fn ahead of aa_alloc_profile so it can be used
in aa_alloc_profile without a forward declaration.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Acked-by: NKees Cook <kees@ubuntu.com>

The sid is not going to be a direct property of a profile anymore, instead
it will be directly related to the label, and the profile will pickup
a label back reference.

For null-profiles replace the use of sid with a per namespace unique
id.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Acked-by: NKees Cook <kees@ubuntu.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Acked-by: NSteve Beattie <sbeattie@ubuntu.com>

tidying up comments, includes and defines
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Acked-by: NKees Cook <kees@ubuntu.com>

Instead of limiting the setting of the processes limits to current,
relax this to tasks confined by the same profile, as the apparmor
controls for rlimits are at a profile level granularity.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Acked-by: NSteve Beattie <sbeattie@ubuntu.com>

The "permipc" command is unused and unfinished, remove it.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Acked-by: NKees Cook <kees@ubuntu.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Acked-by: NSteve Beattie <sbeattie@ubuntu.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Acked-by: NSteve Beattie <sbeattie@ubuntu.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Acked-by: NSteve Beattie <sbeattie@ubuntu.com>

-ESTALE used to be incorrectly used to indicate a disconnected path, when
name lookup failed.  This was fixed in commit e1b0e444 to correctly return
-EACCESS, but the error to failure message mapping was not correctly updated
to reflect this change.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Acked-by: NSteve Beattie <sbeattie@ubuntu.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Acked-by: NSteve Beattie <sbeattie@ubuntu.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Acked-By: NSteve Beattie <sbeattie@ubuntu.com>

When policy specifies a transition to a profile that is not currently
loaded, it result in exec being denied.  However the failure is not being
audited correctly because the audit code is treating this as an allowed
permission and thus not reporting it.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Acked-By: NSteve Beattie <sbeattie@ubuntu.com>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

BugLink: http://bugs.launchpad.net/bugs/1056078

Profile replacement can cause long chains of profiles to build up when
the profile being replaced is pinned. When the pinned profile is finally
freed, it puts the reference to its replacement, which may in turn nest
another call to free_profile on the stack. Because this may happen for
each profile in the replacedby chain this can result in a recusion that
causes the stack to overflow.

Break this nesting by directly walking the chain of replacedby profiles
(ie. use iteration instead of recursion to free the list). This results
in at most 2 levels of free_profile being called, while freeing a
replacedby chain.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>

The capability defines have moved causing the auto generated names
of capabilities that apparmor uses in logging to be incorrect.

Fix the autogenerated table source to uapi/linux/capability.h
Reported-by: NYanHong <clouds.yan@gmail.com>
Reported-by: NKrzysztof Kolasa <kkolasa@winsoft.pl>
Analyzed-by: NAl Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Acked-by: NDavid Howells <dhowells@redhat.com>
Acked-by: NJames Morris <james.l.morris@oracle.com>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Signed-off-by: NDavid Howells <dhowells@redhat.com>
Acked-by: NArnd Bergmann <arnd@arndb.de>
Acked-by: NThomas Gleixner <tglx@linutronix.de>
Acked-by: NMichael Kerrisk <mtk.manpages@gmail.com>
Acked-by: NPaul E. McKenney <paulmck@linux.vnet.ibm.com>
Acked-by: NDave Jones <davej@redhat.com>

Don't make the security modules deal with raw user space uid and
gids instead pass in a kuid_t and a kgid_t so that security modules
only have to deal with internal kernel uids and gids.

Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: James Morris <james.l.morris@oracle.com>
Cc: John Johansen <john.johansen@canonical.com>
Cc: Kentaro Takeda <takedakn@nttdata.co.jp>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: NSerge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: NEric W. Biederman <ebiederm@xmission.com>

Cc: John Johansen <john.johansen@canonical.com>
Acked-by: NSerge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: NEric W. Biederman <ebiederm@xmission.com>

Commit 4fdef218 ("AppArmor: Cleanup make
file to remove cruft and make it easier to read") removed all traces of
af_names.h from the tree. Remove its entry in AppArmor's .gitignore file
too.
Signed-off-by: NPaul Bolle <pebolle@tiscali.nl>
Signed-off-by: NJiri Kosina <jkosina@suse.cz>

... i.e. file-dependent and address-dependent checks.
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

... switch callers.
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

BugLink: http://bugs.launchpad.net/bugs/955892

All failures from __d_path where being treated as disconnected paths,
however __d_path can also fail when the generated pathname is too long.

The initial ENAMETOOLONG error was being lost, and ENAMETOOLONG was only
returned if the subsequent dentry_path call resulted in that error.  Other
wise if the path was split across a mount point such that the dentry_path
fit within the buffer when the __d_path did not the failure was treated
as a disconnected path.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

BugLink: http://bugs.launchpad.net/bugs/978038

also affects apparmor portion of
BugLink: http://bugs.launchpad.net/bugs/987371

The unconfined profile is not stored in the regular profile list, but
change_profile and exec transitions may want access to it when setting
up specialized transitions like switch to the unconfined profile of a
new policy namespace.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Add support for AppArmor to explicitly fail requested domain transitions
if NO_NEW_PRIVS is set and the task is not unconfined.

Transitions from unconfined are still allowed because this always results
in a reduction of privileges.
Acked-by: NEric Paris <eparis@redhat.com>
Signed-off-by: NWill Drewry <wad@chromium.org>
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Signed-off-by: NAndy Lutomirski <luto@amacapital.net>

v18: new acked-by, new description
Signed-off-by: NJames Morris <james.l.morris@oracle.com>

With this change, calling
  prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)
disables privilege granting operations at execve-time.  For example, a
process will not be able to execute a setuid binary to change their uid
or gid if this bit is set.  The same is true for file capabilities.

Additionally, LSM_UNSAFE_NO_NEW_PRIVS is defined to ensure that
LSMs respect the requested behavior.

To determine if the NO_NEW_PRIVS bit is set, a task may call
  prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
It returns 1 if set and 0 if it is not set. If any of the arguments are
non-zero, it will return -1 and set errno to -EINVAL.
(PR_SET_NO_NEW_PRIVS behaves similarly.)

This functionality is desired for the proposed seccomp filter patch
series.  By using PR_SET_NO_NEW_PRIVS, it allows a task to modify the
system call behavior for itself and its child tasks without being
able to impact the behavior of a more privileged task.

Another potential use is making certain privileged operations
unprivileged.  For example, chroot may be considered "safe" if it cannot
affect privileged tasks.

Note, this patch causes execve to fail when PR_SET_NO_NEW_PRIVS is
set and AppArmor is in use.  It is fixed in a subsequent patch.
Signed-off-by: NAndy Lutomirski <luto@amacapital.net>
Signed-off-by: NWill Drewry <wad@chromium.org>
Acked-by: NEric Paris <eparis@redhat.com>
Acked-by: NKees Cook <keescook@chromium.org>

v18: updated change desc
v17: using new define values as per 3.4
Signed-off-by: NJames Morris <james.l.morris@oracle.com>

It isn't needed.  If you don't set the type of the data associated with
that type it is a pretty obvious programming bug.  So why waste the cycles?
Signed-off-by: NEric Paris <eparis@redhat.com>

apparmor is the only LSM that uses the common_audit_data tsk field.
Instead of making all LSMs pay for the stack space move the aa usage into
the apparmor_audit_data.
Signed-off-by: NEric Paris <eparis@redhat.com>

Just open code it so grep on the source code works better.
Signed-off-by: NEric Paris <eparis@redhat.com>

dentry_open takes a file, rename it to file_open
Signed-off-by: NEric Paris <eparis@redhat.com>

It just bloats the audit data structure for no good reason, since the
only time those fields are filled are just before calling the
common_lsm_audit() function, which is also the only user of those
fields.

So just make them be the arguments to common_lsm_audit(), rather than
bloating that structure that is passed around everywhere, and is
initialized in hot paths.
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Linus found that the gigantic size of the common audit data caused a big
perf hit on something as simple as running stat() in a loop.  This patch
requires LSMs to declare the LSM specific portion separately rather than
doing it in a union.  Thus each LSM can be responsible for shrinking their
portion and don't have to pay a penalty just because other LSMs have a
bigger space requirement.
Signed-off-by: NEric Paris <eparis@redhat.com>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Fix failure in aa_change_onexec api when the request is made from a confined
task.  This failure was caused by two problems

 The AA_MAY_ONEXEC perm was not being mapped correctly for this case.

 The executable name was being checked as second time instead of using the
 requested onexec profile name, which may not be the same as the exec
 profile name. This mistake can not be exploited to grant extra permission
 because of the above flaw where the ONEXEC permission was not being mapped
 so it will not be granted.

BugLink: http://bugs.launchpad.net/bugs/963756Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>

Signed-off-by: NTetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>