Signed-off-by: NZygmunt Krynicki <zygmunt.krynicki@canonical.com>
Acked-by: NChristian Boltz <apparmor@cboltz.de>
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Currently variable size is a unsigned size_t, hence comparisons to
see if it is less than zero (for error checking) will always be
false.  Fix this by making size a ssize_t

Detected by CoverityScan, CID#1466080 ("Unsigned compared against 0")

Fixes: 8e51f908 ("apparmor: Add support for attaching profiles via xattr, presence and value")
Signed-off-by: NColin Ian King <colin.king@canonical.com>
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Overlapping domain attachments using the current longest left exact
match fail in some simple cases, and with the fix to ensure consistent
behavior by failing unresolvable attachments it becomes important to
do a better job.

eg. under the current match the following are unresolvable where
the alternation is clearly a better match under the most specific
left match rule.
  /**
  /{bin/,}usr/

Use a counting match that detects when a loop in the state machine is
enter, and return the match count to provide a better specific left
match resolution.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

This converts profile attachment based on xattrs to a fixed extended
conditional using dfa matching.

This has a couple of advantages
- pattern matching can be used for the xattr match

- xattrs can be optional for an attachment or marked as required

- the xattr attachment conditional will be able to be combined with
  other extended conditionals when the flexible extended conditional
  work lands.

The xattr fixed extended conditional is appended to the xmatch
conditional. If an xattr attachment is specified the profile xmatch
will be generated regardless of whether there is a pattern match on
the executable name.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Acked-by: NSeth Arnold <seth.arnold@canonical.com>

Make it possible to tie Apparmor profiles to the presence of one or more
extended attributes, and optionally their values. An example usecase for
this is to automatically transition to a more privileged Apparmor profile
if an executable has a valid IMA signature, which can then be appraised
by the IMA subsystem.
Signed-off-by: NMatthew Garrett <mjg59@google.com>
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Domain transition so far have been largely blocked by no new privs,
unless the transition has been provably a subset of the previous
confinement. There was a couple problems with the previous
implementations,

- transitions that weren't explicitly a stack but resulted in a subset
  of confinement were disallowed

- confinement subsets were only calculated from the previous
  confinement instead of the confinement being enforced at the time of
  no new privs, so transitions would have to get progressively
  tighter.

Fix this by detecting and storing a reference to the task's
confinement at the "time" no new privs is set. This reference is then
used to determine whether a transition is a subsystem of the
confinement at the time no new privs was set.

Unfortunately the implementation is less than ideal in that we have to
detect no new privs after the fact when a task attempts a domain
transition. This is adequate for the currently but will not work in a
stacking situation where no new privs could be conceivably be set in
both the "host" and in the container.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Now that file contexts have been moved into file, and task context
fns() and data have been split from the context, only the cred context
remains in context.h so rename to cred.h to better reflect what it
deals with.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

now that cred_ctx has been removed we can rename task_ctxs from tctx
without causing confusion.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

With the task domain change information now stored in the task->security
context, the cred->security context only stores the label. We can get
rid of the cred_ctx and directly reference the label, removing a layer
of indirection, and unneeded extra allocations.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

The task domain change info is task specific and its and abuse of
the cred to store the information in there. Now that a task->security
field exists store it in the proper place.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

The intended behaviour in apparmor profile matching is to flag a
conflict if two profiles match equally well. However, right now a
conflict is generated if another profile has the same match length even
if that profile doesn't actually match. Fix the logic so we only
generate a conflict if the profiles match.

Fixes: 844b8292 ("apparmor: ensure that undecidable profile attachments fail")
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: NMatthew Garrett <mjg59@google.com>
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Break the per cpu buffer atomic section when creating a new null
complain profile. In learning mode this won't matter and we can
safely re-aquire the buffer.

This fixes the following lockdep BUG trace
   nov. 14 14:09:09 cyclope audit[7152]: AVC apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sssd" name="/usr/sbin/adcli" pid=7152 comm="sssd_be" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-/usr/sbin/adcli"
    nov. 14 14:09:09 cyclope kernel: BUG: sleeping function called from invalid context at kernel/locking/mutex.c:747
    nov. 14 14:09:09 cyclope kernel: in_atomic(): 1, irqs_disabled(): 0, pid: 7152, name: sssd_be
    nov. 14 14:09:09 cyclope kernel: 1 lock held by sssd_be/7152:
    nov. 14 14:09:09 cyclope kernel:  #0:  (&sig->cred_guard_mutex){....}, at: [<ffffffff8182d53e>] prepare_bprm_creds+0x4e/0x100
    nov. 14 14:09:09 cyclope kernel: CPU: 3 PID: 7152 Comm: sssd_be Not tainted 4.14.0prahal+intel #150
    nov. 14 14:09:09 cyclope kernel: Hardware name: LENOVO 20CDCTO1WW/20CDCTO1WW, BIOS GQET53WW (1.33 ) 09/15/2017
    nov. 14 14:09:09 cyclope kernel: Call Trace:
    nov. 14 14:09:09 cyclope kernel:  dump_stack+0xb0/0x135
    nov. 14 14:09:09 cyclope kernel:  ? _atomic_dec_and_lock+0x15b/0x15b
    nov. 14 14:09:09 cyclope kernel:  ? lockdep_print_held_locks+0xc4/0x130
    nov. 14 14:09:09 cyclope kernel:  ___might_sleep+0x29c/0x320
    nov. 14 14:09:09 cyclope kernel:  ? rq_clock+0xf0/0xf0
    nov. 14 14:09:09 cyclope kernel:  ? __kernel_text_address+0xd/0x40
    nov. 14 14:09:09 cyclope kernel:  __might_sleep+0x95/0x190
    nov. 14 14:09:09 cyclope kernel:  ? aa_new_null_profile+0x50a/0x960
    nov. 14 14:09:09 cyclope kernel:  __mutex_lock+0x13e/0x1a20
    nov. 14 14:09:09 cyclope kernel:  ? aa_new_null_profile+0x50a/0x960
    nov. 14 14:09:09 cyclope kernel:  ? save_stack+0x43/0xd0
    nov. 14 14:09:09 cyclope kernel:  ? kmem_cache_alloc_trace+0x13f/0x290
    nov. 14 14:09:09 cyclope kernel:  ? mutex_lock_io_nested+0x1880/0x1880
    nov. 14 14:09:09 cyclope kernel:  ? profile_transition+0x932/0x2d40
    nov. 14 14:09:09 cyclope kernel:  ? apparmor_bprm_set_creds+0x1479/0x1f70
    nov. 14 14:09:09 cyclope kernel:  ? security_bprm_set_creds+0x5a/0x80
    nov. 14 14:09:09 cyclope kernel:  ? prepare_binprm+0x366/0x980
    nov. 14 14:09:09 cyclope kernel:  ? do_execveat_common.isra.30+0x12a9/0x2350
    nov. 14 14:09:09 cyclope kernel:  ? SyS_execve+0x2c/0x40
    nov. 14 14:09:09 cyclope kernel:  ? do_syscall_64+0x228/0x650
    nov. 14 14:09:09 cyclope kernel:  ? entry_SYSCALL64_slow_path+0x25/0x25
    nov. 14 14:09:09 cyclope kernel:  ? deactivate_slab.isra.62+0x49d/0x5e0
    nov. 14 14:09:09 cyclope kernel:  ? save_stack_trace+0x16/0x20
    nov. 14 14:09:09 cyclope kernel:  ? init_object+0x88/0x90
    nov. 14 14:09:09 cyclope kernel:  ? ___slab_alloc+0x520/0x590
    nov. 14 14:09:09 cyclope kernel:  ? ___slab_alloc+0x520/0x590
    nov. 14 14:09:09 cyclope kernel:  ? aa_alloc_proxy+0xab/0x200
    nov. 14 14:09:09 cyclope kernel:  ? lock_downgrade+0x7e0/0x7e0
    nov. 14 14:09:09 cyclope kernel:  ? memcg_kmem_get_cache+0x970/0x970
    nov. 14 14:09:09 cyclope kernel:  ? kasan_unpoison_shadow+0x35/0x50
    nov. 14 14:09:09 cyclope kernel:  ? kasan_unpoison_shadow+0x35/0x50
    nov. 14 14:09:09 cyclope kernel:  ? kasan_kmalloc+0xad/0xe0
    nov. 14 14:09:09 cyclope kernel:  ? aa_alloc_proxy+0xab/0x200
    nov. 14 14:09:09 cyclope kernel:  ? kmem_cache_alloc_trace+0x13f/0x290
    nov. 14 14:09:09 cyclope kernel:  ? aa_alloc_proxy+0xab/0x200
    nov. 14 14:09:09 cyclope kernel:  ? aa_alloc_proxy+0xab/0x200
    nov. 14 14:09:09 cyclope kernel:  ? _raw_spin_unlock+0x22/0x30
    nov. 14 14:09:09 cyclope kernel:  ? vec_find+0xa0/0xa0
    nov. 14 14:09:09 cyclope kernel:  ? aa_label_init+0x6f/0x230
    nov. 14 14:09:09 cyclope kernel:  ? __label_insert+0x3e0/0x3e0
    nov. 14 14:09:09 cyclope kernel:  ? kmem_cache_alloc_trace+0x13f/0x290
    nov. 14 14:09:09 cyclope kernel:  ? aa_alloc_profile+0x58/0x200
    nov. 14 14:09:09 cyclope kernel:  mutex_lock_nested+0x16/0x20
    nov. 14 14:09:09 cyclope kernel:  ? mutex_lock_nested+0x16/0x20
    nov. 14 14:09:09 cyclope kernel:  aa_new_null_profile+0x50a/0x960
    nov. 14 14:09:09 cyclope kernel:  ? aa_fqlookupn_profile+0xdc0/0xdc0
    nov. 14 14:09:09 cyclope kernel:  ? aa_compute_fperms+0x4b5/0x640
    nov. 14 14:09:09 cyclope kernel:  ? disconnect.isra.2+0x1b0/0x1b0
    nov. 14 14:09:09 cyclope kernel:  ? aa_str_perms+0x8d/0xe0
    nov. 14 14:09:09 cyclope kernel:  profile_transition+0x932/0x2d40
    nov. 14 14:09:09 cyclope kernel:  ? up_read+0x1a/0x40
    nov. 14 14:09:09 cyclope kernel:  ? ext4_xattr_get+0x15c/0xaf0 [ext4]
    nov. 14 14:09:09 cyclope kernel:  ? x_table_lookup+0x190/0x190
    nov. 14 14:09:09 cyclope kernel:  ? ext4_xattr_ibody_get+0x590/0x590 [ext4]
    nov. 14 14:09:09 cyclope kernel:  ? sched_clock+0x9/0x10
    nov. 14 14:09:09 cyclope kernel:  ? sched_clock+0x9/0x10
    nov. 14 14:09:09 cyclope kernel:  ? ext4_xattr_security_get+0x1a/0x20 [ext4]
    nov. 14 14:09:09 cyclope kernel:  ? __vfs_getxattr+0x6d/0xa0
    nov. 14 14:09:09 cyclope kernel:  ? get_vfs_caps_from_disk+0x114/0x720
    nov. 14 14:09:09 cyclope kernel:  ? sched_clock+0x9/0x10
    nov. 14 14:09:09 cyclope kernel:  ? sched_clock+0x9/0x10
    nov. 14 14:09:09 cyclope kernel:  ? tsc_resume+0x10/0x10
    nov. 14 14:09:09 cyclope kernel:  ? get_vfs_caps_from_disk+0x720/0x720
    nov. 14 14:09:09 cyclope kernel:  ? native_sched_clock_from_tsc+0x201/0x2b0
    nov. 14 14:09:09 cyclope kernel:  ? sched_clock+0x9/0x10
    nov. 14 14:09:09 cyclope kernel:  ? sched_clock_cpu+0x1b/0x170
    nov. 14 14:09:09 cyclope kernel:  ? find_held_lock+0x3c/0x1e0
    nov. 14 14:09:09 cyclope kernel:  ? rb_insert_color_cached+0x1660/0x1660
    nov. 14 14:09:09 cyclope kernel:  apparmor_bprm_set_creds+0x1479/0x1f70
    nov. 14 14:09:09 cyclope kernel:  ? sched_clock+0x9/0x10
    nov. 14 14:09:09 cyclope kernel:  ? handle_onexec+0x31d0/0x31d0
    nov. 14 14:09:09 cyclope kernel:  ? tsc_resume+0x10/0x10
    nov. 14 14:09:09 cyclope kernel:  ? graph_lock+0xd0/0xd0
    nov. 14 14:09:09 cyclope kernel:  ? tsc_resume+0x10/0x10
    nov. 14 14:09:09 cyclope kernel:  ? sched_clock_cpu+0x1b/0x170
    nov. 14 14:09:09 cyclope kernel:  ? sched_clock+0x9/0x10
    nov. 14 14:09:09 cyclope kernel:  ? sched_clock+0x9/0x10
    nov. 14 14:09:09 cyclope kernel:  ? sched_clock_cpu+0x1b/0x170
    nov. 14 14:09:09 cyclope kernel:  ? find_held_lock+0x3c/0x1e0
    nov. 14 14:09:09 cyclope kernel:  security_bprm_set_creds+0x5a/0x80
    nov. 14 14:09:09 cyclope kernel:  prepare_binprm+0x366/0x980
    nov. 14 14:09:09 cyclope kernel:  ? install_exec_creds+0x150/0x150
    nov. 14 14:09:09 cyclope kernel:  ? __might_fault+0x89/0xb0
    nov. 14 14:09:09 cyclope kernel:  ? up_read+0x40/0x40
    nov. 14 14:09:09 cyclope kernel:  ? get_user_arg_ptr.isra.18+0x2c/0x70
    nov. 14 14:09:09 cyclope kernel:  ? count.isra.20.constprop.32+0x7c/0xf0
    nov. 14 14:09:09 cyclope kernel:  do_execveat_common.isra.30+0x12a9/0x2350
    nov. 14 14:09:09 cyclope kernel:  ? prepare_bprm_creds+0x100/0x100
    nov. 14 14:09:09 cyclope kernel:  ? _raw_spin_unlock+0x22/0x30
    nov. 14 14:09:09 cyclope kernel:  ? deactivate_slab.isra.62+0x49d/0x5e0
    nov. 14 14:09:09 cyclope kernel:  ? save_stack_trace+0x16/0x20
    nov. 14 14:09:09 cyclope kernel:  ? init_object+0x88/0x90
    nov. 14 14:09:09 cyclope kernel:  ? ___slab_alloc+0x520/0x590
    nov. 14 14:09:09 cyclope kernel:  ? ___slab_alloc+0x520/0x590
    nov. 14 14:09:09 cyclope kernel:  ? kasan_check_write+0x14/0x20
    nov. 14 14:09:09 cyclope kernel:  ? memcg_kmem_get_cache+0x970/0x970
    nov. 14 14:09:09 cyclope kernel:  ? kasan_unpoison_shadow+0x35/0x50
    nov. 14 14:09:09 cyclope kernel:  ? glob_match+0x730/0x730
    nov. 14 14:09:09 cyclope kernel:  ? kmem_cache_alloc+0x225/0x280
    nov. 14 14:09:09 cyclope kernel:  ? getname_flags+0xb8/0x510
    nov. 14 14:09:09 cyclope kernel:  ? mm_fault_error+0x2e0/0x2e0
    nov. 14 14:09:09 cyclope kernel:  ? getname_flags+0xf6/0x510
    nov. 14 14:09:09 cyclope kernel:  ? ptregs_sys_vfork+0x10/0x10
    nov. 14 14:09:09 cyclope kernel:  SyS_execve+0x2c/0x40
    nov. 14 14:09:09 cyclope kernel:  do_syscall_64+0x228/0x650
    nov. 14 14:09:09 cyclope kernel:  ? syscall_return_slowpath+0x2f0/0x2f0
    nov. 14 14:09:09 cyclope kernel:  ? syscall_return_slowpath+0x167/0x2f0
    nov. 14 14:09:09 cyclope kernel:  ? prepare_exit_to_usermode+0x220/0x220
    nov. 14 14:09:09 cyclope kernel:  ? prepare_exit_to_usermode+0xda/0x220
    nov. 14 14:09:09 cyclope kernel:  ? perf_trace_sys_enter+0x1060/0x1060
    nov. 14 14:09:09 cyclope kernel:  ? __put_user_4+0x1c/0x30
    nov. 14 14:09:09 cyclope kernel:  entry_SYSCALL64_slow_path+0x25/0x25
    nov. 14 14:09:09 cyclope kernel: RIP: 0033:0x7f9320f23637
    nov. 14 14:09:09 cyclope kernel: RSP: 002b:00007fff783be338 EFLAGS: 00000202 ORIG_RAX: 000000000000003b
    nov. 14 14:09:09 cyclope kernel: RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9320f23637
    nov. 14 14:09:09 cyclope kernel: RDX: 0000558c35002a70 RSI: 0000558c3505bd10 RDI: 0000558c35018b90
    nov. 14 14:09:09 cyclope kernel: RBP: 0000558c34b63ae8 R08: 0000558c3505bd10 R09: 0000000000000080
    nov. 14 14:09:09 cyclope kernel: R10: 0000000000000095 R11: 0000000000000202 R12: 0000000000000001
    nov. 14 14:09:09 cyclope kernel: R13: 0000558c35018b90 R14: 0000558c3505bd18 R15: 0000558c3505bd10

Fixes: 4227c333 ("apparmor: Move path lookup to using preallocated buffers")
BugLink: http://bugs.launchpad.net/bugs/173228Reported-by: NAlban Browaeys <prahal@yahoo.com>
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

It used to be that unconfined would never attach. However that is not
the case anymore as some special profiles can be marked as unconfined,
that are not the namespaces unconfined profile, and may have an
attachment.

Fixes: f1bd9041 ("apparmor: add the base fns() for domain labels")
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Profiles that have an undecidable overlap in their attachments are
being incorrectly handled. Instead of failing to attach the first one
encountered is being used.

eg.
  profile A /** { .. }
  profile B /*foo { .. }

have an unresolvable longest left attachment, they both have an exact
match on / and then have an overlapping expression that has no clear
winner.

Currently the winner will be the profile that is loaded first which
can result in non-deterministic behavior. Instead in this situation
the exec should fail.

Fixes: 898127c3 ("AppArmor: functions for domain transitions")
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Add basic mount mediation. That allows controlling based on basic
mount parameters. It does not include special mount parameters for
apparmor, super block labeling, or any triggers for apparmor namespace
parameter modifications on pivot root.

default userspace policy rules have the form of
  MOUNT RULE = ( MOUNT | REMOUNT | UMOUNT )

  MOUNT = [ QUALIFIERS ] 'mount' [ MOUNT CONDITIONS ] [ SOURCE FILEGLOB ]
          [ '->' MOUNTPOINT FILEGLOB ]

  REMOUNT = [ QUALIFIERS ] 'remount' [ MOUNT CONDITIONS ]
            MOUNTPOINT FILEGLOB

  UMOUNT = [ QUALIFIERS ] 'umount' [ MOUNT CONDITIONS ] MOUNTPOINT FILEGLOB

  MOUNT CONDITIONS = [ ( 'fstype' | 'vfstype' ) ( '=' | 'in' )
                       MOUNT FSTYPE EXPRESSION ]
		       [ 'options' ( '=' | 'in' ) MOUNT FLAGS EXPRESSION ]

  MOUNT FSTYPE EXPRESSION = ( MOUNT FSTYPE LIST | MOUNT EXPRESSION )

  MOUNT FSTYPE LIST = Comma separated list of valid filesystem and
                      virtual filesystem types (eg ext4, debugfs, etc)

  MOUNT FLAGS EXPRESSION = ( MOUNT FLAGS LIST | MOUNT EXPRESSION )

  MOUNT FLAGS LIST = Comma separated list of MOUNT FLAGS.

  MOUNT FLAGS = ( 'ro' | 'rw' | 'nosuid' | 'suid' | 'nodev' | 'dev' |
                  'noexec' | 'exec' | 'sync' | 'async' | 'remount' |
		  'mand' | 'nomand' | 'dirsync' | 'noatime' | 'atime' |
		  'nodiratime' | 'diratime' | 'bind' | 'rbind' | 'move' |
		  'verbose' | 'silent' | 'loud' | 'acl' | 'noacl' |
		  'unbindable' | 'runbindable' | 'private' | 'rprivate' |
		  'slave' | 'rslave' | 'shared' | 'rshared' |
		  'relatime' | 'norelatime' | 'iversion' | 'noiversion' |
		  'strictatime' | 'nouser' | 'user' )

  MOUNT EXPRESSION = ( ALPHANUMERIC | AARE ) ...

  PIVOT ROOT RULE = [ QUALIFIERS ] pivot_root [ oldroot=OLD PUT FILEGLOB ]
                    [ NEW ROOT FILEGLOB ]

  SOURCE FILEGLOB = FILEGLOB

  MOUNTPOINT FILEGLOB = FILEGLOB

eg.
  mount,
  mount /dev/foo,
  mount options=ro /dev/foo -> /mnt/,
  mount options in (ro,atime) /dev/foo -> /mnt/,
  mount options=ro options=atime,
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Acked-by: NSeth Arnold <seth.arnold@canonical.com>

The AppArmor bprm_secureexec hook can be merged with the bprm_set_creds
hook since it's dealing with the same information, and all of the details
are finalized during the first call to the bprm_set_creds hook via
prepare_binprm() (subsequent calls due to binfmt_script, etc, are ignored
via bprm->called_set_creds).

Here, all the comments describe how secureexec is actually calculated
during bprm_set_creds, so this actually does it, drops the bprm flag that
was being used internally by AppArmor, and drops the bprm_secureexec hook.
Signed-off-by: NKees Cook <keescook@chromium.org>
Acked-by: NJohn Johansen <john.johansen@canonical.com>
Reviewed-by: NJames Morris <james.l.morris@oracle.com>
Acked-by: NSerge Hallyn <serge@hallyn.com>

The cred_prepared bprm flag has a misleading name. It has nothing to do
with the bprm_prepare_cred hook, and actually tracks if bprm_set_creds has
been called. Rename this flag and improve its comment.

Cc: David Howells <dhowells@redhat.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: NKees Cook <keescook@chromium.org>
Acked-by: NJohn Johansen <john.johansen@canonical.com>
Acked-by: NJames Morris <james.l.morris@oracle.com>
Acked-by: NPaul Moore <paul@paul-moore.com>
Acked-by: NSerge Hallyn <serge@hallyn.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Begin the actual switch to using domain labels by storing them on
the context and converting the label to a singular profile where
possible.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Instead of passing multiple booleans consolidate on a single flags
field.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

There are still a few places where profile replacement fails to update
and a stale profile is used for mediation. Fix this by moving to
accessing the current label through a critical section that will
always ensure mediation is using the current label regardless of
whether the tasks cred has been updated or not.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

There is no reason to have the small stubs that don't use domain
private functions in domain.c, instead move them to lsm.c and make
them static.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Dynamically allocating buffers is problematic and is an extra layer
that is a potntial point of failure and can slow down mediation.
Change path lookup to use the preallocated per cpu buffers.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

With previous changes every location that tests for
LSM_UNSAFE_PTRACE_CAP also tests for LSM_UNSAFE_PTRACE making the
LSM_UNSAFE_PTRACE_CAP redundant, so remove it.
Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>

Moving the use of fqname to later allows learning profiles to be based
on the fqname request instead of just the hname. It also allows cleaning
up some of the name parsing and lookup by allowing the use of
the fqlookupn_profile() lib fn.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

The aad macro can replace aad strings when it is not intended to. Switch
to a fn macro so it is only applied when intended.

Also at the same time cleanup audit_data initialization by putting
common boiler plate behind a macro, and dropping the gfp_t parameter
which will become useless.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Having ops be an integer that is an index into an op name table is
awkward and brittle. Every op change requires an edit for both the
op constant and a string in the table. Instead switch to using const
strings directly, eliminating the need for the table that needs to
be kept in sync.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

When possible its better to name a learning profile after the missing
profile in question. This allows for both more informative names and
for profile reuse.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Policy namespaces will be diverging from profile management and
expanding so put it in its own file.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

After a policy replacement, the task cred may be out of date and need
to be updated. However change_hat is using the stale profiles from
the out of date cred resulting in either: a stale profile being applied
or, incorrect failure when searching for a hat profile as it has been
migrated to the new parent profile.

Fixes: 01e2b670 (failure to find hat)
Fixes: 898127c3 (stale policy being applied)
Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1000287
Cc: stable@vger.kernel.org
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>