- 16 1月, 2017 29 次提交
-
-
由 John Johansen 提交于
Newer policy will combine the file and policydb dfas, allowing for better optimizations. However to support older policy we need to keep the ability to address the "file" dfa separately. So dup the policydb as if it is the file dfa and set the appropriate start state. Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
The dfa is currently setup to be shared (has the basis of refcounting) but currently can't be because the count can't be increased. Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
Newer policy encodes more than just version in the version tag, so add masking to make sure the comparison remains correct. Note: this is fully compatible with older policy as it will never set the bits being masked out. Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
Policy should always under go a full paranoid verification. Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
When possible its better to name a learning profile after the missing profile in question. This allows for both more informative names and for profile reuse. Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
prepare_ns() will need to be called from alternate views, and namespaces will need to be created via different interfaces. So refactor and allow specifying the view ns. Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
Rename to the shorter and more familiar shell cmd name Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
Rename to indicate the test is only about whether path mediation is used, not whether other types of mediation might be used. Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
Proxy is shorter and a better fit than replaceby, so rename it. Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
Invalid does not convey the meaning of the flag anymore so rename it. Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
Move to common terminology with other LSMs and kernel infrastucture Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
Policy namespaces will be diverging from profile management and expanding so put it in its own file. Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 Kees Cook 提交于
Prepare to mark sensitive kernel structures for randomization by making sure they're using designated initializers. These were identified during allyesconfig builds of x86, arm, and arm64, with most initializer fixes extracted from grsecurity. Signed-off-by: NKees Cook <keescook@chromium.org> Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 Tetsuo Handa 提交于
Calling kmalloc(GFP_NOIO) with order == PAGE_ALLOC_COSTLY_ORDER is not recommended because it might fall into infinite retry loop without invoking the OOM killer. Since aa_dfa_unpack() is the only caller of kvzalloc() and aa_dfa_unpack() which is calling kvzalloc() via unpack_table() is doing kzalloc(GFP_KERNEL), it is safe to use GFP_KERNEL from __aa_kvmalloc(). Since aa_simple_write_to_buffer() is the only caller of kvmalloc() and aa_simple_write_to_buffer() is calling copy_from_user() which is GFP_KERNEL context (see memdup_user_nul()), it is safe to use GFP_KERNEL from __aa_kvmalloc(). Therefore, replace GFP_NOIO with GFP_KERNEL. Also, since we have vmalloc() fallback, add __GFP_NORETRY so that we don't invoke the OOM killer by kmalloc(GFP_KERNEL) with order == PAGE_ALLOC_COSTLY_ORDER. Signed-off-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
- 21 11月, 2016 1 次提交
-
-
由 John Johansen 提交于
After a policy replacement, the task cred may be out of date and need to be updated. However change_hat is using the stale profiles from the out of date cred resulting in either: a stale profile being applied or, incorrect failure when searching for a hat profile as it has been migrated to the new parent profile. Fixes: 01e2b670 (failure to find hat) Fixes: 898127c3 (stale policy being applied) Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1000287 Cc: stable@vger.kernel.org Signed-off-by: NJohn Johansen <john.johansen@canonical.com> Signed-off-by: NJames Morris <james.l.morris@oracle.com>
-
- 28 9月, 2016 1 次提交
-
-
由 Deepa Dinamani 提交于
CURRENT_TIME macro is not appropriate for filesystems as it doesn't use the right granularity for filesystem timestamps. Use current_time() instead. CURRENT_TIME is also not y2038 safe. This is also in preparation for the patch that transitions vfs timestamps to use 64 bit time and hence make them y2038 safe. As part of the effort current_time() will be extended to do range checks. Hence, it is necessary for all file system timestamps to use current_time(). Also, current_time() will be transitioned along with vfs to be y2038 safe. Note that whenever a single call to current_time() is used to change timestamps in different inodes, it is because they share the same time granularity. Signed-off-by: NDeepa Dinamani <deepa.kernel@gmail.com> Reviewed-by: NArnd Bergmann <arnd@arndb.de> Acked-by: NFelipe Balbi <balbi@kernel.org> Acked-by: NSteven Whitehouse <swhiteho@redhat.com> Acked-by: NRyusuke Konishi <konishi.ryusuke@lab.ntt.co.jp> Acked-by: NDavid Sterba <dsterba@suse.com> Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
- 27 7月, 2016 1 次提交
-
-
由 Arnd Bergmann 提交于
The newly added Kconfig option could never work and just causes a build error when disabled: security/apparmor/lsm.c:675:25: error: 'CONFIG_SECURITY_APPARMOR_HASH_DEFAULT' undeclared here (not in a function) bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT; The problem is that the macro undefined in this case, and we need to use the IS_ENABLED() helper to turn it into a boolean constant. Another minor problem with the original patch is that the option is even offered in sysfs when SECURITY_APPARMOR_HASH is not enabled, so this also hides the option in that case. Signed-off-by: NArnd Bergmann <arnd@arndb.de> Fixes: 6059f71f ("apparmor: add parameter to control whether policy hashing is used") Signed-off-by: NJohn Johansen <john.johansen@canonical.com> Signed-off-by: NJames Morris <james.l.morris@oracle.com>
-
- 12 7月, 2016 8 次提交
-
-
由 John Johansen 提交于
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 Vegard Nossum 提交于
When proc_pid_attr_write() was changed to use memdup_user apparmor's (interface violating) assumption that the setprocattr buffer was always a single page was violated. The size test is not strictly speaking needed as proc_pid_attr_write() will reject anything larger, but for the sake of robustness we can keep it in. SMACK and SELinux look safe to me, but somebody else should probably have a look just in case. Based on original patch from Vegard Nossum <vegard.nossum@oracle.com> modified for the case that apparmor provides null termination. Fixes: bb646cdbReported-by: NVegard Nossum <vegard.nossum@oracle.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: John Johansen <john.johansen@canonical.com> Cc: Paul Moore <paul@paul-moore.com> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Eric Paris <eparis@parisplace.org> Cc: Casey Schaufler <casey@schaufler-ca.com> Cc: stable@kernel.org Signed-off-by: NJohn Johansen <john.johansen@canonical.com> Reviewed-by: NTyler Hicks <tyhicks@canonical.com> Signed-off-by: NJames Morris <james.l.morris@oracle.com>
-
由 Heinrich Schuchardt 提交于
Do not copy uninitalized fields th.td_hilen, th.td_data. Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
the policy_lock parameter is a one way switch that prevents policy from being further modified. Unfortunately some of the module parameters can effectively modify policy by turning off enforcement. split policy_admin_capable into a view check and a full admin check, and update the admin check to test the policy_lock parameter. Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
BugLink: http://bugs.launchpad.net/bugs/1592547 If unpack_dfa() returns NULL due to the dfa not being present, profile_unpack() is not checking if the dfa is not present (NULL). Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 John Johansen 提交于
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-
由 Jeff Mahoney 提交于
While using AppArmor, SYS_CAP_RESOURCE is insufficient to call prlimit on another task. The only other example of a AppArmor mediating access to another, already running, task (ignoring fork+exec) is ptrace. The AppArmor model for ptrace is that one of the following must be true: 1) The tracer is unconfined 2) The tracer is in complain mode 3) The tracer and tracee are confined by the same profile 4) The tracer is confined but has SYS_CAP_PTRACE 1), 2, and 3) are already true for setrlimit. We can match the ptrace model just by allowing CAP_SYS_RESOURCE. We still test the values of the rlimit since it can always be overridden using a value that means unlimited for a particular resource. Signed-off-by: NJeff Mahoney <jeffm@suse.com> Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
-