27 Jul, 2016
1 commit
-
The newly added Kconfig option could never work and just causes a build error
when disabled:security/apparmor/lsm.c:675:25: error: 'CONFIG_SECURITY_APPARMOR_HASH_DEFAULT' undeclared here (not in a function)
bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT;The problem is that the macro undefined in this case, and we need to use the IS_ENABLED()
helper to turn it into a boolean constant.Another minor problem with the original patch is that the option is even offered
in sysfs when SECURITY_APPARMOR_HASH is not enabled, so this also hides the option
in that case.Signed-off-by: Arnd Bergmann
Fixes: 6059f71f1e94 ("apparmor: add parameter to control whether policy hashing is used")
Signed-off-by: John Johansen
Signed-off-by: James Morris
12 Jul, 2016
24 commits
-
Signed-off-by: John Johansen
-
When proc_pid_attr_write() was changed to use memdup_user apparmor's
(interface violating) assumption that the setprocattr buffer was always
a single page was violated.The size test is not strictly speaking needed as proc_pid_attr_write()
will reject anything larger, but for the sake of robustness we can keep
it in.SMACK and SELinux look safe to me, but somebody else should probably
have a look just in case.Based on original patch from Vegard Nossum
modified for the case that apparmor provides null termination.Fixes: bb646cdb12e75d82258c2f2e7746d5952d3e321a
Reported-by: Vegard Nossum
Cc: Al Viro
Cc: John Johansen
Cc: Paul Moore
Cc: Stephen Smalley
Cc: Eric Paris
Cc: Casey Schaufler
Cc: stable@kernel.org
Signed-off-by: John Johansen
Reviewed-by: Tyler Hicks
Signed-off-by: James Morris -
Do not copy uninitalized fields th.td_hilen, th.td_data.
Signed-off-by: Heinrich Schuchardt
Signed-off-by: John Johansen -
the policy_lock parameter is a one way switch that prevents policy
from being further modified. Unfortunately some of the module parameters
can effectively modify policy by turning off enforcement.split policy_admin_capable into a view check and a full admin check,
and update the admin check to test the policy_lock parameter.Signed-off-by: John Johansen
-
BugLink: http://bugs.launchpad.net/bugs/1592547
If unpack_dfa() returns NULL due to the dfa not being present,
profile_unpack() is not checking if the dfa is not present (NULL).Signed-off-by: John Johansen
-
Signed-off-by: John Johansen
-
Signed-off-by: John Johansen
-
While using AppArmor, SYS_CAP_RESOURCE is insufficient to call prlimit
on another task. The only other example of a AppArmor mediating access to
another, already running, task (ignoring fork+exec) is ptrace.The AppArmor model for ptrace is that one of the following must be true:
1) The tracer is unconfined
2) The tracer is in complain mode
3) The tracer and tracee are confined by the same profile
4) The tracer is confined but has SYS_CAP_PTRACE1), 2, and 3) are already true for setrlimit.
We can match the ptrace model just by allowing CAP_SYS_RESOURCE.
We still test the values of the rlimit since it can always be overridden
using a value that means unlimited for a particular resource.Signed-off-by: Jeff Mahoney
Signed-off-by: John Johansen -
list_next_entry has been defined in list.h, so I replace list_entry_next
with it.Signed-off-by: Geliang Tang
Acked-by: Serge Hallyn
Signed-off-by: John Johansen -
When finding a child profile via an rcu critical section, the profile
may be put and scheduled for deletion after the child is found but
before its refcount is incremented.Protect against this by repeating the lookup if the profiles refcount
is 0 and is one its way to deletion.Signed-off-by: John Johansen
Acked-by: Seth Arnold -
Signed-off-by: John Johansen
Acked-by: Seth Arnold -
Signed-off-by: John Johansen
Acked-by: Seth Arnold -
The target profile name was not being correctly audited in a few
cases because the target variable was not being set and gotos
passed the code to set it at apply:Since it is always based on new_profile just drop the target var
and conditionally report based on new_profile.Signed-off-by: John Johansen
Acked-by: Seth Arnold -
Currently logging of a successful profile load only logs the basename
of the profile. This can result in confusion when a child profile has
the same name as the another profile in the set. Logging the hname
will ensure there is no confusion.Signed-off-by: John Johansen
Acked-by: Seth Arnold -
currently only the profile that is causing the failure is logged. This
makes it more confusing than necessary about which profiles loaded
and which didn't. So make sure to log success and failure messages for
all profiles in the set being loaded.Signed-off-by: John Johansen
Acked-by: Seth Arnold -
Signed-off-by: John Johansen
Acked-by: Seth Arnold -
Signed-off-by: John Johansen
Acked-by: Tyler Hicks
Acked-by: Seth Arnold -
Internal mounts are not mounted anywhere and as such should be treated
as disconnected paths.Signed-off-by: John Johansen
Acked-by: Seth Arnold -
Bind mounts can fail to be properly reconnected when PATH_CONNECT is
specified. Ensure that when PATH_CONNECT is specified the path has
a root.BugLink: http://bugs.launchpad.net/bugs/1319984
Signed-off-by: John Johansen
Acked-by: Seth Arnold -
Signed-off-by: John Johansen
Acked-by: Seth Arnold -
The current behavior is confusing as it causes exec failures to report
the executable is missing instead of identifying that apparmor
caused the failure.Signed-off-by: John Johansen
Acked-by: Seth Arnold -
BugLink: http://bugs.launchpad.net/bugs/1268727
The task field in the lsm_audit struct needs to be initialized if
a change_hat fails, otherwise the following oops will occurBUG: unable to handle kernel paging request at 0000002fbead7d08
IP: [] _raw_spin_lock+0xe/0x50
PGD 1e3f35067 PUD 0
Oops: 0002 [#1] SMP
Modules linked in: pppox crc_ccitt p8023 p8022 psnap llc ax25 btrfs raid6_pq xor xfs libcrc32c dm_multipath scsi_dh kvm_amd dcdbas kvm microcode amd64_edac_mod joydev edac_core psmouse edac_mce_amd serio_raw k10temp sp5100_tco i2c_piix4 ipmi_si ipmi_msghandler acpi_power_meter mac_hid lp parport hid_generic usbhid hid pata_acpi mpt2sas ahci raid_class pata_atiixp bnx2 libahci scsi_transport_sas [last unloaded: tipc]
CPU: 2 PID: 699 Comm: changehat_twice Tainted: GF O 3.13.0-7-generic #25-Ubuntu
Hardware name: Dell Inc. PowerEdge R415/08WNM9, BIOS 1.8.6 12/06/2011
task: ffff8802135c6000 ti: ffff880212986000 task.ti: ffff880212986000
RIP: 0010:[] [] _raw_spin_lock+0xe/0x50
RSP: 0018:ffff880212987b68 EFLAGS: 00010006
RAX: 0000000000020000 RBX: 0000002fbead7500 RCX: 0000000000000000
RDX: 0000000000000292 RSI: ffff880212987ba8 RDI: 0000002fbead7d08
RBP: ffff880212987b68 R08: 0000000000000246 R09: ffff880216e572a0
R10: ffffffff815fd677 R11: ffffea0008469580 R12: ffffffff8130966f
R13: ffff880212987ba8 R14: 0000002fbead7d08 R15: ffff8800d8c6b830
FS: 00002b5e6c84e7c0(0000) GS:ffff880216e40000(0000) knlGS:0000000055731700
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000002fbead7d08 CR3: 000000021270f000 CR4: 00000000000006e0
Stack:
ffff880212987b98 ffffffff81075f17 ffffffff8130966f 0000000000000009
0000000000000000 0000000000000000 ffff880212987bd0 ffffffff81075f7c
0000000000000292 ffff880212987c08 ffff8800d8c6b800 0000000000000026
Call Trace:
[] __lock_task_sighand+0x47/0x80
[] ? apparmor_cred_prepare+0x2f/0x50
[] do_send_sig_info+0x2c/0x80
[] send_sig_info+0x1e/0x30
[] aa_audit+0x13d/0x190
[] aa_audit_file+0xbc/0x130
[] ? apparmor_cred_prepare+0x2f/0x50
[] aa_change_hat+0x202/0x530
[] aa_setprocattr_changehat+0x116/0x1d0
[] apparmor_setprocattr+0x25d/0x300
[] security_setprocattr+0x16/0x20
[] proc_pid_attr_write+0x107/0x130
[] vfs_write+0xb4/0x1f0
[] SyS_write+0x49/0xa0
[] tracesys+0xe1/0xe6Signed-off-by: John Johansen
Acked-by: Seth Arnold -
When set atomic replacement is used and the parent is updated before the
child, and the child did not exist in the old parent so there is no
direct replacement then the new child is incorrectly added to the old
parent. This results in the new parent not having the child(ren) that
it should and the old parent when being destroyed asserting the
following error.AppArmor: policy_destroy: internal error, policy '' still
contains profilesSigned-off-by: John Johansen
Acked-by: Seth Arnold -
Signed-off-by: John Johansen
Acked-by: Seth Arnold
28 Mar, 2016
12 commits
-
Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
-
... as well as unix_mknod() and may_o_create()
Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
-
was open-coded in several places...
Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
22 Oct, 2015
1 commit
-
The crypto framework can be built as a loadable module, but the
apparmor hash code can only be built-in, which then causes a
link error:security/built-in.o: In function `aa_calc_profile_hash':
integrity_audit.c:(.text+0x21610): undefined reference to `crypto_shash_update'
security/built-in.o: In function `init_profile_hash':
integrity_audit.c:(.init.text+0xb4c): undefined reference to `crypto_alloc_shash'This changes Apparmor to use 'select CRYPTO' like a lot of other
subsystems do.Signed-off-by: Arnd Bergmann
Acked-by: John Johansen
Signed-off-by: James Morris
02 Jul, 2015
1 commit
-
Pull module updates from Rusty Russell:
"Main excitement here is Peter Zijlstra's lockless rbtree optimization
to speed module address lookup. He found some abusers of the module
lock doing that too.A little bit of parameter work here too; including Dan Streetman's
breaking up the big param mutex so writing a parameter can load
another module (yeah, really). Unfortunately that broke the usual
suspects, !CONFIG_MODULES and !CONFIG_SYSFS, so those fixes were
appended too"* tag 'modules-next-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux: (26 commits)
modules: only use mod->param_lock if CONFIG_MODULES
param: fix module param locks when !CONFIG_SYSFS.
rcu: merge fix for Convert ACCESS_ONCE() to READ_ONCE() and WRITE_ONCE()
module: add per-module param_lock
module: make perm const
params: suppress unused variable error, warn once just in case code changes.
modules: clarify CONFIG_MODULE_COMPRESS help, suggest 'N'.
kernel/module.c: avoid ifdefs for sig_enforce declaration
kernel/workqueue.c: remove ifdefs over wq_power_efficient
kernel/params.c: export param_ops_bool_enable_only
kernel/params.c: generalize bool_enable_only
kernel/module.c: use generic module param operaters for sig_enforce
kernel/params: constify struct kernel_param_ops uses
sysfs: tightened sysfs permission checks
module: Rework module_addr_{min,max}
module: Use __module_address() for module_address_lookup()
module: Make the mod_tree stuff conditional on PERF_EVENTS || TRACING
module: Optimize __module_address() using a latched RB-tree
rbtree: Implement generic latch_tree
seqlock: Introduce raw_read_seqcount_latch()
...
28 May, 2015
1 commit
-
Most code already uses consts for the struct kernel_param_ops,
sweep the kernel for the last offending stragglers. Other than
include/linux/moduleparam.h and kernel/params.c all other changes
were generated with the following Coccinelle SmPL patch. Merge
conflicts between trees can be handled with Coccinelle.In the future git could get Coccinelle merge support to deal with
patch --> fail --> grammar --> Coccinelle --> new patch conflicts
automatically for us on patches where the grammar is available and
the patch is of high confidence. Consider this a feature request.Test compiled on x86_64 against:
* allnoconfig
* allmodconfig
* allyesconfig@ const_found @
identifier ops;
@@const struct kernel_param_ops ops = {
};@ const_not_found depends on !const_found @
identifier ops;
@@-struct kernel_param_ops ops = {
+const struct kernel_param_ops ops = {
};Generated-by: Coccinelle SmPL
Cc: Rusty Russell
Cc: Junio C Hamano
Cc: Andrew Morton
Cc: Kees Cook
Cc: Tejun Heo
Cc: Ingo Molnar
Cc: cocci@systeme.lip6.fr
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Luis R. Rodriguez
Signed-off-by: Rusty Russell
