21 Nov, 2016
1 commit
-
After a policy replacement, the task cred may be out of date and need
to be updated. However change_hat is using the stale profiles from
the out of date cred resulting in either: a stale profile being applied
or, incorrect failure when searching for a hat profile as it has been
migrated to the new parent profile.Fixes: 01e2b670aa898a39259bc85c78e3d74820f4d3b6 (failure to find hat)
Fixes: 898127c34ec03291c86f4ff3856d79e9e18952bc (stale policy being applied)
Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1000287
Cc: stable@vger.kernel.org
Signed-off-by: John Johansen
Signed-off-by: James Morris
28 Sep, 2016
1 commit
-
CURRENT_TIME macro is not appropriate for filesystems as it
doesn't use the right granularity for filesystem timestamps.
Use current_time() instead.CURRENT_TIME is also not y2038 safe.
This is also in preparation for the patch that transitions
vfs timestamps to use 64 bit time and hence make them
y2038 safe. As part of the effort current_time() will be
extended to do range checks. Hence, it is necessary for all
file system timestamps to use current_time(). Also,
current_time() will be transitioned along with vfs to be
y2038 safe.Note that whenever a single call to current_time() is used
to change timestamps in different inodes, it is because they
share the same time granularity.Signed-off-by: Deepa Dinamani
Reviewed-by: Arnd Bergmann
Acked-by: Felipe Balbi
Acked-by: Steven Whitehouse
Acked-by: Ryusuke Konishi
Acked-by: David Sterba
Signed-off-by: Al Viro
27 Jul, 2016
1 commit
-
The newly added Kconfig option could never work and just causes a build error
when disabled:security/apparmor/lsm.c:675:25: error: 'CONFIG_SECURITY_APPARMOR_HASH_DEFAULT' undeclared here (not in a function)
bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT;The problem is that the macro undefined in this case, and we need to use the IS_ENABLED()
helper to turn it into a boolean constant.Another minor problem with the original patch is that the option is even offered
in sysfs when SECURITY_APPARMOR_HASH is not enabled, so this also hides the option
in that case.Signed-off-by: Arnd Bergmann
Fixes: 6059f71f1e94 ("apparmor: add parameter to control whether policy hashing is used")
Signed-off-by: John Johansen
Signed-off-by: James Morris
12 Jul, 2016
24 commits
-
Signed-off-by: John Johansen
-
When proc_pid_attr_write() was changed to use memdup_user apparmor's
(interface violating) assumption that the setprocattr buffer was always
a single page was violated.The size test is not strictly speaking needed as proc_pid_attr_write()
will reject anything larger, but for the sake of robustness we can keep
it in.SMACK and SELinux look safe to me, but somebody else should probably
have a look just in case.Based on original patch from Vegard Nossum
modified for the case that apparmor provides null termination.Fixes: bb646cdb12e75d82258c2f2e7746d5952d3e321a
Reported-by: Vegard Nossum
Cc: Al Viro
Cc: John Johansen
Cc: Paul Moore
Cc: Stephen Smalley
Cc: Eric Paris
Cc: Casey Schaufler
Cc: stable@kernel.org
Signed-off-by: John Johansen
Reviewed-by: Tyler Hicks
Signed-off-by: James Morris -
Do not copy uninitalized fields th.td_hilen, th.td_data.
Signed-off-by: Heinrich Schuchardt
Signed-off-by: John Johansen -
the policy_lock parameter is a one way switch that prevents policy
from being further modified. Unfortunately some of the module parameters
can effectively modify policy by turning off enforcement.split policy_admin_capable into a view check and a full admin check,
and update the admin check to test the policy_lock parameter.Signed-off-by: John Johansen
-
BugLink: http://bugs.launchpad.net/bugs/1592547
If unpack_dfa() returns NULL due to the dfa not being present,
profile_unpack() is not checking if the dfa is not present (NULL).Signed-off-by: John Johansen
-
Signed-off-by: John Johansen
-
Signed-off-by: John Johansen
-
While using AppArmor, SYS_CAP_RESOURCE is insufficient to call prlimit
on another task. The only other example of a AppArmor mediating access to
another, already running, task (ignoring fork+exec) is ptrace.The AppArmor model for ptrace is that one of the following must be true:
1) The tracer is unconfined
2) The tracer is in complain mode
3) The tracer and tracee are confined by the same profile
4) The tracer is confined but has SYS_CAP_PTRACE1), 2, and 3) are already true for setrlimit.
We can match the ptrace model just by allowing CAP_SYS_RESOURCE.
We still test the values of the rlimit since it can always be overridden
using a value that means unlimited for a particular resource.Signed-off-by: Jeff Mahoney
Signed-off-by: John Johansen -
list_next_entry has been defined in list.h, so I replace list_entry_next
with it.Signed-off-by: Geliang Tang
Acked-by: Serge Hallyn
Signed-off-by: John Johansen -
When finding a child profile via an rcu critical section, the profile
may be put and scheduled for deletion after the child is found but
before its refcount is incremented.Protect against this by repeating the lookup if the profiles refcount
is 0 and is one its way to deletion.Signed-off-by: John Johansen
Acked-by: Seth Arnold -
Signed-off-by: John Johansen
Acked-by: Seth Arnold -
Signed-off-by: John Johansen
Acked-by: Seth Arnold -
The target profile name was not being correctly audited in a few
cases because the target variable was not being set and gotos
passed the code to set it at apply:Since it is always based on new_profile just drop the target var
and conditionally report based on new_profile.Signed-off-by: John Johansen
Acked-by: Seth Arnold -
Currently logging of a successful profile load only logs the basename
of the profile. This can result in confusion when a child profile has
the same name as the another profile in the set. Logging the hname
will ensure there is no confusion.Signed-off-by: John Johansen
Acked-by: Seth Arnold -
currently only the profile that is causing the failure is logged. This
makes it more confusing than necessary about which profiles loaded
and which didn't. So make sure to log success and failure messages for
all profiles in the set being loaded.Signed-off-by: John Johansen
Acked-by: Seth Arnold -
Signed-off-by: John Johansen
Acked-by: Seth Arnold -
Signed-off-by: John Johansen
Acked-by: Tyler Hicks
Acked-by: Seth Arnold -
Internal mounts are not mounted anywhere and as such should be treated
as disconnected paths.Signed-off-by: John Johansen
Acked-by: Seth Arnold -
Bind mounts can fail to be properly reconnected when PATH_CONNECT is
specified. Ensure that when PATH_CONNECT is specified the path has
a root.BugLink: http://bugs.launchpad.net/bugs/1319984
Signed-off-by: John Johansen
Acked-by: Seth Arnold -
Signed-off-by: John Johansen
Acked-by: Seth Arnold -
The current behavior is confusing as it causes exec failures to report
the executable is missing instead of identifying that apparmor
caused the failure.Signed-off-by: John Johansen
Acked-by: Seth Arnold -
BugLink: http://bugs.launchpad.net/bugs/1268727
The task field in the lsm_audit struct needs to be initialized if
a change_hat fails, otherwise the following oops will occurBUG: unable to handle kernel paging request at 0000002fbead7d08
IP: [] _raw_spin_lock+0xe/0x50
PGD 1e3f35067 PUD 0
Oops: 0002 [#1] SMP
Modules linked in: pppox crc_ccitt p8023 p8022 psnap llc ax25 btrfs raid6_pq xor xfs libcrc32c dm_multipath scsi_dh kvm_amd dcdbas kvm microcode amd64_edac_mod joydev edac_core psmouse edac_mce_amd serio_raw k10temp sp5100_tco i2c_piix4 ipmi_si ipmi_msghandler acpi_power_meter mac_hid lp parport hid_generic usbhid hid pata_acpi mpt2sas ahci raid_class pata_atiixp bnx2 libahci scsi_transport_sas [last unloaded: tipc]
CPU: 2 PID: 699 Comm: changehat_twice Tainted: GF O 3.13.0-7-generic #25-Ubuntu
Hardware name: Dell Inc. PowerEdge R415/08WNM9, BIOS 1.8.6 12/06/2011
task: ffff8802135c6000 ti: ffff880212986000 task.ti: ffff880212986000
RIP: 0010:[] [] _raw_spin_lock+0xe/0x50
RSP: 0018:ffff880212987b68 EFLAGS: 00010006
RAX: 0000000000020000 RBX: 0000002fbead7500 RCX: 0000000000000000
RDX: 0000000000000292 RSI: ffff880212987ba8 RDI: 0000002fbead7d08
RBP: ffff880212987b68 R08: 0000000000000246 R09: ffff880216e572a0
R10: ffffffff815fd677 R11: ffffea0008469580 R12: ffffffff8130966f
R13: ffff880212987ba8 R14: 0000002fbead7d08 R15: ffff8800d8c6b830
FS: 00002b5e6c84e7c0(0000) GS:ffff880216e40000(0000) knlGS:0000000055731700
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000002fbead7d08 CR3: 000000021270f000 CR4: 00000000000006e0
Stack:
ffff880212987b98 ffffffff81075f17 ffffffff8130966f 0000000000000009
0000000000000000 0000000000000000 ffff880212987bd0 ffffffff81075f7c
0000000000000292 ffff880212987c08 ffff8800d8c6b800 0000000000000026
Call Trace:
[] __lock_task_sighand+0x47/0x80
[] ? apparmor_cred_prepare+0x2f/0x50
[] do_send_sig_info+0x2c/0x80
[] send_sig_info+0x1e/0x30
[] aa_audit+0x13d/0x190
[] aa_audit_file+0xbc/0x130
[] ? apparmor_cred_prepare+0x2f/0x50
[] aa_change_hat+0x202/0x530
[] aa_setprocattr_changehat+0x116/0x1d0
[] apparmor_setprocattr+0x25d/0x300
[] security_setprocattr+0x16/0x20
[] proc_pid_attr_write+0x107/0x130
[] vfs_write+0xb4/0x1f0
[] SyS_write+0x49/0xa0
[] tracesys+0xe1/0xe6Signed-off-by: John Johansen
Acked-by: Seth Arnold -
When set atomic replacement is used and the parent is updated before the
child, and the child did not exist in the old parent so there is no
direct replacement then the new child is incorrectly added to the old
parent. This results in the new parent not having the child(ren) that
it should and the old parent when being destroyed asserting the
following error.AppArmor: policy_destroy: internal error, policy '' still
contains profilesSigned-off-by: John Johansen
Acked-by: Seth Arnold -
Signed-off-by: John Johansen
Acked-by: Seth Arnold
28 Mar, 2016
12 commits
-
Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
-
... as well as unix_mknod() and may_o_create()
Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
-
was open-coded in several places...
Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
22 Oct, 2015
1 commit
-
The crypto framework can be built as a loadable module, but the
apparmor hash code can only be built-in, which then causes a
link error:security/built-in.o: In function `aa_calc_profile_hash':
integrity_audit.c:(.text+0x21610): undefined reference to `crypto_shash_update'
security/built-in.o: In function `init_profile_hash':
integrity_audit.c:(.init.text+0xb4c): undefined reference to `crypto_alloc_shash'This changes Apparmor to use 'select CRYPTO' like a lot of other
subsystems do.Signed-off-by: Arnd Bergmann
Acked-by: John Johansen
Signed-off-by: James Morris