02 Mar, 2017
2 commits
-
We don't actually need the full rculist.h header in sched.h anymore,
we will be able to include the smaller rcupdate.h header instead.

But first update code that relied on the implicit header inclusion.
Acked-by: Linus Torvalds
Cc: Mike Galbraith
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar
-
Add #include dependencies to all .c files rely on sched.h
doing that for them.

Note that even if the count where we need to add extra headers seems high,
it's still a net win, because is included in over
2,200 files ...
Acked-by: Linus Torvalds
Cc: Mike Galbraith
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar
16 Jan, 2017
27 commits
-
If this sysctl is set to non-zero and a process with CAP_MAC_ADMIN in
the root namespace has created an AppArmor policy namespace,
unprivileged processes will be able to change to a profile in the
newly created AppArmor policy namespace and, if the profile allows
CAP_MAC_ADMIN and appropriate file permissions, will be able to load
policy in the respective policy namespace.
Signed-off-by: Tyler Hicks
Signed-off-by: John Johansen
-
Allow a profile to carry extra data that can be queried via userspace.
This provides a means to store extra data in a profile that a trusted
helper can extract and use from live policy.
Signed-off-by: William Hua
Signed-off-by: John Johansen
-
The aad macro can replace aad strings when it is not intended to. Switch
to a fn macro so it is only applied when intended.

Also at the same time cleanup audit_data initialization by putting
common boiler plate behind a macro, and dropping the gfp_t parameter
which will become useless.
Signed-off-by: John Johansen
-
Having ops be an integer that is an index into an op name table is
awkward and brittle. Every op change requires an edit for both the
op constant and a string in the table. Instead switch to using const
strings directly, eliminating the need for the table that needs to
be kept in sync.
Signed-off-by: John Johansen
-
Signed-off-by: John Johansen
-
This is just setup for new ns specific .load, .replace, .remove interface
files.
Signed-off-by: John Johansen
-
Verify that profiles in a load set specify the same policy ns and
audit the name of the policy ns that policy is being loaded for.
Signed-off-by: John Johansen
-
Store loaded policy and allow introspecting it through apparmorfs. This
has several uses from debugging, policy validation, and policy checkpoint
and restore for containers.
Signed-off-by: John Johansen
-
Signed-off-by: John Johansen
-
Policy management will be expanded beyond traditional unconfined root.
This will require knowing the profile of the task doing the management
and the ns view.
Signed-off-by: John Johansen
-
Prepare for a tighter pairing of user namespaces and apparmor policy
namespaces, by making the ns to be viewed available.
Signed-off-by: John Johansen
-
Prepare for a tighter pairing of user namespaces and apparmor policy
namespaces, by making the ns to be viewed available and checking
that the user namespace level is the same as the policy ns level.

This strict pairing will be relaxed once true support of user namespaces
lands.
Signed-off-by: John Johansen
-
Signed-off-by: John Johansen
-
This is prep work for fs operations being able to remove namespaces.
Signed-off-by: John Johansen
-
Instead of testing whether a given dfa exists in every code path, have
a default null dfa that is used when loaded policy doesn't provide a
dfa.

This will let us get rid of special casing and avoid dereference bugs
when special casing is missed.
Signed-off-by: John Johansen
-
When possible it's better to name a learning profile after the missing
profile in question. This allows for both more informative names and
for profile reuse.
Signed-off-by: John Johansen
-
Signed-off-by: John Johansen
-
prepare_ns() will need to be called from alternate views, and namespaces
will need to be created via different interfaces. So refactor and
allow specifying the view ns.
Signed-off-by: John Johansen
-
Signed-off-by: John Johansen
-
Rename to the shorter and more familiar shell cmd name
Signed-off-by: John Johansen
-
Signed-off-by: John Johansen
-
Signed-off-by: John Johansen
-
Proxy is shorter and a better fit than replaceby, so rename it.
Signed-off-by: John Johansen
-
Invalid does not convey the meaning of the flag anymore so rename it.
Signed-off-by: John Johansen
-
Signed-off-by: John Johansen
-
Policy namespaces will be diverging from profile management and
expanding so put it in its own file.
Signed-off-by: John Johansen
-
Signed-off-by: John Johansen
12 Jul, 2016
7 commits
-
the policy_lock parameter is a one way switch that prevents policy
from being further modified. Unfortunately some of the module parameters
can effectively modify policy by turning off enforcement.

split policy_admin_capable into a view check and a full admin check,
and update the admin check to test the policy_lock parameter.
Signed-off-by: John Johansen
-
When finding a child profile via an rcu critical section, the profile
may be put and scheduled for deletion after the child is found but
before its refcount is incremented.

Protect against this by repeating the lookup if the profile's refcount
is 0 and is on its way to deletion.
Signed-off-by: John Johansen
Acked-by: Seth Arnold
-
Currently logging of a successful profile load only logs the basename
of the profile. This can result in confusion when a child profile has
the same name as another profile in the set. Logging the hname
will ensure there is no confusion.
Signed-off-by: John Johansen
Acked-by: Seth Arnold
-
currently only the profile that is causing the failure is logged. This
makes it more confusing than necessary about which profiles loaded
and which didn't. So make sure to log success and failure messages for
all profiles in the set being loaded.
Signed-off-by: John Johansen
Acked-by: Seth Arnold
-
Signed-off-by: John Johansen
Acked-by: Seth Arnold
-
When set atomic replacement is used and the parent is updated before the
child, and the child did not exist in the old parent so there is no
direct replacement then the new child is incorrectly added to the old
parent. This results in the new parent not having the child(ren) that
it should and the old parent when being destroyed asserting the
following error.

AppArmor: policy_destroy: internal error, policy '' still
contains profiles

Signed-off-by: John Johansen
Acked-by: Seth Arnold
-
Signed-off-by: John Johansen
Acked-by: Seth Arnold
16 Oct, 2013
1 commit
-
BugLink: http://bugs.launchpad.net/bugs/1235523
This fixes the following kmemleak trace:
unreferenced object 0xffff8801e8c35680 (size 32):
comm "apparmor_parser", pid 691, jiffies 4294895667 (age 13230.876s)
hex dump (first 32 bytes):
e0 d3 4e b5 ac 6d f4 ed 3f cb ee 48 1c fd 40 cf ..N..m..?..H..@.
5b cc e9 93 00 00 00 00 00 00 00 00 00 00 00 00 [...............
backtrace:
[] kmemleak_alloc+0x4e/0xb0
[] __kmalloc+0x103/0x290
[] aa_calc_profile_hash+0x6c/0x150
[] aa_unpack+0x39d/0xd50
[] aa_replace_profiles+0x3d/0xd80
[] profile_replace+0x37/0x50
[] vfs_write+0xbd/0x1e0
[] SyS_write+0x4c/0xa0
[] system_call_fastpath+0x1a/0x1f
[] 0xffffffffffffffff
Signed-off-by: John Johansen
Signed-off-by: James Morris
30 Sep, 2013
1 commit
-
The recent 3.12 pull request for apparmor was missing a couple rcu _protected
access modifiers. Resulting in the following suspicious RCU usage

[ 29.804534] [ INFO: suspicious RCU usage. ]
[ 29.804539] 3.11.0+ #5 Not tainted
[ 29.804541] -------------------------------
[ 29.804545] security/apparmor/include/policy.h:363 suspicious rcu_dereference_check() usage!
[ 29.804548]
[ 29.804548] other info that might help us debug this:
[ 29.804548]
[ 29.804553]
[ 29.804553] rcu_scheduler_active = 1, debug_locks = 1
[ 29.804558] 2 locks held by apparmor_parser/1268:
[ 29.804560] #0: (sb_writers#9){.+.+.+}, at: [] file_start_write+0x27/0x29
[ 29.804576] #1: (&ns->lock){+.+.+.}, at: [] aa_replace_profiles+0x166/0x57c
[ 29.804589]
[ 29.804589] stack backtrace:
[ 29.804595] CPU: 0 PID: 1268 Comm: apparmor_parser Not tainted 3.11.0+ #5
[ 29.804599] Hardware name: ASUSTeK Computer Inc. UL50VT /UL50VT , BIOS 217 03/01/2010
[ 29.804602] 0000000000000000 ffff8800b95a1d90 ffffffff8144eb9b ffff8800b94db540
[ 29.804611] ffff8800b95a1dc0 ffffffff81087439 ffff880138cc3a18 ffff880138cc3a18
[ 29.804619] ffff8800b9464a90 ffff880138cc3a38 ffff8800b95a1df0 ffffffff811f5084
[ 29.804628] Call Trace:
[ 29.804636] [] dump_stack+0x4e/0x82
[ 29.804642] [] lockdep_rcu_suspicious+0xfc/0x105
[ 29.804649] [] __aa_update_replacedby+0x53/0x7f
[ 29.804655] [] __replace_profile+0x11f/0x1ed
[ 29.804661] [] aa_replace_profiles+0x410/0x57c
[ 29.804668] [] profile_replace+0x35/0x4c
[ 29.804674] [] vfs_write+0xad/0x113
[ 29.804680] [] SyS_write+0x44/0x7a
[ 29.804687] [] system_call_fastpath+0x16/0x1b
[ 29.804691]
[ 29.804694] ===============================
[ 29.804697] [ INFO: suspicious RCU usage. ]
[ 29.804700] 3.11.0+ #5 Not tainted
[ 29.804703] -------------------------------
[ 29.804706] security/apparmor/policy.c:566 suspicious rcu_dereference_check() usage!
[ 29.804709]
[ 29.804709] other info that might help us debug this:
[ 29.804709]
[ 29.804714]
[ 29.804714] rcu_scheduler_active = 1, debug_locks = 1
[ 29.804718] 2 locks held by apparmor_parser/1268:
[ 29.804721] #0: (sb_writers#9){.+.+.+}, at: [] file_start_write+0x27/0x29
[ 29.804733] #1: (&ns->lock){+.+.+.}, at: [] aa_replace_profiles+0x166/0x57c
[ 29.804744]
[ 29.804744] stack backtrace:
[ 29.804750] CPU: 0 PID: 1268 Comm: apparmor_parser Not tainted 3.11.0+ #5
[ 29.804753] Hardware name: ASUSTeK Computer Inc. UL50VT /UL50VT , BIOS 217 03/01/2010
[ 29.804756] 0000000000000000 ffff8800b95a1d80 ffffffff8144eb9b ffff8800b94db540
[ 29.804764] ffff8800b95a1db0 ffffffff81087439 ffff8800b95b02b0 0000000000000000
[ 29.804772] ffff8800b9efba08 ffff880138cc3a38 ffff8800b95a1dd0 ffffffff811f4f94
[ 29.804779] Call Trace:
[ 29.804786] [] dump_stack+0x4e/0x82
[ 29.804791] [] lockdep_rcu_suspicious+0xfc/0x105
[ 29.804798] [] aa_free_replacedby_kref+0x4d/0x62
[ 29.804804] [] ? aa_put_namespace+0x17/0x17
[ 29.804810] [] kref_put+0x36/0x40
[ 29.804816] [] __replace_profile+0x13a/0x1ed
[ 29.804822] [] aa_replace_profiles+0x410/0x57c
[ 29.804829] [] profile_replace+0x35/0x4c
[ 29.804835] [] vfs_write+0xad/0x113
[ 29.804840] [] SyS_write+0x44/0x7a
[ 29.804847] [] system_call_fastpath+0x16/0x1b
Reported-by: miles.lane@gmail.com
CC: paulmck@linux.vnet.ibm.com
Signed-off-by: John Johansen
Signed-off-by: James Morris
15 Aug, 2013
2 commits
-
Add basic interface files to access namespace and profile information.
The interface files are created when a profile is loaded and removed
when the profile or namespace is removed.
Signed-off-by: John Johansen
-
Allow emulating the default profile behavior from boot, by allowing
loading of a profile in the unconfined state into a new NS.
Signed-off-by: John Johansen
Acked-by: Seth Arnold