- 03 Oct, 2022 32 commits
-
-
John Johansen authored
While the dfa xindex's are verified, the indexes in the permission table are not currently verified. Fix this. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Currently permissions are encoded in the dfa accept entries that are then mapped to an internal permission structure. This limits the permissions that userspace can specify, so allow userspace to directly specify the permission table. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
currently unpack_array() does not return an error nor whether the array is not present. The ability to detect an error or the array not being present is needed so rework the unpack_array() to return the needed information. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
There are currently three policydb rule groupings (xmatch, file, policydb) that each do their own slightly different thing. Group them into a single routine and unify. This extends/unifies dfa features by - all dfas are allowed having an optional start field - all dfas are allowed having a string/transition table Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Currently the transition table is tied to the file dfa. Make it so we can unpack a transition table against any dfa. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Allow the profile to contain a user mode prompt flag. This works similar to complain mode but will try to send messages to a userspace daemon. If the daemon is not present or timesout regular informent will occur. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Audit messages currently don't contain the mediation class which can make them less clear than they should be in some circumstances. With newer mediation classes coming this potential confusion will become worse. Fix this by adding the mediatin class to the messages. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
add indexes for label and tag entries. Rename the domain table to the str_table as its a shared string table with label and tags. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
The details of mapping old policy into newer policy formats clutters up the unpack code and makes it possible to accidentally use old mappings in code, so isolate the mapping code into its own file. This will become more important when the dfa remapping code lands, as it will greatly expand the compat code base. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Allow the xindex to have 2^24 entries. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Now that the permission remapping macros aren't needed anywhere except during profile unpack, move them. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
The policydb permission set has left the xbits unused. Make them available for mediation. Note: that this does not bring full auditing control of the permissions as there are not enough bits. The quieting of denials is provided as that is used more than forced auditing of allowed permissions. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
the v8 and earlier policy does not encode the locking permission for no-fs unix sockets. However the kernel is enforcing mediation. Add the AA_MAY_LOCK perm to v8 and earlier computed perm mask which will grant permission for all current abi profiles, but still allow specifying auditing of the operation if needed. Link: http://bugs.launchpad.net/bugs/1780227Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
The v8 abi is supported by the kernel but the userspace supported version check does not allow for it. This was missed when v8 was added due to a bug in the userspace compiler which was setting an older abi version for v8 encoding (which is forward compatible except on the network encoding). However it is possible to detect the network encoding by checking the policydb network support which the code does. The end result was that missing the abi flag worked until userspace was fixed and began correctly checking for the v8 abi version. Fixes: 56974a6f ("apparmor: add base infastructure for socket mediation") Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Convert from an unsigned int to a state_t for state position. This is a step in prepping for the state position carrying some additional flags, and a limited form of backtracking to support variables. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Remap polidydb dfa accept table from embedded perms to an index, and then move the perm lookup to use the accept entry as an index into the perm table. This is done so that the perm table can be separated from the dfa, allowing dfa accept to index to share expanded permission sets. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
The shared permissions struct has the stop field which is unneeded and the "reserved" subtree field commented which is needed. Also reorganize so that the entries are logically grouped. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Remap xmatch dfa accept table from embedded perms to an index and then move xmatch lookup to use accept entry to index into the xmatch table. This is step towards unifying permission lookup and reducing the size of permissions tables. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Remap file dfa accept table from embedded perms to index and then move fperm lookup to use the accept entry as an index into the fperm table. This is a step toward unifying permission lookup. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
continue permission unification by converting xmatch to use the policydb struct that is used by the other profile dfas. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
file_rules and policydb are almost the same and will need the same features in the future so combine them. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Rather than computing policydb permissions for each access permissions can be computed once on profile load and stored for lookup. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Convert xmatch from using perms encoded in the accept entry of the dfa to the common external aa_perms in a table. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
shorten the name of some of the mapping functions which shortens line lengths. change the mapping so it returns the perm table instead of operating directly on the file struct. Handle potential memory allocation failure. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
fperm computation is only needed during policy_unpack so move the code there to isolate it fromt the run time code. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
Mike Salvatore authored
Rather than computing xmatch permissions each time access is requested, these permissions can be computed once on profile load and stored for lookup. Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
-
Mike Salvatore authored
Rather than computing file permissions for each file access, file permissions can be computed once on profile load and stored for lookup. Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
-
Jon Tourville authored
Create two new files in apparmor's sysfs: /sys/kernel/security/apparmor/raw_data_compression_level_min /sys/kernel/security/apparmor/raw_data_compression_level_max These correspond to the minimum and maximum zstd compression levels that can be assigned to the apparmor module parameter raw_data_compression_level. Signed-off-by: Jon Tourville <jon.tourville@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
-
Jon Tourville authored
Change the algorithm used by apparmor to compress profile data from zlib to zstd, using the new zstd API introduced in 5.16. Zstd provides a larger range of compression levels than zlib and significantly better performance at the default level (for a relatively small increase in compressed size). The apparmor module parameter raw_data_compression_level is now clamped to the minimum and maximum compression levels reported by the zstd library. A compression level of 0 retains the previous behavior of disabling policy compression instead of using zstd's behavior, which is to use the default compression level. Signed-off-by: Jon Tourville <jon.tourville@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Reserve mediation classes that exist in out of tree development branches or are used by userspace mediation helpers. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Fix the following lockdep warning [ 1119.158984] ============================================ [ 1119.158988] WARNING: possible recursive locking detected [ 1119.158996] 6.0.0-rc1+ #257 Tainted: G E N [ 1119.158999] -------------------------------------------- [ 1119.159001] bash/80100 is trying to acquire lock: [ 1119.159007] ffff88803e79b4a0 (&ns->lock/1){+.+.}-{4:4}, at: destroy_ns.part.0+0x43/0x140 [ 1119.159028] but task is already holding lock: [ 1119.159030] ffff8881009764a0 (&ns->lock/1){+.+.}-{4:4}, at: aa_remove_profiles+0x3f0/0x640 [ 1119.159040] other info that might help us debug this: [ 1119.159042] Possible unsafe locking scenario: [ 1119.159043] CPU0 [ 1119.159045] ---- [ 1119.159047] lock(&ns->lock/1); [ 1119.159051] lock(&ns->lock/1); [ 1119.159055] *** DEADLOCK *** Which is caused by an incorrect lockdep nesting notation Fixes: feb3c766 ("apparmor: fix possible recursive lock warning in __aa_create_ns") Signed-off-by: John Johansen <john.johansen@canonical.com>
-
Gaosheng Cui authored
In multi_transaction_new(), the variable t is not freed or passed out on the failure of copy_from_user(t->data, buf, size), which could lead to a memleak. Fix this bug by adding a put_multi_transaction(t) in the error path. Fixes: 1dea3b41 ("apparmor: speed up transactional queries") Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
-
- 16 Aug, 2022 5 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/dinguyen/linuxLinus Torvalds authored
Pull NIOS2 fixes from Dinh Nguyen: - Security fixes from Al Viro * tag 'nios2_fixes_v6.0' of git://git.kernel.org/pub/scm/linux/kernel/git/dinguyen/linux: nios2: add force_successful_syscall_return() nios2: restarts apply only to the first sigframe we build... nios2: fix syscall restart checks nios2: traced syscall does need to check the syscall number nios2: don't leave NULLs in sys_call_table[] nios2: page fault et.al. are *not* restartable syscalls...
-
git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spiLinus Torvalds authored
Pull spi fixes from Mark Brown: "A few fixes that came in since my pull request, the Meson fix is a little large since it's fixing all possible cases of the problem that was observed with the driver and clock API trying to share configuration by integrating the device clocking fully with the clock API rather than spot fixing the one instance that was observed" * tag 'spi-fix-v6.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi: spi: dt-bindings: Drop Pratyush Yadav spi: meson-spicc: add local pow2 clock ops to preserve rate between messages MAINTAINERS: rectify entry for ARM/HPE GXP ARCHITECTURE spi: spi.c: Add missing __percpu annotations in users of spi_statistics
-
Linus Torvalds authored
Merge tag 'regulator-fix-v6.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator Pull regulator fixes from Mark Brown: "A couple of small fixes that came in since my pull request, nothing major here" * tag 'regulator-fix-v6.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator: regulator: core: Fix missing error return from regulator_bulk_get() regulator: pca9450: Remove restrictions for regulator-name
-
Linus Torvalds authored
The exception for the "unaligned access at the end of the page, next page not mapped" never happens, but the fixup code ends up causing trouble for compilers to optimize well. clang in particular ends up seeing it being in the middle of a loop, and tries desperately to optimize the exception fixup code that is never really reached. The simple solution is to just move all the fixups into the exception handler itself, which moves it all out of the hot case code, and means that the compiler never sees it or needs to worry about it. Acked-by: Peter Zijlstra <peterz@infradead.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
Hector Martin authored
These operations are documented as always ordered in include/asm-generic/bitops/instrumented-atomic.h, and producer-consumer type use cases where one side needs to ensure a flag is left pending after some shared data was updated rely on this ordering, even in the failure case. This is the case with the workqueue code, which currently suffers from a reproducible ordering violation on Apple M1 platforms (which are notoriously out-of-order) that ends up causing the TTY layer to fail to deliver data to userspace properly under the right conditions. This change fixes that bug. Change the documentation to restrict the "no order on failure" story to the _lock() variant (for which it makes sense), and remove the early-exit from the generic implementation, which is what causes the missing barrier semantics in that case. Without this, the remaining atomic op is fully ordered (including on ARM64 LSE, as of recent versions of the architecture spec). Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Cc: stable@vger.kernel.org Fixes: e986a0d6 ("locking/atomics, asm-generic/bitops/atomic.h: Rewrite using atomic_*() APIs") Fixes: 61e02392 ("locking/atomic/bitops: Document and clarify ordering semantics for failed test_and_{}_bit()") Signed-off-by: Hector Martin <marcan@marcan.st> Acked-by: Will Deacon <will@kernel.org> Reviewed-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
- 15 Aug, 2022 3 commits
-
-
Al Viro authored
If we use the ancient SysV syscall ABI, we'd better have tell the kernel how to claim that a negative return value is a success. Use ->orig_r2 for that - it's inaccessible via ptrace, so it's a fair game for changes and it's normally[*] non-negative on return from syscall. Set to -1; syscall is not going to be restart-worthy by definition, so we won't interfere with that use either. [*] the only exception is rt_sigreturn(), where we skip the entire messing with r1/r2 anyway. Fixes: 82ed08dd ("nios2: Exception handling") Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
-
Al Viro authored
Fixes: b53e906d ("nios2: Signal handling support") Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
-
Al Viro authored
sys_foo() returns -512 (aka -ERESTARTSYS) => do_signal() sees 512 in r2 and 1 in r1. sys_foo() returns 512 => do_signal() sees 512 in r2 and 0 in r1. The former is restart-worthy; the latter obviously isn't. Fixes: b53e906d ("nios2: Signal handling support") Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
-