1. 14 Jul, 2022 2 commits
      apparmor: disable showing the mode as part of a secid to secctx · 524d8e14
      John Johansen authored
      Displaying the mode as part of the secctx takes up unnecessary memory,
      makes it so we can't use a refcounted secctx, so we need to alloc/free on
      every conversion from secid to secctx, and introduces a space that
      could potentially be mishandled by tooling.
      
      E.g. in an audit record we get
      
        subj_type=firefox (enforce)
      
      Having the mode reported is not necessary, and might even be confusing,
      e.g. when writing an audit rule to match the above record field you
      would use
      
        -F subj_type=firefox
      
      i.e. the mode is not included. AppArmor provides ways to find the mode
      without reporting it as part of the secctx. So disable this by default
      before its use is widespread and we can't. For now we add a sysctl
      to control the behavior as we can't guarantee no one is using this.
      Acked-by: Andrea Righi <andrea.righi@canonical.com>
      Signed-off-by: John Johansen <john.johansen@canonical.com>
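The tooling hazard the commit message describes, as an added example (not code from the AppArmor tree or from the audit userspace): two common ways of splitting an audit record into key=value fields disagree about the value of subj_type when the mode is embedded after a space, and agree once the mode is dropped. The audit record lines below are constructed for illustration, and the field names mirror the message's example rather than any particular audit version.

```python
import re

# Constructed sample audit records (not real audit output); the second is
# the same event with the " (enforce)" suffix dropped, as the commit does
# by default.
RECORD_WITH_MODE = (
    'type=AVC msg=audit(1657800000.123:42): apparmor="DENIED" '
    'operation="open" subj_type=firefox (enforce) pid=1234'
)
RECORD_WITHOUT_MODE = (
    'type=AVC msg=audit(1657800000.123:42): apparmor="DENIED" '
    'operation="open" subj_type=firefox pid=1234'
)


def parse_whitespace(record):
    """Split on whitespace and keep key=value tokens; anything else becomes
    a stray token. This is what a naive tool does with a value that
    contains a space: the mode is silently detached from the label."""
    fields, stray = {}, []
    for tok in record.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            stray.append(tok)
    return fields, stray


# Value runs up to the next " key=" or the end of the record.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_to_next_key(record):
    """Treat everything up to the next ' key=' as the value, so subj_type
    keeps its embedded space and mode suffix."""
    return {k: v for k, v in _KV.findall(record)}


def rule_matches(fields, key, value):
    """Emulate an exact-match audit filter such as '-F subj_type=firefox'."""
    return fields.get(key) == value


# Optional " (mode)" suffix after a label, as in "firefox (enforce)".
_SECCTX = re.compile(r"^(\S+)(?: \((\w+)\))?$")


def split_secctx(value):
    """Separate a label from an optional ' (mode)' suffix.
    Returns (label, mode), with mode None when no suffix is present."""
    m = _SECCTX.match(value)
    if m is None:
        return value, None
    return m.group(1), m.group(2)


def compare_parsers(record, key, value):
    """Return what each parser sees for `key` and whether the filter
    `key=value` would match under each interpretation."""
    ws_fields, stray = parse_whitespace(record)
    nk_fields = parse_to_next_key(record)
    return {
        "whitespace_value": ws_fields.get(key),
        "stray_tokens": stray,
        "next_key_value": nk_fields.get(key),
        "whitespace_matches": rule_matches(ws_fields, key, value),
        "next_key_matches": rule_matches(nk_fields, key, value),
    }


if __name__ == "__main__":
    for rec in (RECORD_WITH_MODE, RECORD_WITHOUT_MODE):
        print(compare_parsers(rec, "subj_type", "firefox"))
```

With the mode embedded, the whitespace parser matches the rule but leaves a stray "(enforce)" token, while the to-next-key parser keeps "firefox (enforce)" and the rule fails; without the mode both parsers produce "firefox" and agree. A tool that wants the mode has to special-case the suffix, as `split_secctx` does.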
      apparmor: Convert secid mapping to XArrays instead of IDR · df439093
      Matthew Wilcox authored
      XArrays are a better match than IDR for how AppArmor is mapping
      secids.  Specifically, AppArmor is trying to keep the allocation
      dense. XArrays also have the advantage of avoiding the complexity of
      IDR preallocation.
      
      In addition this avoids/fixes a lockdep issue raised in the LKML thread
        "Linux 5.18-rc4"
      
      where there is a report of an interaction between apparmor and IPC.
      This warning may have been spurious, as the reported issue is in a
      per-cpu local lock taken by the IDR, with one side in the IPC id
      allocation and the other in AppArmor's secid allocation.
      
      Description by John Johansen <john.johansen@canonical.com>
      
      Message-Id: <226cee6a-6ca1-b603-db08-8500cd8f77b7@gnuweeb.org>
      Signed-off-by: Matthew Wilcox <willy@infradead.org>
      Signed-off-by: John Johansen <john.johansen@canonical.com>