- 16 Jan, 2017 38 commits
-
-
John Johansen authored
Policy management will be expanded beyond traditional unconfined root. This will require knowning the profile of the task doing the management and the ns view. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Prepare for a tighter pairing of user namespaces and apparmor policy namespaces, by making the ns to be viewed available. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Prepare for a tighter pairing of user namespaces and apparmor policy namespaces, by making the ns to be viewed available and checking that the user namespace level is the same as the policy ns level. This strict pairing will be relaxed once true support of user namespaces lands. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
This is prep work for fs operations being able to remove namespaces. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Borrow the special null device file from selinux to "close" fds that don't have sufficient permissions at exec time. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Commit 9f834ec1 ("binfmt_elf: switch to new creds when switching to new mm") changed when the creds are installed by the binfmt_elf handler. This affects which creds are used to mmap the executable into the address space. Which can have an affect on apparmor policy. Add a flag to apparmor at /sys/kernel/security/apparmor/features/domain/fix_binfmt_elf_mmap to make it possible to detect this semantic change so that the userspace tools and the regression test suite can correctly deal with the change. BugLink: http://bugs.launchpad.net/bugs/1630069Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Instead of testing whether a given dfa exists in every code path, have a default null dfa that is used when loaded policy doesn't provide a dfa. This will let us get rid of special casing and avoid dereference bugs when special casing is missed. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Newer policy will combine the file and policydb dfas, allowing for better optimizations. However to support older policy we need to keep the ability to address the "file" dfa separately. So dup the policydb as if it is the file dfa and set the appropriate start state. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
The dfa is currently setup to be shared (has the basis of refcounting) but currently can't be because the count can't be increased. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Newer policy encodes more than just version in the version tag, so add masking to make sure the comparison remains correct. Note: this is fully compatible with older policy as it will never set the bits being masked out. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Policy should always under go a full paranoid verification. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
When possible its better to name a learning profile after the missing profile in question. This allows for both more informative names and for profile reuse. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
prepare_ns() will need to be called from alternate views, and namespaces will need to be created via different interfaces. So refactor and allow specifying the view ns. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Rename to the shorter and more familiar shell cmd name Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Rename to indicate the test is only about whether path mediation is used, not whether other types of mediation might be used. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Proxy is shorter and a better fit than replaceby, so rename it. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Invalid does not convey the meaning of the flag anymore so rename it. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Move to common terminology with other LSMs and kernel infrastucture Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Policy namespaces will be diverging from profile management and expanding so put it in its own file. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
Kees Cook authored
Prepare to mark sensitive kernel structures for randomization by making sure they're using designated initializers. These were identified during allyesconfig builds of x86, arm, and arm64, with most initializer fixes extracted from grsecurity. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: John Johansen <john.johansen@canonical.com>
-
- 15 Jan, 2017 1 commit
-
-
Tetsuo Handa authored
Calling kmalloc(GFP_NOIO) with order == PAGE_ALLOC_COSTLY_ORDER is not recommended because it might fall into infinite retry loop without invoking the OOM killer. Since aa_dfa_unpack() is the only caller of kvzalloc() and aa_dfa_unpack() which is calling kvzalloc() via unpack_table() is doing kzalloc(GFP_KERNEL), it is safe to use GFP_KERNEL from __aa_kvmalloc(). Since aa_simple_write_to_buffer() is the only caller of kvmalloc() and aa_simple_write_to_buffer() is calling copy_from_user() which is GFP_KERNEL context (see memdup_user_nul()), it is safe to use GFP_KERNEL from __aa_kvmalloc(). Therefore, replace GFP_NOIO with GFP_KERNEL. Also, since we have vmalloc() fallback, add __GFP_NORETRY so that we don't invoke the OOM killer by kmalloc(GFP_KERNEL) with order == PAGE_ALLOC_COSTLY_ORDER. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: John Johansen <john.johansen@canonical.com>
-
- 10 Jan, 2017 1 commit
-
-
Mickaël Salaün authored
Replace arguments @mnt and @dentry with @path. Signed-off-by: Mickaël Salaün <mic@digikod.net> Acked-by: Serge Hallyn <serge@hallyn.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
-