- 27 Jul, 2016 1 commit
-
-
Arnd Bergmann authored
The newly added Kconfig option could never work and just causes a build error when disabled:

security/apparmor/lsm.c:675:25: error: 'CONFIG_SECURITY_APPARMOR_HASH_DEFAULT' undeclared here (not in a function)
bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT;

The problem is that the macro is undefined in this case, and we need to use the IS_ENABLED() helper to turn it into a boolean constant. Another minor problem with the original patch is that the option is even offered in sysfs when SECURITY_APPARMOR_HASH is not enabled, so this also hides the option in that case. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Fixes: 6059f71f ("apparmor: add parameter to control whether policy hashing is used") Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
-
- 19 Jul, 2016 7 commits
-
-
Jason Gunthorpe authored
The command flow is exactly the same, the core simply needs to be told to enable TPM2 mode when the compatible string indicates a TPM2. Signed-off-by: Andrew Azmansky <andrew.zamansky@nuvoton.com> Tested-by: Andrew Zamansky <andrew.zamansky@nuvoton.com> Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com> Acked-by: Rob Herring <robh@kernel.org> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
-
Jason Gunthorpe authored
The TCG standard startup sequence (get timeouts, tpm startup, etc) for TPM and TPM2 chips is being open coded in many drivers, move it into the core code. tpm_tis and tpm_crb are used as the basis for the core code implementation and the easy drivers are converted. In the process several small driver bugs relating to error handling in this flow are fixed. For now the flag TPM_OPS_AUTO_STARTUP is optional to allow a staged driver roll out, but ultimately all drivers should use this flow and the flag removed. Some drivers still do not implement the startup sequence at all and will need to be tested with it enabled. Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com> Tested-by: Andrew Zamansky <andrew.zamansky@nuvoton.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
-
Sudip Mukherjee authored
If devm_add_action() fails we are explicitly calling put_device() to free the resources allocated. Let's use the helper devm_add_action_or_reset() and return directly in case of error, as we know that the cleanup function has been already called by the helper if there was any error. Signed-off-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
-
Andrew Zamansky authored
In 570a3609 IRQ path is incorrectly always exercised while it should be exercised only when there is an IRQ number allocated. This commit reverts the old behavior. [jarkko.sakkinen@linux.intel.com: updated description] Fixes: 570a3609 ("tpm: drop 'irq' from struct tpm_vendor_specific") Signed-off-by: Andrew Zamansky <andrew.zamansky@nuvoton.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
-
Andrey Pronin authored
Some chips incorrectly support partial reads from TPM_STS register at non-zero offsets. Read the entire 32-bit register instead of making two 8-bit reads to support such devices and reduce the number of bus transactions when obtaining the burstcount from TPM_STS. Fixes: 27084efe ("tpm: driver for next generation TPM chips") Signed-off-by: Andrey Pronin <apronin@chromium.org> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
-
apronin@chromium.org authored
The result must be converted from BE byte order, which is used by the TPM2 protocol. This has not popped out because tpm2_get_tpm_pt() has been only used for probing. Fixes: 7a1d7e6d ("tpm: TPM 2.0 baseline support") Change-Id: I7d71cd379b1a3b7659d20a1b6008216762596590 Signed-off-by: Andrey Pronin <apronin@chromium.org> Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
-
apronin@chromium.org authored
tpm_tis_core was missing conversion from msec when assigning max timeouts from constants. Fixes: aec04cbd ("tpm: TPM 2.0 FIFO Interface") Signed-off-by: Andrey Pronin <apronin@chromium.org> Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
-
- 12 Jul, 2016 24 commits
-
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
Vegard Nossum authored
When proc_pid_attr_write() was changed to use memdup_user, apparmor's (interface violating) assumption that the setprocattr buffer was always a single page was violated. The size test is not strictly speaking needed as proc_pid_attr_write() will reject anything larger, but for the sake of robustness we can keep it in. SMACK and SELinux look safe to me, but somebody else should probably have a look just in case. Based on original patch from Vegard Nossum <vegard.nossum@oracle.com> modified for the case that apparmor provides null termination. Fixes: bb646cdb Reported-by: Vegard Nossum <vegard.nossum@oracle.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: John Johansen <john.johansen@canonical.com> Cc: Paul Moore <paul@paul-moore.com> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Eric Paris <eparis@parisplace.org> Cc: Casey Schaufler <casey@schaufler-ca.com> Cc: stable@kernel.org Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Tyler Hicks <tyhicks@canonical.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
-
Heinrich Schuchardt authored
Do not copy uninitialized fields th.td_hilen, th.td_data. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
The policy_lock parameter is a one way switch that prevents policy from being further modified. Unfortunately some of the module parameters can effectively modify policy by turning off enforcement. Split policy_admin_capable into a view check and a full admin check, and update the admin check to test the policy_lock parameter. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
BugLink: http://bugs.launchpad.net/bugs/1592547 If unpack_dfa() returns NULL due to the dfa not being present, profile_unpack() is not checking if the dfa is not present (NULL). Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
Jeff Mahoney authored
While using AppArmor, SYS_CAP_RESOURCE is insufficient to call prlimit on another task. The only other example of AppArmor mediating access to another, already running, task (ignoring fork+exec) is ptrace. The AppArmor model for ptrace is that one of the following must be true:

1) The tracer is unconfined
2) The tracer is in complain mode
3) The tracer and tracee are confined by the same profile
4) The tracer is confined but has SYS_CAP_PTRACE

1), 2), and 3) are already true for setrlimit. We can match the ptrace model just by allowing CAP_SYS_RESOURCE. We still test the values of the rlimit since it can always be overridden using a value that means unlimited for a particular resource. Signed-off-by: Jeff Mahoney <jeffm@suse.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
-
Geliang Tang authored
list_next_entry has been defined in list.h, so I replace list_entry_next with it. Signed-off-by: Geliang Tang <geliangtang@163.com> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
When finding a child profile via an rcu critical section, the profile may be put and scheduled for deletion after the child is found but before its refcount is incremented. Protect against this by repeating the lookup if the profile's refcount is 0 and is on its way to deletion. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
John Johansen authored
The target profile name was not being correctly audited in a few cases because the target variable was not being set and gotos passed the code to set it at apply: Since it is always based on new_profile just drop the target var and conditionally report based on new_profile. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
John Johansen authored
Currently logging of a successful profile load only logs the basename of the profile. This can result in confusion when a child profile has the same name as another profile in the set. Logging the hname will ensure there is no confusion. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
John Johansen authored
Currently only the profile that is causing the failure is logged. This makes it more confusing than necessary about which profiles loaded and which didn't. So make sure to log success and failure messages for all profiles in the set being loaded. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
John Johansen authored
Internal mounts are not mounted anywhere and as such should be treated as disconnected paths. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
John Johansen authored
Bind mounts can fail to be properly reconnected when PATH_CONNECT is specified. Ensure that when PATH_CONNECT is specified the path has a root. BugLink: http://bugs.launchpad.net/bugs/1319984 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
John Johansen authored
The current behavior is confusing as it causes exec failures to report the executable is missing instead of identifying that apparmor caused the failure. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
John Johansen authored
BugLink: http://bugs.launchpad.net/bugs/1268727 The task field in the lsm_audit struct needs to be initialized if a change_hat fails, otherwise the following oops will occur

Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
John Johansen authored
When set atomic replacement is used and the parent is updated before the child, and the child did not exist in the old parent so there is no direct replacement then the new child is incorrectly added to the old parent. This results in the new parent not having the child(ren) that it should and the old parent when being destroyed asserting the following error.

AppArmor: policy_destroy: internal error, policy '<profile/name>' still contains profiles

Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
- 09 Jul, 2016 1 commit
-
-
James Morris authored
Merge tag 'keys-misc-20160708' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into next
-
- 08 Jul, 2016 1 commit
-
-
- 07 Jul, 2016 3 commits
-
-
Casey Schaufler authored
The Smack working tree has moved from gitorious to github. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
-
Olof Johansson authored
Add a separate Kconfig option for SAMPLES_SECCOMP. Main reason for this is that, just like other samples, it's forced to be a module. Without this, since the sample is a target only controlled by CONFIG_SECCOMP_FILTER, the samples will be built before include files are put in place properly. For example, from an arm64 allmodconfig built with "make -sk -j 32" (without specific target), the following happens:

samples/seccomp/bpf-fancy.c:13:27: fatal error: linux/seccomp.h: No such file or directory
samples/seccomp/bpf-helper.h:20:50: fatal error: linux/seccomp.h: No such file or directory
samples/seccomp/dropper.c:20:27: fatal error: linux/seccomp.h: No such file or directory
samples/seccomp/bpf-direct.c:21:27: fatal error: linux/seccomp.h: No such file or directory

So, just stick to the same format as other samples. Signed-off-by: Olof Johansson <olof@lixom.net> Signed-off-by: Kees Cook <keescook@chromium.org>
-
-
- 30 Jun, 2016 3 commits
-
-
Eric Richter authored
Extend the PCR supplied as a parameter, instead of assuming that the measurement entry uses the default configured PCR. Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-
Eric Richter authored
IMA avoids re-measuring files by storing the current state as a flag in the integrity cache. It will then skip adding a new measurement log entry if the cache reports the file as already measured. If a policy measures an already measured file to a new PCR, the measurement will not be added to the list. This patch implements a new bitfield for specifying which PCR the file was measured into, rather than if it was measured. Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-
Eric Richter authored
Template entry duplicates are prevented from being added to the measurement list by checking a hash table that contains the template entry digests. However, the PCR value is not included in this comparison, so duplicate template entry digests with differing PCRs may be dropped. This patch redefines duplicate template entries as template entries with the same digest and same PCR values. Reported-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-