- 11 Jun, 2017 17 commits
-
-
John Johansen authored
There are still a few places where profile replacement fails to update and a stale profile is used for mediation. Fix this by moving to accessing the current label through a critical section that will always ensure mediation is using the current label regardless of whether the tasks cred has been updated or not. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
There is no reason to have the small stubs that don't use domain private functions in domain.c, instead move them to lsm.c and make them static. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
The ns name being displayed should go through an ns view lookup. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
The data being queried isn't always the current profile and a lookup relative to the current profile should be done. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
The namespace being passed into the replace/remove profiles fns() is not the view, but the namespace specified by the inode from the file hook (if present) or the loading tasks ns, if accessing the top level virtualized load/replace file interface. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Currently lookups are restricted to a single ns component in the path. However when namespaces are allowed to have separate views, and scopes this will not be sufficient, as it will be possible to have a multiple component ns path in scope. Add some ns lookup fns() to allow this and use them. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Allow userspace to query a profile about permissions, through the transaction interface that is already used to allow userspace to query about key,value data. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
The simple_transaction interface is slow. It requires 4 syscalls (open, write, read, close) per query and shares a single lock for each queries. So replace its use with a compatible in multi_transaction interface. It allows for a faster 2 syscall pattern per query. After an initial open, an arbitrary number of writes and reads can be issued. Each write will reset the query with new data that can be read. Reads do not clear the data, and can be issued multiple times, and used with seek, until a new write is performed which will reset the data available and the seek position. Note: this keeps the single lock design, if needed moving to a per file lock will have to come later. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
gsettings mediation needs to be able to determine if apparmor supports label data queries. A label data query can be done to test for support but its failure is indistinguishable from other failures, making it an unreliable indicator. Fix by making support of label data queries available as a flag in the apparmorfs features dir tree. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
When setting up namespaces for containers its easier for them to use an fs interface to create the namespace for the containers policy. Allow mkdir/rmdir under the policy/namespaces/ dir to be used to create and remove namespaces. BugLink: http://bugs.launchpad.net/bugs/1611078Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Add a policy revision file to find the current revision of a ns's policy. There is a revision file per ns, as well as a virtualized global revision file in the base apparmor fs directory. The global revision file when opened will provide the revision of the opening task namespace. The revision file can be waited on via select/poll to detect apparmor policy changes from the last read revision of the opened file. This means that the revision file must be read after the select/poll other wise update data will remain ready for reading. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
- 09 Jun, 2017 1 commit
-
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
- 08 Jun, 2017 17 commits
-
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Virtualize the apparmor policy/ directory so that the current namespace affects what part of policy is seen. To do this convert to using apparmorfs for policy namespace files and setup a magic symlink in the securityfs apparmor dir to access those files. Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Seth Arnold <seth.arnold@canonical.com> Reviewed-by: Kees Cook <keescook@chromium.org>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Seth Arnold <seth.arnold@canonical.com> Reviewed-by: Kees Cook <keescook@chromium.org>
-
John Johansen authored
prefixes are used for fns/data that are not static to apparmorfs.c with the prefixes being aafs - special magic apparmorfs for policy namespace data aa_sfs - for fns/data that go into securityfs aa_fs - for fns/data that may be used in the either of aafs or securityfs Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Seth Arnold <seth.arnold@canonical.com> Reviewed-by: Kees Cook <keescook@chromium.org>
-
John Johansen authored
AppArmor policy needs to be able to be resolved based on the policy namespace a task is confined by. Add a base apparmorfs filesystem that (like nsfs) will exist as a kern mount and be accessed via jump_link through a securityfs file. Setup the base apparmorfs fns and data, but don't use it yet. Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Seth Arnold <seth.arnold@canonical.com> Reviewed-by: Kees Cook <keescook@chromium.org>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Seth Arnold <seth.arnold@canonical.com> Reviewed-by: Kees Cook <keescook@chromium.org>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Seth Arnold <seth.arnold@canonical.com> Reviewed-by: Kees Cook <keescook@chromium.org>
-
John Johansen authored
The loaddata sets cover more than just a single profile and should be tracked at the ns level. Move the load data files under the namespace and reference the files from the profiles via a symlink. Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Seth Arnold <seth.arnold@canonical.com> Reviewed-by: Kees Cook <keescook@chromium.org>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Seth Arnold <seth.arnold@canonical.com> Acked-by: Kees Cook <keescook@chromium.org>
-
John Johansen authored
Dynamically allocating buffers is problematic and is an extra layer that is a potntial point of failure and can slow down mediation. Change path lookup to use the preallocated per cpu buffers. Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
John Johansen authored
Signed-off-by: John Johansen <john.johansen@canonical.com>
-
Thomas Schneider authored
When using a strictly POSIX-compliant shell, "-n #define ..." gets written into the file. Use "printf '%s'" to avoid this. Signed-off-by: Thomas Schneider <qsx@qsx.re> Signed-off-by: John Johansen <john.johansen@canonical.com>
-
Dan Carpenter authored
We can either return PTR_ERR(NULL) or a PTR_ERR(a valid pointer) here. Returning NULL is probably not good, but since this happens at boot then we are probably already toasted if we were to hit this bug in real life. In other words, it seems like a very low severity bug to me. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
-
Markus Elfring authored
Two single characters (line breaks) should be put into a sequence. Thus use the corresponding function "seq_putc". This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: John Johansen <john.johansen@canonical.com>
-
Markus Elfring authored
A bit of data was put into a sequence by two separate function calls. Print the same data by a single function call instead. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: John Johansen <john.johansen@canonical.com>
-
- 22 May, 2017 3 commits
-
-
James Morris authored
-
Linus Torvalds authored
-
Linus Torvalds authored
The code to fetch a 64-bit value from user space was entirely buggered, and has been since the code was merged in early 2016 in commit b2f68038 ("x86/mm/32: Add support for 64-bit __get_user() on 32-bit kernels"). Happily the buggered routine is almost certainly entirely unused, since the normal way to access user space memory is just with the non-inlined "get_user()", and the inlined version didn't even historically exist. The normal "get_user()" case is handled by external hand-written asm in arch/x86/lib/getuser.S that doesn't have either of these issues. There were two independent bugs in __get_user_asm_u64(): - it still did the STAC/CLAC user space access marking, even though that is now done by the wrapper macros, see commit 11f1a4b9 ("x86: reorganize SMAP handling in user space accesses"). This didn't result in a semantic error, it just means that the inlined optimized version was hugely less efficient than the allegedly slower standard version, since the CLAC/STAC overhead is quite high on modern Intel CPU's. - the double register %eax/%edx was marked as an output, but the %eax part of it was touched early in the asm, and could thus clobber other inputs to the asm that gcc didn't expect it to touch. In particular, that meant that the generated code could look like this: mov (%eax),%eax mov 0x4(%eax),%edx where the load of %edx obviously was _supposed_ to be from the 32-bit word that followed the source of %eax, but because %eax was overwritten by the first instruction, the source of %edx was basically random garbage. The fixes are trivial: remove the extraneous STAC/CLAC entries, and mark the 64-bit output as early-clobber to let gcc know that no inputs should alias with the output register. Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Benjamin LaHaise <bcrl@kvack.org> Cc: Ingo Molnar <mingo@kernel.org> Cc: stable@kernel.org # v4.8+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
- 21 May, 2017 2 commits
-
-
Linus Torvalds authored
Al noticed that unsafe_put_user() had type problems, and fixed them in commit a7cc722f ("fix unsafe_put_user()"), which made me look more at those functions. It turns out that unsafe_get_user() had a type issue too: it limited the largest size of the type it could handle to "unsigned long". Which is fine with the current users, but doesn't match our existing normal get_user() semantics, which can also handle "u64" even when that does not fit in a long. While at it, also clean up the type cast in unsafe_put_user(). We actually want to just make it an assignment to the expected type of the pointer, because we actually do want warnings from types that don't convert silently. And it makes the code more readable by not having that one very long and complex line. [ This patch might become stable material if we ever end up back-porting any new users of the unsafe uaccess code, but as things stand now this doesn't matter for any current existing uses. ] Cc: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfsLinus Torvalds authored
Pull misc uaccess fixes from Al Viro: "Fix for unsafe_put_user() (no callers currently in mainline, but anyone starting to use it will step into that) + alpha osf_wait4() infoleak fix" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: osf_wait4(): fix infoleak fix unsafe_put_user()
-