Commit d81f50bd authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'apparmor-pr-2018-11-01' of... 

Merge tag 'apparmor-pr-2018-11-01' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

Pull apparmor updates from John Johansen:
 "Features/Improvements:
   - replace spin_is_locked() with lockdep
   - add base support for secmark labeling and matching

  Cleanups:
   - clean an indentation issue, remove extraneous space
   - remove no-op permission check in policy_unpack
   - fix checkpatch missing spaces error in Parse secmark policy
   - fix network performance issue in aa_label_sk_perm

  Bug fixes:
   - add #ifdef checks for secmark filtering
   - fix an error code in __aa_create_ns()
   - don't try to replace stale label in ptrace checks
   - fix failure to audit context info in build_change_hat
   - check buffer bounds when mapping permissions mask
   - fully initialize aa_perms struct when answering userspace query
   - fix uninitialized value in aa_split_fqname"

* tag 'apparmor-pr-2018-11-01' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
  apparmor: clean an indentation issue, remove extraneous space
  apparmor: fix checkpatch error in Parse secmark policy
  apparmor: add #ifdef checks for secmark filtering
  apparmor: Fix uninitialized value in aa_split_fqname
  apparmor: don't try to replace stale label in ptraceme check
  apparmor: Replace spin_is_locked() with lockdep
  apparmor: Allow filtering based on secmark policy
  apparmor: Parse secmark policy
  apparmor: Add a wildcard secid
  apparmor: don't try to replace stale label in ptrace access check
  apparmor: Fix network performance issue in aa_label_sk_perm
parents c2aa1a44 566f52ec

security/apparmor/file.c

+1 −1
Original line number Original line Diff line number Diff line
@@ -496,7 +496,7 @@ static void update_file_ctx(struct aa_file_ctx *fctx, struct aa_label *label, 
	/* update caching of label on file_ctx */

	/* update caching of label on file_ctx */

	spin_lock(&fctx->lock);

	spin_lock(&fctx->lock);

	old = rcu_dereference_protected(fctx->label,

	old = rcu_dereference_protected(fctx->label,

					spin_is_locked(&fctx->lock));

					lockdep_is_held(&fctx->lock));

	l = aa_label_merge(old, label, GFP_ATOMIC);

	l = aa_label_merge(old, label, GFP_ATOMIC);

	if (l) {

	if (l) {

		if (l != old) {

		if (l != old) {

security/apparmor/include/cred.h

+2 −0
Original line number Original line Diff line number Diff line
@@ -151,6 +151,8 @@ static inline struct aa_label *begin_current_label_crit_section(void) 
{

{

	struct aa_label *label = aa_current_raw_label();

	struct aa_label *label = aa_current_raw_label();





	might_sleep();



	if (label_is_stale(label)) {

	if (label_is_stale(label)) {

		label = aa_get_newest_label(label);

		label = aa_get_newest_label(label);

		if (aa_replace_current_label(label) == 0)

		if (aa_replace_current_label(label) == 0)

security/apparmor/include/net.h

+10 −0
Original line number Original line Diff line number Diff line
@@ -83,6 +83,13 @@ struct aa_sk_ctx { 
	__e;					\

	__e;					\

})

})





struct aa_secmark {

	u8 audit;

	u8 deny;

	u32 secid;

	char *label;

};



extern struct aa_sfs_entry aa_sfs_entry_network[];

extern struct aa_sfs_entry aa_sfs_entry_network[];





void audit_net_cb(struct audit_buffer *ab, void *va);

void audit_net_cb(struct audit_buffer *ab, void *va);
@@ -103,4 +110,7 @@ int aa_sk_perm(const char *op, u32 request, struct sock *sk); 
int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request,

int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request,

		      struct socket *sock);

		      struct socket *sock);





int apparmor_secmark_check(struct aa_label *label, char *op, u32 request,

			   u32 secid, struct sock *sk);



#endif /* __AA_NET_H */
 
#endif /* __AA_NET_H */

security/apparmor/include/policy.h

+3 −0
Original line number Original line Diff line number Diff line
@@ -155,6 +155,9 @@ struct aa_profile { 




	struct aa_rlimit rlimits;

	struct aa_rlimit rlimits;





	int secmark_count;

	struct aa_secmark *secmark;



	struct aa_loaddata *rawdata;

	struct aa_loaddata *rawdata;

	unsigned char *hash;

	unsigned char *hash;

	char *dirname;

	char *dirname;

security/apparmor/include/secid.h

+3 −0
Original line number Original line Diff line number Diff line
@@ -22,6 +22,9 @@ struct aa_label; 
/* secid value that will not be allocated */

/* secid value that will not be allocated */

#define AA_SECID_INVALID 0

#define AA_SECID_INVALID 0





/* secid value that matches any other secid */

#define AA_SECID_WILDCARD 1



struct aa_label *aa_secid_to_label(u32 secid);

struct aa_label *aa_secid_to_label(u32 secid);

int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);

int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);

int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);

int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);

CRA Git | Maintained and supported by SUSTech CRA and CCSE