summaryrefslogtreecommitdiffstats
path: root/security/apparmor
Commit message (Collapse)AuthorAgeFilesLines
* apparmor: Fix move_mount mediation by detecting if source is detachedJohn Johansen2024-01-032-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Prevent move_mount from applying the attach_disconnected flag to move_mount(). This prevents detached mounts from appearing as / when applying mount mediation, which is not only incorrect but could result in bad policy being generated. Basic mount rules like allow mount, allow mount options=(move) -> /target/, will allow detached mounts, allowing older policy to continue to function. New policy gains the ability to specify `detached` as a source option allow mount detached -> /target/, In addition make sure support of move_mount is advertised as a feature to userspace so that applications that generate policy can respond to the addition. Note: this fixes mediation of move_mount when a detached mount is used, it does not fix the broader regression of apparmor mediation of mounts under the new mount api. Link: https://lore.kernel.org/all/68c166b8-5b4d-4612-8042-1dee3334385b@leemhuis.info/T/#mb35fdde37f999f08f0b02d58dc1bf4e6b65b8da2 Fixes: 157a3537d6bc ("apparmor: Fix regression in mount mediation") Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
* Merge tag 'apparmor-pr-2023-11-03' of ↵Linus Torvalds2023-11-0332-848/+1336
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor Pull apparmor updates from John Johansen: "This adds initial support for mediating io_uring and userns creation. Adds a new restriction that tightens the use of change_profile, and a couple of optimizations to reduce performance bottle necks that have been found when retrieving the current task's secid and allocating work buffers. The majority of the patch set continues cleaning up and simplifying the code (fixing comments, removing now dead functions, and macros etc). Finally there are 4 bug fixes, with the regression fix having had a couple months of testing. Features: - optimize retrieving current task secid - add base io_uring mediation - add base userns mediation - improve buffer allocation - allow restricting unprivilege change_profile Cleanups: - Fix kernel doc comments - remove unused declarations - remove unused functions - remove unneeded #ifdef - remove unused macros - mark fns static - cleanup fn with unused return values - cleanup audit data - pass cred through to audit data - refcount the pdb instead of using duplicates - make SK_CTX macro an inline fn - some comment cleanups Bug fixes: - fix regression in mount mediation - fix invalid refenece - use passed in gfp flags - advertise avaiability of extended perms and disconnected.path" * tag 'apparmor-pr-2023-11-03' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: (39 commits) apparmor: Fix some kernel-doc comments apparmor: Fix one kernel-doc comment apparmor: Fix some kernel-doc comments apparmor: mark new functions static apparmor: Fix regression in mount mediation apparmor: cache buffers on percpu list if there is lock contention apparmor: add io_uring mediation apparmor: add user namespace creation mediation apparmor: allow restricting unprivileged change_profile apparmor: advertise disconnected.path is available apparmor: refcount the pdb apparmor: provide separate audit messages for file and policy checks apparmor: pass cred through to audit info. apparmor: rename audit_data->label to audit_data->subj_label apparmor: combine common_audit_data and apparmor_audit_data apparmor: rename SK_CTX() to aa_sock and make it an inline fn apparmor: Optimize retrieving current task secid apparmor: remove unused functions in policy_ns.c/.h apparmor: remove unneeded #ifdef in decompress_zstd() apparmor: fix invalid reference on profile->disconnected ...
| * apparmor: Fix some kernel-doc commentsYang Li2023-10-231-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | Fix some kernel-doc comments to silence the warnings: security/apparmor/policy.c:117: warning: Function parameter or member 'kref' not described in 'aa_pdb_free_kref' security/apparmor/policy.c:117: warning: Excess function parameter 'kr' description in 'aa_pdb_free_kref' security/apparmor/policy.c:882: warning: Function parameter or member 'subj_cred' not described in 'aa_may_manage_policy' Reported-by: Abaci Robot <abaci@linux.alibaba.com> Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=7037 Signed-off-by: Yang Li <yang.lee@linux.alibaba.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: Fix one kernel-doc commentYang Li2023-10-231-1/+1
| | | | | | | | | | | | | | | | | | | | | | Fix one kernel-doc comment to silence the warnings: security/apparmor/domain.c:46: warning: Function parameter or member 'to_cred' not described in 'may_change_ptraced_domain' security/apparmor/domain.c:46: warning: Excess function parameter 'cred' description in 'may_change_ptraced_domain' Reported-by: Abaci Robot <abaci@linux.alibaba.com> Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=7036 Signed-off-by: Yang Li <yang.lee@linux.alibaba.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: Fix some kernel-doc commentsYang Li2023-10-231-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | Fix some kernel-doc comments to silence the warnings: security/apparmor/capability.c:66: warning: Function parameter or member 'ad' not described in 'audit_caps' security/apparmor/capability.c:66: warning: Excess function parameter 'as' description in 'audit_caps' security/apparmor/capability.c:154: warning: Function parameter or member 'subj_cred' not described in 'aa_capable' security/apparmor/capability.c:154: warning: Excess function parameter 'subj_cread' description in 'aa_capable' Reported-by: Abaci Robot <abaci@linux.alibaba.com> Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=7035 Signed-off-by: Yang Li <yang.lee@linux.alibaba.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: mark new functions staticArnd Bergmann2023-10-221-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | Two new functions were introduced as global functions when they are only called from inside the file that defines them and should have been static: security/apparmor/lsm.c:658:5: error: no previous prototype for 'apparmor_uring_override_creds' [-Werror=missing-prototypes] security/apparmor/lsm.c:682:5: error: no previous prototype for 'apparmor_uring_sqpoll' [-Werror=missing-prototypes] Fixes: c4371d90633b7 ("apparmor: add io_uring mediation") Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: Fix regression in mount mediationJohn Johansen2023-10-183-22/+51
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit 2db154b3ea8e ("vfs: syscall: Add move_mount(2) to move mounts around") introduced a new move_mount(2) system call and a corresponding new LSM security_move_mount hook but did not implement this hook for any existing LSM. This creates a regression for AppArmor mediation of mount. This patch provides a base mapping of the move_mount syscall to the existing mount mediation. In the future we may introduce additional mediations around the new mount calls. Fixes: 2db154b3ea8e ("vfs: syscall: Add move_mount(2) to move mounts around") CC: stable@vger.kernel.org Reported-by: Andreas Steinmetz <anstein99@googlemail.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: cache buffers on percpu list if there is lock contentionJohn Johansen2023-10-181-5/+62
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit df323337e507 ("apparmor: Use a memory pool instead per-CPU caches") changed buffer allocation to use a memory pool, however on a heavily loaded machine there can be lock contention on the global buffers lock. Add a percpu list to cache buffers on when lock contention is encountered. When allocating buffers attempt to use cached buffers first, before taking the global buffers lock. When freeing buffers try to put them back to the global list but if contention is encountered, put the buffer on the percpu list. The length of time a buffer is held on the percpu list is dynamically adjusted based on lock contention. The amount of hold time is increased and decreased linearly. v5: - simplify base patch by removing: improvements can be added later - MAX_LOCAL and must lock - contention scaling. v4: - fix percpu ->count buffer count which had been spliced across a debug patch. - introduce define for MAX_LOCAL_COUNT - rework count check and locking around it. - update commit message to reference commit that introduced the memory. v3: - limit number of buffers that can be pushed onto the percpu list. This avoids a problem on some kernels where one percpu list can inherit buffers from another cpu after a reschedule, causing more kernel memory to used than is necessary. Under normal conditions this should eventually return to normal but under pathelogical conditions the extra memory consumption may have been unbouanded v2: - dynamically adjust buffer hold time on percpu list based on lock contention. v1: - cache buffers on percpu list on lock contention Reported-by: Sergey Senozhatsky <senozhatsky@chromium.org> Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: add io_uring mediationGeorgia Garcia2023-10-186-2/+131
| | | | | | | | | | | | | | | | For now, the io_uring mediation is limited to sqpoll and override_creds. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: add user namespace creation mediationJohn Johansen2023-10-187-2/+75
| | | | | | | | | | | | | | | | | | | | | | | | | | Unprivileged user namespace creation is often used as a first step in privilege escalation attacks. Instead of disabling it at the sysrq level, which blocks its legitimate use as for setting up a sandbox, allow control on a per domain basis. This allows an admin to quickly lock down a system while also still allowing legitimate use. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: allow restricting unprivileged change_profileJohn Johansen2023-10-185-0/+39
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | unprivileged unconfined can use change_profile to alter the confinement set by the mac admin. Allow restricting unprivileged unconfined by still allowing change_profile but stacking the change against unconfined. This allows unconfined to still apply system policy but allows the task to enter the new confinement. If unprivileged unconfined is required a sysctl is provided to switch to the previous behavior. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: advertise disconnected.path is availableJohn Johansen2023-10-181-0/+1
| | | | | | | | | | | | | | | | | | While disconnected.path has been available for a while it was never properly advertised as a feature. Fix this so that userspace doesn't need special casing to handle it. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: refcount the pdbJohn Johansen2023-10-1815-210/+260
| | | | | | | | | | | | | | | | | | | | | | | | | | With the move to permission tables the dfa is no longer a stand alone entity when used, needing a minimum of a permission table. However it still could be shared among different pdbs each using a different permission table. Instead of duping the permission table when sharing a pdb, add a refcount to the pdb so it can be easily shared. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: provide separate audit messages for file and policy checksJohn Johansen2023-10-181-5/+11
| | | | | | | | | | | | | | | | Improve policy load failure messages by identifying which dfa the verification check failed in. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: pass cred through to audit info.John Johansen2023-10-1820-211/+388
| | | | | | | | | | | | | | | | | | The cred is needed to properly audit some messages, and will be needed in the future for uid conditional mediation. So pass it through to where the apparmor_audit_data struct gets defined. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: rename audit_data->label to audit_data->subj_labelJohn Johansen2023-10-1810-18/+17
| | | | | | | | | | | | | | | | | | rename audit_data's label field to subj_label to better reflect its use. Also at the same time drop unneeded assignments to ->subj_label as the later call to aa_check_perms will do the assignment if needed. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: combine common_audit_data and apparmor_audit_dataJohn Johansen2023-10-1815-245/+257
| | | | | | | | | | | | | | | | | | Everywhere where common_audit_data is used apparmor audit_data is also used. We can simplify the code and drop the use of the aad macro everywhere by combining the two structures. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: rename SK_CTX() to aa_sock and make it an inline fnJohn Johansen2023-10-182-11/+16
| | | | | | | | | | | | | | In preparation for LSM stacking rework the macro to an inline fn Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: Optimize retrieving current task secidVinicius Costa Gomes2023-10-151-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When running will-it-scale[1] open2_process testcase, in a system with a large number of cores, a bottleneck in retrieving the current task secid was detected: 27.73% ima_file_check;do_open (inlined);path_openat;do_filp_open;do_sys_openat2;__x64_sys_openat;do_syscall_x64 (inlined);do_syscall_64;entry_SYSCALL_64_after_hwframe (inlined);__libc_open64 (inlined) 27.72% 0.01% [kernel.vmlinux] [k] security_current_getsecid_subj - - 27.71% security_current_getsecid_subj;ima_file_check;do_open (inlined);path_openat;do_filp_open;do_sys_openat2;__x64_sys_openat;do_syscall_x64 (inlined);do_syscall_64;entry_SYSCALL_64_after_hwframe (inlined);__libc_open64 (inlined) 27.71% 27.68% [kernel.vmlinux] [k] apparmor_current_getsecid_subj - - 19.94% __refcount_add (inlined);__refcount_inc (inlined);refcount_inc (inlined);kref_get (inlined);aa_get_label (inlined);aa_get_label (inlined);aa_get_current_label (inlined);apparmor_current_getsecid_subj;security_current_getsecid_subj;ima_file_check;do_open (inlined);path_openat;do_filp_open;do_sys_openat2;__x64_sys_openat;do_syscall_x64 (inlined);do_syscall_64;entry_SYSCALL_64_after_hwframe (inlined);__libc_open64 (inlined) 7.72% __refcount_sub_and_test (inlined);__refcount_dec_and_test (inlined);refcount_dec_and_test (inlined);kref_put (inlined);aa_put_label (inlined);aa_put_label (inlined);apparmor_current_getsecid_subj;security_current_getsecid_subj;ima_file_check;do_open (inlined);path_openat;do_filp_open;do_sys_openat2;__x64_sys_openat;do_syscall_x64 (inlined);do_syscall_64;entry_SYSCALL_64_after_hwframe (inlined);__libc_open64 (inlined) A large amount of time was spent in the refcount. The most common case is that the current task label is available, and no need to take references for that one. That is exactly what the critical section helpers do, make use of them. New perf output: 39.12% vfs_open;path_openat;do_filp_open;do_sys_openat2;__x64_sys_openat;do_syscall_64;entry_SYSCALL_64_after_hwframe;__libc_open64 (inlined) 39.07% 0.13% [kernel.vmlinux] [k] do_dentry_open - - 39.05% do_dentry_open;vfs_open;path_openat;do_filp_open;do_sys_openat2;__x64_sys_openat;do_syscall_64;entry_SYSCALL_64_after_hwframe;__libc_open64 (inlined) 38.71% 0.01% [kernel.vmlinux] [k] security_file_open - - 38.70% security_file_open;do_dentry_open;vfs_open;path_openat;do_filp_open;do_sys_openat2;__x64_sys_openat;do_syscall_64;entry_SYSCALL_64_after_hwframe;__libc_open64 (inlined) 38.65% 38.60% [kernel.vmlinux] [k] apparmor_file_open - - 38.65% apparmor_file_open;security_file_open;do_dentry_open;vfs_open;path_openat;do_filp_open;do_sys_openat2;__x64_sys_openat;do_syscall_64;entry_SYSCALL_64_after_hwframe;__libc_open64 (inlined) The result is a throughput improvement of around 20% across the board on the open2 testcase. On more realistic workloads the impact should be much less. [1] https://github.com/antonblanchard/will-it-scale Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: remove unused functions in policy_ns.c/.hXiu Jianfeng2023-10-152-51/+0
| | | | | | | | | | | | | | These functions are not used now, remove them. Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: remove unneeded #ifdef in decompress_zstd()Xiu Jianfeng2023-10-151-2/+0
| | | | | | | | | | | | | | | | The whole function is guarded by CONFIG_SECURITY_APPARMOR_EXPORT_BINARY, so the #ifdef here is redundant, remove it. Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: fix invalid reference on profile->disconnectedGeorgia Garcia2023-08-222-2/+4
| | | | | | | | | | | | | | | | | | | | profile->disconnected was storing an invalid reference to the disconnected path. Fix it by duplicating the string using aa_unpack_strdup and freeing accordingly. Fixes: 72c8a768641d ("apparmor: allow profiles to provide info to disconnected paths") Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: remove unused PROF_* macrosGONG, Ruiqi2023-08-081-3/+0
| | | | | | | | | | | | | | | | | | The last usage of PROF_{ADD,REPLACE} were removed by commit 18e99f191a8e ("apparmor: provide finer control over policy management"). So remove these two unused macros. Signed-off-by: GONG, Ruiqi <gongruiqi1@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: cleanup unused functions in file.hXiu Jianfeng2023-08-081-37/+0
| | | | | | | | | | | | | | | | | | | | After changes in commit 33bf60cabcc7 ("LSM: Infrastructure management of the file security"), aa_alloc_file_ctx() and aa_free_file_ctx() are no longer used, so remove them, and also remove aa_get_file_label() because it seems that it's never been used before. Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: cleanup unused declarations in policy.hXiu Jianfeng2023-08-081-6/+0
| | | | | | | | | | | | | | The implementions of these declarations do not exist, remove them all. Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: fixup return comments for kernel doc cleanups by Gaosheng CuiJohn Johansen2023-08-082-4/+4
| | | | | | | | | | | | | | | | | | | | | | [PATCH -next 05/11] apparmor: Fix kernel-doc warnings in apparmor/label.c missed updating the Returns comment for the new parameter names [PATCH -next 05/11] apparmor: Fix kernel-doc warnings in apparmor/label.c Added the @size parameter comment without mentioning it is a return value. Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: Fix kernel-doc warnings in apparmor/policy.cGaosheng Cui2023-07-101-7/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix kernel-doc warnings: security/apparmor/policy.c:294: warning: Function parameter or member 'proxy' not described in 'aa_alloc_profile' security/apparmor/policy.c:785: warning: Function parameter or member 'label' not described in 'aa_policy_view_capable' security/apparmor/policy.c:785: warning: Function parameter or member 'ns' not described in 'aa_policy_view_capable' security/apparmor/policy.c:847: warning: Function parameter or member 'ns' not described in 'aa_may_manage_policy' security/apparmor/policy.c:964: warning: Function parameter or member 'hname' not described in '__lookup_replace' security/apparmor/policy.c:964: warning: Function parameter or member 'info' not described in '__lookup_replace' security/apparmor/policy.c:964: warning: Function parameter or member 'noreplace' not described in '__lookup_replace' security/apparmor/policy.c:964: warning: Function parameter or member 'ns' not described in '__lookup_replace' security/apparmor/policy.c:964: warning: Function parameter or member 'p' not described in '__lookup_replace' Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: Fix kernel-doc warnings in apparmor/policy_compat.cGaosheng Cui2023-07-101-0/+1
| | | | | | | | | | | | | | | | | | | | Fix kernel-doc warnings: security/apparmor/policy_compat.c:151: warning: Function parameter or member 'size' not described in 'compute_fperms' Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: Fix kernel-doc warnings in apparmor/policy_unpack.cGaosheng Cui2023-07-101-1/+1
| | | | | | | | | | | | | | | | | | | | Fix kernel-doc warnings: security/apparmor/policy_unpack.c:1173: warning: Function parameter or member 'table_size' not described in 'verify_dfa_accept_index' Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: Fix kernel-doc warnings in apparmor/resource.cGaosheng Cui2023-07-101-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix kernel-doc warnings: security/apparmor/resource.c:111: warning: Function parameter or member 'label' not described in 'aa_task_setrlimit' security/apparmor/resource.c:111: warning: Function parameter or member 'new_rlim' not described in 'aa_task_setrlimit' security/apparmor/resource.c:111: warning: Function parameter or member 'resource' not described in 'aa_task_setrlimit' security/apparmor/resource.c:111: warning: Function parameter or member 'task' not described in 'aa_task_setrlimit' Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: Fix kernel-doc warnings in apparmor/match.cGaosheng Cui2023-07-101-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix kernel-doc warnings: security/apparmor/match.c:148: warning: Function parameter or member 'tables' not described in 'verify_table_headers' security/apparmor/match.c:289: warning: Excess function parameter 'kr' description in 'aa_dfa_free_kref' security/apparmor/match.c:289: warning: Function parameter or member 'kref' not described in 'aa_dfa_free_kref' Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: Fix kernel-doc warnings in apparmor/lib.cGaosheng Cui2023-07-101-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix kernel-doc warnings: security/apparmor/lib.c:33: warning: Excess function parameter 'str' description in 'aa_free_str_table' security/apparmor/lib.c:33: warning: Function parameter or member 't' not described in 'aa_free_str_table' security/apparmor/lib.c:94: warning: Function parameter or member 'n' not described in 'skipn_spaces' security/apparmor/lib.c:390: warning: Excess function parameter 'deny' description in 'aa_check_perms' Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: Fix kernel-doc warnings in apparmor/label.cGaosheng Cui2023-07-101-9/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix kernel-doc warnings: security/apparmor/label.c:166: warning: Excess function parameter 'n' description in 'vec_cmp' security/apparmor/label.c:166: warning: Excess function parameter 'vec' description in 'vec_cmp' security/apparmor/label.c:166: warning: Function parameter or member 'an' not described in 'vec_cmp' security/apparmor/label.c:166: warning: Function parameter or member 'bn' not described in 'vec_cmp' security/apparmor/label.c:166: warning: Function parameter or member 'b' not described in 'vec_cmp' security/apparmor/label.c:2051: warning: Function parameter or member 'label' not described in '__label_update' security/apparmor/label.c:266: warning: Function parameter or member 'flags' not described in 'aa_vec_unique' security/apparmor/label.c:594: warning: Excess function parameter 'l' description in '__label_remove' security/apparmor/label.c:594: warning: Function parameter or member 'label' not described in '__label_remove' security/apparmor/label.c:929: warning: Function parameter or member 'label' not described in 'aa_label_insert' security/apparmor/label.c:929: warning: Function parameter or member 'ls' not described in 'aa_label_insert' security/apparmor/label.c:1221: warning: Excess function parameter 'ls' description in 'aa_label_merge' security/apparmor/label.c:1302: warning: Excess function parameter 'start' description in 'label_compound_match' security/apparmor/label.c:1302: warning: Function parameter or member 'rules' not described in 'label_compound_match' security/apparmor/label.c:1302: warning: Function parameter or member 'state' not described in 'label_compound_match' security/apparmor/label.c:2051: warning: Function parameter or member 'label' not described in '__label_update' Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: Fix kernel-doc warnings in apparmor/file.cGaosheng Cui2023-07-101-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix kernel-doc warnings: security/apparmor/file.c:177: warning: Excess function parameter 'dfa' description in 'aa_lookup_fperms' security/apparmor/file.c:177: warning: Function parameter or member 'file_rules' not described in 'aa_lookup_fperms' security/apparmor/file.c:202: warning: Excess function parameter 'dfa' description in 'aa_str_perms' security/apparmor/file.c:202: warning: Excess function parameter 'state' description in 'aa_str_perms' security/apparmor/file.c:202: warning: Function parameter or member 'file_rules' not described in 'aa_str_perms' security/apparmor/file.c:202: warning: Function parameter or member 'start' not described in 'aa_str_perms' Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: Fix kernel-doc warnings in apparmor/domain.cGaosheng Cui2023-07-101-4/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix kernel-doc warnings: security/apparmor/domain.c:279: warning: Function parameter or member 'perms' not described in 'change_profile_perms' security/apparmor/domain.c:380: warning: Function parameter or member 'bprm' not described in 'find_attach' security/apparmor/domain.c:380: warning: Function parameter or member 'head' not described in 'find_attach' security/apparmor/domain.c:380: warning: Function parameter or member 'info' not described in 'find_attach' security/apparmor/domain.c:380: warning: Function parameter or member 'name' not described in 'find_attach' security/apparmor/domain.c:558: warning: Function parameter or member 'info' not described in 'x_to_label' Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: Fix kernel-doc warnings in apparmor/capability.cGaosheng Cui2023-07-101-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | Fix kernel-doc warnings: security/apparmor/capability.c:45: warning: Function parameter or member 'ab' not described in 'audit_cb' security/apparmor/capability.c:45: warning: Function parameter or member 'va' not described in 'audit_cb' Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: Fix kernel-doc warnings in apparmor/audit.cGaosheng Cui2023-07-101-0/+1
| | | | | | | | | | | | | | | | | | | | Fix kernel-doc warnings: security/apparmor/audit.c:150: warning: Function parameter or member 'type' not described in 'aa_audit_msg' Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: use passed in gfp flags in aa_alloc_null()Dan Carpenter2023-07-091-2/+2
| | | | | | | | | | | | | | | | | | | | These allocations should use the gfp flags from the caller instead of GFP_KERNEL. But from what I can see, all the callers pass in GFP_KERNEL so this does not affect runtime. Fixes: e31dd6e412f7 ("apparmor: fix: kzalloc perms tables for shared dfas") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: advertise availability of exended permsJohn Johansen2023-07-091-0/+3
| | | | | | | | | | | | | | | | | | Userspace won't load policy using extended perms unless it knows the kernel can handle them. Advertise that extended perms are supported in the feature set. Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Jon Tourville <jontourville@me.com>
| * apparmor: remove unused macroGONG, Ruiqi2023-07-091-1/+0
| | | | | | | | | | | | | | SOCK_ctx() doesn't seem to be used anywhere in the code, so remove it. Signed-off-by: GONG, Ruiqi <gongruiqi@huaweicloud.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
| * apparmor: make aa_set_current_onexec return voidQuanfa Fu2023-07-093-6/+3
| | | | | | | | | | | | | | | | | | Change the return type to void since it always return 0, and no need to do the checking in aa_set_current_onexec. Signed-off-by: Quanfa Fu <quanfafu@gmail.com> Reviewed-by: "Tyler Hicks (Microsoft)" <code@tyhicks.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
* | Merge tag 'lsm-pr-20231030' of ↵Linus Torvalds2023-10-301-2/+2
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm Pull LSM updates from Paul Moore: - Add new credential functions, get_cred_many() and put_cred_many() to save some atomic_t operations for a few operations. While not strictly LSM related, this patchset had been rotting on the mailing lists for some time and since the LSMs do care a lot about credentials I thought it reasonable to give this patch a home. - Five patches to constify different LSM hook parameters. - Fix a spelling mistake. * tag 'lsm-pr-20231030' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm: lsm: fix a spelling mistake cred: add get_cred_many and put_cred_many lsm: constify 'sb' parameter in security_sb_kern_mount() lsm: constify 'bprm' parameter in security_bprm_committed_creds() lsm: constify 'bprm' parameter in security_bprm_committing_creds() lsm: constify 'file' parameter in security_bprm_creds_from_file() lsm: constify 'sb' parameter in security_quotactl()
| * | lsm: constify 'bprm' parameter in security_bprm_committed_creds()Khadija Kamran2023-09-141-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Three LSMs register the implementations for the 'bprm_committed_creds()' hook: AppArmor, SELinux and tomoyo. Looking at the function implementations we may observe that the 'bprm' parameter is not changing. Mark the 'bprm' parameter of LSM hook security_bprm_committed_creds() as 'const' since it will not be changing in the LSM hook. Signed-off-by: Khadija Kamran <kamrankhadijadj@gmail.com> [PM: minor merge fuzzing due to other constification patches] Signed-off-by: Paul Moore <paul@paul-moore.com>
| * | lsm: constify 'bprm' parameter in security_bprm_committing_creds()Khadija Kamran2023-09-131-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The 'bprm_committing_creds' hook has implementations registered in SELinux and Apparmor. Looking at the function implementations we observe that the 'bprm' parameter is not changing. Mark the 'bprm' parameter of LSM hook security_bprm_committing_creds() as 'const' since it will not be changing in the LSM hook. Signed-off-by: Khadija Kamran <kamrankhadijadj@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
* | | apparmor: convert to new timestamp accessorsJeff Layton2023-10-182-5/+6
|/ / | | | | | | | | | | | | | | Convert to using the new inode timestamp accessor functions. Signed-off-by: Jeff Layton <jlayton@kernel.org> Link: https://lore.kernel.org/r/20231004185347.80880-82-jlayton@kernel.org Signed-off-by: Christian Brauner <brauner@kernel.org>
* | Merge tag 'lsm-pr-20230829' of ↵Linus Torvalds2023-08-301-1/+1
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm Pull LSM updates from Paul Moore: - Add proper multi-LSM support for xattrs in the security_inode_init_security() hook Historically the LSM layer has only allowed a single LSM to add an xattr to an inode, with IMA/EVM measuring that and adding its own as well. As we work towards promoting IMA/EVM to a "proper LSM" instead of the special case that it is now, we need to better support the case of multiple LSMs each adding xattrs to an inode and after several attempts we now appear to have something that is working well. It is worth noting that in the process of making this change we uncovered a problem with Smack's SMACK64TRANSMUTE xattr which is also fixed in this pull request. - Additional LSM hook constification Two patches to constify parameters to security_capget() and security_binder_transfer_file(). While I generally don't make a special note of who submitted these patches, these were the work of an Outreachy intern, Khadija Kamran, and that makes me happy; hopefully it does the same for all of you reading this. - LSM hook comment header fixes One patch to add a missing hook comment header, one to fix a minor typo. - Remove an old, unused credential function declaration It wasn't clear to me who should pick this up, but it was trivial, obviously correct, and arguably the LSM layer has a vested interest in credentials so I merged it. Sadly I'm now noticing that despite my subject line cleanup I didn't cleanup the "unsued" misspelling, sigh * tag 'lsm-pr-20230829' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm: lsm: constify the 'file' parameter in security_binder_transfer_file() lsm: constify the 'target' parameter in security_capget() lsm: add comment block for security_sk_classify_flow LSM hook security: Fix ret values doc for security_inode_init_security() cred: remove unsued extern declaration change_create_files_as() evm: Support multiple LSMs providing an xattr evm: Align evm_inode_init_security() definition with LSM infrastructure smack: Set the SMACK64TRANSMUTE xattr in smack_inode_init_security() security: Allow all LSMs to provide xattrs for inode_init_security hook lsm: fix typo in security_file_lock() comment header
| * | lsm: constify the 'target' parameter in security_capget()Khadija Kamran2023-08-081-1/+1
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Three LSMs register the implementations for the "capget" hook: AppArmor, SELinux, and the normal capability code. Looking at the function implementations we may observe that the first parameter "target" is not changing. Mark the first argument "target" of LSM hook security_capget() as "const" since it will not be changing in the LSM hook. cap_capget() LSM hook declaration exceeds the 80 characters per line limit. Split the function declaration to multiple lines to decrease the line length. Signed-off-by: Khadija Kamran <kamrankhadijadj@gmail.com> Acked-by: John Johansen <john.johansen@canonical.com> [PM: align the cap_capget() declaration, spelling fixes] Signed-off-by: Paul Moore <paul@paul-moore.com>
* | apparmor: convert to ctime accessor functionsJeff Layton2023-07-242-5/+5
| | | | | | | | | | | | | | | | | | | | | | In later patches, we're going to change how the inode's ctime field is used. Switch to using accessor functions instead of raw accesses of inode->i_ctime. Signed-off-by: Jeff Layton <jlayton@kernel.org> Reviewed-by: Jan Kara <jack@suse.cz> Message-Id: <20230705190309.579783-87-jlayton@kernel.org> Signed-off-by: Christian Brauner <brauner@kernel.org>
* | apparmor: update ctime whenever the mtime changes on an inodeJeff Layton2023-07-102-6/+12
|/ | | | | | | | | | In general, when updating the mtime on an inode, one must also update the ctime. Add the missing ctime updates. Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Jeff Layton <jlayton@kernel.org> Message-Id: <20230705190309.579783-5-jlayton@kernel.org> Signed-off-by: Christian Brauner <brauner@kernel.org>
* Merge tag 'apparmor-pr-2023-07-06' of ↵Linus Torvalds2023-07-078-68/+110
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor Pull apparmor updates from John Johansen: - fix missing error check for rhashtable_insert_fast - add missing failure check in compute_xmatch_perms - fix policy_compat permission remap with extended permissions - fix profile verification and enable it - fix kzalloc perms tables for shared dfas - Fix kernel-doc header for verify_dfa_accept_index - aa_buffer: Convert 1-element array to flexible array - Return directly after a failed kzalloc() in two functions - fix use of strcpy in policy_unpack_test - fix kernel-doc complaints - Fix some kernel-doc comments * tag 'apparmor-pr-2023-07-06' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: apparmor: Fix kernel-doc header for verify_dfa_accept_index apparmor: fix: kzalloc perms tables for shared dfas apparmor: fix profile verification and enable it apparmor: fix policy_compat permission remap with extended permissions apparmor: aa_buffer: Convert 1-element array to flexible array apparmor: add missing failure check in compute_xmatch_perms apparmor: fix missing error check for rhashtable_insert_fast apparmor: Return directly after a failed kzalloc() in two functions AppArmor: Fix some kernel-doc comments apparmor: fix use of strcpy in policy_unpack_test apparmor: fix kernel-doc complaints