linux-stable.git/security/apparmor/include, branch linux-3.10.y Linux kernel stable tree apparmor: fix module parameters can be changed after policy is locked 2017-06-20T12:04:13+00:00 John Johansen john.johansen@canonical.com 2016-06-23T01:01:08+00:00 a078d77fb083a364341b376c8cfec25c00f50ee2 commit 58acf9d911c8831156634a44d0b022d683e1e50c upstream. the policy_lock parameter is a one way switch that prevents policy from being further modified. Unfortunately some of the module parameters can effectively modify policy by turning off enforcement. split policy_admin_capable into a view check and a full admin check, and update the admin check to test the policy_lock parameter. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Willy Tarreau <w@1wt.eu> 
commit 58acf9d911c8831156634a44d0b022d683e1e50c upstream.

the policy_lock parameter is a one way switch that prevents policy
from being further modified. Unfortunately some of the module parameters
can effectively modify policy by turning off enforcement.

split policy_admin_capable into a view check and a full admin check,
and update the admin check to test the policy_lock parameter.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
apparmor: add missing id bounds check on dfa verification 2017-06-20T12:04:12+00:00 John Johansen john.johansen@canonical.com 2016-06-02T09:37:02+00:00 efbb2d5b9dad87aea586b21ba861aba605d35bf7 commit 15756178c6a65b261a080e21af4766f59cafc112 upstream. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Willy Tarreau <w@1wt.eu> 
commit 15756178c6a65b261a080e21af4766f59cafc112 upstream.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
userns: Convert apparmor to use kuid and kgid where appropriate 2012-09-21T10:13:21+00:00 Eric W. Biederman ebiederm@xmission.com 2012-02-08T00:33:13+00:00 2db81452931eb51cc739d6e495cf1bd4860c3c99 Cc: John Johansen <john.johansen@canonical.com> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> 
Cc: John Johansen <john.johansen@canonical.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
apparmor: move task from common_audit_data to apparmor_audit_data 2012-04-09T16:23:02+00:00 Eric Paris eparis@redhat.com 2012-04-04T19:01:42+00:00 0972c74ecba4878baa5f97bb78b242c0eefacfb6 apparmor is the only LSM that uses the common_audit_data tsk field. Instead of making all LSMs pay for the stack space move the aa usage into the apparmor_audit_data. Signed-off-by: Eric Paris <eparis@redhat.com> 
apparmor is the only LSM that uses the common_audit_data tsk field.
Instead of making all LSMs pay for the stack space move the aa usage into
the apparmor_audit_data.

Signed-off-by: Eric Paris <eparis@redhat.com>
LSM: shrink sizeof LSM specific portion of common_audit_data 2012-04-03T16:48:40+00:00 Eric Paris eparis@redhat.com 2012-04-03T16:37:02+00:00 3b3b0e4fc15efa507b902d90cea39e496a523c3b Linus found that the gigantic size of the common audit data caused a big perf hit on something as simple as running stat() in a loop. This patch requires LSMs to declare the LSM specific portion separately rather than doing it in a union. Thus each LSM can be responsible for shrinking their portion and don't have to pay a penalty just because other LSMs have a bigger space requirement. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
Linus found that the gigantic size of the common audit data caused a big
perf hit on something as simple as running stat() in a loop.  This patch
requires LSMs to declare the LSM specific portion separately rather than
doing it in a union.  Thus each LSM can be responsible for shrinking their
portion and don't have to pay a penalty just because other LSMs have a
bigger space requirement.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
AppArmor: add const qualifiers to string arrays 2012-03-15T02:09:13+00:00 Jan Engelhardt jengelh@medozas.de 2012-03-14T12:30:36+00:00 2d4cee7e3a2b9f9c3237672cc136e20dbad0e2ce Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: John Johansen <john.johansen@canonical.com> 
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
AppArmor: Add ability to load extended policy 2012-03-15T02:09:03+00:00 John Johansen john.johansen@canonical.com 2012-02-16T15:07:53+00:00 ad5ff3db53c68c2f12936bc74ea5dfe0af943592 Add the base support for the new policy extensions. This does not bring any additional functionality, or change current semantics. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com> 
Add the base support for the new policy extensions. This does not bring
any additional functionality, or change current semantics.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
AppArmor: Move path failure information into aa_get_name and rename 2012-03-14T13:15:25+00:00 John Johansen john.johansen@canonical.com 2012-02-16T14:20:33+00:00 57fa1e18091e66b7e1002816523cb218196a882e Move the path name lookup failure messages into the main path name lookup routine, as the information is useful in more than just aa_path_perm. Also rename aa_get_name to aa_path_name as it is not getting a reference counted object with a corresponding put fn. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com> 
Move the path name lookup failure messages into the main path name lookup
routine, as the information is useful in more than just aa_path_perm.

Also rename aa_get_name to aa_path_name as it is not getting a reference
counted object with a corresponding put fn.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
AppArmor: Update dfa matching routines. 2012-03-14T13:15:24+00:00 John Johansen john.johansen@canonical.com 2012-02-16T14:20:26+00:00 0fe1212d0539eb6c1e27d388711172d786e299cc Update aa_dfa_match so that it doesn't result in an input string being walked twice (once to get its length and another time to match) Add a single step functions aa_dfa_next Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com> 
Update aa_dfa_match so that it doesn't result in an input string being
walked twice (once to get its length and another time to match)

Add a single step functions
  aa_dfa_next

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
AppArmor: Fix underflow in xindex calculation 2012-02-27T19:38:21+00:00 John Johansen john.johansen@canonical.com 2012-02-22T08:32:30+00:00 8b964eae204d791421677ec56b94a7b18cf8740d If the xindex value stored in the accept tables is 0, the extraction of that value will result in an underflow (0 - 4). In properly compiled policy this should not happen for file rules but it may be possible for other rule types in the future. To exploit this underflow a user would have to be able to load a corrupt policy, which requires CAP_MAC_ADMIN, overwrite system policy in kernel memory or know of a compiler error resulting in the flaw being present for loaded policy (no such flaw is known at this time). Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com> 
If the xindex value stored in the accept tables is 0, the extraction of
that value will result in an underflow (0 - 4).

In properly compiled policy this should not happen for file rules but
it may be possible for other rule types in the future.

To exploit this underflow a user would have to be able to load a corrupt
policy, which requires CAP_MAC_ADMIN, overwrite system policy in kernel
memory or know of a compiler error resulting in the flaw being present
for loaded policy (no such flaw is known at this time).

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>