<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/security/apparmor, branch linux-6.11.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>apparmor: test: Fix memory leak for aa_unpack_strdup()</title>
<updated>2024-12-05T12:54:11+00:00</updated>
<author>
<name>Jinjie Ruan</name>
<email>ruanjinjie@huawei.com</email>
</author>
<published>2024-10-11T01:22:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=59a149e7c38e7b76616c8b333fc6aa5b6fb2293c'/>
<id>59a149e7c38e7b76616c8b333fc6aa5b6fb2293c</id>
<content type='text'>
commit 7290f59231910ccba427d441a6e8b8c6f6112448 upstream.

The string allocated by kmemdup() in aa_unpack_strdup() is not
freed and cause following memory leaks, free them to fix it.

	unreferenced object 0xffffff80c6af8a50 (size 8):
	  comm "kunit_try_catch", pid 225, jiffies 4294894407
	  hex dump (first 8 bytes):
	    74 65 73 74 69 6e 67 00                          testing.
	  backtrace (crc 5eab668b):
	    [&lt;0000000001e3714d&gt;] kmemleak_alloc+0x34/0x40
	    [&lt;000000006e6c7776&gt;] __kmalloc_node_track_caller_noprof+0x300/0x3e0
	    [&lt;000000006870467c&gt;] kmemdup_noprof+0x34/0x60
	    [&lt;000000001176bb03&gt;] aa_unpack_strdup+0xd0/0x18c
	    [&lt;000000008ecde918&gt;] policy_unpack_test_unpack_strdup_with_null_name+0xf8/0x3ec
	    [&lt;0000000032ef8f77&gt;] kunit_try_run_case+0x13c/0x3ac
	    [&lt;00000000f3edea23&gt;] kunit_generic_run_threadfn_adapter+0x80/0xec
	    [&lt;00000000adf936cf&gt;] kthread+0x2e8/0x374
	    [&lt;0000000041bb1628&gt;] ret_from_fork+0x10/0x20
	unreferenced object 0xffffff80c2a29090 (size 8):
	  comm "kunit_try_catch", pid 227, jiffies 4294894409
	  hex dump (first 8 bytes):
	    74 65 73 74 69 6e 67 00                          testing.
	  backtrace (crc 5eab668b):
	    [&lt;0000000001e3714d&gt;] kmemleak_alloc+0x34/0x40
	    [&lt;000000006e6c7776&gt;] __kmalloc_node_track_caller_noprof+0x300/0x3e0
	    [&lt;000000006870467c&gt;] kmemdup_noprof+0x34/0x60
	    [&lt;000000001176bb03&gt;] aa_unpack_strdup+0xd0/0x18c
	    [&lt;0000000046a45c1a&gt;] policy_unpack_test_unpack_strdup_with_name+0xd0/0x3c4
	    [&lt;0000000032ef8f77&gt;] kunit_try_run_case+0x13c/0x3ac
	    [&lt;00000000f3edea23&gt;] kunit_generic_run_threadfn_adapter+0x80/0xec
	    [&lt;00000000adf936cf&gt;] kthread+0x2e8/0x374
	    [&lt;0000000041bb1628&gt;] ret_from_fork+0x10/0x20

Cc: stable@vger.kernel.org
Fixes: 4d944bcd4e73 ("apparmor: add AppArmor KUnit tests for policy unpack")
Signed-off-by: Jinjie Ruan &lt;ruanjinjie@huawei.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 7290f59231910ccba427d441a6e8b8c6f6112448 upstream.

The string allocated by kmemdup() in aa_unpack_strdup() is not
freed and cause following memory leaks, free them to fix it.

	unreferenced object 0xffffff80c6af8a50 (size 8):
	  comm "kunit_try_catch", pid 225, jiffies 4294894407
	  hex dump (first 8 bytes):
	    74 65 73 74 69 6e 67 00                          testing.
	  backtrace (crc 5eab668b):
	    [&lt;0000000001e3714d&gt;] kmemleak_alloc+0x34/0x40
	    [&lt;000000006e6c7776&gt;] __kmalloc_node_track_caller_noprof+0x300/0x3e0
	    [&lt;000000006870467c&gt;] kmemdup_noprof+0x34/0x60
	    [&lt;000000001176bb03&gt;] aa_unpack_strdup+0xd0/0x18c
	    [&lt;000000008ecde918&gt;] policy_unpack_test_unpack_strdup_with_null_name+0xf8/0x3ec
	    [&lt;0000000032ef8f77&gt;] kunit_try_run_case+0x13c/0x3ac
	    [&lt;00000000f3edea23&gt;] kunit_generic_run_threadfn_adapter+0x80/0xec
	    [&lt;00000000adf936cf&gt;] kthread+0x2e8/0x374
	    [&lt;0000000041bb1628&gt;] ret_from_fork+0x10/0x20
	unreferenced object 0xffffff80c2a29090 (size 8):
	  comm "kunit_try_catch", pid 227, jiffies 4294894409
	  hex dump (first 8 bytes):
	    74 65 73 74 69 6e 67 00                          testing.
	  backtrace (crc 5eab668b):
	    [&lt;0000000001e3714d&gt;] kmemleak_alloc+0x34/0x40
	    [&lt;000000006e6c7776&gt;] __kmalloc_node_track_caller_noprof+0x300/0x3e0
	    [&lt;000000006870467c&gt;] kmemdup_noprof+0x34/0x60
	    [&lt;000000001176bb03&gt;] aa_unpack_strdup+0xd0/0x18c
	    [&lt;0000000046a45c1a&gt;] policy_unpack_test_unpack_strdup_with_name+0xd0/0x3c4
	    [&lt;0000000032ef8f77&gt;] kunit_try_run_case+0x13c/0x3ac
	    [&lt;00000000f3edea23&gt;] kunit_generic_run_threadfn_adapter+0x80/0xec
	    [&lt;00000000adf936cf&gt;] kthread+0x2e8/0x374
	    [&lt;0000000041bb1628&gt;] ret_from_fork+0x10/0x20

Cc: stable@vger.kernel.org
Fixes: 4d944bcd4e73 ("apparmor: add AppArmor KUnit tests for policy unpack")
Signed-off-by: Jinjie Ruan &lt;ruanjinjie@huawei.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>apparmor: fix 'Do simple duplicate message elimination'</title>
<updated>2024-12-05T12:54:05+00:00</updated>
<author>
<name>chao liu</name>
<email>liuzgyid@outlook.com</email>
</author>
<published>2023-06-27T02:03:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2be9d38ad87252ada540d1a79b9d09142244da3a'/>
<id>2be9d38ad87252ada540d1a79b9d09142244da3a</id>
<content type='text'>
[ Upstream commit 9b897132424fe76bf6c61f22f9cf12af7f1d1e6a ]

Multiple profiles shared 'ent-&gt;caps', so some logs missed.

Fixes: 0ed3b28ab8bf ("AppArmor: mediation of non file objects")
Signed-off-by: chao liu &lt;liuzgyid@outlook.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 9b897132424fe76bf6c61f22f9cf12af7f1d1e6a ]

Multiple profiles shared 'ent-&gt;caps', so some logs missed.

Fixes: 0ed3b28ab8bf ("AppArmor: mediation of non file objects")
Signed-off-by: chao liu &lt;liuzgyid@outlook.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>lsm: infrastructure management of the sock security</title>
<updated>2024-10-04T14:38:53+00:00</updated>
<author>
<name>Casey Schaufler</name>
<email>casey@schaufler-ca.com</email>
</author>
<published>2024-07-10T21:32:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6033ffb6532ae3c3f6b6552ea61032372af01b7b'/>
<id>6033ffb6532ae3c3f6b6552ea61032372af01b7b</id>
<content type='text'>
[ Upstream commit 2aff9d20d50ac45dd13a013ef5231f4fb8912356 ]

Move management of the sock-&gt;sk_security blob out
of the individual security modules and into the security
infrastructure. Instead of allocating the blobs from within
the modules the modules tell the infrastructure how much
space is required, and the space is allocated there.

Acked-by: Paul Moore &lt;paul@paul-moore.com&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Reviewed-by: John Johansen &lt;john.johansen@canonical.com&gt;
Acked-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Signed-off-by: Casey Schaufler &lt;casey@schaufler-ca.com&gt;
[PM: subject tweak]
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
Stable-dep-of: 63dff3e48871 ("lsm: add the inode_free_security_rcu() LSM implementation hook")
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 2aff9d20d50ac45dd13a013ef5231f4fb8912356 ]

Move management of the sock-&gt;sk_security blob out
of the individual security modules and into the security
infrastructure. Instead of allocating the blobs from within
the modules the modules tell the infrastructure how much
space is required, and the space is allocated there.

Acked-by: Paul Moore &lt;paul@paul-moore.com&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Reviewed-by: John Johansen &lt;john.johansen@canonical.com&gt;
Acked-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
Signed-off-by: Casey Schaufler &lt;casey@schaufler-ca.com&gt;
[PM: subject tweak]
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
Stable-dep-of: 63dff3e48871 ("lsm: add the inode_free_security_rcu() LSM implementation hook")
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>apparmor: fix policy_unpack_test on big endian systems</title>
<updated>2024-08-25T22:26:30+00:00</updated>
<author>
<name>Guenter Roeck</name>
<email>linux@roeck-us.net</email>
</author>
<published>2024-08-08T15:50:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=98c0cc48e27e9d269a3e4db2acd72b486c88ec77'/>
<id>98c0cc48e27e9d269a3e4db2acd72b486c88ec77</id>
<content type='text'>
policy_unpack_test fails on big endian systems because data byte order
is expected to be little endian but is generated in host byte order.
This results in test failures such as:

 # policy_unpack_test_unpack_array_with_null_name: EXPECTATION FAILED at security/apparmor/policy_unpack_test.c:150
    Expected array_size == (u16)16, but
        array_size == 4096 (0x1000)
        (u16)16 == 16 (0x10)
    # policy_unpack_test_unpack_array_with_null_name: pass:0 fail:1 skip:0 total:1
    not ok 3 policy_unpack_test_unpack_array_with_null_name
    # policy_unpack_test_unpack_array_with_name: EXPECTATION FAILED at security/apparmor/policy_unpack_test.c:164
    Expected array_size == (u16)16, but
        array_size == 4096 (0x1000)
        (u16)16 == 16 (0x10)
    # policy_unpack_test_unpack_array_with_name: pass:0 fail:1 skip:0 total:1

Add the missing endianness conversions when generating test data.

Fixes: 4d944bcd4e73 ("apparmor: add AppArmor KUnit tests for policy unpack")
Cc: Brendan Higgins &lt;brendanhiggins@google.com&gt;
Cc: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Guenter Roeck &lt;linux@roeck-us.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
policy_unpack_test fails on big endian systems because data byte order
is expected to be little endian but is generated in host byte order.
This results in test failures such as:

 # policy_unpack_test_unpack_array_with_null_name: EXPECTATION FAILED at security/apparmor/policy_unpack_test.c:150
    Expected array_size == (u16)16, but
        array_size == 4096 (0x1000)
        (u16)16 == 16 (0x10)
    # policy_unpack_test_unpack_array_with_null_name: pass:0 fail:1 skip:0 total:1
    not ok 3 policy_unpack_test_unpack_array_with_null_name
    # policy_unpack_test_unpack_array_with_name: EXPECTATION FAILED at security/apparmor/policy_unpack_test.c:164
    Expected array_size == (u16)16, but
        array_size == 4096 (0x1000)
        (u16)16 == 16 (0x10)
    # policy_unpack_test_unpack_array_with_name: pass:0 fail:1 skip:0 total:1

Add the missing endianness conversions when generating test data.

Fixes: 4d944bcd4e73 ("apparmor: add AppArmor KUnit tests for policy unpack")
Cc: Brendan Higgins &lt;brendanhiggins@google.com&gt;
Cc: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Guenter Roeck &lt;linux@roeck-us.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'apparmor-pr-2024-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor</title>
<updated>2024-07-27T20:28:39+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2024-07-27T20:28:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ff30564411ffdcee49d579cb15eb13185a36e253'/>
<id>ff30564411ffdcee49d579cb15eb13185a36e253</id>
<content type='text'>
Pull apparmor updates from John Johansen:
 "Cleanups
   - optimization: try to avoid refing the label in apparmor_file_open
   - remove useless static inline function is_deleted
   - use kvfree_sensitive to free data-&gt;data
   - fix typo in kernel doc

  Bug fixes:
   - unpack transition table if dfa is not present
   - test: add MODULE_DESCRIPTION()
   - take nosymfollow flag into account
   - fix possible NULL pointer dereference
   - fix null pointer deref when receiving skb during sock creation"

* tag 'apparmor-pr-2024-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
  apparmor: unpack transition table if dfa is not present
  apparmor: try to avoid refing the label in apparmor_file_open
  apparmor: test: add MODULE_DESCRIPTION()
  apparmor: take nosymfollow flag into account
  apparmor: fix possible NULL pointer dereference
  apparmor: fix typo in kernel doc
  apparmor: remove useless static inline function is_deleted
  apparmor: use kvfree_sensitive to free data-&gt;data
  apparmor: Fix null pointer deref when receiving skb during sock creation
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull apparmor updates from John Johansen:
 "Cleanups
   - optimization: try to avoid refing the label in apparmor_file_open
   - remove useless static inline function is_deleted
   - use kvfree_sensitive to free data-&gt;data
   - fix typo in kernel doc

  Bug fixes:
   - unpack transition table if dfa is not present
   - test: add MODULE_DESCRIPTION()
   - take nosymfollow flag into account
   - fix possible NULL pointer dereference
   - fix null pointer deref when receiving skb during sock creation"

* tag 'apparmor-pr-2024-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
  apparmor: unpack transition table if dfa is not present
  apparmor: try to avoid refing the label in apparmor_file_open
  apparmor: test: add MODULE_DESCRIPTION()
  apparmor: take nosymfollow flag into account
  apparmor: fix possible NULL pointer dereference
  apparmor: fix typo in kernel doc
  apparmor: remove useless static inline function is_deleted
  apparmor: use kvfree_sensitive to free data-&gt;data
  apparmor: Fix null pointer deref when receiving skb during sock creation
</pre>
</div>
</content>
</entry>
<entry>
<title>sysctl: treewide: constify the ctl_table argument of proc_handlers</title>
<updated>2024-07-24T18:59:29+00:00</updated>
<author>
<name>Joel Granados</name>
<email>j.granados@samsung.com</email>
</author>
<published>2024-07-24T18:59:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=78eb4ea25cd5fdbdae7eb9fdf87b99195ff67508'/>
<id>78eb4ea25cd5fdbdae7eb9fdf87b99195ff67508</id>
<content type='text'>
const qualify the struct ctl_table argument in the proc_handler function
signatures. This is a prerequisite to moving the static ctl_table
structs into .rodata data which will ensure that proc_handler function
pointers cannot be modified.

This patch has been generated by the following coccinelle script:

```
  virtual patch

  @r1@
  identifier ctl, write, buffer, lenp, ppos;
  identifier func !~ "appldata_(timer|interval)_handler|sched_(rt|rr)_handler|rds_tcp_skbuf_handler|proc_sctp_do_(hmac_alg|rto_min|rto_max|udp_port|alpha_beta|auth|probe_interval)";
  @@

  int func(
  - struct ctl_table *ctl
  + const struct ctl_table *ctl
    ,int write, void *buffer, size_t *lenp, loff_t *ppos);

  @r2@
  identifier func, ctl, write, buffer, lenp, ppos;
  @@

  int func(
  - struct ctl_table *ctl
  + const struct ctl_table *ctl
    ,int write, void *buffer, size_t *lenp, loff_t *ppos)
  { ... }

  @r3@
  identifier func;
  @@

  int func(
  - struct ctl_table *
  + const struct ctl_table *
    ,int , void *, size_t *, loff_t *);

  @r4@
  identifier func, ctl;
  @@

  int func(
  - struct ctl_table *ctl
  + const struct ctl_table *ctl
    ,int , void *, size_t *, loff_t *);

  @r5@
  identifier func, write, buffer, lenp, ppos;
  @@

  int func(
  - struct ctl_table *
  + const struct ctl_table *
    ,int write, void *buffer, size_t *lenp, loff_t *ppos);

```

* Code formatting was adjusted in xfs_sysctl.c to comply with code
  conventions. The xfs_stats_clear_proc_handler,
  xfs_panic_mask_proc_handler and xfs_deprecated_dointvec_minmax where
  adjusted.

* The ctl_table argument in proc_watchdog_common was const qualified.
  This is called from a proc_handler itself and is calling back into
  another proc_handler, making it necessary to change it as part of the
  proc_handler migration.

Co-developed-by: Thomas Weißschuh &lt;linux@weissschuh.net&gt;
Signed-off-by: Thomas Weißschuh &lt;linux@weissschuh.net&gt;
Co-developed-by: Joel Granados &lt;j.granados@samsung.com&gt;
Signed-off-by: Joel Granados &lt;j.granados@samsung.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
const qualify the struct ctl_table argument in the proc_handler function
signatures. This is a prerequisite to moving the static ctl_table
structs into .rodata data which will ensure that proc_handler function
pointers cannot be modified.

This patch has been generated by the following coccinelle script:

```
  virtual patch

  @r1@
  identifier ctl, write, buffer, lenp, ppos;
  identifier func !~ "appldata_(timer|interval)_handler|sched_(rt|rr)_handler|rds_tcp_skbuf_handler|proc_sctp_do_(hmac_alg|rto_min|rto_max|udp_port|alpha_beta|auth|probe_interval)";
  @@

  int func(
  - struct ctl_table *ctl
  + const struct ctl_table *ctl
    ,int write, void *buffer, size_t *lenp, loff_t *ppos);

  @r2@
  identifier func, ctl, write, buffer, lenp, ppos;
  @@

  int func(
  - struct ctl_table *ctl
  + const struct ctl_table *ctl
    ,int write, void *buffer, size_t *lenp, loff_t *ppos)
  { ... }

  @r3@
  identifier func;
  @@

  int func(
  - struct ctl_table *
  + const struct ctl_table *
    ,int , void *, size_t *, loff_t *);

  @r4@
  identifier func, ctl;
  @@

  int func(
  - struct ctl_table *ctl
  + const struct ctl_table *ctl
    ,int , void *, size_t *, loff_t *);

  @r5@
  identifier func, write, buffer, lenp, ppos;
  @@

  int func(
  - struct ctl_table *
  + const struct ctl_table *
    ,int write, void *buffer, size_t *lenp, loff_t *ppos);

```

* Code formatting was adjusted in xfs_sysctl.c to comply with code
  conventions. The xfs_stats_clear_proc_handler,
  xfs_panic_mask_proc_handler and xfs_deprecated_dointvec_minmax where
  adjusted.

* The ctl_table argument in proc_watchdog_common was const qualified.
  This is called from a proc_handler itself and is calling back into
  another proc_handler, making it necessary to change it as part of the
  proc_handler migration.

Co-developed-by: Thomas Weißschuh &lt;linux@weissschuh.net&gt;
Signed-off-by: Thomas Weißschuh &lt;linux@weissschuh.net&gt;
Co-developed-by: Joel Granados &lt;j.granados@samsung.com&gt;
Signed-off-by: Joel Granados &lt;j.granados@samsung.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>apparmor: unpack transition table if dfa is not present</title>
<updated>2024-07-24T18:15:06+00:00</updated>
<author>
<name>Georgia Garcia</name>
<email>georgia.garcia@canonical.com</email>
</author>
<published>2024-06-10T12:51:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e0ff0cff1f6cdce0aa596aac04129893201c4162'/>
<id>e0ff0cff1f6cdce0aa596aac04129893201c4162</id>
<content type='text'>
Due to a bug in earlier userspaces, a transition table may be present
even when the dfa is not. Commit 7572fea31e3e
("apparmor: convert fperm lookup to use accept as an index") made the
verification check more rigourous regressing old userspaces with
the bug. For compatibility reasons allow the orphaned transition table
during unpack and discard.

Fixes: 7572fea31e3e ("apparmor: convert fperm lookup to use accept as an index")
Signed-off-by: Georgia Garcia &lt;georgia.garcia@canonical.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Due to a bug in earlier userspaces, a transition table may be present
even when the dfa is not. Commit 7572fea31e3e
("apparmor: convert fperm lookup to use accept as an index") made the
verification check more rigourous regressing old userspaces with
the bug. For compatibility reasons allow the orphaned transition table
during unpack and discard.

Fixes: 7572fea31e3e ("apparmor: convert fperm lookup to use accept as an index")
Signed-off-by: Georgia Garcia &lt;georgia.garcia@canonical.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>apparmor: try to avoid refing the label in apparmor_file_open</title>
<updated>2024-07-24T18:05:14+00:00</updated>
<author>
<name>Mateusz Guzik</name>
<email>mjguzik@gmail.com</email>
</author>
<published>2024-06-20T17:15:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f4fee216df7d28b87d1c9cc60bcebfecb51c1a05'/>
<id>f4fee216df7d28b87d1c9cc60bcebfecb51c1a05</id>
<content type='text'>
If the label is not stale (which is the common case), the fact that the
passed file object holds a reference can be leverged to avoid the
ref/unref cycle. Doing so reduces performance impact of apparmor on
parallel open() invocations.

When benchmarking on a 24-core vm using will-it-scale's open1_process
("Separate file open"), the results are (ops/s):
before: 6092196
after:  8309726 (+36%)

Signed-off-by: Mateusz Guzik &lt;mjguzik@gmail.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If the label is not stale (which is the common case), the fact that the
passed file object holds a reference can be leverged to avoid the
ref/unref cycle. Doing so reduces performance impact of apparmor on
parallel open() invocations.

When benchmarking on a 24-core vm using will-it-scale's open1_process
("Separate file open"), the results are (ops/s):
before: 6092196
after:  8309726 (+36%)

Signed-off-by: Mateusz Guzik &lt;mjguzik@gmail.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>apparmor: test: add MODULE_DESCRIPTION()</title>
<updated>2024-07-24T17:35:31+00:00</updated>
<author>
<name>Jeff Johnson</name>
<email>quic_jjohnson@quicinc.com</email>
</author>
<published>2024-05-30T01:21:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4b954a025591a1c7d3a0c0111b6d4730596046b6'/>
<id>4b954a025591a1c7d3a0c0111b6d4730596046b6</id>
<content type='text'>
Fix the 'make W=1' warning:
WARNING: modpost: missing MODULE_DESCRIPTION() in security/apparmor/apparmor_policy_unpack_test.o

Signed-off-by: Jeff Johnson &lt;quic_jjohnson@quicinc.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fix the 'make W=1' warning:
WARNING: modpost: missing MODULE_DESCRIPTION() in security/apparmor/apparmor_policy_unpack_test.o

Signed-off-by: Jeff Johnson &lt;quic_jjohnson@quicinc.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>apparmor: take nosymfollow flag into account</title>
<updated>2024-07-24T17:33:58+00:00</updated>
<author>
<name>Alexander Mikhalitsyn</name>
<email>aleksandr.mikhalitsyn@canonical.com</email>
</author>
<published>2024-06-28T15:37:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=33be0cfa5ba522ba88ba25cb95e582932843409b'/>
<id>33be0cfa5ba522ba88ba25cb95e582932843409b</id>
<content type='text'>
A "nosymfollow" flag was added in commit
dab741e0e02b ("Add a "nosymfollow" mount option.")

While we don't need to implement any special logic on
the AppArmor kernel side to handle it, we should provide
user with a correct list of mount flags in audit logs.

Signed-off-by: Alexander Mikhalitsyn &lt;aleksandr.mikhalitsyn@canonical.com&gt;
Reviewed-by: Georgia Garcia &lt;georgia.garcia@canonical.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
A "nosymfollow" flag was added in commit
dab741e0e02b ("Add a "nosymfollow" mount option.")

While we don't need to implement any special logic on
the AppArmor kernel side to handle it, we should provide
user with a correct list of mount flags in audit logs.

Signed-off-by: Alexander Mikhalitsyn &lt;aleksandr.mikhalitsyn@canonical.com&gt;
Reviewed-by: Georgia Garcia &lt;georgia.garcia@canonical.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
