<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/security/apparmor/Kconfig, branch v5.8</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>security: apparmor: default KUNIT_* fragments to KUNIT_ALL_TESTS</title>
<updated>2020-06-01T20:25:15+00:00</updated>
<author>
<name>Anders Roxell</name>
<email>anders.roxell@linaro.org</email>
</author>
<published>2020-05-11T13:14:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=6d6861d45e38d42a7df9db244c871ee3856acf57'/>
<id>6d6861d45e38d42a7df9db244c871ee3856acf57</id>
<content type='text'>
This makes it easier to enable all KUnit fragments.

Adding 'if !KUNIT_ALL_TESTS' so individual tests can not be turned off.
Therefore if KUNIT_ALL_TESTS is enabled that will hide the prompt in
menuconfig.

Reviewed-by: David Gow &lt;davidgow@google.com&gt;
Signed-off-by: Anders Roxell &lt;anders.roxell@linaro.org&gt;
Acked-by: John Johansen &lt;john.johansen@canonical.com&gt;
Signed-off-by: Shuah Khan &lt;skhan@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This makes it easier to enable all KUnit fragments.

Adding 'if !KUNIT_ALL_TESTS' so individual tests can not be turned off.
Therefore if KUNIT_ALL_TESTS is enabled that will hide the prompt in
menuconfig.

Reviewed-by: David Gow &lt;davidgow@google.com&gt;
Signed-off-by: Anders Roxell &lt;anders.roxell@linaro.org&gt;
Acked-by: John Johansen &lt;john.johansen@canonical.com&gt;
Signed-off-by: Shuah Khan &lt;skhan@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>kunit: building kunit as a module breaks allmodconfig</title>
<updated>2020-01-10T21:36:37+00:00</updated>
<author>
<name>Alan Maguire</name>
<email>alan.maguire@oracle.com</email>
</author>
<published>2020-01-10T11:49:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=35c57fc3f8eac81b38664a0fe160e267b908d8b8'/>
<id>35c57fc3f8eac81b38664a0fe160e267b908d8b8</id>
<content type='text'>
kunit tests that do not support module build should depend
on KUNIT=y rather than just KUNIT in Kconfig, otherwise
they will trigger compilation errors for "make allmodconfig"
builds.

Fixes: 9fe124bf1b77 ("kunit: allow kunit to be loaded as a module")
Reported-by: Stephen Rothwell &lt;sfr@canb.auug.org.au&gt;
Signed-off-by: Alan Maguire &lt;alan.maguire@oracle.com&gt;
Signed-off-by: Shuah Khan &lt;skhan@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
kunit tests that do not support module build should depend
on KUNIT=y rather than just KUNIT in Kconfig, otherwise
they will trigger compilation errors for "make allmodconfig"
builds.

Fixes: 9fe124bf1b77 ("kunit: allow kunit to be loaded as a module")
Reported-by: Stephen Rothwell &lt;sfr@canb.auug.org.au&gt;
Signed-off-by: Alan Maguire &lt;alan.maguire@oracle.com&gt;
Signed-off-by: Shuah Khan &lt;skhan@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>apparmor: add AppArmor KUnit tests for policy unpack</title>
<updated>2020-01-09T23:27:43+00:00</updated>
<author>
<name>Mike Salvatore</name>
<email>mike.salvatore@canonical.com</email>
</author>
<published>2019-11-06T00:43:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=4d944bcd4e731ab7bfe8d01a7041ea0ebdc090f1'/>
<id>4d944bcd4e731ab7bfe8d01a7041ea0ebdc090f1</id>
<content type='text'>
Add KUnit tests to test AppArmor unpacking of userspace policies.
AppArmor uses a serialized binary format for loading policies. To find
policy format documentation see
Documentation/admin-guide/LSM/apparmor.rst.

In order to write the tests against the policy unpacking code, some
static functions needed to be exposed for testing purposes. One of the
goals of this patch is to establish a pattern for which testing these
kinds of functions should be done in the future.

Signed-off-by: Brendan Higgins &lt;brendanhiggins@google.com&gt;
Signed-off-by: Mike Salvatore &lt;mike.salvatore@canonical.com&gt;
Acked-by: John Johansen &lt;john.johansen@canonical.com&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Shuah Khan &lt;skhan@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add KUnit tests to test AppArmor unpacking of userspace policies.
AppArmor uses a serialized binary format for loading policies. To find
policy format documentation see
Documentation/admin-guide/LSM/apparmor.rst.

In order to write the tests against the policy unpacking code, some
static functions needed to be exposed for testing purposes. One of the
goals of this patch is to establish a pattern for which testing these
kinds of functions should be done in the future.

Signed-off-by: Brendan Higgins &lt;brendanhiggins@google.com&gt;
Signed-off-by: Mike Salvatore &lt;mike.salvatore@canonical.com&gt;
Acked-by: John Johansen &lt;john.johansen@canonical.com&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Shuah Khan &lt;skhan@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'apparmor-pr-2019-12-03' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor</title>
<updated>2019-12-03T20:51:35+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2019-12-03T20:51:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=79e178a57dae819ae724065b47c25720494cc9f2'/>
<id>79e178a57dae819ae724065b47c25720494cc9f2</id>
<content type='text'>
Pull apparmor updates from John Johansen:
 "Features:

   - increase left match history buffer size to provide improved
     conflict resolution in overlapping execution rules.

   - switch buffer allocation to use a memory pool and GFP_KERNEL where
     possible.

   - add compression of policy blobs to reduce memory usage.

  Cleanups:

   - fix spelling mistake "immutible" -&gt; "immutable"

  Bug fixes:

   - fix unsigned len comparison in update_for_len macro

   - fix sparse warning for type-casting of current-&gt;real_cred"

* tag 'apparmor-pr-2019-12-03' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
  apparmor: make it so work buffers can be allocated from atomic context
  apparmor: reduce rcu_read_lock scope for aa_file_perm mediation
  apparmor: fix wrong buffer allocation in aa_new_mount
  apparmor: fix unsigned len comparison with less than zero
  apparmor: increase left match history buffer size
  apparmor: Switch to GFP_KERNEL where possible
  apparmor: Use a memory pool instead per-CPU caches
  apparmor: Force type-casting of current-&gt;real_cred
  apparmor: fix spelling mistake "immutible" -&gt; "immutable"
  apparmor: fix blob compression when ns is forced on a policy load
  apparmor: fix missing ZLIB defines
  apparmor: fix blob compression build failure on ppc
  apparmor: Initial implementation of raw policy blob compression
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull apparmor updates from John Johansen:
 "Features:

   - increase left match history buffer size to provide improved
     conflict resolution in overlapping execution rules.

   - switch buffer allocation to use a memory pool and GFP_KERNEL where
     possible.

   - add compression of policy blobs to reduce memory usage.

  Cleanups:

   - fix spelling mistake "immutible" -&gt; "immutable"

  Bug fixes:

   - fix unsigned len comparison in update_for_len macro

   - fix sparse warning for type-casting of current-&gt;real_cred"

* tag 'apparmor-pr-2019-12-03' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
  apparmor: make it so work buffers can be allocated from atomic context
  apparmor: reduce rcu_read_lock scope for aa_file_perm mediation
  apparmor: fix wrong buffer allocation in aa_new_mount
  apparmor: fix unsigned len comparison with less than zero
  apparmor: increase left match history buffer size
  apparmor: Switch to GFP_KERNEL where possible
  apparmor: Use a memory pool instead per-CPU caches
  apparmor: Force type-casting of current-&gt;real_cred
  apparmor: fix spelling mistake "immutible" -&gt; "immutable"
  apparmor: fix blob compression when ns is forced on a policy load
  apparmor: fix missing ZLIB defines
  apparmor: fix blob compression build failure on ppc
  apparmor: Initial implementation of raw policy blob compression
</pre>
</div>
</content>
</entry>
<entry>
<title>treewide: Add SPDX license identifier - Makefile/Kconfig</title>
<updated>2019-05-21T08:50:46+00:00</updated>
<author>
<name>Thomas Gleixner</name>
<email>tglx@linutronix.de</email>
</author>
<published>2019-05-19T12:07:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=ec8f24b7faaf3d4799a7c3f4c1b87f6b02778ad1'/>
<id>ec8f24b7faaf3d4799a7c3f4c1b87f6b02778ad1</id>
<content type='text'>
Add SPDX license identifiers to all Make/Kconfig files which:

 - Have no license information of any form

These files fall under the project license, GPL v2 only. The resulting SPDX
license identifier is:

  GPL-2.0-only

Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add SPDX license identifiers to all Make/Kconfig files which:

 - Have no license information of any form

These files fall under the project license, GPL v2 only. The resulting SPDX
license identifier is:

  GPL-2.0-only

Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>apparmor: fix missing ZLIB defines</title>
<updated>2019-04-11T21:56:37+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2019-02-12T05:56:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=fe166a9f2868839a1e2f7bd950164d05e86eb154'/>
<id>fe166a9f2868839a1e2f7bd950164d05e86eb154</id>
<content type='text'>
On configs where ZLIB is not already selected we are getting

undefined reference to `zlib_deflateInit2'
undefined reference to `zlib_deflate'
undefined reference to `zlib_deflateEnd'

For now just select the necessary ZLIB configs.

Fixes: 876dd866c084 ("apparmor: Initial implementation of raw policy blob compression")
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
On configs where ZLIB is not already selected we are getting

undefined reference to `zlib_deflateInit2'
undefined reference to `zlib_deflate'
undefined reference to `zlib_deflateEnd'

For now just select the necessary ZLIB configs.

Fixes: 876dd866c084 ("apparmor: Initial implementation of raw policy blob compression")
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>apparmor: Remove SECURITY_APPARMOR_BOOTPARAM_VALUE</title>
<updated>2019-01-08T21:18:43+00:00</updated>
<author>
<name>Kees Cook</name>
<email>keescook@chromium.org</email>
</author>
<published>2018-10-02T00:08:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=0102fb83f90050b86ce37aec810ea17bb4448e0c'/>
<id>0102fb83f90050b86ce37aec810ea17bb4448e0c</id>
<content type='text'>
In preparation for removing CONFIG_DEFAULT_SECURITY, this removes the
soon-to-be redundant SECURITY_APPARMOR_BOOTPARAM_VALUE. Since explicit
ordering via CONFIG_LSM or "lsm=" will define whether an LSM is enabled or
not, this CONFIG will become effectively ignored, so remove it. However,
in order to stay backward-compatible with "security=apparmor", the enable
variable defaults to true.

Signed-off-by: Kees Cook &lt;keescook@chromium.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In preparation for removing CONFIG_DEFAULT_SECURITY, this removes the
soon-to-be redundant SECURITY_APPARMOR_BOOTPARAM_VALUE. Since explicit
ordering via CONFIG_LSM or "lsm=" will define whether an LSM is enabled or
not, this CONFIG will become effectively ignored, so remove it. However,
in order to stay backward-compatible with "security=apparmor", the enable
variable defaults to true.

Signed-off-by: Kees Cook &lt;keescook@chromium.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>apparmor: add debug assert AA_BUG and Kconfig to control debug info</title>
<updated>2017-01-16T09:18:24+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2017-01-16T08:42:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=680cd62e910d7b7e3c1fcde6ba67c6ca770c2286'/>
<id>680cd62e910d7b7e3c1fcde6ba67c6ca770c2286</id>
<content type='text'>
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>apparmor: add parameter to control whether policy hashing is used</title>
<updated>2016-07-12T15:43:10+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2014-10-24T16:16:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=6059f71f1e94486a51cef90e872add11fa7b5775'/>
<id>6059f71f1e94486a51cef90e872add11fa7b5775</id>
<content type='text'>
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
Acked-by: Tyler Hicks &lt;tyhicks@canonical.com&gt;
Acked-by: Seth Arnold &lt;seth.arnold@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
Acked-by: Tyler Hicks &lt;tyhicks@canonical.com&gt;
Acked-by: Seth Arnold &lt;seth.arnold@canonical.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>apparmor: clarify CRYPTO dependency</title>
<updated>2015-10-22T00:11:28+00:00</updated>
<author>
<name>Arnd Bergmann</name>
<email>arnd@arndb.de</email>
</author>
<published>2015-10-21T19:16:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=083c1290ca73666ce1b551cc89d080d060f02ad6'/>
<id>083c1290ca73666ce1b551cc89d080d060f02ad6</id>
<content type='text'>
The crypto framework can be built as a loadable module, but the
apparmor hash code can only be built-in, which then causes a
link error:

security/built-in.o: In function `aa_calc_profile_hash':
integrity_audit.c:(.text+0x21610): undefined reference to `crypto_shash_update'
security/built-in.o: In function `init_profile_hash':
integrity_audit.c:(.init.text+0xb4c): undefined reference to `crypto_alloc_shash'

This changes Apparmor to use 'select CRYPTO' like a lot of other
subsystems do.

Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Acked-by: John Johansen &lt;john.johansen@canonical.com&gt;
Signed-off-by: James Morris &lt;james.l.morris@oracle.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The crypto framework can be built as a loadable module, but the
apparmor hash code can only be built-in, which then causes a
link error:

security/built-in.o: In function `aa_calc_profile_hash':
integrity_audit.c:(.text+0x21610): undefined reference to `crypto_shash_update'
security/built-in.o: In function `init_profile_hash':
integrity_audit.c:(.init.text+0xb4c): undefined reference to `crypto_alloc_shash'

This changes Apparmor to use 'select CRYPTO' like a lot of other
subsystems do.

Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Acked-by: John Johansen &lt;john.johansen@canonical.com&gt;
Signed-off-by: James Morris &lt;james.l.morris@oracle.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
