<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/security/apparmor/policy.c, branch v6.6</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>apparmor: fix: kzalloc perms tables for shared dfas</title>
<updated>2023-07-06T18:05:58+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2023-04-15T07:50:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=ec6851ae0ab4587e610e260ddda75f92f3389f91'/>
<id>ec6851ae0ab4587e610e260ddda75f92f3389f91</id>
<content type='text'>
Currently the permstables of the shared dfas are not shared, and need
to be allocated and copied. In the future this should be addressed
with a larger rework on dfa and pdb ref counts and structure sharing.

BugLink: http://bugs.launchpad.net/bugs/2017903
Fixes: 217af7e2f4de ("apparmor: refactor profile rules and attachments")
Cc: stable@vger.kernel.org
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
Reviewed-by: Jon Tourville &lt;jontourville@me.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Currently the permstables of the shared dfas are not shared, and need
to be allocated and copied. In the future this should be addressed
with a larger rework on dfa and pdb ref counts and structure sharing.

BugLink: http://bugs.launchpad.net/bugs/2017903
Fixes: 217af7e2f4de ("apparmor: refactor profile rules and attachments")
Cc: stable@vger.kernel.org
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
Reviewed-by: Jon Tourville &lt;jontourville@me.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>apparmor: fix kernel-doc complaints</title>
<updated>2023-01-10T18:04:35+00:00</updated>
<author>
<name>Randy Dunlap</name>
<email>rdunlap@infradead.org</email>
</author>
<published>2023-01-02T20:45:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=76862af5d1add618f0cc99868bc729925f9551d2'/>
<id>76862af5d1add618f0cc99868bc729925f9551d2</id>
<content type='text'>
Correct kernel-doc notation to placate kernel-doc W=1 warnings:

security/apparmor/policy.c:439: warning: duplicate section name 'Return'
security/apparmor/secid.c:57: warning: Cannot understand  *
security/apparmor/file.c:174: warning: cannot understand function prototype: 'struct aa_perms default_perms = '

Signed-off-by: Randy Dunlap &lt;rdunlap@infradead.org&gt;
Cc: John Johansen &lt;john.johansen@canonical.com&gt;
Cc: John Johansen &lt;john@apparmor.net&gt;
Cc: apparmor@lists.ubuntu.com
Cc: Paul Moore &lt;paul@paul-moore.com&gt;
Cc: James Morris &lt;jmorris@namei.org&gt;
Cc: "Serge E. Hallyn" &lt;serge@hallyn.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Correct kernel-doc notation to placate kernel-doc W=1 warnings:

security/apparmor/policy.c:439: warning: duplicate section name 'Return'
security/apparmor/secid.c:57: warning: Cannot understand  *
security/apparmor/file.c:174: warning: cannot understand function prototype: 'struct aa_perms default_perms = '

Signed-off-by: Randy Dunlap &lt;rdunlap@infradead.org&gt;
Cc: John Johansen &lt;john.johansen@canonical.com&gt;
Cc: John Johansen &lt;john@apparmor.net&gt;
Cc: apparmor@lists.ubuntu.com
Cc: Paul Moore &lt;paul@paul-moore.com&gt;
Cc: James Morris &lt;jmorris@namei.org&gt;
Cc: "Serge E. Hallyn" &lt;serge@hallyn.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>apparmor: fix a memleak in free_ruleset()</title>
<updated>2022-10-25T07:15:19+00:00</updated>
<author>
<name>Gaosheng Cui</name>
<email>cuigaosheng1@huawei.com</email>
</author>
<published>2022-10-25T03:59:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=7dd426e33e2f9275ac03a306efdc89aa86515a52'/>
<id>7dd426e33e2f9275ac03a306efdc89aa86515a52</id>
<content type='text'>
When the aa_profile is released, we will call free_ruleset to
release aa_ruleset, but we don't free the memory of aa_ruleset,
so there will be memleak, fix it.

unreferenced object 0xffff8881475df800 (size 1024):
  comm "apparmor_parser", pid 883, jiffies 4294899650 (age 9114.088s)
  hex dump (first 32 bytes):
    00 f8 5d 47 81 88 ff ff 00 f8 5d 47 81 88 ff ff  ..]G......]G....
    00 00 00 00 00 00 00 00 00 dc 65 47 81 88 ff ff  ..........eG....
  backtrace:
    [&lt;00000000370e658e&gt;] __kmem_cache_alloc_node+0x182/0x700
    [&lt;00000000f2f5a6d2&gt;] kmalloc_trace+0x2c/0x130
    [&lt;00000000c5c905b3&gt;] aa_alloc_profile+0x1bc/0x5c0
    [&lt;00000000bc4fa72b&gt;] unpack_profile+0x319/0x30c0
    [&lt;00000000eab791e9&gt;] aa_unpack+0x307/0x1450
    [&lt;000000002c3a6ee1&gt;] aa_replace_profiles+0x1b8/0x3790
    [&lt;00000000d0c3fd54&gt;] policy_update+0x35a/0x890
    [&lt;00000000d04fed90&gt;] profile_replace+0x1d1/0x260
    [&lt;00000000cba0c0a7&gt;] vfs_write+0x283/0xd10
    [&lt;000000006bae64a5&gt;] ksys_write+0x134/0x260
    [&lt;00000000b2fd8f31&gt;] __x64_sys_write+0x78/0xb0
    [&lt;00000000f3c8a015&gt;] do_syscall_64+0x5c/0x90
    [&lt;00000000a242b1db&gt;] entry_SYSCALL_64_after_hwframe+0x63/0xcd

Fixes: 217af7e2f4de ("apparmor: refactor profile rules and attachments")
Signed-off-by: Gaosheng Cui &lt;cuigaosheng1@huawei.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When the aa_profile is released, we will call free_ruleset to
release aa_ruleset, but we don't free the memory of aa_ruleset,
so there will be memleak, fix it.

unreferenced object 0xffff8881475df800 (size 1024):
  comm "apparmor_parser", pid 883, jiffies 4294899650 (age 9114.088s)
  hex dump (first 32 bytes):
    00 f8 5d 47 81 88 ff ff 00 f8 5d 47 81 88 ff ff  ..]G......]G....
    00 00 00 00 00 00 00 00 00 dc 65 47 81 88 ff ff  ..........eG....
  backtrace:
    [&lt;00000000370e658e&gt;] __kmem_cache_alloc_node+0x182/0x700
    [&lt;00000000f2f5a6d2&gt;] kmalloc_trace+0x2c/0x130
    [&lt;00000000c5c905b3&gt;] aa_alloc_profile+0x1bc/0x5c0
    [&lt;00000000bc4fa72b&gt;] unpack_profile+0x319/0x30c0
    [&lt;00000000eab791e9&gt;] aa_unpack+0x307/0x1450
    [&lt;000000002c3a6ee1&gt;] aa_replace_profiles+0x1b8/0x3790
    [&lt;00000000d0c3fd54&gt;] policy_update+0x35a/0x890
    [&lt;00000000d04fed90&gt;] profile_replace+0x1d1/0x260
    [&lt;00000000cba0c0a7&gt;] vfs_write+0x283/0xd10
    [&lt;000000006bae64a5&gt;] ksys_write+0x134/0x260
    [&lt;00000000b2fd8f31&gt;] __x64_sys_write+0x78/0xb0
    [&lt;00000000f3c8a015&gt;] do_syscall_64+0x5c/0x90
    [&lt;00000000a242b1db&gt;] entry_SYSCALL_64_after_hwframe+0x63/0xcd

Fixes: 217af7e2f4de ("apparmor: refactor profile rules and attachments")
Signed-off-by: Gaosheng Cui &lt;cuigaosheng1@huawei.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>apparmor: Fix loading of child before parent</title>
<updated>2022-10-25T07:15:11+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2022-10-03T13:06:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=665b1856dc2399828d8ee07a18d4fd79868e729a'/>
<id>665b1856dc2399828d8ee07a18d4fd79868e729a</id>
<content type='text'>
Unfortunately it is possible for some userspaces to load children
profiles before the parent profile. This can even happen when the
child and the parent are in different load sets.

Fix this by creating a null place holder profile that grants no permissions
and can be replaced by the parent once it is loaded.

Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Unfortunately it is possible for some userspaces to load children
profiles before the parent profile. This can even happen when the
child and the parent are in different load sets.

Fix this by creating a null place holder profile that grants no permissions
and can be replaced by the parent once it is loaded.

Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>apparmor: refactor code that alloc null profiles</title>
<updated>2022-10-25T05:35:36+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2022-10-03T09:48:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=58f89ce58bb4f5cf5963b20a19aaa2431b0412d8'/>
<id>58f89ce58bb4f5cf5963b20a19aaa2431b0412d8</id>
<content type='text'>
Both unconfined and learning profiles use the null profile as their
base. Refactor so they share a common base routine. This doesn't
save much atm but will be important when the feature set of the
parent is inherited.

Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Both unconfined and learning profiles use the null profile as their
base. Refactor so they share a common base routine. This doesn't
save much atm but will be important when the feature set of the
parent is inherited.

Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>apparmor: rework profile-&gt;rules to be a list</title>
<updated>2022-10-03T21:49:04+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2022-09-06T03:47:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=1ad22fcc4d0d2fb2e0f35aed555a86d016d5e590'/>
<id>1ad22fcc4d0d2fb2e0f35aed555a86d016d5e590</id>
<content type='text'>
Convert profile-&gt;rules to a list as the next step towards supporting
multiple rulesets in a profile. For this step only support a single
list entry item. The logic for iterating the list will come as a
separate step.

Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Convert profile-&gt;rules to a list as the next step towards supporting
multiple rulesets in a profile. For this step only support a single
list entry item. The logic for iterating the list will come as a
separate step.

Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>apparmor: refactor profile rules and attachments</title>
<updated>2022-10-03T21:49:04+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2022-07-30T00:17:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=217af7e2f4deb629aaa49622685ccfee923898ca'/>
<id>217af7e2f4deb629aaa49622685ccfee923898ca</id>
<content type='text'>
In preparation for moving from a single set of rules and a single
attachment to multiple rulesets and attachments separate from the
profile, refactor attachment information and ruleset info into their
own structures.

Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In preparation for moving from a single set of rules and a single
attachment to multiple rulesets and attachments separate from the
profile, refactor attachment information and ruleset info into their
own structures.

Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>apparmor: add user mode flag</title>
<updated>2022-10-03T21:49:03+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2019-12-17T23:40:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=22fac8a051191113becc0da62bf88b0ba8ce6c08'/>
<id>22fac8a051191113becc0da62bf88b0ba8ce6c08</id>
<content type='text'>
Allow the profile to contain a user mode prompt flag. This works similar
to complain mode but will try to send messages to a userspace daemon.
If the daemon is not present or times out regular informent will occur.

Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Allow the profile to contain a user mode prompt flag. This works similar
to complain mode but will try to send messages to a userspace daemon.
If the daemon is not present or times out regular informent will occur.

Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>apparmor: add mediation class information to auditing</title>
<updated>2022-10-03T21:49:03+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2022-04-19T23:25:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=8c4b785a86be1219f7d50f7b38266c454d6a9bbc'/>
<id>8c4b785a86be1219f7d50f7b38266c454d6a9bbc</id>
<content type='text'>
Audit messages currently don't contain the mediation class which can
make them less clear than they should be in some circumstances. With
newer mediation classes coming this potential confusion will become
worse.

Fix this by adding the mediation class to the messages.

Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Audit messages currently don't contain the mediation class which can
make them less clear than they should be in some circumstances. With
newer mediation classes coming this potential confusion will become
worse.

Fix this by adding the mediation class to the messages.

Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>apparmor: convert xmatch to using the new shared policydb struct</title>
<updated>2022-10-03T21:49:03+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2020-11-21T09:42:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=048d49544455b3e3a535c4ec89057ea5ca8676f0'/>
<id>048d49544455b3e3a535c4ec89057ea5ca8676f0</id>
<content type='text'>
Continue permission unification by converting xmatch to use the
policydb struct that is used by the other profile dfas.

Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Continue permission unification by converting xmatch to use the
policydb struct that is used by the other profile dfas.

Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
