Commit Graph

253 Commits

Author SHA1 Message Date
Peter Zijlstra 9a1f37ebcf apparmor: Free up __cleanup() name
In order to use __cleanup for __attribute__((__cleanup__(func))) the
name must not be used for anything else. Avoid the conflict.

Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Link: https://lkml.kernel.org/r/20230612093537.536441207%40infradead.org
2023-06-26 11:14:18 +02:00
Linus Torvalds 93761c93e9 + Features
- switch to zstd compression for profile raw data
 
 + Cleanups
   - Simplify obtain the newest label on a cred
   - remove useless static inline functions
   - compute permission conversion on policy unpack
   - refactor code to share common permissins
   - refactor unpack to group policy backwards compatiblity code
   - add __init annotation to aa_{setup/teardown}_dfa_engine()
 
 + Bug Fixes
   - fix a memleak in
     - multi_transaction_new()
     - free_ruleset()
     - unpack_profile()
     - alloc_ns()
   - fix lockdep warning when removing a namespace
   - fix regression in stacking due to label flags
   - fix loading of child before parent
   - fix kernel-doc comments that differ from fns
   - fix spelling errors in comments
   - store return value of unpack_perms_table() to signed variable
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEE7cSDD705q2rFEEf7BS82cBjVw9gFAmOZwywACgkQBS82cBjV
 w9jBjRAAmj4gyK0L3eGY4IV2BpvnkHwHY4lOObJulTwILOOj0Pz8CJqRCa/HDCGj
 aOlnwqksPsAjadzzfi58D6TnT+3fOuskbcMgTyvX5jraTXPrUl90+hXorbXKuLrw
 iaX6QxW8soNW/s3oJhrC2HxbIhGA9VpVnmQpVZpJMmz5bU2xmzL62FCN8x88kytr
 9CygaudPrvwYJf5pPd62p7ltj2S6lFwZ6dVCyiDQGTc+Gyng4G8p4MCfI1CwMMyo
 mAUeeRnoeeBwH3tSy/Wsr72jPKjsMASpcMHo3ns/dVSw/ug2FYYToZbfxT/uAa6O
 WVHfS1Kv/5afG9xxyfocWecd+Yp3lsXq9F+q36uOT9NeJmlej9aJr5sWMcvV3sru
 QVNN7tFZbHqCnLhpl6RDH/NiguweNYQXrl2lukXZe/FKu/KDasFIOzL+IAt2TqZE
 3mWrha7Q7j/gdBw8+fHHGtXCx0NSQlz1oFLo/y/mI7ztwUPJsBYbH5+108iP0ys/
 7Kd+jkYRucJB4upGH4meQbN6f/rrs3+m/b/j0Q8RCFHAs2f+mYZeN/JOHCo0T4YH
 KO1W60846fPs+7yZTVxWYFpR/kIuXksyxMWpEEZFFtF4MNoaeM1uypBWqm/JmKYr
 8oDtEyiOd/qmZnWRcuO3/bmdoJUZY1zTXWA0dlScYc8vR4KC+EE=
 =6GKy
 -----END PGP SIGNATURE-----

Merge tag 'apparmor-pr-2022-12-14' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

Pull apparmor updates from John Johansen:
 "Features:
   - switch to zstd compression for profile raw data

  Cleanups:
   - simplify obtaining the newest label on a cred
   - remove useless static inline functions
   - compute permission conversion on policy unpack
   - refactor code to share common permissins
   - refactor unpack to group policy backwards compatiblity code
   - add __init annotation to aa_{setup/teardown}_dfa_engine()

  Bug Fixes:
   - fix a memleak in
       - multi_transaction_new()
       - free_ruleset()
       - unpack_profile()
       - alloc_ns()
   - fix lockdep warning when removing a namespace
   - fix regression in stacking due to label flags
   - fix loading of child before parent
   - fix kernel-doc comments that differ from fns
   - fix spelling errors in comments
   - store return value of unpack_perms_table() to signed variable"

* tag 'apparmor-pr-2022-12-14' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: (64 commits)
  apparmor: Fix uninitialized symbol 'array_size' in policy_unpack_test.c
  apparmor: Add __init annotation to aa_{setup/teardown}_dfa_engine()
  apparmor: Fix memleak in alloc_ns()
  apparmor: Fix memleak issue in unpack_profile()
  apparmor: fix a memleak in free_ruleset()
  apparmor: Fix spelling of function name in comment block
  apparmor: Use pointer to struct aa_label for lbs_cred
  AppArmor: Fix kernel-doc
  LSM: Fix kernel-doc
  AppArmor: Fix kernel-doc
  apparmor: Fix loading of child before parent
  apparmor: refactor code that alloc null profiles
  apparmor: fix obsoleted comments for aa_getprocattr() and audit_resource()
  apparmor: remove useless static inline functions
  apparmor: Fix unpack_profile() warn: passing zero to 'ERR_PTR'
  apparmor: fix uninitialize table variable in error in unpack_trans_table
  apparmor: store return value of unpack_perms_table() to signed variable
  apparmor: Fix kunit test for out of bounds array
  apparmor: Fix decompression of rawdata for read back to userspace
  apparmor: Fix undefined references to zstd_ symbols
  ...
2022-12-14 13:42:09 -08:00
Rae Moar b11e51dd70 apparmor: test: make static symbols visible during kunit testing
Use macros, VISIBLE_IF_KUNIT and EXPORT_SYMBOL_IF_KUNIT, to allow
static symbols to be conditionally set to be visible during
apparmor_policy_unpack_test, which removes the need to include the testing
file in the implementation file.

Change the namespace of the symbols that are now conditionally visible (by
adding the prefix aa_) to avoid confusion with symbols of the same name.

Allow the test to be built as a module and namespace the module name from
policy_unpack_test to apparmor_policy_unpack_test to improve clarity of
the module name.

Provide an example of how static symbols can be dealt with in testing.

Signed-off-by: Rae Moar <rmoar@google.com>
Reviewed-by: David Gow <davidgow@google.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
2022-12-12 14:13:48 -07:00
John Johansen 58f89ce58b apparmor: refactor code that alloc null profiles
Bother unconfined and learning profiles use the null profile as their
base. Refactor so they are share a common base routine. This doesn't
save much atm but will be important when the feature set of the
parent is inherited.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-24 22:35:36 -07:00
John Johansen 70f24a9f90 apparmor: Fix undefined references to zstd_ symbols
Unfortunately the switch to using zstd compression did not properly
ifdef all the code that uses zstd_ symbols. So that if exporting of
binary policy is disabled in the config the compile will fail with the
following errors

security/apparmor/lsm.c:1545: undefined reference to `zstd_min_clevel'
aarch64-linux-ld: security/apparmor/lsm.c:1545: undefined reference to `zstd_max_clevel'

Reported-by: kernel test robot <lkp@intel.com>
Fixes: 52ccc20c652b ("apparmor: use zstd compression for profile data")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Jon Tourville <jon.tourville@canonical.com>
2022-10-03 14:49:04 -07:00
Xiu Jianfeng 65f7f666f2 apparmor: make __aa_path_perm() static
Make __aa_path_perm() static as it's only used inside apparmor/file.c.

Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03 14:49:04 -07:00
Gaosheng Cui adaa9a3f72 apparmor: Simplify obtain the newest label on a cred
In aa_get_task_label(), aa_get_newest_cred_label(__task_cred(task))
can do the same things as aa_get_newest_label(__aa_task_raw_label(task)),
so we can replace it and remove __aa_task_raw_label() to simplify the code.

Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03 14:49:04 -07:00
John Johansen 1ad22fcc4d apparmor: rework profile->rules to be a list
Convert profile->rules to a list as the next step towards supporting
multiple rulesets in a profile. For this step only support a single
list entry item. The logic for iterating the list will come as a
separate step.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03 14:49:04 -07:00
John Johansen 217af7e2f4 apparmor: refactor profile rules and attachments
In preparation for moving from a single set of rules and a single
attachment to multiple rulesets and attachments separate from the
profile refactor attachment information and ruleset info into their
own structures.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03 14:49:04 -07:00
John Johansen 3dfd16ab69 apparmor: cleanup: move perm accumulation into perms.h
Perm accumulation is going to be used much more frequently so let
the compiler figure out if it can be optimized when used.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03 14:49:04 -07:00
John Johansen 0bece4fa97 apparmor: make sure perm indexes are accumulated
accumulate permission indexes on a first encountered basis. This
favors original rulesets so that new ones can not override without
profile replacement.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03 14:49:04 -07:00
John Johansen fd1b2b95a2 apparmor: add the ability for policy to specify a permission table
Currently permissions are encoded in the dfa accept entries that are
then mapped to an internal permission structure. This limits the
permissions that userspace can specify, so allow userspace to directly
specify the permission table.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03 14:49:03 -07:00
John Johansen 22fac8a051 apparmor: add user mode flag
Allow the profile to contain a user mode prompt flag. This works similar
to complain mode but will try to send messages to a userspace daemon.
If the daemon is not present or timesout regular informent will occur.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03 14:49:03 -07:00
John Johansen 8c4b785a86 apparmor: add mediation class information to auditing
Audit messages currently don't contain the mediation class which can
make them less clear than they should be in some circumstances. With
newer mediation classes coming this potential confusion will become
worse.

Fix this by adding the mediatin class to the messages.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03 14:49:03 -07:00
John Johansen 90917d5b68 apparmor: extend permissions to support a label and tag string
add indexes for label and tag entries. Rename the domain table to the
str_table as its a shared string table with label and tags.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03 14:49:03 -07:00
John Johansen caa9f579ca apparmor: isolate policy backwards compatibility to its own file
The details of mapping old policy into newer policy formats clutters
up the unpack code and makes it possible to accidentally use old
mappings in code, so isolate the mapping code into its own file.

This will become more important when the dfa remapping code lands,
as it will greatly expand the compat code base.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03 14:49:03 -07:00
John Johansen ae6d35ed0a apparmor: extend xindex size
Allow the xindex to have 2^24 entries.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03 14:49:03 -07:00
John Johansen b06a62ebf5 apparmor: move dfa perm macros into policy_unpack
Now that the permission remapping macros aren't needed anywhere except
during profile unpack, move them.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03 14:49:03 -07:00
John Johansen 33fc95d829 apparmor: preparse for state being more than just an integer
Convert from an unsigned int to a state_t for state position. This is
a step in prepping for the state position carrying some additional
flags, and a limited form of backtracking to support variables.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03 14:49:03 -07:00
John Johansen e844fe9b51 apparmor: convert policy lookup to use accept as an index
Remap polidydb dfa accept table from embedded perms to an index, and
then move the perm lookup to use the accept entry as an index into the
perm table. This is done so that the perm table can be separated from
the dfa, allowing dfa accept to index to share expanded permission
sets.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03 14:49:03 -07:00
John Johansen bf690f59d0 apparmor: cleanup shared permission struct
The shared permissions struct has the stop field which is unneeded
and the "reserved" subtree field commented which is needed. Also
reorganize so that the entries are logically grouped.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03 14:49:03 -07:00
John Johansen 048d495444 apparmor: convert xmatch to using the new shared policydb struct
continue permission unification by converting xmatch to use the
policydb struct that is used by the other profile dfas.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03 14:49:03 -07:00
John Johansen 53bdc46f4b apparmor: combine file_rules and aa_policydb into a single shared struct
file_rules and policydb are almost the same and will need the same
features in the future so combine them.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03 14:49:03 -07:00
John Johansen e2967ede22 apparmor: compute policydb permission on profile load
Rather than computing policydb permissions for each access
permissions can be computed once on profile load and stored for lookup.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03 14:49:03 -07:00
John Johansen e48ffd24c1 apparmor: convert xmatch to use aa_perms structure
Convert xmatch from using perms encoded in the accept entry of the
dfa to the common external aa_perms in a table.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03 14:49:02 -07:00
John Johansen 754f209b81 apparmor: move fperm computation into policy_unpack
fperm computation is only needed during policy_unpack so move the
code there to isolate it fromt the run time code.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03 14:49:02 -07:00
Mike Salvatore b5b5799350 apparmor: compute xmatch permissions on profile load
Rather than computing xmatch permissions each time access is requested,
these permissions can be computed once on profile load and stored for
lookup.

Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03 14:49:02 -07:00
Mike Salvatore 408d53e923 apparmor: compute file permissions on profile load
Rather than computing file permissions for each file access, file
permissions can be computed once on profile load and stored for lookup.

Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03 14:49:02 -07:00
John Johansen f47acc4b7c apparmor: reserve mediation classes
Reserve mediation classes that exist in out of tree development
branches or are used by userspace mediation helpers.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03 14:49:02 -07:00
John Johansen eac931254d apparmor: move ptrace mediation to more logical task.{h,c}
AppArmor split out task oriented controls to their own logical file
a while ago. Ptrace mediation is better grouped with task than
ipc, so move it.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-07-19 04:14:22 -07:00
John Johansen f567e7fada apparmor: extend policydb permission set by making use of the xbits
The policydb permission set has left the xbits unused. Make them available
for mediation.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-07-19 02:57:15 -07:00
John Johansen c1ed5da197 apparmor: allow label to carry debug flags
Allow labels to have debug flags that can be used to trigger debug output
only from profiles/labels that are marked. This can help reduce debug
output by allowing debug to be target to a specific confinement condition.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-07-19 02:55:45 -07:00
John Johansen 2504db2071 apparmor: fix overlapping attachment computation
When finding the profile via patterned attachments, the longest left
match is being set to the static compile time value and not using the
runtime computed value.

Fix this by setting the candidate value to the greater of the
precomputed value or runtime computed value.

Fixes: 21f6066105 ("apparmor: improve overlapping domain attachment resolution")
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-07-19 02:52:36 -07:00
John Johansen 524d8e1425 apparmor: disable showing the mode as part of a secid to secctx
Displaying the mode as part of the seectx takes up unnecessary memory,
makes it so we can't use refcounted secctx so we need to alloc/free on
every conversion from secid to secctx and introduces a space that
could be potentially mishandled by tooling.

Eg. In an audit record we get

  subj_type=firefix (enforce)

Having the mode reported is not necessary, and might even be confusing
eg. when writing an audit rule to match the above record field you
would use

  -F subj_type=firefox

ie. the mode is not included. AppArmor provides ways to find the mode
without reporting as part of the secctx. So disable this by default
before its use is wide spread and we can't. For now we add a sysctl
to control the behavior as we can't guarantee no one is using this.

Acked-by: Andrea Righi <andrea.righi@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-07-13 17:18:29 -07:00
Matthew Wilcox df4390934d apparmor: Convert secid mapping to XArrays instead of IDR
XArrays are a better match than IDR for how AppArmor is mapping
secids.  Specifically AppArmor is trying to keep the allocation
dense. XArrays also have the advantage of avoiding the complexity IDRs
preallocation.

In addition this avoids/fixes a lockdep issue raised in the LKML thread
  "Linux 5.18-rc4"

where there is a report of an interaction between apparmor and IPC,
this warning may have been spurious as the reported issue is in a
per-cpu local lock taken by the IDR. With the one side in the IPC id
allocation and the other in AppArmor's secid allocation.

Description by John Johansen <john.johansen@canonical.com>

Message-Id: <226cee6a-6ca1-b603-db08-8500cd8f77b7@gnuweeb.org>
Signed-off-by: Matthew Wilcox <willy@infradead.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-07-13 17:16:02 -07:00
John Johansen 95c0581f9b apparmor: add a kernel label to use on kernel objects
Separate kernel objects from unconfined. This is done so we can
distinguish between the two in debugging, auditing and in preparation
for being able to replace unconfined, which is not appropriate for the
kernel.

The kernel label will continue to behave similar to unconfined.

Acked-by: Jon Tourville <jon.tourville@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-07-13 16:37:21 -07:00
John Johansen d61c57fde8 apparmor: make export of raw binary profile to userspace optional
Embedded systems have limited space and don't need the introspection
or checkpoint restore capability provided by exporting the raw
profile binary data so make it so make it a config option.

This will reduce run time memory use and also speed up policy loads.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-07-09 15:13:59 -07:00
John Johansen 511f7b5b83 apparmor: fix absroot causing audited secids to begin with =
AppArmor is prefixing secids that are converted to secctx with the =
to indicate the secctx should only be parsed from an absolute root
POV. This allows catching errors where secctx are reparsed back into
internal labels.

Unfortunately because audit is using secid to secctx conversion this
means that subject and object labels can result in a very unfortunate
== that can break audit parsing.

eg. the subj==unconfined term in the below audit message

type=USER_LOGIN msg=audit(1639443365.233:160): pid=1633 uid=0 auid=1000
ses=3 subj==unconfined msg='op=login id=1000 exe="/usr/sbin/sshd"
hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/1 res=success'

Fix this by switch the prepending of = to a _. This still works as a
special character to flag this case without breaking audit. Also move
this check behind debug as it should not be needed during normal
operqation.

Fixes: 26b7899510 ("apparmor: add support for absolute root view based labels")
Reported-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-07-09 15:13:58 -07:00
Linus Torvalds 5593a733f9 + Features
- use per file locks for transactional queries
   - update policy management capability checks to work with LSM stacking
 
 + Bug Fixes
   - check/put label on apparmor_sk_clone_security()
   - fix error check on update of label hname
   - fix introspection of of task mode for unconfined tasks
 
 + Cleanups
   - avoid -Wempty-body warning
   - remove duplicated 'Returns:' comments
   - fix doc warning
   - remove unneeded one-line hook wrappers
   - Use struct_size() helper in kzalloc()
   - fix zero-length compiler warning in AA_BUG()
   - file.h: delete duplicated word
   - delete repeated words in comments
   - Remove the repeated declaration
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEE7cSDD705q2rFEEf7BS82cBjVw9gFAmGMO1QACgkQBS82cBjV
 w9jedA//R0DMYXY4zOREghQPc//IWoV079BCDgdvs+GBAJQK2AsmqTV+DZFgXTPN
 F8Fo8Ki8lNRFDnyg8cVhhykx74lYVLYjrcxO5Q0dXbwaahsIxFziVMywTPCdaUW6
 JAGUq2iEAN4IRMjqj3+9ctjih23ckTS4u4n//h8lBOzC9kjOxF7/sfDuo2ocKw37
 zzB63jTTXbwwYqxOnw5+9QcNqygne3igz1YLiXScWMoflY3XMlxDO6a5SZRZgql7
 dobydgx4xWliQU1EK3QPMlytC6mIettcRcBSxQABE6AGg2fs4aRRir31H7mj8ZRE
 ybpmHzbE8C3TbW3Px7Djjf0UFbXCwGBqLOTc/myyJqUgNV6bnvIjkGFVqxQuwHZX
 MPbrxCf7/kawxjZ+2dnBdU0JIYaQqEddXbWJdeNL6npguzczA1sOi5MqGaeeaJML
 NZdytpzQTGv4PRj4Ybh2U0Sv3H33VvPRDDeszjbsjlJEh6rYBeImVXBjaNWPM7pc
 WGzAgOHzs5EDTtTqtrOXyQcgwSaQMgGAkgBxbMyu4JFhQBvPbKac6aZP2QdXph65
 e0C82yuz5QqyOrK5UK4PclxOPC1r5HtckyLqzntblZ3K6d1Ar4WpiTKnCDGhWHe1
 PaL9tbjrih5H3VfAesN8i2UbgqA5WWX1XjI1Pt7BHnbJvLPnhd0=
 =1UZ1
 -----END PGP SIGNATURE-----

Merge tag 'apparmor-pr-2021-11-10' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

Pull apparmor updates from John Johansen:
 "Features
   - use per file locks for transactional queries
   - update policy management capability checks to work with LSM stacking

  Bug Fixes:
   - check/put label on apparmor_sk_clone_security()
   - fix error check on update of label hname
   - fix introspection of of task mode for unconfined tasks

  Cleanups:
   - avoid -Wempty-body warning
   - remove duplicated 'Returns:' comments
   - fix doc warning
   - remove unneeded one-line hook wrappers
   - use struct_size() helper in kzalloc()
   - fix zero-length compiler warning in AA_BUG()
   - file.h: delete duplicated word
   - delete repeated words in comments
   - remove repeated declaration"

* tag 'apparmor-pr-2021-11-10' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
  apparmor: remove duplicated 'Returns:' comments
  apparmor: remove unneeded one-line hook wrappers
  apparmor: Use struct_size() helper in kzalloc()
  apparmor: fix zero-length compiler warning in AA_BUG()
  apparmor: use per file locks for transactional queries
  apparmor: fix doc warning
  apparmor: Remove the repeated declaration
  apparmor: avoid -Wempty-body warning
  apparmor: Fix internal policy capable check for policy management
  apparmor: fix error check
  security: apparmor: delete repeated words in comments
  security: apparmor: file.h: delete duplicated word
  apparmor: switch to apparmor to internal capable check for policy management
  apparmor: update policy capable checks to use a label
  apparmor: fix introspection of of task mode for unconfined tasks
  apparmor: check/put label on apparmor_sk_clone_security()
2021-11-11 14:47:32 -08:00
John Johansen 4d47fbbe54 apparmor: fix zero-length compiler warning in AA_BUG()
Uses of AA_BUG() without a message can result in the compiler warning

  warning: zero-length gnu_printf format string [-Wformat-zero-length]

Fix this with a pragma for now. A larger rework of AA_BUG() will
follow.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2021-11-03 01:08:15 -07:00
Shaokun Zhang 7e50e9ffde apparmor: Remove the repeated declaration
Function 'aa_labelset_destroy' and 'aa_labelset_init' are declared
twice, so remove the repeated declaration and unnecessary blank line.

Cc: John Johansen <john.johansen@canonical.com>
Cc: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Signed-off-by: Shaokun Zhang <zhangshaokun@hisilicon.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2021-11-03 00:46:28 -07:00
Arnd Bergmann c75ea02409 apparmor: avoid -Wempty-body warning
Building with 'make W=1' shows a warning for an empty macro:

security/apparmor/label.c: In function '__label_update':
security/apparmor/label.c:2096:59: error: suggest braces around empty body in an 'else' statement [-Werror=empty-body]
 2096 |                 AA_BUG(labels_ns(label) != labels_ns(new));

Change the macro definition to use no_printk(), which improves
format string checking and avoids the warning.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2021-11-03 00:46:12 -07:00
Randy Dunlap ef70454508 security: apparmor: file.h: delete duplicated word
Delete the doubled word "then" in a comment.

Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2021-02-07 04:15:08 -08:00
John Johansen 92de220a7f apparmor: update policy capable checks to use a label
Previously the policy capable checks assumed they were using the
current task. Make them take the task label so the query can be
made against an arbitrary task.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2021-02-07 04:13:54 -08:00
Florian Westphal 41dd9596d6 security: add const qualifier to struct sock in various places
A followup change to tcp_request_sock_op would have to drop the 'const'
qualifier from the 'route_req' function as the
'security_inet_conn_request' call is moved there - and that function
expects a 'struct sock *'.

However, it turns out its also possible to add a const qualifier to
security_inet_conn_request instead.

Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: James Morris <jamorris@linux.microsoft.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2020-12-03 12:56:03 -08:00
Waiman Long 453431a549 mm, treewide: rename kzfree() to kfree_sensitive()
As said by Linus:

  A symmetric naming is only helpful if it implies symmetries in use.
  Otherwise it's actively misleading.

  In "kzalloc()", the z is meaningful and an important part of what the
  caller wants.

  In "kzfree()", the z is actively detrimental, because maybe in the
  future we really _might_ want to use that "memfill(0xdeadbeef)" or
  something. The "zero" part of the interface isn't even _relevant_.

The main reason that kzfree() exists is to clear sensitive information
that should not be leaked to other future users of the same memory
objects.

Rename kzfree() to kfree_sensitive() to follow the example of the recently
added kvfree_sensitive() and make the intention of the API more explicit.
In addition, memzero_explicit() is used to clear the memory to make sure
that it won't get optimized away by the compiler.

The renaming is done by using the command sequence:

  git grep -w --name-only kzfree |\
  xargs sed -i 's/kzfree/kfree_sensitive/'

followed by some editing of the kfree_sensitive() kerneldoc and adding
a kzfree backward compatibility macro in slab.h.

[akpm@linux-foundation.org: fs/crypto/inline_crypt.c needs linux/slab.h]
[akpm@linux-foundation.org: fix fs/crypto/inline_crypt.c some more]

Suggested-by: Joe Perches <joe@perches.com>
Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Acked-by: David Howells <dhowells@redhat.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Joe Perches <joe@perches.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: "Jason A . Donenfeld" <Jason@zx2c4.com>
Link: http://lkml.kernel.org/r/20200616154311.12314-3-longman@redhat.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2020-08-07 11:33:22 -07:00
Linus Torvalds a2b447066c Tag summary
+ Features
   - Replace zero-length array with flexible-array
   - add a valid state flags check
   - add consistency check between state and dfa diff encode flags
   - add apparmor subdir to proc attr interface
   - fail unpack if profile mode is unknown
   - add outofband transition and use it in xattr match
   - ensure that dfa state tables have entries
 
 + Cleanups
   - Use true and false for bool variable
   - Remove semicolon
   - Clean code by removing redundant instructions
   - Replace two seq_printf() calls by seq_puts() in aa_label_seq_xprint()
   - remove duplicate check of xattrs on profile attachment
   - remove useless aafs_create_symlink
 
 + Bug fixes
   - Fix memory leak of profile proxy
   - fix introspection of of task mode for unconfined tasks
   - fix nnp subset test for unconfined
   - check/put label on apparmor_sk_clone_security()
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEE7cSDD705q2rFEEf7BS82cBjVw9gFAl7dUf4ACgkQBS82cBjV
 w9j8rA//R3qbVeiN3SJtxLhiF3AAdP2cVbZ/mAhQLwYObI6flb1bliiahJHRf8Ey
 FaVb4srOH8NlmzNINZehXOvD3UDwX/sbpw8h0Y0JolO+v1m3UXkt/eRoMt6gRz7I
 jtaImY1/V+G4O5rV5fGA1HQI8Geg+W9Abt32d16vyKIIpnBS/Pfv8ppM0NcHCZ4G
 e8935T/dMNK5K0Y7HNb1nMjyzEr0LtEXvXznBOrGVpCtDQ45m0/NBvAqpfhuKsVm
 FE5Na8rgtiB9sU72LaoNXNr8Y5LVgkXPmBr/e1FqZtF01XEarKb7yJDGOLrLpp1o
 rGYpY9DQSBT/ZZrwMaLFqCd1XtnN1BAmhlM6TXfnm25ArEnQ49ReHFc7ZHZRSTZz
 LWVBD6atZbapvqckk1SU49eCLuGs5wmRj/CmwdoQUbZ+aOfR68zF+0PANbP5xDo4
 862MmeMsm8JHndeCelpZQRbhtXt0t9MDzwMBevKhxV9hbpt4g8DcnC5tNUc9AnJi
 qJDsMkytYhazIW+/4MsnLTo9wzhqzXq5kBeE++Xl7vDE/V+d5ocvQg73xtwQo9sx
 LzMlh3cPmBvOnlpYfnONZP8pJdjDAuESsi/H5+RKQL3cLz7NX31CLWR8dXLBHy80
 Dvxqvy84Cf7buigqwSzgAGKjDI5HmeOECAMjpLbEB2NS9xxQYuk=
 =U7d2
 -----END PGP SIGNATURE-----

Merge tag 'apparmor-pr-2020-06-07' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

Pull apparmor updates from John Johansen:
 "Features:
   - Replace zero-length array with flexible-array
   - add a valid state flags check
   - add consistency check between state and dfa diff encode flags
   - add apparmor subdir to proc attr interface
   - fail unpack if profile mode is unknown
   - add outofband transition and use it in xattr match
   - ensure that dfa state tables have entries

  Cleanups:
   - Use true and false for bool variable
   - Remove semicolon
   - Clean code by removing redundant instructions
   - Replace two seq_printf() calls by seq_puts() in aa_label_seq_xprint()
   - remove duplicate check of xattrs on profile attachment
   - remove useless aafs_create_symlink

  Bug fixes:
   - Fix memory leak of profile proxy
   - fix introspection of of task mode for unconfined tasks
   - fix nnp subset test for unconfined
   - check/put label on apparmor_sk_clone_security()"

* tag 'apparmor-pr-2020-06-07' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
  apparmor: Fix memory leak of profile proxy
  apparmor: fix introspection of of task mode for unconfined tasks
  apparmor: check/put label on apparmor_sk_clone_security()
  apparmor: Use true and false for bool variable
  security/apparmor/label.c: Clean code by removing redundant instructions
  apparmor: Replace zero-length array with flexible-array
  apparmor: ensure that dfa state tables have entries
  apparmor: remove duplicate check of xattrs on profile attachment.
  apparmor: add outofband transition and use it in xattr match
  apparmor: fail unpack if profile mode is unknown
  apparmor: fix nnp subset test for unconfined
  apparmor: remove useless aafs_create_symlink
  apparmor: add proc subdir to attrs
  apparmor: add consistency check between state and dfa diff encode flags
  apparmor: add a valid state flags check
  AppArmor: Remove semicolon
  apparmor: Replace two seq_printf() calls by seq_puts() in aa_label_seq_xprint()
2020-06-07 16:04:49 -07:00
John Johansen 3622ad25d4 apparmor: Fix memory leak of profile proxy
When the proxy isn't replaced and the profile is removed, the proxy
is being leaked resulting in a kmemleak check message of

unreferenced object 0xffff888077a3a490 (size 16):
  comm "apparmor_parser", pid 128041, jiffies 4322684109 (age 1097.028s)
  hex dump (first 16 bytes):
    03 00 00 00 00 00 00 00 b0 92 fd 4b 81 88 ff ff  ...........K....
  backtrace:
    [<0000000084d5daf2>] aa_alloc_proxy+0x58/0xe0
    [<00000000ecc0e21a>] aa_alloc_profile+0x159/0x1a0
    [<000000004cc9ce15>] unpack_profile+0x275/0x1c40
    [<000000007332b3ca>] aa_unpack+0x1e7/0x7e0
    [<00000000e25e31bd>] aa_replace_profiles+0x18a/0x1d10
    [<00000000350d9415>] policy_update+0x237/0x650
    [<000000003fbf934e>] profile_load+0x122/0x160
    [<0000000047f7b781>] vfs_write+0x139/0x290
    [<000000008ad12358>] ksys_write+0xcd/0x170
    [<000000001a9daa7b>] do_syscall_64+0x70/0x310
    [<00000000b9efb0cf>] entry_SYSCALL_64_after_hwframe+0x49/0xb3

Make sure to cleanup the profile's embedded label which will result
on the proxy being properly freed.

Fixes: 637f688dc3 ("apparmor: switch from profiles to using labels on contexts")
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-06-07 13:38:55 -07:00
Eric W. Biederman b8bff59926 exec: Factor security_bprm_creds_for_exec out of security_bprm_set_creds
Today security_bprm_set_creds has several implementations:
apparmor_bprm_set_creds, cap_bprm_set_creds, selinux_bprm_set_creds,
smack_bprm_set_creds, and tomoyo_bprm_set_creds.

Except for cap_bprm_set_creds they all test bprm->called_set_creds and
return immediately if it is true.  The function cap_bprm_set_creds
ignores bprm->calld_sed_creds entirely.

Create a new LSM hook security_bprm_creds_for_exec that is called just
before prepare_binprm in __do_execve_file, resulting in a LSM hook
that is called exactly once for the entire of exec.  Modify the bits
of security_bprm_set_creds that only want to be called once per exec
into security_bprm_creds_for_exec, leaving only cap_bprm_set_creds
behind.

Remove bprm->called_set_creds all of it's former users have been moved
to security_bprm_creds_for_exec.

Add or upate comments a appropriate to bring them up to date and
to reflect this change.

Link: https://lkml.kernel.org/r/87v9kszrzh.fsf_-_@x220.int.ebiederm.org
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Casey Schaufler <casey@schaufler-ca.com> # For the LSM and Smack bits
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2020-05-20 14:45:31 -05:00
John Johansen 0df34a645b apparmor: add outofband transition and use it in xattr match
There are cases where the a special out of band transition that can
not be triggered by input is useful in separating match conditions
in the dfa encoding.

The null_transition is currently used as an out of band transition
for match conditions that can not contain a \0 in their input
but apparmor needs an out of band transition for cases where
the match condition is allowed to contain any input character.

Achieve this by allowing for an explicit transition out of input
range that can only be triggered by code.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-01-21 06:00:20 -08:00