Commit Graph

490 Commits

Author SHA1 Message Date
Linus Torvalds d81f50bd34 + Features/Improvements
- replace spin_is_locked() with lockdep
   - add base support for secmark labeling and matching
 
 + Cleanups
   - clean an indentation issue, remove extraneous space
   - remove no-op permission check in policy_unpack
   - fix checkpatch missing spaces error in Parse secmark policy
   - fix network performance issue in aa_label_sk_perm
 
 + Bug fixes
   - add #ifdef checks for secmark filtering
   - fix an error code in __aa_create_ns()
   - don't try to replace stale label in ptrace checks
   - fix failure to audit context info in build_change_hat
   - check buffer bounds when mapping permissions mask
   - fully initialize aa_perms struct when answering userspace query
   - fix uninitialized value in aa_split_fqname
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEE7cSDD705q2rFEEf7BS82cBjVw9gFAlvb5PAACgkQBS82cBjV
 w9jrZhAAohmR2SPYDPKsBlmEzEUFg9EgiQmuNTloodZUrc42/cstGsa5B6xxbhZJ
 ke69xnNj7wxokOLMKzZboEjAuFtAmObF4iwOj5w2xuJktpZrTCXawgZppRnJybwk
 U8s1fY7sszjN2pJ7CvFIwHk5UPlncu+RK+/8y8yFcrSlrT3lcrpjL3xt97E6H9WA
 Fv10SQCtw2godT/Je62V83OPG30E6pyUXN+kJeSYGeYaJOnVFCP7wo0muH/UPUU7
 MHzlvjCZ1F8BMtvotk/E/0syeb/mS3tluhMYHysKrcknahMWgmV0vr9NrOsXUzDj
 ExVXmVdtZx3CA7TnOlycJCXv0LK6W0v5FpHTeYket6Dxza7tc4fImQ9lok6vCn2Q
 7kfFeDBbujj4lvIJlgbh7W2Yk4T6HWz6ENaHUJrXKgr2OTqgbvTkHpTyMRkqAWiq
 tcpbhdB7dn+bWw5Ni1OYBfh9pGleOekMuWlB742RoTeml6BFTa9OtOYytdBEogHR
 yjrfxUZwSsVTGc16uqRFK71QZC2mFZNbw1J8eGG8f2YtN/3q+8JYu0JoIXqcSTep
 95mvOwapJ74fy4GyiZdpVvkEozPX/7ITGfKi2f42EPCaC7YKXcdrft0XHJHf6JN5
 peGPOyI8SeiGKm+X0FrGk+eSlJRar+bkCzkDHg/vkQQYmqBn9Ec=
 =GzxZ
 -----END PGP SIGNATURE-----

Merge tag 'apparmor-pr-2018-11-01' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

Pull apparmor updates from John Johansen:
 "Features/Improvements:
   - replace spin_is_locked() with lockdep
   - add base support for secmark labeling and matching

  Cleanups:
   - clean an indentation issue, remove extraneous space
   - remove no-op permission check in policy_unpack
   - fix checkpatch missing spaces error in Parse secmark policy
   - fix network performance issue in aa_label_sk_perm

  Bug fixes:
   - add #ifdef checks for secmark filtering
   - fix an error code in __aa_create_ns()
   - don't try to replace stale label in ptrace checks
   - fix failure to audit context info in build_change_hat
   - check buffer bounds when mapping permissions mask
   - fully initialize aa_perms struct when answering userspace query
   - fix uninitialized value in aa_split_fqname"

* tag 'apparmor-pr-2018-11-01' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
  apparmor: clean an indentation issue, remove extraneous space
  apparmor: fix checkpatch error in Parse secmark policy
  apparmor: add #ifdef checks for secmark filtering
  apparmor: Fix uninitialized value in aa_split_fqname
  apparmor: don't try to replace stale label in ptraceme check
  apparmor: Replace spin_is_locked() with lockdep
  apparmor: Allow filtering based on secmark policy
  apparmor: Parse secmark policy
  apparmor: Add a wildcard secid
  apparmor: don't try to replace stale label in ptrace access check
  apparmor: Fix network performance issue in aa_label_sk_perm
2018-11-02 10:04:26 -07:00
Colin Ian King 566f52ece7 apparmor: clean an indentation issue, remove extraneous space
Trivial fix to clean up an indentation issue, remove space

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-11-01 22:34:25 -07:00
John Johansen 76af016e65 apparmor: fix checkpatch error in Parse secmark policy
Fix missed spacing error reported by checkpatch for
9caafbe2b4 ("Parse secmark policy")

Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-11-01 22:28:17 -07:00
Linus Torvalds 638820d8da Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris:
 "In this patchset, there are a couple of minor updates, as well as some
  reworking of the LSM initialization code from Kees Cook (these prepare
  the way for ordered stackable LSMs, but are a valuable cleanup on
  their own)"

* 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  LSM: Don't ignore initialization failures
  LSM: Provide init debugging infrastructure
  LSM: Record LSM name in struct lsm_info
  LSM: Convert security_initcall() into DEFINE_LSM()
  vmlinux.lds.h: Move LSM_TABLE into INIT_DATA
  LSM: Convert from initcall to struct lsm_info
  LSM: Remove initcall tracing
  LSM: Rename .security_initcall section to .lsm_info
  vmlinux.lds.h: Avoid copy/paste of security_init section
  LSM: Correctly announce start of LSM initialization
  security: fix LSM description location
  keys: Fix the use of the C++ keyword "private" in uapi/linux/keyctl.h
  seccomp: remove unnecessary unlikely()
  security: tomoyo: Fix obsolete function
  security/capabilities: remove check for -EINVAL
2018-10-24 11:49:35 +01:00
Linus Torvalds ba9f6f8954 Merge branch 'siginfo-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
Pull siginfo updates from Eric Biederman:
 "I have been slowly sorting out siginfo and this is the culmination of
  that work.

  The primary result is in several ways the signal infrastructure has
  been made less error prone. The code has been updated so that manually
  specifying SEND_SIG_FORCED is never necessary. The conversion to the
  new siginfo sending functions is now complete, which makes it
  difficult to send a signal without filling in the proper siginfo
  fields.

  At the tail end of the patchset comes the optimization of decreasing
  the size of struct siginfo in the kernel from 128 bytes to about 48
  bytes on 64bit. The fundamental observation that enables this is by
  definition none of the known ways to use struct siginfo uses the extra
  bytes.

  This comes at the cost of a small user space observable difference.
  For the rare case of siginfo being injected into the kernel only what
  can be copied into kernel_siginfo is delivered to the destination, the
  rest of the bytes are set to 0. For cases where the signal and the
  si_code are known this is safe, because we know those bytes are not
  used. For cases where the signal and si_code combination is unknown
  the bits that won't fit into struct kernel_siginfo are tested to
  verify they are zero, and the send fails if they are not.

  I made an extensive search through userspace code and I could not find
  anything that would break because of the above change. If it turns out
  I did break something it will take just the revert of a single change
  to restore kernel_siginfo to the same size as userspace siginfo.

  Testing did reveal dependencies on preferring the signo passed to
  sigqueueinfo over si->signo, so bit the bullet and added the
  complexity necessary to handle that case.

  Testing also revealed bad things can happen if a negative signal
  number is passed into the system calls. Something no sane application
  will do but something a malicious program or a fuzzer might do. So I
  have fixed the code that performs the bounds checks to ensure negative
  signal numbers are handled"

* 'siginfo-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: (80 commits)
  signal: Guard against negative signal numbers in copy_siginfo_from_user32
  signal: Guard against negative signal numbers in copy_siginfo_from_user
  signal: In sigqueueinfo prefer sig not si_signo
  signal: Use a smaller struct siginfo in the kernel
  signal: Distinguish between kernel_siginfo and siginfo
  signal: Introduce copy_siginfo_from_user and use it's return value
  signal: Remove the need for __ARCH_SI_PREABLE_SIZE and SI_PAD_SIZE
  signal: Fail sigqueueinfo if si_signo != sig
  signal/sparc: Move EMT_TAGOVF into the generic siginfo.h
  signal/unicore32: Use force_sig_fault where appropriate
  signal/unicore32: Generate siginfo in ucs32_notify_die
  signal/unicore32: Use send_sig_fault where appropriate
  signal/arc: Use force_sig_fault where appropriate
  signal/arc: Push siginfo generation into unhandled_exception
  signal/ia64: Use force_sig_fault where appropriate
  signal/ia64: Use the force_sig(SIGSEGV,...) in ia64_rt_sigreturn
  signal/ia64: Use the generic force_sigsegv in setup_frame
  signal/arm/kvm: Use send_sig_mceerr
  signal/arm: Use send_sig_fault where appropriate
  signal/arm: Use force_sig_fault where appropriate
  ...
2018-10-24 11:22:39 +01:00
Arnd Bergmann e1af477961 apparmor: add #ifdef checks for secmark filtering
The newly added code fails to build when either SECMARK or
NETFILTER are disabled:

security/apparmor/lsm.c: In function 'apparmor_socket_sock_rcv_skb':
security/apparmor/lsm.c:1138:12: error: 'struct sk_buff' has no member named 'secmark'; did you mean 'mark'?

security/apparmor/lsm.c:1671:21: error: 'struct nf_hook_state' declared inside parameter list will not be visible outside of this definition or declaration [-Werror]

Add a set of #ifdef checks around it to only enable the code that
we can compile and that makes sense in that configuration.

Fixes: ab9f211508 ("apparmor: Allow filtering based on secmark policy")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-10-12 17:09:56 -07:00
Kees Cook 07aed2f2af LSM: Record LSM name in struct lsm_info
In preparation for making LSM selections outside of the LSMs, include
the name of LSMs in struct lsm_info.

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
2018-10-10 20:40:22 -07:00
Kees Cook 3d6e5f6dcf LSM: Convert security_initcall() into DEFINE_LSM()
Instead of using argument-based initializers, switch to defining the
contents of struct lsm_info on a per-LSM basis. This also drops
the final use of the now inaccurate "initcall" naming.

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: James Morris <james.morris@microsoft.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
2018-10-10 20:40:21 -07:00
Eric W. Biederman ae7795bc61 signal: Distinguish between kernel_siginfo and siginfo
Linus recently observed that if we did not worry about the padding
member in struct siginfo it is only about 48 bytes, and 48 bytes is
much nicer than 128 bytes for allocating on the stack and copying
around in the kernel.

The obvious thing of only adding the padding when userspace is
including siginfo.h won't work as there are sigframe definitions in
the kernel that embed struct siginfo.

So split siginfo in two; kernel_siginfo and siginfo.  Keeping the
traditional name for the userspace definition.  While the version that
is used internally to the kernel and ultimately will not be padded to
128 bytes is called kernel_siginfo.

The definition of struct kernel_siginfo I have put in include/signal_types.h

A set of buildtime checks has been added to verify the two structures have
the same field offsets.

To make it easy to verify the change kernel_siginfo retains the same
size as siginfo.  The reduction in size comes in a following change.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2018-10-03 16:47:43 +02:00
Zubin Mithra 250f2da49c apparmor: Fix uninitialized value in aa_split_fqname
Syzkaller reported a OOB-read with the stacktrace below. This occurs
inside __aa_lookupn_ns as `n` is not initialized. `n` is obtained from
aa_splitn_fqname. In cases where `name` is invalid, aa_splitn_fqname
returns without initializing `ns_name` and `ns_len`.

Fix this by always initializing `ns_name` and `ns_len`.

	__dump_stack lib/dump_stack.c:77 [inline]
	dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113
	print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
	kasan_report_error mm/kasan/report.c:354 [inline]
	kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
	__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
	memcmp+0xe3/0x160 lib/string.c:861
	strnstr+0x4b/0x70 lib/string.c:934
	__aa_lookupn_ns+0xc1/0x570 security/apparmor/policy_ns.c:209
	aa_lookupn_ns+0x88/0x1e0 security/apparmor/policy_ns.c:240
	aa_fqlookupn_profile+0x1b9/0x1010 security/apparmor/policy.c:468
	fqlookupn_profile+0x80/0xc0 security/apparmor/label.c:1844
	aa_label_strn_parse+0xa3a/0x1230 security/apparmor/label.c:1908
	aa_label_parse+0x42/0x50 security/apparmor/label.c:1943
	aa_change_profile+0x513/0x3510 security/apparmor/domain.c:1362
	apparmor_setprocattr+0xaa4/0x1150 security/apparmor/lsm.c:658
	security_setprocattr+0x66/0xc0 security/security.c:1298
	proc_pid_attr_write+0x301/0x540 fs/proc/base.c:2555
	__vfs_write+0x119/0x9f0 fs/read_write.c:485
	vfs_write+0x1fc/0x560 fs/read_write.c:549
	ksys_write+0x101/0x260 fs/read_write.c:598
	__do_sys_write fs/read_write.c:610 [inline]
	__se_sys_write fs/read_write.c:607 [inline]
	__x64_sys_write+0x73/0xb0 fs/read_write.c:607
	do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
	entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: 3b0aaf5866 ("apparmor: add lib fn to find the "split" for fqnames")
Reported-by: syzbot+61e4b490d9d2da591b50@syzkaller.appspotmail.com
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-10-03 06:29:22 -07:00
Jann Horn ca3fde5214 apparmor: don't try to replace stale label in ptraceme check
begin_current_label_crit_section() must run in sleepable context because
when label_is_stale() is true, aa_replace_current_label() runs, which uses
prepare_creds(), which can sleep.

Until now, the ptraceme access check (which runs with tasklist_lock held)
violated this rule.

Fixes: b2d09ae449 ("apparmor: move ptrace checks to using labels")
Reported-by: Cyrill Gorcunov <gorcunov@gmail.com>
Reported-by: kernel test robot <rong.a.chen@intel.com>
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-10-03 06:29:22 -07:00
Lance Roy 0fb871cc42 apparmor: Replace spin_is_locked() with lockdep
lockdep_assert_held() is better suited to checking locking requirements,
since it won't get confused when someone else holds the lock. This is
also a step towards possibly removing spin_is_locked().

Signed-off-by: Lance Roy <ldr709@gmail.com>
Cc: John Johansen <john.johansen@canonical.com>
Cc: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: <linux-security-module@vger.kernel.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-10-03 06:29:22 -07:00
Matthew Garrett ab9f211508 apparmor: Allow filtering based on secmark policy
Add support for dropping or accepting packets based on their secmark
tags.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-10-03 06:18:55 -07:00
Matthew Garrett 9caafbe2b4 apparmor: Parse secmark policy
Add support for parsing secmark policy provided by userspace, and
store that in the overall policy.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-10-03 06:18:38 -07:00
Matthew Garrett 617a629c08 apparmor: Add a wildcard secid
Reserve a secid value that we can use as a wildcard, allowing us to
define policy that's expected to match against all secids.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-10-03 06:18:17 -07:00
Jann Horn 1f8266ff58 apparmor: don't try to replace stale label in ptrace access check
As a comment above begin_current_label_crit_section() explains,
begin_current_label_crit_section() must run in sleepable context because
when label_is_stale() is true, aa_replace_current_label() runs, which uses
prepare_creds(), which can sleep.
Until now, the ptrace access check (which runs with a task lock held)
violated this rule.

Also add a might_sleep() assertion to begin_current_label_crit_section(),
because asserts are less likely to be ignored than comments.

Fixes: b2d09ae449 ("apparmor: move ptrace checks to using labels")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-09-13 09:44:56 -07:00
Tony Jones 5f997580e8 apparmor: Fix network performance issue in aa_label_sk_perm
The netperf benchmark shows a 5.73% reduction in throughput for
small (64 byte) transfers by unconfined tasks.

DEFINE_AUDIT_SK() in aa_label_sk_perm() should not be performed
unconditionally, rather only when the label is confined.

netperf-tcp
                            56974a6fc^              56974a6fc
Min       64         563.48 (   0.00%)      531.17 (  -5.73%)
Min       128       1056.92 (   0.00%)      999.44 (  -5.44%)
Min       256       1945.95 (   0.00%)     1867.97 (  -4.01%)
Min       1024      6761.40 (   0.00%)     6364.23 (  -5.87%)
Min       2048     11110.53 (   0.00%)    10606.20 (  -4.54%)
Min       3312     13692.67 (   0.00%)    13158.41 (  -3.90%)
Min       4096     14926.29 (   0.00%)    14457.46 (  -3.14%)
Min       8192     18399.34 (   0.00%)    18091.65 (  -1.67%)
Min       16384    21384.13 (   0.00%)    21158.05 (  -1.06%)
Hmean     64         564.96 (   0.00%)      534.38 (  -5.41%)
Hmean     128       1064.42 (   0.00%)     1010.12 (  -5.10%)
Hmean     256       1965.85 (   0.00%)     1879.16 (  -4.41%)
Hmean     1024      6839.77 (   0.00%)     6478.70 (  -5.28%)
Hmean     2048     11154.80 (   0.00%)    10671.13 (  -4.34%)
Hmean     3312     13838.12 (   0.00%)    13249.01 (  -4.26%)
Hmean     4096     15009.99 (   0.00%)    14561.36 (  -2.99%)
Hmean     8192     18975.57 (   0.00%)    18326.54 (  -3.42%)
Hmean     16384    21440.44 (   0.00%)    21324.59 (  -0.54%)
Stddev    64           1.24 (   0.00%)        2.85 (-130.64%)
Stddev    128          4.51 (   0.00%)        6.53 ( -44.84%)
Stddev    256         11.67 (   0.00%)        8.50 (  27.16%)
Stddev    1024        48.33 (   0.00%)       75.07 ( -55.34%)
Stddev    2048        54.82 (   0.00%)       65.16 ( -18.86%)
Stddev    3312       153.57 (   0.00%)       56.29 (  63.35%)
Stddev    4096       100.25 (   0.00%)       88.50 (  11.72%)
Stddev    8192       358.13 (   0.00%)      169.99 (  52.54%)
Stddev    16384       43.99 (   0.00%)      141.82 (-222.39%)

Signed-off-by: Tony Jones <tonyj@suse.de>
Fixes: 56974a6fcf ("apparmor: add base infastructure for socket
mediation")
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-09-07 09:33:52 -07:00
John Johansen edf4e7b7b9 apparmor: fix bad debug check in apparmor_secid_to_secctx()
apparmor_secid_to_secctx() has a bad debug statement tripping on a
condition handle by the code.  When kconfig SECURITY_APPARMOR_DEBUG is
enabled the debug WARN_ON will trip when **secdata is NULL resulting
in the following trace.

------------[ cut here ]------------
AppArmor WARN apparmor_secid_to_secctx: ((!secdata)):
WARNING: CPU: 0 PID: 14826 at security/apparmor/secid.c:82 apparmor_secid_to_secctx+0x2b5/0x2f0 security/apparmor/secid.c:82
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 14826 Comm: syz-executor1 Not tainted 4.19.0-rc1+ #193
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 panic+0x238/0x4e7 kernel/panic.c:184
 __warn.cold.8+0x163/0x1ba kernel/panic.c:536
 report_bug+0x252/0x2d0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x1fc/0x4d0 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:993
RIP: 0010:apparmor_secid_to_secctx+0x2b5/0x2f0 security/apparmor/secid.c:82
Code: c7 c7 40 66 58 87 e8 6a 6d 0f fe 0f 0b e9 6c fe ff ff e8 3e aa 44 fe 48 c7 c6 80 67 58 87 48 c7 c7 a0 65 58 87 e8 4b 6d 0f fe <0f> 0b e9 3f fe ff ff 48 89 df e8 fc a7 83 fe e9 ed fe ff ff bb f4
RSP: 0018:ffff8801ba1bed10 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff8801ba1beed0 RCX: ffffc9000227e000
RDX: 0000000000018482 RSI: ffffffff8163ac01 RDI: 0000000000000001
RBP: ffff8801ba1bed30 R08: ffff8801b80ec080 R09: ffffed003b603eca
R10: ffffed003b603eca R11: ffff8801db01f657 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000000 R15: ffff8801ba1beed0
 security_secid_to_secctx+0x63/0xc0 security/security.c:1314
 ctnetlink_secctx_size net/netfilter/nf_conntrack_netlink.c:621 [inline]
 ctnetlink_nlmsg_size net/netfilter/nf_conntrack_netlink.c:659 [inline]
 ctnetlink_conntrack_event+0x303/0x1470 net/netfilter/nf_conntrack_netlink.c:706
 nf_conntrack_eventmask_report+0x55f/0x930 net/netfilter/nf_conntrack_ecache.c:151
 nf_conntrack_event_report include/net/netfilter/nf_conntrack_ecache.h:112 [inline]
 nf_ct_delete+0x33c/0x5d0 net/netfilter/nf_conntrack_core.c:601
 nf_ct_iterate_cleanup+0x48c/0x5e0 net/netfilter/nf_conntrack_core.c:1892
 nf_ct_iterate_cleanup_net+0x23c/0x2d0 net/netfilter/nf_conntrack_core.c:1974
 ctnetlink_flush_conntrack net/netfilter/nf_conntrack_netlink.c:1226 [inline]
 ctnetlink_del_conntrack+0x66c/0x850 net/netfilter/nf_conntrack_netlink.c:1258
 nfnetlink_rcv_msg+0xd88/0x1070 net/netfilter/nfnetlink.c:228
 netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2454
 nfnetlink_rcv+0x1c0/0x4d0 net/netfilter/nfnetlink.c:560
 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
 netlink_unicast+0x5a0/0x760 net/netlink/af_netlink.c:1343
 netlink_sendmsg+0xa18/0xfc0 net/netlink/af_netlink.c:1908
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:631
 ___sys_sendmsg+0x7fd/0x930 net/socket.c:2114
 __sys_sendmsg+0x11d/0x290 net/socket.c:2152
 __do_sys_sendmsg net/socket.c:2161 [inline]
 __se_sys_sendmsg net/socket.c:2159 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2159
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457089
Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f7bc6e03c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f7bc6e046d4 RCX: 0000000000457089
RDX: 0000000000000000 RSI: 0000000020d65000 RDI: 0000000000000003
RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004d4588 R14: 00000000004c8d5c R15: 0000000000000000
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..

CC: <stable@vger.kernel.org> #4.18
Fixes: c092921219 ("apparmor: add support for mapping secids and using secctxes")
Reported-by: syzbot+21016130b0580a9de3b5@syzkaller.appspotmail.com
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-09-03 11:15:29 -07:00
Linus Torvalds 57bb8e37d7 + Cleanups
- apparmor: remove no-op permission check in policy_unpack
 
 + Bug fixes
   - apparmor: fix an error code in __aa_create_ns()
   - apparmor: Fix failure to audit context info in build_change_hat
   - apparmor: Check buffer bounds when mapping permissions mask
   - apparmor: Fully initialize aa_perms struct when answering userspace query
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEE7cSDD705q2rFEEf7BS82cBjVw9gFAlt/ZisACgkQBS82cBjV
 w9ggNA//T41KN8bduCf9mwLjYkdU/hUu/tdHnV9Ss/OfnLRo5HzH8MxCHkrdPL6+
 3/Ex69un1X/6jWi1SN5lphj5Y09cbbrn5LWZ/MbTrPehmHe6OCN/fhjKx2HbKt09
 0IwwrmIEwwlYMmDhCe21JqeP6zvSCwPqWcFj73H6MZ8FCItFRfiUevm97G1lzhpP
 s9L6E6TNs27dvFb/V2CqWpKCuCs8byDA7Vd6g7MiuV6ciz1IpoFqMZiXbl1cpnpa
 Qt5vN+b7/BzixQFxC7W8y9D5+5x2nV2U8LEHXP9wn7s+dptTPNilPCEKX2t2qPwq
 3p5zK2s4V3oWiyuzb7I3xK5lvbWBfPY6LphaIODbUqqug/PvRYQrfhT/dgR5SNpQ
 +MnIx742PKn/xZt/q9G2n4vCjVppnWCQNFckyk2+TCT0jWyLqpZPlmp4wwAB0R4e
 oQrEl8y4G8xUX6ufkNFxF3hm5FoXYQgTnVgnkY4ULZ5ZjdPAUJktwWkI4qnS5zeG
 WmtuxvAKaPQl9knk0K4VoTAFAGSHWeojaW0+ptEmm+uehmm7Ck8f/lYLW7tvOEdk
 W1CUv7ubuK4uxIXb38IQxfN2Ehm9xaK5SvUT9wB2sH6HG2WGsZI1Vau0qbOClNdd
 SArqlZCuuZHMs8suqmmVGlS8VRQy4LdHTwfiIpLl7qYdn9yOz4Y=
 =TdN2
 -----END PGP SIGNATURE-----

Merge tag 'apparmor-pr-2018-08-23' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

Pull apparmor updates from John Johansen:
 "There is nothing major this time just four bug fixes and a patch to
  remove some dead code:

  Cleanups:
   - remove no-op permission check in policy_unpack

  Bug fixes:
   - fix an error code in __aa_create_ns()
   - fix failure to audit context info in build_change_hat
   - check buffer bounds when mapping permissions mask
   - fully initialize aa_perms struct when answering userspace query"

* tag 'apparmor-pr-2018-08-23' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
  apparmor: remove no-op permission check in policy_unpack
  apparmor: fix an error code in __aa_create_ns()
  apparmor: Fix failure to audit context info in build_change_hat
  apparmor: Fully initialize aa_perms struct when answering userspace query
  apparmor: Check buffer bounds when mapping permissions mask
2018-08-24 13:00:33 -07:00
John Johansen c037bd6158 apparmor: remove no-op permission check in policy_unpack
The patch 736ec752d95e: "AppArmor: policy routines for loading and
unpacking policy" from Jul 29, 2010, leads to the following static
checker warning:

    security/apparmor/policy_unpack.c:410 verify_accept()
    warn: bitwise AND condition is false here

    security/apparmor/policy_unpack.c:413 verify_accept()
    warn: bitwise AND condition is false here

security/apparmor/policy_unpack.c
   392  #define DFA_VALID_PERM_MASK             0xffffffff
   393  #define DFA_VALID_PERM2_MASK            0xffffffff
   394
   395  /**
   396   * verify_accept - verify the accept tables of a dfa
   397   * @dfa: dfa to verify accept tables of (NOT NULL)
   398   * @flags: flags governing dfa
   399   *
   400   * Returns: 1 if valid accept tables else 0 if error
   401   */
   402  static bool verify_accept(struct aa_dfa *dfa, int flags)
   403  {
   404          int i;
   405
   406          /* verify accept permissions */
   407          for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
   408                  int mode = ACCEPT_TABLE(dfa)[i];
   409
   410                  if (mode & ~DFA_VALID_PERM_MASK)
   411                          return 0;
   412
   413                  if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK)
   414                          return 0;

fixes: 736ec752d9 ("AppArmor: policy routines for loading and unpacking policy")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-08-22 18:44:42 -07:00
Dan Carpenter 0a6b29230e apparmor: fix an error code in __aa_create_ns()
We should return error pointers in this function.  Returning NULL
results in a NULL dereference in the caller.

Fixes: 73688d1ed0 ("apparmor: refactor prepare_ns() and make usable from different views")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-08-21 16:24:56 -07:00
John Johansen 24b87a16fe apparmor: Fix failure to audit context info in build_change_hat
Cleans up clang warning:
warning: variable 'info' set but not used [-Wunused-but-set-variable]

Fixes: 89dbf1962a ("apparmor: move change_hat mediation to using labels")
Reported-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-07-20 03:25:25 -07:00
Tyler Hicks f4585bc20f apparmor: Fully initialize aa_perms struct when answering userspace query
Fully initialize the aa_perms struct in profile_query_cb() to avoid the
potential of using an uninitialized struct member's value in a response
to a query from userspace.

Detected by CoverityScan CID#1415126 ("Uninitialized scalar variable")

Fixes: 4f3b3f2d79 ("apparmor: add profile permission query ability")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-07-19 16:29:13 -07:00
Tyler Hicks 7f3ebcf2b1 apparmor: Check buffer bounds when mapping permissions mask
Don't read past the end of the buffer containing permissions
characters or write past the end of the destination string.

Detected by CoverityScan CID#1415361, 1415376 ("Out-of-bounds access")

Fixes: e53cfe6c7c ("apparmor: rework perm mapping to a slightly broader set")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-07-19 16:24:43 -07:00
Al Viro 9481769208 ->file_open(): lose cred argument
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2018-07-12 10:04:15 -04:00
Linus Torvalds 463f202172 + Features
- add support for mapping secids and using secctxes
   - add the ability to get a task's secid
   - add support for audit rule filtering
 
 + Cleanups
   - multiple typo fixes
   - Convert to use match_string() helper
   - update git and wiki locations in AppArmor docs
   - improve get_buffers macro by using get_cpu_ptr
   - Use an IDR to allocate apparmor secids
 
 + Bug fixes
   - fix '*seclen' is never less than zero
   - fix mediation of prlimit
   - fix memory leak when deduping profile load
   - fix ptrace read check
   - fix memory leak of rule on error exit path
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABCgAGBQJbIPxYAAoJEAUvNnAY1cPYVOQQAKfVO71Mk1U6zegWk8VJoiRy
 /wb3ZjMy9KCE5UWNPp0jyB3qzFpejZizycRwVS2k1l/SjugACxvq1fyZ85bzys10
 pb8efsWU/Co4l45PfaHpoqCJYr3+3/PBPwSU9vb8ScEFnb95D+0d7KRgA6uIC7lE
 H/zbjot1AXGX0CVKmQkKXdi+Ldnbzqv7GtCzipKWDeD0JJqgOKu8NOnnAfJiSNs7
 YlIhcr6K4nRxHJ6e8vxbYeogbBzmVWZwWHN8ViXj5Bbox93FRlkkSqxw8Ke8SmXi
 y/wQabMQMPZHr2SvQjvFD3cpBmKaMG9NktIjy/4tYcTbhZPNgx/wJSSzRiySFTiW
 hPbXWueI75P3Zepj4rRaXy0T68fQaj4k2lTItxkqGN1UOu8mibMlOkE6ZmllTKO7
 xPvLgZL7/vYS0fKqJaikZbMhWTBtQD/w0ZwYzmT77umOgRHQvrGKi9nk49fIigOo
 aftf8VIjMBUND2JMWCQn1d33CJUXdONpW0aX6cr5Xxthnlz5+aa9Ki2s58BFMVI3
 PSMhOr6kdpxrkemEnoVnFMohxRb+u046ecM5X5E2rMEbH3PHow5bzaXyTBHFAiYY
 rPn/sKNaXtw4hdMcnv9lmFKyObAdoBxY4bRKzrPTC66sIMncLYVzcSzWY6C3bMfm
 tuu+zmVF0v5JENrcwccQ
 =EVj2
 -----END PGP SIGNATURE-----

Merge tag 'apparmor-pr-2018-06-13' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

Pull AppArmor updates from John Johansen:
 "Features
   - add support for mapping secids and using secctxes
   - add the ability to get a task's secid
   - add support for audit rule filtering

  Cleanups:
   - multiple typo fixes
   - Convert to use match_string() helper
   - update git and wiki locations in AppArmor docs
   - improve get_buffers macro by using get_cpu_ptr
   - Use an IDR to allocate apparmor secids

  Bug fixes:
   - fix '*seclen' is never less than zero
   - fix mediation of prlimit
   - fix memory leak when deduping profile load
   - fix ptrace read check
   - fix memory leak of rule on error exit path"

* tag 'apparmor-pr-2018-06-13' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: (21 commits)
  apparmor: fix ptrace read check
  apparmor: fix memory leak when deduping profile load
  apparmor: fix mediation of prlimit
  apparmor: fixup secid map conversion to using IDR
  apparmor: Use an IDR to allocate apparmor secids
  apparmor: Fix memory leak of rule on error exit path
  apparmor: modify audit rule support to support profile stacks
  apparmor: Add support for audit rule filtering
  apparmor: update git and wiki locations in AppArmor docs
  apparmor: Convert to use match_string() helper
  apparmor: improve get_buffers macro by using get_cpu_ptr
  apparmor: fix '*seclen' is never less than zero
  apparmor: fix typo "preconfinement"
  apparmor: fix typo "independent"
  apparmor: fix typo "traverse"
  apparmor: fix typo "type"
  apparmor: fix typo "replace"
  apparmor: fix typo "comparison"
  apparmor: fix typo "loosen"
  apparmor: add the ability to get a task's secid
  ...
2018-06-14 16:11:28 +09:00
Kees Cook 6396bb2215 treewide: kzalloc() -> kcalloc()
The kzalloc() function has a 2-factor argument form, kcalloc(). This
patch replaces cases of:

        kzalloc(a * b, gfp)

with:
        kcalloc(a * b, gfp)

as well as handling cases of:

        kzalloc(a * b * c, gfp)

with:

        kzalloc(array3_size(a, b, c), gfp)

as it's slightly less ugly than:

        kzalloc_array(array_size(a, b), c, gfp)

This does, however, attempt to ignore constant size factors like:

        kzalloc(4 * 1024, gfp)

though any constants defined via macros get caught up in the conversion.

Any factors with a sizeof() of "unsigned char", "char", and "u8" were
dropped, since they're redundant.

The Coccinelle script used for this was:

// Fix redundant parens around sizeof().
@@
type TYPE;
expression THING, E;
@@

(
  kzalloc(
-	(sizeof(TYPE)) * E
+	sizeof(TYPE) * E
  , ...)
|
  kzalloc(
-	(sizeof(THING)) * E
+	sizeof(THING) * E
  , ...)
)

// Drop single-byte sizes and redundant parens.
@@
expression COUNT;
typedef u8;
typedef __u8;
@@

(
  kzalloc(
-	sizeof(u8) * (COUNT)
+	COUNT
  , ...)
|
  kzalloc(
-	sizeof(__u8) * (COUNT)
+	COUNT
  , ...)
|
  kzalloc(
-	sizeof(char) * (COUNT)
+	COUNT
  , ...)
|
  kzalloc(
-	sizeof(unsigned char) * (COUNT)
+	COUNT
  , ...)
|
  kzalloc(
-	sizeof(u8) * COUNT
+	COUNT
  , ...)
|
  kzalloc(
-	sizeof(__u8) * COUNT
+	COUNT
  , ...)
|
  kzalloc(
-	sizeof(char) * COUNT
+	COUNT
  , ...)
|
  kzalloc(
-	sizeof(unsigned char) * COUNT
+	COUNT
  , ...)
)

// 2-factor product with sizeof(type/expression) and identifier or constant.
@@
type TYPE;
expression THING;
identifier COUNT_ID;
constant COUNT_CONST;
@@

(
- kzalloc
+ kcalloc
  (
-	sizeof(TYPE) * (COUNT_ID)
+	COUNT_ID, sizeof(TYPE)
  , ...)
|
- kzalloc
+ kcalloc
  (
-	sizeof(TYPE) * COUNT_ID
+	COUNT_ID, sizeof(TYPE)
  , ...)
|
- kzalloc
+ kcalloc
  (
-	sizeof(TYPE) * (COUNT_CONST)
+	COUNT_CONST, sizeof(TYPE)
  , ...)
|
- kzalloc
+ kcalloc
  (
-	sizeof(TYPE) * COUNT_CONST
+	COUNT_CONST, sizeof(TYPE)
  , ...)
|
- kzalloc
+ kcalloc
  (
-	sizeof(THING) * (COUNT_ID)
+	COUNT_ID, sizeof(THING)
  , ...)
|
- kzalloc
+ kcalloc
  (
-	sizeof(THING) * COUNT_ID
+	COUNT_ID, sizeof(THING)
  , ...)
|
- kzalloc
+ kcalloc
  (
-	sizeof(THING) * (COUNT_CONST)
+	COUNT_CONST, sizeof(THING)
  , ...)
|
- kzalloc
+ kcalloc
  (
-	sizeof(THING) * COUNT_CONST
+	COUNT_CONST, sizeof(THING)
  , ...)
)

// 2-factor product, only identifiers.
@@
identifier SIZE, COUNT;
@@

- kzalloc
+ kcalloc
  (
-	SIZE * COUNT
+	COUNT, SIZE
  , ...)

// 3-factor product with 1 sizeof(type) or sizeof(expression), with
// redundant parens removed.
@@
expression THING;
identifier STRIDE, COUNT;
type TYPE;
@@

(
  kzalloc(
-	sizeof(TYPE) * (COUNT) * (STRIDE)
+	array3_size(COUNT, STRIDE, sizeof(TYPE))
  , ...)
|
  kzalloc(
-	sizeof(TYPE) * (COUNT) * STRIDE
+	array3_size(COUNT, STRIDE, sizeof(TYPE))
  , ...)
|
  kzalloc(
-	sizeof(TYPE) * COUNT * (STRIDE)
+	array3_size(COUNT, STRIDE, sizeof(TYPE))
  , ...)
|
  kzalloc(
-	sizeof(TYPE) * COUNT * STRIDE
+	array3_size(COUNT, STRIDE, sizeof(TYPE))
  , ...)
|
  kzalloc(
-	sizeof(THING) * (COUNT) * (STRIDE)
+	array3_size(COUNT, STRIDE, sizeof(THING))
  , ...)
|
  kzalloc(
-	sizeof(THING) * (COUNT) * STRIDE
+	array3_size(COUNT, STRIDE, sizeof(THING))
  , ...)
|
  kzalloc(
-	sizeof(THING) * COUNT * (STRIDE)
+	array3_size(COUNT, STRIDE, sizeof(THING))
  , ...)
|
  kzalloc(
-	sizeof(THING) * COUNT * STRIDE
+	array3_size(COUNT, STRIDE, sizeof(THING))
  , ...)
)

// 3-factor product with 2 sizeof(variable), with redundant parens removed.
@@
expression THING1, THING2;
identifier COUNT;
type TYPE1, TYPE2;
@@

(
  kzalloc(
-	sizeof(TYPE1) * sizeof(TYPE2) * COUNT
+	array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
  , ...)
|
  kzalloc(
-	sizeof(TYPE1) * sizeof(THING2) * (COUNT)
+	array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
  , ...)
|
  kzalloc(
-	sizeof(THING1) * sizeof(THING2) * COUNT
+	array3_size(COUNT, sizeof(THING1), sizeof(THING2))
  , ...)
|
  kzalloc(
-	sizeof(THING1) * sizeof(THING2) * (COUNT)
+	array3_size(COUNT, sizeof(THING1), sizeof(THING2))
  , ...)
|
  kzalloc(
-	sizeof(TYPE1) * sizeof(THING2) * COUNT
+	array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
  , ...)
|
  kzalloc(
-	sizeof(TYPE1) * sizeof(THING2) * (COUNT)
+	array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
  , ...)
)

// 3-factor product, only identifiers, with redundant parens removed.
@@
identifier STRIDE, SIZE, COUNT;
@@

(
  kzalloc(
-	(COUNT) * STRIDE * SIZE
+	array3_size(COUNT, STRIDE, SIZE)
  , ...)
|
  kzalloc(
-	COUNT * (STRIDE) * SIZE
+	array3_size(COUNT, STRIDE, SIZE)
  , ...)
|
  kzalloc(
-	COUNT * STRIDE * (SIZE)
+	array3_size(COUNT, STRIDE, SIZE)
  , ...)
|
  kzalloc(
-	(COUNT) * (STRIDE) * SIZE
+	array3_size(COUNT, STRIDE, SIZE)
  , ...)
|
  kzalloc(
-	COUNT * (STRIDE) * (SIZE)
+	array3_size(COUNT, STRIDE, SIZE)
  , ...)
|
  kzalloc(
-	(COUNT) * STRIDE * (SIZE)
+	array3_size(COUNT, STRIDE, SIZE)
  , ...)
|
  kzalloc(
-	(COUNT) * (STRIDE) * (SIZE)
+	array3_size(COUNT, STRIDE, SIZE)
  , ...)
|
  kzalloc(
-	COUNT * STRIDE * SIZE
+	array3_size(COUNT, STRIDE, SIZE)
  , ...)
)

// Any remaining multi-factor products, first at least 3-factor products,
// when they're not all constants...
@@
expression E1, E2, E3;
constant C1, C2, C3;
@@

(
  kzalloc(C1 * C2 * C3, ...)
|
  kzalloc(
-	(E1) * E2 * E3
+	array3_size(E1, E2, E3)
  , ...)
|
  kzalloc(
-	(E1) * (E2) * E3
+	array3_size(E1, E2, E3)
  , ...)
|
  kzalloc(
-	(E1) * (E2) * (E3)
+	array3_size(E1, E2, E3)
  , ...)
|
  kzalloc(
-	E1 * E2 * E3
+	array3_size(E1, E2, E3)
  , ...)
)

// And then all remaining 2 factors products when they're not all constants,
// keeping sizeof() as the second factor argument.
@@
expression THING, E1, E2;
type TYPE;
constant C1, C2, C3;
@@

(
  kzalloc(sizeof(THING) * C2, ...)
|
  kzalloc(sizeof(TYPE) * C2, ...)
|
  kzalloc(C1 * C2 * C3, ...)
|
  kzalloc(C1 * C2, ...)
|
- kzalloc
+ kcalloc
  (
-	sizeof(TYPE) * (E2)
+	E2, sizeof(TYPE)
  , ...)
|
- kzalloc
+ kcalloc
  (
-	sizeof(TYPE) * E2
+	E2, sizeof(TYPE)
  , ...)
|
- kzalloc
+ kcalloc
  (
-	sizeof(THING) * (E2)
+	E2, sizeof(THING)
  , ...)
|
- kzalloc
+ kcalloc
  (
-	sizeof(THING) * E2
+	E2, sizeof(THING)
  , ...)
|
- kzalloc
+ kcalloc
  (
-	(E1) * E2
+	E1, E2
  , ...)
|
- kzalloc
+ kcalloc
  (
-	(E1) * (E2)
+	E1, E2
  , ...)
|
- kzalloc
+ kcalloc
  (
-	E1 * E2
+	E1, E2
  , ...)
)

Signed-off-by: Kees Cook <keescook@chromium.org>
2018-06-12 16:19:22 -07:00
John Johansen 338d0be437 apparmor: fix ptrace read check
The ptrace read check is incorrect resulting in policy that is
broader than it needs to be. Fix the check so that read access
permission can be properly detected when other ptrace flags are
set.

Fixes: b2d09ae449 ("apparmor: move ptrace checks to using labels")
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-06-07 01:51:02 -07:00
John Johansen 3ddae9876a apparmor: fix memory leak when deduping profile load
AppArmor is leaking the newly loaded profile and its proxy when
the profile is an exact match to the currently loaded version.

In this case the dedup check results in the profile being skipped and
put without dealing with the proxy ref thus not breaking a circular
refcount and causing a leak.

BugLink: http://bugs.launchpad.net/bugs/1750594
Fixes: 5d5182cae4 ("apparmor: move to per loaddata files, instead of replicating in profiles")
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-06-07 01:51:01 -07:00
John Johansen 11c92f144b apparmor: fix mediation of prlimit
For primit apparmor requires that if target confinement does not match
the setting task's confinement, the setting task requires CAP_SYS_RESOURCE.

Unfortunately this was broken when rlimit enforcement was reworked to
support labels.

Fixes: 86b92cb782 ("apparmor: move resource checks to using labels")
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-06-07 01:51:01 -07:00
John Johansen a4c3f89c9b apparmor: fixup secid map conversion to using IDR
The IDR conversion did not handle an error case for when allocating a
mapping fails, and it did not ensure that mappings did not allocate or
use a 0 value, which is used as an invalid secid. Which is used when a
mapping fails.

Fixes: 3ae7eb49a2be ("apparmor: Use an IDR to allocate apparmor secids")
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-06-07 01:50:49 -07:00
Matthew Wilcox 99cc45e486 apparmor: Use an IDR to allocate apparmor secids
Replace the custom usage of the radix tree to store a list of free IDs
with the IDR.

Signed-off-by: Matthew Wilcox <mawilcox@microsoft.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-06-07 01:50:49 -07:00
Tyler Hicks 52e8c38001 apparmor: Fix memory leak of rule on error exit path
Currently on the error exit path the allocated rule is not free'd
causing a memory leak. Fix this by calling aa_audit_rule_free().

Detected by CoverityScan, CID#1468966 ("Resource leaks")

Fixes: cb740f574c7b ("apparmor: modify audit rule support to support profile stacks")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-06-07 01:50:48 -07:00
John Johansen 2ab47dae54 apparmor: modify audit rule support to support profile stacks
Allows for audit rules, where a rule could specify a profile stack
A//&B, while extending the current semantic so if the label specified
in the audit rule is a subset of the secid it is considered a match.

Eg. if the secid resolves to the label stack A//&B//&C

Then an audit rule specifying a label of

  A - would match
  B - would match
  C - would match
  D - would not
  A//&B - would match as a subset
  A//&C - would match as a subset
  B//&C - would match as a subset
  A//&B//&C - would match

  A//&D - would not match, because while A does match, D is also
  specified and does not

Note: audit rules are currently assumed to be coming from the root
namespace.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-06-07 01:50:48 -07:00
Matthew Garrett e79c26d040 apparmor: Add support for audit rule filtering
This patch adds support to Apparmor for integrating with audit rule
filtering. Right now it only handles SUBJ_ROLE, interpreting it as a
single component of a label. This is sufficient to get Apparmor working
with IMA's appraisal rules without any modifications on the IMA side.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-06-07 01:50:47 -07:00
Andy Shevchenko 5d8779a5cd apparmor: Convert to use match_string() helper
The new helper returns index of the matching string in an array.
We are going to use it here.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Jay Freyensee <why2jjj.linux@gmail.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-06-07 01:50:40 -07:00
John Johansen 38125c2c2b apparmor: improve get_buffers macro by using get_cpu_ptr
Refactor get_buffers so the cpu_ptr can be obtained in the outer
layer, instead of inside the macro.

This also enables us to cleanup the code and use get_cpu_ptr,
to handle the preempt_disable()

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2018-06-07 01:49:21 -07:00
John Johansen 52e7128ebb apparmor: fix '*seclen' is never less than zero
smatch warnings:
security/apparmor/secid.c:162 apparmor_secid_to_secctx() warn: unsigned '*seclen' is never less than zero.

vim +162 security/apparmor/secid.c

   140
   141	int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
   142	{
   143		/* TODO: cache secctx and ref count so we don't have to recreate */
   144		struct aa_label *label = aa_secid_to_label(secid);
   145
   146		AA_BUG(!secdata);
   147		AA_BUG(!seclen);
   148
   149		if (!label)
   150			return -EINVAL;
   151
   152		if (secdata)
   153			*seclen = aa_label_asxprint(secdata, root_ns, label,
   154						    FLAG_SHOW_MODE | FLAG_VIEW_SUBNS |
   155						    FLAG_HIDDEN_UNCONFINED |
   156						    FLAG_ABS_ROOT, GFP_ATOMIC);
   157		else
   158			*seclen = aa_label_snxprint(NULL, 0, root_ns, label,
   159						    FLAG_SHOW_MODE | FLAG_VIEW_SUBNS |
   160						    FLAG_HIDDEN_UNCONFINED |
   161						    FLAG_ABS_ROOT);
 > 162		if (*seclen < 0)
   163			return -ENOMEM;
   164
   165		return 0;
   166	}
   167

Fixes: c092921219 ("apparmor: add support for mapping secids and using secctxes")
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-05-08 08:34:08 -07:00
Zygmunt Krynicki 3107e8cb92 apparmor: fix typo "preconfinement"
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-05-03 00:50:46 -07:00
Zygmunt Krynicki 68a1a0c68c apparmor: fix typo "independent"
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-05-03 00:50:30 -07:00
Zygmunt Krynicki 5d2371e123 apparmor: fix typo "traverse"
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-05-03 00:50:12 -07:00
Zygmunt Krynicki 69ad4a44a2 apparmor: fix typo "type"
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-05-03 00:49:56 -07:00
Zygmunt Krynicki b62fb22674 apparmor: fix typo "replace"
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-05-03 00:49:35 -07:00
Zygmunt Krynicki a18f902888 apparmor: fix typo "comparison"
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-05-03 00:48:58 -07:00
Zygmunt Krynicki b2c2086c39 apparmor: fix typo "loosen"
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-05-03 00:47:56 -07:00
John Johansen a7ae3645f5 apparmor: add the ability to get a task's secid
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-05-02 00:49:11 -07:00
John Johansen c092921219 apparmor: add support for mapping secids and using secctxes
Use a radix tree to provide a map between the secid and the label,
and along with it a basic ability to provide secctx conversion.

Shared/cached secctx will be added later.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-05-02 00:48:55 -07:00
Linus Torvalds 80a17a5f50 + Features
- add base infrastructure for socket mediation. ABI bump and
     additional checks to ensure only v8 compliant policy uses
     socket af mediation.
   - improve and cleanup dfa verification
   - improve profile attachment logic
     - improve overlapping expression handling
     - add the xattr matching to the attachment logic
   - improve signal mediation handling with stacked labels
   - improve handling of no_new_privs in a label stack
 
 + Cleanups and changes
   - use dfa to parse string split
   - bounded version of label_parse
   - proper line wrap nulldfa.in
   - split context out into task and cred naming to better match usage
   - simplify code in aafs
 
 + Bug fixes
   - fix display of .ns_name for containers
   - fix resource audit messages when auditing peer
   - fix logging of the existence test for signals
   - fix resource audit messages when auditing peer
   - fix display of .ns_name for containers
   - fix an error code in verify_table_headers()
   - fix memory leak on buffer on error exit path
   - fix error returns checks by making size a ssize_t
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABCgAGBQJazWpMAAoJEAUvNnAY1cPY2wwP/2ZmzyITY7xW3Cpz8ynKOTyZ
 hD2ahIjLWxcQwMZUoHXIa4TTK5EThlhKcTa0+sdMJGsIsRyXLoyBcd/VST0F9ZrA
 OWn1uL2ASeNroNw+88P6qU03+cT2eEohM3vvlNy2ud98EBiTyxB6L4VLpy3xDKAd
 zblojxqegRO7WRfEFCR2kHmnrL0Z3oxPBahnuVitfrwO76WFUSM9EYm67Xtf4yjJ
 qQ7ocGdhxiULNdceoIke11e8iNwiQyY4O+E24qVAJw66arxIByMKo+cLjeTxMbZR
 z4/pVd664wiK7mW0In7bJWOfXLJHxHALpuCc82wFgiLPdfSpJzT1nx+Xjaw8DhdZ
 FBoHLpHjJT3dTpYoQTjqtNdvHgXryL/OOllm+I8DPMu/nfcp8qsOru5bEXg+j/90
 CRo1OqrWZhUkKHnQs12QIJS+Gt7qByQB6tDMDbjkIC71vKUWA4wnp7zLZHYd9T0L
 6kZ2aWKiOXM6VRZ5V5HVLhrTajiubyBg3y3Eur4HwuGzquBmxAp1RhS8oiOpgzgW
 jVI92/P2XjhnU9E2J5m+mzjh11i+D51homtz1y4vB53Ye/WLy1S0o4StDAiLfgw3
 q/581V342vl6X46GlgcS5G7QeIkzFiCUe5H3t2/unCRnI+PxabwRmbaTqWq47xzQ
 umwlYfok3ALSzdgnv2sT
 =XhxG
 -----END PGP SIGNATURE-----

Merge tag 'apparmor-pr-2018-04-10' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

Pull apparmor updates from John Johansen:
 "Features:
  - add base infrastructure for socket mediation. ABI bump and
    additional checks to ensure only v8 compliant policy uses socket af
    mediation.
  - improve and cleanup dfa verification
  - improve profile attachment logic
     - improve overlapping expression handling
     - add the xattr matching to the attachment logic
  - improve signal mediation handling with stacked labels
  - improve handling of no_new_privs in a label stack

  Cleanups and changes:
  - use dfa to parse string split
  - bounded version of label_parse
  - proper line wrap nulldfa.in
  - split context out into task and cred naming to better match usage
  - simplify code in aafs

  Bug fixes:
  - fix display of .ns_name for containers
  - fix resource audit messages when auditing peer
  - fix logging of the existence test for signals
  - fix resource audit messages when auditing peer
  - fix display of .ns_name for containers
  - fix an error code in verify_table_headers()
  - fix memory leak on buffer on error exit path
  - fix error returns checks by making size a ssize_t"

* tag 'apparmor-pr-2018-04-10' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: (36 commits)
  apparmor: fix memory leak on buffer on error exit path
  apparmor: fix dangling symlinks to policy rawdata after replacement
  apparmor: Fix an error code in verify_table_headers()
  apparmor: fix error returns checks by making size a ssize_t
  apparmor: update MAINTAINERS file git and wiki locations
  apparmor: remove POLICY_MEDIATES_SAFE
  apparmor: add base infastructure for socket mediation
  apparmor: improve overlapping domain attachment resolution
  apparmor: convert attaching profiles via xattrs to use dfa matching
  apparmor: Add support for attaching profiles via xattr, presence and value
  apparmor: cleanup: simplify code to get ns symlink name
  apparmor: cleanup create_aafs() error path
  apparmor: dfa split verification of table headers
  apparmor: dfa add support for state differential encoding
  apparmor: dfa move character match into a macro
  apparmor: update domain transitions that are subsets of confinement at nnp
  apparmor: move context.h to cred.h
  apparmor: move task related defines and fns to task.X files
  apparmor: cleanup, drop unused fn __aa_task_is_confined()
  apparmor: cleanup fixup description of aa_replace_profiles
  ...
2018-04-13 15:38:53 -07:00
Linus Torvalds 3612605a5a Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull general security layer updates from James Morris:

 - Convert security hooks from list to hlist, a nice cleanup, saving
   about 50% of space, from Sargun Dhillon.

 - Only pass the cred, not the secid, to kill_pid_info_as_cred and
   security_task_kill (as the secid can be determined from the cred),
   from Stephen Smalley.

 - Close a potential race in kernel_read_file(), by making the file
   unwritable before calling the LSM check (vs after), from Kees Cook.

* 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  security: convert security hooks to use hlist
  exec: Set file unwritable before LSM check
  usb, signal, security: only pass the cred, not the secid, to kill_pid_info_as_cred and security_task_kill
2018-04-07 11:11:41 -07:00
Randy Dunlap 514c603249 headers: untangle kmemleak.h from mm.h
Currently <linux/slab.h> #includes <linux/kmemleak.h> for no obvious
reason.  It looks like it's only a convenience, so remove kmemleak.h
from slab.h and add <linux/kmemleak.h> to any users of kmemleak_* that
don't already #include it.  Also remove <linux/kmemleak.h> from source
files that do not use it.

This is tested on i386 allmodconfig and x86_64 allmodconfig.  It would
be good to run it through the 0day bot for other $ARCHes.  I have
neither the horsepower nor the storage space for the other $ARCHes.

Update: This patch has been extensively build-tested by both the 0day
bot & kisskb/ozlabs build farms.  Both of them reported 2 build failures
for which patches are included here (in v2).

[ slab.h is the second most used header file after module.h; kernel.h is
  right there with slab.h. There could be some minor error in the
  counting due to some #includes having comments after them and I didn't
  combine all of those. ]

[akpm@linux-foundation.org: security/keys/big_key.c needs vmalloc.h, per sfr]
Link: http://lkml.kernel.org/r/e4309f98-3749-93e1-4bb7-d9501a39d015@infradead.org
Link: http://kisskb.ellerman.id.au/kisskb/head/13396/
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Reported-by: Michael Ellerman <mpe@ellerman.id.au>	[2 build failures]
Reported-by: Fengguang Wu <fengguang.wu@intel.com>	[2 build failures]
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Wei Yongjun <weiyongjun1@huawei.com>
Cc: Luis R. Rodriguez <mcgrof@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: John Johansen <john.johansen@canonical.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2018-04-05 21:36:27 -07:00