Commit Graph

80 Commits

Author SHA1 Message Date
John Johansen 3ed4aaa94f apparmor: fix nnp subset test for unconfined
The subset test is not taking into account the unconfined exception
which will cause profile transitions in the stacked confinement
case to fail when no_new_privs is applied.

This fixes a regression introduced in the fix for
https://bugs.launchpad.net/bugs/1839037

BugLink: https://bugs.launchpad.net/bugs/1844186
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-01-21 05:58:04 -08:00
John Johansen 8c62ed27a1 apparmor: fix aa_xattrs_match() may sleep while holding a RCU lock
aa_xattrs_match() is unfortunately calling vfs_getxattr_alloc() from a
context protected by an rcu_read_lock. This can not be done as
vfs_getxattr_alloc() may sleep regardles of the gfp_t value being
passed to it.

Fix this by breaking the rcu_read_lock on the policy search when the
xattr match feature is requested and restarting the search if a policy
changes occur.

Fixes: 8e51f9087f ("apparmor: Add support for attaching profiles via xattr, presence and value")
Reported-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-01-04 15:56:44 -08:00
Linus Torvalds 79e178a57d + Features
- increase left match history buffer size to provide inproved conflict
     resolution in overlapping execution rules.
   - switch buffer allocation to use a memory pool and GFP_KERNEL
     where possible.
   - add compression of policy blobs to reduce memory usage.
 + Cleanups
   - fix spelling mistake "immutible" -> "immutable"
 + Bug fixes
   - fix unsigned len comparison in update_for_len macro
   - fix sparse warning for type-casting of current->real_cred
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEE7cSDD705q2rFEEf7BS82cBjVw9gFAl3mvPUACgkQBS82cBjV
 w9gM8hAArhbBiGHlYlsGCOws4+ObCSIAxPkKw9ZC+FjTOKE6uN+GDUM+s4TWjbkL
 65NKGBqHfHIzRYHD6BNi5I3Yf0xKCXuMenZVptiDHYQ+65mCL6QlZOA5K2Mp67fY
 uMKoOIMSAkDkLJHEsH8o1YURAlvY5DjK2XfSrc2GeaExnBZTisfhDwbYjv9OYI6U
 JPDP361zzJMSpkcDf5WX5vVuvfjTnAXjfH3av61hiSNAzivd4P1Mp34ellOkz7Ya
 Ch6K+32agVcE8LIbalRKhWVw7Fhfbys2+/nBZ0Tb5HPG0tRWbm+ueggOsp8/liWQ
 Ik9NigK61lHjd5ttDrswD0UfslTxac2pPFhlYRYoSUSMITOjJke50Q12ZosK4wUY
 pdsBiWVDo2W3/E9sretmFpWlzish8q3tNJU55aKD+FTo0yqMC3X7H/l9xGLuLUt/
 vHwUcGZNSrAWqc8yMamzEvqj9e1DECMJZQIlE3YJgGLCkcO6LFY+5pSWSvMQIG7v
 451oob3QalzqIDyh3OOxlA8pfUVyk9HL48Kw7+0ZJrbJK6pAjHZhE8gFVMPECB7b
 n22XrABdPdjAFvlqCzkm4qZ5sjqdk8T9Iexc5bnrFvBW4teHnAX0xrk+gxVpnEYf
 dV6ERcxmRjnZhT6FtOQkLOia3gIiAQVi6Rd9K6HHhPH83wNyjjI=
 =lPsA
 -----END PGP SIGNATURE-----

Merge tag 'apparmor-pr-2019-12-03' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

Pull apparmor updates from John Johansen:
 "Features:

   - increase left match history buffer size to provide improved
     conflict resolution in overlapping execution rules.

   - switch buffer allocation to use a memory pool and GFP_KERNEL where
     possible.

   - add compression of policy blobs to reduce memory usage.

  Cleanups:

   - fix spelling mistake "immutible" -> "immutable"

  Bug fixes:

   - fix unsigned len comparison in update_for_len macro

   - fix sparse warning for type-casting of current->real_cred"

* tag 'apparmor-pr-2019-12-03' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
  apparmor: make it so work buffers can be allocated from atomic context
  apparmor: reduce rcu_read_lock scope for aa_file_perm mediation
  apparmor: fix wrong buffer allocation in aa_new_mount
  apparmor: fix unsigned len comparison with less than zero
  apparmor: increase left match history buffer size
  apparmor: Switch to GFP_KERNEL where possible
  apparmor: Use a memory pool instead per-CPU caches
  apparmor: Force type-casting of current->real_cred
  apparmor: fix spelling mistake "immutible" -> "immutable"
  apparmor: fix blob compression when ns is forced on a policy load
  apparmor: fix missing ZLIB defines
  apparmor: fix blob compression build failure on ppc
  apparmor: Initial implementation of raw policy blob compression
2019-12-03 12:51:35 -08:00
John Johansen 341c1fda5e apparmor: make it so work buffers can be allocated from atomic context
In some situations AppArmor needs to be able to use its work buffers
from atomic context. Add the ability to specify when in atomic context
and hold a set of work buffers in reserve for atomic context to
reduce the chance that a large work buffer allocation will need to
be done.

Fixes: df323337e5 ("apparmor: Use a memory pool instead per-CPU caches")
Signed-off-by: John Johansen <john.johansen@canonical.com>
2019-11-22 16:41:08 -08:00
Sebastian Andrzej Siewior 8ac2ca328e apparmor: Switch to GFP_KERNEL where possible
After removing preempt_disable() from get_buffers() it is possible to
replace a few GFP_ATOMIC allocations with GFP_KERNEL.

Replace GFP_ATOMIC allocations with GFP_KERNEL where the context looks
to bee preepmtible.

Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2019-06-20 10:33:31 -07:00
Sebastian Andrzej Siewior df323337e5 apparmor: Use a memory pool instead per-CPU caches
The get_buffers() macro may provide one or two buffers to the caller.
Those buffers are pre-allocated on init for each CPU. By default it
allocates
	2* 2 * MAX_PATH * POSSIBLE_CPU

which equals 64KiB on a system with 4 CPUs or 1MiB with 64 CPUs and so
on.

Replace the per-CPU buffers with a common memory pool which is shared
across all CPUs. The pool grows on demand and never shrinks. The pool
starts with two (UP) or four (SMP) elements. By using this pool it is
possible to request a buffer and keeping preemption enabled which avoids
the hack in profile_transition().

It has been pointed out by Tetsuo Handa that GFP_KERNEL allocations for
small amount of memory do not fail. In order not to have an endless
retry, __GFP_RETRY_MAYFAIL is passed (so the memory allocation is not
repeated until success) and retried once hoping that in the meantime a
buffer has been returned to the pool. Since now NULL is possible all
allocation paths check the buffer pointer and return -ENOMEM on failure.

Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2019-06-20 10:33:31 -07:00
Thomas Gleixner b886d83c5b treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441
Based on 1 normalized pattern(s):

  this program is free software you can redistribute it and or modify
  it under the terms of the gnu general public license as published by
  the free software foundation version 2 of the license

extracted by the scancode license scanner the SPDX license identifier

  GPL-2.0-only

has been chosen to replace the boilerplate/reference in 315 file(s).

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Allison Randal <allison@lohutok.net>
Reviewed-by: Armijn Hemel <armijn@tjaldur.nl>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190531190115.503150771@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-06-05 17:37:17 +02:00
Linus Torvalds ae5906ceee Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris:

 - Extend LSM stacking to allow sharing of cred, file, ipc, inode, and
   task blobs. This paves the way for more full-featured LSMs to be
   merged, and is specifically aimed at LandLock and SARA LSMs. This
   work is from Casey and Kees.

 - There's a new LSM from Micah Morton: "SafeSetID gates the setid
   family of syscalls to restrict UID/GID transitions from a given
   UID/GID to only those approved by a system-wide whitelist." This
   feature is currently shipping in ChromeOS.

* 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (62 commits)
  keys: fix missing __user in KEYCTL_PKEY_QUERY
  LSM: Update list of SECURITYFS users in Kconfig
  LSM: Ignore "security=" when "lsm=" is specified
  LSM: Update function documentation for cap_capable
  security: mark expected switch fall-throughs and add a missing break
  tomoyo: Bump version.
  LSM: fix return value check in safesetid_init_securityfs()
  LSM: SafeSetID: add selftest
  LSM: SafeSetID: remove unused include
  LSM: SafeSetID: 'depend' on CONFIG_SECURITY
  LSM: Add 'name' field for SafeSetID in DEFINE_LSM
  LSM: add SafeSetID module that gates setid calls
  LSM: add SafeSetID module that gates setid calls
  tomoyo: Allow multiple use_group lines.
  tomoyo: Coding style fix.
  tomoyo: Swicth from cred->security to task_struct->security.
  security: keys: annotate implicit fall throughs
  security: keys: annotate implicit fall throughs
  security: keys: annotate implicit fall through
  capabilities:: annotate implicit fall through
  ...
2019-03-07 11:44:01 -08:00
Gustavo A. R. Silva 09186e5034 security: mark expected switch fall-throughs and add a missing break
In preparation to enabling -Wimplicit-fallthrough, mark switch
cases where we are expecting to fall through.

This patch fixes the following warnings:

security/integrity/ima/ima_template_lib.c:85:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
security/integrity/ima/ima_policy.c:940:18: warning: this statement may fall through [-Wimplicit-fallthrough=]
security/integrity/ima/ima_policy.c:943:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
security/integrity/ima/ima_policy.c:972:21: warning: this statement may fall through [-Wimplicit-fallthrough=]
security/integrity/ima/ima_policy.c:974:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
security/smack/smack_lsm.c:3391:9: warning: this statement may fall through [-Wimplicit-fallthrough=]
security/apparmor/domain.c:569:6: warning: this statement may fall through [-Wimplicit-fallthrough=]

Warning level 3 was used: -Wimplicit-fallthrough=3

Also, add a missing break statement to fix the following warning:

security/integrity/ima/ima_appraise.c:116:26: warning: this statement may fall through [-Wimplicit-fallthrough=]

Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
2019-02-22 09:56:09 -08:00
John Johansen d6d478aee0 apparmor: Fix aa_label_build() error handling for failed merges
aa_label_merge() can return NULL for memory allocations failures
make sure to handle and set the correct error in this case.

Reported-by: Peng Hao <peng.hao2@zte.com.cn>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2019-02-01 08:01:39 -08:00
Casey Schaufler 69b5a44a95 AppArmor: Abstract use of cred security blob
Don't use the cred->security pointer directly.
Provide a helper function that provides the security blob pointer.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
[kees: adjusted for ordered init series]
Signed-off-by: Kees Cook <keescook@chromium.org>
2019-01-08 13:18:44 -08:00
John Johansen 24b87a16fe apparmor: Fix failure to audit context info in build_change_hat
Cleans up clang warning:
warning: variable 'info' set but not used [-Wunused-but-set-variable]

Fixes: 89dbf1962a ("apparmor: move change_hat mediation to using labels")
Reported-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-07-20 03:25:25 -07:00
Zygmunt Krynicki b2c2086c39 apparmor: fix typo "loosen"
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-05-03 00:47:56 -07:00
Colin Ian King a61ecd329c apparmor: fix error returns checks by making size a ssize_t
Currently variable size is a unsigned size_t, hence comparisons to
see if it is less than zero (for error checking) will always be
false.  Fix this by making size a ssize_t

Detected by CoverityScan, CID#1466080 ("Unsigned compared against 0")

Fixes: 8e51f9087f ("apparmor: Add support for attaching profiles via xattr, presence and value")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-03-23 17:25:25 -07:00
John Johansen 21f6066105 apparmor: improve overlapping domain attachment resolution
Overlapping domain attachments using the current longest left exact
match fail in some simple cases, and with the fix to ensure consistent
behavior by failing unresolvable attachments it becomes important to
do a better job.

eg. under the current match the following are unresolvable where
the alternation is clearly a better match under the most specific
left match rule.
  /**
  /{bin/,}usr/

Use a counting match that detects when a loop in the state machine is
enter, and return the match count to provide a better specific left
match resolution.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-09 11:30:02 -08:00
John Johansen 73f488cd90 apparmor: convert attaching profiles via xattrs to use dfa matching
This converts profile attachment based on xattrs to a fixed extended
conditional using dfa matching.

This has a couple of advantages
- pattern matching can be used for the xattr match

- xattrs can be optional for an attachment or marked as required

- the xattr attachment conditional will be able to be combined with
  other extended conditionals when the flexible extended conditional
  work lands.

The xattr fixed extended conditional is appended to the xmatch
conditional. If an xattr attachment is specified the profile xmatch
will be generated regardless of whether there is a pattern match on
the executable name.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2018-02-09 11:30:02 -08:00
Matthew Garrett 8e51f9087f apparmor: Add support for attaching profiles via xattr, presence and value
Make it possible to tie Apparmor profiles to the presence of one or more
extended attributes, and optionally their values. An example usecase for
this is to automatically transition to a more privileged Apparmor profile
if an executable has a valid IMA signature, which can then be appraised
by the IMA subsystem.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-09 11:30:02 -08:00
John Johansen 9fcf78cca1 apparmor: update domain transitions that are subsets of confinement at nnp
Domain transition so far have been largely blocked by no new privs,
unless the transition has been provably a subset of the previous
confinement. There was a couple problems with the previous
implementations,

- transitions that weren't explicitly a stack but resulted in a subset
  of confinement were disallowed

- confinement subsets were only calculated from the previous
  confinement instead of the confinement being enforced at the time of
  no new privs, so transitions would have to get progressively
  tighter.

Fix this by detecting and storing a reference to the task's
confinement at the "time" no new privs is set. This reference is then
used to determine whether a transition is a subsystem of the
confinement at the time no new privs was set.

Unfortunately the implementation is less than ideal in that we have to
detect no new privs after the fact when a task attempts a domain
transition. This is adequate for the currently but will not work in a
stacking situation where no new privs could be conceivably be set in
both the "host" and in the container.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-09 11:30:01 -08:00
John Johansen d8889d49e4 apparmor: move context.h to cred.h
Now that file contexts have been moved into file, and task context
fns() and data have been split from the context, only the cred context
remains in context.h so rename to cred.h to better reflect what it
deals with.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-09 11:30:01 -08:00
John Johansen de62de59c2 apparmor: move task related defines and fns to task.X files
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-09 11:30:01 -08:00
John Johansen f175221af3 apparmor: rename tctx to ctx
now that cred_ctx has been removed we can rename task_ctxs from tctx
without causing confusion.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-09 11:30:01 -08:00
John Johansen d9087c49d4 apparmor: drop cred_ctx and reference the label directly
With the task domain change information now stored in the task->security
context, the cred->security context only stores the label. We can get
rid of the cred_ctx and directly reference the label, removing a layer
of indirection, and unneeded extra allocations.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-09 11:30:01 -08:00
John Johansen 3b529a7600 apparmor: move task domain change info to task security
The task domain change info is task specific and its and abuse of
the cred to store the information in there. Now that a task->security
field exists store it in the proper place.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-09 11:30:01 -08:00
John Johansen 4d2f8ba3e3 apparmor: rename task_ctx to the more accurate cred_ctx
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-09 11:30:01 -08:00
Matthew Garrett 1a3881d305 apparmor: Fix regression in profile conflict logic
The intended behaviour in apparmor profile matching is to flag a
conflict if two profiles match equally well. However, right now a
conflict is generated if another profile has the same match length even
if that profile doesn't actually match. Fix the logic so we only
generate a conflict if the profiles match.

Fixes: 844b8292b6 ("apparmor: ensure that undecidable profile attachments fail")
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-01-12 15:56:50 -08:00
John Johansen 5d7c44ef5e apparmor: fix locking when creating a new complain profile.
Break the per cpu buffer atomic section when creating a new null
complain profile. In learning mode this won't matter and we can
safely re-aquire the buffer.

This fixes the following lockdep BUG trace
   nov. 14 14:09:09 cyclope audit[7152]: AVC apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sssd" name="/usr/sbin/adcli" pid=7152 comm="sssd_be" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-/usr/sbin/adcli"
    nov. 14 14:09:09 cyclope kernel: BUG: sleeping function called from invalid context at kernel/locking/mutex.c:747
    nov. 14 14:09:09 cyclope kernel: in_atomic(): 1, irqs_disabled(): 0, pid: 7152, name: sssd_be
    nov. 14 14:09:09 cyclope kernel: 1 lock held by sssd_be/7152:
    nov. 14 14:09:09 cyclope kernel:  #0:  (&sig->cred_guard_mutex){....}, at: [<ffffffff8182d53e>] prepare_bprm_creds+0x4e/0x100
    nov. 14 14:09:09 cyclope kernel: CPU: 3 PID: 7152 Comm: sssd_be Not tainted 4.14.0prahal+intel #150
    nov. 14 14:09:09 cyclope kernel: Hardware name: LENOVO 20CDCTO1WW/20CDCTO1WW, BIOS GQET53WW (1.33 ) 09/15/2017
    nov. 14 14:09:09 cyclope kernel: Call Trace:
    nov. 14 14:09:09 cyclope kernel:  dump_stack+0xb0/0x135
    nov. 14 14:09:09 cyclope kernel:  ? _atomic_dec_and_lock+0x15b/0x15b
    nov. 14 14:09:09 cyclope kernel:  ? lockdep_print_held_locks+0xc4/0x130
    nov. 14 14:09:09 cyclope kernel:  ___might_sleep+0x29c/0x320
    nov. 14 14:09:09 cyclope kernel:  ? rq_clock+0xf0/0xf0
    nov. 14 14:09:09 cyclope kernel:  ? __kernel_text_address+0xd/0x40
    nov. 14 14:09:09 cyclope kernel:  __might_sleep+0x95/0x190
    nov. 14 14:09:09 cyclope kernel:  ? aa_new_null_profile+0x50a/0x960
    nov. 14 14:09:09 cyclope kernel:  __mutex_lock+0x13e/0x1a20
    nov. 14 14:09:09 cyclope kernel:  ? aa_new_null_profile+0x50a/0x960
    nov. 14 14:09:09 cyclope kernel:  ? save_stack+0x43/0xd0
    nov. 14 14:09:09 cyclope kernel:  ? kmem_cache_alloc_trace+0x13f/0x290
    nov. 14 14:09:09 cyclope kernel:  ? mutex_lock_io_nested+0x1880/0x1880
    nov. 14 14:09:09 cyclope kernel:  ? profile_transition+0x932/0x2d40
    nov. 14 14:09:09 cyclope kernel:  ? apparmor_bprm_set_creds+0x1479/0x1f70
    nov. 14 14:09:09 cyclope kernel:  ? security_bprm_set_creds+0x5a/0x80
    nov. 14 14:09:09 cyclope kernel:  ? prepare_binprm+0x366/0x980
    nov. 14 14:09:09 cyclope kernel:  ? do_execveat_common.isra.30+0x12a9/0x2350
    nov. 14 14:09:09 cyclope kernel:  ? SyS_execve+0x2c/0x40
    nov. 14 14:09:09 cyclope kernel:  ? do_syscall_64+0x228/0x650
    nov. 14 14:09:09 cyclope kernel:  ? entry_SYSCALL64_slow_path+0x25/0x25
    nov. 14 14:09:09 cyclope kernel:  ? deactivate_slab.isra.62+0x49d/0x5e0
    nov. 14 14:09:09 cyclope kernel:  ? save_stack_trace+0x16/0x20
    nov. 14 14:09:09 cyclope kernel:  ? init_object+0x88/0x90
    nov. 14 14:09:09 cyclope kernel:  ? ___slab_alloc+0x520/0x590
    nov. 14 14:09:09 cyclope kernel:  ? ___slab_alloc+0x520/0x590
    nov. 14 14:09:09 cyclope kernel:  ? aa_alloc_proxy+0xab/0x200
    nov. 14 14:09:09 cyclope kernel:  ? lock_downgrade+0x7e0/0x7e0
    nov. 14 14:09:09 cyclope kernel:  ? memcg_kmem_get_cache+0x970/0x970
    nov. 14 14:09:09 cyclope kernel:  ? kasan_unpoison_shadow+0x35/0x50
    nov. 14 14:09:09 cyclope kernel:  ? kasan_unpoison_shadow+0x35/0x50
    nov. 14 14:09:09 cyclope kernel:  ? kasan_kmalloc+0xad/0xe0
    nov. 14 14:09:09 cyclope kernel:  ? aa_alloc_proxy+0xab/0x200
    nov. 14 14:09:09 cyclope kernel:  ? kmem_cache_alloc_trace+0x13f/0x290
    nov. 14 14:09:09 cyclope kernel:  ? aa_alloc_proxy+0xab/0x200
    nov. 14 14:09:09 cyclope kernel:  ? aa_alloc_proxy+0xab/0x200
    nov. 14 14:09:09 cyclope kernel:  ? _raw_spin_unlock+0x22/0x30
    nov. 14 14:09:09 cyclope kernel:  ? vec_find+0xa0/0xa0
    nov. 14 14:09:09 cyclope kernel:  ? aa_label_init+0x6f/0x230
    nov. 14 14:09:09 cyclope kernel:  ? __label_insert+0x3e0/0x3e0
    nov. 14 14:09:09 cyclope kernel:  ? kmem_cache_alloc_trace+0x13f/0x290
    nov. 14 14:09:09 cyclope kernel:  ? aa_alloc_profile+0x58/0x200
    nov. 14 14:09:09 cyclope kernel:  mutex_lock_nested+0x16/0x20
    nov. 14 14:09:09 cyclope kernel:  ? mutex_lock_nested+0x16/0x20
    nov. 14 14:09:09 cyclope kernel:  aa_new_null_profile+0x50a/0x960
    nov. 14 14:09:09 cyclope kernel:  ? aa_fqlookupn_profile+0xdc0/0xdc0
    nov. 14 14:09:09 cyclope kernel:  ? aa_compute_fperms+0x4b5/0x640
    nov. 14 14:09:09 cyclope kernel:  ? disconnect.isra.2+0x1b0/0x1b0
    nov. 14 14:09:09 cyclope kernel:  ? aa_str_perms+0x8d/0xe0
    nov. 14 14:09:09 cyclope kernel:  profile_transition+0x932/0x2d40
    nov. 14 14:09:09 cyclope kernel:  ? up_read+0x1a/0x40
    nov. 14 14:09:09 cyclope kernel:  ? ext4_xattr_get+0x15c/0xaf0 [ext4]
    nov. 14 14:09:09 cyclope kernel:  ? x_table_lookup+0x190/0x190
    nov. 14 14:09:09 cyclope kernel:  ? ext4_xattr_ibody_get+0x590/0x590 [ext4]
    nov. 14 14:09:09 cyclope kernel:  ? sched_clock+0x9/0x10
    nov. 14 14:09:09 cyclope kernel:  ? sched_clock+0x9/0x10
    nov. 14 14:09:09 cyclope kernel:  ? ext4_xattr_security_get+0x1a/0x20 [ext4]
    nov. 14 14:09:09 cyclope kernel:  ? __vfs_getxattr+0x6d/0xa0
    nov. 14 14:09:09 cyclope kernel:  ? get_vfs_caps_from_disk+0x114/0x720
    nov. 14 14:09:09 cyclope kernel:  ? sched_clock+0x9/0x10
    nov. 14 14:09:09 cyclope kernel:  ? sched_clock+0x9/0x10
    nov. 14 14:09:09 cyclope kernel:  ? tsc_resume+0x10/0x10
    nov. 14 14:09:09 cyclope kernel:  ? get_vfs_caps_from_disk+0x720/0x720
    nov. 14 14:09:09 cyclope kernel:  ? native_sched_clock_from_tsc+0x201/0x2b0
    nov. 14 14:09:09 cyclope kernel:  ? sched_clock+0x9/0x10
    nov. 14 14:09:09 cyclope kernel:  ? sched_clock_cpu+0x1b/0x170
    nov. 14 14:09:09 cyclope kernel:  ? find_held_lock+0x3c/0x1e0
    nov. 14 14:09:09 cyclope kernel:  ? rb_insert_color_cached+0x1660/0x1660
    nov. 14 14:09:09 cyclope kernel:  apparmor_bprm_set_creds+0x1479/0x1f70
    nov. 14 14:09:09 cyclope kernel:  ? sched_clock+0x9/0x10
    nov. 14 14:09:09 cyclope kernel:  ? handle_onexec+0x31d0/0x31d0
    nov. 14 14:09:09 cyclope kernel:  ? tsc_resume+0x10/0x10
    nov. 14 14:09:09 cyclope kernel:  ? graph_lock+0xd0/0xd0
    nov. 14 14:09:09 cyclope kernel:  ? tsc_resume+0x10/0x10
    nov. 14 14:09:09 cyclope kernel:  ? sched_clock_cpu+0x1b/0x170
    nov. 14 14:09:09 cyclope kernel:  ? sched_clock+0x9/0x10
    nov. 14 14:09:09 cyclope kernel:  ? sched_clock+0x9/0x10
    nov. 14 14:09:09 cyclope kernel:  ? sched_clock_cpu+0x1b/0x170
    nov. 14 14:09:09 cyclope kernel:  ? find_held_lock+0x3c/0x1e0
    nov. 14 14:09:09 cyclope kernel:  security_bprm_set_creds+0x5a/0x80
    nov. 14 14:09:09 cyclope kernel:  prepare_binprm+0x366/0x980
    nov. 14 14:09:09 cyclope kernel:  ? install_exec_creds+0x150/0x150
    nov. 14 14:09:09 cyclope kernel:  ? __might_fault+0x89/0xb0
    nov. 14 14:09:09 cyclope kernel:  ? up_read+0x40/0x40
    nov. 14 14:09:09 cyclope kernel:  ? get_user_arg_ptr.isra.18+0x2c/0x70
    nov. 14 14:09:09 cyclope kernel:  ? count.isra.20.constprop.32+0x7c/0xf0
    nov. 14 14:09:09 cyclope kernel:  do_execveat_common.isra.30+0x12a9/0x2350
    nov. 14 14:09:09 cyclope kernel:  ? prepare_bprm_creds+0x100/0x100
    nov. 14 14:09:09 cyclope kernel:  ? _raw_spin_unlock+0x22/0x30
    nov. 14 14:09:09 cyclope kernel:  ? deactivate_slab.isra.62+0x49d/0x5e0
    nov. 14 14:09:09 cyclope kernel:  ? save_stack_trace+0x16/0x20
    nov. 14 14:09:09 cyclope kernel:  ? init_object+0x88/0x90
    nov. 14 14:09:09 cyclope kernel:  ? ___slab_alloc+0x520/0x590
    nov. 14 14:09:09 cyclope kernel:  ? ___slab_alloc+0x520/0x590
    nov. 14 14:09:09 cyclope kernel:  ? kasan_check_write+0x14/0x20
    nov. 14 14:09:09 cyclope kernel:  ? memcg_kmem_get_cache+0x970/0x970
    nov. 14 14:09:09 cyclope kernel:  ? kasan_unpoison_shadow+0x35/0x50
    nov. 14 14:09:09 cyclope kernel:  ? glob_match+0x730/0x730
    nov. 14 14:09:09 cyclope kernel:  ? kmem_cache_alloc+0x225/0x280
    nov. 14 14:09:09 cyclope kernel:  ? getname_flags+0xb8/0x510
    nov. 14 14:09:09 cyclope kernel:  ? mm_fault_error+0x2e0/0x2e0
    nov. 14 14:09:09 cyclope kernel:  ? getname_flags+0xf6/0x510
    nov. 14 14:09:09 cyclope kernel:  ? ptregs_sys_vfork+0x10/0x10
    nov. 14 14:09:09 cyclope kernel:  SyS_execve+0x2c/0x40
    nov. 14 14:09:09 cyclope kernel:  do_syscall_64+0x228/0x650
    nov. 14 14:09:09 cyclope kernel:  ? syscall_return_slowpath+0x2f0/0x2f0
    nov. 14 14:09:09 cyclope kernel:  ? syscall_return_slowpath+0x167/0x2f0
    nov. 14 14:09:09 cyclope kernel:  ? prepare_exit_to_usermode+0x220/0x220
    nov. 14 14:09:09 cyclope kernel:  ? prepare_exit_to_usermode+0xda/0x220
    nov. 14 14:09:09 cyclope kernel:  ? perf_trace_sys_enter+0x1060/0x1060
    nov. 14 14:09:09 cyclope kernel:  ? __put_user_4+0x1c/0x30
    nov. 14 14:09:09 cyclope kernel:  entry_SYSCALL64_slow_path+0x25/0x25
    nov. 14 14:09:09 cyclope kernel: RIP: 0033:0x7f9320f23637
    nov. 14 14:09:09 cyclope kernel: RSP: 002b:00007fff783be338 EFLAGS: 00000202 ORIG_RAX: 000000000000003b
    nov. 14 14:09:09 cyclope kernel: RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9320f23637
    nov. 14 14:09:09 cyclope kernel: RDX: 0000558c35002a70 RSI: 0000558c3505bd10 RDI: 0000558c35018b90
    nov. 14 14:09:09 cyclope kernel: RBP: 0000558c34b63ae8 R08: 0000558c3505bd10 R09: 0000000000000080
    nov. 14 14:09:09 cyclope kernel: R10: 0000000000000095 R11: 0000000000000202 R12: 0000000000000001
    nov. 14 14:09:09 cyclope kernel: R13: 0000558c35018b90 R14: 0000558c3505bd18 R15: 0000558c3505bd10

Fixes: 4227c333f6 ("apparmor: Move path lookup to using preallocated buffers")
BugLink: http://bugs.launchpad.net/bugs/173228
Reported-by: Alban Browaeys <prahal@yahoo.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-11-21 02:17:15 -08:00
John Johansen 06d426d113 apparmor: fix profile attachment for special unconfined profiles
It used to be that unconfined would never attach. However that is not
the case anymore as some special profiles can be marked as unconfined,
that are not the namespaces unconfined profile, and may have an
attachment.

Fixes: f1bd904175 ("apparmor: add the base fns() for domain labels")
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-11-21 02:17:15 -08:00
John Johansen 844b8292b6 apparmor: ensure that undecidable profile attachments fail
Profiles that have an undecidable overlap in their attachments are
being incorrectly handled. Instead of failing to attach the first one
encountered is being used.

eg.
  profile A /** { .. }
  profile B /*foo { .. }

have an unresolvable longest left attachment, they both have an exact
match on / and then have an overlapping expression that has no clear
winner.

Currently the winner will be the profile that is loaded first which
can result in non-deterministic behavior. Instead in this situation
the exec should fail.

Fixes: 898127c34e ("AppArmor: functions for domain transitions")
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-11-21 02:17:14 -08:00
Linus Torvalds 79444df4e7 + Features
- in preparation for secid mapping add support for absolute root view
     based labels
   - add base infastructure for socket mediation
   - add mount mediation
   - add signal mediation
 
 + minor cleanups and changes
   - be defensive, ensure unconfined profiles have dfas initialized
   - add more debug asserts to apparmorfs
   - enable policy unpacking to audit different reasons for failure
   - cleanup conditional check for label in label_print
   - Redundant condition: prev_ns. in [label.c:1498]
 
 + Bug Fixes
   - fix regression in apparmorfs DAC access permissions
   - fix build failure on sparc caused by undeclared signals
   - fix sparse report of incorrect type assignment when freeing label proxies
   - fix race condition in null profile creation
   - Fix an error code in aafs_create()
   - Fix logical error in verify_header()
   - Fix shadowed local variable in unpack_trans_table()
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABCgAGBQJZxZP9AAoJEAUvNnAY1cPY+psP/Rx7Nu2T9kHpotLeyOznrTvK
 iOrFR4Xj1exLNfwUJcjiDcrYRhEdqamduiJvEZinQLPN8vapXfiUmjXIW1sgYJnO
 X6NDeFObo/VJz0L8rZZdJbxykWfGjzQa4zXf177ztMvY+ME9kagOaHowqRom8obv
 5bi83Dc8wjUOVkvmH9yuHHUkI9knXrtUUnYb3xY1kEVlHi1ujElkQvAx1q+IkOw9
 vN74YGTDZCsd+cSRbmhbK7Mur1Q8BDy2EeG1k26Tr7VELmNL8tnsOpJYEiIWOhYl
 Lh1aA3RPGTN0dWfZn2qfB2a1NevFXERaM1zKs1ZNykg+hI4om99gt8mXqe+i+Kuc
 qoWF59NF426mmywSYjKOMHGPBooVAiGmKPRjsIee6HTV4bGkcxYsYiV/VcrS9J9V
 dpCBBU0stnGpStwfSBL5JWwMMilJSkSETX7XLxJ5lhhHhi7jM2Dd9aAkbIPcQYPD
 v2XjKxW2tOhxmEaige/rS2s7rbxBlLhJ8MR07FR8znL0idILAufnWlLeqJG1X9rO
 FBbqqyTqyx8ca5v1c751jTXZ39cArVmlwnw2ZNjEaXrGaTsIssYPC5B9poSU/OlT
 IAYQe9sZndqFn1Lom0gbdTe3RTnR4/22uNQYW/3TG3JP52ui0wQZFNJtRCP3mmIq
 bFlKKqVkAKETun8WyUfz
 =iDCd
 -----END PGP SIGNATURE-----

Merge tag 'apparmor-pr-2017-09-22' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

Pull apparmor updates from John Johansen:
 "This is the apparmor pull request, similar to SELinux and seccomp.

  It's the same series that I was sent to James' security tree + one
  regression fix that was found after the series was sent to James and
  would have been sent for v4.14-rc2.

  Features:
  - in preparation for secid mapping add support for absolute root view
    based labels
  - add base infastructure for socket mediation
  - add mount mediation
  - add signal mediation

  minor cleanups and changes:
  - be defensive, ensure unconfined profiles have dfas initialized
  - add more debug asserts to apparmorfs
  - enable policy unpacking to audit different reasons for failure
  - cleanup conditional check for label in label_print
  - Redundant condition: prev_ns. in [label.c:1498]

  Bug Fixes:
  - fix regression in apparmorfs DAC access permissions
  - fix build failure on sparc caused by undeclared signals
  - fix sparse report of incorrect type assignment when freeing label proxies
  - fix race condition in null profile creation
  - Fix an error code in aafs_create()
  - Fix logical error in verify_header()
  - Fix shadowed local variable in unpack_trans_table()"

* tag 'apparmor-pr-2017-09-22' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
  apparmor: fix apparmorfs DAC access permissions
  apparmor: fix build failure on sparc caused by undeclared signals
  apparmor: fix incorrect type assignment when freeing proxies
  apparmor: ensure unconfined profiles have dfas initialized
  apparmor: fix race condition in null profile creation
  apparmor: move new_null_profile to after profile lookup fns()
  apparmor: add base infastructure for socket mediation
  apparmor: add more debug asserts to apparmorfs
  apparmor: make policy_unpack able to audit different info messages
  apparmor: add support for absolute root view based labels
  apparmor: cleanup conditional check for label in label_print
  apparmor: add mount mediation
  apparmor: add the ability to mediate signals
  apparmor: Redundant condition: prev_ns. in [label.c:1498]
  apparmor: Fix an error code in aafs_create()
  apparmor: Fix logical error in verify_header()
  apparmor: Fix shadowed local variable in unpack_trans_table()
2017-09-23 05:33:29 -10:00
John Johansen 2ea3ffb778 apparmor: add mount mediation
Add basic mount mediation. That allows controlling based on basic
mount parameters. It does not include special mount parameters for
apparmor, super block labeling, or any triggers for apparmor namespace
parameter modifications on pivot root.

default userspace policy rules have the form of
  MOUNT RULE = ( MOUNT | REMOUNT | UMOUNT )

  MOUNT = [ QUALIFIERS ] 'mount' [ MOUNT CONDITIONS ] [ SOURCE FILEGLOB ]
          [ '->' MOUNTPOINT FILEGLOB ]

  REMOUNT = [ QUALIFIERS ] 'remount' [ MOUNT CONDITIONS ]
            MOUNTPOINT FILEGLOB

  UMOUNT = [ QUALIFIERS ] 'umount' [ MOUNT CONDITIONS ] MOUNTPOINT FILEGLOB

  MOUNT CONDITIONS = [ ( 'fstype' | 'vfstype' ) ( '=' | 'in' )
                       MOUNT FSTYPE EXPRESSION ]
		       [ 'options' ( '=' | 'in' ) MOUNT FLAGS EXPRESSION ]

  MOUNT FSTYPE EXPRESSION = ( MOUNT FSTYPE LIST | MOUNT EXPRESSION )

  MOUNT FSTYPE LIST = Comma separated list of valid filesystem and
                      virtual filesystem types (eg ext4, debugfs, etc)

  MOUNT FLAGS EXPRESSION = ( MOUNT FLAGS LIST | MOUNT EXPRESSION )

  MOUNT FLAGS LIST = Comma separated list of MOUNT FLAGS.

  MOUNT FLAGS = ( 'ro' | 'rw' | 'nosuid' | 'suid' | 'nodev' | 'dev' |
                  'noexec' | 'exec' | 'sync' | 'async' | 'remount' |
		  'mand' | 'nomand' | 'dirsync' | 'noatime' | 'atime' |
		  'nodiratime' | 'diratime' | 'bind' | 'rbind' | 'move' |
		  'verbose' | 'silent' | 'loud' | 'acl' | 'noacl' |
		  'unbindable' | 'runbindable' | 'private' | 'rprivate' |
		  'slave' | 'rslave' | 'shared' | 'rshared' |
		  'relatime' | 'norelatime' | 'iversion' | 'noiversion' |
		  'strictatime' | 'nouser' | 'user' )

  MOUNT EXPRESSION = ( ALPHANUMERIC | AARE ) ...

  PIVOT ROOT RULE = [ QUALIFIERS ] pivot_root [ oldroot=OLD PUT FILEGLOB ]
                    [ NEW ROOT FILEGLOB ]

  SOURCE FILEGLOB = FILEGLOB

  MOUNTPOINT FILEGLOB = FILEGLOB

eg.
  mount,
  mount /dev/foo,
  mount options=ro /dev/foo -> /mnt/,
  mount options in (ro,atime) /dev/foo -> /mnt/,
  mount options=ro options=atime,

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2017-09-22 13:00:57 -07:00
Kees Cook 993b3ab064 apparmor: Refactor to remove bprm_secureexec hook
The AppArmor bprm_secureexec hook can be merged with the bprm_set_creds
hook since it's dealing with the same information, and all of the details
are finalized during the first call to the bprm_set_creds hook via
prepare_binprm() (subsequent calls due to binfmt_script, etc, are ignored
via bprm->called_set_creds).

Here, all the comments describe how secureexec is actually calculated
during bprm_set_creds, so this actually does it, drops the bprm flag that
was being used internally by AppArmor, and drops the bprm_secureexec hook.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
2017-08-01 12:03:06 -07:00
Kees Cook ddb4a1442d exec: Rename bprm->cred_prepared to called_set_creds
The cred_prepared bprm flag has a misleading name. It has nothing to do
with the bprm_prepare_cred hook, and actually tracks if bprm_set_creds has
been called. Rename this flag and improve its comment.

Cc: David Howells <dhowells@redhat.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: James Morris <james.l.morris@oracle.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
2017-08-01 12:02:48 -07:00
John Johansen e00b02bb6a apparmor: move change_profile mediation to using labels
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10 17:11:47 -07:00
John Johansen 89dbf1962a apparmor: move change_hat mediation to using labels
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10 17:11:46 -07:00
John Johansen 93c98a484c apparmor: move exec domain mediation to using labels
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10 17:11:46 -07:00
John Johansen 98c3d18232 apparmor: update aa_audit_file() to use labels
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10 17:11:43 -07:00
John Johansen b2d09ae449 apparmor: move ptrace checks to using labels
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10 17:11:41 -07:00
John Johansen 637f688dc3 apparmor: switch from profiles to using labels on contexts
Begin the actual switch to using domain labels by storing them on
the context and converting the label to a singular profile where
possible.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10 17:11:38 -07:00
John Johansen df8073c67f apparmor: convert aa_change_XXX bool parameters to flags
Instead of passing multiple booleans consolidate on a single flags
field.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10 17:11:36 -07:00
John Johansen cf797c0e5e apparmor: convert to profile block critical sections
There are still a few places where profile replacement fails to update
and a stale profile is used for mediation. Fix this by moving to
accessing the current label through a critical section that will
always ensure mediation is using the current label regardless of
whether the tasks cred has been updated or not.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10 17:11:34 -07:00
John Johansen fe864821d5 apparmor: move bprm_committing_creds/committed_creds to lsm.c
There is no reason to have the small stubs that don't use domain
private functions in domain.c, instead move them to lsm.c and make
them static.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10 17:11:34 -07:00
John Johansen 2d679f3cb0 apparmor: switch from file_perms to aa_perms
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10 17:11:30 -07:00
John Johansen 4227c333f6 apparmor: Move path lookup to using preallocated buffers
Dynamically allocating buffers is problematic and is an extra layer
that is a potntial point of failure and can slow down mediation.
Change path lookup to use the preallocated per cpu buffers.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-08 11:29:34 -07:00
John Johansen 72c8a76864 apparmor: allow profiles to provide info to disconnected paths
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-08 11:29:34 -07:00
Linus Torvalds f1ef09fde1 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
Pull namespace updates from Eric Biederman:
 "There is a lot here. A lot of these changes result in subtle user
  visible differences in kernel behavior. I don't expect anything will
  care but I will revert/fix things immediately if any regressions show
  up.

  From Seth Forshee there is a continuation of the work to make the vfs
  ready for unpriviled mounts. We had thought the previous changes
  prevented the creation of files outside of s_user_ns of a filesystem,
  but it turns we missed the O_CREAT path. Ooops.

  Pavel Tikhomirov and Oleg Nesterov worked together to fix a long
  standing bug in the implemenation of PR_SET_CHILD_SUBREAPER where only
  children that are forked after the prctl are considered and not
  children forked before the prctl. The only known user of this prctl
  systemd forks all children after the prctl. So no userspace
  regressions will occur. Holding earlier forked children to the same
  rules as later forked children creates a semantic that is sane enough
  to allow checkpoing of processes that use this feature.

  There is a long delayed change by Nikolay Borisov to limit inotify
  instances inside a user namespace.

  Michael Kerrisk extends the API for files used to maniuplate
  namespaces with two new trivial ioctls to allow discovery of the
  hierachy and properties of namespaces.

  Konstantin Khlebnikov with the help of Al Viro adds code that when a
  network namespace exits purges it's sysctl entries from the dcache. As
  in some circumstances this could use a lot of memory.

  Vivek Goyal fixed a bug with stacked filesystems where the permissions
  on the wrong inode were being checked.

  I continue previous work on ptracing across exec. Allowing a file to
  be setuid across exec while being ptraced if the tracer has enough
  credentials in the user namespace, and if the process has CAP_SETUID
  in it's own namespace. Proc files for setuid or otherwise undumpable
  executables are now owned by the root in the user namespace of their
  mm. Allowing debugging of setuid applications in containers to work
  better.

  A bug I introduced with permission checking and automount is now
  fixed. The big change is to mark the mounts that the kernel initiates
  as a result of an automount. This allows the permission checks in sget
  to be safely suppressed for this kind of mount. As the permission
  check happened when the original filesystem was mounted.

  Finally a special case in the mount namespace is removed preventing
  unbounded chains in the mount hash table, and making the semantics
  simpler which benefits CRIU.

  The vfs fix along with related work in ima and evm I believe makes us
  ready to finish developing and merge fully unprivileged mounts of the
  fuse filesystem. The cleanups of the mount namespace makes discussing
  how to fix the worst case complexity of umount. The stacked filesystem
  fixes pave the way for adding multiple mappings for the filesystem
  uids so that efficient and safer containers can be implemented"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
  proc/sysctl: Don't grab i_lock under sysctl_lock.
  vfs: Use upper filesystem inode in bprm_fill_uid()
  proc/sysctl: prune stale dentries during unregistering
  mnt: Tuck mounts under others instead of creating shadow/side mounts.
  prctl: propagate has_child_subreaper flag to every descendant
  introduce the walk_process_tree() helper
  nsfs: Add an ioctl() to return owner UID of a userns
  fs: Better permission checking for submounts
  exit: fix the setns() && PR_SET_CHILD_SUBREAPER interaction
  vfs: open() with O_CREAT should not create inodes with unknown ids
  nsfs: Add an ioctl() to return the namespace type
  proc: Better ownership of files for non-dumpable tasks in user namespaces
  exec: Remove LSM_UNSAFE_PTRACE_CAP
  exec: Test the ptracer's saved cred to see if the tracee can gain caps
  exec: Don't reset euid and egid when the tracee has CAP_SETUID
  inotify: Convert to using per-namespace limits
2017-02-23 20:33:51 -08:00
Eric W. Biederman 9227dd2a84 exec: Remove LSM_UNSAFE_PTRACE_CAP
With previous changes every location that tests for
LSM_UNSAFE_PTRACE_CAP also tests for LSM_UNSAFE_PTRACE making the
LSM_UNSAFE_PTRACE_CAP redundant, so remove it.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2017-01-24 12:03:08 +13:00
John Johansen aa9a39ad8f apparmor: convert change_profile to use fqname later to give better control
Moving the use of fqname to later allows learning profiles to be based
on the fqname request instead of just the hname. It also allows cleaning
up some of the name parsing and lookup by allowing the use of
the fqlookupn_profile() lib fn.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16 01:18:49 -08:00
John Johansen ef88a7ac55 apparmor: change aad apparmor_audit_data macro to a fn macro
The aad macro can replace aad strings when it is not intended to. Switch
to a fn macro so it is only applied when intended.

Also at the same time cleanup audit_data initialization by putting
common boiler plate behind a macro, and dropping the gfp_t parameter
which will become useless.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16 01:18:47 -08:00
John Johansen 47f6e5cc73 apparmor: change op from int to const char *
Having ops be an integer that is an index into an op name table is
awkward and brittle. Every op change requires an edit for both the
op constant and a string in the table. Instead switch to using const
strings directly, eliminating the need for the table that needs to
be kept in sync.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16 01:18:46 -08:00
John Johansen 55a26ebf63 apparmor: rename context abreviation cxt to the more standard ctx
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16 01:18:45 -08:00