hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
723,800 Commits 9 Branches 1 Tag 4.8 GiB
Commit Graph

8 Commits

Author SHA1 Message Date
Linus Torvalds 80c094a47d Revert "apparmor: add base infastructure for socket mediation" 
This reverts commit 651e28c553.

This caused a regression:
 "The specific problem is that dnsmasq refuses to start on openSUSE Leap
  42.2.  The specific cause is that and attempt to open a PF_LOCAL socket
  gets EACCES.  This means that networking doesn't function on a system
  with a 4.14-rc2 system."

Sadly, the developers involved seemed to be in denial for several weeks
about this, delaying the revert.  This has not been a good release for
the security subsystem, and this area needs to change development
practices.

Reported-and-bisected-by: James Bottomley <James.Bottomley@hansenpartnership.com>
Tracked-by: Thorsten Leemhuis <regressions@leemhuis.info>
Cc: John Johansen <john.johansen@canonical.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 2017-10-26 19:35:35 +02:00
John Johansen 651e28c553 apparmor: add base infastructure for socket mediation 
Provide a basic mediation of sockets. This is not a full net mediation
but just whether a spcific family of socket can be used by an
application, along with setting up some basic infrastructure for
network mediation to follow.

the user space rule hav the basic form of
  NETWORK RULE = [ QUALIFIERS ] 'network' [ DOMAIN ]
                 [ TYPE | PROTOCOL ]

  DOMAIN = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' |
             'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' |
	     'netbeui' | 'security' | 'key' | 'packet' | 'ash' |
	     'econet' | 'atmsvc' | 'sna' | 'irda' | 'pppox' |
	     'wanpipe' | 'bluetooth' | 'netlink' | 'unix' | 'rds' |
	     'llc' | 'can' | 'tipc' | 'iucv' | 'rxrpc' | 'isdn' |
	     'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' |
	     'vsock' | 'mpls' | 'ib' | 'kcm' ) ','

  TYPE = ( 'stream' | 'dgram' | 'seqpacket' |  'rdm' | 'raw' |
           'packet' )

  PROTOCOL = ( 'tcp' | 'udp' | 'icmp' )

eg.
  network,
  network inet,

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
 2017-09-22 13:00:58 -07:00
John Johansen ca916e8e2d apparmor: add cross check permission helper macros 
The cross check permission helper macros will help simplify code
that does cross task permission checks like ptrace.

Signed-off-by: John Johansen <john.johansen@canonical.com>
 2017-06-10 17:11:41 -07:00
John Johansen 637f688dc3 apparmor: switch from profiles to using labels on contexts 
Begin the actual switch to using domain labels by storing them on
the context and converting the label to a singular profile where
possible.

Signed-off-by: John Johansen <john.johansen@canonical.com>
 2017-06-10 17:11:38 -07:00
John Johansen 2d679f3cb0 apparmor: switch from file_perms to aa_perms 
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2017-06-10 17:11:30 -07:00
John Johansen aa9aeea8d4 apparmor: add gerneric permissions struct and support fns 
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2017-06-10 17:11:30 -07:00
John Johansen e53cfe6c7c apparmor: rework perm mapping to a slightly broader set 
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2017-06-09 05:59:22 -07:00
John Johansen fc7e0b26b8 apparmor: move permissions into their own file to be more easily shared 
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2017-06-08 12:51:53 -07:00