-commit 5ea33f587f5f7324c40c5986286d0f38307923bb
-Author: John Johansen <john.johansen@canonical.com>
-Date: Mon Apr 11 16:55:10 2016 -0700
-
- apparmor: fix refcount bug in profile replacement
-
- Signed-off-by: John Johansen <john.johansen@canonical.com>
- Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
-diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
-index 705c287..222052f 100644
---- a/security/apparmor/policy.c
-+++ b/security/apparmor/policy.c
-@@ -1189,12 +1189,12 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
- aa_get_profile(newest);
- aa_put_profile(parent);
- rcu_assign_pointer(ent->new->parent, newest);
-- } else
-- aa_put_profile(newest);
-+ }
- /* aafs interface uses replacedby */
- rcu_assign_pointer(ent->new->replacedby->profile,
- aa_get_profile(ent->new));
- __list_add_profile(&parent->base.profiles, ent->new);
-+ aa_put_profile(newest);
- } else {
- /* aafs interface uses replacedby */
- rcu_assign_pointer(ent->new->replacedby->profile,
-
-commit f65b1c9b72442e6166332c04f332e4b4d4797887
-Author: John Johansen <john.johansen@canonical.com>
-Date: Mon Apr 11 16:57:19 2016 -0700
-
- apparmor: fix replacement bug that adds new child to old parent
-
- When set atomic replacement is used and the parent is updated before the
- child, and the child did not exist in the old parent so there is no
- direct replacement then the new child is incorrectly added to the old
- parent. This results in the new parent not having the child(ren) that
- it should and the old parent when being destroyed asserting the
- following error.
-
- AppArmor: policy_destroy: internal error, policy '<profile/name>' still
- contains profiles
-
- Signed-off-by: John Johansen <john.johansen@canonical.com>
- Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
-diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
-index 222052f..c92a9f6 100644
---- a/security/apparmor/policy.c
-+++ b/security/apparmor/policy.c
-@@ -1193,7 +1193,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
- /* aafs interface uses replacedby */
- rcu_assign_pointer(ent->new->replacedby->profile,
- aa_get_profile(ent->new));
-- __list_add_profile(&parent->base.profiles, ent->new);
-+ __list_add_profile(&newest->base.profiles, ent->new);
- aa_put_profile(newest);
- } else {
- /* aafs interface uses replacedby */
-
-commit b6669bef20c9d934bc6498e79fffa220f6226518
-Author: John Johansen <john.johansen@canonical.com>
-Date: Sun Jun 8 11:20:54 2014 -0700
-
- apparmor: fix uninitialized lsm_audit member
-
- BugLink: http://bugs.launchpad.net/bugs/1268727
-
- The task field in the lsm_audit struct needs to be initialized if
- a change_hat fails, otherwise the following oops will occur
-
- BUG: unable to handle kernel paging request at 0000002fbead7d08
- IP: [<ffffffff8171153e>] _raw_spin_lock+0xe/0x50
- PGD 1e3f35067 PUD 0
- Oops: 0002 [#1] SMP
- Modules linked in: pppox crc_ccitt p8023 p8022 psnap llc ax25 btrfs raid6_pq xor xfs libcrc32c dm_multipath scsi_dh kvm_amd dcdbas kvm microcode amd64_edac_mod joydev edac_core psmouse edac_mce_amd serio_raw k10temp sp5100_tco i2c_piix4 ipmi_si ipmi_msghandler acpi_power_meter mac_hid lp parport hid_generic usbhid hid pata_acpi mpt2sas ahci raid_class pata_atiixp bnx2 libahci scsi_transport_sas [last unloaded: tipc]
- CPU: 2 PID: 699 Comm: changehat_twice Tainted: GF O 3.13.0-7-generic #25-Ubuntu
- Hardware name: Dell Inc. PowerEdge R415/08WNM9, BIOS 1.8.6 12/06/2011
- task: ffff8802135c6000 ti: ffff880212986000 task.ti: ffff880212986000
- RIP: 0010:[<ffffffff8171153e>] [<ffffffff8171153e>] _raw_spin_lock+0xe/0x50
- RSP: 0018:ffff880212987b68 EFLAGS: 00010006
- RAX: 0000000000020000 RBX: 0000002fbead7500 RCX: 0000000000000000
- RDX: 0000000000000292 RSI: ffff880212987ba8 RDI: 0000002fbead7d08
- RBP: ffff880212987b68 R08: 0000000000000246 R09: ffff880216e572a0
- R10: ffffffff815fd677 R11: ffffea0008469580 R12: ffffffff8130966f
- R13: ffff880212987ba8 R14: 0000002fbead7d08 R15: ffff8800d8c6b830
- FS: 00002b5e6c84e7c0(0000) GS:ffff880216e40000(0000) knlGS:0000000055731700
- CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
- CR2: 0000002fbead7d08 CR3: 000000021270f000 CR4: 00000000000006e0
- Stack:
- ffff880212987b98 ffffffff81075f17 ffffffff8130966f 0000000000000009
- 0000000000000000 0000000000000000 ffff880212987bd0 ffffffff81075f7c
- 0000000000000292 ffff880212987c08 ffff8800d8c6b800 0000000000000026
- Call Trace:
- [<ffffffff81075f17>] __lock_task_sighand+0x47/0x80
- [<ffffffff8130966f>] ? apparmor_cred_prepare+0x2f/0x50
- [<ffffffff81075f7c>] do_send_sig_info+0x2c/0x80
- [<ffffffff81075fee>] send_sig_info+0x1e/0x30
- [<ffffffff8130242d>] aa_audit+0x13d/0x190
- [<ffffffff8130c1dc>] aa_audit_file+0xbc/0x130
- [<ffffffff8130966f>] ? apparmor_cred_prepare+0x2f/0x50
- [<ffffffff81304cc2>] aa_change_hat+0x202/0x530
- [<ffffffff81308fc6>] aa_setprocattr_changehat+0x116/0x1d0
- [<ffffffff8130a11d>] apparmor_setprocattr+0x25d/0x300
- [<ffffffff812cee56>] security_setprocattr+0x16/0x20
- [<ffffffff8121fc87>] proc_pid_attr_write+0x107/0x130
- [<ffffffff811b7604>] vfs_write+0xb4/0x1f0
- [<ffffffff811b8039>] SyS_write+0x49/0xa0
- [<ffffffff8171a1bf>] tracesys+0xe1/0xe6
-
- Signed-off-by: John Johansen <john.johansen@canonical.com>
- Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
-diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
-index 89c7865..3a7f1da 100644
---- a/security/apparmor/audit.c
-+++ b/security/apparmor/audit.c
-@@ -200,7 +200,8 @@ int aa_audit(int type, struct aa_profile *profile, gfp_t gfp,
-
- if (sa->aad->type == AUDIT_APPARMOR_KILL)
- (void)send_sig_info(SIGKILL, NULL,
-- sa->u.tsk ? sa->u.tsk : current);
-+ sa->type == LSM_AUDIT_DATA_TASK && sa->u.tsk ?
-+ sa->u.tsk : current);
-
- if (sa->aad->type == AUDIT_APPARMOR_ALLOWED)
- return complain_error(sa->aad->error);
-diff --git a/security/apparmor/file.c b/security/apparmor/file.c
-index d186674..4d2af4b 100644
---- a/security/apparmor/file.c
-+++ b/security/apparmor/file.c
-@@ -110,7 +110,8 @@ int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
- int type = AUDIT_APPARMOR_AUTO;
- struct common_audit_data sa;
- struct apparmor_audit_data aad = {0,};
-- sa.type = LSM_AUDIT_DATA_NONE;
-+ sa.type = LSM_AUDIT_DATA_TASK;
-+ sa.u.tsk = NULL;
- sa.aad = &aad;
- aad.op = op,
- aad.fs.request = request;
-
-commit aeab4cbfb86d0faeeb709e8201672e0662aa2c6f
-Author: John Johansen <john.johansen@canonical.com>
-Date: Fri Jul 25 04:02:03 2014 -0700
-
- apparmor: exec should not be returning ENOENT when it denies
-
- The current behavior is confusing as it causes exec failures to report
- the executable is missing instead of identifying that apparmor
- caused the failure.
-
- Signed-off-by: John Johansen <john.johansen@canonical.com>
- Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
-diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
-index dc0027b..67a7418 100644
---- a/security/apparmor/domain.c
-+++ b/security/apparmor/domain.c
-@@ -433,7 +433,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
- new_profile = aa_get_newest_profile(ns->unconfined);
- info = "ux fallback";
- } else {
-- error = -ENOENT;
-+ error = -EACCES;
- info = "profile not found";
- /* remove MAY_EXEC to audit as failure */
- perms.allow &= ~MAY_EXEC;
-
-commit 752e4263021d90cf23c262f2fd3ebfd6dbccd455
-Author: John Johansen <john.johansen@canonical.com>
-Date: Fri Jul 25 04:01:56 2014 -0700
-
- apparmor: fix update the mtime of the profile file on replacement
-
- Signed-off-by: John Johansen <john.johansen@canonical.com>
- Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
-diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
-index ad4fa49..45a6199 100644
---- a/security/apparmor/apparmorfs.c
-+++ b/security/apparmor/apparmorfs.c
-@@ -379,6 +379,8 @@ void __aa_fs_profile_migrate_dents(struct aa_profile *old,
-
- for (i = 0; i < AAFS_PROF_SIZEOF; i++) {
- new->dents[i] = old->dents[i];
-+ if (new->dents[i])
-+ new->dents[i]->d_inode->i_mtime = CURRENT_TIME;
- old->dents[i] = NULL;
- }
- }
-
-commit 0c67233b18406dc7a8629faf8f9452feace6fb13
-Author: John Johansen <john.johansen@canonical.com>
-Date: Fri Jul 25 04:02:08 2014 -0700
-
- apparmor: fix disconnected bind mnts reconnection
-
- Bind mounts can fail to be properly reconnected when PATH_CONNECT is
- specified. Ensure that when PATH_CONNECT is specified the path has
- a root.
-
- BugLink: http://bugs.launchpad.net/bugs/1319984
-
- Signed-off-by: John Johansen <john.johansen@canonical.com>
- Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
-diff --git a/security/apparmor/path.c b/security/apparmor/path.c
-index edddc02..f261678 100644
---- a/security/apparmor/path.c
-+++ b/security/apparmor/path.c
-@@ -141,7 +141,10 @@ static int d_namespace_path(const struct path *path, char *buf, int buflen,
- error = -EACCES;
- if (*res == '/')
- *name = res + 1;
-- }
-+ } else if (*res != '/')
-+ /* CONNECT_PATH with missing root */
-+ error = prepend(name, *name - buf, "/", 1);
-+
- }
-
- out:
-
-commit 30c2b759b4f456e97e859ca550666c8abe84ff3c
-Author: John Johansen <john.johansen@canonical.com>
-Date: Fri Jul 25 04:02:10 2014 -0700
-
- apparmor: internal paths should be treated as disconnected
-
- Internal mounts are not mounted anywhere and as such should be treated
- as disconnected paths.
-
- Signed-off-by: John Johansen <john.johansen@canonical.com>
- Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
-diff --git a/security/apparmor/path.c b/security/apparmor/path.c
-index f261678..a8fc7d0 100644
---- a/security/apparmor/path.c
-+++ b/security/apparmor/path.c
-@@ -25,7 +25,6 @@
- #include "include/path.h"
- #include "include/policy.h"
-
--
- /* modified from dcache.c */
- static int prepend(char **buffer, int buflen, const char *str, int namelen)
- {
-@@ -39,6 +38,38 @@ static int prepend(char **buffer, int buflen, const char *str, int namelen)
-
- #define CHROOT_NSCONNECT (PATH_CHROOT_REL | PATH_CHROOT_NSCONNECT)
-
-+/* If the path is not connected to the expected root,
-+ * check if it is a sysctl and handle specially else remove any
-+ * leading / that __d_path may have returned.
-+ * Unless
-+ * specifically directed to connect the path,
-+ * OR
-+ * if in a chroot and doing chroot relative paths and the path
-+ * resolves to the namespace root (would be connected outside
-+ * of chroot) and specifically directed to connect paths to
-+ * namespace root.
-+ */
-+static int disconnect(const struct path *path, char *buf, char **name,
-+ int flags)
-+{
-+ int error = 0;
-+
-+ if (!(flags & PATH_CONNECT_PATH) &&
-+ !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
-+ our_mnt(path->mnt))) {
-+ /* disconnected path, don't return pathname starting
-+ * with '/'
-+ */
-+ error = -EACCES;
-+ if (**name == '/')
-+ *name = *name + 1;
-+ } else if (**name != '/')
-+ /* CONNECT_PATH with missing root */
-+ error = prepend(name, *name - buf, "/", 1);
-+
-+ return error;
-+}
-+
- /**
- * d_namespace_path - lookup a name associated with a given path
- * @path: path to lookup (NOT NULL)
-@@ -74,7 +105,8 @@ static int d_namespace_path(const struct path *path, char *buf, int buflen,
- * control instead of hard coded /proc
- */
- return prepend(name, *name - buf, "/proc", 5);
-- }
-+ } else
-+ return disconnect(path, buf, name, flags);
- return 0;
- }
-
-@@ -120,32 +152,8 @@ static int d_namespace_path(const struct path *path, char *buf, int buflen,
- goto out;
- }
-
-- /* If the path is not connected to the expected root,
-- * check if it is a sysctl and handle specially else remove any
-- * leading / that __d_path may have returned.
-- * Unless
-- * specifically directed to connect the path,
-- * OR
-- * if in a chroot and doing chroot relative paths and the path
-- * resolves to the namespace root (would be connected outside
-- * of chroot) and specifically directed to connect paths to
-- * namespace root.
-- */
-- if (!connected) {
-- if (!(flags & PATH_CONNECT_PATH) &&
-- !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
-- our_mnt(path->mnt))) {
-- /* disconnected path, don't return pathname starting
-- * with '/'
-- */
-- error = -EACCES;
-- if (*res == '/')
-- *name = res + 1;
-- } else if (*res != '/')
-- /* CONNECT_PATH with missing root */
-- error = prepend(name, *name - buf, "/", 1);
--
-- }
-+ if (!connected)
-+ error = disconnect(path, buf, name, flags);
-
- out:
- return error;
-
-commit 35f89b597a40c870f93a068bc92a7ef4f9b16a66
-Author: John Johansen <john.johansen@canonical.com>
-Date: Sat Apr 16 13:59:02 2016 -0700
-
- apparmor: fix put() parent ref after updating the active ref
-
- Signed-off-by: John Johansen <john.johansen@canonical.com>
- Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
-diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
-index c92a9f6..455c9f8 100644
---- a/security/apparmor/policy.c
-+++ b/security/apparmor/policy.c
-@@ -1187,8 +1187,8 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
- /* parent replaced in this atomic set? */
- if (newest != parent) {
- aa_get_profile(newest);
-- aa_put_profile(parent);
- rcu_assign_pointer(ent->new->parent, newest);
-+ aa_put_profile(parent);
- }
- /* aafs interface uses replacedby */
- rcu_assign_pointer(ent->new->replacedby->profile,
-
-commit 7b1ec6a04ca57fabe250f1102f2803dea7fbd03b
-Author: John Johansen <john.johansen@canonical.com>
-Date: Sat Apr 16 14:16:50 2016 -0700
-
- apparmor: fix log failures for all profiles in a set
-
- currently only the profile that is causing the failure is logged. This
- makes it more confusing than necessary about which profiles loaded
- and which didn't. So make sure to log success and failure messages for
- all profiles in the set being loaded.
-
- Signed-off-by: John Johansen <john.johansen@canonical.com>
- Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
-diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
-index 455c9f8..db31bc5 100644
---- a/security/apparmor/policy.c
-+++ b/security/apparmor/policy.c
-@@ -1067,7 +1067,7 @@ static int __lookup_replace(struct aa_namespace *ns, const char *hname,
- */
- ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
- {
-- const char *ns_name, *name = NULL, *info = NULL;
-+ const char *ns_name, *info = NULL;
- struct aa_namespace *ns = NULL;
- struct aa_load_ent *ent, *tmp;
- int op = OP_PROF_REPL;
-@@ -1082,18 +1082,15 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
- /* released below */
- ns = aa_prepare_namespace(ns_name);
- if (!ns) {
-- info = "failed to prepare namespace";
-- error = -ENOMEM;
-- name = ns_name;
-- goto fail;
-+ error = audit_policy(op, GFP_KERNEL, ns_name,
-+ "failed to prepare namespace", -ENOMEM);
-+ goto free;
- }
-
- mutex_lock(&ns->lock);
- /* setup parent and ns info */
- list_for_each_entry(ent, &lh, list) {
- struct aa_policy *policy;
--
-- name = ent->new->base.hname;
- error = __lookup_replace(ns, ent->new->base.hname, noreplace,
- &ent->old, &info);
- if (error)
-@@ -1121,7 +1118,6 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
- if (!p) {
- error = -ENOENT;
- info = "parent does not exist";
-- name = ent->new->base.hname;
- goto fail_lock;
- }
- rcu_assign_pointer(ent->new->parent, aa_get_profile(p));
-@@ -1214,9 +1210,22 @@ out:
-
- fail_lock:
- mutex_unlock(&ns->lock);
--fail:
-- error = audit_policy(op, GFP_KERNEL, name, info, error);
-
-+ /* audit cause of failure */
-+ op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
-+ audit_policy(op, GFP_KERNEL, ent->new->base.hname, info, error);
-+ /* audit status that rest of profiles in the atomic set failed too */
-+ info = "valid profile in failed atomic policy load";
-+ list_for_each_entry(tmp, &lh, list) {
-+ if (tmp == ent) {
-+ info = "unchecked profile in failed atomic policy load";
-+ /* skip entry that caused failure */
-+ continue;
-+ }
-+ op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
-+ audit_policy(op, GFP_KERNEL, tmp->new->base.hname, info, error);
-+ }
-+free:
- list_for_each_entry_safe(ent, tmp, &lh, list) {
- list_del_init(&ent->list);
- aa_load_ent_free(ent);
-
-commit 4c475747a31b0637f0d47cb9bddaf2c6efb02854
-Author: John Johansen <john.johansen@canonical.com>
-Date: Sat Apr 16 14:19:38 2016 -0700
-
- apparmor: fix audit full profile hname on successful load
-
- Currently logging of a successful profile load only logs the basename
- of the profile. This can result in confusion when a child profile has
- the same name as the another profile in the set. Logging the hname
- will ensure there is no confusion.
-
- Signed-off-by: John Johansen <john.johansen@canonical.com>
- Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
-diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
-index db31bc5..ca402d0 100644
---- a/security/apparmor/policy.c
-+++ b/security/apparmor/policy.c
-@@ -1159,7 +1159,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
- list_del_init(&ent->list);
- op = (!ent->old && !ent->rename) ? OP_PROF_LOAD : OP_PROF_REPL;
-
-- audit_policy(op, GFP_ATOMIC, ent->new->base.name, NULL, error);
-+ audit_policy(op, GFP_ATOMIC, ent->new->base.hname, NULL, error);
-
- if (ent->old) {
- __replace_profile(ent->old, ent->new, 1);
-
-commit 430741dd766291d2e618b04e918ee6da844c230a
-Author: John Johansen <john.johansen@canonical.com>
-Date: Wed Apr 20 14:18:18 2016 -0700
-
- apparmor: ensure the target profile name is always audited
-
- The target profile name was not being correctly audited in a few
- cases because the target variable was not being set and gotos
- passed the code to set it at apply:
-
- Since it is always based on new_profile just drop the target var
- and conditionally report based on new_profile.
-
- Signed-off-by: John Johansen <john.johansen@canonical.com>
- Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
-diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
-index 67a7418..fc3036b 100644
---- a/security/apparmor/domain.c
-+++ b/security/apparmor/domain.c
-@@ -346,7 +346,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
- file_inode(bprm->file)->i_uid,
- file_inode(bprm->file)->i_mode
- };
-- const char *name = NULL, *target = NULL, *info = NULL;
-+ const char *name = NULL, *info = NULL;
- int error = 0;
-
- if (bprm->cred_prepared)
-@@ -399,6 +399,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
- if (cxt->onexec) {
- struct file_perms cp;
- info = "change_profile onexec";
-+ new_profile = aa_get_newest_profile(cxt->onexec);
- if (!(perms.allow & AA_MAY_ONEXEC))
- goto audit;
-
-@@ -413,7 +414,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
-
- if (!(cp.allow & AA_MAY_ONEXEC))
- goto audit;
-- new_profile = aa_get_newest_profile(cxt->onexec);
- goto apply;
- }
-
-@@ -445,10 +445,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
- if (!new_profile) {
- error = -ENOMEM;
- info = "could not create null profile";
-- } else {
-+ } else
- error = -EACCES;
-- target = new_profile->base.hname;
-- }
- perms.xindex |= AA_X_UNSAFE;
- } else
- /* fail exec */
-@@ -459,7 +457,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
- * fail the exec.
- */
- if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) {
-- aa_put_profile(new_profile);
- error = -EPERM;
- goto cleanup;
- }
-@@ -474,10 +471,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
-
- if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
- error = may_change_ptraced_domain(new_profile);
-- if (error) {
-- aa_put_profile(new_profile);
-+ if (error)
- goto audit;
-- }
- }
-
- /* Determine if secure exec is needed.
-@@ -498,7 +493,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
- bprm->unsafe |= AA_SECURE_X_NEEDED;
- }
- apply:
-- target = new_profile->base.hname;
- /* when transitioning profiles clear unsafe personality bits */
- bprm->per_clear |= PER_CLEAR_ON_SETID;
-
-@@ -506,15 +500,19 @@ x_clear:
- aa_put_profile(cxt->profile);
- /* transfer new profile reference will be released when cxt is freed */
- cxt->profile = new_profile;
-+ new_profile = NULL;
-
- /* clear out all temporary/transitional state from the context */
- aa_clear_task_cxt_trans(cxt);
-
- audit:
- error = aa_audit_file(profile, &perms, GFP_KERNEL, OP_EXEC, MAY_EXEC,
-- name, target, cond.uid, info, error);
-+ name,
-+ new_profile ? new_profile->base.hname : NULL,
-+ cond.uid, info, error);
-
- cleanup:
-+ aa_put_profile(new_profile);
- aa_put_profile(profile);
- kfree(buffer);
-
-
-commit 06763d057300b3d5bbe1894acfe236cf193bab78
-Author: John Johansen <john.johansen@canonical.com>
-Date: Thu Mar 17 12:02:54 2016 -0700
-
- apparmor: check that xindex is in trans_table bounds
-
- Signed-off-by: John Johansen <john.johansen@canonical.com>
- Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
-diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
-index a689f10..c841b12 100644
---- a/security/apparmor/policy_unpack.c
-+++ b/security/apparmor/policy_unpack.c
-@@ -676,7 +676,7 @@ static bool verify_xindex(int xindex, int table_size)
- int index, xtype;
- xtype = xindex & AA_X_TYPE_MASK;
- index = xindex & AA_X_INDEX_MASK;
-- if (xtype == AA_X_TABLE && index > table_size)
-+ if (xtype == AA_X_TABLE && index >= table_size)
- return 0;
- return 1;
- }
-
-commit 5833ccff1227fbc8f1bab64351f6747a6c71bdeb
-Author: Geliang Tang <geliangtang@163.com>
-Date: Mon Nov 16 21:46:33 2015 +0800
-
- apparmor: use list_next_entry instead of list_entry_next
-
- list_next_entry has been defined in list.h, so I replace list_entry_next
- with it.
-
- Signed-off-by: Geliang Tang <geliangtang@163.com>
- Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
- Signed-off-by: John Johansen <john.johansen@canonical.com>
-
-diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
-index 0d8dd71..729e595 100644
---- a/security/apparmor/apparmorfs.c
-+++ b/security/apparmor/apparmorfs.c
-@@ -553,8 +553,6 @@ fail2:
- }
-
-
--#define list_entry_next(pos, member) \
-- list_entry(pos->member.next, typeof(*pos), member)
- #define list_entry_is_head(pos, head, member) (&pos->member == (head))
-
- /**
-@@ -585,7 +583,7 @@ static struct aa_namespace *__next_namespace(struct aa_namespace *root,
- parent = ns->parent;
- while (ns != root) {
- mutex_unlock(&ns->lock);
-- next = list_entry_next(ns, base.list);
-+ next = list_next_entry(ns, base.list);
- if (!list_entry_is_head(next, &parent->sub_ns, base.list)) {
- mutex_lock(&next->lock);
- return next;
-@@ -639,7 +637,7 @@ static struct aa_profile *__next_profile(struct aa_profile *p)
- parent = rcu_dereference_protected(p->parent,
- mutex_is_locked(&p->ns->lock));
- while (parent) {
-- p = list_entry_next(p, base.list);
-+ p = list_next_entry(p, base.list);
- if (!list_entry_is_head(p, &parent->base.profiles, base.list))
- return p;
- p = parent;
-@@ -648,7 +646,7 @@ static struct aa_profile *__next_profile(struct aa_profile *p)
- }
-
- /* is next another profile in the namespace */
-- p = list_entry_next(p, base.list);
-+ p = list_next_entry(p, base.list);
- if (!list_entry_is_head(p, &ns->base.profiles, base.list))
- return p;
-
-
-commit 645801f1ddd183109c011e5ecee23ed3fdcae244
-Author: Jeff Mahoney <jeffm@suse.com>
-Date: Fri Nov 6 15:17:30 2015 -0500
-
- apparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task
-
- While using AppArmor, SYS_CAP_RESOURCE is insufficient to call prlimit
- on another task. The only other example of a AppArmor mediating access to
- another, already running, task (ignoring fork+exec) is ptrace.
-
- The AppArmor model for ptrace is that one of the following must be true:
- 1) The tracer is unconfined
- 2) The tracer is in complain mode
- 3) The tracer and tracee are confined by the same profile
- 4) The tracer is confined but has SYS_CAP_PTRACE
-
- 1), 2, and 3) are already true for setrlimit.
-
- We can match the ptrace model just by allowing CAP_SYS_RESOURCE.
-
- We still test the values of the rlimit since it can always be overridden
- using a value that means unlimited for a particular resource.
-
- Signed-off-by: Jeff Mahoney <jeffm@suse.com>
- Signed-off-by: John Johansen <john.johansen@canonical.com>
-
-diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c
-index 748bf0c..67a6072 100644
---- a/security/apparmor/resource.c
-+++ b/security/apparmor/resource.c
-@@ -101,9 +101,11 @@ int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *task,
- /* TODO: extend resource control to handle other (non current)
- * profiles. AppArmor rules currently have the implicit assumption
- * that the task is setting the resource of a task confined with
-- * the same profile.
-+ * the same profile or that the task setting the resource of another
-+ * task has CAP_SYS_RESOURCE.
- */
-- if (profile != task_profile ||
-+ if ((profile != task_profile &&
-+ aa_capable(profile, CAP_SYS_RESOURCE, 1)) ||
- (profile->rlimits.mask & (1 << resource) &&
- new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max))
- error = -EACCES;
-
-commit 2be4aed1f3332d87273eb593944332054f3cffac
-Author: John Johansen <john.johansen@canonical.com>
-Date: Thu Jun 2 02:37:02 2016 -0700
-
- apparmor: add missing id bounds check on dfa verification
-
- Signed-off-by: John Johansen <john.johansen@canonical.com>
-
-diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
-index 001c43a..a1c04fe 100644
---- a/security/apparmor/include/match.h
-+++ b/security/apparmor/include/match.h
-@@ -62,6 +62,7 @@ struct table_set_header {
- #define YYTD_ID_ACCEPT2 6
- #define YYTD_ID_NXT 7
- #define YYTD_ID_TSIZE 8
-+#define YYTD_ID_MAX 8
-
- #define YYTD_DATA8 1
- #define YYTD_DATA16 2
-diff --git a/security/apparmor/match.c b/security/apparmor/match.c
-index 727eb42..f9f57c6 100644
---- a/security/apparmor/match.c
-+++ b/security/apparmor/match.c
-@@ -47,6 +47,8 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
- * it every time we use td_id as an index
- */
- th.td_id = be16_to_cpu(*(u16 *) (blob)) - 1;
-+ if (th.td_id > YYTD_ID_MAX)
-+ goto out;
- th.td_flags = be16_to_cpu(*(u16 *) (blob + 2));
- th.td_lolen = be32_to_cpu(*(u32 *) (blob + 8));
- blob += sizeof(struct table_header);
-
-commit c7f87d3c3363b1a0c4724e627e5c8e640a883c89
-Author: John Johansen <john.johansen@canonical.com>
-Date: Wed Jun 15 09:57:55 2016 +0300
-
- apparmor: don't check for vmalloc_addr if kvzalloc() failed
-
- Signed-off-by: John Johansen <john.johansen@canonical.com>
-
-diff --git a/security/apparmor/match.c b/security/apparmor/match.c
-index f9f57c6..32b72eb 100644
---- a/security/apparmor/match.c
-+++ b/security/apparmor/match.c
-@@ -75,14 +75,14 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
- u32, be32_to_cpu);
- else
- goto fail;
-+ /* if table was vmalloced make sure the page tables are synced
-+ * before it is used, as it goes live to all cpus.
-+ */
-+ if (is_vmalloc_addr(table))
-+ vm_unmap_aliases();
- }
-
- out:
-- /* if table was vmalloced make sure the page tables are synced
-- * before it is used, as it goes live to all cpus.
-- */
-- if (is_vmalloc_addr(table))
-- vm_unmap_aliases();
- return table;
- fail:
- kvfree(table);
-
-commit 0f7e61013dd1e67ebb54d58eee11ab009ceb5ef3
-Author: John Johansen <john.johansen@canonical.com>
-Date: Wed Jun 15 10:00:55 2016 +0300
-
- apparmor: fix oops in profile_unpack() when policy_db is not present
-
- BugLink: http://bugs.launchpad.net/bugs/1592547
-
- If unpack_dfa() returns NULL due to the dfa not being present,
- profile_unpack() is not checking if the dfa is not present (NULL).
-
- Signed-off-by: John Johansen <john.johansen@canonical.com>
-
-diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
-index c841b12..dac2121 100644
---- a/security/apparmor/policy_unpack.c
-+++ b/security/apparmor/policy_unpack.c
-@@ -583,6 +583,9 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
- error = PTR_ERR(profile->policy.dfa);
- profile->policy.dfa = NULL;
- goto fail;
-+ } else if (!profile->policy.dfa) {
-+ error = -EPROTO;
-+ goto fail;
- }
- if (!unpack_u32(e, &profile->policy.start[0], "start"))
- /* default start state */
-
-commit de4ca46ec035283928e8fa40797897cefcf6ec3e
-Author: John Johansen <john.johansen@canonical.com>
-Date: Wed Jun 22 18:01:08 2016 -0700
-
- apparmor: fix module parameters can be changed after policy is locked
-
- the policy_lock parameter is a one way switch that prevents policy
- from being further modified. Unfortunately some of the module parameters
- can effectively modify policy by turning off enforcement.
-
- split policy_admin_capable into a view check and a full admin check,
- and update the admin check to test the policy_lock parameter.
-
- Signed-off-by: John Johansen <john.johansen@canonical.com>
-
-diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
-index c28b0f2..52275f0 100644
---- a/security/apparmor/include/policy.h
-+++ b/security/apparmor/include/policy.h
-@@ -403,6 +403,8 @@ static inline int AUDIT_MODE(struct aa_profile *profile)
- return profile->audit;
- }
-
-+bool policy_view_capable(void);
-+bool policy_admin_capable(void);
- bool aa_may_manage_policy(int op);
-
- #endif /* __AA_POLICY_H */
-diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
-index 7798e16..e83eefb 100644
---- a/security/apparmor/lsm.c
-+++ b/security/apparmor/lsm.c
-@@ -728,51 +728,49 @@ __setup("apparmor=", apparmor_enabled_setup);
- /* set global flag turning off the ability to load policy */
- static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
- {
-- if (!capable(CAP_MAC_ADMIN))
-+ if (!policy_admin_capable())
- return -EPERM;
-- if (aa_g_lock_policy)
-- return -EACCES;
- return param_set_bool(val, kp);
- }
-
- static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
- {
-- if (!capable(CAP_MAC_ADMIN))
-+ if (!policy_view_capable())
- return -EPERM;
- return param_get_bool(buffer, kp);
- }
-
- static int param_set_aabool(const char *val, const struct kernel_param *kp)
- {
-- if (!capable(CAP_MAC_ADMIN))
-+ if (!policy_admin_capable())
- return -EPERM;
- return param_set_bool(val, kp);
- }
-
- static int param_get_aabool(char *buffer, const struct kernel_param *kp)
- {
-- if (!capable(CAP_MAC_ADMIN))
-+ if (!policy_view_capable())
- return -EPERM;
- return param_get_bool(buffer, kp);
- }
-
- static int param_set_aauint(const char *val, const struct kernel_param *kp)
- {
-- if (!capable(CAP_MAC_ADMIN))
-+ if (!policy_admin_capable())
- return -EPERM;
- return param_set_uint(val, kp);
- }
-
- static int param_get_aauint(char *buffer, const struct kernel_param *kp)
- {
-- if (!capable(CAP_MAC_ADMIN))
-+ if (!policy_view_capable())
- return -EPERM;
- return param_get_uint(buffer, kp);
- }
-
- static int param_get_audit(char *buffer, struct kernel_param *kp)
- {
-- if (!capable(CAP_MAC_ADMIN))
-+ if (!policy_view_capable())
- return -EPERM;
-
- if (!apparmor_enabled)
-@@ -784,7 +782,7 @@ static int param_get_audit(char *buffer, struct kernel_param *kp)
- static int param_set_audit(const char *val, struct kernel_param *kp)
- {
- int i;
-- if (!capable(CAP_MAC_ADMIN))
-+ if (!policy_admin_capable())
- return -EPERM;
-
- if (!apparmor_enabled)
-@@ -805,7 +803,7 @@ static int param_set_audit(const char *val, struct kernel_param *kp)
-
- static int param_get_mode(char *buffer, struct kernel_param *kp)
- {
-- if (!capable(CAP_MAC_ADMIN))
-+ if (!policy_admin_capable())
- return -EPERM;
-
- if (!apparmor_enabled)
-@@ -817,7 +815,7 @@ static int param_get_mode(char *buffer, struct kernel_param *kp)
- static int param_set_mode(const char *val, struct kernel_param *kp)
- {
- int i;
-- if (!capable(CAP_MAC_ADMIN))
-+ if (!policy_admin_capable())
- return -EPERM;
-
- if (!apparmor_enabled)
-diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
-index 7807125..179e68d 100644
---- a/security/apparmor/policy.c
-+++ b/security/apparmor/policy.c
-@@ -918,6 +918,22 @@ static int audit_policy(int op, gfp_t gfp, const char *name, const char *info,
- &sa, NULL);
- }
-
-+bool policy_view_capable(void)
-+{
-+ struct user_namespace *user_ns = current_user_ns();
-+ bool response = false;
-+
-+ if (ns_capable(user_ns, CAP_MAC_ADMIN))
-+ response = true;
-+
-+ return response;
-+}
-+
-+bool policy_admin_capable(void)
-+{
-+ return policy_view_capable() && !aa_g_lock_policy;
-+}
-+
- /**
- * aa_may_manage_policy - can the current task manage policy
- * @op: the policy manipulation operation being done
-@@ -932,7 +948,7 @@ bool aa_may_manage_policy(int op)
- return 0;
- }
-
-- if (!capable(CAP_MAC_ADMIN)) {
-+ if (!policy_admin_capable()) {
- audit_policy(op, GFP_KERNEL, NULL, "not policy admin", -EACCES);
- return 0;
- }
-
-commit 46c339f46b83e4cf8098f599cd182e65e9d054fc
-Author: Heinrich Schuchardt <xypron.glpk@gmx.de>
-Date: Fri Jun 10 23:34:26 2016 +0200
-
- apparmor: do not expose kernel stack
-
- Do not copy uninitalized fields th.td_hilen, th.td_data.
-
- Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
- Signed-off-by: John Johansen <john.johansen@canonical.com>
-
-diff --git a/security/apparmor/match.c b/security/apparmor/match.c
-index 32b72eb..3f900fc 100644
---- a/security/apparmor/match.c
-+++ b/security/apparmor/match.c
-@@ -63,7 +63,9 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
-
- table = kvzalloc(tsize);
- if (table) {
-- *table = th;
-+ table->td_id = th.td_id;
-+ table->td_flags = th.td_flags;
-+ table->td_lolen = th.td_lolen;
- if (th.td_flags == YYTD_DATA8)
- UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
- u8, byte_to_byte);
-
-commit 7e65e8142b2ea4891581173d6e92fc337b02ff8b
-Author: John Johansen <john.johansen@canonical.com>
-Date: Sat Jul 9 23:46:33 2016 -0700
-
- apparmor: fix arg_size computation for when setprocattr is null terminated
-
- Signed-off-by: John Johansen <john.johansen@canonical.com>
-
-diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
-index e83eefb..ba8207b 100644
---- a/security/apparmor/lsm.c
-+++ b/security/apparmor/lsm.c
-@@ -529,7 +529,7 @@ static int apparmor_setprocattr(struct task_struct *task, char *name,
- if (!*args)
- goto out;
-
-- arg_size = size - (args - (char *) value);
-+ arg_size = size - (args - (largs ? largs : (char *) value));
- if (strcmp(name, "current") == 0) {
- if (strcmp(command, "changehat") == 0) {
- error = aa_setprocattr_changehat(args, arg_size,
-
-commit b661b13237991be6b5cdf0849f137c5ec58217bf
+commit 09aa4788d6052c6dc423d939319334ebb5d00847
Author: John Johansen <john.johansen@canonical.com>
Date: Mon Oct 4 15:03:36 2010 -0700
unsigned char *hash;
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
-index ba8207b..88d3b0a 100644
+index 41b8cb1..d96b5f7 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -32,6 +32,7 @@
kzfree(profile->dirname);
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
-index dac2121..0107bc4 100644
+index 1381206..7dc15ff 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -193,6 +193,19 @@ fail:
/* generic policy dfa - optional and may be NULL */
profile->policy.dfa = unpack_dfa(e);
-commit 64c5e24470a219c79c2870c63f18f6bd55648b1b
+commit f5c5644745201b5b7d398e841e5045d0a5d14b18
Author: John Johansen <john.johansen@canonical.com>
Date: Fri Jun 29 17:34:00 2012 -0700
if (denied & kill_mask)
audit_type = AUDIT_APPARMOR_KILL;
-commit f7cef61751a2382fb4ea26c18736d7552ffdb24a
+commit 0269f1631e1496798e5b0a319ff05b1133cfeaa3
Author: John Johansen <john.johansen@canonical.com>
Date: Wed May 16 10:58:05 2012 -0700
struct aa_profile *new_profile = NULL;
struct aa_namespace *ns = profile->ns;
diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
-index e4ea626..ce6ff6a 100644
+index 5d721e9..b57da7b 100644
--- a/security/apparmor/include/apparmor.h
+++ b/security/apparmor/include/apparmor.h
@@ -30,8 +30,9 @@
+
+#endif /* __AA_MOUNT_H */
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
-index 88d3b0a..432cbd3 100644
+index d96b5f7..7a02376 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -36,6 +36,7 @@
+
+ return error;
+}
+
+