Commit log for path: root/security/apparmor/include (newest first)
* mm: introduce kv[mz]alloc helpers
  Author: Michal Hocko | Date: 2017-05-09 | Files: 1 | Lines: -11/+0

  Patch series "kvmalloc", v5.

  There are many open coded kmalloc with vmalloc fallback instances in the tree. Most of them are not careful enough or simply do not care about the underlying semantic of the kmalloc/page allocator which means that a) some vmalloc fallbacks are basically unreachable because the kmalloc part will keep retrying until it succeeds b) the page allocator can invoke really disruptive steps like the OOM killer to move forward which doesn't sound appropriate when we consider that the vmalloc fallback is available.

  As it can be seen implementing kvmalloc requires quite an intimate knowledge of the page allocator and the memory reclaim internals which strongly suggests that a helper should be implemented in the memory subsystem proper.

  Most callers, I could find, have been converted to use the helper instead. This is patch 6. There are some more relying on __GFP_REPEAT in the networking stack which I have converted as well and Eric Dumazet was not opposed [2] to convert them as well.

  [1] http://lkml.kernel.org/r/20170130094940.13546-1-mhocko@kernel.org
  [2] http://lkml.kernel.org/r/1485273626.16328.301.camel@edumazet-glaptop3.roam.corp.google.com

  This patch (of 9):

  Using kmalloc with the vmalloc fallback for larger allocations is a common pattern in the kernel code. Yet we do not have any common helper for that and so users have invented their own helpers. Some of them are really creative when doing so. Let's just add kv[mz]alloc and make sure it is implemented properly. This implementation makes sure to not make a large memory pressure for > PAGE_SIZE requests (__GFP_NORETRY) and also to not warn about allocation failures. This also rules out the OOM killer as the vmalloc is a more appropriate fallback than a disruptive user visible action.

  This patch also changes some existing users and removes helpers which are specific for them. In some cases this is not possible (e.g. ext4_kvmalloc, libcfs_kvzalloc) because those seem to be broken and require GFP_NO{FS,IO} context which is not vmalloc compatible in general (note that the page table allocation is GFP_KERNEL). Those need to be fixed separately.

  While we are at it, document that __vmalloc{_node} about unsupported gfp mask because there seems to be a lot of confusion out there. kvmalloc_node will warn about GFP_KERNEL incompatible (which are not superset) flags to catch new abusers. Existing ones would have to die slowly.

  [sfr@canb.auug.org.au: f2fs fixup]
  Link: http://lkml.kernel.org/r/20170320163735.332e64b7@canb.auug.org.au
  Link: http://lkml.kernel.org/r/20170306103032.2540-2-mhocko@kernel.org
  Signed-off-by: Michal Hocko <mhocko@suse.com>
  Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
  Reviewed-by: Andreas Dilger <adilger@dilger.ca> [ext4 part]
  Acked-by: Vlastimil Babka <vbabka@suse.cz>
  Cc: John Hubbard <jhubbard@nvidia.com>
  Cc: David Miller <davem@davemloft.net>
  Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
  Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* apparmor: fix parameters so that the permission test is bypassed at boot
  Author: John Johansen | Date: 2017-04-07 | Files: 1 | Lines: -1/+1

  Boot parameters are written before apparmor is ready to answer whether the user is policy_view_capable(). Setting the parameters at boot results in an oops and failure to boot. Setting the parameters at boot is obviously allowed so skip the permission check when apparmor is not initialized.

  While we are at it move the more complicated check to last.

  Signed-off-by: John Johansen <john.johansen@canonical.com>
  Signed-off-by: James Morris <james.l.morris@oracle.com>
* Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
  Author: Linus Torvalds | Date: 2017-02-21 | Files: 14 | Lines: -344/+672

  Pull security layer updates from James Morris:
  "Highlights:
   - major AppArmor update: policy namespaces & lots of fixes
   - add /sys/kernel/security/lsm node for easy detection of loaded LSMs
   - SELinux cgroupfs labeling support
   - SELinux context mounts on tmpfs, ramfs, devpts within user namespaces
   - improved TPM 2.0 support"

  * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (117 commits)
    tpm: declare tpm2_get_pcr_allocation() as static
    tpm: Fix expected number of response bytes of TPM1.2 PCR Extend
    tpm xen: drop unneeded chip variable
    tpm: fix misspelled "facilitate" in module parameter description
    tpm_tis: fix the error handling of init_tis()
    KEYS: Use memzero_explicit() for secret data
    KEYS: Fix an error code in request_master_key()
    sign-file: fix build error in sign-file.c with libressl
    selinux: allow changing labels for cgroupfs
    selinux: fix off-by-one in setprocattr
    tpm: silence an array overflow warning
    tpm: fix the type of owned field in cap_t
    tpm: add securityfs support for TPM 2.0 firmware event log
    tpm: enhance read_log_of() to support Physical TPM event log
    tpm: enhance TPM 2.0 PCR extend to support multiple banks
    tpm: implement TPM 2.0 capability to get active PCR banks
    tpm: fix RC value check in tpm2_seal_trusted
    tpm_tis: fix iTPM probe via probe_itpm() function
    tpm: Begin the process to deprecate user_read_timer
    tpm: remove tpm_read_index and tpm_write_index from tpm.h
    ...

  Commits merged from that branch (touching this path):
  * apparmor: fix restricted endian type warnings for dfa unpack
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -3/+3

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: add per cpu work buffers to avoid allocating buffers at every hook
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -0/+53

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: support querying extended trusted helper extra data
    Author: William Hua | Date: 2017-01-16 | Files: 1 | Lines: -0/+16

    Allow a profile to carry extra data that can be queried via userspace. This provides a means to store extra data in a profile that a trusted helper can extract and use from live policy.

    Signed-off-by: William Hua <william.hua@canonical.com>
    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: convert change_profile to use fqname later to give better control
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -2/+2

    Moving the use of fqname to later allows learning profiles to be based on the fqname request instead of just the hname. It also allows cleaning up some of the name parsing and lookup by allowing the use of the fqlookupn_profile() lib fn.

    Signed-off-by: John Johansen <john.johansen@canonical.com>
  * apparmor: change aad apparmor_audit_data macro to a fn macro
    Author: John Johansen | Date: 2017-01-16 | Files: 2 | Lines: -13/+32

    The aad macro can replace aad strings when it is not intended to. Switch to a fn macro so it is only applied when intended.

    Also at the same time clean up audit_data initialization by putting common boilerplate behind a macro, and dropping the gfp_t parameter which will become useless.

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: change op from int to const char *
    Author: John Johansen | Date: 2017-01-16 | Files: 3 | Lines: -60/+60

    Having ops be an integer that is an index into an op name table is awkward and brittle. Every op change requires an edit for both the op constant and a string in the table. Instead switch to using const strings directly, eliminating the need for the table that needs to be kept in sync.

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: rename context abbreviation cxt to the more standard ctx
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -38/+40

    Signed-off-by: John Johansen <john.johansen@canonical.com>
  * apparmor: add per policy ns .load, .replace, .remove interface files
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -0/+6

    Having per policy ns interface files helps with containers restoring policy.

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: pass the subject profile into profile replace/remove
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -3/+4

    This is just setup for new ns specific .load, .replace, .remove interface files.

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: audit policy ns specified in policy load
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -0/+1

    Verify that profiles in a load set specify the same policy ns and audit the name of the policy ns that policy is being loaded for.

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: allow introspecting the loaded policy pre internal transform
    Author: John Johansen | Date: 2017-01-16 | Files: 4 | Lines: -3/+39

    Store loaded policy and allow introspecting it through apparmorfs. This has several uses from debugging, policy validation, and policy checkpoint and restore for containers.

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: add ns name to the audit data for policy loads
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -0/+1

    Signed-off-by: John Johansen <john.johansen@canonical.com>
  * apparmor: add profile and ns params to aa_may_manage_policy()
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -1/+1

    Policy management will be expanded beyond traditional unconfined root. This will require knowing the profile of the task doing the management and the ns view.

    Signed-off-by: John Johansen <john.johansen@canonical.com>
  * apparmor: add ns being viewed as a param to policy_admin_capable()
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -1/+1

    Prepare for a tighter pairing of user namespaces and apparmor policy namespaces, by making the ns to be viewed available.

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: add ns being viewed as a param to policy_view_capable()
    Author: John Johansen | Date: 2017-01-16 | Files: 2 | Lines: -1/+9

    Prepare for a tighter pairing of user namespaces and apparmor policy namespaces, by making the ns to be viewed available and checking that the user namespace level is the same as the policy ns level. This strict pairing will be relaxed once true support of user namespaces lands.

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: Make aa_remove_profile() callable from a different view
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -1/+1

    This is prep work for fs operations being able to remove namespaces.

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: add special .null file used to "close" fds at exec
    Author: John Johansen | Date: 2017-01-16 | Files: 2 | Lines: -0/+4

    Borrow the special null device file from selinux to "close" fds that don't have sufficient permissions at exec time.

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: add a default null dfa
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -0/+5

    Instead of testing whether a given dfa exists in every code path, have a default null dfa that is used when loaded policy doesn't provide a dfa. This will let us get rid of special casing and avoid dereference bugs when special casing is missed.

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: add get_dfa() fn
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -0/+15

    The dfa is currently setup to be shared (has the basis of refcounting) but currently can't be because the count can't be increased.

    Signed-off-by: John Johansen <john.johansen@canonical.com>
  * apparmor: name null-XXX profiles after the executable
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -1/+2

    When possible it's better to name a learning profile after the missing profile in question. This allows for both more informative names and for profile reuse.

    Signed-off-by: John Johansen <john.johansen@canonical.com>
  * apparmor: pass gfp_t parameter into profile allocation
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -1/+1

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: refactor prepare_ns() and make usable from different views
    Author: John Johansen | Date: 2017-01-16 | Files: 2 | Lines: -2/+5

    prepare_ns() will need to be called from alternate views, and namespaces will need to be created via different interfaces. So refactor and allow specifying the view ns.

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: pass gfp param into aa_policy_init()
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -1/+1

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: constify policy name and hname
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -2/+2

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: rename hname_tail to basename
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -2/+2

    Rename to the shorter and more familiar shell cmd name.

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: rename mediated_filesystem() to path_mediated_fs()
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -1/+1

    Rename to indicate the test is only about whether path mediation is used, not whether other types of mediation might be used.

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: add debug assert AA_BUG and Kconfig to control debug info
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -1/+13

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: add macro for bug asserts to check that a lock is held
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -0/+11

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: allow ns visibility question to consider subnses
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -2/+2

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: add fn to lookup profiles by fqname
    Author: John Johansen | Date: 2017-01-16 | Files: 2 | Lines: -5/+7

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: add lib fn to find the "split" for fqnames
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -0/+2

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: add strn version of aa_find_ns
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -3/+10

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: add strn version of lookup_profile fn
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -0/+2

    Signed-off-by: John Johansen <john.johansen@canonical.com>
  * apparmor: rename replacedby to proxy
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -10/+10

    Proxy is shorter and a better fit than replacedby, so rename it.

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: rename PFLAG_INVALID to PFLAG_STALE
    Author: John Johansen | Date: 2017-01-16 | Files: 2 | Lines: -4/+4

    Invalid does not convey the meaning of the flag anymore so rename it.

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: rename sid to secid
    Author: John Johansen | Date: 2017-01-16 | Files: 1 | Lines: -9/+9

    Move to common terminology with other LSMs and kernel infrastructure.

    Signed-off-by: John Johansen <john.johansen@canonical.com>
  * apparmor: rename namespace to ns to improve code line lengths
    Author: John Johansen | Date: 2017-01-16 | Files: 3 | Lines: -30/+29

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: split apparmor policy namespaces code into its own file
    Author: John Johansen | Date: 2017-01-16 | Files: 2 | Lines: -106/+143

    Policy namespaces will be diverging from profile management and expanding so put it in its own file.

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: split out shared policy_XXX fns to lib
    Author: John Johansen | Date: 2017-01-16 | Files: 2 | Lines: -13/+81

    Signed-off-by: John Johansen <john.johansen@canonical.com>

  * apparmor: move lib definitions into separate lib include
    Author: John Johansen | Date: 2017-01-16 | Files: 3 | Lines: -80/+97

    Signed-off-by: John Johansen <john.johansen@canonical.com>
* locking/atomic, kref: Use kref_get_unless_zero() more
  Author: Peter Zijlstra | Date: 2017-01-14 | Files: 2 | Lines: -8/+2

  For some obscure reason apparmor thinks it needs to locally implement kref primitives that already exist. Stop doing this.

  Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
  Cc: Andrew Morton <akpm@linux-foundation.org>
  Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  Cc: Linus Torvalds <torvalds@linux-foundation.org>
  Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
  Cc: Peter Zijlstra <peterz@infradead.org>
  Cc: Thomas Gleixner <tglx@linutronix.de>
  Cc: linux-kernel@vger.kernel.org
  Signed-off-by: Ingo Molnar <mingo@kernel.org>
* apparmor: fix module parameters can be changed after policy is locked
  Author: John Johansen | Date: 2016-07-12 | Files: 1 | Lines: -0/+2

  The policy_lock parameter is a one way switch that prevents policy from being further modified. Unfortunately some of the module parameters can effectively modify policy by turning off enforcement.

  Split policy_admin_capable into a view check and a full admin check, and update the admin check to test the policy_lock parameter.

  Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: add missing id bounds check on dfa verification
  Author: John Johansen | Date: 2016-07-12 | Files: 1 | Lines: -0/+1

  Signed-off-by: John Johansen <john.johansen@canonical.com>

* apparmor: add parameter to control whether policy hashing is used
  Author: John Johansen | Date: 2016-07-12 | Files: 1 | Lines: -0/+1

  Signed-off-by: John Johansen <john.johansen@canonical.com>
  Acked-by: Tyler Hicks <tyhicks@canonical.com>
  Acked-by: Seth Arnold <seth.arnold@canonical.com>

* apparmor: constify aa_path_link()
  Author: Al Viro | Date: 2016-03-28 | Files: 1 | Lines: -1/+1

  Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

* [apparmor] constify struct path * in a bunch of helpers
  Author: Al Viro | Date: 2016-03-28 | Files: 2 | Lines: -2/+2

  Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

* Apparmor: mediated_filesystem() should use dentry->d_sb not inode->i_sb
  Author: David Howells | Date: 2015-02-22 | Files: 1 | Lines: -2/+2

  mediated_filesystem() should use dentry->d_sb not dentry->d_inode->i_sb and should avoid file_inode() also since it is really dealing with the path.

  Signed-off-by: David Howells <dhowells@redhat.com>
  Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>