linux-toradex.git/security/apparmor/capability.c, branch v4.0-rc1 Linux kernel for Apalis and Colibri modules apparmor: fix capability to not use the current task, during reporting 2013-10-30T04:33:37+00:00 John Johansen john.johansen@canonical.com 2013-10-08T12:37:18+00:00 dd0c6e86f66080869ca0a48c78fb9bfbe4cf156f Mediation is based off of the cred but auditing includes the current task which may not be related to the actual request. Signed-off-by: John Johansen <john.johansen@canonical.com> 
Mediation is based off of the cred but auditing includes the current
task which may not be related to the actual request.

Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor: export set of capabilities supported by the apparmor module 2013-08-14T18:42:07+00:00 John Johansen john.johansen@canonical.com 2013-08-14T18:27:32+00:00 84f1f787421cd83bb7dfb34d584586f6a5fe7baa Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com> 
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
LSM: do not initialize common_audit_data to 0 2012-04-09T16:23:04+00:00 Eric Paris eparis@redhat.com 2012-04-04T19:01:43+00:00 50c205f5e5c2e2af002fd4ef537ded79b90b1b56 It isn't needed. If you don't set the type of the data associated with that type it is a pretty obvious programming bug. So why waste the cycles? Signed-off-by: Eric Paris <eparis@redhat.com> 
It isn't needed.  If you don't set the type of the data associated with
that type it is a pretty obvious programming bug.  So why waste the cycles?

Signed-off-by: Eric Paris <eparis@redhat.com>
apparmor: move task from common_audit_data to apparmor_audit_data 2012-04-09T16:23:02+00:00 Eric Paris eparis@redhat.com 2012-04-04T19:01:42+00:00 0972c74ecba4878baa5f97bb78b242c0eefacfb6 apparmor is the only LSM that uses the common_audit_data tsk field. Instead of making all LSMs pay for the stack space move the aa usage into the apparmor_audit_data. Signed-off-by: Eric Paris <eparis@redhat.com> 
apparmor is the only LSM that uses the common_audit_data tsk field.
Instead of making all LSMs pay for the stack space move the aa usage into
the apparmor_audit_data.

Signed-off-by: Eric Paris <eparis@redhat.com>
LSM: remove the COMMON_AUDIT_DATA_INIT type expansion 2012-04-09T16:23:01+00:00 Eric Paris eparis@redhat.com 2012-04-04T19:01:42+00:00 bd5e50f9c1c71daac273fa586424f07205f6b13b Just open code it so grep on the source code works better. Signed-off-by: Eric Paris <eparis@redhat.com> 
Just open code it so grep on the source code works better.

Signed-off-by: Eric Paris <eparis@redhat.com>
LSM: shrink sizeof LSM specific portion of common_audit_data 2012-04-03T16:48:40+00:00 Eric Paris eparis@redhat.com 2012-04-03T16:37:02+00:00 3b3b0e4fc15efa507b902d90cea39e496a523c3b Linus found that the gigantic size of the common audit data caused a big perf hit on something as simple as running stat() in a loop. This patch requires LSMs to declare the LSM specific portion separately rather than doing it in a union. Thus each LSM can be responsible for shrinking their portion and don't have to pay a penalty just because other LSMs have a bigger space requirement. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
Linus found that the gigantic size of the common audit data caused a big
perf hit on something as simple as running stat() in a loop.  This patch
requires LSMs to declare the LSM specific portion separately rather than
doing it in a union.  Thus each LSM can be responsible for shrinking their
portion and don't have to pay a penalty just because other LSMs have a
bigger space requirement.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
AppArmor: mediation of non file objects 2010-08-02T05:38:35+00:00 John Johansen john.johansen@canonical.com 2010-07-29T21:48:05+00:00 0ed3b28ab8bf460a3a026f3f1782bf4c53840184 ipc: AppArmor ipc is currently limited to mediation done by file mediation and basic ptrace tests. Improved mediation is a wip. rlimits: AppArmor provides basic abilities to set and control rlimits at a per profile level. Only resources specified in a profile are controled or set. AppArmor rules set the hard limit to a value <= to the current hard limit (ie. they can not currently raise hard limits), and if necessary will lower the soft limit to the new hard limit value. AppArmor does not track resource limits to reset them when a profile is left so that children processes inherit the limits set by the parent even if they are not confined by the same profile. Capabilities: AppArmor provides a per profile mask of capabilities, that will further restrict. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org> 
ipc:
AppArmor ipc is currently limited to mediation done by file mediation
and basic ptrace tests.  Improved mediation is a wip.

rlimits:
AppArmor provides basic abilities to set and control rlimits at
a per profile level.  Only resources specified in a profile are controled
or set.  AppArmor rules set the hard limit to a value <= to the current
hard limit (ie. they can not currently raise hard limits), and if
necessary will lower the soft limit to the new hard limit value.

AppArmor does not track resource limits to reset them when a profile
is left so that children processes inherit the limits set by the
parent even if they are not confined by the same profile.

Capabilities:  AppArmor provides a per profile mask of capabilities,
that will further restrict.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>