linux-toradex.git/security/apparmor, branch v4.8-rc6 Linux kernel for Apalis and Colibri modules apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT parameter handling 2016-07-27T07:39:26+00:00 Arnd Bergmann arnd@arndb.de 2016-07-25T17:59:07+00:00 7616ac70d1bb4f2e9d25c1a82d283f3368a7b632 The newly added Kconfig option could never work and just causes a build error when disabled: security/apparmor/lsm.c:675:25: error: 'CONFIG_SECURITY_APPARMOR_HASH_DEFAULT' undeclared here (not in a function) bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT; The problem is that the macro undefined in this case, and we need to use the IS_ENABLED() helper to turn it into a boolean constant. Another minor problem with the original patch is that the option is even offered in sysfs when SECURITY_APPARMOR_HASH is not enabled, so this also hides the option in that case. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Fixes: 6059f71f1e94 ("apparmor: add parameter to control whether policy hashing is used") Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <james.l.morris@oracle.com> 
The newly added Kconfig option could never work and just causes a build error
when disabled:

security/apparmor/lsm.c:675:25: error: 'CONFIG_SECURITY_APPARMOR_HASH_DEFAULT' undeclared here (not in a function)
 bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT;

The problem is that the macro undefined in this case, and we need to use the IS_ENABLED()
helper to turn it into a boolean constant.

Another minor problem with the original patch is that the option is even offered
in sysfs when SECURITY_APPARMOR_HASH is not enabled, so this also hides the option
in that case.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: 6059f71f1e94 ("apparmor: add parameter to control whether policy hashing is used")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
apparmor: fix arg_size computation for when setprocattr is null terminated 2016-07-12T15:43:10+00:00 John Johansen john.johansen@canonical.com 2016-07-10T06:46:33+00:00 d4d03f74a73f3b8b2801d4d02011b6b69778cbcc Signed-off-by: John Johansen <john.johansen@canonical.com> 
Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor: fix oops, validate buffer size in apparmor_setprocattr() 2016-07-12T15:43:10+00:00 Vegard Nossum vegard.nossum@oracle.com 2016-07-07T20:41:11+00:00 e89b8081327ac9efbf273e790b8677e64fd0361a When proc_pid_attr_write() was changed to use memdup_user apparmor's (interface violating) assumption that the setprocattr buffer was always a single page was violated. The size test is not strictly speaking needed as proc_pid_attr_write() will reject anything larger, but for the sake of robustness we can keep it in. SMACK and SELinux look safe to me, but somebody else should probably have a look just in case. Based on original patch from Vegard Nossum <vegard.nossum@oracle.com> modified for the case that apparmor provides null termination. Fixes: bb646cdb12e75d82258c2f2e7746d5952d3e321a Reported-by: Vegard Nossum <vegard.nossum@oracle.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: John Johansen <john.johansen@canonical.com> Cc: Paul Moore <paul@paul-moore.com> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Eric Paris <eparis@parisplace.org> Cc: Casey Schaufler <casey@schaufler-ca.com> Cc: stable@kernel.org Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Tyler Hicks <tyhicks@canonical.com> Signed-off-by: James Morris <james.l.morris@oracle.com> 
When proc_pid_attr_write() was changed to use memdup_user apparmor's
(interface violating) assumption that the setprocattr buffer was always
a single page was violated.

The size test is not strictly speaking needed as proc_pid_attr_write()
will reject anything larger, but for the sake of robustness we can keep
it in.

SMACK and SELinux look safe to me, but somebody else should probably
have a look just in case.

Based on original patch from Vegard Nossum <vegard.nossum@oracle.com>
modified for the case that apparmor provides null termination.

Fixes: bb646cdb12e75d82258c2f2e7746d5952d3e321a
Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: John Johansen <john.johansen@canonical.com>
Cc: Paul Moore <paul@paul-moore.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Eric Paris <eparis@parisplace.org>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Cc: stable@kernel.org
Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
apparmor: do not expose kernel stack 2016-07-12T15:43:10+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2016-06-10T21:34:26+00:00 f4ee2def2d70692ccff0d55353df4ee594fd0017 Do not copy uninitalized fields th.td_hilen, th.td_data. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: John Johansen <john.johansen@canonical.com> 
Do not copy uninitalized fields th.td_hilen, th.td_data.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor: fix module parameters can be changed after policy is locked 2016-07-12T15:43:10+00:00 John Johansen john.johansen@canonical.com 2016-06-23T01:01:08+00:00 58acf9d911c8831156634a44d0b022d683e1e50c the policy_lock parameter is a one way switch that prevents policy from being further modified. Unfortunately some of the module parameters can effectively modify policy by turning off enforcement. split policy_admin_capable into a view check and a full admin check, and update the admin check to test the policy_lock parameter. Signed-off-by: John Johansen <john.johansen@canonical.com> 
the policy_lock parameter is a one way switch that prevents policy
from being further modified. Unfortunately some of the module parameters
can effectively modify policy by turning off enforcement.

split policy_admin_capable into a view check and a full admin check,
and update the admin check to test the policy_lock parameter.

Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor: fix oops in profile_unpack() when policy_db is not present 2016-07-12T15:43:10+00:00 John Johansen john.johansen@canonical.com 2016-06-15T07:00:55+00:00 5f20fdfed16bc599a325a145bf0123a8e1c9beea BugLink: http://bugs.launchpad.net/bugs/1592547 If unpack_dfa() returns NULL due to the dfa not being present, profile_unpack() is not checking if the dfa is not present (NULL). Signed-off-by: John Johansen <john.johansen@canonical.com> 
BugLink: http://bugs.launchpad.net/bugs/1592547

If unpack_dfa() returns NULL due to the dfa not being present,
profile_unpack() is not checking if the dfa is not present (NULL).

Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor: don't check for vmalloc_addr if kvzalloc() failed 2016-07-12T15:43:10+00:00 John Johansen john.johansen@canonical.com 2016-06-15T06:57:55+00:00 3197f5adf539a3ee6331f433a51483f8c842f890 Signed-off-by: John Johansen <john.johansen@canonical.com> 
Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor: add missing id bounds check on dfa verification 2016-07-12T15:43:10+00:00 John Johansen john.johansen@canonical.com 2016-06-02T09:37:02+00:00 15756178c6a65b261a080e21af4766f59cafc112 Signed-off-by: John Johansen <john.johansen@canonical.com> 
Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task 2016-07-12T15:43:10+00:00 Jeff Mahoney jeffm@suse.com 2015-11-06T20:17:30+00:00 ff118479a76dbece9ae1c65c7c6a3ebe9cfa73e0 While using AppArmor, SYS_CAP_RESOURCE is insufficient to call prlimit on another task. The only other example of a AppArmor mediating access to another, already running, task (ignoring fork+exec) is ptrace. The AppArmor model for ptrace is that one of the following must be true: 1) The tracer is unconfined 2) The tracer is in complain mode 3) The tracer and tracee are confined by the same profile 4) The tracer is confined but has SYS_CAP_PTRACE 1), 2, and 3) are already true for setrlimit. We can match the ptrace model just by allowing CAP_SYS_RESOURCE. We still test the values of the rlimit since it can always be overridden using a value that means unlimited for a particular resource. Signed-off-by: Jeff Mahoney <jeffm@suse.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 
While using AppArmor, SYS_CAP_RESOURCE is insufficient to call prlimit
on another task. The only other example of a AppArmor mediating access to
another, already running, task (ignoring fork+exec) is ptrace.

The AppArmor model for ptrace is that one of the following must be true:
1) The tracer is unconfined
2) The tracer is in complain mode
3) The tracer and tracee are confined by the same profile
4) The tracer is confined but has SYS_CAP_PTRACE

1), 2, and 3) are already true for setrlimit.

We can match the ptrace model just by allowing CAP_SYS_RESOURCE.

We still test the values of the rlimit since it can always be overridden
using a value that means unlimited for a particular resource.

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor: use list_next_entry instead of list_entry_next 2016-07-12T15:43:10+00:00 Geliang Tang geliangtang@163.com 2015-11-16T13:46:33+00:00 38dbd7d8be36b5e68c96a24b406f3653180c1c03 list_next_entry has been defined in list.h, so I replace list_entry_next with it. Signed-off-by: Geliang Tang <geliangtang@163.com> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 
list_next_entry has been defined in list.h, so I replace list_entry_next
with it.

Signed-off-by: Geliang Tang <geliangtang@163.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>