summaryrefslogtreecommitdiff
path: root/security/apparmor
AgeCommit message (Collapse)Author
2017-07-05Merge branch 'next' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull security layer updates from James Morris: - a major update for AppArmor. From JJ: * several bug fixes and cleanups * the patch to add symlink support to securityfs that was floated on the list earlier and the apparmorfs changes that make use of securityfs symlinks * it introduces the domain labeling base code that Ubuntu has been carrying for several years, with several cleanups applied. And it converts the current mediation over to using the domain labeling base, which brings domain stacking support with it. This finally will bring the base upstream code in line with Ubuntu and provide a base to upstream the new feature work that Ubuntu carries. * This does _not_ contain any of the newer apparmor mediation features/controls (mount, signals, network, keys, ...) that Ubuntu is currently carrying, all of which will be RFC'd on top of this. - Notable also is the Infiniband work in SELinux, and the new file:map permission. From Paul: "While we're down to 21 patches for v4.13 (it was 31 for v4.12), the diffstat jumps up tremendously with over 2k of line changes. Almost all of these changes are the SELinux/IB work done by Daniel Jurgens; some other noteworthy changes include a NFS v4.2 labeling fix, a new file:map permission, and reporting of policy capabilities on policy load" There's also now genfscon labeling support for tracefs, which was lost in v4.1 with the separation from debugfs. - Smack incorporates a safer socket check in file_receive, and adds a cap_capable call in privilege check. - TPM as usual has a bunch of fixes and enhancements. - Multiple calls to security_add_hooks() can now be made for the same LSM, to allow LSMs to have hook declarations across multiple files. - IMA now supports different "ima_appraise=" modes (eg. log, fix) from the boot command line. * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (126 commits) apparmor: put back designators in struct initialisers seccomp: Switch from atomic_t to recount_t seccomp: Adjust selftests to avoid double-join seccomp: Clean up core dump logic IMA: update IMA policy documentation to include pcr= option ima: Log the same audit cause whenever a file has no signature ima: Simplify policy_func_show. integrity: Small code improvements ima: fix get_binary_runtime_size() ima: use ima_parse_buf() to parse template data ima: use ima_parse_buf() to parse measurements headers ima: introduce ima_parse_buf() ima: Add cgroups2 to the defaults list ima: use memdup_user_nul ima: fix up #endif comments IMA: Correct Kconfig dependencies for hash selection ima: define is_ima_appraise_enabled() ima: define Kconfig IMA_APPRAISE_BOOTPARAM option ima: define a set of appraisal rules requiring file signatures ima: extend the "ima_policy" boot command line to support multiple policies ...
2017-06-28apparmor: put back designators in struct initialisersStephen Rothwell
Fixes: 8014370f1257 ("apparmor: move path_link mediation to using labels") Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au> Acked-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <james.l.morris@oracle.com>
2017-06-10apparmor: export that basic profile namespaces are supportedJohn Johansen
Allow userspace to detect that basic profile policy namespaces are available. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: add stacked domain labels interfaceJohn Johansen
Update the user interface to support the stacked change_profile transition. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: add domain label stacking info to apparmorfsJohn Johansen
Now that the domain label transition is complete advertise it to userspace. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: move change_profile mediation to using labelsJohn Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: move change_hat mediation to using labelsJohn Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: move exec domain mediation to using labelsJohn Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: support v7 transition format compatible with label_parseJohn Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: mediate files when they are receivedJohn Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: rework file permission to cache file access in file->ctxJohn Johansen
This is a temporary step, towards using the file->ctx for delegation, and also helps speed up file queries, until the permission lookup cache is introduced. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: move path_link mediation to using labelsJohn Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: refactor path name lookup and permission checks around labelsJohn Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: update aa_audit_file() to use labelsJohn Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: move aa_file_perm() to use labelsJohn Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: allow ptrace checks to be finer grained than just capabilityJohn Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: move ptrace checks to using labelsJohn Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: add cross check permission helper macrosJohn Johansen
The cross check permission helper macros will help simplify code that does cross task permission checks like ptrace. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: move resource checks to using labelsJohn Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: move capability checks to using labelsJohn Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: update query interface to support label queriesJohn Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: switch getprocattr to using label_print fns()John Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: switch from profiles to using labels on contextsJohn Johansen
Begin the actual switch to using domain labels by storing them on the context and converting the label to a singular profile where possible. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: add the base fns() for domain labelsJohn Johansen
Begin moving apparmor to using broader domain labels, that will allow run time computation of domain type splitting via "stacking" of profiles into a domain label vec. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: revalidate files during execJohn Johansen
Instead of running file revalidation lazily when read/write are called copy selinux and revalidate the file table on exec. This avoids extra mediation overhead in read/write and also prevents file handles being passed through to a grand child unchecked. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: cleanup rename XXX_file_context() to XXX_file_ctx()John Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: convert aa_change_XXX bool parameters to flagsJohn Johansen
Instead of passing multiple booleans consolidate on a single flags field. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: cleanup remove unused and not fully implemented profile renameJohn Johansen
Remove the partially implemented code, until this can be properly implemented. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: refactor updating profiles to the newest parentJohn Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: share profile name on replacementJohn Johansen
The profile names are the same, leverage this. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: convert to profile block critical sectionsJohn Johansen
There are still a few places where profile replacement fails to update and a stale profile is used for mediation. Fix this by moving to accessing the current label through a critical section that will always ensure mediation is using the current label regardless of whether the tasks cred has been updated or not. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: move bprm_committing_creds/committed_creds to lsm.cJohn Johansen
There is no reason to have the small stubs that don't use domain private functions in domain.c, instead move them to lsm.c and make them static. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: fix display of ns nameJohn Johansen
The ns name being displayed should go through an ns view lookup. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: fix apparmor_query dataJohn Johansen
The data being queried isn't always the current profile and a lookup relative to the current profile should be done. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: fix policy load/remove semanticsJohn Johansen
The namespace being passed into the replace/remove profiles fns() is not the view, but the namespace specified by the inode from the file hook (if present) or the loading tasks ns, if accessing the top level virtualized load/replace file interface. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: add namespace lookup fns()John Johansen
Currently lookups are restricted to a single ns component in the path. However when namespaces are allowed to have separate views, and scopes this will not be sufficient, as it will be possible to have a multiple component ns path in scope. Add some ns lookup fns() to allow this and use them. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: cleanup __find_child()John Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: provide information about path buffer size at bootJohn Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: add profile permission query abilityJohn Johansen
Allow userspace to query a profile about permissions, through the transaction interface that is already used to allow userspace to query about key,value data. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: switch from file_perms to aa_permsJohn Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: add gerneric permissions struct and support fnsJohn Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: add fn to test if profile supports a given mediation classJohn Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: speed up transactional queriesJohn Johansen
The simple_transaction interface is slow. It requires 4 syscalls (open, write, read, close) per query and shares a single lock for each queries. So replace its use with a compatible in multi_transaction interface. It allows for a faster 2 syscall pattern per query. After an initial open, an arbitrary number of writes and reads can be issued. Each write will reset the query with new data that can be read. Reads do not clear the data, and can be issued multiple times, and used with seek, until a new write is performed which will reset the data available and the seek position. Note: this keeps the single lock design, if needed moving to a per file lock will have to come later. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: add label data availability to the feature setJohn Johansen
gsettings mediation needs to be able to determine if apparmor supports label data queries. A label data query can be done to test for support but its failure is indistinguishable from other failures, making it an unreliable indicator. Fix by making support of label data queries available as a flag in the apparmorfs features dir tree. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: add mkdir/rmdir interface to manage policy namespacesJohn Johansen
When setting up namespaces for containers its easier for them to use an fs interface to create the namespace for the containers policy. Allow mkdir/rmdir under the policy/namespaces/ dir to be used to create and remove namespaces. BugLink: http://bugs.launchpad.net/bugs/1611078 Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: add policy revision file interfaceJohn Johansen
Add a policy revision file to find the current revision of a ns's policy. There is a revision file per ns, as well as a virtualized global revision file in the base apparmor fs directory. The global revision file when opened will provide the revision of the opening task namespace. The revision file can be waited on via select/poll to detect apparmor policy changes from the last read revision of the opened file. This means that the revision file must be read after the select/poll other wise update data will remain ready for reading. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: provide finer control over policy managementJohn Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-09apparmor: rework perm mapping to a slightly broader setJohn Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-08apparmor: move permissions into their own file to be more easily sharedJohn Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-08apparmor: convert from securityfs to apparmorfs for policy ns filesJohn Johansen
Virtualize the apparmor policy/ directory so that the current namespace affects what part of policy is seen. To do this convert to using apparmorfs for policy namespace files and setup a magic symlink in the securityfs apparmor dir to access those files. Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Seth Arnold <seth.arnold@canonical.com> Reviewed-by: Kees Cook <keescook@chromium.org>