kernel/linux.git/security/apparmor/Kconfig, branch v6.1.168

apparmor: test: make static symbols visible during kunit testing

2023-11-20T10:52:09+00:00

[ Upstream commit b11e51dd70947107fa4076c6286dce301671afc1 ] Use macros, VISIBLE_IF_KUNIT and EXPORT_SYMBOL_IF_KUNIT, to allow static symbols to be conditionally set to be visible during apparmor_policy_unpack_test, which removes the need to include the testing file in the implementation file. Change the namespace of the symbols that are now conditionally visible (by adding the prefix aa_) to avoid confusion with symbols of the same name. Allow the test to be built as a module and namespace the module name from policy_unpack_test to apparmor_policy_unpack_test to improve clarity of the module name. Provide an example of how static symbols can be dealt with in testing. Signed-off-by: Rae Moar Reviewed-by: David Gow Acked-by: John Johansen Signed-off-by: Shuah Khan Stable-dep-of: 8884ba07786c ("apparmor: fix invalid reference on profile->disconnected") Signed-off-by: Sasha Levin

apparmor: Enable tuning of policy paranoid load for embedded systems

2022-07-09T22:13:59+00:00

AppArmor by default does an extensive check on loaded policy that can take quite some time on limited resource systems. Allow disabling this check for embedded systems where system images are readonly and have checksumming making the need for the embedded policy to be fully checked to be redundant. Note: basic policy checks are still done. Signed-off-by: John Johansen

apparmor: make export of raw binary profile to userspace optional

2022-07-09T22:13:59+00:00

Embedded systems have limited space and don't need the introspection or checkpoint restore capability provided by exporting the raw profile binary data so make it so make it a config option. This will reduce run time memory use and also speed up policy loads. Signed-off-by: John Johansen

apparmor: Update help description of policy hash for introspection

2022-07-09T22:13:59+00:00

Update help to note this option is not needed for small embedded systems where regular policy introspection is not used. Signed-off-by: John Johansen

Merge tag 'for-v5.9' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

2020-08-11T21:30:36+00:00

Pull security subsystem updates from James Morris: "A couple of minor documentation updates only for this release" * tag 'for-v5.9' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: LSM: drop duplicated words in header file comments Replace HTTP links with HTTPS ones: security

Replace HTTP links with HTTPS ones: security

2020-08-06T19:00:05+00:00

Rationale: Reduces attack surface on kernel devs opening the links for MITM as HTTPS traffic is much harder to manipulate. Deterministic algorithm: For each file: If not .svg: For each line: If doesn't contain `\bxmlns\b`: For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`: If both the HTTP and HTTPS versions return 200 OK and serve the same content: Replace HTTP with HTTPS. Signed-off-by: Alexander A. Klimov Acked-by: John Johansen Signed-off-by: James Morris

security: apparmor: default KUNIT_* fragments to KUNIT_ALL_TESTS

2020-06-01T20:25:15+00:00

This makes it easier to enable all KUnit fragments. Adding 'if !KUNIT_ALL_TESTS' so individual tests can not be turned off. Therefore if KUNIT_ALL_TESTS is enabled that will hide the prompt in menuconfig. Reviewed-by: David Gow Signed-off-by: Anders Roxell Acked-by: John Johansen Signed-off-by: Shuah Khan

kunit: building kunit as a module breaks allmodconfig

2020-01-10T21:36:37+00:00

kunit tests that do not support module build should depend on KUNIT=y rather than just KUNIT in Kconfig, otherwise they will trigger compilation errors for "make allmodconfig" builds. Fixes: 9fe124bf1b77 ("kunit: allow kunit to be loaded as a module") Reported-by: Stephen Rothwell Signed-off-by: Alan Maguire Signed-off-by: Shuah Khan

apparmor: add AppArmor KUnit tests for policy unpack

2020-01-09T23:27:43+00:00

Add KUnit tests to test AppArmor unpacking of userspace policies. AppArmor uses a serialized binary format for loading policies. To find policy format documentation see Documentation/admin-guide/LSM/apparmor.rst. In order to write the tests against the policy unpacking code, some static functions needed to be exposed for testing purposes. One of the goals of this patch is to establish a pattern for which testing these kinds of functions should be done in the future. Signed-off-by: Brendan Higgins Signed-off-by: Mike Salvatore Acked-by: John Johansen Reviewed-by: Kees Cook Signed-off-by: Shuah Khan

Merge tag 'apparmor-pr-2019-12-03' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

2019-12-03T20:51:35+00:00

Pull apparmor updates from John Johansen: "Features: - increase left match history buffer size to provide improved conflict resolution in overlapping execution rules. - switch buffer allocation to use a memory pool and GFP_KERNEL where possible. - add compression of policy blobs to reduce memory usage. Cleanups: - fix spelling mistake "immutible" -> "immutable" Bug fixes: - fix unsigned len comparison in update_for_len macro - fix sparse warning for type-casting of current->real_cred" * tag 'apparmor-pr-2019-12-03' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: apparmor: make it so work buffers can be allocated from atomic context apparmor: reduce rcu_read_lock scope for aa_file_perm mediation apparmor: fix wrong buffer allocation in aa_new_mount apparmor: fix unsigned len comparison with less than zero apparmor: increase left match history buffer size apparmor: Switch to GFP_KERNEL where possible apparmor: Use a memory pool instead per-CPU caches apparmor: Force type-casting of current->real_cred apparmor: fix spelling mistake "immutible" -> "immutable" apparmor: fix blob compression when ns is forced on a policy load apparmor: fix missing ZLIB defines apparmor: fix blob compression build failure on ppc apparmor: Initial implementation of raw policy blob compression