Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.6.131 2022-12-14T21:42:09+00:00 2022-12-14T21:42:09+00:00 Linus Torvalds torvalds@linux-foundation.org 2022-12-14T21:42:09+00:00 urn:sha1:93761c93e9da28d8a020777cee2a84133082b477 Pull apparmor updates from John Johansen: "Features: - switch to zstd compression for profile raw data Cleanups: - simplify obtaining the newest label on a cred - remove useless static inline functions - compute permission conversion on policy unpack - refactor code to share common permissins - refactor unpack to group policy backwards compatiblity code - add __init annotation to aa_{setup/teardown}_dfa_engine() Bug Fixes: - fix a memleak in - multi_transaction_new() - free_ruleset() - unpack_profile() - alloc_ns() - fix lockdep warning when removing a namespace - fix regression in stacking due to label flags - fix loading of child before parent - fix kernel-doc comments that differ from fns - fix spelling errors in comments - store return value of unpack_perms_table() to signed variable" * tag 'apparmor-pr-2022-12-14' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: (64 commits) apparmor: Fix uninitialized symbol 'array_size' in policy_unpack_test.c apparmor: Add __init annotation to aa_{setup/teardown}_dfa_engine() apparmor: Fix memleak in alloc_ns() apparmor: Fix memleak issue in unpack_profile() apparmor: fix a memleak in free_ruleset() apparmor: Fix spelling of function name in comment block apparmor: Use pointer to struct aa_label for lbs_cred AppArmor: Fix kernel-doc LSM: Fix kernel-doc AppArmor: Fix kernel-doc apparmor: Fix loading of child before parent apparmor: refactor code that alloc null profiles apparmor: fix obsoleted comments for aa_getprocattr() and audit_resource() apparmor: remove useless static inline functions apparmor: Fix unpack_profile() warn: passing zero to 'ERR_PTR' apparmor: fix uninitialize table variable in error in unpack_trans_table apparmor: store return value of unpack_perms_table() to signed variable apparmor: Fix kunit test for out of bounds array apparmor: Fix decompression of rawdata for read back to userspace apparmor: Fix undefined references to zstd_ symbols ... 2022-12-12T21:13:48+00:00 Rae Moar rmoar@google.com 2022-12-07T01:40:24+00:00 urn:sha1:b11e51dd70947107fa4076c6286dce301671afc1 Use macros, VISIBLE_IF_KUNIT and EXPORT_SYMBOL_IF_KUNIT, to allow static symbols to be conditionally set to be visible during apparmor_policy_unpack_test, which removes the need to include the testing file in the implementation file. Change the namespace of the symbols that are now conditionally visible (by adding the prefix aa_) to avoid confusion with symbols of the same name. Allow the test to be built as a module and namespace the module name from policy_unpack_test to apparmor_policy_unpack_test to improve clarity of the module name. Provide an example of how static symbols can be dealt with in testing. Signed-off-by: Rae Moar <rmoar@google.com> Reviewed-by: David Gow <davidgow@google.com> Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org> 2022-10-03T21:49:02+00:00 Jon Tourville jon.tourville@canonical.com 2022-07-11T16:36:08+00:00 urn:sha1:f4d6b94b40c966ddd9eeb0d451e8a02c595ec7e3 Change the algorithm used by apparmor to compress profile data from zlib to zstd, using the new zstd API introduced in 5.16. Zstd provides a larger range of compression levels than zlib and significantly better performance at the default level (for a relatively small increase in compressed size). The apparmor module parameter raw_data_compression_level is now clamped to the minimum and maximum compression levels reported by the zstd library. A compression level of 0 retains the previous behavior of disabling policy compression instead of using zstd's behavior, which is to use the default compression level. Signed-off-by: Jon Tourville <jon.tourville@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2022-07-09T22:13:59+00:00 John Johansen john.johansen@canonical.com 2021-02-03T09:35:12+00:00 urn:sha1:5bfcbd22ee4e6ad5ae698518fadd0f03ea109537 AppArmor by default does an extensive check on loaded policy that can take quite some time on limited resource systems. Allow disabling this check for embedded systems where system images are readonly and have checksumming making the need for the embedded policy to be fully checked to be redundant. Note: basic policy checks are still done. Signed-off-by: John Johansen <john.johansen@canonical.com> 2022-07-09T22:13:59+00:00 John Johansen john.johansen@canonical.com 2021-02-01T11:43:18+00:00 urn:sha1:d61c57fde81915c04b41982f66a159ccc014e799 Embedded systems have limited space and don't need the introspection or checkpoint restore capability provided by exporting the raw profile binary data so make it so make it a config option. This will reduce run time memory use and also speed up policy loads. Signed-off-by: John Johansen <john.johansen@canonical.com> 2022-07-09T22:13:59+00:00 John Johansen john.johansen@canonical.com 2021-02-01T10:20:35+00:00 urn:sha1:65cc9c391c3c4096ccc47ecd8b9f58f470b57225 Update help to note this option is not needed for small embedded systems where regular policy introspection is not used. Signed-off-by: John Johansen <john.johansen@canonical.com> 2020-08-11T21:30:36+00:00 Linus Torvalds torvalds@linux-foundation.org 2020-08-11T21:30:36+00:00 urn:sha1:ce13266d97b198934e86166491bfa4938e96508f Pull security subsystem updates from James Morris: "A couple of minor documentation updates only for this release" * tag 'for-v5.9' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: LSM: drop duplicated words in header file comments Replace HTTP links with HTTPS ones: security 2020-08-06T19:00:05+00:00 Alexander A. Klimov grandmaster@al2klimov.de 2020-07-05T21:45:12+00:00 urn:sha1:c9fecf505a3421752a598227f8ef895e97966c4b Rationale: Reduces attack surface on kernel devs opening the links for MITM as HTTPS traffic is much harder to manipulate. Deterministic algorithm: For each file: If not .svg: For each line: If doesn't contain `\bxmlns\b`: For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`: If both the HTTP and HTTPS versions return 200 OK and serve the same content: Replace HTTP with HTTPS. Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de> Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org> 2020-06-01T20:25:15+00:00 Anders Roxell anders.roxell@linaro.org 2020-05-11T13:14:42+00:00 urn:sha1:6d6861d45e38d42a7df9db244c871ee3856acf57 This makes it easier to enable all KUnit fragments. Adding 'if !KUNIT_ALL_TESTS' so individual tests can not be turned off. Therefore if KUNIT_ALL_TESTS is enabled that will hide the prompt in menuconfig. Reviewed-by: David Gow <davidgow@google.com> Signed-off-by: Anders Roxell <anders.roxell@linaro.org> Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org> 2020-01-10T21:36:37+00:00 Alan Maguire alan.maguire@oracle.com 2020-01-10T11:49:25+00:00 urn:sha1:35c57fc3f8eac81b38664a0fe160e267b908d8b8 kunit tests that do not support module build should depend on KUNIT=y rather than just KUNIT in Kconfig, otherwise they will trigger compilation errors for "make allmodconfig" builds. Fixes: 9fe124bf1b77 ("kunit: allow kunit to be loaded as a module") Reported-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Alan Maguire <alan.maguire@oracle.com> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>