kernel/linux.git/security/apparmor/capability.c, branch v6.6.132 Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.6.132 2024-12-09T09:32:38+00:00 apparmor: fix 'Do simple duplicate message elimination' 2024-12-09T09:32:38+00:00 chao liu liuzgyid@outlook.com 2023-06-27T02:03:16+00:00 urn:sha1:2c9a5607ecbab4b41e8b24eec5c1f6ff2a3b8a8f [ Upstream commit 9b897132424fe76bf6c61f22f9cf12af7f1d1e6a ] Multiple profiles shared 'ent->caps', so some logs missed. Fixes: 0ed3b28ab8bf ("AppArmor: mediation of non file objects") Signed-off-by: chao liu <liuzgyid@outlook.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Sasha Levin <sashal@kernel.org> apparmor: pass cred through to audit info. 2023-11-28T17:20:07+00:00 John Johansen john.johansen@canonical.com 2022-09-20T03:48:48+00:00 urn:sha1:690f33e1edf5cd996b54094409de0067ae3fa216 [ Upstream commit 90c436a64a6e20482a9a613c47eb4af2e8a5328e ] The cred is needed to properly audit some messages, and will be needed in the future for uid conditional mediation. So pass it through to where the apparmor_audit_data struct gets defined. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Stable-dep-of: 157a3537d6bc ("apparmor: Fix regression in mount mediation") Signed-off-by: Sasha Levin <sashal@kernel.org> apparmor: combine common_audit_data and apparmor_audit_data 2023-11-28T17:20:07+00:00 John Johansen john.johansen@canonical.com 2022-09-14T07:20:12+00:00 urn:sha1:c57bc80f4508acd8c52bd89b01d324889065320d [ Upstream commit bd7bd201ca46c211c3ab251ca9854787d1331a2f ] Everywhere where common_audit_data is used apparmor audit_data is also used. We can simplify the code and drop the use of the aad macro everywhere by combining the two structures. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Stable-dep-of: 157a3537d6bc ("apparmor: Fix regression in mount mediation") Signed-off-by: Sasha Levin <sashal@kernel.org> apparmor: rework profile->rules to be a list 2022-10-03T21:49:04+00:00 John Johansen john.johansen@canonical.com 2022-09-06T03:47:36+00:00 urn:sha1:1ad22fcc4d0d2fb2e0f35aed555a86d016d5e590 Convert profile->rules to a list as the next step towards supporting multiple rulesets in a profile. For this step only support a single list entry item. The logic for iterating the list will come as a separate step. Signed-off-by: John Johansen <john.johansen@canonical.com> apparmor: refactor profile rules and attachments 2022-10-03T21:49:04+00:00 John Johansen john.johansen@canonical.com 2022-07-30T00:17:31+00:00 urn:sha1:217af7e2f4deb629aaa49622685ccfee923898ca In preparation for moving from a single set of rules and a single attachment to multiple rulesets and attachments separate from the profile refactor attachment information and ruleset info into their own structures. Signed-off-by: John Johansen <john.johansen@canonical.com> apparmor: add mediation class information to auditing 2022-10-03T21:49:03+00:00 John Johansen john.johansen@canonical.com 2022-04-19T23:25:55+00:00 urn:sha1:8c4b785a86be1219f7d50f7b38266c454d6a9bbc Audit messages currently don't contain the mediation class which can make them less clear than they should be in some circumstances. With newer mediation classes coming this potential confusion will become worse. Fix this by adding the mediatin class to the messages. Signed-off-by: John Johansen <john.johansen@canonical.com> treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441 2019-06-05T15:37:17+00:00 Thomas Gleixner tglx@linutronix.de 2019-06-01T08:08:55+00:00 urn:sha1:b886d83c5b621abc84ff9616f14c529be3f6b147 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation version 2 of the license extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 315 file(s). Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Allison Randal <allison@lohutok.net> Reviewed-by: Armijn Hemel <armijn@tjaldur.nl> Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190531190115.503150771@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> LSM: generalize flag passing to security_capable 2019-01-10T22:16:06+00:00 Micah Morton mortonm@chromium.org 2019-01-08T00:10:53+00:00 urn:sha1:c1a85a00ea66cb6f0bd0f14e47c28c2b0999799f This patch provides a general mechanism for passing flags to the security_capable LSM hook. It replaces the specific 'audit' flag that is used to tell security_capable whether it should log an audit message for the given capability check. The reason for generalizing this flag passing is so we can add an additional flag that signifies whether security_capable is being called by a setid syscall (which is needed by the proposed SafeSetID LSM). Signed-off-by: Micah Morton <mortonm@chromium.org> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <james.morris@microsoft.com> apparmor: move context.h to cred.h 2018-02-09T19:30:01+00:00 John Johansen john.johansen@canonical.com 2017-10-11T08:04:48+00:00 urn:sha1:d8889d49e414b371eb235c08c3a759ab3e0cfa51 Now that file contexts have been moved into file, and task context fns() and data have been split from the context, only the cred context remains in context.h so rename to cred.h to better reflect what it deals with. Signed-off-by: John Johansen <john.johansen@canonical.com> apparmor: move capability checks to using labels 2017-06-11T00:11:40+00:00 John Johansen john.johansen@canonical.com 2017-06-09T21:07:02+00:00 urn:sha1:c70c86c421427fd8487867de66c4104b15abd772 Signed-off-by: John Johansen <john.johansen@canonical.com>