<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/security/apparmor/domain.c, branch v6.19.12</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v6.19.12</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v6.19.12'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2025-07-20T09:31:06+00:00</updated>
<entry>
<title>apparmor: transition from a list of rules to a vector of rules</title>
<updated>2025-07-20T09:31:06+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2025-02-17T09:46:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=9afdc6abb007d5a86f54e9f10870ac1468155ca5'/>
<id>urn:sha1:9afdc6abb007d5a86f54e9f10870ac1468155ca5</id>
<content type='text'>
The set of rules on a profile is not dynamically extended, instead
if a new ruleset is needed a new version of the profile is created.
This allows us to use a vector of rules instead of a list, slightly
reducing memory usage and simplifying the code.

Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: remove redundant perms.allow MAY_EXEC bitflag set</title>
<updated>2025-07-20T09:19:28+00:00</updated>
<author>
<name>Ryan Lee</name>
<email>ryan.lee@canonical.com</email>
</author>
<published>2025-06-23T21:58:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=4ce7d3cf5ad846a8843f8afc78de2a8309f74f12'/>
<id>urn:sha1:4ce7d3cf5ad846a8843f8afc78de2a8309f74f12</id>
<content type='text'>
This section of profile_transition that occurs after x_to_label only
happens if perms.allow already has the MAY_EXEC bit set, so we don't need
to set it again.

Fixes: 16916b17b4f8 ("apparmor: force auditing of conflicting attachment execs from confined")
Signed-off-by: Ryan Lee &lt;ryan.lee@canonical.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: force auditing of conflicting attachment execs from confined</title>
<updated>2025-05-26T03:15:01+00:00</updated>
<author>
<name>Ryan Lee</name>
<email>ryan.lee@canonical.com</email>
</author>
<published>2025-05-02T00:55:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=16916b17b4f80f99aad2ad29ad112313539ad219'/>
<id>urn:sha1:16916b17b4f80f99aad2ad29ad112313539ad219</id>
<content type='text'>
Conflicting attachment paths are an error state that results in the
binary in question executing under an unexpected ix/ux fallback. As such,
it should be audited to record the occurrence of conflicting attachments.

Signed-off-by: Ryan Lee &lt;ryan.lee@canonical.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: include conflicting attachment info for confined ix/ux fallback</title>
<updated>2025-05-26T03:15:01+00:00</updated>
<author>
<name>Ryan Lee</name>
<email>ryan.lee@canonical.com</email>
</author>
<published>2025-05-02T00:55:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=b824b5f82bbc8ace0982391a1718b04a1f93346e'/>
<id>urn:sha1:b824b5f82bbc8ace0982391a1718b04a1f93346e</id>
<content type='text'>
Instead of silently overwriting the conflicting profile attachment string,
include that information in the ix/ux fallback string that gets set as info
instead. Also add a warning print if some other info is set that would be
overwritten by the ix/ux fallback string or by the profile not found error.

Signed-off-by: Ryan Lee &lt;ryan.lee@canonical.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: move the "conflicting profile attachments" infostr to a const declaration</title>
<updated>2025-05-26T03:15:01+00:00</updated>
<author>
<name>Ryan Lee</name>
<email>ryan.lee@canonical.com</email>
</author>
<published>2025-05-02T00:55:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=e76d733b1b1ff0bec6a305341fda3fe937fbf51f'/>
<id>urn:sha1:e76d733b1b1ff0bec6a305341fda3fe937fbf51f</id>
<content type='text'>
Instead of having a literal, making this a constant will allow for (hacky)
detection of conflicting profile attachments from inspection of the info
pointer. This is used in the next patch to augment the information provided
through domain.c:x_to_label for ix/ux fallback.

Signed-off-by: Ryan Lee &lt;ryan.lee@canonical.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: force audit on unconfined exec if info is set by find_attach</title>
<updated>2025-05-26T03:15:01+00:00</updated>
<author>
<name>Ryan Lee</name>
<email>ryan.lee@canonical.com</email>
</author>
<published>2025-05-02T00:55:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=89a3561e69e5187fcce302eef429acd38aec1277'/>
<id>urn:sha1:89a3561e69e5187fcce302eef429acd38aec1277</id>
<content type='text'>
find_attach may set info if something unusual happens during that process
(currently only used to signal conflicting attachments, but this could be
expanded in the future). This is information that should be propagated to
userspace via an audit message.

Signed-off-by: Ryan Lee &lt;ryan.lee@canonical.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: fix typos and spelling errors</title>
<updated>2025-02-10T19:17:49+00:00</updated>
<author>
<name>Tanya Agarwal</name>
<email>tanyaagarwal25699@gmail.com</email>
</author>
<published>2025-01-23T19:21:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=aabbe6f908d8264cd8aeeef8141665f71668ef36'/>
<id>urn:sha1:aabbe6f908d8264cd8aeeef8141665f71668ef36</id>
<content type='text'>
Fix typos and spelling errors in apparmor module comments that were
identified using the codespell tool.
No functional changes - documentation only.

Signed-off-by: Tanya Agarwal &lt;tanyaagarwal25699@gmail.com&gt;
Reviewed-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;
Ryan Lee &lt;ryan.lee@canonical.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: fix x_table_lookup when stacking is not the first entry</title>
<updated>2025-01-18T14:47:12+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2024-01-03T05:54:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=a9eb185be84e998aa9a99c7760534ccc06216705'/>
<id>urn:sha1:a9eb185be84e998aa9a99c7760534ccc06216705</id>
<content type='text'>
x_table_lookup currently does stacking during label_parse() if the
target specifies a stack but its only caller ensures that it will
never be used with stacking.

Refactor to slightly simplify the code in x_to_label(); this
also fixes a long-standing problem where x_to_label's check on stacking
is only on the first element of the table option list, instead of
the element that is found and used.

Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: add additional flags to extended permission.</title>
<updated>2025-01-18T14:47:12+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2023-07-23T09:30:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=2e12c5f060176ede209673e4f63ea5d0e3c5814c'/>
<id>urn:sha1:2e12c5f060176ede209673e4f63ea5d0e3c5814c</id>
<content type='text'>
This is a step towards merging the file and policy state machines.

With the switch to extended permissions the state machine's ACCEPT2
table became unused freeing it up to store state specific flags. The
first flags to be stored are FLAG_OWNER and FLAG other which paves the
way towards merging the file and policydb perms into a single
permission table.

Currently lookups based on the object's ownership conditional will
still need separate fns; this will be addressed in a following patch.

Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: remove explicit restriction that unconfined cannot use change_hat</title>
<updated>2025-01-18T14:47:12+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2024-01-19T08:24:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=35fad5b462224e0da3764f68b69827281eeaac8c'/>
<id>urn:sha1:35fad5b462224e0da3764f68b69827281eeaac8c</id>
<content type='text'>
There does not need to be an explicit restriction that unconfined
can't use change_hat. Traditionally unconfined doesn't have hats
so change_hat could not be used. But newer unconfined profiles have
the potential of having hats, and even system unconfined will be
able to be replaced with a profile that allows for hats.

To remain backwards compatible with expected return codes, continue
to return -EPERM if the unconfined profile does not have any hats.

Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
</feed>
