kernel/linux.git/security/apparmor/include/capability.h, branch v6.6.132

apparmor: pass cred through to audit info.

2023-11-28T17:20:07+00:00

[ Upstream commit 90c436a64a6e20482a9a613c47eb4af2e8a5328e ] The cred is needed to properly audit some messages, and will be needed in the future for uid conditional mediation. So pass it through to where the apparmor_audit_data struct gets defined. Reviewed-by: Georgia Garcia Signed-off-by: John Johansen Stable-dep-of: 157a3537d6bc ("apparmor: Fix regression in mount mediation") Signed-off-by: Sasha Levin

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441

2019-06-05T15:37:17+00:00

Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation version 2 of the license extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 315 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Armijn Hemel Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190531190115.503150771@linutronix.de Signed-off-by: Greg Kroah-Hartman

LSM: generalize flag passing to security_capable

2019-01-10T22:16:06+00:00

This patch provides a general mechanism for passing flags to the security_capable LSM hook. It replaces the specific 'audit' flag that is used to tell security_capable whether it should log an audit message for the given capability check. The reason for generalizing this flag passing is so we can add an additional flag that signifies whether security_capable is being called by a setid syscall (which is needed by the proposed SafeSetID LSM). Signed-off-by: Micah Morton Reviewed-by: Kees Cook Signed-off-by: James Morris

apparmor: move capability checks to using labels

2017-06-11T00:11:40+00:00

Signed-off-by: John Johansen

apparmor: rename apparmor file fns and data to indicate use

2017-06-08T19:51:52+00:00

prefixes are used for fns/data that are not static to apparmorfs.c with the prefixes being aafs - special magic apparmorfs for policy namespace data aa_sfs - for fns/data that go into securityfs aa_fs - for fns/data that may be used in the either of aafs or securityfs Signed-off-by: John Johansen Reviewed-by: Seth Arnold Reviewed-by: Kees Cook

apparmor: fix capability to not use the current task, during reporting

2013-10-30T04:33:37+00:00

Mediation is based off of the cred but auditing includes the current task which may not be related to the actual request. Signed-off-by: John Johansen

apparmor: export set of capabilities supported by the apparmor module

2013-08-14T18:42:07+00:00

Signed-off-by: John Johansen Acked-by: Seth Arnold

AppArmor: mediation of non file objects

2010-08-02T05:38:35+00:00

ipc: AppArmor ipc is currently limited to mediation done by file mediation and basic ptrace tests. Improved mediation is a wip. rlimits: AppArmor provides basic abilities to set and control rlimits at a per profile level. Only resources specified in a profile are controled or set. AppArmor rules set the hard limit to a value <= to the current hard limit (ie. they can not currently raise hard limits), and if necessary will lower the soft limit to the new hard limit value. AppArmor does not track resource limits to reset them when a profile is left so that children processes inherit the limits set by the parent even if they are not confined by the same profile. Capabilities: AppArmor provides a per profile mask of capabilities, that will further restrict. Signed-off-by: John Johansen Signed-off-by: James Morris