Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.20.9 2018-02-09T19:30:02+00:00 2018-02-09T19:30:02+00:00 John Johansen john.johansen@canonical.com 2017-11-19T03:43:13+00:00 urn:sha1:21f606610502ef56f9180b1529fc7e02957564c8 Overlapping domain attachments using the current longest left exact match fail in some simple cases, and with the fix to ensure consistent behavior by failing unresolvable attachments it becomes important to do a better job. eg. under the current match the following are unresolvable where the alternation is clearly a better match under the most specific left match rule. /** /{bin/,}usr/ Use a counting match that detects when a loop in the state machine is enter, and return the match count to provide a better specific left match resolution. Signed-off-by: John Johansen <john.johansen@canonical.com> 2018-02-09T19:30:01+00:00 John Johansen john.johansen@canonical.com 2017-08-08T19:10:50+00:00 urn:sha1:031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 State differential encoding can provide better compression for apparmor policy, without having significant impact on match time. Signed-off-by: John Johansen <john.johansen@canonical.com> 2018-02-09T19:30:01+00:00 John Johansen john.johansen@canonical.com 2017-09-06T21:57:59+00:00 urn:sha1:6e0654d20ed9679cbf75a0ff7cd786e364f7f09a The current split scheme is actually wrong in that it splits ///& where that is invalid and should fail. Use the dfa to do a proper bounded split without having to worry about getting the string processing right in code. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2018-02-09T19:30:01+00:00 John Johansen john.johansen@canonical.com 2017-09-06T09:53:15+00:00 urn:sha1:cf65fabc2a2c8c12031678d86a2bd4a660865011 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2017-01-16T09:18:54+00:00 John Johansen john.johansen@canonical.com 2017-01-16T08:43:13+00:00 urn:sha1:e6e8bf418850d7958311a96ccfb594f2bcc8313e Signed-off-by: John Johansen <john.johansen@canonical.com> 2017-01-16T09:18:34+00:00 John Johansen john.johansen@canonical.com 2017-01-16T08:42:42+00:00 urn:sha1:11c236b89d7c26d58c55d5613a858600a4d2ab3a Instead of testing whether a given dfa exists in every code path, have a default null dfa that is used when loaded policy doesn't provide a dfa. This will let us get rid of special casing and avoid dereference bugs when special casing is missed. Signed-off-by: John Johansen <john.johansen@canonical.com> 2017-01-16T09:18:32+00:00 John Johansen john.johansen@canonical.com 2017-01-16T08:42:40+00:00 urn:sha1:293a4886f93f1d4f01ef2642b81c2509a5376ce5 The dfa is currently setup to be shared (has the basis of refcounting) but currently can't be because the count can't be increased. Signed-off-by: John Johansen <john.johansen@canonical.com> 2016-07-12T15:43:10+00:00 John Johansen john.johansen@canonical.com 2016-06-02T09:37:02+00:00 urn:sha1:15756178c6a65b261a080e21af4766f59cafc112 Signed-off-by: John Johansen <john.johansen@canonical.com> 2013-04-28T07:37:04+00:00 John Johansen john.johansen@canonical.com 2013-02-19T00:09:34+00:00 urn:sha1:180a6f5965a49535a7704c07691a6d1209904971 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <sbeattie@ubuntu.com> 2013-04-28T07:36:55+00:00 John Johansen john.johansen@canonical.com 2013-02-19T00:08:34+00:00 urn:sha1:8e4ff109d0d2194d98e9e16325bb4102f6463b43 tidying up comments, includes and defines Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>