Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.12.80 2024-07-29T20:54:50+00:00 2024-07-29T20:54:50+00:00 Casey Schaufler casey@schaufler-ca.com 2024-07-10T21:32:25+00:00 urn:sha1:2aff9d20d50ac45dd13a013ef5231f4fb8912356 Move management of the sock->sk_security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there. Acked-by: Paul Moore <paul@paul-moore.com> Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> [PM: subject tweak] Signed-off-by: Paul Moore <paul@paul-moore.com> 2023-10-18T22:30:38+00:00 John Johansen john.johansen@canonical.com 2022-09-20T03:48:48+00:00 urn:sha1:90c436a64a6e20482a9a613c47eb4af2e8a5328e The cred is needed to properly audit some messages, and will be needed in the future for uid conditional mediation. So pass it through to where the apparmor_audit_data struct gets defined. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2023-10-18T22:30:29+00:00 John Johansen john.johansen@canonical.com 2022-09-14T07:20:12+00:00 urn:sha1:bd7bd201ca46c211c3ab251ca9854787d1331a2f Everywhere where common_audit_data is used apparmor audit_data is also used. We can simplify the code and drop the use of the aad macro everywhere by combining the two structures. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2023-10-18T22:29:55+00:00 John Johansen john.johansen@canonical.com 2023-03-06T15:27:55+00:00 urn:sha1:79ddd4a7c5fa8883f99a88409e5ad9812e484094 In preparation for LSM stacking rework the macro to an inline fn Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2023-07-10T00:31:11+00:00 GONG, Ruiqi gongruiqi@huaweicloud.com 2023-05-31T11:18:33+00:00 urn:sha1:8de4a7de1950e88c233b105faf24666db348e65a SOCK_ctx() doesn't seem to be used anywhere in the code, so remove it. Signed-off-by: GONG, Ruiqi <gongruiqi@huaweicloud.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2022-10-03T21:49:03+00:00 John Johansen john.johansen@canonical.com 2022-04-19T23:25:55+00:00 urn:sha1:8c4b785a86be1219f7d50f7b38266c454d6a9bbc Audit messages currently don't contain the mediation class which can make them less clear than they should be in some circumstances. With newer mediation classes coming this potential confusion will become worse. Fix this by adding the mediatin class to the messages. Signed-off-by: John Johansen <john.johansen@canonical.com> 2020-12-03T20:56:03+00:00 Florian Westphal fw@strlen.de 2020-11-30T15:36:29+00:00 urn:sha1:41dd9596d6b239a125c3d19f9d0ca90bdbfbf876 A followup change to tcp_request_sock_op would have to drop the 'const' qualifier from the 'route_req' function as the 'security_inet_conn_request' call is moved there - and that function expects a 'struct sock *'. However, it turns out its also possible to add a const qualifier to security_inet_conn_request instead. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: James Morris <jamorris@linux.microsoft.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2019-06-05T15:37:17+00:00 Thomas Gleixner tglx@linutronix.de 2019-06-01T08:08:55+00:00 urn:sha1:b886d83c5b621abc84ff9616f14c529be3f6b147 Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation version 2 of the license extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 315 file(s). Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Allison Randal <allison@lohutok.net> Reviewed-by: Armijn Hemel <armijn@tjaldur.nl> Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190531190115.503150771@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-10-03T13:18:38+00:00 Matthew Garrett mjg59@google.com 2018-05-24T20:27:46+00:00 urn:sha1:9caafbe2b4cf4c635826a2832e93cf648605de8b Add support for parsing secmark policy provided by userspace, and store that in the overall policy. Signed-off-by: Matthew Garrett <mjg59@google.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2018-03-14T00:25:48+00:00 John Johansen john.johansen@canonical.com 2017-07-19T06:18:33+00:00 urn:sha1:56974a6fcfef69ee0825bd66ed13e92070ac5224 version 2 - Force an abi break. Network mediation will only be available in v8 abi complaint policy. Provide a basic mediation of sockets. This is not a full net mediation but just whether a spcific family of socket can be used by an application, along with setting up some basic infrastructure for network mediation to follow. the user space rule hav the basic form of NETWORK RULE = [ QUALIFIERS ] 'network' [ DOMAIN ] [ TYPE | PROTOCOL ] DOMAIN = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'bluetooth' | 'netlink' | 'unix' | 'rds' | 'llc' | 'can' | 'tipc' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' | 'mpls' | 'ib' | 'kcm' ) ',' TYPE = ( 'stream' | 'dgram' | 'seqpacket' | 'rdm' | 'raw' | 'packet' ) PROTOCOL = ( 'tcp' | 'udp' | 'icmp' ) eg. network, network inet, Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>