Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.15.6 2018-01-12T23:49:59+00:00 2018-01-12T23:49:59+00:00 John Johansen john.johansen@canonical.com 2017-12-09T01:43:18+00:00 urn:sha1:0dda0b3fb255048a221f736c8a2a24c674da8bf3 Given a label with a profile stack of A//&B or A//&C ... A ptrace rule should be able to specify a generic trace pattern with a rule like ptrace trace A//&**, however this is failing because while the correct label match routine is called, it is being done post label decomposition so it is always being done against a profile instead of the stacked label. To fix this refactor the cross check to pass the full peer label in to the label_match. Fixes: 290f458a4f16 ("apparmor: allow ptrace checks to be finer grained than just capability") Cc: Stable <stable@vger.kernel.org> Reported-by: Matthew Garrett <mjg59@google.com> Tested-by: Matthew Garrett <mjg59@google.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2017-11-08T18:56:22+00:00 John Johansen john.johansen@canonical.com 2017-11-08T16:09:52+00:00 urn:sha1:f7dc4c9a855a13dbb33294c9fc94f17af03f6291 This came in yesterday, and I have verified our regression tests were missing this and it can cause an oops. Please apply. There is a an off-by-one comparision on sig against MAXMAPPED_SIG that can lead to a read outside the sig_map array if sig is MAXMAPPED_SIG. Fix this. Verified that the check is an out of bounds case that can cause an oops. Revised: add comparison fix to second case Fixes: cd1dbf76b23d ("apparmor: add the ability to mediate signals") Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2017-09-22T20:00:57+00:00 John Johansen john.johansen@canonical.com 2017-07-19T05:56:22+00:00 urn:sha1:cd1dbf76b23d5ab2cba5e657fe20b1e236a408cc Add signal mediation where the signal can be mediated based on the signal, direction, or the label or the peer/target. The signal perms are verified on a cross check to ensure policy consistency in the case of incremental policy load/replacement. The optimization of skipping the cross check when policy is guaranteed to be consistent (single compile unit) remains to be done. policy rules have the form of SIGNAL_RULE = [ QUALIFIERS ] 'signal' [ SIGNAL ACCESS PERMISSIONS ] [ SIGNAL SET ] [ SIGNAL PEER ] SIGNAL ACCESS PERMISSIONS = SIGNAL ACCESS | SIGNAL ACCESS LIST SIGNAL ACCESS LIST = '(' Comma or space separated list of SIGNAL ACCESS ')' SIGNAL ACCESS = ( 'r' | 'w' | 'rw' | 'read' | 'write' | 'send' | 'receive' ) SIGNAL SET = 'set' '=' '(' SIGNAL LIST ')' SIGNAL LIST = Comma or space separated list of SIGNALS SIGNALS = ( 'hup' | 'int' | 'quit' | 'ill' | 'trap' | 'abrt' | 'bus' | 'fpe' | 'kill' | 'usr1' | 'segv' | 'usr2' | 'pipe' | 'alrm' | 'term' | 'stkflt' | 'chld' | 'cont' | 'stop' | 'stp' | 'ttin' | 'ttou' | 'urg' | 'xcpu' | 'xfsz' | 'vtalrm' | 'prof' | 'winch' | 'io' | 'pwr' | 'sys' | 'emt' | 'exists' | 'rtmin+0' ... 'rtmin+32' ) SIGNAL PEER = 'peer' '=' AARE eg. signal, # allow all signals signal send set=(hup, kill) peer=foo, Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2017-06-11T00:11:42+00:00 John Johansen john.johansen@canonical.com 2017-06-09T21:38:35+00:00 urn:sha1:290f458a4f16f9cf6cb6562b249e69fe1c3c3a07 Signed-off-by: John Johansen <john.johansen@canonical.com> 2017-06-11T00:11:41+00:00 John Johansen john.johansen@canonical.com 2017-06-09T21:22:14+00:00 urn:sha1:b2d09ae449cedc6f276ac485c013d22a97d36992 Signed-off-by: John Johansen <john.johansen@canonical.com> 2017-06-11T00:11:40+00:00 John Johansen john.johansen@canonical.com 2017-06-09T21:07:02+00:00 urn:sha1:c70c86c421427fd8487867de66c4104b15abd772 Signed-off-by: John Johansen <john.johansen@canonical.com> 2017-06-11T00:11:38+00:00 John Johansen john.johansen@canonical.com 2017-06-09T15:14:28+00:00 urn:sha1:637f688dc3dc304a89f441d76f49a0e35bc49c08 Begin the actual switch to using domain labels by storing them on the context and converting the label to a singular profile where possible. Signed-off-by: John Johansen <john.johansen@canonical.com> 2017-01-16T09:18:47+00:00 John Johansen john.johansen@canonical.com 2017-01-16T08:43:02+00:00 urn:sha1:ef88a7ac55fdd3bf6ac3942b83aa29311b45339b The aad macro can replace aad strings when it is not intended to. Switch to a fn macro so it is only applied when intended. Also at the same time cleanup audit_data initialization by putting common boiler plate behind a macro, and dropping the gfp_t parameter which will become useless. Signed-off-by: John Johansen <john.johansen@canonical.com> 2013-10-30T04:33:37+00:00 John Johansen john.johansen@canonical.com 2013-10-08T12:37:18+00:00 urn:sha1:dd0c6e86f66080869ca0a48c78fb9bfbe4cf156f Mediation is based off of the cred but auditing includes the current task which may not be related to the actual request. Signed-off-by: John Johansen <john.johansen@canonical.com> 2013-04-28T07:35:53+00:00 John Johansen john.johansen@canonical.com 2013-02-19T00:03:34+00:00 urn:sha1:3cfcc19e0b5390c04cb5bfa4e8fde39395410e61 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <sbeattie@ubuntu.com>