Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.14.192 2020-06-25T13:41:50+00:00 2020-06-25T13:41:50+00:00 John Johansen john.johansen@canonical.com 2020-06-06T01:12:21+00:00 urn:sha1:8906aa8e570562f289b8e42657121225f15f7453 [ Upstream commit dd2569fbb053719f7df7ef8fdbb45cf47156a701 ] Fix two issues with introspecting the task mode. 1. If a task is attached to a unconfined profile that is not the ns->unconfined profile then. Mode the mode is always reported as - $ ps -Z LABEL PID TTY TIME CMD unconfined 1287 pts/0 00:00:01 bash test (-) 1892 pts/0 00:00:00 ps instead of the correct value of (unconfined) as shown below $ ps -Z LABEL PID TTY TIME CMD unconfined 2483 pts/0 00:00:01 bash test (unconfined) 3591 pts/0 00:00:00 ps 2. if a task is confined by a stack of profiles that are unconfined the output of label mode is again the incorrect value of (-) like above, instead of (unconfined). This is because the visibile profile count increment is skipped by the special casing of unconfined. Fixes: f1bd904175e8 ("apparmor: add the base fns() for domain labels") Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-01-04T12:59:51+00:00 Colin Ian King colin.king@canonical.com 2019-06-27T13:09:04+00:00 urn:sha1:04db2eb6686a0de1ff934656791d4225d201a6d2 [ Upstream commit 00e0590dbaec6f1bcaa36a85467d7e3497ced522 ] The sanity check in macro update_for_len checks to see if len is less than zero, however, len is a size_t so it can never be less than zero, so this sanity check is a no-op. Fix this by making len a ssize_t so the comparison will work and add ulen that is a size_t copy of len so that the min() macro won't throw warnings about comparing different types. Addresses-Coverity: ("Macro compares unsigned to 0") Fixes: f1bd904175e8 ("apparmor: add the base fns() for domain labels") Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2017-09-22T20:00:58+00:00 John Johansen john.johansen@canonical.com 2017-08-16T16:33:48+00:00 urn:sha1:bc4d82fb946e7b471eab2a80e384227c4eb15652 sparse reports poisoning the proxy->label before freeing the struct is resulting in a sparse build warning. ../security/apparmor/label.c:52:30: warning: incorrect type in assignment (different address spaces) ../security/apparmor/label.c:52:30: expected struct aa_label [noderef] <asn:4>*label ../security/apparmor/label.c:52:30: got struct aa_label *<noident> fix with RCU_INIT_POINTER as this is one of those cases where rcu_assign_pointer() is not needed. Signed-off-by: John Johansen <john.johansen@canonical.com> 2017-09-22T20:00:58+00:00 John Johansen john.johansen@canonical.com 2017-08-06T12:39:08+00:00 urn:sha1:26b7899510ae243e392960704ebdba52d05fbb13 With apparmor policy virtualization based on policy namespace View's we don't generally want/need absolute root based views, however there are cases like debugging and some secid based conversions where using a root based view is important. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2017-09-22T20:00:57+00:00 John Johansen john.johansen@canonical.com 2017-08-06T12:36:40+00:00 urn:sha1:f872af75d325cc449b6621a0d30a4f2ba77dd092 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2017-09-22T20:00:57+00:00 John Johansen john.johansen@canonical.com 2017-08-01T06:44:37+00:00 urn:sha1:c5561700c9cb951ec3a33a0914c840423b09d7c9 Reported-by: David Binderman <dcb314@hotmail.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2017-06-11T00:11:38+00:00 John Johansen john.johansen@canonical.com 2017-06-09T13:19:19+00:00 urn:sha1:f1bd904175e8190ce14aedee37e207ab51fe3b30 Begin moving apparmor to using broader domain labels, that will allow run time computation of domain type splitting via "stacking" of profiles into a domain label vec. Signed-off-by: John Johansen <john.johansen@canonical.com>