kernel/linux.git/security/apparmor/lsm.c, branch linux-7.1.y Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=linux-7.1.y 2026-04-23T03:11:08+00:00 apparmor/lsm: Fix aa_dfa_unpack's error handling in aa_setup_dfa_engine 2026-04-23T03:11:08+00:00 GONG Ruiqi gongruiqi1@huawei.com 2026-04-23T03:10:56+00:00 urn:sha1:11b7df0952663f20ce72c9a22a3cf9278cf84db7 aa_dfa_unpack returns ERR_PTR not NULL when it fails, but aa_put_dfa only checks NULL for its input, which would cause invalid memory access in aa_put_dfa. Set nulldfa to NULL explicitly to fix that. Fixes: 98b824ff8984 ("apparmor: refcount the pdb") Signed-off-by: GONG Ruiqi <gongruiqi1@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com> apparmor: Fix wrong dentry in RENAME_EXCHANGE uid check 2026-04-23T03:08:09+00:00 Dudu Lu phx0fer@gmail.com 2026-04-13T09:03:13+00:00 urn:sha1:ef78fdc4724190fbd4e66d80bcdf4d08045f5e98 In apparmor_path_rename(), when handling RENAME_EXCHANGE, the cond_exchange structure is supposed to carry the attributes of the *new* dentry (since it is used to authorize moving new_dentry to the old location). However, line 412 reads: vfsuid = i_uid_into_vfsuid(idmap, d_backing_inode(old_dentry)); This fetches the uid of old_dentry instead of new_dentry. As a result, the RENAME_EXCHANGE permission check uses the wrong file owner, which can allow a rename that should be denied (if old_dentry's owner has more privileges) or deny one that should be allowed. Note that cond_exchange.mode on the line above correctly uses new_dentry. Only the uid lookup is wrong. Fix by changing old_dentry to new_dentry in the i_uid_into_vfsuid call. Fixes: 5e26a01e56fd ("apparmor: use type safe idmapping helpers") Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: Dudu Lu <phx0fer@gmail.com> Signed-off-by: John Johansen <john.johansen@canonical.com> apparmor: Use sysfs_emit in param_get_{audit,mode} 2026-04-22T17:57:52+00:00 Thorsten Blum thorsten.blum@linux.dev 2026-02-22T21:40:38+00:00 urn:sha1:497ad4be355b70a6786dd9344710d98b14b92848 Replace sprintf() with sysfs_emit() in param_get_audit() and param_get_mode(). sysfs_emit() is preferred for formatting sysfs output because it provides safer bounds checking. Add terminating newlines as suggested by checkpatch. Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Signed-off-by: John Johansen <john.johansen@canonical.com> apparmor: Remove redundant if check in sk_peer_get_label 2026-04-22T17:57:52+00:00 Thorsten Blum thorsten.blum@linux.dev 2026-02-04T22:07:35+00:00 urn:sha1:e6a522c5b4803b8f5632d5ce8f27431a1ae73222 Remove the redundant if check in sk_peer_get_label() and return ERR_PTR(-ENOPROTOOPT) directly. Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Signed-off-by: John Johansen <john.johansen@canonical.com> apparmor: Replace memcpy + NUL termination with kmemdup_nul in do_setattr 2026-04-22T17:57:52+00:00 Thorsten Blum thorsten.blum@linux.dev 2026-01-25T21:00:15+00:00 urn:sha1:46401cc99c6237ba825cfd65ef023955ce2a6316 Use kmemdup_nul() to copy 'value' instead of using memcpy() followed by a manual NUL termination. No functional changes. Reviewed-by: Serge Hallyn <serge@hallyn.com> Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Signed-off-by: John Johansen <john.johansen@canonical.com> apparmor: use target task's context in apparmor_getprocattr() 2026-02-24T04:57:46+00:00 Cengiz Can cengiz.can@canonical.com 2026-02-10T08:17:14+00:00 urn:sha1:4afc61702bdcc3b9b519749ef966cf762a6e7051 apparmor_getprocattr() incorrectly calls task_ctx(current) instead of task_ctx(task) when retrieving prev and exec attributes, returning the caller's labels rather than the target's. Fix by passing task to task_ctx(). The issue can be reproduced when a process with an onexec transition (e.g., configured by a container runtime) is inspected via /proc/<pid>/attr/apparmor/exec. The reader's own value is returned instead of the target's. Reported-by: Qualys Security Advisory <qsa@qualys.com> Fixes: 3b529a7600d8 ("apparmor: move task domain change info to task security") Cc: stable@vger.kernel.org Co-developed-by: Cengiz Can <cengiz.can@canonical.com> Signed-off-by: Cengiz Can <cengiz.can@canonical.com> Co-developed-by: John Johansen <john.johansen@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-22T01:09:51+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-02-22T00:37:42+00:00 urn:sha1:bf4afc53b77aeaa48b5409da5c8da6bb4eff7f43 This was done entirely with mindless brute force, using git grep -l '\<k[vmz]*alloc_objs*(.*, GFP_KERNEL)' | xargs sed -i 's/\(alloc_objs*(.*\), GFP_KERNEL)/\1)/' to convert the new alloc_obj() users that had a simple GFP_KERNEL argument to just drop that argument. Note that due to the extreme simplicity of the scripting, any slightly more complex cases spread over multiple lines would not be triggered: they definitely exist, but this covers the vast bulk of the cases, and the resulting diff is also then easier to check automatically. For the same reason the 'flex' versions will be done as a separate conversion. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21T09:02:28+00:00 Kees Cook kees@kernel.org 2026-02-21T07:49:23+00:00 urn:sha1:69050f8d6d075dc01af7a5f2f550a8067510366f This is the result of running the Coccinelle script from scripts/coccinelle/api/kmalloc_objs.cocci. The script is designed to avoid scalar types (which need careful case-by-case checking), and instead replace kmalloc-family calls that allocate struct or union object instances: Single allocations: kmalloc(sizeof(TYPE), ...) are replaced with: kmalloc_obj(TYPE, ...) Array allocations: kmalloc_array(COUNT, sizeof(TYPE), ...) are replaced with: kmalloc_objs(TYPE, COUNT, ...) Flex array allocations: kmalloc(struct_size(PTR, FAM, COUNT), ...) are replaced with: kmalloc_flex(*PTR, FAM, COUNT, ...) (where TYPE may also be *VAR) The resulting allocations no longer return "void *", instead returning "TYPE *". Signed-off-by: Kees Cook <kees@kernel.org> apparmor: cleanup remove unused percpu critical sections in buffer management 2026-01-29T09:27:55+00:00 John Johansen john.johansen@canonical.com 2026-01-21T09:09:11+00:00 urn:sha1:859b725579718ad1b66a81237df9d786f38679da There are two unused percpu critical sections in the buffer management code. These are remanents from when a more complex hold algorithm was used. Remove them, as they serve no purpose. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> apparmor: document the buffer hold, add an overflow guard 2026-01-29T09:27:55+00:00 John Johansen john.johansen@canonical.com 2026-01-21T02:18:51+00:00 urn:sha1:0b6a6b72b329c34a13a13908d5e8df9fb46eaa1f The buffer hold is a measure of contention, but it is tracked per cpu where the lock is a globabl resource. On some systems (eg. real time) there is no guarantee that the code will be on the same cpu pre, and post spinlock acquisition, nor that the buffer will be put back to the same percpu cache when we are done with it. Because of this the hold value can move asynchronous to the buffers on the cache, meaning it is possible to underflow, and potentially in really pathelogical cases overflow. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>