kernel/linux.git/security/apparmor/match.c, branch v4.19.77

apparmor: fix typo "traverse"

2018-05-03T07:50:12+00:00

Signed-off-by: Zygmunt Krynicki Acked-by: Christian Boltz Signed-off-by: John Johansen

apparmor: Fix an error code in verify_table_headers()

2018-03-24T00:28:38+00:00

We accidentally return a positive EPROTO instead of a negative -EPROTO. Since 71 is not an error pointer, that means it eventually results in an Oops in the caller. Fixes: d901d6a298dc ("apparmor: dfa split verification of table headers") Signed-off-by: Dan Carpenter Signed-off-by: John Johansen

apparmor: improve overlapping domain attachment resolution

2018-02-09T19:30:02+00:00

Overlapping domain attachments using the current longest left exact match fail in some simple cases, and with the fix to ensure consistent behavior by failing unresolvable attachments it becomes important to do a better job. eg. under the current match the following are unresolvable where the alternation is clearly a better match under the most specific left match rule. /** /{bin/,}usr/ Use a counting match that detects when a loop in the state machine is enter, and return the match count to provide a better specific left match resolution. Signed-off-by: John Johansen

apparmor: dfa split verification of table headers

2018-02-09T19:30:02+00:00

separate the different types of verification so they are logically separate and can be reused separate of each other. Signed-off-by: John Johansen

apparmor: dfa add support for state differential encoding

2018-02-09T19:30:01+00:00

State differential encoding can provide better compression for apparmor policy, without having significant impact on match time. Signed-off-by: John Johansen

apparmor: dfa move character match into a macro

2018-02-09T19:30:01+00:00

Signed-off-by: John Johansen

apparmor: use the dfa to do label parse string splitting

2018-02-09T19:30:01+00:00

The current split scheme is actually wrong in that it splits ///& where that is invalid and should fail. Use the dfa to do a proper bounded split without having to worry about getting the string processing right in code. Signed-off-by: John Johansen Acked-by: Seth Arnold

apparmor: add first substr match to dfa

2018-02-09T19:30:01+00:00

Signed-off-by: John Johansen Acked-by: Seth Arnold

doc: ReSTify apparmor.txt

2017-05-18T16:32:38+00:00

Adjusts for ReST markup and moves under LSM admin guide. Acked-by: John Johansen Signed-off-by: Kees Cook Signed-off-by: Jonathan Corbet

mm: introduce kv[mz]alloc helpers

2017-05-09T00:15:12+00:00

Patch series "kvmalloc", v5. There are many open coded kmalloc with vmalloc fallback instances in the tree. Most of them are not careful enough or simply do not care about the underlying semantic of the kmalloc/page allocator which means that a) some vmalloc fallbacks are basically unreachable because the kmalloc part will keep retrying until it succeeds b) the page allocator can invoke a really disruptive steps like the OOM killer to move forward which doesn't sound appropriate when we consider that the vmalloc fallback is available. As it can be seen implementing kvmalloc requires quite an intimate knowledge if the page allocator and the memory reclaim internals which strongly suggests that a helper should be implemented in the memory subsystem proper. Most callers, I could find, have been converted to use the helper instead. This is patch 6. There are some more relying on __GFP_REPEAT in the networking stack which I have converted as well and Eric Dumazet was not opposed [2] to convert them as well. [1] http://lkml.kernel.org/r/20170130094940.13546-1-mhocko@kernel.org [2] http://lkml.kernel.org/r/1485273626.16328.301.camel@edumazet-glaptop3.roam.corp.google.com This patch (of 9): Using kmalloc with the vmalloc fallback for larger allocations is a common pattern in the kernel code. Yet we do not have any common helper for that and so users have invented their own helpers. Some of them are really creative when doing so. Let's just add kv[mz]alloc and make sure it is implemented properly. This implementation makes sure to not make a large memory pressure for > PAGE_SZE requests (__GFP_NORETRY) and also to not warn about allocation failures. This also rules out the OOM killer as the vmalloc is a more approapriate fallback than a disruptive user visible action. This patch also changes some existing users and removes helpers which are specific for them. In some cases this is not possible (e.g. ext4_kvmalloc, libcfs_kvzalloc) because those seems to be broken and require GFP_NO{FS,IO} context which is not vmalloc compatible in general (note that the page table allocation is GFP_KERNEL). Those need to be fixed separately. While we are at it, document that __vmalloc{_node} about unsupported gfp mask because there seems to be a lot of confusion out there. kvmalloc_node will warn about GFP_KERNEL incompatible (which are not superset) flags to catch new abusers. Existing ones would have to die slowly. [sfr@canb.auug.org.au: f2fs fixup] Link: http://lkml.kernel.org/r/20170320163735.332e64b7@canb.auug.org.au Link: http://lkml.kernel.org/r/20170306103032.2540-2-mhocko@kernel.org Signed-off-by: Michal Hocko Signed-off-by: Stephen Rothwell Reviewed-by: Andreas Dilger [ext4 part] Acked-by: Vlastimil Babka Cc: John Hubbard Cc: David Miller Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds