Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.18.21 2026-02-26T22:59:41+00:00 2026-02-26T22:59:41+00:00 John Johansen john.johansen@canonical.com 2025-11-24T23:07:42+00:00 urn:sha1:ccb66a3c6c8f51b3ed1bc003b70bb9ff99e8d835 [ Upstream commit 00b67657535dfea56e84d11492f5c0f61d0af297 ] Deal with the potential that sock and sock-sk can be NULL during socket setup or teardown. This could lead to an oops. The fix for NULL pointer dereference in __unix_needs_revalidation shows this is at least possible for af_unix sockets. While the fix for af_unix sockets applies for newer mediation this is still the fall back path for older af_unix mediation and other sockets, so ensure it is covered. Fixes: 56974a6fcfef6 ("apparmor: add base infastructure for socket mediation") Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2025-07-20T09:31:06+00:00 John Johansen john.johansen@canonical.com 2025-02-17T09:46:37+00:00 urn:sha1:9afdc6abb007d5a86f54e9f10870ac1468155ca5 The set of rules on a profile is not dynamically extended, instead if a new ruleset is needed a new version of the profile is created. This allows us to use a vector of rules instead of a list, slightly reducing memory usage and simplifying the code. Signed-off-by: John Johansen <john.johansen@canonical.com> 2025-07-20T09:19:27+00:00 John Johansen john.johansen@canonical.com 2025-06-20T05:11:52+00:00 urn:sha1:88fec3526e84123997ecebd6bb6778eb4ce779b7 When a unix socket is passed into a different confinement domain make sure its cached mediation labeling is updated to correctly reflect which domains are using the socket. Fixes: c05e705812d1 ("apparmor: add fine grained af_unix mediation") Signed-off-by: John Johansen <john.johansen@canonical.com> 2025-07-16T05:39:43+00:00 John Johansen john.johansen@canonical.com 2025-06-14T20:49:02+00:00 urn:sha1:a30a9fdb66319466a7c76b455524d27c75d2b05b The auditing of addresses currently doesn't include the source address and mixes source and foreign/peer under the same audit name. Fix this so source is always addr, and the foreign/peer is peer_addr. Fixes: c05e705812d1 ("apparmor: add fine grained af_unix mediation") Signed-off-by: John Johansen <john.johansen@canonical.com> 2025-07-16T05:39:43+00:00 John Johansen john.johansen@canonical.com 2025-04-01T22:28:13+00:00 urn:sha1:bc6e5f6933b8e7b74858ac830d5b9b4ca10a099a The use of the double lock is not necessary and problematic. Instead pull the bits that need locks into their own sections and grab the needed references. Fixes: c05e705812d1 ("apparmor: add fine grained af_unix mediation") Signed-off-by: John Johansen <john.johansen@canonical.com> 2025-01-18T14:47:12+00:00 John Johansen john.johansen@canonical.com 2022-09-07T19:46:30+00:00 urn:sha1:c05e705812d179f4b85aeacc34a555a42bc4f9ac Extend af_unix mediation to support fine grained controls based on the type (abstract, anonymous, fs), the address, and the labeling on the socket. This allows for using socket addresses to label and the socket and control which subjects can communicate. The unix rule format follows standard apparmor rules except that fs based unix sockets can be mediated by existing file rules. None fs unix sockets can be mediated by a unix socket rule. Where The address of an abstract unix domain socket begins with the @ character, similar to how they are reported (as paths) by netstat -x. The address then follows and may contain pattern matching and any characters including the null character. In apparmor null characters must be specified by using an escape sequence \000 or \x00. The pattern matching is the same as is used by file path matching so * will not match / even though it has no special meaning with in an abstract socket name. Eg. allow unix addr=@*, Autobound unix domain sockets have a unix sun_path assigned to them by the kernel, as such specifying a policy based address is not possible. The autobinding of sockets can be controlled by specifying the special auto keyword. Eg. allow unix addr=auto, To indicate that the rule only applies to auto binding of unix domain sockets. It is important to note this only applies to the bind permission as once the socket is bound to an address it is indistinguishable from a socket that have an addr bound with a specified name. When the auto keyword is used with other permissions or as part of a peer addr it will be replaced with a pattern that can match an autobound socket. Eg. For some kernels allow unix rw addr=auto, It is important to note, this pattern may match abstract sockets that were not autobound but have an addr that fits what is generated by the kernel when autobinding a socket. Anonymous unix domain sockets have no sun_path associated with the socket address, however it can be specified with the special none keyword to indicate the rule only applies to anonymous unix domain sockets. Eg. allow unix addr=none, If the address component of a rule is not specified then the rule applies to autobind, abstract and anonymous sockets. The label on the socket can be compared using the standard label= rule conditional. Eg. allow unix addr=@foo peer=(label=bar), see man apparmor.d for full syntax description. Signed-off-by: John Johansen <john.johansen@canonical.com> 2025-01-18T14:47:12+00:00 John Johansen john.johansen@canonical.com 2024-04-24T22:54:26+00:00 urn:sha1:b4940d913cc2c67f8f6bf17abbf3e5301f95e260 Rework match_prot into a common fn that can be shared by all the networking rules. This will provide compatibility with current socket mediation, via the early bailout permission encoding. Signed-off-by: John Johansen <john.johansen@canonical.com> 2025-01-18T14:47:12+00:00 John Johansen john.johansen@canonical.com 2023-01-29T09:55:03+00:00 urn:sha1:46b9b994dd554099b3ca74a20a0d1fb392c83a87 profile_af_perm and profile_af_sk_perm are only ever called after checking that the profile is not unconfined. So we can drop these redundant checks. Signed-off-by: John Johansen <john.johansen@canonical.com> 2024-07-29T20:54:50+00:00 Casey Schaufler casey@schaufler-ca.com 2024-07-10T21:32:25+00:00 urn:sha1:2aff9d20d50ac45dd13a013ef5231f4fb8912356 Move management of the sock->sk_security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there. Acked-by: Paul Moore <paul@paul-moore.com> Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> [PM: subject tweak] Signed-off-by: Paul Moore <paul@paul-moore.com> 2023-10-18T22:30:47+00:00 John Johansen john.johansen@canonical.com 2023-04-28T12:32:52+00:00 urn:sha1:98b824ff8984fd523fc264fbb13208098ab09da3 With the move to permission tables the dfa is no longer a stand alone entity when used, needing a minimum of a permission table. However it still could be shared among different pdbs each using a different permission table. Instead of duping the permission table when sharing a pdb, add a refcount to the pdb so it can be easily shared. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>