<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/security/apparmor, branch v6.5.12</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v6.5.12</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v6.5.12'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2023-11-20T10:57:12+00:00</updated>
<entry>
<title>apparmor: fix invalid reference on profile-&gt;disconnected</title>
<updated>2023-11-20T10:57:12+00:00</updated>
<author>
<name>Georgia Garcia</name>
<email>georgia.garcia@canonical.com</email>
</author>
<published>2023-08-21T18:37:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f997e1b08f88ca54790aecc1f02b1fc1deb630e3'/>
<id>urn:sha1:f997e1b08f88ca54790aecc1f02b1fc1deb630e3</id>
<content type='text'>
[ Upstream commit 8884ba07786c718771cf7b78cb3024924b27ec2b ]

profile-&gt;disconnected was storing an invalid reference to the
disconnected path. Fix it by duplicating the string using
aa_unpack_strdup and freeing accordingly.

Fixes: 72c8a768641d ("apparmor: allow profiles to provide info to disconnected paths")
Signed-off-by: Georgia Garcia &lt;georgia.garcia@canonical.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>Merge tag 'apparmor-pr-2023-07-06' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor</title>
<updated>2023-07-07T16:55:31+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2023-07-07T16:55:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=70806ee18a871140a73a2524a29865e1d904348c'/>
<id>urn:sha1:70806ee18a871140a73a2524a29865e1d904348c</id>
<content type='text'>
Pull apparmor updates from John Johansen:

 - fix missing error check for rhashtable_insert_fast

 - add missing failure check in compute_xmatch_perms

 - fix policy_compat permission remap with extended permissions

 - fix profile verification and enable it

 - fix kzalloc perms tables for shared dfas

 - Fix kernel-doc header for verify_dfa_accept_index

 - aa_buffer: Convert 1-element array to flexible array

 - Return directly after a failed kzalloc() in two functions

 - fix use of strcpy in policy_unpack_test

 - fix kernel-doc complaints

 - Fix some kernel-doc comments

* tag 'apparmor-pr-2023-07-06' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
  apparmor: Fix kernel-doc header for verify_dfa_accept_index
  apparmor: fix: kzalloc perms tables for shared dfas
  apparmor: fix profile verification and enable it
  apparmor: fix policy_compat permission remap with extended permissions
  apparmor: aa_buffer: Convert 1-element array to flexible array
  apparmor: add missing failure check in compute_xmatch_perms
  apparmor: fix missing error check for rhashtable_insert_fast
  apparmor: Return directly after a failed kzalloc() in two functions
  AppArmor: Fix some kernel-doc comments
  apparmor: fix use of strcpy in policy_unpack_test
  apparmor: fix kernel-doc complaints
</content>
</entry>
<entry>
<title>apparmor: Fix kernel-doc header for verify_dfa_accept_index</title>
<updated>2023-07-06T18:12:10+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2023-06-21T09:04:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=3f069c4c643225f2b96b4b3f8c30e4445f079d2e'/>
<id>urn:sha1:3f069c4c643225f2b96b4b3f8c30e4445f079d2e</id>
<content type='text'>
Reported-by: kernel test robot &lt;lkp@intel.com&gt;
Closes: https://lore.kernel.org/oe-kbuild-all/202306141934.UKmM9bFX-lkp@intel.com/
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: fix: kzalloc perms tables for shared dfas</title>
<updated>2023-07-06T18:05:58+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2023-04-15T07:50:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=ec6851ae0ab4587e610e260ddda75f92f3389f91'/>
<id>urn:sha1:ec6851ae0ab4587e610e260ddda75f92f3389f91</id>
<content type='text'>
Currently the permstables of the shared dfas are not shared, and need
to be allocated and copied. In the future this should be addressed
with a larger rework on dfa and pdb ref counts and structure sharing.

BugLink: http://bugs.launchpad.net/bugs/2017903
Fixes: 217af7e2f4de ("apparmor: refactor profile rules and attachments")
Cc: stable@vger.kernel.org
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
Reviewed-by: Jon Tourville &lt;jontourville@me.com&gt;
</content>
</entry>
<entry>
<title>apparmor: fix profile verification and enable it</title>
<updated>2023-07-06T17:59:55+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2023-04-17T09:57:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=6f442d42c0d89876994a4a135eadf82b0e6ff6e4'/>
<id>urn:sha1:6f442d42c0d89876994a4a135eadf82b0e6ff6e4</id>
<content type='text'>
The transition table size was not being set by compat mappings,
resulting in the profile verification code not being run. Unfortunately,
the checks were also buggy, not being correctly updated from the old
accept perms to the new layout.

Also indicate to userspace that the kernel has the permstable verification
fixes.

BugLink: http://bugs.launchpad.net/bugs/2017903
Fixes: 670f31774ab6 ("apparmor: verify permission table indexes")
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
Reviewed-by: Jon Tourville &lt;jontourville@me.com&gt;
</content>
</entry>
<entry>
<title>apparmor: fix policy_compat permission remap with extended permissions</title>
<updated>2023-07-06T17:58:49+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2023-03-10T23:59:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=0bac2002b397fda7c9ea81ee0b06a02242958107'/>
<id>urn:sha1:0bac2002b397fda7c9ea81ee0b06a02242958107</id>
<content type='text'>
If the extended permission table is present we should not be attempting
to do a compat_permission remap as the compat_permissions are not
stored in the dfa accept states.

Fixes: fd1b2b95a211 ("apparmor: add the ability for policy to specify a permission table")
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
Reviewed-by: Jon Tourville &lt;jontourville@me.com&gt;
</content>
</entry>
<entry>
<title>apparmor: aa_buffer: Convert 1-element array to flexible array</title>
<updated>2023-07-06T17:58:49+00:00</updated>
<author>
<name>Kees Cook</name>
<email>keescook@chromium.org</email>
</author>
<published>2023-05-11T21:34:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=ba808cb5edfdf032db9e849e194d28169b6efbcd'/>
<id>urn:sha1:ba808cb5edfdf032db9e849e194d28169b6efbcd</id>
<content type='text'>
In the ongoing effort to convert all fake flexible arrays to proper
flexible arrays, replace aa_buffer's 1-element "buffer" member with a
flexible array.

Signed-off-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: add missing failure check in compute_xmatch_perms</title>
<updated>2023-07-06T17:58:49+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2023-04-14T07:24:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=6600e9f692e36e265ef0828f08337fa294bb330f'/>
<id>urn:sha1:6600e9f692e36e265ef0828f08337fa294bb330f</id>
<content type='text'>
Add check for failure to allocate the permission table.

Fixes: caa9f579ca72 ("apparmor: isolate policy backwards compatibility to its own file")
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: fix missing error check for rhashtable_insert_fast</title>
<updated>2023-07-06T17:58:49+00:00</updated>
<author>
<name>Danila Chernetsov</name>
<email>listdansp@mail.ru</email>
</author>
<published>2023-04-04T19:05:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=000518bc5aef25d3f703592a0296d578c98b1517'/>
<id>urn:sha1:000518bc5aef25d3f703592a0296d578c98b1517</id>
<content type='text'>
rhashtable_insert_fast() could return an err value when memory allocation
fails, but unpack_profile() does not check the value and always returns a
success value. This patch just adds error check code.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: e025be0f26d5 ("apparmor: support querying extended trusted helper extra data")

Signed-off-by: Danila Chernetsov &lt;listdansp@mail.ru&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: Return directly after a failed kzalloc() in two functions</title>
<updated>2023-07-06T17:58:49+00:00</updated>
<author>
<name>Markus Elfring</name>
<email>elfring@users.sourceforge.net</email>
</author>
<published>2023-03-29T09:50:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=6d7467957ecdc9018fb860bb60738e997abeaecb'/>
<id>urn:sha1:6d7467957ecdc9018fb860bb60738e997abeaecb</id>
<content type='text'>
1. Return directly after a call of the function “kzalloc” failed
   at the beginning in these function implementations.

2. Omit extra initialisations (for a few local variables)
   which became unnecessary with this refactoring.

This issue was detected by using the Coccinelle software.

Signed-off-by: Markus Elfring &lt;elfring@users.sourceforge.net&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
</feed>
