summaryrefslogtreecommitdiff
path: root/security
AgeCommit message (Collapse)AuthorFilesLines
2025-08-04Merge tag 'apparmor-pr-2025-08-04' of ↵Linus Torvalds38-430/+2178
git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor Pull apparmor updates from John Johansen: "This has one major feature, it pulls in a cleaned up version of af_unix mediation that Ubuntu has been carrying for years. It is placed behind a new abi to ensure that it does cause policy regressions. With pulling in the af_unix mediation there have been cleanups and some refactoring of network socket mediation. This accounts for the majority of the changes in the diff. In addition there are a few improvements providing minor code optimizations. several code cleanups, and bug fixes. Features: - improve debug printing - carry mediation check on label (optimization) - improve ability for compiler to optimize __begin_current_label_crit_section - transition for a linked list of rulesets to a vector of rulesets - don't hardcode profile signal, allow it to be set by policy - ability to mediate caps via the state machine instead of lut - Add Ubuntu af_unix mediation, put it behind new v9 abi Cleanups: - fix typos and spelling errors - cleanup kernel doc and code inconsistencies - remove redundant checks/code - remove unused variables - Use str_yes_no() helper function - mark tables static where appropriate - make all generated string array headers const char *const - refactor to doc semantics of file_perm checks - replace macro calls to network/socket fns with explicit calls - refactor/cleanup socket mediation code preparing for finer grained mediation of different network families - several updates to kernel doc comments Bug fixes: - fix incorrect profile->signal range check - idmap mount fixes - policy unpack unaligned access fixes - kfree_sensitive() where appropriate - fix oops when freeing policy - fix conflicting attachment resolution - fix exec table look-ups when stacking isn't first - fix exec auditing - mitigate userspace generating overly large xtables" * tag 'apparmor-pr-2025-08-04' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: (60 commits) apparmor: fix: oops when trying to free null ruleset apparmor: fix Regression on linux-next (next-20250721) apparmor: fix test error: WARNING in apparmor_unix_stream_connect apparmor: Remove the unused variable rules apparmor: fix: accept2 being specifie even when permission table is presnt apparmor: transition from a list of rules to a vector of rules apparmor: fix documentation mismatches in val_mask_to_str and socket functions apparmor: remove redundant perms.allow MAY_EXEC bitflag set apparmor: fix kernel doc warnings for kernel test robot apparmor: Fix unaligned memory accesses in KUnit test apparmor: Fix 8-byte alignment for initial dfa blob streams apparmor: shift uid when mediating af_unix in userns apparmor: shift ouid when mediating hard links in userns apparmor: make sure unix socket labeling is correctly updated. apparmor: fix regression in fs based unix sockets when using old abi apparmor: fix AA_DEBUG_LABEL() apparmor: fix af_unix auditing to include all address information apparmor: Remove use of the double lock apparmor: update kernel doc comments for xxx_label_crit_section apparmor: make __begin_current_label_crit_section() indicate whether put is needed ...
2025-08-04apparmor: fix: oops when trying to free null rulesetJohn Johansen1-1/+4
profile allocation is wrongly setting the number of entries on the rules vector before any ruleset is assigned. If profile allocation fails between ruleset allocation and assigning the first ruleset, free_ruleset() will be called with a null pointer resulting in an oops. [ 107.350226] kernel BUG at mm/slub.c:545! [ 107.350912] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 107.351447] CPU: 1 UID: 0 PID: 27 Comm: ksoftirqd/1 Not tainted 6.14.6-hwe-rlee287-dev+ #5 [ 107.353279] Hardware name:[ 107.350218] -QE-----------[ cutMU here ]--------- Ub--- [ 107.3502untu26] kernel BUG a 24t mm/slub.c:545.!04 P [ 107.350912]C ( Oops: invalid oi4pcode: 0000 [#1]40 PREEMPT SMP NOPFXTI + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 107.356054] RIP: 0010:__slab_free+0x152/0x340 [ 107.356444] Code: 00 4c 89 ff e8 0f ac df 00 48 8b 14 24 48 8b 4c 24 20 48 89 44 24 08 48 8b 03 48 c1 e8 09 83 e0 01 88 44 24 13 e9 71 ff ff ff <0f> 0b 41 f7 44 24 08 87 04 00 00 75 b2 eb a8 41 f7 44 24 08 87 04 [ 107.357856] RSP: 0018:ffffad4a800fbbb0 EFLAGS: 00010246 [ 107.358937] RAX: ffff97ebc2a88e70 RBX: ffffd759400aa200 RCX: 0000000000800074 [ 107.359976] RDX: ffff97ebc2a88e60 RSI: ffffd759400aa200 RDI: ffffad4a800fbc20 [ 107.360600] RBP: ffffad4a800fbc50 R08: 0000000000000001 R09: ffffffff86f02cf2 [ 107.361254] R10: 0000000000000000 R11: 0000000000000000 R12: ffff97ecc0049400 [ 107.361934] R13: ffff97ebc2a88e60 R14: ffff97ecc0049400 R15: 0000000000000000 [ 107.362597] FS: 0000000000000000(0000) GS:ffff97ecfb200000(0000) knlGS:0000000000000000 [ 107.363332] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 107.363784] CR2: 000061c9545ac000 CR3: 0000000047aa6000 CR4: 0000000000750ef0 [ 107.364331] PKRU: 55555554 [ 107.364545] Call Trace: [ 107.364761] <TASK> [ 107.364931] ? local_clock+0x15/0x30 [ 107.365219] ? srso_alias_return_thunk+0x5/0xfbef5 [ 107.365593] ? kfree_sensitive+0x32/0x70 [ 107.365900] kfree+0x29d/0x3a0 [ 107.366144] ? srso_alias_return_thunk+0x5/0xfbef5 [ 107.366510] ? local_clock_noinstr+0xe/0xd0 [ 107.366841] ? srso_alias_return_thunk+0x5/0xfbef5 [ 107.367209] kfree_sensitive+0x32/0x70 [ 107.367502] aa_free_profile.part.0+0xa2/0x400 [ 107.367850] ? rcu_do_batch+0x1e6/0x5e0 [ 107.368148] aa_free_profile+0x23/0x60 [ 107.368438] label_free_switch+0x4c/0x80 [ 107.368751] label_free_rcu+0x1c/0x50 [ 107.369038] rcu_do_batch+0x1e8/0x5e0 [ 107.369324] ? rcu_do_batch+0x157/0x5e0 [ 107.369626] rcu_core+0x1b0/0x2f0 [ 107.369888] rcu_core_si+0xe/0x20 [ 107.370156] handle_softirqs+0x9b/0x3d0 [ 107.370460] ? smpboot_thread_fn+0x26/0x210 [ 107.370790] run_ksoftirqd+0x3a/0x70 [ 107.371070] smpboot_thread_fn+0xf9/0x210 [ 107.371383] ? __pfx_smpboot_thread_fn+0x10/0x10 [ 107.371746] kthread+0x10d/0x280 [ 107.372010] ? __pfx_kthread+0x10/0x10 [ 107.372310] ret_from_fork+0x44/0x70 [ 107.372655] ? __pfx_kthread+0x10/0x10 [ 107.372974] ret_from_fork_asm+0x1a/0x30 [ 107.373316] </TASK> [ 107.373505] Modules linked in: af_packet_diag mptcp_diag tcp_diag udp_diag raw_diag inet_diag snd_seq_dummy snd_hrtimer snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device snd_timer snd soundcore qrtr binfmt_misc intel_rapl_msr intel_rapl_common kvm_amd ccp kvm irqbypass polyval_clmulni polyval_generic ghash_clmulni_intel sha256_ssse3 sha1_ssse3 aesni_intel crypto_simd cryptd i2c_piix4 i2c_smbus input_leds joydev sch_fq_codel msr parport_pc ppdev lp parport efi_pstore nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock vmw_vmci dmi_sysfs qemu_fw_cfg ip_tables x_tables autofs4 hid_generic usbhid hid psmouse serio_raw floppy bochs pata_acpi [ 107.379086] ---[ end trace 0000000000000000 ]--- Don't set the count until a ruleset is actually allocated and guard against free_ruleset() being called with a null pointer. Reported-by: Ryan Lee <ryan.lee@canonical.com> Fixes: 217af7e2f4de ("apparmor: refactor profile rules and attachments") Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-07-31Merge tag 'integrity-v6.17' of ↵Linus Torvalds1-0/+26
git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity Pull integrity update from Mimi Zohar: "A single commit to permit disabling IMA from the boot command line for just the kdump kernel. The exception itself sort of makes sense. My concern is that exceptions do not remain as exceptions, but somehow morph to become the norm" * tag 'integrity-v6.17' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: ima: add a knob ima= to allow disabling IMA in kdump kernel
2025-07-31Merge tag 'caps-pr-20250729' of ↵Linus Torvalds1-12/+8
git://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux Pull capabilities update from Serge Hallyn: - Fix broken link in documentation in capability.h - Correct the permission check for unsafe exec During exec, different effective and real credentials were assumed to mean changed credentials, making it impossible in the no-new-privs case to keep different uid and euid * tag 'caps-pr-20250729' of git://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux: uapi: fix broken link in linux/capability.h exec: Correct the permission check for unsafe exec
2025-07-31Merge tag 'ipe-pr-20250728' of ↵Linus Torvalds2-28/+6
git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe Pull ipe update from Fan Wu: "A single commit from Eric Biggers to simplify the IPE (Integrity Policy Enforcement) policy audit with the SHA-256 library API" * tag 'ipe-pr-20250728' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe: ipe: use SHA-256 library API instead of crypto_shash API
2025-07-30apparmor: fix Regression on linux-next (next-20250721)John Johansen1-0/+1
sk lock initialization was incorrectly removed, from apparmor_file_alloc_security() while testing changes to changes to apparmor_sk_alloc_security() resulting in the following regression. [ 48.056654] INFO: trying to register non-static key. [ 48.057480] The code is fine but needs lockdep annotation, or maybe [ 48.058416] you didn't initialize this object before use? [ 48.059209] turning off the locking correctness validator. [ 48.060040] CPU: 0 UID: 0 PID: 648 Comm: chronyd Not tainted 6.16.0-rc7-test-next-20250721-11410-g1ee809985e11-dirty #577 NONE [ 48.060049] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 48.060055] Call Trace: [ 48.060059] <TASK> [ 48.060063] dump_stack_lvl (lib/dump_stack.c:122) [ 48.060075] register_lock_class (kernel/locking/lockdep.c:988 kernel/locking/lockdep.c:1302) [ 48.060084] ? path_name (security/apparmor/file.c:159) [ 48.060093] __lock_acquire (kernel/locking/lockdep.c:5116) [ 48.060103] lock_acquire (kernel/locking/lockdep.c:473 (discriminator 4) kernel/locking/lockdep.c:5873 (discriminator 4) kernel/locking/lockdep.c:5828 (discriminator 4)) [ 48.060109] ? update_file_ctx (security/apparmor/file.c:464) [ 48.060115] ? __pfx_profile_path_perm (security/apparmor/file.c:247) [ 48.060121] _raw_spin_lock (include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154) [ 48.060130] ? update_file_ctx (security/apparmor/file.c:464) [ 48.060134] update_file_ctx (security/apparmor/file.c:464) [ 48.060140] aa_file_perm (security/apparmor/file.c:532 (discriminator 1) security/apparmor/file.c:642 (discriminator 1)) [ 48.060147] ? __pfx_aa_file_perm (security/apparmor/file.c:607) [ 48.060152] ? do_mmap (mm/mmap.c:558) [ 48.060160] ? __pfx_userfaultfd_unmap_complete (fs/userfaultfd.c:841) [ 48.060170] ? __lock_acquire (kernel/locking/lockdep.c:4677 (discriminator 1) kernel/locking/lockdep.c:5194 (discriminator 1)) [ 48.060176] ? common_file_perm (security/apparmor/lsm.c:535 (discriminator 1)) [ 48.060185] security_mmap_file (security/security.c:3012 (discriminator 2)) [ 48.060192] vm_mmap_pgoff (mm/util.c:574 (discriminator 1)) [ 48.060200] ? find_held_lock (kernel/locking/lockdep.c:5353 (discriminator 1)) [ 48.060206] ? __pfx_vm_mmap_pgoff (mm/util.c:568) [ 48.060212] ? lock_release (kernel/locking/lockdep.c:5539 kernel/locking/lockdep.c:5892 kernel/locking/lockdep.c:5878) [ 48.060219] ? __fget_files (arch/x86/include/asm/preempt.h:85 (discriminator 13) include/linux/rcupdate.h:100 (discriminator 13) include/linux/rcupdate.h:873 (discriminator 13) fs/file.c:1072 (discriminator 13)) [ 48.060229] ksys_mmap_pgoff (mm/mmap.c:604) [ 48.060239] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) [ 48.060248] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) [ 48.060254] RIP: 0033:0x7fb6920e30a2 [ 48.060265] Code: 08 00 04 00 00 eb e2 90 41 f7 c1 ff 0f 00 00 75 27 55 89 cd 53 48 89 fb 48 85 ff 74 33 41 89 ea 48 89 df b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 5e 5b 5d c3 0f 1f 00 c7 05 e6 41 01 00 16 00 All code ======== 0: 08 00 or %al,(%rax) 2: 04 00 add $0x0,%al 4: 00 eb add %ch,%bl 6: e2 90 loop 0xffffffffffffff98 8: 41 f7 c1 ff 0f 00 00 test $0xfff,%r9d f: 75 27 jne 0x38 11: 55 push %rbp 12: 89 cd mov %ecx,%ebp 14: 53 push %rbx 15: 48 89 fb mov %rdi,%rbx 18: 48 85 ff test %rdi,%rdi 1b: 74 33 je 0x50 1d: 41 89 ea mov %ebp,%r10d 20: 48 89 df mov %rbx,%rdi 23: b8 09 00 00 00 mov $0x9,%eax 28: 0f 05 syscall 2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction 30: 77 5e ja 0x90 32: 5b pop %rbx 33: 5d pop %rbp 34: c3 ret 35: 0f 1f 00 nopl (%rax) 38: c7 .byte 0xc7 39: 05 e6 41 01 00 add $0x141e6,%eax 3e: 16 (bad) ... Code starting with the faulting instruction =========================================== 0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax 6: 77 5e ja 0x66 8: 5b pop %rbx 9: 5d pop %rbp a: c3 ret b: 0f 1f 00 nopl (%rax) e: c7 .byte 0xc7 f: 05 e6 41 01 00 add $0x141e6,%eax 14: 16 (bad) ... [ 48.060270] RSP: 002b:00007ffd2c0d3528 EFLAGS: 00000206 ORIG_RAX: 0000000000000009 [ 48.060279] RAX: ffffffffffffffda RBX: 00007fb691fc8000 RCX: 00007fb6920e30a2 [ 48.060283] RDX: 0000000000000005 RSI: 000000000007d000 RDI: 00007fb691fc8000 [ 48.060287] RBP: 0000000000000812 R08: 0000000000000003 R09: 0000000000011000 [ 48.060290] R10: 0000000000000812 R11: 0000000000000206 R12: 00007ffd2c0d3578 [ 48.060293] R13: 00007fb6920b6160 R14: 00007ffd2c0d39f0 R15: 00000fffa581a6a8 Fixes: 88fec3526e84 ("apparmor: make sure unix socket labeling is correctly updated.") Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-07-30apparmor: fix test error: WARNING in apparmor_unix_stream_connectJohn Johansen1-2/+3
commit 88fec3526e84 ("apparmor: make sure unix socket labeling is correctly updated.") added the use of security_sk_alloc() which ensures the sk label is initialized. This means that the AA_BUG in apparmor_unix_stream_connect() is no longer correct, because while the sk is still not being initialized by going through post_create, it is now initialize in sk_alloc(). Remove the now invalid check. Reported-by: syzbot+cd38ee04bcb3866b0c6d@syzkaller.appspotmail.com Fixes: 88fec3526e84 ("apparmor: make sure unix socket labeling is correctly updated.") Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-07-30apparmor: Remove the unused variable rulesJiapeng Chong1-2/+0
Variable rules is not effectively used, so delete it. security/apparmor/lsm.c:182:23: warning: variable ‘rules’ set but not used. Reported-by: Abaci Robot <abaci@linux.alibaba.com> Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=22942 Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-07-30Merge tag 'powerpc-6.17-1' of ↵Linus Torvalds1-2/+3
git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc updates from Madhavan Srinivasan: - CONFIG_HZ changes to move the base_slice from 10ms to 1ms - Patchset to move some of the mutex handling to lock guard - Expose secvars relevant to the key management mode - Misc cleanups and fixes Thanks to Ankit Chauhan, Christophe Leroy, Donet Tom, Gautam Menghani, Haren Myneni, Johan Korsnes, Madadi Vineeth Reddy, Paul Mackerras, Shrikanth Hegde, Srish Srinivasan, Thomas Fourier, Thomas Huth, Thomas Weißschuh, Souradeep, Amit Machhiwal, R Nageswara Sastry, Venkat Rao Bagalkote, Andrew Donnellan, Greg Kroah-Hartman, Mimi Zohar, Mukesh Kumar Chaurasiya, Nayna Jain, Ritesh Harjani (IBM), Sourabh Jain, Srikar Dronamraju, Stefan Berger, Tyrel Datwyler, and Kowshik Jois. * tag 'powerpc-6.17-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: (23 commits) arch/powerpc: Remove .interp section in vmlinux powerpc: Drop GPL boilerplate text with obsolete FSF address powerpc: Don't use %pK through printk arch: powerpc: defconfig: Drop obsolete CONFIG_NET_CLS_TCINDEX misc: ocxl: Replace scnprintf() with sysfs_emit() in sysfs show functions integrity/platform_certs: Allow loading of keys in the static key management mode powerpc/secvar: Expose secvars relevant to the key management mode powerpc/pseries: Correct secvar format representation for static key management (powerpc/512) Fix possible `dma_unmap_single()` on uninitialized pointer powerpc: floppy: Add missing checks after DMA map book3s64/radix : Optimize vmemmap start alignment book3s64/radix : Handle error conditions properly in radix_vmemmap_populate powerpc/pseries/dlpar: Search DRC index from ibm,drc-indexes for IO add KVM: PPC: Book3S HV: Add H_VIRT mapping for tracing exits powerpc: sysdev: use lock guard for mutex powerpc: powernv: ocxl: use lock guard for mutex powerpc: book3s: vas: use lock guard for mutex powerpc: fadump: use lock guard for mutex powerpc: rtas: use lock guard for mutex powerpc: eeh: use lock guard for mutex ...
2025-07-29Merge tag 'landlock-6.17-rc1' of ↵Linus Torvalds2-27/+43
git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux Pull landlock update from Mickaël Salaün: "Fix test issues, improve build compatibility, and add new tests" * tag 'landlock-6.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux: landlock: Fix cosmetic change samples/landlock: Fix building on musl libc landlock: Fix warning from KUnit tests selftests/landlock: Add test to check rule tied to covered mount point selftests/landlock: Fix build of audit_test selftests/landlock: Fix readlink check
2025-07-29ipe: use SHA-256 library API instead of crypto_shash APIEric Biggers2-28/+6
audit_policy() does not support any other algorithm, so the crypto_shash abstraction provides no value. Just use the SHA-256 library API instead, which is much simpler and easier to use. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Fan Wu <wufan@kernel.org>
2025-07-29Merge tag 'selinux-pr-20250725' of ↵Linus Torvalds9-5/+72
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux Pull selinux updates from Paul Moore: - Introduce the concept of a SELinux "neveraudit" type which prevents all auditing of the given type/domain. Taken by itself, the benefit of marking a SELinux domain with the "neveraudit" tag is likely not very interesting, especially given the significant overlap with the "dontaudit" tag. However, given that the "neveraudit" tag applies to *all* auditing of the tagged domain, we can do some fairly interesting optimizations when a SELinux domain is marked as both "permissive" and "dontaudit" (think of the unconfined_t domain). While this pull request includes optimized inode permission and getattr hooks, these optimizations require SELinux policy changes, therefore the improvements may not be visible on standard downstream Linux distos for a period of time. - Continue the deprecation process of /sys/fs/selinux/user. After removing the associated userspace code in 2020, we marked the /sys/fs/selinux/user interface as deprecated in Linux v6.13 with pr_warn() and the usual documention update. This adds a five second sleep after the pr_warn(), following a previous deprecation process pattern that has worked well for us in the past in helping identify any existing users that we haven't yet reached. - Add a __GFP_NOWARN flag to our initial hash table allocation. Fuzzers such a syzbot often attempt abnormally large SELinux policy loads, which the SELinux code gracefully handles by checking for allocation failures, but not before the allocator emits a warning which causes the automated fuzzing to flag this as an error and report it to the list. While we want to continue to support the work done by the fuzzing teams, we want to focus on proper issues and not an error case that is already handled safely. Add a NOWARN flag to quiet the allocator and prevent syzbot from tripping on this again. - Remove some unnecessary selinuxfs cleanup code, courtesy of Al. - Update the SELinux in-kernel documentation with pointers to additional information. * tag 'selinux-pr-20250725' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: don't bother with selinuxfs_info_free() on failures selinux: add __GFP_NOWARN to hashtab_init() allocations selinux: optimize selinux_inode_getattr/permission() based on neveraudit|permissive selinux: introduce neveraudit types documentation: add links to SELinux resources selinux: add a 5 second sleep to /sys/fs/selinux/user
2025-07-29Merge tag 'lsm-pr-20250725' of ↵Linus Torvalds1-1/+1
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm Pull lsm updates from Paul Moore: - Add Nicolas Bouchinet and Xiu Jianfeng as Lockdown maintainers The Lockdown LSM has been without a dedicated mantainer since its original acceptance upstream, and it has suffered as a result. Thankfully we have two new volunteers who together I believe have the background and desire to help ensure Lockdown is properly supported. - Remove the unused cap_mmap_file() declaration * tag 'lsm-pr-20250725' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm: MAINTAINERS: Add Xiu and myself as Lockdown maintainers security: Remove unused declaration cap_mmap_file() lsm: trivial comment fix
2025-07-29Merge tag 'libcrypto-conversions-for-linus' of ↵Linus Torvalds2-75/+13
git://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux Pull crypto library conversions from Eric Biggers: "Convert fsverity and apparmor to use the SHA-2 library functions instead of crypto_shash. This is simpler and also slightly faster" * tag 'libcrypto-conversions-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux: fsverity: Switch from crypto_shash to SHA-2 library fsverity: Explicitly include <linux/export.h> apparmor: use SHA-256 library API instead of crypto_shash API
2025-07-29Merge tag 'hardening-v6.17-rc1' of ↵Linus Torvalds1-19/+26
git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull hardening updates from Kees Cook: - Introduce and start using TRAILING_OVERLAP() helper for fixing embedded flex array instances (Gustavo A. R. Silva) - mux: Convert mux_control_ops to a flex array member in mux_chip (Thorsten Blum) - string: Group str_has_prefix() and strstarts() (Andy Shevchenko) - Remove KCOV instrumentation from __init and __head (Ritesh Harjani, Kees Cook) - Refactor and rename stackleak feature to support Clang - Add KUnit test for seq_buf API - Fix KUnit fortify test under LTO * tag 'hardening-v6.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: (22 commits) sched/task_stack: Add missing const qualifier to end_of_stack() kstack_erase: Support Clang stack depth tracking kstack_erase: Add -mgeneral-regs-only to silence Clang warnings init.h: Disable sanitizer coverage for __init and __head kstack_erase: Disable kstack_erase for all of arm compressed boot code x86: Handle KCOV __init vs inline mismatches arm64: Handle KCOV __init vs inline mismatches s390: Handle KCOV __init vs inline mismatches arm: Handle KCOV __init vs inline mismatches mips: Handle KCOV __init vs inline mismatch powerpc/mm/book3s64: Move kfence and debug_pagealloc related calls to __init section configs/hardening: Enable CONFIG_INIT_ON_FREE_DEFAULT_ON configs/hardening: Enable CONFIG_KSTACK_ERASE stackleak: Split KSTACK_ERASE_CFLAGS from GCC_PLUGINS_CFLAGS stackleak: Rename stackleak_track_stack to __sanitizer_cov_stack_depth stackleak: Rename STACKLEAK to KSTACK_ERASE seq_buf: Introduce KUnit tests string: Group str_has_prefix() and strstarts() kunit/fortify: Add back "volatile" for sizeof() constants acpi: nfit: intel: avoid multiple -Wflex-array-member-not-at-end warnings ...
2025-07-29Merge tag 'vfs-6.17-rc1.fileattr' of ↵Linus Torvalds2-0/+44
git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull fileattr updates from Christian Brauner: "This introduces the new file_getattr() and file_setattr() system calls after lengthy discussions. Both system calls serve as successors and extensible companions to the FS_IOC_FSGETXATTR and FS_IOC_FSSETXATTR system calls which have started to show their age in addition to being named in a way that makes it easy to conflate them with extended attribute related operations. These syscalls allow userspace to set filesystem inode attributes on special files. One of the usage examples is the XFS quota projects. XFS has project quotas which could be attached to a directory. All new inodes in these directories inherit project ID set on parent directory. The project is created from userspace by opening and calling FS_IOC_FSSETXATTR on each inode. This is not possible for special files such as FIFO, SOCK, BLK etc. Therefore, some inodes are left with empty project ID. Those inodes then are not shown in the quota accounting but still exist in the directory. This is not critical but in the case when special files are created in the directory with already existing project quota, these new inodes inherit extended attributes. This creates a mix of special files with and without attributes. Moreover, special files with attributes don't have a possibility to become clear or change the attributes. This, in turn, prevents userspace from re-creating quota project on these existing files. In addition, these new system calls allow the implementation of additional attributes that we couldn't or didn't want to fit into the legacy ioctls anymore" * tag 'vfs-6.17-rc1.fileattr' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: fs: tighten a sanity check in file_attr_to_fileattr() tree-wide: s/struct fileattr/struct file_kattr/g fs: introduce file_getattr and file_setattr syscalls fs: prepare for extending file_get/setattr() fs: make vfs_fileattr_[get|set] return -EOPNOTSUPP selinux: implement inode_file_[g|s]etattr hooks lsm: introduce new hooks for setting/getting inode fsxattr fs: split fileattr related helpers into separate file
2025-07-28Merge tag 'pull-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfsLinus Torvalds2-2/+1
Pull misc VFS updates from Al Viro: "VFS-related cleanups in various places (mostly of the "that really can't happen" or "there's a better way to do it" variety)" * tag 'pull-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: gpib: use file_inode() binder_ioctl_write_read(): simplify control flow a bit secretmem: move setting O_LARGEFILE and bumping users' count to the place where we create the file apparmor: file never has NULL f_path.mnt landlock: opened file never has a negative dentry
2025-07-28Merge tag 'pull-securityfs' of ↵Linus Torvalds5-177/+73
git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull securityfs updates from Al Viro: "Securityfs cleanups and fixes: - one extra reference is enough to pin a dentry down; no need for two. Switch to regular scheme, similar to shmem, debugfs, etc. This fixes a securityfs_recursive_remove() dentry leak, among other things. - we need to have the filesystem pinned to prevent the contents disappearing; what we do not need is pinning it for each file. Doing that only for files and directories in the root is enough. - the previous two changes allow us to get rid of the racy kludges in efi_secret_unlink(), where we can use simple_unlink() instead of securityfs_remove(). Which does not require unlocking and relocking the parent, with all deadlocks that invites. - Make securityfs_remove() take the entire subtree out, turning securityfs_recursive_remove() into its alias. Makes a lot more sense for callers and fixes a mount leak, while we are at it. - Making securityfs_remove() remove the entire subtree allows for much simpler life in most of the users - efi_secret, ima_fs, evm, ipe, tmp get cleaner. I hadn't touched apparmor use of securityfs, but I suspect that it would be useful there as well" * tag 'pull-securityfs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: tpm: don't bother with removal of files in directory we'll be removing ipe: don't bother with removal of files in directory we'll be removing evm_secfs: clear securityfs interactions ima_fs: get rid of lookup-by-dentry stuff ima_fs: don't bother with removal of files in directory we'll be removing efi_secret: clean securityfs use up make securityfs_remove() remove the entire subtree fix locking in efi_secret_unlink() securityfs: pin filesystem only for objects directly in root securityfs: don't pin dentries twice, once is enough...
2025-07-27kstack_erase: Support Clang stack depth trackingKees Cook1-1/+4
Wire up CONFIG_KSTACK_ERASE to Clang 21's new stack depth tracking callback[1] option. Link: https://clang.llvm.org/docs/SanitizerCoverage.html#tracing-stack-depth [1] Acked-by: Nicolas Schier <n.schier@avm.de> Link: https://lore.kernel.org/r/20250724055029.3623499-4-kees@kernel.org Signed-off-by: Kees Cook <kees@kernel.org>
2025-07-22stackleak: Rename stackleak_track_stack to __sanitizer_cov_stack_depthKees Cook1-2/+2
The Clang stack depth tracking implementation has a fixed name for the stack depth tracking callback, "__sanitizer_cov_stack_depth", so rename the GCC plugin function to match since the plugin has no external dependencies on naming. Link: https://lore.kernel.org/r/20250717232519.2984886-2-kees@kernel.org Signed-off-by: Kees Cook <kees@kernel.org>
2025-07-22stackleak: Rename STACKLEAK to KSTACK_ERASEKees Cook1-16/+20
In preparation for adding Clang sanitizer coverage stack depth tracking that can support stack depth callbacks: - Add the new top-level CONFIG_KSTACK_ERASE option which will be implemented either with the stackleak GCC plugin, or with the Clang stack depth callback support. - Rename CONFIG_GCC_PLUGIN_STACKLEAK as needed to CONFIG_KSTACK_ERASE, but keep it for anything specific to the GCC plugin itself. - Rename all exposed "STACKLEAK" names and files to "KSTACK_ERASE" (named for what it does rather than what it protects against), but leave as many of the internals alone as possible to avoid even more churn. While here, also split "prev_lowest_stack" into CONFIG_KSTACK_ERASE_METRICS, since that's the only place it is referenced from. Suggested-by: Ingo Molnar <mingo@kernel.org> Link: https://lore.kernel.org/r/20250717232519.2984886-1-kees@kernel.org Signed-off-by: Kees Cook <kees@kernel.org>
2025-07-20apparmor: fix: accept2 being specifie even when permission table is presntJohn Johansen1-1/+2
The transition to the perms32 permission table dropped the need for the accept2 table as permissions. However accept2 can be used for flags and may be present even when the perms32 table is present. So instead of checking on version, check whether the table is present. Fixes: 2e12c5f06017 ("apparmor: add additional flags to extended permission.") Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-07-20apparmor: transition from a list of rules to a vector of rulesJohn Johansen15-113/+85
The set of rules on a profile is not dynamically extended, instead if a new ruleset is needed a new version of the profile is created. This allows us to use a vector of rules instead of a list, slightly reducing memory usage and simplifying the code. Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-07-20apparmor: fix documentation mismatches in val_mask_to_str and socket functionsPeng Jiang2-3/+23
This patch fixes kernel-doc warnings: 1. val_mask_to_str: - Added missing descriptions for `size` and `table` parameters. - Removed outdated str_size and chrs references. 2. Socket Functions: - Makes non-null requirements clear for socket/address args. - Standardizes return values per kernel conventions. - Adds Unix domain socket protocol details. These changes silence doc validation warnings and improve accuracy for AppArmor LSM docs. Signed-off-by: Peng Jiang <jiang.peng9@zte.com.cn> Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-07-20apparmor: remove redundant perms.allow MAY_EXEC bitflag setRyan Lee1-3/+1
This section of profile_transition that occurs after x_to_label only happens if perms.allow already has the MAY_EXEC bit set, so we don't need to set it again. Fixes: 16916b17b4f8 ("apparmor: force auditing of conflicting attachment execs from confined") Signed-off-by: Ryan Lee <ryan.lee@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-07-20apparmor: fix kernel doc warnings for kernel test robotJohn Johansen2-4/+10
Fix kernel doc warnings for the functions - apparmor_socket_bind - apparmor_unix_may_send - apparmor_unix_stream_connect - val_mask_to_str Reported-by: kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202506070127.B1bc3da4-lkp@intel.com/ Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-07-20apparmor: Fix unaligned memory accesses in KUnit testHelge Deller1-2/+4
The testcase triggers some unnecessary unaligned memory accesses on the parisc architecture: Kernel: unaligned access to 0x12f28e27 in policy_unpack_test_init+0x180/0x374 (iir 0x0cdc1280) Kernel: unaligned access to 0x12f28e67 in policy_unpack_test_init+0x270/0x374 (iir 0x64dc00ce) Use the existing helper functions put_unaligned_le32() and put_unaligned_le16() to avoid such warnings on architectures which prefer aligned memory accesses. Signed-off-by: Helge Deller <deller@gmx.de> Fixes: 98c0cc48e27e ("apparmor: fix policy_unpack_test on big endian systems") Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-07-20apparmor: Fix 8-byte alignment for initial dfa blob streamsHelge Deller1-2/+2
The dfa blob stream for the aa_dfa_unpack() function is expected to be aligned on a 8 byte boundary. The static nulldfa_src[] and stacksplitdfa_src[] arrays store the initial apparmor dfa blob streams, but since they are declared as an array-of-chars the compiler and linker will only ensure a "char" (1-byte) alignment. Add an __aligned(8) annotation to the arrays to tell the linker to always align them on a 8-byte boundary. This avoids runtime warnings at startup on alignment-sensitive platforms like parisc such as: Kernel: unaligned access to 0x7f2a584a in aa_dfa_unpack+0x124/0x788 (iir 0xca0109f) Kernel: unaligned access to 0x7f2a584e in aa_dfa_unpack+0x210/0x788 (iir 0xca8109c) Kernel: unaligned access to 0x7f2a586a in aa_dfa_unpack+0x278/0x788 (iir 0xcb01090) Signed-off-by: Helge Deller <deller@gmx.de> Cc: stable@vger.kernel.org Fixes: 98b824ff8984 ("apparmor: refcount the pdb") Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-07-20apparmor: shift uid when mediating af_unix in usernsGabriel Totev1-2/+6
Avoid unshifted ouids for socket file operations as observed when using AppArmor profiles in unprivileged containers with LXD or Incus. For example, root inside container and uid 1000000 outside, with `owner /root/sock rw,` profile entry for nc: /root$ nc -lkU sock & nc -U sock ==> dmesg apparmor="DENIED" operation="connect" class="file" namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="sockit" name="/root/sock" pid=3924 comm="nc" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0 [<== should be 1000000] Fix by performing uid mapping as per common_perm_cond() in lsm.c Signed-off-by: Gabriel Totev <gabriel.totev@zetier.com> Fixes: c05e705812d1 ("apparmor: add fine grained af_unix mediation") Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-07-20apparmor: shift ouid when mediating hard links in usernsGabriel Totev1-2/+4
When using AppArmor profiles inside an unprivileged container, the link operation observes an unshifted ouid. (tested with LXD and Incus) For example, root inside container and uid 1000000 outside, with `owner /root/link l,` profile entry for ln: /root$ touch chain && ln chain link ==> dmesg apparmor="DENIED" operation="link" class="file" namespace="root//lxd-feet_<var-snap-lxd-common-lxd>" profile="linkit" name="/root/link" pid=1655 comm="ln" requested_mask="l" denied_mask="l" fsuid=1000000 ouid=0 [<== should be 1000000] target="/root/chain" Fix by mapping inode uid of old_dentry in aa_path_link() rather than using it directly, similarly to how it's mapped in __file_path_perm() later in the file. Signed-off-by: Gabriel Totev <gabriel.totev@zetier.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-07-20apparmor: make sure unix socket labeling is correctly updated.John Johansen6-62/+231
When a unix socket is passed into a different confinement domain make sure its cached mediation labeling is updated to correctly reflect which domains are using the socket. Fixes: c05e705812d1 ("apparmor: add fine grained af_unix mediation") Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-07-19landlock: Fix cosmetic changeMickaël Salaün1-0/+1
This line removal should not be there and it makes it more difficult to backport the following patch. Cc: Günther Noack <gnoack@google.com> Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com> Fixes: 7a11275c3787 ("landlock: Refactor layer helpers") Link: https://lore.kernel.org/r/20250719104204.545188-2-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
2025-07-16apparmor: fix regression in fs based unix sockets when using old abiJohn Johansen2-51/+71
Policy loaded using abi 7 socket mediation was not being applied correctly in all cases. In some cases with fs based unix sockets a subset of permissions where allowed when they should have been denied. This was happening because the check for if the socket was an fs based unix socket came before the abi check. But the abi check is where the correct path is selected, so having the fs unix socket check occur early would cause the wrong code path to be used. Fix this by pushing the fs unix to be done after the abi check. Fixes: dcd7a559411e ("apparmor: gate make fine grained unix mediation behind v9 abi") Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-07-16apparmor: fix AA_DEBUG_LABEL()John Johansen1-1/+1
AA_DEBUG_LABEL() was not specifying it vargs, which is needed so it can output debug parameters. Fixes: 71e6cff3e0dd ("apparmor: Improve debug print infrastructure") Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-07-16apparmor: fix af_unix auditing to include all address informationJohn Johansen3-10/+18
The auditing of addresses currently doesn't include the source address and mixes source and foreign/peer under the same audit name. Fix this so source is always addr, and the foreign/peer is peer_addr. Fixes: c05e705812d1 ("apparmor: add fine grained af_unix mediation") Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-07-16apparmor: Remove use of the double lockJohn Johansen5-102/+104
The use of the double lock is not necessary and problematic. Instead pull the bits that need locks into their own sections and grab the needed references. Fixes: c05e705812d1 ("apparmor: add fine grained af_unix mediation") Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-07-16apparmor: update kernel doc comments for xxx_label_crit_sectionJohn Johansen1-0/+8
Add a kernel doc header for __end_current_label_crit_section(), and update the header for __begin_current_label_crit_section(). Fixes: b42ecc5f58ef ("apparmor: make __begin_current_label_crit_section() indicate whether put is needed") Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-07-16apparmor: make __begin_current_label_crit_section() indicate whether put is ↵Mateusz Guzik3-41/+67
needed Same as aa_get_newest_cred_label_condref(). This avoids a bunch of work overall and allows the compiler to note when no clean up is necessary, allowing for tail calls. This in particular happens in apparmor_file_permission(), which manages to tail call aa_file_perm() 105 bytes in (vs a regular call 112 bytes in followed by branches to figure out if clean up is needed). Signed-off-by: Mateusz Guzik <mjguzik@gmail.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-07-16Revert "apparmor: use SHA-256 library API instead of crypto_shash API"John Johansen2-13/+75
This reverts commit e9ed1eb8f6217e53843d82ecf2d50f8d1a93e77c. Eric has requested that this patch be taken through the libcrypto-next tree, instead. Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-07-16apparmor: mitigate parser generating large xtablesJohn Johansen3-6/+45
Some versions of the parser are generating an xtable transition per state in the state machine, even when the state machine isn't using the transition table. The parser bug is triggered by commit 2e12c5f06017 ("apparmor: add additional flags to extended permission.") In addition to fixing this in userspace, mitigate this in the kernel as part of the policy verification checks by detecting this situation and adjusting to what is actually used, or if not used at all freeing it, so we are not wasting unneeded memory on policy. Fixes: 2e12c5f06017 ("apparmor: add additional flags to extended permission.") Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-07-14apparmor: use SHA-256 library API instead of crypto_shash APIEric Biggers2-75/+13
This user of SHA-256 does not support any other algorithm, so the crypto_shash abstraction provides no value. Just use the SHA-256 library API instead, which is much simpler and easier to use. Acked-by: John Johansen <john.johansen@canonical.com> Link: https://lore.kernel.org/r/20250630174805.59010-1-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org>
2025-07-09integrity/platform_certs: Allow loading of keys in the static key management ↵Srish Srinivasan1-2/+3
mode On PLPKS enabled PowerVM LPAR, there is no provision to load signed third-party kernel modules when the key management mode is static. This is because keys from secure boot secvars are only loaded when the key management mode is dynamic. Allow loading of the trustedcadb and moduledb keys even in the static key management mode, where the secvar format string takes the form "ibm,plpks-sb-v0". Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com> Tested-by: R Nageswara Sastry <rnsastry@linux.ibm.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Nayna Jain <nayna@linux.ibm.com> Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com> Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com> Link: https://patch.msgid.link/20250610211907.101384-4-ssrish@linux.ibm.com
2025-07-04tree-wide: s/struct fileattr/struct file_kattr/gChristian Brauner2-4/+4
Now that we expose struct file_attr as our uapi struct rename all the internal struct to struct file_kattr to clearly communicate that it is a kernel internal struct. This is similar to struct mount_{k}attr and others. Link: https://lore.kernel.org/20250703-restlaufzeit-baurecht-9ed44552b481@brauner Signed-off-by: Christian Brauner <brauner@kernel.org>
2025-07-01selinux: implement inode_file_[g|s]etattr hooksAndrey Albershteyn1-0/+14
These hooks are called on inode extended attribute retrieval/change. Cc: selinux@vger.kernel.org Cc: Paul Moore <paul@paul-moore.com> Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Andrey Albershteyn <aalbersh@kernel.org> Link: https://lore.kernel.org/20250630-xattrat-syscall-v6-3-c4e3bc35227b@kernel.org Signed-off-by: Christian Brauner <brauner@kernel.org>
2025-07-01lsm: introduce new hooks for setting/getting inode fsxattrAndrey Albershteyn1-0/+30
Introduce new hooks for setting and getting filesystem extended attributes on inode (FS_IOC_FSGETXATTR). Cc: selinux@vger.kernel.org Cc: Paul Moore <paul@paul-moore.com> Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Andrey Albershteyn <aalbersh@kernel.org> Link: https://lore.kernel.org/20250630-xattrat-syscall-v6-2-c4e3bc35227b@kernel.org Signed-off-by: Christian Brauner <brauner@kernel.org>
2025-06-27landlock: Fix warning from KUnit testsTingmao Wang1-27/+42
get_id_range() expects a positive value as first argument but get_random_u8() can return 0. Fix this by clamping it. Validated by running the test in a for loop for 1000 times. Note that MAX() is wrong as it is only supposed to be used for constants, but max() is good here. [..] ok 9 test_range2_rand1 [..] ok 10 test_range2_rand2 [..] ok 11 test_range2_rand15 [..] ------------[ cut here ]------------ [..] WARNING: CPU: 6 PID: 104 at security/landlock/id.c:99 test_range2_rand16 (security/landlock/id.c:99 (discriminator 1) security/landlock/id.c:234 (discriminator 1)) [..] Modules linked in: [..] CPU: 6 UID: 0 PID: 104 Comm: kunit_try_catch Tainted: G N 6.16.0-rc1-dev-00001-g314a2f98b65f #1 PREEMPT(undef) [..] Tainted: [N]=TEST [..] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [..] RIP: 0010:test_range2_rand16 (security/landlock/id.c:99 (discriminator 1) security/landlock/id.c:234 (discriminator 1)) [..] Code: 49 c7 c0 10 70 30 82 4c 89 ff 48 c7 c6 a0 63 1e 83 49 c7 45 a0 e0 63 1e 83 e8 3f 95 17 00 e9 1f ff ff ff 0f 0b e9 df fd ff ff <0f> 0b ba 01 00 00 00 e9 68 fe ff ff 49 89 45 a8 49 8d 4d a0 45 31 [..] RSP: 0000:ffff888104eb7c78 EFLAGS: 00010246 [..] RAX: 0000000000000000 RBX: 000000000870822c RCX: 0000000000000000 ^^^^^^^^^^^^^^^^ [..] [..] Call Trace: [..] [..] ---[ end trace 0000000000000000 ]--- [..] ok 12 test_range2_rand16 [..] # landlock_id: pass:12 fail:0 skip:0 total:12 [..] # Totals: pass:12 fail:0 skip:0 total:12 [..] ok 1 landlock_id Fixes: d9d2a68ed44b ("landlock: Add unique ID generator") Signed-off-by: Tingmao Wang <m@maowtm.org> Link: https://lore.kernel.org/r/73e28efc5b8cc394608b99d5bc2596ca917d7c4a.1750003733.git.m@maowtm.org [mic: Minor cosmetic improvements] Signed-off-by: Mickaël Salaün <mic@digikod.net>
2025-06-25selinux: don't bother with selinuxfs_info_free() on failuresAl Viro1-2/+0
Failures in sel_fill_super() will be followed by sel_kill_sb(), which will call selinuxfs_info_free() anyway. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Reviewed-by: Christian Brauner <brauner@kernel.org> [PM: subj and description tweaks] Signed-off-by: Paul Moore <paul@paul-moore.com>
2025-06-23exec: Correct the permission check for unsafe execEric W. Biederman1-12/+8
Max Kellerman recently experienced a problem[1] when calling exec with differing uid and euid's and he triggered the logic that is supposed to only handle setuid executables. When exec isn't changing anything in struct cred it doesn't make sense to go into the code that is there to handle the case when the credentials change. When looking into the history of the code I discovered that this issue was not present in Linux-2.4.0-test12 and was introduced in Linux-2.4.0-prerelease when the logic for handling this case was moved from prepare_binprm to compute_creds in fs/exec.c. The bug introdused was to comparing euid in the new credentials with uid instead of euid in the old credentials, when testing if setuid had changed the euid. Since triggering the keep ptrace limping along case for setuid executables makes no sense when it was not a setuid exec revert back to the logic present in Linux-2.4.0-test12. This removes the confusingly named and subtlety incorrect helpers is_setuid and is_setgid, that helped this bug to persist. The varaiable is_setid is renamed to id_changed (it's Linux-2.4.0-test12) as the old name describes what matters rather than it's cause. The code removed in Linux-2.4.0-prerelease was: - /* Set-uid? */ - if (mode & S_ISUID) { - bprm->e_uid = inode->i_uid; - if (bprm->e_uid != current->euid) - id_change = 1; - } - - /* Set-gid? */ - /* - * If setgid is set but no group execute bit then this - * is a candidate for mandatory locking, not a setgid - * executable. - */ - if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) { - bprm->e_gid = inode->i_gid; - if (!in_group_p(bprm->e_gid)) - id_change = 1; Linux-2.4.0-prerelease added the current logic as: + if (bprm->e_uid != current->uid || bprm->e_gid != current->gid || + !cap_issubset(new_permitted, current->cap_permitted)) { + current->dumpable = 0; + + lock_kernel(); + if (must_not_trace_exec(current) + || atomic_read(&current->fs->count) > 1 + || atomic_read(&current->files->count) > 1 + || atomic_read(&current->sig->count) > 1) { + if(!capable(CAP_SETUID)) { + bprm->e_uid = current->uid; + bprm->e_gid = current->gid; + } + if(!capable(CAP_SETPCAP)) { + new_permitted = cap_intersect(new_permitted, + current->cap_permitted); + } + } + do_unlock = 1; + } I have condenced the logic from Linux-2.4.0-test12 to just: id_changed = !uid_eq(new->euid, old->euid) || !in_group_p(new->egid); This change is userspace visible, but I don't expect anyone to care. For the bug that is being fixed to trigger bprm->unsafe has to be set. The variable bprm->unsafe is set when ptracing an executable, when sharing a working directory, or when no_new_privs is set. Properly testing for cases that are safe even in those conditions and doing nothing special should not affect anyone. Especially if they were previously ok with their credentials getting munged To minimize behavioural changes the code continues to set secureexec when euid != uid or when egid != gid. [1] https://lkml.kernel.org/r/20250306082615.174777-1-max.kellermann@ionos.com Reported-by: Max Kellermann <max.kellermann@ionos.com> Fixes: 64444d3d0d7f ("Linux version 2.4.0-prerelease") v1: https://lkml.kernel.org/r/878qmxsuy8.fsf@email.froward.int.ebiederm.org Reviewed-by: Serge Hallyn <serge@hallyn.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> Reviewed-by: Jann Horn <jannh@google.com> Acked-by: Kees Cook <kees@kernel.org>
2025-06-20selinux: add __GFP_NOWARN to hashtab_init() allocationsPaul Moore1-1/+2
As reported by syzbot, hashtab_init() can be affected by abnormally large policy loads which would cause the kernel's allocator to emit a warning in some configurations. Since the SELinux hashtab_init() code handles the case where the allocation fails, due to a large request or some other reason, we can safely add the __GFP_NOWARN flag to squelch these abnormally large allocation warnings. Reported-by: syzbot+bc2c99c2929c3d219fb3@syzkaller.appspotmail.com Tested-by: syzbot+bc2c99c2929c3d219fb3@syzkaller.appspotmail.com Signed-off-by: Paul Moore <paul@paul-moore.com>
2025-06-20selinux: optimize selinux_inode_getattr/permission() based on ↵Stephen Smalley2-1/+21
neveraudit|permissive Extend the task avdcache to also cache whether the task SID is both permissive and neveraudit, and return immediately if so in both selinux_inode_getattr() and selinux_inode_permission(). The same approach could be applied to many of the hook functions although the avdcache would need to be updated for more than directory search checks in order for this optimization to be beneficial for checks on objects other than directories. To test, apply https://github.com/SELinuxProject/selinux/pull/473 to your selinux userspace, build and install libsepol, and use the following CIL policy module: $ cat neverauditpermissive.cil (typeneveraudit unconfined_t) (typepermissive unconfined_t) Without this module inserted, running the following commands: perf record make -jN # on an already built allmodconfig tree perf report --sort=symbol,dso yields the following percentages (only showing __d_lookup_rcu for reference and only showing relevant SELinux functions): 1.65% [k] __d_lookup_rcu 0.53% [k] selinux_inode_permission 0.40% [k] selinux_inode_getattr 0.15% [k] avc_lookup 0.05% [k] avc_has_perm 0.05% [k] avc_has_perm_noaudit 0.02% [k] avc_policy_seqno 0.02% [k] selinux_file_permission 0.01% [k] selinux_inode_alloc_security 0.01% [k] selinux_file_alloc_security for a total of 1.24% for SELinux compared to 1.65% for __d_lookup_rcu(). After running the following command to insert this module: semodule -i neverauditpermissive.cil and then re-running the same perf commands from above yields the following non-zero percentages: 1.74% [k] __d_lookup_rcu 0.31% [k] selinux_inode_permission 0.03% [k] selinux_inode_getattr 0.03% [k] avc_policy_seqno 0.01% [k] avc_lookup 0.01% [k] selinux_file_permission 0.01% [k] selinux_file_open for a total of 0.40% for SELinux compared to 1.74% for __d_lookup_rcu(). Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com>