Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v6.16 2024-12-04T19:42:31Z 2024-12-04T19:42:31Z Casey Schaufler casey@schaufler-ca.com 2024-10-23T21:21:55Z urn:sha1:2d470c778120d3cdb8d8ab250329ca85f49f12b1 Replace the (secctx,seclen) pointer pair with a single lsm_context pointer to allow return of the LSM identifier along with the context and context length. This allows security_release_secctx() to know how to release the context. Callers have been modified to use or save the returned data from the new structure. security_secid_to_secctx() and security_lsmproc_to_secctx() will now return the length value on success instead of 0. Cc: netdev@vger.kernel.org Cc: audit@vger.kernel.org Cc: netfilter-devel@vger.kernel.org Cc: Todd Kjos <tkjos@google.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> [PM: subject tweak, kdoc fix, signedness fix from Dan Carpenter] Signed-off-by: Paul Moore <paul@paul-moore.com> 2024-12-04T15:46:26Z Casey Schaufler casey@schaufler-ca.com 2024-10-23T21:21:54Z urn:sha1:6fba89813ccf333d2bc4d5caea04cd5f3c39eb50 Add a new lsm_context data structure to hold all the information about a "security context", including the string, its size and which LSM allocated the string. The allocation information is necessary because LSMs have different policies regarding the lifecycle of these strings. SELinux allocates and destroys them on each use, whereas Smack provides a pointer to an entry in a list that never goes away. Update security_release_secctx() to use the lsm_context instead of a (char *, len) pair. Change its callers to do likewise. The LSMs supporting this hook have had comments added to remind the developer that there is more work to be done. The BPF security module provides all LSM hooks. While there has yet to be a known instance of a BPF configuration that uses security contexts, the possibility is real. In the existing implementation there is potential for multiple frees in that case. Cc: linux-integrity@vger.kernel.org Cc: netdev@vger.kernel.org Cc: audit@vger.kernel.org Cc: netfilter-devel@vger.kernel.org To: Pablo Neira Ayuso <pablo@netfilter.org> Cc: linux-nfs@vger.kernel.org Cc: Todd Kjos <tkjos@google.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> [PM: subject tweak] Signed-off-by: Paul Moore <paul@paul-moore.com> 2024-11-27T03:21:06Z John Johansen john.johansen@canonical.com 2024-11-09T20:47:24Z urn:sha1:9133493a76d741e1ce00a140be3d2d7791ca3a04 The macros for label combination XXX_comb are no longer used and there are no plans to use them so remove the dead code. Signed-off-by: John Johansen <john.johansen@canonical.com> 2024-11-27T03:21:06Z Jinjie Ruan ruanjinjie@huawei.com 2024-09-02T07:39:04Z urn:sha1:211551768291a9accdd0d033c6d9ff51dc4e9840 In the macro definition of next_comb(), a parameter L1 is accepted, but it is not used. Hence, it should be removed. Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2024-11-27T03:21:05Z Dr. David Alan Gilbert linux@treblig.org 2024-09-20T23:55:17Z urn:sha1:75535669c9c1647e8098947f045c95db1bbdfa8c aa_label_audit, aa_label_find, aa_label_seq_print and aa_update_label_name were added by commit f1bd904175e8 ("apparmor: add the base fns() for domain labels") but never used. aa_profile_label_perm was added by commit 637f688dc3dc ("apparmor: switch from profiles to using labels on contexts") but never used. aa_secid_update was added by commit c092921219d2 ("apparmor: add support for mapping secids and using secctxes") but never used. aa_split_fqname has been unused since commit 3664268f19ea ("apparmor: add namespace lookup fns()") aa_lookup_profile has been unused since commit 93c98a484c49 ("apparmor: move exec domain mediation to using labels") aa_audit_perms_cb was only used by aa_profile_label_perm (see above). All of these commits are from around 2017. Remove them. Signed-off-by: Dr. David Alan Gilbert <linux@treblig.org> Signed-off-by: John Johansen <john.johansen@canonical.com> 2024-11-27T03:21:05Z John Johansen john.johansen@canonical.com 2024-08-24T04:40:47Z urn:sha1:9208c05f9fdfd927ea160b97dfef3c379049fff2 Currently the dfa state machine is limited by its default, next, and check tables using u16. Allow loading of u32 tables, and if u16 tables are loaded map them to u32. The number of states allowed does not increase to 2^32 because the base table uses the top 8 bits of its u32 for flags. Moving the flags into a separate table allowing a full 2^32 bit range wil be done in a separate patch. Link: https://gitlab.com/apparmor/apparmor/-/issues/419 Signed-off-by: John Johansen <john.johansen@canonical.com> 2024-10-11T18:34:12Z Casey Schaufler casey@schaufler-ca.com 2024-10-09T17:32:11Z urn:sha1:6f2f724f0e116d9ea960ff3dd645add12e60e176 Add a new hook security_lsmprop_to_secctx() and its LSM specific implementations. The LSM specific code will use the lsm_prop element allocated for that module. This allows for the possibility that more than one module may be called upon to translate a secid to a string, as can occur in the audit code. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> [PM: subject line tweak] Signed-off-by: Paul Moore <paul@paul-moore.com> 2024-10-11T18:34:12Z Casey Schaufler casey@schaufler-ca.com 2024-10-09T17:32:10Z urn:sha1:870b7fdc660b38c4e1bd8bf48e62aa352ddf8f42 Change the secid parameter of security_audit_rule_match to a lsm_prop structure pointer. Pass the entry from the lsm_prop structure for the approprite slot to the LSM hook. Change the users of security_audit_rule_match to use the lsm_prop instead of a u32. The scaffolding function lsmprop_init() fills the structure with the value of the old secid, ensuring that it is available to the appropriate module hook. The sources of the secid, security_task_getsecid() and security_inode_getsecid(), will be converted to use the lsm_prop structure later in the series. At that point the use of lsmprop_init() is dropped. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> [PM: subject line tweak] Signed-off-by: Paul Moore <paul@paul-moore.com> 2024-07-29T20:54:50Z Casey Schaufler casey@schaufler-ca.com 2024-07-10T21:32:25Z urn:sha1:2aff9d20d50ac45dd13a013ef5231f4fb8912356 Move management of the sock->sk_security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there. Acked-by: Paul Moore <paul@paul-moore.com> Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> [PM: subject tweak] Signed-off-by: Paul Moore <paul@paul-moore.com> 2024-07-27T20:28:39Z Linus Torvalds torvalds@linux-foundation.org 2024-07-27T20:28:39Z urn:sha1:ff30564411ffdcee49d579cb15eb13185a36e253 Pull apparmor updates from John Johansen: "Cleanups - optimization: try to avoid refing the label in apparmor_file_open - remove useless static inline function is_deleted - use kvfree_sensitive to free data->data - fix typo in kernel doc Bug fixes: - unpack transition table if dfa is not present - test: add MODULE_DESCRIPTION() - take nosymfollow flag into account - fix possible NULL pointer dereference - fix null pointer deref when receiving skb during sock creation" * tag 'apparmor-pr-2024-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: apparmor: unpack transition table if dfa is not present apparmor: try to avoid refing the label in apparmor_file_open apparmor: test: add MODULE_DESCRIPTION() apparmor: take nosymfollow flag into account apparmor: fix possible NULL pointer dereference apparmor: fix typo in kernel doc apparmor: remove useless static inline function is_deleted apparmor: use kvfree_sensitive to free data->data apparmor: Fix null pointer deref when receiving skb during sock creation