linux/security/apparmor, branch v6.0

apparmor: correct config reference to intended one

2022-07-20T20:22:19Z

Commit 5bfcbd22ee4e ("apparmor: Enable tuning of policy paranoid load for embedded systems") introduces the config SECURITY_APPARMOR_PARANOID_LOAD, but then refers in the code to SECURITY_PARANOID_LOAD; note the missing APPARMOR in the middle. Correct this to the introduced and intended config option. Fixes: 5bfcbd22ee4e ("apparmor: Enable tuning of policy paranoid load for embedded systems") Signed-off-by: Lukas Bulwahn Signed-off-by: John Johansen

apparmor: move ptrace mediation to more logical task.{h,c}

2022-07-19T11:14:22Z

AppArmor split out task oriented controls to their own logical file a while ago. Ptrace mediation is better grouped with task than ipc, so move it. Signed-off-by: John Johansen

apparmor: extend policydb permission set by making use of the xbits

2022-07-19T09:57:15Z

The policydb permission set has left the xbits unused. Make them available for mediation. Signed-off-by: John Johansen

apparmor: allow label to carry debug flags

2022-07-19T09:55:45Z

Allow labels to have debug flags that can be used to trigger debug output only from profiles/labels that are marked. This can help reduce debug output by allowing debug to be target to a specific confinement condition. Signed-off-by: John Johansen

apparmor: fix overlapping attachment computation

2022-07-19T09:52:36Z

When finding the profile via patterned attachments, the longest left match is being set to the static compile time value and not using the runtime computed value. Fix this by setting the candidate value to the greater of the precomputed value or runtime computed value. Fixes: 21f606610502 ("apparmor: improve overlapping domain attachment resolution") Signed-off-by: John Johansen

apparmor: fix setting unconfined mode on a loaded profile

2022-07-19T09:43:12Z

When loading a profile that is set to unconfined mode, that label flag is not set when it should be. Ensure it is set so that when used in a label the unconfined check will be applied correctly. Fixes: 038165070aa5 ("apparmor: allow setting any profile into the unconfined state") Signed-off-by: John Johansen

apparmor: Fix some kernel-doc comments

2022-07-19T09:39:15Z

Remove warnings found by running scripts/kernel-doc, which is caused by using 'make W=1'. security/apparmor/policy_ns.c:65: warning: Function parameter or member 'curr' not described in 'aa_ns_name' security/apparmor/policy_ns.c:65: warning: Function parameter or member 'view' not described in 'aa_ns_name' security/apparmor/policy_ns.c:65: warning: Function parameter or member 'subns' not described in 'aa_ns_name' security/apparmor/policy_ns.c:65: warning: expecting prototype for aa_na_name(). Prototype was for aa_ns_name() instead security/apparmor/policy_ns.c:214: warning: Function parameter or member 'view' not described in '__aa_lookupn_ns' security/apparmor/policy_ns.c:214: warning: Excess function parameter 'base' description in '__aa_lookupn_ns' security/apparmor/policy_ns.c:297: warning: expecting prototype for aa_create_ns(). Prototype was for __aa_find_or_create_ns() instead Reported-by: Abaci Robot Signed-off-by: Yang Li Signed-off-by: John Johansen

apparmor: Mark alloc_unconfined() as static

2022-07-19T09:38:34Z

Kernel test robot throws below warning -> security/apparmor/policy_ns.c:83:20: warning: no previous prototype for function 'alloc_unconfined' [-Wmissing-prototypes] Mark it as static. Reported-by: kernel test robot Signed-off-by: Souptick Joarder (HPE) Signed-off-by: John Johansen

apparmor: disable showing the mode as part of a secid to secctx

2022-07-14T00:18:29Z

Displaying the mode as part of the seectx takes up unnecessary memory, makes it so we can't use refcounted secctx so we need to alloc/free on every conversion from secid to secctx and introduces a space that could be potentially mishandled by tooling. Eg. In an audit record we get subj_type=firefix (enforce) Having the mode reported is not necessary, and might even be confusing eg. when writing an audit rule to match the above record field you would use -F subj_type=firefox ie. the mode is not included. AppArmor provides ways to find the mode without reporting as part of the secctx. So disable this by default before its use is wide spread and we can't. For now we add a sysctl to control the behavior as we can't guarantee no one is using this. Acked-by: Andrea Righi Signed-off-by: John Johansen

apparmor: Convert secid mapping to XArrays instead of IDR

2022-07-14T00:16:02Z

XArrays are a better match than IDR for how AppArmor is mapping secids. Specifically AppArmor is trying to keep the allocation dense. XArrays also have the advantage of avoiding the complexity IDRs preallocation. In addition this avoids/fixes a lockdep issue raised in the LKML thread "Linux 5.18-rc4" where there is a report of an interaction between apparmor and IPC, this warning may have been spurious as the reported issue is in a per-cpu local lock taken by the IDR. With the one side in the IPC id allocation and the other in AppArmor's secid allocation. Description by John Johansen Message-Id: <226cee6a-6ca1-b603-db08-8500cd8f77b7@gnuweeb.org> Signed-off-by: Matthew Wilcox Signed-off-by: John Johansen