2ea3ffb7 | 19-Jul-2017 | John Johansen <john.johansen@canonical.com>
apparmor: add mount mediation

Add basic mount mediation. That allows controlling based on basic mount parameters. It does not include special mount parameters for apparmor, super block labeling, or any triggers for apparmor namespace parameter modifications on pivot root.

Default userspace policy rules have the form of

MOUNT RULE = ( MOUNT | REMOUNT | UMOUNT )
MOUNT = [ QUALIFIERS ] 'mount' [ MOUNT CONDITIONS ] [ SOURCE FILEGLOB ] [ '->' MOUNTPOINT FILEGLOB ]
REMOUNT = [ QUALIFIERS ] 'remount' [ MOUNT CONDITIONS ] MOUNTPOINT FILEGLOB
UMOUNT = [ QUALIFIERS ] 'umount' [ MOUNT CONDITIONS ] MOUNTPOINT FILEGLOB
MOUNT CONDITIONS = [ ( 'fstype' | 'vfstype' ) ( '=' | 'in' ) MOUNT FSTYPE EXPRESSION ] [ 'options' ( '=' | 'in' ) MOUNT FLAGS EXPRESSION ]
MOUNT FSTYPE EXPRESSION = ( MOUNT FSTYPE LIST | MOUNT EXPRESSION )
MOUNT FSTYPE LIST = Comma separated list of valid filesystem and virtual filesystem types (eg ext4, debugfs, etc)
MOUNT FLAGS EXPRESSION = ( MOUNT FLAGS LIST | MOUNT EXPRESSION )
MOUNT FLAGS LIST = Comma separated list of MOUNT FLAGS.
MOUNT FLAGS = ( 'ro' | 'rw' | 'nosuid' | 'suid' | 'nodev' | 'dev' | 'noexec' | 'exec' | 'sync' | 'async' | 'remount' | 'mand' | 'nomand' | 'dirsync' | 'noatime' | 'atime' | 'nodiratime' | 'diratime' | 'bind' | 'rbind' | 'move' | 'verbose' | 'silent' | 'loud' | 'acl' | 'noacl' | 'unbindable' | 'runbindable' | 'private' | 'rprivate' | 'slave' | 'rslave' | 'shared' | 'rshared' | 'relatime' | 'norelatime' | 'iversion' | 'noiversion' | 'strictatime' | 'nouser' | 'user' )
MOUNT EXPRESSION = ( ALPHANUMERIC | AARE ) ...
PIVOT ROOT RULE = [ QUALIFIERS ] pivot_root [ oldroot=OLD PUT FILEGLOB ] [ NEW ROOT FILEGLOB ]
SOURCE FILEGLOB = FILEGLOB
MOUNTPOINT FILEGLOB = FILEGLOB

eg.
mount,
mount /dev/foo,
mount options=ro /dev/foo -> /mnt/,
mount options in (ro,atime) /dev/foo -> /mnt/,
mount options=ro options=atime,

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>

cd1dbf76 | 19-Jul-2017 | John Johansen <john.johansen@canonical.com>
apparmor: add the ability to mediate signals

Add signal mediation where the signal can be mediated based on the signal, direction, or the label of the peer/target. The signal perms are verified on a cross check to ensure policy consistency in the case of incremental policy load/replacement.

The optimization of skipping the cross check when policy is guaranteed to be consistent (single compile unit) remains to be done.

Policy rules have the form of

SIGNAL_RULE = [ QUALIFIERS ] 'signal' [ SIGNAL ACCESS PERMISSIONS ] [ SIGNAL SET ] [ SIGNAL PEER ]
SIGNAL ACCESS PERMISSIONS = SIGNAL ACCESS | SIGNAL ACCESS LIST
SIGNAL ACCESS LIST = '(' Comma or space separated list of SIGNAL ACCESS ')'
SIGNAL ACCESS = ( 'r' | 'w' | 'rw' | 'read' | 'write' | 'send' | 'receive' )
SIGNAL SET = 'set' '=' '(' SIGNAL LIST ')'
SIGNAL LIST = Comma or space separated list of SIGNALS
SIGNALS = ( 'hup' | 'int' | 'quit' | 'ill' | 'trap' | 'abrt' | 'bus' | 'fpe' | 'kill' | 'usr1' | 'segv' | 'usr2' | 'pipe' | 'alrm' | 'term' | 'stkflt' | 'chld' | 'cont' | 'stop' | 'stp' | 'ttin' | 'ttou' | 'urg' | 'xcpu' | 'xfsz' | 'vtalrm' | 'prof' | 'winch' | 'io' | 'pwr' | 'sys' | 'emt' | 'exists' | 'rtmin+0' ... 'rtmin+32' )
SIGNAL PEER = 'peer' '=' AARE

eg.
signal,                                  # allow all signals
signal send set=(hup, kill) peer=foo,

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>

5d314a81 | 13-Jul-2017 | Dan Carpenter <dan.carpenter@oracle.com>
apparmor: Fix an error code in aafs_create()

We accidentally forgot to set the error code on this path. It means we return NULL instead of an error pointer. I looked through a bunch of callers and I don't think it really causes a big issue, but the documentation says we're supposed to return error pointers here.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

Revision tags: v4.12

33f2eada | 09-Jun-2017 | John Johansen <john.johansen@canonical.com>
apparmor: export that basic profile namespaces are supported

Allow userspace to detect that basic profile policy namespaces are available.

Signed-off-by: John Johansen <john.johansen@canonical.com>

6c5fc8f1 | 09-Jun-2017 | John Johansen <john.johansen@canonical.com>
apparmor: add stacked domain labels interface

Update the user interface to support the stacked change_profile transition.

Signed-off-by: John Johansen <john.johansen@canonical.com>

40cde7fc | 09-Jun-2017 | John Johansen <john.johansen@canonical.com>
apparmor: add domain label stacking info to apparmorfs

Now that the domain label transition is complete, advertise it to userspace.

Signed-off-by: John Johansen <john.johansen@canonical.com>

5379a331 | 09-Jun-2017 | John Johansen <john.johansen@canonical.com>
apparmor: support v7 transition format compatible with label_parse

Signed-off-by: John Johansen <john.johansen@canonical.com>

290f458a | 09-Jun-2017 | John Johansen <john.johansen@canonical.com>
apparmor: allow ptrace checks to be finer grained than just capability

Signed-off-by: John Johansen <john.johansen@canonical.com>

317d9a05 | 09-Jun-2017 | John Johansen <john.johansen@canonical.com>
apparmor: update query interface to support label queries

Signed-off-by: John Johansen <john.johansen@canonical.com>

637f688d | 09-Jun-2017 | John Johansen <john.johansen@canonical.com>
apparmor: switch from profiles to using labels on contexts

Begin the actual switch to using domain labels by storing them on the context and converting the label to a singular profile where possible.

Signed-off-by: John Johansen <john.johansen@canonical.com>

cf797c0e | 09-Jun-2017 | John Johansen <john.johansen@canonical.com>
apparmor: convert to profile block critical sections

There are still a few places where profile replacement fails to update and a stale profile is used for mediation. Fix this by moving to accessing the current label through a critical section that will always ensure mediation is using the current label regardless of whether the task's cred has been updated or not.

Signed-off-by: John Johansen <john.johansen@canonical.com>

d9f02d9c | 09-Jun-2017 | John Johansen <john.johansen@canonical.com>
apparmor: fix display of ns name

The ns name being displayed should go through an ns view lookup.

Signed-off-by: John Johansen <john.johansen@canonical.com>

5262ef60 | 09-Jun-2017 | John Johansen <john.johansen@canonical.com>
apparmor: fix apparmor_query data

The data being queried isn't always the current profile and a lookup relative to the current profile should be done.

Signed-off-by: John Johansen <john.johansen@canonical.com>

60285eb3 | 04-Jun-2017 | John Johansen <john.johansen@canonical.com>
apparmor: fix policy load/remove semantics

The namespace being passed into the replace/remove profiles fns() is not the view, but the namespace specified by the inode from the file hook (if present) or the loading task's ns, if accessing the top level virtualized load/replace file interface.

Signed-off-by: John Johansen <john.johansen@canonical.com>

4f3b3f2d | 26-May-2017 | John Johansen <john.johansen@canonical.com>
apparmor: add profile permission query ability

Allow userspace to query a profile about permissions, through the transaction interface that is already used to allow userspace to query about key,value data.

Signed-off-by: John Johansen <john.johansen@canonical.com>

1dea3b41 | 26-May-2017 | John Johansen <john.johansen@canonical.com>
apparmor: speed up transactional queries

The simple_transaction interface is slow. It requires 4 syscalls (open, write, read, close) per query and shares a single lock for each query.

So replace its use with a compatible multi_transaction interface. It allows for a faster 2 syscall pattern per query. After an initial open, an arbitrary number of writes and reads can be issued. Each write will reset the query with new data that can be read. Reads do not clear the data, and can be issued multiple times, and used with seek, until a new write is performed which will reset the data available and the seek position.

Note: this keeps the single lock design; if needed, moving to a per file lock will have to come later.

Signed-off-by: John Johansen <john.johansen@canonical.com>

a83bd86e | 26-May-2017 | John Johansen <john.johansen@canonical.com>
apparmor: add label data availability to the feature set

gsettings mediation needs to be able to determine if apparmor supports label data queries. A label data query can be done to test for support but its failure is indistinguishable from other failures, making it an unreliable indicator.

Fix by making support of label data queries available as a flag in the apparmorfs features dir tree.

Signed-off-by: John Johansen <john.johansen@canonical.com>

4ae47f33 | 26-May-2017 | John Johansen <john.johansen@canonical.com>
apparmor: add mkdir/rmdir interface to manage policy namespaces

When setting up namespaces for containers it's easier for them to use an fs interface to create the namespace for the container's policy. Allow mkdir/rmdir under the policy/namespaces/ dir to be used to create and remove namespaces.

BugLink: http://bugs.launchpad.net/bugs/1611078
Signed-off-by: John Johansen <john.johansen@canonical.com>

d9bf2c26 | 26-May-2017 | John Johansen <john.johansen@canonical.com>
apparmor: add policy revision file interface

Add a policy revision file to find the current revision of a ns's policy. There is a revision file per ns, as well as a virtualized global revision file in the base apparmor fs directory. The global revision file, when opened, will provide the revision of the opening task's namespace.

The revision file can be waited on via select/poll to detect apparmor policy changes from the last read revision of the opened file. This means that the revision file must be read after the select/poll, otherwise update data will remain ready for reading.

Signed-off-by: John Johansen <john.johansen@canonical.com>

18e99f19 | 26-May-2017 | John Johansen <john.johansen@canonical.com>
apparmor: provide finer control over policy management

Signed-off-by: John Johansen <john.johansen@canonical.com>

c961ee5f | 25-May-2017 | John Johansen <john.johansen@canonical.com>
apparmor: convert from securityfs to apparmorfs for policy ns files

Virtualize the apparmor policy/ directory so that the current namespace affects what part of policy is seen. To do this, convert to using apparmorfs for policy namespace files and set up a magic symlink in the securityfs apparmor dir to access those files.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Reviewed-by: Kees Cook <keescook@chromium.org>

98407f0a | 25-May-2017 | John Johansen <john.johansen@canonical.com>
apparmor: allow specifying an already created dir to create ns entries in

Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Reviewed-by: Kees Cook <keescook@chromium.org>

c97204ba | 25-May-2017 | John Johansen <john.johansen@canonical.com>
apparmor: rename apparmor file fns and data to indicate use

Prefixes are used for fns/data that are not static to apparmorfs.c, with the prefixes being:
aafs - special magic apparmorfs for policy namespace data
aa_sfs - for fns/data that go into securityfs
aa_fs - for fns/data that may be used in either of aafs or securityfs

Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Reviewed-by: Kees Cook <keescook@chromium.org>

a481f4d9 | 25-May-2017 | John Johansen <john.johansen@canonical.com>
apparmor: add custom apparmorfs that will be used by policy namespace files

AppArmor policy needs to be able to be resolved based on the policy namespace a task is confined by. Add a base apparmorfs filesystem that (like nsfs) will exist as a kern mount and be accessed via jump_link through a securityfs file.

Setup the base apparmorfs fns and data, but don't use it yet.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Reviewed-by: Kees Cook <keescook@chromium.org>

64c86970 | 25-May-2017 | John Johansen <john.johansen@canonical.com>
apparmor: use macro template to simplify namespace seq_files

Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Reviewed-by: Kees Cook <keescook@chromium.org>