96af4515 | 10-Sep-2023 |
John Johansen <john.johansen@canonical.com> |
apparmor: Fix regression in mount mediation
[ Upstream commit 157a3537d6bc28ceb9a11fc8cb67f2152d860146 ]
commit 2db154b3ea8e ("vfs: syscall: Add move_mount(2) to move mounts around")
introduced a new move_mount(2) system call and a corresponding new LSM security_move_mount hook but did not implement this hook for any existing LSM. This creates a regression for AppArmor mediation of mount. This patch provides a base mapping of the move_mount syscall to the existing mount mediation. In the future we may introduce additional mediations around the new mount calls.
Fixes: 2db154b3ea8e ("vfs: syscall: Add move_mount(2) to move mounts around")
CC: stable@vger.kernel.org
Reported-by: Andreas Steinmetz <anstein99@googlemail.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
65f7f666 | 14-Sep-2022 |
Xiu Jianfeng <xiujianfeng@huawei.com> |
apparmor: make __aa_path_perm() static
Make __aa_path_perm() static as it's only used inside apparmor/file.c.
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
|
adaa9a3f | 23-Sep-2022 |
Gaosheng Cui <cuigaosheng1@huawei.com> |
apparmor: Simplify obtain the newest label on a cred
In aa_get_task_label(), aa_get_newest_cred_label(__task_cred(task)) can do the same things as aa_get_newest_label(__aa_task_raw_label(task)), so we can replace it and remove __aa_task_raw_label() to simplify the code.
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
|
3dfd16ab | 06-Sep-2022 |
John Johansen <john.johansen@canonical.com> |
apparmor: cleanup: move perm accumulation into perms.h
Perm accumulation is going to be used much more frequently so let the compiler figure out if it can be optimized when used.
Signed-off-by: John Johansen <john.johansen@canonical.com>
|
fd1b2b95 | 26-Aug-2022 |
John Johansen <john.johansen@canonical.com> |
apparmor: add the ability for policy to specify a permission table
Currently permissions are encoded in the dfa accept entries that are then mapped to an internal permission structure. This limits the permissions that userspace can specify, so allow userspace to directly specify the permission table.
Signed-off-by: John Johansen <john.johansen@canonical.com>
|
caa9f579 | 22-Aug-2022 |
John Johansen <john.johansen@canonical.com> |
apparmor: isolate policy backwards compatibility to its own file
The details of mapping old policy into newer policy formats clutters up the unpack code and makes it possible to accidentally use old mappings in code, so isolate the mapping code into its own file.
This will become more important when the dfa remapping code lands, as it will greatly expand the compat code base.
Signed-off-by: John Johansen <john.johansen@canonical.com>
|
b06a62eb | 16-May-2022 |
John Johansen <john.johansen@canonical.com> |
apparmor: move dfa perm macros into policy_unpack
Now that the permission remapping macros aren't needed anywhere except during profile unpack, move them.
Signed-off-by: John Johansen <john.johansen@canonical.com>
|
e844fe9b | 16-Jul-2022 |
John Johansen <john.johansen@canonical.com> |
apparmor: convert policy lookup to use accept as an index
Remap policydb dfa accept table from embedded perms to an index, and then move the perm lookup to use the accept entry as an index into the perm table. This is done so that the perm table can be separated from the dfa, allowing dfa accept to index to share expanded permission sets.
Signed-off-by: John Johansen <john.johansen@canonical.com>
|