#
e17bae32 |
| 30-Oct-2017 |
Ingo Molnar <mingo@kernel.org> |
Merge tag 'v4.14-rc7' into x86/mm, to pick up fixes
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
#
80c094a4 |
| 26-Oct-2017 |
Linus Torvalds <torvalds@linux-foundation.org> |
Revert "apparmor: add base infastructure for socket mediation"
This reverts commit 651e28c5537abb39076d3949fb7618536f1d242e.
This caused a regression: "The specific problem is that dnsmasq refuses to start on openSUSE Leap 42.2. The specific cause is that an attempt to open a PF_LOCAL socket gets EACCES. This means that networking doesn't function on a system with a 4.14-rc2 system."
Sadly, the developers involved seemed to be in denial for several weeks about this, delaying the revert. This has not been a good release for the security subsystem, and this area needs to change development practices.
Reported-and-bisected-by: James Bottomley <James.Bottomley@hansenpartnership.com>
Tracked-by: Thorsten Leemhuis <regressions@leemhuis.info>
Cc: John Johansen <john.johansen@canonical.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
#
91de76e6 |
| 23-Oct-2017 |
Dmitry Torokhov <dmitry.torokhov@gmail.com> |
Merge tag 'v4.14-rc6' into next
Merge with mainline to bring in the timer API changes.
|
#
96753522 |
| 20-Oct-2017 |
Ingo Molnar <mingo@kernel.org> |
Merge branch 'x86/urgent' into x86/mm, to pick up fixes
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
#
c23fed1d |
| 19-Oct-2017 |
Mark Brown <broonie@kernel.org> |
Merge branch 'linus-4.14-rc4-acp-prereq' of git://people.freedesktop.org/~agd5f/linux into asoc-amd
|
#
0c9a66ec |
| 16-Oct-2017 |
Andreas Gruenbacher <agruenba@redhat.com> |
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
|
#
58f2c391 |
| 16-Oct-2017 |
Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
Merge 4.14-rc5 into char-misc-next
We need the fixes in here to resolve merge issues and for testing.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
#
6edcf572 |
| 14-Oct-2017 |
Ingo Molnar <mingo@kernel.org> |
Merge branch 'core/urgent' into x86/asm, to pick up dependency
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
#
36452b8b |
| 12-Oct-2017 |
Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> |
Merge tag 'v4.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux into fbdev-for-next
Linux 4.14-rc4
|
#
4fcae770 |
| 09-Oct-2017 |
Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
Merge 4.14-rc4 into usb-next
This merges in the USB fixes that we need here.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
#
9424e8b1 |
| 09-Oct-2017 |
Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
Merge 4.14-rc4 into tty-next
We want the tty/serial fixes in here as well.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
#
1236d6bb |
| 09-Oct-2017 |
Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
Merge 4.14-rc4 into staging-next
We want the staging/iio fixes in here as well to handle merge issues.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
#
753d179a |
| 06-Oct-2017 |
Johannes Berg <johannes.berg@intel.com> |
Merge remote-tracking branch 'net-next/master' into mac80211-next
Merging this brings in the timer_setup() change, which allows me to apply Kees's mac80211 changes for it.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
#
3a9fce32 |
| 05-Oct-2017 |
Takashi Iwai <tiwai@suse.de> |
Merge branch 'topic/timer-api' into for-next
|
#
0d3c24e9 |
| 03-Oct-2017 |
Daniel Vetter <daniel.vetter@ffwll.ch> |
Merge airlied/drm-next into drm-misc-next
Just catching up with upstream.
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
|
#
cf09e3c9 |
| 29-Sep-2017 |
Mauro Carvalho Chehab <mchehab@s-opensource.com> |
Merge tag 'v4.14-rc2' into patchwork
Linux 4.14-rc2
* tag 'v4.14-rc2': (12066 commits)
  Linux 4.14-rc2
  tpm: ibmvtpm: simplify crq initialization and document crq format
  tpm: replace msleep() with usleep_range() in TPM 1.2/2.0 generic drivers
  Documentation: tpm: add powered-while-suspended binding documentation
  tpm: tpm_crb: constify acpi_device_id.
  tpm: vtpm: constify vio_device_id
  security: fix description of values returned by cap_inode_need_killpriv
  x86/asm: Fix inline asm call constraints for Clang
  objtool: Handle another GCC stack pointer adjustment bug
  inet: fix improper empty comparison
  net: use inet6_rcv_saddr to compare sockets
  net: set tb->fast_sk_family
  net: orphan frags on stand-alone ptype in dev_queue_xmit_nit
  MAINTAINERS: update git tree locations for ieee802154 subsystem
  SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags
  SMB3: handle new statx fields
  arch: remove unused *_segments() macros/functions
  parisc: Unbreak bootloader due to gcc-7 optimizations
  parisc: Reintroduce option to gzip-compress the kernel
  apparmor: fix apparmorfs DAC access permissions
  ...
|
#
32f35b86 |
| 28-Sep-2017 |
Jani Nikula <jani.nikula@intel.com> |
Merge drm-upstream/drm-next into drm-intel-next-queued
Need MST sideband message transaction to power up/down nodes.
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
|
#
4f56186e |
| 28-Sep-2017 |
Ingo Molnar <mingo@kernel.org> |
Merge branch 'linus' into perf/core, to refresh the branch
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
#
0d9c2ff1 |
| 25-Sep-2017 |
Doug Ledford <dledford@redhat.com> |
Merge tag 'v4.14-rc2' into k.o/for-next
Merge my for-next branch to Linux 4.14-rc2 and open up the for-next area for 4.15 kernel development.
Signed-off-by: Doug Ledford <dledford@redhat.com>
|
#
25eabb13 |
| 25-Sep-2017 |
James Morris <james.l.morris@oracle.com> |
Merge tag 'v4.14-rc2' into next-general
Linux 4.14-rc2
Sync to v4.14-rc2 for security subsystem developers to track.
|
#
1f8d31d1 |
| 23-Sep-2017 |
David S. Miller <davem@davemloft.net> |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
|
#
79444df4 |
| 23-Sep-2017 |
Linus Torvalds <torvalds@linux-foundation.org> |
Merge tag 'apparmor-pr-2017-09-22' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
Pull apparmor updates from John Johansen: "This is the apparmor pull request, similar to SELinux and seccomp.
It's the same series that I was sent to James' security tree + one regression fix that was found after the series was sent to James and would have been sent for v4.14-rc2.
Features:
- in preparation for secid mapping add support for absolute root view based labels
- add base infastructure for socket mediation
- add mount mediation
- add signal mediation
minor cleanups and changes:
- be defensive, ensure unconfined profiles have dfas initialized
- add more debug asserts to apparmorfs
- enable policy unpacking to audit different reasons for failure
- cleanup conditional check for label in label_print
- Redundant condition: prev_ns. in [label.c:1498]
Bug Fixes:
- fix regression in apparmorfs DAC access permissions
- fix build failure on sparc caused by undeclared signals
- fix sparse report of incorrect type assignment when freeing label proxies
- fix race condition in null profile creation
- Fix an error code in aafs_create()
- Fix logical error in verify_header()
- Fix shadowed local variable in unpack_trans_table()"
* tag 'apparmor-pr-2017-09-22' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
  apparmor: fix apparmorfs DAC access permissions
  apparmor: fix build failure on sparc caused by undeclared signals
  apparmor: fix incorrect type assignment when freeing proxies
  apparmor: ensure unconfined profiles have dfas initialized
  apparmor: fix race condition in null profile creation
  apparmor: move new_null_profile to after profile lookup fns()
  apparmor: add base infastructure for socket mediation
  apparmor: add more debug asserts to apparmorfs
  apparmor: make policy_unpack able to audit different info messages
  apparmor: add support for absolute root view based labels
  apparmor: cleanup conditional check for label in label_print
  apparmor: add mount mediation
  apparmor: add the ability to mediate signals
  apparmor: Redundant condition: prev_ns. in [label.c:1498]
  apparmor: Fix an error code in aafs_create()
  apparmor: Fix logical error in verify_header()
  apparmor: Fix shadowed local variable in unpack_trans_table()
|
#
651e28c5 |
| 19-Jul-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: add base infastructure for socket mediation
Provide a basic mediation of sockets. This is not a full net mediation but just whether a specific family of socket can be used by an application, along with setting up some basic infrastructure for network mediation to follow.
the user space rule have the basic form of
NETWORK RULE = [ QUALIFIERS ] 'network' [ DOMAIN ] [ TYPE | PROTOCOL ]
DOMAIN = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'bluetooth' | 'netlink' | 'unix' | 'rds' | 'llc' | 'can' | 'tipc' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' | 'mpls' | 'ib' | 'kcm' ) ','
TYPE = ( 'stream' | 'dgram' | 'seqpacket' | 'rdm' | 'raw' | 'packet' )
PROTOCOL = ( 'tcp' | 'udp' | 'icmp' )
eg.
  network,
  network inet,
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
|
#
2410aa96 |
| 19-Jul-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: make policy_unpack able to audit different info messages
Switch unpack auditing to using the generic name field in the audit struct and make it so we can start adding new info messages about why an unpack failed.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
|
#
2ea3ffb7 |
| 19-Jul-2017 |
John Johansen <john.johansen@canonical.com> |
apparmor: add mount mediation
Add basic mount mediation. That allows controlling based on basic mount parameters. It does not include special mount parameters for apparmor, super block labeling, or any triggers for apparmor namespace parameter modifications on pivot root.
default userspace policy rules have the form of
MOUNT RULE = ( MOUNT | REMOUNT | UMOUNT )
MOUNT = [ QUALIFIERS ] 'mount' [ MOUNT CONDITIONS ] [ SOURCE FILEGLOB ] [ '->' MOUNTPOINT FILEGLOB ]
REMOUNT = [ QUALIFIERS ] 'remount' [ MOUNT CONDITIONS ] MOUNTPOINT FILEGLOB
UMOUNT = [ QUALIFIERS ] 'umount' [ MOUNT CONDITIONS ] MOUNTPOINT FILEGLOB
MOUNT CONDITIONS = [ ( 'fstype' | 'vfstype' ) ( '=' | 'in' ) MOUNT FSTYPE EXPRESSION ] [ 'options' ( '=' | 'in' ) MOUNT FLAGS EXPRESSION ]
MOUNT FSTYPE EXPRESSION = ( MOUNT FSTYPE LIST | MOUNT EXPRESSION )
MOUNT FSTYPE LIST = Comma separated list of valid filesystem and virtual filesystem types (eg ext4, debugfs, etc)
MOUNT FLAGS EXPRESSION = ( MOUNT FLAGS LIST | MOUNT EXPRESSION )
MOUNT FLAGS LIST = Comma separated list of MOUNT FLAGS.
MOUNT FLAGS = ( 'ro' | 'rw' | 'nosuid' | 'suid' | 'nodev' | 'dev' | 'noexec' | 'exec' | 'sync' | 'async' | 'remount' | 'mand' | 'nomand' | 'dirsync' | 'noatime' | 'atime' | 'nodiratime' | 'diratime' | 'bind' | 'rbind' | 'move' | 'verbose' | 'silent' | 'loud' | 'acl' | 'noacl' | 'unbindable' | 'runbindable' | 'private' | 'rprivate' | 'slave' | 'rslave' | 'shared' | 'rshared' | 'relatime' | 'norelatime' | 'iversion' | 'noiversion' | 'strictatime' | 'nouser' | 'user' )
MOUNT EXPRESSION = ( ALPHANUMERIC | AARE ) ...
PIVOT ROOT RULE = [ QUALIFIERS ] pivot_root [ oldroot=OLD PUT FILEGLOB ] [ NEW ROOT FILEGLOB ]
SOURCE FILEGLOB = FILEGLOB
MOUNTPOINT FILEGLOB = FILEGLOB
eg.
  mount,
  mount /dev/foo,
  mount options=ro /dev/foo -> /mnt/,
  mount options in (ro,atime) /dev/foo -> /mnt/,
  mount options=ro options=atime,
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
|