Re: [apparmor] [PATCH 07/36] apparmor: use free_profile instead of put_profile when erroring out early

2013-05-01 Thread Seth Arnold
On Wed, May 01, 2013 at 02:30:52PM -0700, John Johansen wrote:
> aa_put_profile causes profiles to go through an rcu based delayed free
> cycle. Discard profiles that can't be in use and hence don't need the delayed
> free call free_profile directly.

This description doesn't seem to match the code,

Re: [apparmor] [PATCH 05/36] apparmor: fix namespace to be freed via RCU

2013-05-01 Thread Seth Arnold
On Wed, May 01, 2013 at 02:30:50PM -0700, John Johansen wrote:
> Namespace lookups are RCU lists just like profile lookups, so the
> free path for namespaces needs to be done using RCU just as is being
> done for profiles.
>
> Add the missing rcu_call back for freeing namespaces.
>
> Signed-off-by

Re: [apparmor] [PATCH 01/36] apparmor: provide base for multiple profiles to be replaced at once

2013-05-01 Thread Seth Arnold
On Wed, May 01, 2013 at 02:30:46PM -0700, John Johansen wrote:
> previously profiles had to be loaded one at a time, which could result
> in cases where a replacement would partially succeed, and then fail
> resulting in inconsistent policy.
>
> Allow multiple profiles to be replaced atomically so tha

Re: [apparmor] /dev/nvidiactl denied by Firefox profile.

2013-05-01 Thread Seth Arnold
On Tue, Apr 30, 2013 at 10:00:08PM +0200, Daniel Curtis wrote:
> Since I've put a Firefox default profile in 'enforce' mode,
> from some time in '/var/log/syslog' and '/var/log/kern.log'
> files, I see some entries about AppArmor activity. It always
> refers to one thing: '/dev/nvidiactl'. There i

[apparmor] [PATCH 36/36] apparmor: fix returning -einval when should be no perms on query interface

2013-05-01 Thread John Johansen
Signed-off-by: John Johansen --- security/apparmor/apparmorfs.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index 5121596..b637ea9 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/appa

[apparmor] [PATCH 35/36] apparmor: add a features/dbus dir to securityfs interface

2013-05-01 Thread John Johansen
Add a dbus directory to the apparmor securityfs features subdirectory to contain a mask file with the supported D-Bus mediation rules. Signed-off-by: Tyler Hicks Acked-by: John Johansen Acked-by: Seth Arnold --- security/apparmor/apparmorfs.c | 6 ++ 1 file changed, 6 insertions(+) diff

[apparmor] [PATCH 33/36] apparmor: implement profile-based query interface in apparmorfs

2013-05-01 Thread John Johansen
From: Tyler Hicks Allow userspace applications to query for allowed, denied, audit, and quiet permissions using a profile name and a DFA match string. Userspace applications that wish to enforce access controls defined in the system's AppArmor policy can use this interface to perform access contr

[apparmor] [PATCH 32/36] apparmor: treat mount as if each task may have multi-profile labels

2013-05-01 Thread John Johansen
Signed-off-by: John Johansen --- security/apparmor/mount.c | 311 +- 1 file changed, 194 insertions(+), 117 deletions(-) diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c index b3e019b..7188a82 100644 --- a/security/apparmor/mount.c ++

[apparmor] [PATCH 25/36] apparmor: rework auditing to use the label

2013-05-01 Thread John Johansen
Signed-off-by: John Johansen --- security/apparmor/audit.c | 23 +++ security/apparmor/include/audit.h | 5 ++--- security/apparmor/lsm.c | 2 +- 3 files changed, 18 insertions(+), 12 deletions(-) diff --git a/security/apparmor/audit.c b/security/apparmor/

[apparmor] [PATCH 22/36] apparmor: move replacedby to use labels instead of profiles

2013-05-01 Thread John Johansen
Moving replacedby to use labels will allow for faster label lookup when a label is replaced and also remove the need to create replacement labels to get a non-stale version during task confinement lookup. This is a first step just handling single profile labels, a second patch to actually handle

[apparmor] [PATCH 20/36] apparmor: update profile interface file for labels

2013-05-01 Thread John Johansen
Signed-off-by: John Johansen --- security/apparmor/apparmorfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index 9397542..e4d6853 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs

[apparmor] [PATCH 13/36] apparmor: fix the locking etc. in the new policy interface

2013-05-01 Thread John Johansen
Signed-off-by: John Johansen --- security/apparmor/apparmorfs.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index b079cea..bfc8015 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/appa

[apparmor] [PATCH 23/36] apparmor: introduce using labels from contexts

2013-05-01 Thread John Johansen
Baby step to using labels instead of profiles. Switch from using profile refs to label refs. Note this step does not make any functional changes Signed-off-by: John Johansen --- security/apparmor/apparmorfs.c | 2 +- security/apparmor/audit.c| 2 +- security/apparmor/context.

[apparmor] [PATCH 27/36] apparmor: treat each task as if the label can have multiple entries

2013-05-01 Thread John Johansen
Next baby step to labels. Update most code to walk labels as if there are multiple entries in a label, even though atm there can only be one. This does not update the domain transitions, exec, change_hat, change_profile (separate patch). Also it bails on first error, where for learning purposes it

[apparmor] [PATCH 24/36] apparmor: add ability to print labels and update interface to use

2013-05-01 Thread John Johansen
Signed-off-by: John Johansen --- security/apparmor/include/label.h | 20 +- security/apparmor/include/policy.h | 2 + security/apparmor/label.c | 529 + security/apparmor/policy.c | 22 ++ security/apparmor/procattr.c | 53 ++-- 5 f

[apparmor] [PATCH 19/36] apparmor: directly free a label if it has not been added to a labelset

2013-05-01 Thread John Johansen
In error conditions it is possible to put a label that has not been added to a labelset. In this case just directly free it. Signed-off-by: John Johansen --- security/apparmor/label.c | 13 + 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/security/apparmor/label.c b/secur

[apparmor] [PATCH 17/36] apparmor: reuse name string from previous profile

2013-05-01 Thread John Johansen
For profiles that have been replaced reuse the name string so the old and new version of the profile share the same string. This will make some checks/comparisons in labeling quicker. Signed-off-by: John Johansen --- security/apparmor/apparmorfs.c | 2 +- security/apparmor/include/apparm

[apparmor] [PATCH 34/36] apparmor: update profile permission query interface to use labels

2013-05-01 Thread John Johansen
Signed-off-by: John Johansen --- security/apparmor/apparmorfs.c | 101 + 1 file changed, 53 insertions(+), 48 deletions(-) diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index 917e5ec..e3bef94 100644 --- a/security/apparmor/ap

[apparmor] [PATCH 31/36] apparmor: convert mount to label instead of profile

2013-05-01 Thread John Johansen
Signed-off-by: John Johansen --- security/apparmor/include/mount.h | 16 security/apparmor/lsm.c | 32 security/apparmor/mount.c | 25 - 3 files changed, 40 insertions(+), 33 deletions(-) diff --git a/sec

[apparmor] [PATCH 30/36] apparmor: Add the ability to mediate mount

2013-05-01 Thread John Johansen
Add the ability for apparmor to do mediation of mount operations. Mount rules require an updated apparmor_parser (2.8 series) for policy compilation.

The basic form of the rules is:

  [audit] [deny] mount [conds]* [device] [ -> [conds] path],
  [audit] [deny] remount [conds]* [path],
  [audit] [

[apparmor] [PATCH 29/36] apparmor: set up base labeling on sockets

2013-05-01 Thread John Johansen
Signed-off-by: John Johansen --- security/apparmor/.gitignore | 1 + security/apparmor/Makefile | 42 +++- security/apparmor/apparmorfs.c | 1 + security/apparmor/include/audit.h | 4 + security/apparmor/include/file.h | 2 + security/apparmor/include/net.h| 54

[apparmor] [PATCH 28/36] apparmor: remove FLAG_MEDIATE_DELETED

2013-05-01 Thread John Johansen
The label FLAG_MEDIATE_DELETED will never be set as it is not part of the policy stream (PATH_MEDIATED_DELETED is used), and it is never used outside of policy load (where it has no effect). Signed-off-by: John Johansen --- security/apparmor/include/label.h | 2 +- security/apparmor/include/path

[apparmor] [PATCH 26/36] apparmor: audit the profile and namespace for all messages

2013-05-01 Thread John Johansen
Unconfined profiles were not having their profile or namespace audited. However there are only a few special cases where unconfined will result in an audit message, like during policy load. In these cases it is useful to know which namespace is in use so log the unconfined profile and its namespa

[apparmor] [PATCH 21/36] apparmor: baby step - now add labels to the labelset trees

2013-05-01 Thread John Johansen
Just add the labels to the tree to make sure insertions and deletions into the rb tree are working. Signed-off-by: John Johansen --- security/apparmor/policy.c | 53 +++--- 1 file changed, 36 insertions(+), 17 deletions(-) diff --git a/security/apparmor/p

[apparmor] [PATCH 18/36] apparmor: add basic support for implicit labeling of files

2013-05-01 Thread John Johansen
The labeling of files is implied by the set of rules and profiles. Add the ability to set implicit labels on files to reduce the number of path and rule lookups that are needed. Signed-off-by: John Johansen --- security/apparmor/Kconfig | 11 + security/apparmor/Makefile | 2

[apparmor] [PATCH 16/36] apparmor: update compatibility patch for RCU locking

2013-05-01 Thread John Johansen
Signed-off-by: John Johansen --- security/apparmor/apparmorfs.c | 17 + 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index e33a4c5..6d0f0f8 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/a

[apparmor] [PATCH 14/36] apparmor: add an optional profile attachment string

2013-05-01 Thread John Johansen
Add the ability to take in and report a human readable profile attachment string. Signed-off-by: John Johansen Acked-By: Seth Arnold --- security/apparmor/apparmorfs.c | 34 ++ security/apparmor/include/apparmorfs.h | 1 + security/apparmor/include/polic

[apparmor] [PATCH 10/36] apparmor: allow setting any profile into the unconfined state

2013-05-01 Thread John Johansen
Allow emulating the default profile behavior from boot, by allowing loading of a profile in the unconfined state into a new NS. Signed-off-by: John Johansen --- security/apparmor/domain.c| 4 ++-- security/apparmor/include/policy.h| 6 +++--- security/apparmor/include/pol

[apparmor] [PATCH 07/36] apparmor: use free_profile instead of put_profile when erroring out early

2013-05-01 Thread John Johansen
aa_put_profile causes profiles to go through an rcu based delayed free cycle. Discard profiles that can't be in use and hence don't need the delayed free call free_profile directly. Signed-off-by: John Johansen --- security/apparmor/include/policy.h | 1 + security/apparmor/policy.c | 10

[apparmor] [PATCH 08/36] apparmor: provide the ability to boot with a default profile set on init

2013-05-01 Thread John Johansen
Add the ability to boot with a basic default profile instead of the unconfined state. This provides a way to provide total system confinement without having to load policy in the init ramfs. The basic default profile can be replaced during early boot to achieve system confinement. Signed-off-by:

[apparmor] [PATCH 15/36] apparmor: Add profile introspection file to interface

2013-05-01 Thread John Johansen
Add the dynamic profiles file to the interface, to allow load policy introspection. Signed-off-by: John Johansen Acked-by: Kees Cook --- security/apparmor/apparmorfs.c | 228 + 1 file changed, 228 insertions(+) diff --git a/security/apparmor/apparmorfs.c

[apparmor] [PATCH 05/36] apparmor: fix namespace to be freed via RCU

2013-05-01 Thread John Johansen
Namespace lookups are RCU lists just like profile lookups, so the free path for namespaces needs to be done using RCU just as is being done for profiles. Add the missing rcu_call back for freeing namespaces. Signed-off-by: John Johansen --- security/apparmor/policy.c | 28 ---

[apparmor] [PATCH 12/36] apparmor: merge profile mode names

2013-05-01 Thread John Johansen
introspection patch introduced a second copy of profile mode names in audit that is not in sync with the one in policy. Merge them into a single entity. Signed-off-by: John Johansen --- security/apparmor/audit.c | 6 -- security/apparmor/include/audit.h | 3 --- security/apparmor/i

[apparmor] [PATCH 11/36] apparmor: Add interface files for profiles and namespaces

2013-05-01 Thread John Johansen
Add basic interface files to access namespace and profile information. The interface files are created when a profile is loaded and removed when the profile or namespace is removed. Signed-off-by: John Johansen --- security/apparmor/apparmorfs.c | 328 +++-- s

[apparmor] [PATCH 06/36] apparmor: rework namespace free path

2013-05-01 Thread John Johansen
namespaces now completely use the unconfined profile to track the refcount and rcu freeing cycle. So rework the code to simplify (track everything through the profile path right up to the end), and move the rcu_head from policy base to profile as the namespace no longer needs it. Signed-off-by: Jo

[apparmor] [PATCH 09/36] apparmor: fix fs entry display for default profile

2013-05-01 Thread John Johansen
The default profile needs its replaced by information set as it's on the profile list and will have an fs interface (and the fs interface files require a valid replacedby). Signed-off-by: John Johansen --- security/apparmor/policy.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/security/

[apparmor] [PATCH 04/36] apparmor: update how unconfined is handled

2013-05-01 Thread John Johansen
ns->unconfined is being used read side without locking, nor rcu but is being updated when a namespace is removed. This works for the root ns which is never removed but has a race window and can cause failures when children namespaces are removed. Also ns and ns->unconfined have a circular refcount

[apparmor] [PATCH 02/36] apparmor: convert profile lists to RCU based locking

2013-05-01 Thread John Johansen
Signed-off-by: John Johansen --- security/apparmor/domain.c | 16 ++- security/apparmor/include/apparmor.h | 6 + security/apparmor/include/policy.h | 44 +++- security/apparmor/policy.c | 212 ++- 4 files changed, 170 insertions(+), 10

[apparmor] [PATCH 01/36] apparmor: provide base for multiple profiles to be replaced at once

2013-05-01 Thread John Johansen
Previously profiles had to be loaded one at a time, which could result in cases where a replacement would partially succeed, and then fail resulting in inconsistent policy. Allow multiple profiles to be replaced atomically so that the replacement either succeeds or fails atomically for the set of pro

[apparmor] [PATCH 03/36] apparmor: change how profile replacement update is done

2013-05-01 Thread John Johansen
Remove the use of replaced by chaining and move to profile invalidation and lookup to handle task replacement. Replacement chaining can result in large chains of profiles being pinned in memory when one profile in the chain is in use. With implicit labeling this will be even more of a problem, so mov

[apparmor] [Patch 0/36] v4 apparmor 3 kernel patches

2013-05-01 Thread John Johansen
This is an updated set of apparmor 3 kernel patches. It is not the full set of patches but covers the set currently being used in the apparmor-devel and dbus-dev ppas. This is largely the same set that was in the v3 patchset but it's had some iteration and cleanup. The atomic load (1/36) and rcu pa

Re: [apparmor] GSoC Project on new AppArmor profile development tool

2013-05-01 Thread Seth Arnold
On Wed, May 01, 2013 at 05:35:03PM +0200, Christian Boltz wrote:
> On Sunday, 28 April 2013, Seth Arnold wrote:
> > I don't know anything about the GSoC project or process, but it'd be
>
> Let's change that ;-)
>
> We (Kshitij, John and I) discussed several things in private mails,
> but Kshi

Re: [apparmor] GSoC Project on new AppArmor profile development tool

2013-05-01 Thread Christian Boltz
Hello,

On Sunday, 28 April 2013, Seth Arnold wrote:
> I don't know anything about the GSoC project or process, but it'd be

Let's change that ;-)

We (Kshitij, John and I) discussed several things in private mails, but Kshitij's proposal is public - feel free to have a look at it ;-) http://w