Re: [apparmor] [PATCH V2] security/apparmor: fix matching on presence of extended attributes

2019-02-05 Thread Eric Chiang
Bumping this now that we're past the holidays :)

On Fri, Dec 21, 2018 at 11:25 AM Eric Chiang wrote:
>
> Hey Seth,
>
> The proposed userland parser changes explicitly won't pass a
> zero-sized array. However, modifying the parser to pass zero-sized
> arrays causes kcalloc(0) to return ZERO_SIZE_P

Re: [apparmor] [PATCH V2] security/apparmor: fix matching on presence of extended attributes

2018-12-21 Thread Eric Chiang
Hey Seth, The proposed userland parser changes explicitly won't pass a zero-sized array. However, modifying the parser to pass zero-sized arrays causes kcalloc(0) to return ZERO_SIZE_PTR and the policy still works as if the array hadn't been passed at all. Note that other uses of unpack_array don

Re: [apparmor] [PATCH V2] security/apparmor: fix matching on presence of extended attributes

2018-12-20 Thread Seth Arnold
On Thu, Dec 20, 2018 at 01:28:38PM -0800, Eric Chiang wrote: > --- a/security/apparmor/policy_unpack.c > +++ b/security/apparmor/policy_unpack.c > @@ -535,6 +535,24 @@ static bool unpack_xattrs(struct aa_ext *e, struct > aa_profile *profile) > goto fail; > } > > +

[apparmor] [PATCH V2] security/apparmor: fix matching on presence of extended attributes

2018-12-20 Thread Eric Chiang
AppArmor recently added the ability for profiles to match extended attributes, with the intent of targeting "security.ima" and "security.evm" to differentiate between signed and unsigned files. The current implementation uses a path glob to match the extended attribute value. To require the presence