linux/security/apparmor, branch v3.6Linux kernel source treehttps://git.amat.us/linux/atom/security/apparmor?h=v3.62012-05-31T17:11:54Zsplit ->file_mmap() into ->mmap_addr()/->mmap_file()2012-05-31T17:11:54ZAl Viroviro@zeniv.linux.org.uk2012-05-30T17:30:51Zurn:sha1:e5467859f7f79b69fc49004403009dfdba3bec53
... i.e. file-dependent and address-dependent checks.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
split cap_mmap_addr() out of cap_file_mmap()2012-05-31T17:10:54ZAl Viroviro@zeniv.linux.org.uk2012-05-30T17:11:37Zurn:sha1:d007794a182bc072a7b7479909dbd0d67ba341be
... switch callers.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Merge branch 'master' of git://git.infradead.org/users/eparis/selinux into next2012-05-22T01:21:06ZJames Morrisjames.l.morris@oracle.com2012-05-22T01:21:06Zurn:sha1:ff2bb047c4bce9742e94911eeb44b4d6ff4734ab
Per pull request, for 3.5.
apparmor: fix long path failure due to disconnected path2012-05-18T18:09:52ZJohn Johansenjohn.johansen@canonical.com2012-05-16T18:01:05Zurn:sha1:cffee16e8b997ab947de661e8820e486b0830c94
BugLink: http://bugs.launchpad.net/bugs/955892
All failures from __d_path where being treated as disconnected paths,
however __d_path can also fail when the generated pathname is too long.
The initial ENAMETOOLONG error was being lost, and ENAMETOOLONG was only
returned if the subsequent dentry_path call resulted in that error. Other
wise if the path was split across a mount point such that the dentry_path
fit within the buffer when the __d_path did not the failure was treated
as a disconnected path.
Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor: fix profile lookup for unconfined2012-05-18T18:09:28ZJohn Johansenjohn.johansen@canonical.com2012-05-16T18:00:05Zurn:sha1:bf83208e0b7f5938f5a7f6d9dfa9960bf04692fa
BugLink: http://bugs.launchpad.net/bugs/978038
also affects apparmor portion of
BugLink: http://bugs.launchpad.net/bugs/987371
The unconfined profile is not stored in the regular profile list, but
change_profile and exec transitions may want access to it when setting
up specialized transitions like switch to the unconfined profile of a
new policy namespace.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Fix execve behavior apparmor for PR_{GET,SET}_NO_NEW_PRIVS2012-04-14T01:13:18ZJohn Johansenjohn.johansen@canonical.com2012-04-12T21:47:51Zurn:sha1:c29bceb3967398cf2ac8bf8edf9634fdb722df7d
Add support for AppArmor to explicitly fail requested domain transitions
if NO_NEW_PRIVS is set and the task is not unconfined.
Transitions from unconfined are still allowed because this always results
in a reduction of privileges.
Acked-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Will Drewry <wad@chromium.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
v18: new acked-by, new description
Signed-off-by: James Morris <james.l.morris@oracle.com>
Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs2012-04-14T01:13:18ZAndy Lutomirskiluto@amacapital.net2012-04-12T21:47:50Zurn:sha1:259e5e6c75a910f3b5e656151dc602f53f9d7548
With this change, calling
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)
disables privilege granting operations at execve-time. For example, a
process will not be able to execute a setuid binary to change their uid
or gid if this bit is set. The same is true for file capabilities.
Additionally, LSM_UNSAFE_NO_NEW_PRIVS is defined to ensure that
LSMs respect the requested behavior.
To determine if the NO_NEW_PRIVS bit is set, a task may call
prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
It returns 1 if set and 0 if it is not set. If any of the arguments are
non-zero, it will return -1 and set errno to -EINVAL.
(PR_SET_NO_NEW_PRIVS behaves similarly.)
This functionality is desired for the proposed seccomp filter patch
series. By using PR_SET_NO_NEW_PRIVS, it allows a task to modify the
system call behavior for itself and its child tasks without being
able to impact the behavior of a more privileged task.
Another potential use is making certain privileged operations
unprivileged. For example, chroot may be considered "safe" if it cannot
affect privileged tasks.
Note, this patch causes execve to fail when PR_SET_NO_NEW_PRIVS is
set and AppArmor is in use. It is fixed in a subsequent patch.
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Will Drewry <wad@chromium.org>
Acked-by: Eric Paris <eparis@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
v18: updated change desc
v17: using new define values as per 3.4
Signed-off-by: James Morris <james.l.morris@oracle.com>
LSM: do not initialize common_audit_data to 02012-04-09T16:23:04ZEric Pariseparis@redhat.com2012-04-04T19:01:43Zurn:sha1:50c205f5e5c2e2af002fd4ef537ded79b90b1b56
It isn't needed. If you don't set the type of the data associated with
that type it is a pretty obvious programming bug. So why waste the cycles?
Signed-off-by: Eric Paris <eparis@redhat.com>
apparmor: move task from common_audit_data to apparmor_audit_data2012-04-09T16:23:02ZEric Pariseparis@redhat.com2012-04-04T19:01:42Zurn:sha1:0972c74ecba4878baa5f97bb78b242c0eefacfb6
apparmor is the only LSM that uses the common_audit_data tsk field.
Instead of making all LSMs pay for the stack space move the aa usage into
the apparmor_audit_data.
Signed-off-by: Eric Paris <eparis@redhat.com>
LSM: remove the COMMON_AUDIT_DATA_INIT type expansion2012-04-09T16:23:01ZEric Pariseparis@redhat.com2012-04-04T19:01:42Zurn:sha1:bd5e50f9c1c71daac273fa586424f07205f6b13b
Just open code it so grep on the source code works better.
Signed-off-by: Eric Paris <eparis@redhat.com>