Commit 5593a733 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'apparmor-pr-2021-11-10' of... 

Merge tag 'apparmor-pr-2021-11-10' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

Pull apparmor updates from John Johansen:
 "Features
   - use per file locks for transactional queries
   - update policy management capability checks to work with LSM stacking

  Bug Fixes:
   - check/put label on apparmor_sk_clone_security()
   - fix error check on update of label hname
   - fix introspection of of task mode for unconfined tasks

  Cleanups:
   - avoid -Wempty-body warning
   - remove duplicated 'Returns:' comments
   - fix doc warning
   - remove unneeded one-line hook wrappers
   - use struct_size() helper in kzalloc()
   - fix zero-length compiler warning in AA_BUG()
   - file.h: delete duplicated word
   - delete repeated words in comments
   - remove repeated declaration"

* tag 'apparmor-pr-2021-11-10' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
  apparmor: remove duplicated 'Returns:' comments
  apparmor: remove unneeded one-line hook wrappers
  apparmor: Use struct_size() helper in kzalloc()
  apparmor: fix zero-length compiler warning in AA_BUG()
  apparmor: use per file locks for transactional queries
  apparmor: fix doc warning
  apparmor: Remove the repeated declaration
  apparmor: avoid -Wempty-body warning
  apparmor: Fix internal policy capable check for policy management
  apparmor: fix error check
  security: apparmor: delete repeated words in comments
  security: apparmor: file.h: delete duplicated word
  apparmor: switch to apparmor to internal capable check for policy management
  apparmor: update policy capable checks to use a label
  apparmor: fix introspection of of task mode for unconfined tasks
  apparmor: check/put label on apparmor_sk_clone_security()
parents dbf49896 582122f1

security/apparmor/apparmorfs.c

+8 −9
Original line number Diff line number Diff line
@@ -812,8 +812,6 @@ struct multi_transaction { 
};



#define MULTI_TRANSACTION_LIMIT (PAGE_SIZE - sizeof(struct multi_transaction))

/* TODO: replace with per file lock */

static DEFINE_SPINLOCK(multi_transaction_lock);



static void multi_transaction_kref(struct kref *kref)

{
@@ -847,10 +845,10 @@ static void multi_transaction_set(struct file *file, 
	AA_BUG(n > MULTI_TRANSACTION_LIMIT);



	new->size = n;

	spin_lock(&multi_transaction_lock);

	spin_lock(&file->f_lock);

	old = (struct multi_transaction *) file->private_data;

	file->private_data = new;

	spin_unlock(&multi_transaction_lock);

	spin_unlock(&file->f_lock);

	put_multi_transaction(old);

}
@@ -879,9 +877,10 @@ static ssize_t multi_transaction_read(struct file *file, char __user *buf, 
	struct multi_transaction *t;

	ssize_t ret;



	spin_lock(&multi_transaction_lock);

	spin_lock(&file->f_lock);

	t = get_multi_transaction(file->private_data);

	spin_unlock(&multi_transaction_lock);

	spin_unlock(&file->f_lock);



	if (!t)

		return 0;
@@ -1358,7 +1357,7 @@ static int rawdata_open(struct inode *inode, struct file *file) 
	struct aa_loaddata *loaddata;

	struct rawdata_f_data *private;



	if (!policy_view_capable(NULL))

	if (!aa_current_policy_view_capable(NULL))

		return -EACCES;



	loaddata = __aa_get_loaddata(inode->i_private);
@@ -2114,7 +2113,7 @@ static struct aa_profile *__first_profile(struct aa_ns *root, 


/**

 * __next_profile - step to the next profile in a profile tree

 * @profile: current profile in tree (NOT NULL)

 * @p: current profile in tree (NOT NULL)

 *

 * Perform a depth first traversal on the profile tree in a namespace

 *
@@ -2265,7 +2264,7 @@ static const struct seq_operations aa_sfs_profiles_op = { 


static int profiles_open(struct inode *inode, struct file *file)

{

	if (!policy_view_capable(NULL))

	if (!aa_current_policy_view_capable(NULL))

		return -EACCES;



	return seq_open(file, &aa_sfs_profiles_op);

security/apparmor/include/file.h

+1 −1
Original line number Diff line number Diff line
@@ -167,7 +167,7 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms, 
 * @perms: permission table indexed by the matched state accept entry of @dfa

 * @trans: transition table for indexed by named x transitions

 *

 * File permission are determined by matching a path against @dfa and then

 * File permission are determined by matching a path against @dfa and

 * then using the value of the accept entry for the matching state as

 * an index into @perms.  If a named exec transition is required it is

 * looked up in the transition table.

security/apparmor/include/label.h

+1 −4
Original line number Diff line number Diff line
@@ -77,10 +77,6 @@ struct aa_labelset { 
#define __labelset_for_each(LS, N) \

	for ((N) = rb_first(&(LS)->root); (N); (N) = rb_next(N))



void aa_labelset_destroy(struct aa_labelset *ls);

void aa_labelset_init(struct aa_labelset *ls);





enum label_flags {

	FLAG_HAT = 1,			/* profile is a hat */

	FLAG_UNCONFINED = 2,		/* label unconfined only if all */
@@ -148,6 +144,7 @@ do { \ 
#define __label_make_stale(X) ((X)->flags |= FLAG_STALE)

#define labels_ns(X) (vec_ns(&((X)->vec[0]), (X)->size))

#define labels_set(X) (&labels_ns(X)->labels)

#define labels_view(X) labels_ns(X)

#define labels_profile(X) ((X)->vec[(X)->size - 1])

security/apparmor/include/lib.h

+7 −2
Original line number Diff line number Diff line
@@ -31,12 +31,17 @@ 


#define AA_WARN(X) WARN((X), "APPARMOR WARN %s: %s\n", __func__, #X)



#define AA_BUG(X, args...) AA_BUG_FMT((X), "" args)

#define AA_BUG(X, args...)						    \

	do {								    \

		_Pragma("GCC diagnostic ignored \"-Wformat-zero-length\""); \

		AA_BUG_FMT((X), "" args);				    \

		_Pragma("GCC diagnostic warning \"-Wformat-zero-length\""); \

	} while (0)

#ifdef CONFIG_SECURITY_APPARMOR_DEBUG_ASSERTS

#define AA_BUG_FMT(X, fmt, args...)					\

	WARN((X), "AppArmor WARN %s: (" #X "): " fmt, __func__, ##args)

#else

#define AA_BUG_FMT(X, fmt, args...)

#define AA_BUG_FMT(X, fmt, args...) no_printk(fmt, ##args)

#endif



#define AA_ERROR(fmt, args...)						\

security/apparmor/include/policy.h

+4 −2
Original line number Diff line number Diff line
@@ -301,9 +301,11 @@ static inline int AUDIT_MODE(struct aa_profile *profile) 
	return profile->audit;

}



bool policy_view_capable(struct aa_ns *ns);

bool policy_admin_capable(struct aa_ns *ns);

bool aa_policy_view_capable(struct aa_label *label, struct aa_ns *ns);

bool aa_policy_admin_capable(struct aa_label *label, struct aa_ns *ns);

int aa_may_manage_policy(struct aa_label *label, struct aa_ns *ns,

			 u32 mask);

bool aa_current_policy_view_capable(struct aa_ns *ns);

bool aa_current_policy_admin_capable(struct aa_ns *ns);



#endif /* __AA_POLICY_H */