apparmor: Remove deadcode

aa_label_audit, aa_label_find, aa_label_seq_print and aa_update_label_name
were added by commit
f1bd904175e8 ("apparmor: add the base fns() for domain labels")
but never us

apparmor: Remove deadcode

aa_label_audit, aa_label_find, aa_label_seq_print and aa_update_label_name
were added by commit
f1bd904175e8 ("apparmor: add the base fns() for domain labels")
but never used.

aa_profile_label_perm was added by commit
637f688dc3dc ("apparmor: switch from profiles to using labels on contexts")
but never used.

aa_secid_update was added by commit
c092921219d2 ("apparmor: add support for mapping secids and using secctxes")
but never used.

aa_split_fqname has been unused since commit
3664268f19ea ("apparmor: add namespace lookup fns()")

aa_lookup_profile has been unused since commit
93c98a484c49 ("apparmor: move exec domain mediation to using labels")

aa_audit_perms_cb was only used by aa_profile_label_perm (see above).

All of these commits are from around 2017.

Remove them.

Signed-off-by: Dr. David Alan Gilbert <[email protected]>
Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: refcount the pdb

With the move to permission tables the dfa is no longer a stand
alone entity when used, needing a minimum of a permission table.
However it still could be shared among dif

apparmor: refcount the pdb

With the move to permission tables the dfa is no longer a stand
alone entity when used, needing a minimum of a permission table.
However it still could be shared among different pdbs each using
a different permission table.

Instead of duping the permission table when sharing a pdb, add a
refcount to the pdb so it can be easily shared.

Reviewed-by: Georgia Garcia <[email protected]>
Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: Free up __cleanup() name

In order to use __cleanup for __attribute__((__cleanup__(func))) the
name must not be used for anything else. Avoid the conflict.

Signed-off-by: Peter Zijlstra (I

apparmor: Free up __cleanup() name

In order to use __cleanup for __attribute__((__cleanup__(func))) the
name must not be used for anything else. Avoid the conflict.

Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
Acked-by: John Johansen <[email protected]>
Link: https://lkml.kernel.org/r/20230612093537.536441207%40infradead.org

show more ...

apparmor: extend permissions to support a label and tag string

add indexes for label and tag entries. Rename the domain table to the
str_table as its a shared string table with label and tags.

Sign

apparmor: extend permissions to support a label and tag string

add indexes for label and tag entries. Rename the domain table to the
str_table as its a shared string table with label and tags.

Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: preparse for state being more than just an integer

Convert from an unsigned int to a state_t for state position. This is
a step in prepping for the state position carrying some additional

apparmor: preparse for state being more than just an integer

Convert from an unsigned int to a state_t for state position. This is
a step in prepping for the state position carrying some additional
flags, and a limited form of backtracking to support variables.

Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: fix absroot causing audited secids to begin with =

AppArmor is prefixing secids that are converted to secctx with the =
to indicate the secctx should only be parsed from an absolute root
P

apparmor: fix absroot causing audited secids to begin with =

AppArmor is prefixing secids that are converted to secctx with the =
to indicate the secctx should only be parsed from an absolute root
POV. This allows catching errors where secctx are reparsed back into
internal labels.

Unfortunately because audit is using secid to secctx conversion this
means that subject and object labels can result in a very unfortunate
== that can break audit parsing.

eg. the subj==unconfined term in the below audit message

type=USER_LOGIN msg=audit(1639443365.233:160): pid=1633 uid=0 auid=1000
ses=3 subj==unconfined msg='op=login id=1000 exe="/usr/sbin/sshd"
hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/1 res=success'

Fix this by switch the prepending of = to a _. This still works as a
special character to flag this case without breaking audit. Also move
this check behind debug as it should not be needed during normal
operqation.

Fixes: 26b7899510ae ("apparmor: add support for absolute root view based labels")
Reported-by: Casey Schaufler <[email protected]>
Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: fix zero-length compiler warning in AA_BUG()

Uses of AA_BUG() without a message can result in the compiler warning

warning: zero-length gnu_printf format string [-Wformat-zero-length]

apparmor: fix zero-length compiler warning in AA_BUG()

Uses of AA_BUG() without a message can result in the compiler warning

warning: zero-length gnu_printf format string [-Wformat-zero-length]

Fix this with a pragma for now. A larger rework of AA_BUG() will
follow.

Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: avoid -Wempty-body warning

Building with 'make W=1' shows a warning for an empty macro:

security/apparmor/label.c: In function '__label_update':
security/apparmor/label.c:2096:59: error:

apparmor: avoid -Wempty-body warning

Building with 'make W=1' shows a warning for an empty macro:

security/apparmor/label.c: In function '__label_update':
security/apparmor/label.c:2096:59: error: suggest braces around empty body in an 'else' statement [-Werror=empty-body]
2096 | AA_BUG(labels_ns(label) != labels_ns(new));

Change the macro definition to use no_printk(), which improves
format string checking and avoids the warning.

Signed-off-by: Arnd Bergmann <[email protected]>
Signed-off-by: John Johansen <[email protected]>

show more ...

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441

Based on 1 normalized pattern(s):

this program is free software you can redistribute it and or modify
it under the terms of th

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441

Based on 1 normalized pattern(s):

this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license as published by
the free software foundation version 2 of the license

extracted by the scancode license scanner the SPDX license identifier

GPL-2.0-only

has been chosen to replace the boilerplate/reference in 315 file(s).

Signed-off-by: Thomas Gleixner <[email protected]>
Reviewed-by: Allison Randal <[email protected]>
Reviewed-by: Armijn Hemel <[email protected]>
Cc: [email protected]
Link: https://lkml.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

show more ...

Infrastructure management of the cred security blob

Move management of the cred security blob out of the
security modules and into the security infrastructre.
Instead of allocating and freeing space

Infrastructure management of the cred security blob

Move management of the cred security blob out of the
security modules and into the security infrastructre.
Instead of allocating and freeing space the security
modules tell the infrastructure how much space they
require.

Signed-off-by: Casey Schaufler <[email protected]>
Reviewed-by: Kees Cook <[email protected]>
[kees: adjusted for ordered init series]
Signed-off-by: Kees Cook <[email protected]>

show more ...

Rename superblock flags (MS_xyz -> SB_xyz)

This is a pure automated search-and-replace of the internal kernel
superblock flags.

The s_flags are now called SB_*, with the names and the values for th

Rename superblock flags (MS_xyz -> SB_xyz)

This is a pure automated search-and-replace of the internal kernel
superblock flags.

The s_flags are now called SB_*, with the names and the values for the
moment mirroring the MS_* flags that they're equivalent to.

Note how the MS_xyz flags are the ones passed to the mount system call,
while the SB_xyz flags are what we then use in sb->s_flags.

The script to do this was:

# places to look in; re security/*: it generally should *not* be
# touched (that stuff parses mount(2) arguments directly), but
# there are two places where we really deal with superblock flags.
FILES="drivers/mtd drivers/staging/lustre fs ipc mm \
include/linux/fs.h include/uapi/linux/bfs_fs.h \
security/apparmor/apparmorfs.c security/apparmor/include/lib.h"
# the list of MS_... constants
SYMS="RDONLY NOSUID NODEV NOEXEC SYNCHRONOUS REMOUNT MANDLOCK \
DIRSYNC NOATIME NODIRATIME BIND MOVE REC VERBOSE SILENT \
POSIXACL UNBINDABLE PRIVATE SLAVE SHARED RELATIME KERNMOUNT \
I_VERSION STRICTATIME LAZYTIME SUBMOUNT NOREMOTELOCK NOSEC BORN \
ACTIVE NOUSER"

SED_PROG=
for i in $SYMS; do SED_PROG="$SED_PROG -e s/MS_$i/SB_$i/g"; done

# we want files that contain at least one of MS_...,
# with fs/namespace.c and fs/pnode.c excluded.
L=$(for i in $SYMS; do git grep -w -l MS_$i $FILES; done| sort|uniq|grep -v '^fs/namespace.c'|grep -v '^fs/pnode.c')

for f in $L; do sed -i $f $SED_PROG; done

Requested-by: Al Viro <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>

show more ...

locking/rwsem, security/apparmor: Replace homebrew use of write_can_lock() with lockdep

The lockdep subsystem provides a robust way to assert that a lock is
held, so use that instead of write_can_lo

locking/rwsem, security/apparmor: Replace homebrew use of write_can_lock() with lockdep

The lockdep subsystem provides a robust way to assert that a lock is
held, so use that instead of write_can_lock, which can give incorrect
results for qrwlocks.

Signed-off-by: Will Deacon <[email protected]>
Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
Acked-by: John Johansen <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: [email protected]
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Ingo Molnar <[email protected]>

show more ...

apparmor: move exec domain mediation to using labels

Signed-off-by: John Johansen <[email protected]>

apparmor: share profile name on replacement

The profile names are the same, leverage this.

Signed-off-by: John Johansen <[email protected]>

apparmor: make internal lib fn skipn_spaces available to the rest of apparmor

Signed-off-by: John Johansen <[email protected]>

mm: introduce kv[mz]alloc helpers

Patch series "kvmalloc", v5.

There are many open coded kmalloc with vmalloc fallback instances in the
tree. Most of them are not careful enough or simply do not c

mm: introduce kv[mz]alloc helpers

Patch series "kvmalloc", v5.

There are many open coded kmalloc with vmalloc fallback instances in the
tree. Most of them are not careful enough or simply do not care about
the underlying semantic of the kmalloc/page allocator which means that
a) some vmalloc fallbacks are basically unreachable because the kmalloc
part will keep retrying until it succeeds b) the page allocator can
invoke a really disruptive steps like the OOM killer to move forward
which doesn't sound appropriate when we consider that the vmalloc
fallback is available.

As it can be seen implementing kvmalloc requires quite an intimate
knowledge if the page allocator and the memory reclaim internals which
strongly suggests that a helper should be implemented in the memory
subsystem proper.

Most callers, I could find, have been converted to use the helper
instead. This is patch 6. There are some more relying on __GFP_REPEAT
in the networking stack which I have converted as well and Eric Dumazet
was not opposed [2] to convert them as well.

[1] http://lkml.kernel.org/r/[email protected]
[2] http://lkml.kernel.org/r/1485273626.16328.301.camel@edumazet-glaptop3.roam.corp.google.com

This patch (of 9):

Using kmalloc with the vmalloc fallback for larger allocations is a
common pattern in the kernel code. Yet we do not have any common helper
for that and so users have invented their own helpers. Some of them are
really creative when doing so. Let's just add kv[mz]alloc and make sure
it is implemented properly. This implementation makes sure to not make
a large memory pressure for > PAGE_SZE requests (__GFP_NORETRY) and also
to not warn about allocation failures. This also rules out the OOM
killer as the vmalloc is a more approapriate fallback than a disruptive
user visible action.

This patch also changes some existing users and removes helpers which
are specific for them. In some cases this is not possible (e.g.
ext4_kvmalloc, libcfs_kvzalloc) because those seems to be broken and
require GFP_NO{FS,IO} context which is not vmalloc compatible in general
(note that the page table allocation is GFP_KERNEL). Those need to be
fixed separately.

While we are at it, document that __vmalloc{_node} about unsupported gfp
mask because there seems to be a lot of confusion out there.
kvmalloc_node will warn about GFP_KERNEL incompatible (which are not
superset) flags to catch new abusers. Existing ones would have to die
slowly.

[[email protected]: f2fs fixup]
Link: http://lkml.kernel.org/r/[email protected]
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Michal Hocko <[email protected]>
Signed-off-by: Stephen Rothwell <[email protected]>
Reviewed-by: Andreas Dilger <[email protected]> [ext4 part]
Acked-by: Vlastimil Babka <[email protected]>
Cc: John Hubbard <[email protected]>
Cc: David Miller <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>

show more ...

apparmor: fix parameters so that the permission test is bypassed at boot

Boot parameters are written before apparmor is ready to answer whether
the user is policy_view_capable(). Setting the paramet

apparmor: fix parameters so that the permission test is bypassed at boot

Boot parameters are written before apparmor is ready to answer whether
the user is policy_view_capable(). Setting the parameters at boot results
in an oops and failure to boot. Setting the parameters at boot is
obviously allowed so skip the permission check when apparmor is not
initialized.

While we are at it move the more complicated check to last.

Signed-off-by: John Johansen <[email protected]>
Signed-off-by: James Morris <[email protected]>

show more ...

apparmor: pass gfp param into aa_policy_init()

Signed-off-by: John Johansen <[email protected]>

apparmor: constify policy name and hname

Signed-off-by: John Johansen <[email protected]>

apparmor: rename hname_tail to basename

Rename to the shorter and more familiar shell cmd name

Signed-off-by: John Johansen <[email protected]>

apparmor: rename mediated_filesystem() to path_mediated_fs()

Rename to indicate the test is only about whether path mediation is used,
not whether other types of mediation might be used.

Signed-off

apparmor: rename mediated_filesystem() to path_mediated_fs()

Rename to indicate the test is only about whether path mediation is used,
not whether other types of mediation might be used.

Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: add debug assert AA_BUG and Kconfig to control debug info

Signed-off-by: John Johansen <[email protected]>

apparmor: add macro for bug asserts to check that a lock is held

Signed-off-by: John Johansen <[email protected]>

apparmor: add lib fn to find the "split" for fqnames

Signed-off-by: John Johansen <[email protected]>

apparmor: split out shared policy_XXX fns to lib

Signed-off-by: John Johansen <[email protected]>