apparmor: take nosymfollow flag into account

A "nosymfollow" flag was added in commit
dab741e0e02b ("Add a "nosymfollow" mount option.")

While we don't need to implement any special logic on
the Ap

apparmor: take nosymfollow flag into account

A "nosymfollow" flag was added in commit
dab741e0e02b ("Add a "nosymfollow" mount option.")

While we don't need to implement any special logic on
the AppArmor kernel side to handle it, we should provide
user with a correct list of mount flags in audit logs.

Signed-off-by: Alexander Mikhalitsyn <[email protected]>
Reviewed-by: Georgia Garcia <[email protected]>
Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: Fix move_mount mediation by detecting if source is detached

Prevent move_mount from applying the attach_disconnected flag
to move_mount(). This prevents detached mounts from appearing
as /

apparmor: Fix move_mount mediation by detecting if source is detached

Prevent move_mount from applying the attach_disconnected flag
to move_mount(). This prevents detached mounts from appearing
as / when applying mount mediation, which is not only incorrect
but could result in bad policy being generated.

Basic mount rules like
allow mount,
allow mount options=(move) -> /target/,

will allow detached mounts, allowing older policy to continue
to function. New policy gains the ability to specify `detached` as
a source option
allow mount detached -> /target/,

In addition make sure support of move_mount is advertised as
a feature to userspace so that applications that generate policy
can respond to the addition.

Note: this fixes mediation of move_mount when a detached mount is used,
it does not fix the broader regression of apparmor mediation of
mounts under the new mount api.

Link: https://lore.kernel.org/all/[email protected]/T/#mb35fdde37f999f08f0b02d58dc1bf4e6b65b8da2
Fixes: 157a3537d6bc ("apparmor: Fix regression in mount mediation")
Reviewed-by: Georgia Garcia <[email protected]>
Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: Fix regression in mount mediation

commit 2db154b3ea8e ("vfs: syscall: Add move_mount(2) to move mounts around")

introduced a new move_mount(2) system call and a corresponding new LSM
secu

apparmor: Fix regression in mount mediation

commit 2db154b3ea8e ("vfs: syscall: Add move_mount(2) to move mounts around")

introduced a new move_mount(2) system call and a corresponding new LSM
security_move_mount hook but did not implement this hook for any
existing LSM. This creates a regression for AppArmor mediation of
mount. This patch provides a base mapping of the move_mount syscall to
the existing mount mediation. In the future we may introduce
additional mediations around the new mount calls.

Fixes: 2db154b3ea8e ("vfs: syscall: Add move_mount(2) to move mounts around")
CC: [email protected]
Reported-by: Andreas Steinmetz <[email protected]>
Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: refcount the pdb

With the move to permission tables the dfa is no longer a stand
alone entity when used, needing a minimum of a permission table.
However it still could be shared among dif

apparmor: refcount the pdb

With the move to permission tables the dfa is no longer a stand
alone entity when used, needing a minimum of a permission table.
However it still could be shared among different pdbs each using
a different permission table.

Instead of duping the permission table when sharing a pdb, add a
refcount to the pdb so it can be easily shared.

Reviewed-by: Georgia Garcia <[email protected]>
Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: pass cred through to audit info.

The cred is needed to properly audit some messages, and will be needed
in the future for uid conditional mediation. So pass it through to
where the apparmo

apparmor: pass cred through to audit info.

The cred is needed to properly audit some messages, and will be needed
in the future for uid conditional mediation. So pass it through to
where the apparmor_audit_data struct gets defined.

Reviewed-by: Georgia Garcia <[email protected]>
Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: combine common_audit_data and apparmor_audit_data

Everywhere where common_audit_data is used apparmor audit_data is also
used. We can simplify the code and drop the use of the aad macro
ev

apparmor: combine common_audit_data and apparmor_audit_data

Everywhere where common_audit_data is used apparmor audit_data is also
used. We can simplify the code and drop the use of the aad macro
everywhere by combining the two structures.

Reviewed-by: Georgia Garcia <[email protected]>
Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: rework profile->rules to be a list

Convert profile->rules to a list as the next step towards supporting
multiple rulesets in a profile. For this step only support a single
list entry item.

apparmor: rework profile->rules to be a list

Convert profile->rules to a list as the next step towards supporting
multiple rulesets in a profile. For this step only support a single
list entry item. The logic for iterating the list will come as a
separate step.

Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: refactor profile rules and attachments

In preparation for moving from a single set of rules and a single
attachment to multiple rulesets and attachments separate from the
profile refactor

apparmor: refactor profile rules and attachments

In preparation for moving from a single set of rules and a single
attachment to multiple rulesets and attachments separate from the
profile refactor attachment information and ruleset info into their
own structures.

Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: add mediation class information to auditing

Audit messages currently don't contain the mediation class which can
make them less clear than they should be in some circumstances. With
newer

apparmor: add mediation class information to auditing

Audit messages currently don't contain the mediation class which can
make them less clear than they should be in some circumstances. With
newer mediation classes coming this potential confusion will become
worse.

Fix this by adding the mediatin class to the messages.

Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: preparse for state being more than just an integer

Convert from an unsigned int to a state_t for state position. This is
a step in prepping for the state position carrying some additional

apparmor: preparse for state being more than just an integer

Convert from an unsigned int to a state_t for state position. This is
a step in prepping for the state position carrying some additional
flags, and a limited form of backtracking to support variables.

Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: convert policy lookup to use accept as an index

Remap polidydb dfa accept table from embedded perms to an index, and
then move the perm lookup to use the accept entry as an index into the

apparmor: convert policy lookup to use accept as an index

Remap polidydb dfa accept table from embedded perms to an index, and
then move the perm lookup to use the accept entry as an index into the
perm table. This is done so that the perm table can be separated from
the dfa, allowing dfa accept to index to share expanded permission
sets.

Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: compute policydb permission on profile load

Rather than computing policydb permissions for each access
permissions can be computed once on profile load and stored for lookup.

Signed-off-b

apparmor: compute policydb permission on profile load

Rather than computing policydb permissions for each access
permissions can be computed once on profile load and stored for lookup.

Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: extend policydb permission set by making use of the xbits

The policydb permission set has left the xbits unused. Make them available
for mediation.

Signed-off-by: John Johansen <john.joha

apparmor: extend policydb permission set by making use of the xbits

The policydb permission set has left the xbits unused. Make them available
for mediation.

Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: fix reference count leak in aa_pivotroot()

The aa_pivotroot() function has a reference counting bug in a specific
path. When aa_replace_current_label() returns on success, the function
for

apparmor: fix reference count leak in aa_pivotroot()

The aa_pivotroot() function has a reference counting bug in a specific
path. When aa_replace_current_label() returns on success, the function
forgets to decrement the reference count of “target”, which is
increased earlier by build_pivotroot(), causing a reference leak.

Fix it by decreasing the refcount of “target” in that path.

Fixes: 2ea3ffb7782a ("apparmor: add mount mediation")
Co-developed-by: Xiyu Yang <[email protected]>
Signed-off-by: Xiyu Yang <[email protected]>
Co-developed-by: Xin Tan <[email protected]>
Signed-off-by: Xin Tan <[email protected]>
Signed-off-by: Xin Xiong <[email protected]>
Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: Fix match_mnt_path_str() and match_mnt() kernel-doc comment

Fix a spelling problem and change @mntpath to @path to remove warnings
found by running scripts/kernel-doc, which is caused by u

apparmor: Fix match_mnt_path_str() and match_mnt() kernel-doc comment

Fix a spelling problem and change @mntpath to @path to remove warnings
found by running scripts/kernel-doc, which is caused by using 'make W=1'.

security/apparmor/mount.c:321: warning: Function parameter or member
'devname' not described in 'match_mnt_path_str'
security/apparmor/mount.c:321: warning: Excess function parameter
'devnme' description in 'match_mnt_path_str'
security/apparmor/mount.c:377: warning: Function parameter or member
'path' not described in 'match_mnt'
security/apparmor/mount.c:377: warning: Excess function parameter
'mntpath' description in 'match_mnt'

Reported-by: Abaci Robot <[email protected]>
Signed-off-by: Yang Li <[email protected]>
Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: Fix failed mount permission check error message

When the mount check fails due to a permission check failure instead
of explicitly at one of the subcomponent checks, AppArmor is reporting

apparmor: Fix failed mount permission check error message

When the mount check fails due to a permission check failure instead
of explicitly at one of the subcomponent checks, AppArmor is reporting
a failure in the flags match. However this is not true and AppArmor
can not attribute the error at this point to any particular component,
and should only indicate the mount failed due to missing permissions.

Fixes: 2ea3ffb7782a ("apparmor: add mount mediation")
Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor:match_mn() - constify devpath argument

Signed-off-by: Al Viro <[email protected]>

apparmor: fix bind mounts aborting with -ENOMEM

With commit df323337e507 ("apparmor: Use a memory pool instead per-CPU
caches, 2019-05-03"), AppArmor code was converted to use memory pools. In
that

apparmor: fix bind mounts aborting with -ENOMEM

With commit df323337e507 ("apparmor: Use a memory pool instead per-CPU
caches, 2019-05-03"), AppArmor code was converted to use memory pools. In
that conversion, a bug snuck into the code that polices bind mounts that
causes all bind mounts to fail with -ENOMEM, as we erroneously error out
if `aa_get_buffer` returns a pointer instead of erroring out when it
does _not_ return a valid pointer.

Fix the issue by correctly checking for valid pointers returned by
`aa_get_buffer` to fix bind mounts with AppArmor.

Fixes: df323337e507 ("apparmor: Use a memory pool instead per-CPU caches")
Signed-off-by: Patrick Steinhardt <[email protected]>
Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: make it so work buffers can be allocated from atomic context

In some situations AppArmor needs to be able to use its work buffers
from atomic context. Add the ability to specify when in at

apparmor: make it so work buffers can be allocated from atomic context

In some situations AppArmor needs to be able to use its work buffers
from atomic context. Add the ability to specify when in atomic context
and hold a set of work buffers in reserve for atomic context to
reduce the chance that a large work buffer allocation will need to
be done.

Fixes: df323337e507 ("apparmor: Use a memory pool instead per-CPU caches")
Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: fix wrong buffer allocation in aa_new_mount

Fix the following trace caused by the dev_path buffer not being
allocated.

[ 641.044262] AppArmor WARN match_mnt: ((devpath && !devbuffer)):
[

apparmor: fix wrong buffer allocation in aa_new_mount

Fix the following trace caused by the dev_path buffer not being
allocated.

[ 641.044262] AppArmor WARN match_mnt: ((devpath && !devbuffer)):
[ 641.044284] WARNING: CPU: 1 PID: 30709 at ../security/apparmor/mount.c:385 match_mnt+0x133/0x180
[ 641.044286] Modules linked in: snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_hda_codec snd_hda_core qxl ttm snd_hwdep snd_pcm drm_kms_helper snd_seq_midi snd_seq_midi_event drm snd_rawmidi crct10dif_pclmul crc32_pclmul ghash_clmulni_intel iptable_mangle aesni_intel aes_x86_64 xt_tcpudp crypto_simd snd_seq cryptd bridge stp llc iptable_filter glue_helper snd_seq_device snd_timer joydev input_leds snd serio_raw fb_sys_fops 9pnet_virtio 9pnet syscopyarea sysfillrect soundcore sysimgblt qemu_fw_cfg mac_hid sch_fq_codel parport_pc ppdev lp parport ip_tables x_tables autofs4 8139too psmouse 8139cp i2c_piix4 pata_acpi mii floppy
[ 641.044318] CPU: 1 PID: 30709 Comm: mount Tainted: G D W 5.1.0-rc4+ #223
[ 641.044320] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 641.044323] RIP: 0010:match_mnt+0x133/0x180
[ 641.044325] Code: 41 5d 41 5e 41 5f c3 48 8b 4c 24 18 eb b1 48 c7 c6 08 84 26 83 48 c7 c7 f0 56 54 83 4c 89 54 24 08 48 89 14 24 e8 7d d3 bb ff <0f> 0b 4c 8b 54 24 08 48 8b 14 24 e9 25 ff ff ff 48 c7 c6 08 84 26
[ 641.044327] RSP: 0018:ffffa9b34ac97d08 EFLAGS: 00010282
[ 641.044329] RAX: 0000000000000000 RBX: ffff9a86725a8558 RCX: 0000000000000000
[ 641.044331] RDX: 0000000000000002 RSI: 0000000000000001 RDI: 0000000000000246
[ 641.044333] RBP: ffffa9b34ac97db0 R08: 0000000000000000 R09: 0000000000000000
[ 641.044334] R10: 0000000000000000 R11: 00000000000077f5 R12: 0000000000000000
[ 641.044336] R13: ffffa9b34ac97e98 R14: ffff9a865e000008 R15: ffff9a86c4cf42b8
[ 641.044338] FS: 00007fab73969740(0000) GS:ffff9a86fbb00000(0000) knlGS:0000000000000000
[ 641.044340] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 641.044342] CR2: 000055f90bc62035 CR3: 00000000aab5f006 CR4: 00000000003606e0
[ 641.044346] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 641.044348] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 641.044349] Call Trace:
[ 641.044355] aa_new_mount+0x119/0x2c0
[ 641.044363] apparmor_sb_mount+0xd4/0x430
[ 641.044367] security_sb_mount+0x46/0x70
[ 641.044372] do_mount+0xbb/0xeb0
[ 641.044377] ? memdup_user+0x4b/0x70
[ 641.044380] ksys_mount+0x7e/0xd0
[ 641.044384] __x64_sys_mount+0x21/0x30
[ 641.044388] do_syscall_64+0x5a/0x1a0
[ 641.044392] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 641.044394] RIP: 0033:0x7fab73a8790a
[ 641.044397] Code: 48 8b 0d 89 85 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 56 85 0c 00 f7 d8 64 89 01 48
[ 641.044399] RSP: 002b:00007ffe0ffe4238 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[ 641.044401] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fab73a8790a
[ 641.044429] RDX: 000055f90bc6203b RSI: 00007ffe0ffe57b1 RDI: 00007ffe0ffe57a5
[ 641.044431] RBP: 00007ffe0ffe4250 R08: 0000000000000000 R09: 00007fab73b51d80
[ 641.044433] R10: 00000000c0ed0004 R11: 0000000000000206 R12: 000055f90bc610b0
[ 641.044434] R13: 00007ffe0ffe4330 R14: 0000000000000000 R15: 0000000000000000
[ 641.044457] irq event stamp: 0
[ 641.044460] hardirqs last enabled at (0): [<0000000000000000>] (null)
[ 641.044463] hardirqs last disabled at (0): [<ffffffff82290114>] copy_process.part.30+0x734/0x23f0
[ 641.044467] softirqs last enabled at (0): [<ffffffff82290114>] copy_process.part.30+0x734/0x23f0
[ 641.044469] softirqs last disabled at (0): [<0000000000000000>] (null)
[ 641.044470] ---[ end trace c0d54bdacf6af6b2 ]---

Fixes: df323337e507 ("apparmor: Use a memory pool instead per-CPU caches")
Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: Switch to GFP_KERNEL where possible

After removing preempt_disable() from get_buffers() it is possible to
replace a few GFP_ATOMIC allocations with GFP_KERNEL.

Replace GFP_ATOMIC allocati

apparmor: Switch to GFP_KERNEL where possible

After removing preempt_disable() from get_buffers() it is possible to
replace a few GFP_ATOMIC allocations with GFP_KERNEL.

Replace GFP_ATOMIC allocations with GFP_KERNEL where the context looks
to bee preepmtible.

Signed-off-by: Sebastian Andrzej Siewior <[email protected]>
Signed-off-by: John Johansen <[email protected]>

show more ...

apparmor: Use a memory pool instead per-CPU caches

The get_buffers() macro may provide one or two buffers to the caller.
Those buffers are pre-allocated on init for each CPU. By default it
allocates

apparmor: Use a memory pool instead per-CPU caches

The get_buffers() macro may provide one or two buffers to the caller.
Those buffers are pre-allocated on init for each CPU. By default it
allocates
2* 2 * MAX_PATH * POSSIBLE_CPU

which equals 64KiB on a system with 4 CPUs or 1MiB with 64 CPUs and so
on.

Replace the per-CPU buffers with a common memory pool which is shared
across all CPUs. The pool grows on demand and never shrinks. The pool
starts with two (UP) or four (SMP) elements. By using this pool it is
possible to request a buffer and keeping preemption enabled which avoids
the hack in profile_transition().

It has been pointed out by Tetsuo Handa that GFP_KERNEL allocations for
small amount of memory do not fail. In order not to have an endless
retry, __GFP_RETRY_MAYFAIL is passed (so the memory allocation is not
repeated until success) and retried once hoping that in the meantime a
buffer has been returned to the pool. Since now NULL is possible all
allocation paths check the buffer pointer and return -ENOMEM on failure.

Signed-off-by: Sebastian Andrzej Siewior <[email protected]>
Signed-off-by: John Johansen <[email protected]>

show more ...

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441

Based on 1 normalized pattern(s):

this program is free software you can redistribute it and or modify
it under the terms of th

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441

Based on 1 normalized pattern(s):

this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license as published by
the free software foundation version 2 of the license

extracted by the scancode license scanner the SPDX license identifier

GPL-2.0-only

has been chosen to replace the boilerplate/reference in 315 file(s).

Signed-off-by: Thomas Gleixner <[email protected]>
Reviewed-by: Allison Randal <[email protected]>
Reviewed-by: Armijn Hemel <[email protected]>
Cc: [email protected]
Link: https://lkml.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

show more ...

vfs: Suppress MS_* flag defs within the kernel unless explicitly enabled

Only the mount namespace code that implements mount(2) should be using the
MS_* flags. Suppress them inside the kernel unles

vfs: Suppress MS_* flag defs within the kernel unless explicitly enabled

Only the mount namespace code that implements mount(2) should be using the
MS_* flags. Suppress them inside the kernel unless uapi/linux/mount.h is
included.

Signed-off-by: David Howells <[email protected]>
Signed-off-by: Al Viro <[email protected]>
Reviewed-by: David Howells <[email protected]>

show more ...

apparmor: fix typo "independent"

Signed-off-by: Zygmunt Krynicki <[email protected]>
Acked-by: Christian Boltz <[email protected]>
Signed-off-by: John Johansen <john.johansen@canonical

apparmor: fix typo "independent"

Signed-off-by: Zygmunt Krynicki <[email protected]>
Acked-by: Christian Boltz <[email protected]>
Signed-off-by: John Johansen <[email protected]>

show more ...