Changes in Makefile

b11e51dd - apparmor: test: make static symbols visible during kunit testing

Wed, 07 Dec 2022 01:40:24 +0000

apparmor: test: make static symbols visible during kunit testingUse macros, VISIBLE_IF_KUNIT and EXPORT_SYMBOL_IF_KUNIT, to allowstatic symbols to be conditionally set to be visible duringapparmor_policy_unpack_test, which removes the need to include the testingfile in the implementation file.Change the namespace of the symbols that are now conditionally visible (byadding the prefix aa_) to avoid confusion with symbols of the same name.Allow the test to be built as a module and namespace the module name frompolicy_unpack_test to apparmor_policy_unpack_test to improve clarity ofthe module name.Provide an example of how static symbols can be dealt with in testing.Signed-off-by: Rae Moar Reviewed-by: David Gow Acked-by: John Johansen Signed-off-by: Shuah Khan List of files: /linux-6.15/security/apparmor/Makefile

caa9f579 - apparmor: isolate policy backwards compatibility to its own file

Mon, 22 Aug 2022 05:48:32 +0000

apparmor: isolate policy backwards compatibility to its own fileThe details of mapping old policy into newer policy formats cluttersup the unpack code and makes it possible to accidentally use oldmappings in code, so isolate the mapping code into its own file.This will become more important when the dfa remapping code lands,as it will greatly expand the compat code base.Signed-off-by: John Johansen List of files: /linux-6.15/security/apparmor/Makefile

56974a6f - apparmor: add base infastructure for socket mediation

Wed, 19 Jul 2017 06:18:33 +0000

de62de59 - apparmor: move task related defines and fns to task.X files

Sun, 08 Oct 2017 07:43:02 +0000

apparmor: move task related defines and fns to task.X filesSigned-off-by: John Johansen List of files: /linux-6.15/security/apparmor/Makefile

b2441318 - License cleanup: add SPDX GPL-2.0 license identifier to files with no license

Wed, 01 Nov 2017 14:07:57 +0000

License cleanup: add SPDX GPL-2.0 license identifier to files with no licenseMany source files in the tree are missing licensing information, whichmakes it harder for compliance tools to determine the correct license.By default all files without license information are under the defaultlicense of the kernel, which is GPL version 2.Update the files which contain no license information with the 'GPL-2.0'SPDX license identifier. The SPDX identifier is a legally bindingshorthand, which can be used instead of the full boiler plate text.This patch is based on work done by Thomas Gleixner and Kate Stewart andPhilippe Ombredanne.How this work was done:Patches were generated and checked against linux-4.14-rc6 for a subset ofthe use cases: - file had no licensing information it it. - file was a */uapi/* one with no licensing information in it, - file was a */uapi/* one with existing licensing information,Further patches will be generated in subsequent months to fix up caseswhere non-standard license headers were used, and references to licensehad to be inferred by heuristics based on keywords.The analysis to determine which SPDX License Identifier to be applied toa file was done in a spreadsheet of side by side results from of theoutput of two independent scanners (ScanCode & Windriver) producing SPDXtag:value files created by Philippe Ombredanne. Philippe prepared thebase worksheet, and did an initial spot review of a few 1000 files.The 4.13 kernel was the starting point of the analysis with 60,537 filesassessed. Kate Stewart did a file by file comparison of the scannerresults in the spreadsheet to determine which SPDX license identifier(s)to be applied to the file. She confirmed any determination that was notimmediately clear with lawyers working with the Linux Foundation.Criteria used to select files for SPDX license identifier tagging was: - Files considered eligible had to be source code files. - Make and config files were included as candidates if they contained >5 lines of source - File already had some variant of a license header in it (even if <5 lines).All documentation files were explicitly excluded.The following heuristics were used to determine which SPDX licenseidentifiers to apply. - when both scanners couldn't find any license traces, file was considered to have no license information in it, and the top level COPYING file license applied. For non */uapi/* files that summary was: SPDX license identifier # files ---------------------------------------------------|------- GPL-2.0 11139 and resulted in the first patch in this series. If that file was a */uapi/* path one, it was "GPL-2.0 WITH Linux-syscall-note" otherwise it was "GPL-2.0". Results of that was: SPDX license identifier # files ---------------------------------------------------|------- GPL-2.0 WITH Linux-syscall-note 930 and resulted in the second patch in this series. - if a file had some form of licensing information in it, and was one of the */uapi/* ones, it was denoted with the Linux-syscall-note if any GPL family license was found in the file or had no licensing in it (per prior point). Results summary: SPDX license identifier # files ---------------------------------------------------|------ GPL-2.0 WITH Linux-syscall-note 270 GPL-2.0+ WITH Linux-syscall-note 169 ((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause) 21 ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) 17 LGPL-2.1+ WITH Linux-syscall-note 15 GPL-1.0+ WITH Linux-syscall-note 14 ((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause) 5 LGPL-2.0+ WITH Linux-syscall-note 4 LGPL-2.1 WITH Linux-syscall-note 3 ((GPL-2.0 WITH Linux-syscall-note) OR MIT) 3 ((GPL-2.0 WITH Linux-syscall-note) AND MIT) 1 and that resulted in the third patch in this series. - when the two scanners agreed on the detected license(s), that became the concluded license(s). - when there was disagreement between the two scanners (one detected a license but the other didn't, or they both detected different licenses) a manual inspection of the file occurred. - In most cases a manual inspection of the information in the file resulted in a clear resolution of the license that should apply (and which scanner probably needed to revisit its heuristics). - When it was not immediately clear, the license identifier was confirmed with lawyers working with the Linux Foundation. - If there was any question as to the appropriate license identifier, the file was flagged for further research and to be revisited later in time.In total, over 70 hours of logged manual review was done on thespreadsheet to determine the SPDX license identifiers to apply to thesource files by Kate, Philippe, Thomas and, in some cases, confirmationby lawyers working with the Linux Foundation.Kate also obtained a third independent scan of the 4.13 code base fromFOSSology, and compared selected files where the other two scannersdisagreed against that SPDX file, to see if there was new insights. TheWindriver scanner is based on an older version of FOSSology in part, sothey are related.Thomas did random spot checks in about 500 files from the spreadsheetsfor the uapi headers and agreed with SPDX license identifier in thefiles he inspected. For the non-uapi files Thomas did random spot checksin about 15000 files.In initial set of patches against 4.14-rc6, 3 files were found to havecopy/paste license identifier errors, and have been fixed to reflect thecorrect identifier.Additionally Philippe spent 10 hours this week doing a detailed manualinspection and review of the 12,461 patched files from the initial patchversion early this week with: - a full scancode scan run, collecting the matched texts, detected license ids and scores - reviewing anything where there was a license detected (about 500+ files) to ensure that the applied SPDX license was correct - reviewing anything where there was no detection but the patch license was not GPL-2.0 WITH Linux-syscall-note to ensure that the applied SPDX license was correctThis produced a worksheet with 20 files needing minor correction. Thisworksheet was then exported into 3 different .csv files for thedifferent types of files to be modified.These .csv files were then reviewed by Greg. Thomas wrote a script toparse the csv files and add the proper SPDX tag to the file, in theformat that the file expected. This script was further refined by Gregbased on the output to detect more types of files automatically and todistinguish between header and source .c files (which need differentcomment types.) Finally Greg ran the script using the .csv files togenerate the patches.Reviewed-by: Kate Stewart Reviewed-by: Philippe Ombredanne Reviewed-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman List of files: /linux-6.15/security/apparmor/Makefile

80c094a4 - Revert "apparmor: add base infastructure for socket mediation"

Thu, 26 Oct 2017 17:35:35 +0000

Revert "apparmor: add base infastructure for socket mediation"This reverts commit 651e28c5537abb39076d3949fb7618536f1d242e.This caused a regression: "The specific problem is that dnsmasq refuses to start on openSUSE Leap 42.2. The specific cause is that and attempt to open a PF_LOCAL socket gets EACCES. This means that networking doesn't function on a system with a 4.14-rc2 system."Sadly, the developers involved seemed to be in denial for several weeksabout this, delaying the revert. This has not been a good release forthe security subsystem, and this area needs to change developmentpractices.Reported-and-bisected-by: James Bottomley Tracked-by: Thorsten Leemhuis Cc: John Johansen Cc: Vlastimil Babka Cc: Seth Arnold Signed-off-by: Linus Torvalds List of files: /linux-6.15/security/apparmor/Makefile

651e28c5 - apparmor: add base infastructure for socket mediation

Wed, 19 Jul 2017 06:18:33 +0000

2ea3ffb7 - apparmor: add mount mediation

Wed, 19 Jul 2017 06:04:47 +0000

637f688d - apparmor: switch from profiles to using labels on contexts

Fri, 09 Jun 2017 15:14:28 +0000

apparmor: switch from profiles to using labels on contextsBegin the actual switch to using domain labels by storing them onthe context and converting the label to a singular profile wherepossible.Signed-off-by: John Johansen List of files: /linux-6.15/security/apparmor/Makefile

c97204ba - apparmor: rename apparmor file fns and data to indicate use

Thu, 25 May 2017 13:23:42 +0000

apparmor: rename apparmor file fns and data to indicate useprefixes are used for fns/data that are not static to apparmorfs.cwith the prefixes being aafs - special magic apparmorfs for policy namespace data aa_sfs - for fns/data that go into securityfs aa_fs - for fns/data that may be used in the either of aafs or securityfsSigned-off-by: John Johansen Reviewed-by: Seth Arnold Reviewed-by: Kees Cook List of files: /linux-6.15/security/apparmor/Makefile

651e5495 - security/apparmor: Use POSIX-compatible "printf '%s'"

Fri, 14 Oct 2016 19:29:49 +0000

security/apparmor: Use POSIX-compatible "printf '%s'"When using a strictly POSIX-compliant shell, "-n #define ..." getswritten into the file. Use "printf '%s'" to avoid this.Signed-off-by: Thomas Schneider Signed-off-by: John Johansen List of files: /linux-6.15/security/apparmor/Makefile

121d4a91 - apparmor: rename sid to secid

Mon, 16 Jan 2017 08:42:17 +0000

apparmor: rename sid to secidMove to common terminology with other LSMs and kernel infrastuctureSigned-off-by: John Johansen List of files: /linux-6.15/security/apparmor/Makefile

cff281f6 - apparmor: split apparmor policy namespaces code into its own file

Mon, 16 Jan 2017 08:42:15 +0000

apparmor: split apparmor policy namespaces code into its own filePolicy namespaces will be diverging from profile management andexpanding so put it in its own file.Signed-off-by: John Johansen List of files: /linux-6.15/security/apparmor/Makefile

f8eb8a13 - apparmor: add the ability to report a sha1 hash of loaded policy

Wed, 14 Aug 2013 18:27:36 +0000

apparmor: add the ability to report a sha1 hash of loaded policyProvide userspace the ability to introspect a sha1 hash value for eachprofile currently loaded.Signed-off-by: John Johansen Acked-by: Seth Arnold List of files: /linux-6.15/security/apparmor/Makefile

84f1f787 - apparmor: export set of capabilities supported by the apparmor module

Wed, 14 Aug 2013 18:27:32 +0000

apparmor: export set of capabilities supported by the apparmor moduleSigned-off-by: John Johansen Acked-by: Seth Arnold List of files: /linux-6.15/security/apparmor/Makefile

43c422ed - apparmor: fix apparmor OOPS in audit_log_untrustedstring+0x1c/0x40

Wed, 17 Oct 2012 20:29:33 +0000

apparmor: fix apparmor OOPS in audit_log_untrustedstring+0x1c/0x40The capability defines have moved causing the auto generated namesof capabilities that apparmor uses in logging to be incorrect.Fix the autogenerated table source to uapi/linux/capability.hReported-by: YanHong Reported-by: Krzysztof Kolasa Analyzed-by: Al Viro Signed-off-by: John Johansen Acked-by: David Howells Acked-by: James Morris Signed-off-by: Linus Torvalds List of files: /linux-6.15/security/apparmor/Makefile

8a1ab315 - UAPI: (Scripted) Disintegrate include/asm-generic

Thu, 04 Oct 2012 17:20:15 +0000

UAPI: (Scripted) Disintegrate include/asm-genericSigned-off-by: David Howells Acked-by: Arnd Bergmann Acked-by: Thomas Gleixner Acked-by: Michael Kerrisk Acked-by: Paul E. McKenney Acked-by: Dave Jones List of files: /linux-6.15/security/apparmor/Makefile

7e570145 - AppArmor: Fix location of const qualifier on generated string tables

Thu, 15 Mar 2012 06:41:17 +0000

AppArmor: Fix location of const qualifier on generated string tablesSigned-off-by: Tetsuo Handa Signed-off-by: John Johansen List of files: /linux-6.15/security/apparmor/Makefile

33e521ac - AppArmor: Add const qualifiers to generated string tables

Wed, 14 Mar 2012 12:53:40 +0000

AppArmor: Add const qualifiers to generated string tablesSigned-off-by: John Johansen List of files: /linux-6.15/security/apparmor/Makefile

d384b0a1 - AppArmor: export known rlimit names/value mappings in securityfs

Fri, 27 Jan 2012 00:29:23 +0000

AppArmor: export known rlimit names/value mappings in securityfsSince the parser needs to know which rlimits are known to the kernel,export the list via a mask file in the "rlimit" subdirectory in thesecurityfs "features" directory.Signed-off-by: Kees Cook Signed-off-by: John Johansen List of files: /linux-6.15/security/apparmor/Makefile