The aad macro can replace aad strings when it is not intended to. Switch
to a fn macro so it is only applied when intended.
Also at the same time cleanup audit_data initialization by putting
common boiler plate behind a macro, and dropping the gfp_t parameter
which will become useless.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Having ops be an integer that is an index into an op name table is
awkward and brittle. Every op change requires an edit for both the
op constant and a string in the table. Instead switch to using const
strings directly, eliminating the need for the table that needs to
be kept in sync.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Trying to update the task cred while the task current cred is not the
real cred will result in an error at the cred layer. Avoid this by
failing early and delaying the update.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Verify that profiles in a load set specify the same policy ns and
audit the name of the policy ns that policy is being loaded for.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Store loaded policy and allow introspecting it through apparmorfs. This
has several uses from debugging, policy validation, and policy checkpoint
and restore for containers.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Policy management will be expanded beyond traditional unconfined root.
This will require knowning the profile of the task doing the management
and the ns view.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Prepare for a tighter pairing of user namespaces and apparmor policy
namespaces, by making the ns to be viewed available.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Prepare for a tighter pairing of user namespaces and apparmor policy
namespaces, by making the ns to be viewed available and checking
that the user namespace level is the same as the policy ns level.
This strict pairing will be relaxed once true support of user namespaces
lands.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Borrow the special null device file from selinux to "close" fds that
don't have sufficient permissions at exec time.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Commit 9f834ec18d ("binfmt_elf: switch to new creds when switching to new mm")
changed when the creds are installed by the binfmt_elf handler. This
affects which creds are used to mmap the executable into the address
space. Which can have an affect on apparmor policy.
Add a flag to apparmor at
/sys/kernel/security/apparmor/features/domain/fix_binfmt_elf_mmap
to make it possible to detect this semantic change so that the userspace
tools and the regression test suite can correctly deal with the change.
BugLink: http://bugs.launchpad.net/bugs/1630069
Signed-off-by: John Johansen <john.johansen@canonical.com>
Instead of testing whether a given dfa exists in every code path, have
a default null dfa that is used when loaded policy doesn't provide a
dfa.
This will let us get rid of special casing and avoid dereference bugs
when special casing is missed.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Newer policy will combine the file and policydb dfas, allowing for
better optimizations. However to support older policy we need to
keep the ability to address the "file" dfa separately. So dup
the policydb as if it is the file dfa and set the appropriate start
state.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The dfa is currently setup to be shared (has the basis of refcounting)
but currently can't be because the count can't be increased.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Newer policy encodes more than just version in the version tag,
so add masking to make sure the comparison remains correct.
Note: this is fully compatible with older policy as it will never set
the bits being masked out.
Signed-off-by: John Johansen <john.johansen@canonical.com>
When possible its better to name a learning profile after the missing
profile in question. This allows for both more informative names and
for profile reuse.
Signed-off-by: John Johansen <john.johansen@canonical.com>
prepare_ns() will need to be called from alternate views, and namespaces
will need to be created via different interfaces. So refactor and
allow specifying the view ns.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Rename to indicate the test is only about whether path mediation is used,
not whether other types of mediation might be used.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Policy namespaces will be diverging from profile management and
expanding so put it in its own file.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Prepare to mark sensitive kernel structures for randomization by making
sure they're using designated initializers. These were identified during
allyesconfig builds of x86, arm, and arm64, with most initializer fixes
extracted from grsecurity.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Calling kmalloc(GFP_NOIO) with order == PAGE_ALLOC_COSTLY_ORDER is not
recommended because it might fall into infinite retry loop without
invoking the OOM killer.
Since aa_dfa_unpack() is the only caller of kvzalloc() and
aa_dfa_unpack() which is calling kvzalloc() via unpack_table() is
doing kzalloc(GFP_KERNEL), it is safe to use GFP_KERNEL from
__aa_kvmalloc().
Since aa_simple_write_to_buffer() is the only caller of kvmalloc()
and aa_simple_write_to_buffer() is calling copy_from_user() which
is GFP_KERNEL context (see memdup_user_nul()), it is safe to use
GFP_KERNEL from __aa_kvmalloc().
Therefore, replace GFP_NOIO with GFP_KERNEL. Also, since we have
vmalloc() fallback, add __GFP_NORETRY so that we don't invoke the OOM
killer by kmalloc(GFP_KERNEL) with order == PAGE_ALLOC_COSTLY_ORDER.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen