John Johansen [Wed, 15 Feb 2017 23:13:50 +0000 (15:13 -0800)]
UBUNTU: SAUCE: apparmor: fix link auditing failure due to, uninitialized var
The lperms struct is uninitialized for use with auditing if there is
an early failure due to a path name error. This can result in incorrect
logging or in the extreme case apparmor killing the task with a signal
which results in the failure in the referenced bug.
BugLink: http://bugs.launchpad.net/bugs/1664912 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Hari Bathini [Wed, 15 Feb 2017 18:16:11 +0000 (11:16 -0700)]
UBUNTU: SAUCE: powerpc/fadump: set an upper limit for boot memory size
BugLink: http://bugs.launchpad.net/bugs/1655241
By default, 5% of system RAM is reserved for preserving boot memory.
Alternatively, a user can specify the amount of memory to reserve.
See Documentation/powerpc/firmware-assisted-dump.txt for details. In
addition to the memory reserved for preserving boot memory, some more
memory is reserved, to save HPTE region, CPU state data and ELF core
headers.
Memory Reservation during first kernel looks like below:
Low memory Top of memory
0 boot memory size |
| | |<--Reserved dump area -->|
V V | Permanent Reservation V
+-----------+----------/ /----------+---+----+-----------+----+
| | |CPU|HPTE| DUMP |ELF |
+-----------+----------/ /----------+---+----+-----------+----+
| ^
| |
\ /
-------------------------------------------
Boot memory content gets transferred to
reserved area by firmware at the time of
crash
The implicit rule here is that the sum of the sizes of boot memory,
CPU state data, HPTE region and ELF core headers can't be greater than
the total memory size. But currently, a user is allowed to specify any
value as boot memory size. So, the above rule is violated when a boot
memory size closer to 50% of the total available memory is specified.
As the kernel is not handling this currently, it may lead to undefined
behavior. Fix it by setting an upper limit for boot memory size to 25%
of the total available memory.
Signed-off-by: Hari Bathini <hbathini@linux.vnet.ibm.com>
BugLink: http://bugs.launchpad.net/bugs/1649292
To support unprivileged users mounting filesystems two permission
checks have to be performed: a test to see if the user allowed to
create a mount in the mount namespace, and a test to see if
the user is allowed to access the specified filesystem.
The automount case is special in that mounting the original filesystem
grants permission to mount the sub-filesystems, to any user who
happens to stumble across the their mountpoint and satisfies the
ordinary filesystem permission checks.
Attempting to handle the automount case by using override_creds
almost works. It preserves the idea that permission to mount
the original filesystem is permission to mount the sub-filesystem.
Unfortunately using override_creds messes up the filesystems
ordinary permission checks.
Solve this by being explicit that a mount is a submount by introducing
vfs_submount, and using it where appropriate.
vfs_submount uses a new mount internal mount flags MS_SUBMOUNT, to let
sget and friends know that a mount is a submount so they can take appropriate
action.
sget and sget_userns are modified to not perform any permission checks
on submounts.
follow_automount is modified to stop using override_creds as that
has proven problemantic.
do_mount is modified to always remove the new MS_SUBMOUNT flag so
that we know userspace will never by able to specify it.
autofs4 is modified to stop using current_real_cred that was put in
there to handle the previous version of submount permission checking.
cifs is modified to pass the mountpoint all of the way down to vfs_submount.
debugfs is modified to pass the mountpoint all of the way down to
trace_automount by adding a new parameter. To make this change easier
a new typedef debugfs_automount_t is introduced to capture the type of
the debugfs automount function.
Cc: stable@vger.kernel.org Fixes: 069d5ac9ae0d ("autofs: Fix automounts by using current_real_cred()->uid") Fixes: aeaa4a79ff6a ("fs: Call d_automount with the filesystems creds") Reviewed-by: Trond Myklebust <trond.myklebust@primarydata.com> Reviewed-by: Seth Forshee <seth.forshee@canonical.com> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
(cherry picked from commit 93faccbbfa958a9668d3ab4e30f38dd205cee8d8 linux-next) Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Long Li [Thu, 15 Dec 2016 02:46:03 +0000 (18:46 -0800)]
scsi: storvsc: properly set residual data length on errors
BugLink: http://bugs.launchpad.net/bugs/1663687
On I/O errors, the Windows driver doesn't set data_transfer_length
on error conditions other than SRB_STATUS_DATA_OVERRUN.
In these cases we need to set data_transfer_length to 0,
indicating there is no data transferred. On SRB_STATUS_DATA_OVERRUN,
data_transfer_length is set by the Windows driver to the actual data transferred.
Reported-by: Shiva Krishna <Shiva.Krishna@nimblestorage.com> Signed-off-by: Long Li <longli@microsoft.com> Reviewed-by: K. Y. Srinivasan <kys@microsoft.com> Signed-off-by: K. Y. Srinivasan <kys@microsoft.com> Cc: <stable@vger.kernel.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
(cherry picked from linux-next commit 40630f462824ee24bc00d692865c86c3828094e0) Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Long Li [Thu, 15 Dec 2016 02:46:02 +0000 (18:46 -0800)]
scsi: storvsc: properly handle SRB_ERROR when sense message is present
BugLink: http://bugs.launchpad.net/bugs/1663687
When sense message is present on error, we should pass along to the upper
layer to decide how to deal with the error.
This patch fixes connectivity issues with Fiber Channel devices.
Signed-off-by: Long Li <longli@microsoft.com> Reviewed-by: K. Y. Srinivasan <kys@microsoft.com> Signed-off-by: K. Y. Srinivasan <kys@microsoft.com> Cc: <stable@vger.kernel.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
(cherry picked from linux-next commit bba5dc332ec2d3a685cb4dae668c793f6a3713a3) Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Long Li [Thu, 15 Dec 2016 02:46:01 +0000 (18:46 -0800)]
scsi: storvsc: use tagged SRB requests if supported by the device
BugLink: http://bugs.launchpad.net/bugs/1663687
Properly set SRB flags when hosting device supports tagged queuing.
This patch improves the performance on Fiber Channel disks.
Signed-off-by: Long Li <longli@microsoft.com> Reviewed-by: K. Y. Srinivasan <kys@microsoft.com> Signed-off-by: K. Y. Srinivasan <kys@microsoft.com> Cc: <stable@vger.kernel.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
(cherry picked from linux-next commit 3cd6d3d9b1abab8dcdf0800224ce26daac24eea2) Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
1. We will make every effort to pick a channel that is in the
same NUMA node that is initiating the I/O
2. The mapping between the guest CPU and the outgoing channel
is persistent.
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com> Reviewed-by: Long Li <longli@microsoft.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
(back ported from linux-next commit d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1) Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Conflicts:
drivers/scsi/storvsc_drv.c
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com> Reviewed-by: Long Li <longli@microsoft.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
(cherry picked from linux-next commit 977965283526dd2e887331365da19b05c909a966) Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com> Reviewed-by: Long Li <longli@microsoft.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
(cherry picked from linux-next commit f64dad2628bdf62eac7ac145a6e31430376b65e4) Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Li Zhong [Fri, 11 Nov 2016 04:57:36 +0000 (12:57 +0800)]
KVM: PPC: Book 3S: XICS: Don't lock twice when checking for resend
BugLink: http://bugs.launchpad.net/bugs/1651248
This patch improves the code that takes lock twice to check the resend flag
and do the actual resending, by checking the resend flag locklessly, and
add a boolean parameter check_resend to icp_[rm_]deliver_irq(), so the
resend flag can be checked in the lock when doing the delivery.
We need make sure when we clear the ics's bit in the icp's resend_map, we
don't miss the resend flag of the irqs that set the bit. It could be
ordered through the barrier in test_and_clear_bit(), and a newly added
wmb between setting irq's resend flag, and icp's resend_map.
Signed-off-by: Li Zhong <zhong@linux.vnet.ibm.com> Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
(cherry picked from linux-next commit 21acd0e4df04f02176e773468658c3cebff096bb) Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
When the interrupt is presented, set P. Present if P was not set.
If P is already set, don't present again, set Q.
When the interrupt is EOI'ed, move Q into P (and clear Q). If it is
set, re-present.
The asserted flag used by LSI is also incorporated into the P bit.
When the irq state is saved, P/Q bits are also saved, they need some
qemu modifications to be recognized and passed around to be restored.
KVM_XICS_PENDING bit set and saved should also indicate
KVM_XICS_PRESENTED bit set and saved. But it is possible some old
code doesn't have/recognize the P bit, so when we restore, we set P
for PENDING bit, too.
The idea and much of the code come from Ben.
Signed-off-by: Li Zhong <zhong@linux.vnet.ibm.com> Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
(cherry picked from linux-next commit 17d48610ae0fa218aa386b16a538c792991a3652) Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
ics_check_resend()
lock ics_lock
see resend set
unlock ics_lock
/* change affinity of the irq */
kvmppc_xics_set_xive()
write_xive()
lock ics_lock
see resend set
unlock ics_lock
icp_deliver_irq() /* resend */
icp_deliver_irq() /* resend again */
It doesn't have any user-visible effect at present, but needs to be avoided
when the following patch implementing the P/Q stuff is applied.
This patch clears the resend flag before releasing the ics lock, when we
know we will do a re-delivery after checking the flag, or setting the flag.
Signed-off-by: Li Zhong <zhong@linux.vnet.ibm.com> Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
(cherry picked from linux-next commit bf5a71d53835110d46d33eb5335713ffdbff9ab6) Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Li Zhong [Fri, 11 Nov 2016 04:57:33 +0000 (12:57 +0800)]
KVM: PPC: Book 3S: XICS: correct the real mode ICP rejecting counter
BugLink: http://bugs.launchpad.net/bugs/1651248
Some counters are added in Commit 6e0365b78273 ("KVM: PPC: Book3S HV:
Add ICP real mode counters"), to provide some performance statistics to
determine whether further optimizing is needed for real mode functions.
The n_reject counter counts how many times ICP rejects an irq because of
priority in real mode. The redelivery of an lsi that is still asserted
after eoi doesn't fall into this category, so the increasement there is
removed.
Also, it needs to be increased in icp_rm_deliver_irq() if it rejects
another one.
Signed-off-by: Li Zhong <zhong@linux.vnet.ibm.com> Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
(cherry picked from linux-next commit 37451bc95dee0e666927d6ffdda302dbbaaae6fa) Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Li Zhong [Fri, 11 Nov 2016 04:57:32 +0000 (12:57 +0800)]
KVM: PPC: Book 3S: XICS cleanup: remove XICS_RM_REJECT
BugLink: http://bugs.launchpad.net/bugs/1651248
Commit b0221556dbd3 ("KVM: PPC: Book3S HV: Move virtual mode ICP functions
to real-mode") removed the setting of the XICS_RM_REJECT flag. And
since that commit, nothing else sets the flag any more, so we can remove
the flag and the remaining code that handles it, including the counter
that counts how many times it get set.
Signed-off-by: Li Zhong <zhong@linux.vnet.ibm.com> Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
(cherry picked from linux-next commit 5efa6605151b84029edeb2e07f2d2d74b52c106f) Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Seth Forshee [Tue, 19 Jan 2016 19:12:02 +0000 (13:12 -0600)]
UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs
The original mounter had CAP_SYS_ADMIN in the user namespace
where the mount happened, and the vfs has validated that the user
has permission to do the requested operation. This is sufficient
for allowing the kernel to write these specific xattrs, so we can
bypass the permission checks for these xattrs.
To support this, export __vfs_setxattr_noperm and add an similar
__vfs_removexattr_noperm which is also exported. Use these when
setting or removing trusted.overlayfs.* xattrs.
Colin Ian King [Mon, 6 Feb 2017 15:21:31 +0000 (15:21 +0000)]
UBUNTU: SAUCE: md/raid6 algorithms: scale test duration for speedier boots
The original code runs for a set run time based on 2^RAID6_TIME_JIFFIES_LG2.
The default kernel value for RAID6_TIME_JIFFIES_LG2 is 4, however, emperical
testing shows that a value of 3.5 is the sweet spot for getting consistent
benchmarking results and speeding up the run time of the benchmarking.
To achieve 2^3.5 we use the following:
2^3.5 = 2^4 / 2^0.5
= 2^4 / sqrt(2)
= 2^4 * 0.707106781
Too keep this as integer math that is as accurate as required and avoiding
overflow, this becomes:
= 2^4 * 181 / 256
= (2^4 * 181) >> 8
We also need to scale down perf by the same factor, however, to
get a good approximate integer result without an overflow we scale
by 2^4.0 * sqrt(2) =
= 2 ^ 4 * 1.41421356237
= 2 ^ 4 * 1448 / 1024
= (2 ^ 4 * 1448) >> 10
This has been tested on 2 AWS instances, a small t2 and a medium m3
with 30 boot tests each and compared to the same instances booted 30
times on an umodified kernel. In all results, we get the same
algorithms being selected and a 100% consistent result over the 30
boots, showing that this optimised jiffy timing scaling does not break
the original functionality.
On the t2.small we see a saving of ~0.126 seconds and t3.medium a saving of
~0.177 seconds.
Tested on a 4 CPU VM on an 8 thread Xeon server; seeing a saving of ~0.33
seconds (average over 10 boots).
Tested on a 8 thread Xeon server, seeing a saving of ~1.24 seconds (average
of 10 boots).
The testing included double checking the algorithm chosen by the optimized
selection and seeing the same as pre-optimised version.
Signed-off-by: Colin Ian King <colin.king@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Kamal Mostafa <kamal@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Thu, 2 Feb 2017 09:09:02 +0000 (01:09 -0800)]
fix regression with domain change in complain mode
The patch
Fix no_new_privs blocking change_onexec when using stacked namespaces
changed when the no_new_privs checks is processed so the test could
be correctly applied in a stacked profile situation.
However it changed the behavior of the error returned in complain mode,
which will have both @error and @new set.
Fix this by introducing a new var to indicate the no_new_privs condition
instead of relying on error. While doing this allow the new label under
no new privs to be audited, by having its reference put in the error path,
instead of in the no_new_privs condition check.
John Johansen [Mon, 30 Jan 2017 10:38:14 +0000 (02:38 -0800)]
UBUNTU: SAUCE: apparmor: flock mediation is not being enforced on cache check
When an open file with cached permissions is checked for the flock
permission. The cache check fails and falls through to no error instead
of auditing, and returning an error.
For the fall through to do a permission check, so it will audit the
failed flock permission check.
BugLink: http://bugs.launchpad.net/bugs/1658219 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Thu, 12 Jan 2017 23:12:25 +0000 (15:12 -0800)]
UBUNTU: SAUCE: apparmor: null profiles should inherit parent control flags
null profiles that don't have the same control flags as the parent
behave in unexpected ways and can cause failures.
BugLink: http://bugs.launchpad.net/bugs/1656121 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Wed, 18 Jan 2017 09:23:11 +0000 (01:23 -0800)]
UBUNTU: SAUCE: apparmor: fix ns ref count link when removing profiles from policy
BugLink: http://bugs.launchpad.net/bugs/1660849 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Sat, 31 Dec 2016 11:55:30 +0000 (03:55 -0800)]
UBUNTU: SAUCE: apparmor: Fix no_new_privs blocking change_onexec when using stacked namespaces
Push the no_new_privs logic into the per profile transition fns, so
that the no_new_privs check can be done at the ns level instead of the
aggregate stack level.
BugLink: http://bugs.launchpad.net/bugs/1648143 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Thu, 8 Dec 2016 02:59:07 +0000 (18:59 -0800)]
UBUNTU: SAUCE: apparmor: fix lock ordering for mkdir
There is a lock inversion that can result in a dead lock when profile
replacements are racing with dir creation for a namespace in apparmorfs.
BugLink: http://bugs.launchpad.net/bugs/1645037 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Thu, 8 Dec 2016 02:56:31 +0000 (18:56 -0800)]
UBUNTU: SAUCE: apparmor: fix leak on securityfs pin count
apparmor is leaking pinfs refcoutn when inode setup fails.
BugLink: http://bugs.launchpad.net/bugs/1660846 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Thu, 8 Dec 2016 02:52:14 +0000 (18:52 -0800)]
UBUNTU: SAUCE: apparmor: fix reference count leak when securityfs_setup_d_inode() fails
BugLink: http://bugs.launchpad.net/bugs/1660845 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Thu, 8 Dec 2016 02:50:14 +0000 (18:50 -0800)]
UBUNTU: SAUCE: apparmor: fix not handling error case when securityfs_pin_fs() fails
BugLink: http://bugs.launchpad.net/bugs/1660842 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Sat, 3 Dec 2016 10:36:39 +0000 (02:36 -0800)]
UBUNTU: SAUCE: apparmor: fix oops in bind_mnt when dev_path lookup fails
Bind mounts can oops when devname lookup fails because the devname is
uninitialized and used in auditing the denial.
BugLink: http://bugs.launchpad.net/bugs/1660840 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Sat, 12 Nov 2016 00:06:25 +0000 (16:06 -0800)]
UBUNTU: SAUCE: apparmor: Don't audit denied access of special apparmor .null file
When an fd is disallowed from being inherited during exec, instead of
closed it is duped to a special apparmor/.null file. This prevents the
fd from being reused by another file in case the application expects
the original file on a give fd (eg stdin/stdout etc). This results in
a denial message like
[32375.561535] audit: type=1400 audit(1478825963.441:358): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-t_<var-lib-lxd>" profile="/sbin/dhclient" name="/dev/pts/1" pid=16795 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=165536
Further access to the fd is resultin in the rather useless denial message
of
[32375.566820] audit: type=1400 audit(1478825963.445:359): apparmor="DENIED" operation="file_perm" namespace="root//lxd-t_<var-lib-lxd>" profile="/sbin/dhclient" name="/apparmor/.null" pid=16795 comm="dhclient" requested_mask="w" denied_mask="w" fsuid=165536 ouid=0
since we have the original denial, the noisy and useless .null based
denials can be skipped.
BugLink: http://bugs.launchpad.net/bugs/1660836 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Sat, 12 Nov 2016 19:33:54 +0000 (11:33 -0800)]
UBUNTU: SAUCE: apparmor: fix label leak when new label is unused
When a new label is created, it is created with a proxy in a circular
ref count that is broken by replacement. However if the label is not
used it will never be replaced and the circular ref count will never
be broken resulting in a leak.
BugLink: http://bugs.launchpad.net/bugs/1660834 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Sat, 12 Nov 2016 09:39:51 +0000 (01:39 -0800)]
UBUNTU: SAUCE: apparmor: fix reference count bug in label_merge_insert()
@new does not have a reference taken locally and should not have its
reference put locally either.
BugLink: http://bugs.launchpad.net/bugs/1660833 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Sat, 12 Nov 2016 05:44:20 +0000 (21:44 -0800)]
UBUNTU: SAUCE: apparmor: fix replacement race in reading rawdata
The reading of rawdata is subject to a replacement race when the
rawdata is read in chunks smaller than the data size.
For each read the profile proxy is rechecked for the newest profile;
Which means if a profile is replaced between reads later chunks will
contain data from the new version of the profile while the earlier
reads will contain data from the previous version. This can result in
data that is inconsistent and corrupt.
Instead of rechecking for the current profile at each read. Get the
current profile at the time of the open and use the rawdata of the
profile for the lifetime that the file handle is open.
BugLink: http://bugs.launchpad.net/bugs/1638996 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
When using nested namespaces policy within the nested namespace is trying
to cross validate with policy outside of the namespace that is not
visible to it. This results the access being denied and with no way to
add a rule to policy that would allow it.
The check should only be done again policy that is visible.
BugLink: http://bugs.launchpad.net/bugs/1660832 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Tue, 4 Oct 2016 00:27:09 +0000 (17:27 -0700)]
UBUNTU: SAUCE: apparmor: add flag to detect semantic change, to binfmt_elf mmap
commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46 changed when the creds
are installed by the binfmt_elf handler. This affects which creds
are used to mmap the executable into the address space. Which can have
an affect on apparmor policy.
Add a flag to apparmor at
/sys/kernel/security/apparmor/features/domain/fix_binfmt_elf_mmap
to make it possible to detect this semantic change so that the userspace
tools and the regression test suite can correctly deal with the change.
Note: since 9f834ec1 is a potential information leak fix for prof
events and tracing, it is expected that it could be picked up by
kernels earlier kernels than 4.8 so that detecting the kernel version
is not sufficient.
BugLink: http://bugs.launchpad.net/bugs/1630069 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Brad Figg <brad.figg@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Wed, 28 Sep 2016 03:11:29 +0000 (20:11 -0700)]
apparmor: bump domain stacking version to 1.2
BugLink: http://bugs.launchpad.net/bugs/1611078 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Tue, 27 Sep 2016 00:05:45 +0000 (17:05 -0700)]
apparmor: add per ns policy management interface
BugLink: http://bugs.launchpad.net/bugs/1611078 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Tue, 27 Sep 2016 02:06:51 +0000 (19:06 -0700)]
apparmor: update policy permissions to consider ns being viewed/managed
BugLink: http://bugs.launchpad.net/bugs/1611078 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Tue, 27 Sep 2016 22:14:48 +0000 (15:14 -0700)]
apparmor: add interface to advertise status of current task stacking
BugLink: http://bugs.launchpad.net/bugs/1611078 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Wed, 28 Sep 2016 09:23:56 +0000 (02:23 -0700)]
apparmor: fix warning that fn build_pivotroot discards const
fix mount.c warnings:
warning: passing argument 2 of ‘build_pivotroot’ discards ‘const’ qualifier fro\
m pointer target type [-Wdiscarded-qualifiers]
warning: passing argument 4 of ‘build_pivotroot’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
BugLink: http://bugs.launchpad.net/bugs/1611078 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Wed, 28 Sep 2016 05:14:12 +0000 (22:14 -0700)]
apparmor: fix oops in pivot_root mediation
BugLink: http://bugs.launchpad.net/bugs/1611078 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Thu, 22 Sep 2016 17:50:42 +0000 (10:50 -0700)]
apparmor: add mkdir/rmdir interface to manage policy namespaces
BugLink: http://bugs.launchpad.net/bugs/1611078 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Thu, 22 Sep 2016 21:53:40 +0000 (14:53 -0700)]
apparmor: add __aa_find_ns fn
BugLink: http://bugs.launchpad.net/bugs/1611078 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Thu, 22 Sep 2016 19:51:11 +0000 (12:51 -0700)]
apparmor: refactor aa_prepare_ns into prepare_ns and create_ns routines
BugLink: http://bugs.launchpad.net/bugs/1611078 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Wed, 14 Sep 2016 22:23:55 +0000 (15:23 -0700)]
apparmor: add interface to be able to grab loaded policy
Check point/restore needs to be able to grab policy currently loaded
into the kernel.
BugLink: http://bugs.launchpad.net/bugs/1611078 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Sun, 14 Aug 2016 22:01:12 +0000 (15:01 -0700)]
apparmor: fix: permissions test to view and manage policy
Drop may_open_profiles and unify with policy_view_capable()
Adjust policy_view_capable() so that it is slightly less restricted.
user_namespaces can now manage policy iff
- the task has cap_mac_admin in the namespace
- the user_namespace->level == apparmor policy_namespace->level.
This ensures a usernamespace can never be used to manage the
system namespace, and can only be used to manage the namespace at its
view level.
If for some reason a user namespace is setup without an apparmor
policy namespace it will not be able to manage or view policy.
However this also means an extra level of apparmor policy namespaces
can not be setup and used with user namespaces at this time.
ie. this blocks user confinement stacking, and user defined policy
use cases from being used with user namespaces atm.
Add the ability to output a debug message in relation to
capable(cap_mac_admin) &&
policy_locked
as it is possible for these to cause failures that are not audited and
thus hard to trace down.
Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Tue, 2 Aug 2016 10:49:35 +0000 (03:49 -0700)]
apparmor: convert delegating deleted files to mediate deleted files
This is a semantic change that may need to be reverted but we can not
properly do delegation atm and doing blind delegation is a security
hole.
Files that have the necessary labeling can still be delegated however
mediation will be required for deleted files that need to be revalidated.
Note: we code is setup to specify DELEGATE_DELETED but aliases it on
the backend to MEDIATE_DELETED. This will have to be partially reverted/
changed for profile replacement causing a revalidation.
Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Thu, 4 Aug 2016 11:35:21 +0000 (04:35 -0700)]
UBUNTU: SAUCE: apparmor: Fix auditing behavior for change_hat probing
change_hat using probing to find and transition to the first available
hat. Hats missing as part of this probe are expected and should not
be logged except in complain mode.
BugLink: http://bugs.launchpad.net/bugs/1615893 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
This is because the unconfined profile is in the special unconfined
mode. Which will result in a (mixed) mode for any stack with profiles
in enforcing or complain mode.
This can however lead to confusion as to what mode is being used as
mixed is also used for enforcing stacked with complain. Since unconfined
doesn't affect the stack just special case it.
BugLink: http://bugs.launchpad.net/bugs/1615890 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Thu, 23 Jun 2016 01:01:08 +0000 (18:01 -0700)]
UBUNTU: SAUCE: apparmor: fix: parameters can be changed after policy is locked
the policy_lock parameter is a one way switch that prevents policy
from being further modified. Unfortunately some of the module parameters
can effectively modify policy by turning off enforcement.
split policy_admin_capable into a view check and a full admin check,
and update the admin check to test the policy_lock parameter.
BugLink: http://bugs.launchpad.net/bugs/1615895 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Mon, 22 Aug 2016 21:14:48 +0000 (14:14 -0700)]
UBUNTU: SAUCE: apparmor: fix vec_unique for vectors larger than 8
the vec_unique path for large vectors is broken, leading to oopses
when a file handle is shared between 8 different security domains, and
then a profile replacement/removal causing a label invalidation (ie. not
all replacements) is done.
BugLink: http://bugs.launchpad.net/bugs/1579135 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Fri, 19 Aug 2016 10:20:32 +0000 (03:20 -0700)]
UBUNTU: SAUCE: apparmor: profiles in one ns can affect mediation in another ns
When the ns hierarchy a//foo and b//foo are compared the are
incorrectly identified as being the same as they have the same depth
and the same basename.
Instead make sure to compare the full hname to distinguish this case.
BugLink: http://bugs.launchpad.net/bugs/1615887 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Mon, 23 May 2016 19:04:57 +0000 (12:04 -0700)]
UBUNTU: SAUCE: apparmor: Fix label build for onexec stacking.
The label build for onexec when crossing a namespace boundry is not
quite correct. The label needs to be built per profile and not based
on the whole label because the onexec transition only applies to
profiles within the ns. Where merging against the label could include
profile that are transitioned via the profile_transition callback
and should not be in the final label.
BugLink: http://bugs.launchpad.net/bugs/1615881 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
UBUNTU: SAUCE: apparmor: Fix FTBFS due to bad include path
When header files in security/apparmor/includes/ pull in other header
files in that directory, they should only include the file name. This
fixes a build failure reported by Tycho when using `make bindeb-pkg` to
build the Ubuntu kernel tree but, confusingly, isn't seen when building
with `fakeroot debian/rules binary-generic`.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Reported-by: Tycho Andersen <tycho.andersen@canonical.com> Cc: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Tyler Hicks [Wed, 23 Mar 2016 21:41:33 +0000 (16:41 -0500)]
UBUNTU: SAUCE: apparmor: Consult sysctl when reading profiles in a user ns
BugLink: https://launchpad.net/bugs/1560583
Check the value of the unprivileged_userns_apparmor_policy sysctl when a
namespace root process attempts to read the apparmorfs profiles file.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Tyler Hicks [Wed, 23 Mar 2016 21:26:20 +0000 (16:26 -0500)]
UBUNTU: SAUCE: apparmor: Allow ns_root processes to open profiles file
BugLink: https://launchpad.net/bugs/1560583
Change the apparmorfs profiles file permissions check to better match
the old requirements before the apparmorfs permissions were changed to
allow profile loads inside of confined, first-level user namespaces.
Historically, the profiles file has been readable by the root user and
group. A recent change added the requirement that the process have the
CAP_MAC_ADMIN capability. This is a problem for confined processes since
keeping the 'capability mac_admin,' rule out of the AppArmor profile is
often desired.
This patch replaces the CAP_MAC_ADMIN requirement with a requirement
that the process is root in its user namespace.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Tyler Hicks [Thu, 17 Mar 2016 00:19:10 +0000 (19:19 -0500)]
UBUNTU: SAUCE: add a sysctl to enable unprivileged user ns AppArmor policy loading
BugLink: http://bugs.launchpad.net/bugs/1379535
Disabled by default until the AppArmor kernel code is deemed safe enough
to handle untrusted policy. Only developers of container technologies
should turn this on until that time.
If this sysctl is set to non-zero and a process with CAP_MAC_ADMIN in
the root namespace has created an AppArmor policy namespace,
unprivileged processes will be able to change to a profile in the
newly created AppArmor policy namespace and, if the profile allows
CAP_MAC_ADMIN and appropriate file permissions, will be able to load
policy in the respective policy namespace.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Mon, 13 Jun 2016 14:05:18 +0000 (17:05 +0300)]
UBUNTU: SAUCE: (no-up) apparmor: rebase of apparmor3.5-beta1 snapshot for 4.8
BugLink: http://bugs.launchpad.net/bugs/1379535
This is a sync and squash of the apparmor 3.5-beta1 snapshot. The
set of patches in this squash are available in
git://kernel.ubuntu.com/jj/ubuntu-xenial.git
using the the tag
apparmor-3.5-beta1-presuash-snapshot
This fixes multiple bugs and adds the policy namespace stacking features. BugLink: http://bugs.launchpad.net/bugs/1379535 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
BugLink: http://bugs.launchpad.net/bugs/1630924
It may happen that secondary CPUs are still alive and resetting
hv_context.tsc_page will cause a consequent crash in read_hv_clock_tsc()
as we don't check for it being not NULL there. It is safe as we're not
freeing this page anyways.
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com> Signed-off-by: K. Y. Srinivasan <kys@microsoft.com> Cc: <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from linux-next commit 56ef6718a1d8d77745033c5291e025ce18504159) Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
BugLink: http://bugs.launchpad.net/bugs/1628889
Add support for automatic message tags to the printk macro
families dev_xyz and pr_xyz. The message tag consists of a
component name and a 24 bit hash of the message text. For
each message that is documented in the included kernel message
catalog a man page can be created with a script (which is
included in the patch). The generated man pages contain
explanatory text that is intended to help understand the
messages.
Note that only s390 specific messages are prepared
appropriately and included in the generated message catalog.
This patch is optional as it is very unlikely to be accepted
in upstream kernel, but is recommended for all distributions
which are built based on the 'Development stream'
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Tim Gardner [Tue, 31 Jan 2017 13:49:08 +0000 (06:49 -0700)]
UBUNTU: [Config] CONFIG_NET_DROP_MONITOR=m
<zioproto> hello all. I am new here. I would like some feedback
about CONFIG_NET_DROP_MONITOR=n in the Ubuntu Kernel. It would
be of great help to have it set to module. We use ubuntu for the
openstack network node.
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>