When user space updates the trip point there is a deadlock, which results
in caller gets blocked forever.
Commit 05eeee2b51b4 ("thermal/core: Protect sysfs accesses to thermal
operations with thermal zone mutex"), added a mutex for tz->lock in the
function trip_point_temp_store(). Hence, trip set callback() can't
call any thermal zone API as they are protected with the same mutex lock.
The callback here calling thermal_zone_device_enable(), which will result
in deadlock.
Move the thermal_zone_device_enable() to proc_thermal_pci_probe() to
avoid this deadlock.
Fixes: 05eeee2b51b4 ("thermal/core: Protect sysfs accesses to thermal operations with thermal zone mutex") Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@intel.com> Cc: 6.2+ <stable@vger.kernel.org> # 6.2+ Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
The RISC-V ELF attributes don't contain any useful information. New
toolchains ignore them, but they frequently trip up various older/mixed
toolchains. So just turn them off.
Tested-by: Conor Dooley <conor.dooley@microchip.com> Link: https://lore.kernel.org/r/20230223224605.6995-1-palmer@rivosinc.com Cc: stable@vger.kernel.org Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Currently, calling clone3() with CLONE_NEWTIME in clone_args->flags
fails with -EINVAL. This is because CLONE_NEWTIME intersects with
CSIGNAL. However, CSIGNAL was deprecated when clone3 was introduced in
commit 7f192e3cd316 ("fork: add clone3"), allowing re-use of that part
of clone flags.
Fix this by explicitly allowing CLONE_NEWTIME in clone3_args_valid. This
is also in line with the respective check in check_unshare_flags which
allow CLONE_NEWTIME for unshare().
Fixes: 769071ac9f20 ("ns: Introduce Time Namespace") Cc: Andrey Vagin <avagin@openvz.org> Cc: Christian Brauner <brauner@kernel.org> Cc: stable@vger.kernel.org Signed-off-by: Tobias Klauser <tklauser@distanz.ch> Reviewed-by: Christian Brauner <brauner@kernel.org> Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
When MMAP2 has the PERF_RECORD_MISC_MMAP_BUILD_ID flag, it means the
record already has the build-id info. So it marks the DSO as hit, to
skip if the same DSO is not processed if it happens to miss the build-id
later.
But it missed to copy the MMAP2 record itself so it'd fail to symbolize
samples for those regions.
For example, the following generates 249 MMAP2 events.
Fixes: f7fc0d1c915a74ff ("perf inject: Do not inject BUILD_ID record if MMAP2 has it") Signed-off-by: Namhyung Kim <namhyung@kernel.org> Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: Ian Rogers <irogers@google.com> Cc: Ingo Molnar <mingo@kernel.org> Cc: Jiri Olsa <jolsa@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20230223070155.54251-1-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
It's possible for a file type to support uring commands, but not
pollable ones. Hence before issuing one of those, we should check
that it is supported and error out upfront if it isn't.
Cc: stable@vger.kernel.org Fixes: 5756a3a7e713 ("io_uring: add iopoll infrastructure for io_uring_cmd") Link: https://github.com/axboe/liburing/issues/816 Reviewed-by: Kanchan Joshi <joshi.k@samsung.com> Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
We can often end up inserting a block group item, for a new block group,
with a wrong value for the used bytes field.
This happens if for the new allocated block group, in the same transaction
that created the block group, we have tasks allocating extents from it as
well as tasks removing extents from it.
For example:
1) Task A creates a metadata block group X;
2) Two extents are allocated from block group X, so its "used" field is
updated to 32K, and its "commit_used" field remains as 0;
3) Transaction commit starts, by some task B, and it enters
btrfs_start_dirty_block_groups(). There it tries to update the block
group item for block group X, which currently has its "used" field with
a value of 32K. But that fails since the block group item was not yet
inserted, and so on failure update_block_group_item() sets the
"commit_used" field of the block group back to 0;
4) The block group item is inserted by task A, when for example
btrfs_create_pending_block_groups() is called when releasing its
transaction handle. This results in insert_block_group_item() inserting
the block group item in the extent tree (or block group tree), with a
"used" field having a value of 32K, but without updating the
"commit_used" field in the block group, which remains with value of 0;
5) The two extents are freed from block X, so its "used" field changes
from 32K to 0;
6) The transaction commit by task B continues, it enters
btrfs_write_dirty_block_groups() which calls update_block_group_item()
for block group X, and there it decides to skip the block group item
update, because "used" has a value of 0 and "commit_used" has a value
of 0 too.
As a result, we end up with a block item having a 32K "used" field but
no extents allocated from it.
When this issue happens, a btrfs check reports an error like this:
[1/7] checking root items
[2/7] checking extents
block group [11041505281073741824] used 39796736 but extent items used 0
ERROR: errors found in extent allocation tree or chunk allocation
(...)
Fix this by making insert_block_group_item() update the block group's
"commit_used" field.
Fixes: 7248e0cebbef ("btrfs: skip update of block group item if used bytes are the same") CC: stable@vger.kernel.org # 6.2+ Reviewed-by: Qu Wenruo <wqu@suse.com> Signed-off-by: Filipe Manana <fdmanana@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Current btrfs_log_dev_io_error() increases the read error count even if the
erroneous IO is a WRITE request. This is because it forget to use "else
if", and all the error WRITE requests counts as READ error as there is (of
course) no REQ_RAHEAD bit set.
Fixes: c3a62baf21ad ("btrfs: use chained bios when cloning") CC: stable@vger.kernel.org # 6.1+ Reviewed-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com> Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
The final-checks script is doing some final ABI checkig that should be
skipped if 'do_skip_checks' is true. Just like the other checker scripts
in debian/scripts/checks.
Signed-off-by: Juerg Haefliger <juerg.haefliger@canonical.com> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Andrea Righi [Wed, 12 Apr 2023 13:50:29 +0000 (15:50 +0200)]
UBUNTU: [Packaging] get rid of unnecessary artifacts in linux-headers
There is no sane reason to ship .o and .cmd artifacts in linux-headers,
so simply drop them (this allows to save ~25MB in the latest
linux-headers-generic).
Moreover, strip Rust's libmacros.so shipped in linux-headers to reduce
the size even more.
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Andrea Righi [Wed, 12 Apr 2023 09:48:13 +0000 (11:48 +0200)]
UBUNTU: SAUCE: selftests/bpf: ignore pointer types check with clang
Building bpf selftests with clang can trigger errors like the following:
CLNG-BPF [test_maps] bpf_iter_netlink.bpf.o
progs/bpf_iter_netlink.c:32:4: error: incompatible pointer types assigning to 'struct sock *' from 'struct sock___17 *' [-Werror,-Wincompatible-pointer-types]
s = &nlk->sk;
^ ~~~~~~~~
1 error generated.
This is due to the fact that bpftool emits duplicate data types with
different names in vmlinux.h (i.e., `struct sock` in this case) and
these types, despite having a different name, represent in fact the same
object.
Add -Wno-incompatible-pointer-types to CLANG_CLAGS to prevent these
errors.
(cherry picked from https://lore.kernel.org/lkml/20230412095912.188453-1-andrea.righi@canonical.com/T/#u) Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Ard Biesheuvel [Wed, 22 Mar 2023 14:26:21 +0000 (15:26 +0100)]
efi/libstub: smbios: Drop unused 'recsize' parameter
BugLink: https://bugs.launchpad.net/bugs/2015741
We no longer use the recsize argument for locating the string table in
an SMBIOS record, so we can drop it from the internal API.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Ard Biesheuvel [Tue, 28 Feb 2023 16:00:49 +0000 (17:00 +0100)]
arm64: efi: Use SMBIOS processor version to key off Ampere quirk
BugLink: https://bugs.launchpad.net/bugs/2015741
Instead of using the SMBIOS type 1 record 'family' field, which is often
modified by OEMs, use the type 4 'processor ID' and 'processor version'
fields, which are set to a small set of probe-able values on all known
Ampere EFI systems in the field.
Fixes: 550b33cfd4452968 ("arm64: efi: Force the use of ...") Tested-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
(cherry picked from commit eb684408f3ea4856639675d6465f0024e498e4b1) Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Ard Biesheuvel [Wed, 22 Mar 2023 14:26:19 +0000 (15:26 +0100)]
efi/libstub: smbios: Use length member instead of record struct size
BugLink: https://bugs.launchpad.net/bugs/2015741
The type 1 SMBIOS record happens to always be the same size, but there
are other record types which have been augmented over time, and so we
should really use the length field in the header to decide where the
string table starts.
Fixes: 550b33cfd4452968 ("arm64: efi: Force the use of ...") Signed-off-by: Ard Biesheuvel <ardb@kernel.org> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: [Packaging] FTBFS with different dkms or when makeflags are set
BugLink: https://bugs.launchpad.net/bugs/2015361
dkms upstream, debian, lunar-proposed is changing return code for skip
from 9 to 77. To support either editions of the dkms, update
build_dkms invocation to support either return codes.
lunar kernel started to export MAKEFLAGS to speed up and optimize our
packaging builds. However, this can cause build_dkms to FTBFS if a
given dkms module uses submake and relies on built-in Make variables
to be set. Address this by unsetting MAKEFLAGS when invoking
build-dkms.
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Andrei Gherzan [Thu, 30 Mar 2023 14:32:06 +0000 (15:32 +0100)]
UBUNTU: [Packaging] Copy expoline.o only when produced by the build
BugLink: https://bugs.launchpad.net/bugs/2013209
CONFIG_EXPOLINE_EXTERN has been enabled for s390x [LP:#2013209]. While
this works as expected on the base kernels, it might not work on some
derivatives: for example focal:hwe-5.15 (derived from Jammy). On Focal,
this config can't be enabled due to the GCC version it comes with.
CONFIG_EXPOLINE_EXTERN requires >= 110200 while Focal comes with 90400.
This change adds a check on the existence of the expoline object file(s)
that are packaged later. This also makes the code more robust generally.
Signed-off-by: Andrei Gherzan <andrei.gherzan@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Andrea Righi [Thu, 30 Mar 2023 05:40:11 +0000 (07:40 +0200)]
UBUNTU: SAUCE: l2tp: generate correct module alias strings
BugLink: https://bugs.launchpad.net/bugs/2013014
Commit 65b32f801bfb ("uapi: move IPPROTO_L2TP to in.h") moved the
definition of IPPROTO_L2TP from a define to an enum, but since
__stringify doesn't work properly with enums, we ended up breaking the
modalias strings for the l2tp modules:
Andrea Righi [Tue, 28 Mar 2023 10:50:39 +0000 (12:50 +0200)]
UBUNTU: [Packaging] annotations: prevent duplicate include lines
Includes are always parsed recursively, but when we save them (e.g.,
when the annotations file is updated) we should always save only the
top-level includes, without repeating the recursive ones.
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Andy Whitcroft [Fri, 24 Mar 2023 21:50:46 +0000 (21:50 +0000)]
UBUNTU: [Packaging] neuter the signing tarball
We now produce the signing tarball from the generate package so we no
longer this to be produced from the main package. However, in the short
term we wish to produce and publish out empty signing tarballs. We will
do this until we have cleared out the dists versions. Later we will
eliminate the tarball from this package entirely.
BugLink: https://bugs.launchpad.net/bugs/2012136 Signed-off-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
John Johansen [Thu, 16 Mar 2023 23:04:17 +0000 (16:04 -0700)]
UBUNTU: SAUCE: apparmor: advertise availability of exended perms
BugLink: https://bugs.launchpad.net/bugs/2012136
Userspace won't load policy using extended perms unless it knows the
kernel can handle them. Advertise that extended perms are supported in
the feature set.
Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
John Johansen [Fri, 10 Mar 2023 23:59:45 +0000 (15:59 -0800)]
UBUNTU: SAUCE: apparmor: fix policy_compat permission remap with extended permissions
BugLink: https://bugs.launchpad.net/bugs/2012136
If the extended permission table is present we should not be attempting
to do a compat_permission remap as the compat_permissions are not
stored in the dfa accept states.
Fixes: fd1b2b95a211 ("apparmor: add the ability for policy to specify a permission table") Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
John Johansen [Tue, 25 Oct 2022 08:18:41 +0000 (01:18 -0700)]
UBUNTU: SAUCE: apparmor: cache buffers on percpu list if there is lock contention
BugLink: https://bugs.launchpad.net/bugs/2012136 df323337e507 ("apparmor: Use a memory pool instead per-CPU caches")
changed buffer allocation to use a memory pool, however on a heavily
loaded machine there can be lock contention on the global buffers
lock. Add a percpu list to cache buffers on when lock contention is
encountered.
When allocating buffers attempt to use cached buffers first,
before taking the global buffers lock. When freeing buffers
try to put them back to the global list but if contention is
encountered, put the buffer on the percpu list.
The length of time a buffer is held on the percpu list is dynamically
adjusted based on lock contention. The amount of hold time is rapidly
increased and slow ramped down.
v4:
- fix percpu ->count buffer count which had been spliced across a
debug patch.
- introduce define for MAX_LOCAL_COUNT
- rework count check and locking around it.
- update commit message to reference commit that introduced the
memory.
v3:
- limit number of buffers that can be pushed onto the percpu
list. This avoids a problem on some kernels where one percpu
list can inherit buffers from another cpu after a reschedule,
causing more kernel memory to used than is necessary. Under
normal conditions this should eventually return to normal
but under pathelogical conditions the extra memory consumption
may have been unbouanded
v2:
- dynamically adjust buffer hold time on percpu list based on
lock contention.
v1:
- cache buffers on percpu list on lock contention
Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
John Johansen [Wed, 13 Nov 2019 11:48:01 +0000 (03:48 -0800)]
UBUNTU: SAUCE: apparmor: enable userspace upcall for mediation
BugLink: https://bugs.launchpad.net/bugs/2012136
There are cases where userspace can provide additional information
that may be needed to make the correct mediation decision.
Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
John Johansen [Mon, 19 Sep 2022 06:55:00 +0000 (23:55 -0700)]
UBUNTU: SAUCE: apparmor: add the ability for profiles to have a learning cache
BugLink: https://bugs.launchpad.net/bugs/2012136
To support a better complain mode allow caching learned entries off
of the profile. This can be used to dedup complain messages and
also as a basis for bulk delivery of complain messages to userspace
through a non audit logging interface.
Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
BugLink: https://bugs.launchpad.net/bugs/2012136
Make it so apparmor debug output can be controlled by class flags
as well as the debug flag on labels. This provides much finer
control at what is being output so apparmor doesn't flood the
logs with information that is not needed, making it hard to find
what is important.
Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
John Johansen [Tue, 20 Sep 2022 03:48:48 +0000 (20:48 -0700)]
UBUNTU: SAUCE: apparmor: pass cred through to audit info.
BugLink: https://bugs.launchpad.net/bugs/2012136
The cred is needed to properly audit some messages, and will be needed
in the future for uid conditional mediation. So pass it through to
where the apparmor_audit_data struct gets defined.
Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
John Johansen [Mon, 19 Sep 2022 07:46:09 +0000 (00:46 -0700)]
UBUNTU: SAUCE: apparmor: rename audit_data->label to audit_data->subj_label
BugLink: https://bugs.launchpad.net/bugs/2012136
rename audit_data's label field to subj_label to better reflect its
use. Also at the same time drop unneeded assignments to ->subj_label
as the later call to aa_check_perms will do the assignment if needed.
Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
John Johansen [Tue, 13 Sep 2022 02:15:02 +0000 (19:15 -0700)]
UBUNTU: SAUCE: apparmor: setup slab cache for audit data
BugLink: https://bugs.launchpad.net/bugs/2012136
Audit data will be used for caches and learning. When this happens the
data needs to be off of the stack and a slab cache will help with
improve the dynamic allocation, and reduce overall size used.
Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
John Johansen [Wed, 14 Sep 2022 07:20:12 +0000 (00:20 -0700)]
UBUNTU: SAUCE: apparmor: combine common_audit_data and apparmor_audit_data
BugLink: https://bugs.launchpad.net/bugs/2012136
Everywhere where common_audit_data is used apparmor audit_data is also
used. We can simplify the code and drop the use of the aad macro
everywhere by combining the two structures.
Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 21:02:22 +0000 (14:02 -0700)]
UBUNTU: SAUCE: Stacking v38: AppArmor: Remove the exclusive flag
BugLink: https://bugs.launchpad.net/bugs/2012136
With the inclusion of the interface LSM process attribute
mechanism AppArmor no longer needs to be treated as an
"exclusive" security module. Remove the flag that indicates
it is exclusive. Remove the stub getpeersec_dgram AppArmor
hook as it has no effect in the single LSM case and
interferes in the multiple LSM case.
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> Acked-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 21:00:57 +0000 (14:00 -0700)]
UBUNTU: SAUCE: Stacking v38: netlabel: Use a struct lsmblob in audit data
BugLink: https://bugs.launchpad.net/bugs/2012136
Remove scaffolding in netlabel audit by keeping subject
lsm information in an lsmblob structure instead of a secid.
Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
When an audit event includes a AUDIT_MAC_OBJ_CONTEXTS record
the "obj=" field in other records in the event will be "obj=?".
An AUDIT_MAC_OBJ_CONTEXTS record is supplied when the system has
multiple security modules that may make access decisions based
on an object security context.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
BugLink: https://bugs.launchpad.net/bugs/2012136
Refactor audit_log_task_context(), creating a new
audit_log_subject_context(). This is used in netlabel auditing
to provide multiple subject security contexts as necessary.
Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
When an audit event includes a AUDIT_MAC_TASK_CONTEXTS record
the "subj=" field in other records in the event will be "subj=?".
An AUDIT_MAC_TASK_CONTEXTS record is supplied when the system has
multiple security modules that may make access decisions based
on a subject security context.
Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 20:59:02 +0000 (13:59 -0700)]
UBUNTU: SAUCE: Stacking v38: Audit: Allow multiple records in an audit_buffer
BugLink: https://bugs.launchpad.net/bugs/2012136
Replace the single skb pointer in an audit_buffer with
a list of skb pointers. Add the audit_stamp information
to the audit_buffer as there's no guarantee that there
will be an audit_context containing the stamp associated
with the event. At audit_log_end() time create auxiliary
records (none are currently defined) as have been added
to the list. Functions are created to manage the skb list
in the audit_buffer.
Suggested-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 20:58:38 +0000 (13:58 -0700)]
UBUNTU: SAUCE: Stacking v38: LSM: Add a function to report multiple LSMs
BugLink: https://bugs.launchpad.net/bugs/2012136
Add a new boolean function lsm_multiple_contexts() to
identify when multiple security modules provide security
context strings.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: Paul Moore <paul@paul-moore.com> Reviewed-by: John Johansen <john.johansen@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
BugLink: https://bugs.launchpad.net/bugs/2012136
Replace the timestamp and serial number pair used in audit records
with a structure containing the two elements.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 20:56:35 +0000 (13:56 -0700)]
UBUNTU: SAUCE: Stacking v38: Audit: Keep multiple LSM data in audit_names
BugLink: https://bugs.launchpad.net/bugs/2012136
Replace the osid field in the audit_names structure
with a lsmblob structure. This accommodates the use
of an lsmblob in security_audit_rule_match() and
security_inode_getsecid().
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
BugLink: https://bugs.launchpad.net/bugs/2012136
Add a parameter to security_secid_to_secctx() to identify
which of the security modules that may be active should
provide the security context. If the parameter is greater
than or equal to zero, the security module associated with
that LSM "slot" is used. If the value is LSMBLOB_DISPLAY
the "interface lsm" is used. If the value is LSMBLOB_FIRST
the first security module providing a hook is used.
The integrity IMA subsystem has chosen to always use the
LSMBLOB_FIRST behavior, regardless of the lsm_display values.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 20:54:54 +0000 (13:54 -0700)]
UBUNTU: SAUCE: Stacking v38: binder: Pass LSM identifier for confirmation
BugLink: https://bugs.launchpad.net/bugs/2012136
Send an identifier for the security module interface_lsm
along with the security context. This allows the receiver
to verify that the receiver and the sender agree on which
security module's context is being used. If they don't
agree the message is rejected.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: NET: Store LSM netlabel data in a lsmblob
BugLink: https://bugs.launchpad.net/bugs/2012136
Netlabel uses LSM interfaces requiring an lsmblob and
the internal storage is used to pass information between
these interfaces, so change the internal data from a secid
to a lsmblob. Update the netlabel interfaces and their
callers to accommodate the change. This requires that the
modules using netlabel use the lsm_id.slot to access the
correct secid when using netlabel.
Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Cc: netdev@vger.kernel.org Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: Use lsmcontext in security_dentry_init_security
BugLink: https://bugs.launchpad.net/bugs/2012136
Replace the (secctx,seclen) pointer pair with a single
lsmcontext pointer to allow return of the LSM identifier
along with the context and context length. This allows
security_release_secctx() to know how to release the
context. Callers have been modified to use or save the
returned data from the new structure.
Special care is taken in the NFS code, which uses the
same data structure for its own copied labels as it does
for the data which comes from security_dentry_init_security().
In the case of copied labels the data has to be freed, not
released.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 20:52:53 +0000 (13:52 -0700)]
UBUNTU: SAUCE: Stacking v38: LSM: Use lsmcontext in security_inode_getsecctx
BugLink: https://bugs.launchpad.net/bugs/2012136
Change the security_inode_getsecctx() interface to fill
a lsmcontext structure instead of data and length pointers.
This provides the information about which LSM created the
context so that security_release_secctx() can use the
correct hook.
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> Acked-by: Paul Moore <paul@paul-moore.com> Acked-by: Chuck Lever <chuck.lever@oracle.com> Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Cc: linux-nfs@vger.kernel.org Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: LSM: Use lsmcontext in security_secid_to_secctx
BugLink: https://bugs.launchpad.net/bugs/2012136
Replace the (secctx,seclen) pointer pair with a single
lsmcontext pointer to allow return of the LSM identifier
along with the context and context length. This allows
security_release_secctx() to know how to release the
context. Callers have been modified to use or save the
returned data from the new structure.
security_secid_to_secctx() will now return the length value
if the passed lsmcontext pointer is NULL.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Cc: netdev@vger.kernel.org Cc: linux-audit@redhat.com Cc: netfilter-devel@vger.kernel.org Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
BugLink: https://bugs.launchpad.net/bugs/2012136
Add a new lsmcontext data structure to hold all the information
about a "security context", including the string, its size and
which LSM allocated the string. The allocation information is
necessary because LSMs have different policies regarding the
lifecycle of these strings. SELinux allocates and destroys
them on each use, whereas Smack provides a pointer to an entry
in a list that never goes away.
Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: Paul Moore <paul@paul-moore.com> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> Acked-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Cc: linux-integrity@vger.kernel.org Cc: netdev@vger.kernel.org Cc: linux-audit@redhat.com Cc: netfilter-devel@vger.kernel.org
To: Pablo Neira Ayuso <pablo@netfilter.org> Cc: linux-nfs@vger.kernel.org Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: LSM: Specify which LSM to display
BugLink: https://bugs.launchpad.net/bugs/2012136
Create two new prctl() options PR_LSM_ATTR_SET and PR_LSM_ATTR_GET
which change and report the Interface LSM respectively.
The LSM ID number of an active LSM that supplies hooks for
human readable data may be passed in the arg2 value with the
PR_LSM_ATTR_SET option. The PR_LSM_ATT_GET option returns the
LSM ID currently in use. At this point there can only be one LSM
capable of display active. A helper function lsm_task_ilsm() is
provided to get the interface lsm slot for a task_struct.
Security modules that wish to restrict this action may provide
a task_prctl hook to do so. Each such security module is
responsible for defining its policy.
AppArmor hook initially provided by John Johansen
<john.johansen@canonical.com>. SELinux hook initially provided by
Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: LSM: Use lsmblob in security_cred_getsecid
BugLink: https://bugs.launchpad.net/bugs/2012136
Change the security_cred_getsecid() interface to fill in a
lsmblob instead of a u32 secid. The associated data elements
in the audit sub-system are changed from a secid to a lsmblob
to accommodate multiple possible LSM audit users.
Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Cc: linux-integrity@vger.kernel.org Cc: linux-audit@redhat.com Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 20:49:46 +0000 (13:49 -0700)]
UBUNTU: SAUCE: Stacking v38: LSM: Use lsmblob in security_inode_getsecid
BugLink: https://bugs.launchpad.net/bugs/2012136
Change the security_inode_getsecid() interface to fill in a
lsmblob structure instead of a u32 secid. This allows for its
callers to gather data from all registered LSMs. Data is provided
for IMA and audit.
Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Cc: linux-integrity@vger.kernel.org Cc: linux-audit@redhat.com Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: LSM: Use lsmblob in security_current_getsecid
BugLink: https://bugs.launchpad.net/bugs/2012136
Change the security_current_getsecid_subj() and
security_task_getsecid_obj() interfaces to fill in
a lsmblob structure instead of a u32 secid in support of
LSM stacking. Audit interfaces will need to collect all
possible secids for possible reporting.
Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Cc: linux-integrity@vger.kernel.org Cc: linux-audit@redhat.com Cc: netdev@vger.kernel.org Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 20:48:53 +0000 (13:48 -0700)]
UBUNTU: SAUCE: Stacking v38: LSM: Use lsmblob in security_ipc_getsecid
BugLink: https://bugs.launchpad.net/bugs/2012136
There may be more than one LSM that provides IPC data
for auditing. Change security_ipc_getsecid() to fill in
a lsmblob structure instead of the u32 secid. The
audit data structure containing the secid will be updated
later, so there is a bit of scaffolding here.
Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Cc: linux-audit@redhat.com Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: LSM: Use lsmblob in security_secid_to_secctx
BugLink: https://bugs.launchpad.net/bugs/2012136
Change security_secid_to_secctx() to take a lsmblob as input
instead of a u32 secid. It will then call the LSM hooks
using the lsmblob element allocated for that module. The
callers have been updated as well. This allows for the
possibility that more than one module may be called upon
to translate a secid to a string, as can occur in the
audit code.
Acked-by: Paul Moore <paul@paul-moore.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Cc: netdev@vger.kernel.org Cc: linux-audit@redhat.com Cc: netfilter-devel@vger.kernel.org
To: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 20:47:49 +0000 (13:47 -0700)]
UBUNTU: SAUCE: Stacking v38: LSM: Use lsmblob in security_secctx_to_secid
BugLink: https://bugs.launchpad.net/bugs/2012136
Change the security_secctx_to_secid interface to use a lsmblob
structure in place of the single u32 secid in support of
module stacking. Change its callers to do the same.
The security module hook is unchanged, still passing back a secid.
The infrastructure passes the correct entry from the lsmblob.
Acked-by: Paul Moore <paul@paul-moore.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Cc: netdev@vger.kernel.org Cc: netfilter-devel@vger.kernel.org
To: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 20:47:21 +0000 (13:47 -0700)]
UBUNTU: SAUCE: Stacking v38: LSM: Use lsmblob in security_kernel_act_as
BugLink: https://bugs.launchpad.net/bugs/2012136
Change the security_kernel_act_as interface to use a lsmblob
structure in place of the single u32 secid in support of
module stacking. Change its only caller, set_security_override,
to do the same. Change that one's only caller,
set_security_override_from_ctx, to call it with the new
parameter type.
The security module hook is unchanged, still taking a secid.
The infrastructure passes the correct entry from the lsmblob.
lsmblob_init() is used to fill the lsmblob structure, however
this will be removed later in the series when security_secctx_to_secid()
is updated to provide a lsmblob instead of a secid.
Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
To: David Howells <dhowells@redhat.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 20:46:49 +0000 (13:46 -0700)]
UBUNTU: SAUCE: Stacking v38: LSM: Use lsmblob in security_audit_rule_match
BugLink: https://bugs.launchpad.net/bugs/2012136
Change the secid parameter of security_audit_rule_match
to a lsmblob structure pointer. Pass the entry from the
lsmblob structure for the approprite slot to the LSM hook.
Change the users of security_audit_rule_match to use the
lsmblob instead of a u32. The scaffolding function lsmblob_init()
fills the blob with the value of the old secid, ensuring that
it is available to the appropriate module hook. The sources of
the secid, security_task_getsecid() and security_inode_getsecid(),
will be converted to use the blob structure later in the series.
At the point the use of lsmblob_init() is dropped.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: Paul Moore <paul@paul-moore.com> Reviewed-by: John Johansen <john.johansen@canonical.com> Cc: linux-audit@redhat.com Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
BugLink: https://bugs.launchpad.net/bugs/2012136
Integrity measurement may filter on security module information
and needs to be clear in the case of multiple active security
modules which applies. Provide a boot option ima_rules_lsm= to
allow the user to specify an active security module to apply
filters to. If not specified, use the first registered module
that supports the audit_rule_match() LSM hook. Allow the user
to specify in the IMA policy an lsm= option to specify the
security module to use for a particular rule.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
To: Mimi Zohar <zohar@linux.ibm.com>
To: linux-integrity@vger.kernel.org Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 20:45:45 +0000 (13:45 -0700)]
UBUNTU: SAUCE: Stacking v38: LSM: provide lsm name and id slot mappings
BugLink: https://bugs.launchpad.net/bugs/2012136
Provide interfaces to map LSM slot numbers and LSM names.
Update the LSM registration code to save this information.
Acked-by: Paul Moore <paul@paul-moore.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: LSM: Add the lsmblob data structure.
BugLink: https://bugs.launchpad.net/bugs/2012136
When more than one security module is exporting data to
audit and networking sub-systems a single 32 bit integer
is no longer sufficient to represent the data. Add a
structure to be used instead.
The lsmblob structure is currently an array of
u32 "secids". There is an entry for each of the security
modules built into the system that would use secids if
active. The system assigns the module a "slot" when it
registers hooks. If modules are compiled in but not
registered there will be unused slots. The slot number
is added to the lsm_id structure.
The audit rules data is expanded to use an array of
security module data rather than a single instance.
A new structure audit_lsm_rules is defined to avoid the
confusion which commonly accompanies the use of
void ** parameters.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: LSM: Infrastructure management of the sock security
BugLink: https://bugs.launchpad.net/bugs/2012136
Move management of the sock->sk_security blob out
of the individual security modules and into the security
infrastructure. Instead of allocating the blobs from within
the modules the modules tell the infrastructure how much
space is required, and the space is allocated there.
Acked-by: Paul Moore <paul@paul-moore.com> Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 20:42:35 +0000 (13:42 -0700)]
UBUNTU: SAUCE: Stacking v38: integrity: disassociate ima_filter_rule from security_audit_rule
BugLink: https://bugs.launchpad.net/bugs/2012136
Create real functions for the ima_filter_rule interfaces.
These replace #defines that obscure the reuse of audit
interfaces. The new functions are put in security.c because
they use security module registered hooks that we don't
want exported.
Acked-by: Paul Moore <paul@paul-moore.com> Reviewed-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
To: Mimi Zohar <zohar@linux.ibm.com> Cc: linux-integrity@vger.kernel.org Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: proc: Use lsmids instead of lsm names for attrs
BugLink: https://bugs.launchpad.net/bugs/2012136
Use the LSM ID number instead of the LSM name to identify which
security module's attibute data should be shown in /proc/self/attr.
The security_[gs]etprocattr() functions have been changed to expect
the LSM ID. The change from a string comparison to an integer comparison
in these functions will provide a minor performance improvement.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: LSM: Maintain a table of LSM attribute data
BugLink: https://bugs.launchpad.net/bugs/2012136
As LSMs are registered add their lsm_id pointers to a table.
This will be used later for attribute reporting.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: LSM: Identify the process attributes for each module
BugLink: https://bugs.launchpad.net/bugs/2012136
Add an integer member "features" to the struct lsm_id which
identifies the API related data associated with each security
module. The initial set of features maps to information that
has traditionaly been available in /proc/self/attr.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: LSM: Add an LSM identifier for external use
BugLink: https://bugs.launchpad.net/bugs/2012136
Add an integer member "id" to the struct lsm_id. This value is
a unique identifier associated with each security module. The
values are defined in a new UAPI header file. Each existing LSM
has been updated to include it's LSMID in the lsm_id.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: LSM: Identify modules by more than name
BugLink: https://bugs.launchpad.net/bugs/2012136
Create a struct lsm_id to contain identifying information
about Linux Security Modules (LSMs). At inception this contains
a single member, which is the name of the module. Change the
security_add_hooks() interface to use this structure. Change
the individual modules to maintain their own struct lsm_id and
pass it to security_add_hooks().
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
John Johansen [Mon, 13 Dec 2021 23:46:09 +0000 (15:46 -0800)]
UBUNTU: SAUCE: apparmor: Add fine grained mediation of posix mqueues
BugLink: https://bugs.launchpad.net/bugs/2012136 BugLink: https://bugs.launchpad.net/bugs/1989983
Add fine grained mediation of posix mqueues. Specifically this patch
adds support for differentiating mqueues based on the name in the ipc
namespace. A follow on patch will add support for implied labels, and
a third patch explicit labels. This is done in part because of
dependencies on other patches to apparmor core.
BugLink: https://bugs.launchpad.net/bugs/1989983 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
BugLink: https://bugs.launchpad.net/bugs/1989983 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
John Johansen [Sun, 23 Oct 2022 11:03:50 +0000 (04:03 -0700)]
UBUNTU: SAUCE: apparmor: Add sysctls for additional controls of unpriv userns restrictions
BugLink: https://bugs.launchpad.net/bugs/2012136
Add apparmor_restrict_unprivileged_userns_force
To force old policies that don't support user namespace restrictions
to apply them anyways.
Add apparmor_restrict_unprivileged_userns_complain
To cause user namespace restrictions to complain instead of fail.
This will work on both profiles and unconfined.
Signed-off-by: John Johansen <john.johansen@canonical.com>
fixup userns
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
John Johansen [Fri, 9 Sep 2022 23:00:09 +0000 (16:00 -0700)]
UBUNTU: SAUCE: apparmor: add user namespace creation mediation
BugLink: https://bugs.launchpad.net/bugs/2012136 BugLink: https://bugs.launchpad.net/bugs/1989983
Unprivileged user namespace creation is often used as a first step
in privilege escalation attacks. Instead of disabling it at the
sysrq level, which blocks its legitimate use as for setting up a sandbox,
allow control on a per domain basis.
This allows an admin to quickly lock down a system while also still
allowing legitimate use.
BugLink: https://bugs.launchpad.net/bugs/1989983 Signed-off-by: John Johansen <john.johansen@canonical.com>
[ adjustments to apply the patch from 5.19 ] Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
This patch provides compatibility with the older rules for those
still using an apparmor 2.x userspace and still want network rules
to work on a newer kernel.
BugLink: https://bugs.launchpad.net/bugs/1989983 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>