John Johansen [Thu, 22 Sep 2016 19:51:11 +0000 (12:51 -0700)]
apparmor: refactor aa_prepare_ns into prepare_ns and create_ns routines
BugLink: http://bugs.launchpad.net/bugs/1611078
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Wed, 14 Sep 2016 22:23:55 +0000 (15:23 -0700)]
apparmor: add interface to be able to grab loaded policy
Checkpoint/restore needs to be able to grab policy currently loaded
into the kernel.
BugLink: http://bugs.launchpad.net/bugs/1611078
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Sun, 14 Aug 2016 22:01:12 +0000 (15:01 -0700)]
apparmor: fix: permissions test to view and manage policy
Drop may_open_profiles and unify with policy_view_capable()
Adjust policy_view_capable() so that it is slightly less restricted.
user_namespaces can now manage policy iff
- the task has cap_mac_admin in the namespace
- the user_namespace->level == apparmor policy_namespace->level.
This ensures a user namespace can never be used to manage the
system namespace, and can only be used to manage the namespace at its
view level.
If for some reason a user namespace is setup without an apparmor
policy namespace it will not be able to manage or view policy.
However this also means an extra level of apparmor policy namespaces
can not be setup and used with user namespaces at this time.
i.e. this blocks user confinement stacking, and user defined policy
use cases from being used with user namespaces atm.
Add the ability to output a debug message in relation to
capable(cap_mac_admin) &&
policy_locked
as it is possible for these to cause failures that are not audited and
thus hard to trace down.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Tue, 2 Aug 2016 10:49:35 +0000 (03:49 -0700)]
apparmor: convert delegating deleted files to mediate deleted files
This is a semantic change that may need to be reverted but we can not
properly do delegation atm and doing blind delegation is a security
hole.
Files that have the necessary labeling can still be delegated however
mediation will be required for deleted files that need to be revalidated.
Note: the code is set up to specify DELEGATE_DELETED but aliases it on
the backend to MEDIATE_DELETED. This will have to be partially reverted/
changed for profile replacement causing a revalidation.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Thu, 4 Aug 2016 11:35:21 +0000 (04:35 -0700)]
UBUNTU: SAUCE: apparmor: Fix auditing behavior for change_hat probing
change_hat uses probing to find and transition to the first available
hat. Hats missing as part of this probe are expected and should not
be logged except in complain mode.
BugLink: http://bugs.launchpad.net/bugs/1615893
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
This is because the unconfined profile is in the special unconfined
mode, which will result in a (mixed) mode for any stack with profiles
in enforcing or complain mode.
This can however lead to confusion as to what mode is being used as
mixed is also used for enforcing stacked with complain. Since unconfined
doesn't affect the stack just special case it.
BugLink: http://bugs.launchpad.net/bugs/1615890
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Thu, 23 Jun 2016 01:01:08 +0000 (18:01 -0700)]
UBUNTU: SAUCE: apparmor: fix: parameters can be changed after policy is locked
The policy_lock parameter is a one way switch that prevents policy
from being further modified. Unfortunately some of the module parameters
can effectively modify policy by turning off enforcement.
Split policy_admin_capable into a view check and a full admin check,
and update the admin check to test the policy_lock parameter.
BugLink: http://bugs.launchpad.net/bugs/1615895
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Mon, 22 Aug 2016 21:14:48 +0000 (14:14 -0700)]
UBUNTU: SAUCE: apparmor: fix vec_unique for vectors larger than 8
The vec_unique path for large vectors is broken, leading to oopses
when a file handle is shared between 8 different security domains, and
then a profile replacement/removal causing a label invalidation (i.e. not
all replacements) is done.
BugLink: http://bugs.launchpad.net/bugs/1579135
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Fri, 19 Aug 2016 10:20:32 +0000 (03:20 -0700)]
UBUNTU: SAUCE: apparmor: profiles in one ns can affect mediation in another ns
When the ns hierarchies a//foo and b//foo are compared they are
incorrectly identified as being the same as they have the same depth
and the same basename.
Instead make sure to compare the full hname to distinguish this case.
BugLink: http://bugs.launchpad.net/bugs/1615887
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Mon, 23 May 2016 19:04:57 +0000 (12:04 -0700)]
UBUNTU: SAUCE: apparmor: Fix label build for onexec stacking.
The label build for onexec when crossing a namespace boundary is not
quite correct. The label needs to be built per profile and not based
on the whole label because the onexec transition only applies to
profiles within the ns. Where merging against the label could include
profiles that are transitioned via the profile_transition callback
and should not be in the final label.
BugLink: http://bugs.launchpad.net/bugs/1615881
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
UBUNTU: SAUCE: apparmor: Fix FTBFS due to bad include path
When header files in security/apparmor/includes/ pull in other header
files in that directory, they should only include the file name. This
fixes a build failure reported by Tycho when using `make bindeb-pkg` to
build the Ubuntu kernel tree but, confusingly, isn't seen when building
with `fakeroot debian/rules binary-generic`.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reported-by: Tycho Andersen <tycho.andersen@canonical.com>
Cc: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Tyler Hicks [Wed, 23 Mar 2016 21:41:33 +0000 (16:41 -0500)]
UBUNTU: SAUCE: apparmor: Consult sysctl when reading profiles in a user ns
BugLink: https://launchpad.net/bugs/1560583
Check the value of the unprivileged_userns_apparmor_policy sysctl when a
namespace root process attempts to read the apparmorfs profiles file.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Tyler Hicks [Wed, 23 Mar 2016 21:26:20 +0000 (16:26 -0500)]
UBUNTU: SAUCE: apparmor: Allow ns_root processes to open profiles file
BugLink: https://launchpad.net/bugs/1560583
Change the apparmorfs profiles file permissions check to better match
the old requirements before the apparmorfs permissions were changed to
allow profile loads inside of confined, first-level user namespaces.
Historically, the profiles file has been readable by the root user and
group. A recent change added the requirement that the process have the
CAP_MAC_ADMIN capability. This is a problem for confined processes since
keeping the 'capability mac_admin,' rule out of the AppArmor profile is
often desired.
This patch replaces the CAP_MAC_ADMIN requirement with a requirement
that the process is root in its user namespace.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Tyler Hicks [Thu, 17 Mar 2016 00:19:10 +0000 (19:19 -0500)]
UBUNTU: SAUCE: add a sysctl to enable unprivileged user ns AppArmor policy loading
BugLink: http://bugs.launchpad.net/bugs/1379535
Disabled by default until the AppArmor kernel code is deemed safe enough
to handle untrusted policy. Only developers of container technologies
should turn this on until that time.
If this sysctl is set to non-zero and a process with CAP_MAC_ADMIN in
the root namespace has created an AppArmor policy namespace,
unprivileged processes will be able to change to a profile in the
newly created AppArmor policy namespace and, if the profile allows
CAP_MAC_ADMIN and appropriate file permissions, will be able to load
policy in the respective policy namespace.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Mon, 13 Jun 2016 14:05:18 +0000 (17:05 +0300)]
UBUNTU: SAUCE: (no-up) apparmor: rebase of apparmor3.5-beta1 snapshot for 4.8
BugLink: http://bugs.launchpad.net/bugs/1379535
This is a sync and squash of the apparmor 3.5-beta1 snapshot. The
set of patches in this squash are available in
git://kernel.ubuntu.com/jj/ubuntu-xenial.git
using the tag
apparmor-3.5-beta1-presuash-snapshot
This fixes multiple bugs and adds the policy namespace stacking features.
BugLink: http://bugs.launchpad.net/bugs/1379535
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
BugLink: http://bugs.launchpad.net/bugs/1630924
It may happen that secondary CPUs are still alive and resetting
hv_context.tsc_page will cause a consequent crash in read_hv_clock_tsc()
as we don't check for it being not NULL there. It is safe as we're not
freeing this page anyways.
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from linux-next commit 56ef6718a1d8d77745033c5291e025ce18504159)
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
BugLink: http://bugs.launchpad.net/bugs/1628889
Add support for automatic message tags to the printk macro
families dev_xyz and pr_xyz. The message tag consists of a
component name and a 24 bit hash of the message text. For
each message that is documented in the included kernel message
catalog a man page can be created with a script (which is
included in the patch). The generated man pages contain
explanatory text that is intended to help understand the
messages.
Note that only s390 specific messages are prepared
appropriately and included in the generated message catalog.
This patch is optional as it is very unlikely to be accepted
in upstream kernel, but is recommended for all distributions
which are built based on the 'Development stream'.
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Tim Gardner [Tue, 31 Jan 2017 13:49:08 +0000 (06:49 -0700)]
UBUNTU: [Config] CONFIG_NET_DROP_MONITOR=m
<zioproto> hello all. I am new here. I would like some feedback
about CONFIG_NET_DROP_MONITOR=n in the Ubuntu Kernel. It would
be of great help to have it set to module. We use Ubuntu for the
openstack network node.
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Kamal Mostafa [Tue, 24 Jan 2017 20:05:20 +0000 (12:05 -0800)]
UBUNTU: [debian] derive indep_hdrs_pkg_name from src_pkg_name
This long-standing oversight in our debian rules hardcodes the string "linux"
instead of using the $(src_pkg_name) for just one of the generated .deb package
names: linux-headers-x.x.x-x. Let's fix it in the generic branches
(T,X,Y,Z,unstable) so that we won't have to keep applying this patch to each of
the derivative/custom kernels.
-----8<-----
Ignore: yes
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Manoj Iyer [Tue, 24 Jan 2017 17:05:12 +0000 (11:05 -0600)]
UBUNTU: d-i: initrd needs msm_emac on amberwing platform.
Amberwing systems have an onboard two port NIC that uses the msm_emac
driver. This module is needed in d-i's initrd so that these NICs
can be used to d-i install the system. Tested on the amberwing
system at Canonical.
Signed-off-by: Manoj Iyer <manoj.iyer@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Seth Forshee [Thu, 19 Jan 2017 22:05:12 +0000 (16:05 -0600)]
UBUNTU: [Config] Fix up s390x config options changed during 4.10 rebase
Fix the following options mistakenly changed during the rebase
from 4.9 to 4.10.
- CONFIG_I2C was selected by CONFIG_SFC_FALCON but should be
disabled because s390x lacks hw support. Revert these and
related options, and enforce the CONFIG_I2C values to prevent
this in the future.
Ming Lei [Sat, 17 Dec 2016 10:49:09 +0000 (18:49 +0800)]
block: relax check on sg gap
BugLink: http://bugs.launchpad.net/bugs/1657539
If the last bvec of the 1st bio and the 1st bvec of the next
bio are physically contiguous, and the latter can be merged
into the last segment of the 1st bio, we should think they don't
violate the sg gap (or virt boundary) limit.
Both Vitaly and Dexuan reported lots of unmergeable small bios
are observed when running mkfs on Hyper-V virtual storage, and
performance becomes quite low. This patch fixes that performance
issue.
The same issue should exist on NVMe, since it sets virt boundary too.
Reported-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Reported-by: Dexuan Cui <decui@microsoft.com>
Tested-by: Dexuan Cui <decui@microsoft.com>
Cc: Keith Busch <keith.busch@intel.com>
Signed-off-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
(cherry picked from linux-next commit 729204ef49ec00b788ce23deb9eb922a5769f55d)
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
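A simplified model of the relaxed gap check described above, added here as an example; it is not the kernel's or this patch's code. The struct layouts, the names bio_will_gap and segs_mergeable, and the queue limits are assumptions of the model, and the two-bio scenario is constructed.

```c
#include <stdbool.h>
#include <stdint.h>

/* Simplified model (not the kernel's code). A bvec is one physically
 * contiguous chunk; a bio here carries only what the check needs:
 * its chunks and the size of its last (back) segment. */
struct bvec { uint64_t phys; unsigned int len; };
struct bio  { const struct bvec *vecs; unsigned int nr; unsigned int back_seg_size; };

/* Hypothetical queue limits: virt_boundary_mask is the sg gap mask
 * (e.g. PAGE_SIZE-1, as NVMe and Hyper-V storage set) and
 * max_segment_size the largest merged segment the device accepts. */
struct qlimits { uint64_t virt_boundary_mask; unsigned int max_segment_size; };

/* Strict rule: the previous bio's last chunk must end on the boundary and
 * the next bio's first chunk must start on it, otherwise there is a gap. */
static bool bvec_gap(const struct qlimits *q, const struct bvec *prev, const struct bvec *next)
{
    return (next->phys & q->virt_boundary_mask) != 0 ||
           ((prev->phys + prev->len) & q->virt_boundary_mask) != 0;
}

/* Relaxation from the commit: if the two chunks are physically contiguous
 * and folding the next one into the previous bio's last segment stays within
 * max_segment_size, they form one segment and no boundary is crossed. */
static bool segs_mergeable(const struct qlimits *q, const struct bio *prev_bio,
                           const struct bvec *prev, const struct bvec *next)
{
    if (prev->phys + prev->len != next->phys)
        return false;
    return prev_bio->back_seg_size + next->len <= q->max_segment_size;
}

bool bio_will_gap(const struct qlimits *q, const struct bio *prev,
                  const struct bio *next, bool relaxed)
{
    const struct bvec *pb = &prev->vecs[prev->nr - 1];
    const struct bvec *nb = &next->vecs[0];

    if (!q->virt_boundary_mask)              /* device has no sg gap limit */
        return false;
    if (relaxed && segs_mergeable(q, prev, pb, nb))
        return false;
    return bvec_gap(q, pb, nb);
}

/* Constructed scenario: two 512-byte bios back to back inside one page,
 * the kind of small writes an mkfs run issues; bio_c sits in another page. */
static const struct qlimits limits = { 0xfff, 65536 };
static const struct bvec va = { 0x10000, 512 }, vb = { 0x10200, 512 }, vc = { 0x20200, 512 };
static const struct bio bio_a = { &va, 1, 512 };
static const struct bio bio_b = { &vb, 1, 512 };   /* contiguous with bio_a */
static const struct bio bio_c = { &vc, 1, 512 };   /* not contiguous */

bool strict_gap_contig(void)     { return bio_will_gap(&limits, &bio_a, &bio_b, false); }
bool relaxed_gap_contig(void)    { return bio_will_gap(&limits, &bio_a, &bio_b, true); }
bool relaxed_gap_noncontig(void) { return bio_will_gap(&limits, &bio_a, &bio_c, true); }
```

Under the strict rule the two contiguous 512-byte bios are declared unmergeable because neither ends nor starts on the page boundary; the relaxed rule merges them, while the non-contiguous pair still gaps.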
Tim Gardner [Wed, 18 Jan 2017 18:43:34 +0000 (11:43 -0700)]
UBUNTU: [Config] CONFIG_DEFAULT_IOSCHED=cfq
Hi there,
after several days of running (way too) many tests, I've got some data
to show that it may be a good idea to drop the DEADLINE I/O scheduler
for Zesty and move to CFQ with buffered writeback throttling (WBT) +
WBT_MQ (WBT multi-queue) enabled.
We originally moved to DEADLINE because of the issues with slow I/O (say
to flash drives) causing applications to hang while blocked on the slow
I/O being flushed out. It seems that with the recent 4.10 WBT driver
and (possibly other block driver changes) we see some performance
benefits also with CFQ, namely:
1. Faster boots. On an 8-thread Xeon CPU E3-1275 I'm seeing a reduction
in usertime boots from 33.92s (Deadline) to ~24.5s (CFQ)
There are some places where CFQ + MQ is less performant than CFQ + MQ +
SQ, and vice-versa. However, my general feeling for Zesty is that we
should give this a try as it seems to work well. The config changes are:
This will give us plenty of time to give this a good test in the next
few months and revert them if we find any problematic corner cases.
The win on boot time, build times and writes to slow devices is
probably the most compelling choice for these changes IMHO.
Colin King
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Seth Forshee [Tue, 17 Jan 2017 21:19:39 +0000 (15:19 -0600)]
UBUNTU: SAUCE: (no-up) i915: Remove MODULE_FIRMWARE statements for unreleased firmware
BugLink: http://bugs.launchpad.net/bugs/1626740
Intel has added MODULE_FIRMWARE statements to i915 which refer to
firmware files that they have not yet pushed out to upstream
linux-firmware. This causes the following warnings when
generating the initrd:
W: Possible missing firmware /lib/firmware/i915/kbl_guc_ver9_14.bin for module i915
W: Possible missing firmware /lib/firmware/i915/bxt_guc_ver8_7.bin for module i915
This firmware is clearly optional, and the warnings have been
generating a lot of confusion for users. Remove the offending
MODULE_FIRMWARE statements until Intel makes these files
available.
Tim Gardner [Wed, 11 Jan 2017 14:12:13 +0000 (07:12 -0700)]
UBUNTU: [Config] linux-source Provides should not be a macro
Addresses a review comment from Adam Conrad:
debian.master/control.stub.in:
- when changing linux-source to SRCPKGNAME-source, you also changed the
Provides, which doesn't make sense. That should change back.
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Seth Forshee [Fri, 6 Jan 2017 17:18:41 +0000 (11:18 -0600)]
UBUNTU: [Config] Disable stack protector for powerpc-smp
Fixes FTBFS:
arch/powerpc/platforms/built-in.o: In function `bootx_add_display_props':
/<<PKGBUILDDIR>>/arch/powerpc/platforms/powermac/bootx_init.c:211: undefined reference to `__stack_chk_fail_local'
arch/powerpc/platforms/built-in.o: In function `bootx_scan_dt_build_struct':
/<<PKGBUILDDIR>>/arch/powerpc/platforms/powermac/bootx_init.c:350: undefined reference to `__stack_chk_fail_local'
arch/powerpc/platforms/built-in.o: In function `bootx_init':
/<<PKGBUILDDIR>>/arch/powerpc/platforms/powermac/bootx_init.c:596: undefined reference to `__stack_chk_fail_local'
ld: .tmp_vmlinux1: hidden symbol `__stack_chk_fail_local' isn't defined
ld: final link failed: Bad value
Seth Forshee [Fri, 6 Jan 2017 15:58:11 +0000 (09:58 -0600)]
UBUNTU: [Config] Update and enforce IMA options
BugLink: http://bugs.launchpad.net/bugs/1643652
Set CONFIG_IMA_KEXEC=y for supported powerpc architectures.
Update the annotations for this option, and mark all IMA options
for enforcement. Remove notes for options which have no prompt and
are thus not included in the annotations file.
Seth Forshee [Wed, 4 Jan 2017 16:08:38 +0000 (10:08 -0600)]
UBUNTU: [Config] CONFIG_IPDDP=n
BugLink: http://bugs.launchpad.net/bugs/1559772
This module isn't being actively maintained, and when it is
enabled it prevents a newer userspace implementation from
working.
Craig Magina [Thu, 8 Dec 2016 10:39:31 +0000 (11:39 +0100)]
UBUNTU: d-i initrd needs additional usb modules to support the merlin platform
BugLink: https://launchpad.net/bugs/1625222
Ubuntu builds the uas and xhci-plat-hcd usb drivers as modules; these
modules are needed for d-i to use usb in the installer on the merlin platform.
Signed-off-by: Craig Magina <craig.magina@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Seth Forshee [Tue, 6 Dec 2016 15:51:01 +0000 (09:51 -0600)]
UBUNTU: SAUCE: aufs -- Add flags argument to aufs_rename()
Starting with Linux 4.9-rc1 the rename2 inode operation has
replaced the rename op, so filesystem rename implementations
require an extra flags argument. Add the argument to fix the
FTBFS with Linux 4.9, but since aufs doesn't support any of the
flags return an error if it is non-zero.
Seth Forshee [Tue, 6 Dec 2016 15:27:46 +0000 (09:27 -0600)]
UBUNTU: SAUCE: aufs -- Convert to use xattr handlers
Starting with Linux 4.9-rc1 the {get,set,remove}xattr inode
operations have been removed, and filesystems are required to use
xattr handlers instead. There's some partially implemented xattr
handlers commented out in aufs already. Finish those handlers and
convert aufs over to use them.
Ming Lei [Tue, 6 Dec 2016 17:20:03 +0000 (01:20 +0800)]
UBUNTU: [Config] CONFIG_ARM64_ERRATUM_845719=y
BugLink: http://bugs.launchpad.net/bugs/1647793
Looks like this option was missed in Yakkety, and should have been
enabled. It is enabled on Xenial, and used to work around
the issue of "Cortex-A53: 845719: a load might read incorrect data".
Signed-off-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>