BugLink: https://bugs.launchpad.net/bugs/2012136
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
John Johansen [Thu, 16 Mar 2023 23:04:17 +0000 (16:04 -0700)]
UBUNTU: SAUCE: apparmor: advertise availability of extended perms
BugLink: https://bugs.launchpad.net/bugs/2012136
Userspace won't load policy using extended perms unless it knows the
kernel can handle them. Advertise that extended perms are supported in
the feature set.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
John Johansen [Fri, 10 Mar 2023 23:59:45 +0000 (15:59 -0800)]
UBUNTU: SAUCE: apparmor: fix policy_compat permission remap with extended permissions
BugLink: https://bugs.launchpad.net/bugs/2012136
If the extended permission table is present we should not be attempting
to do a compat_permission remap as the compat_permissions are not
stored in the dfa accept states.
Fixes: fd1b2b95a211 ("apparmor: add the ability for policy to specify a permission table")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
John Johansen [Tue, 25 Oct 2022 08:18:41 +0000 (01:18 -0700)]
UBUNTU: SAUCE: apparmor: cache buffers on percpu list if there is lock contention
BugLink: https://bugs.launchpad.net/bugs/2012136
df323337e507 ("apparmor: Use a memory pool instead per-CPU caches")
changed buffer allocation to use a memory pool, however on a heavily
loaded machine there can be lock contention on the global buffers
lock. Add a percpu list to cache buffers on when lock contention is
encountered.
When allocating buffers attempt to use cached buffers first,
before taking the global buffers lock. When freeing buffers
try to put them back to the global list but if contention is
encountered, put the buffer on the percpu list.
The length of time a buffer is held on the percpu list is dynamically
adjusted based on lock contention. The amount of hold time is rapidly
increased and slowly ramped down.
v4:
- fix percpu ->count buffer count which had been spliced across a
debug patch.
- introduce define for MAX_LOCAL_COUNT
- rework count check and locking around it.
- update commit message to reference commit that introduced the
memory.
v3:
- limit number of buffers that can be pushed onto the percpu
list. This avoids a problem on some kernels where one percpu
list can inherit buffers from another cpu after a reschedule,
causing more kernel memory to be used than is necessary. Under
normal conditions this should eventually return to normal
but under pathological conditions the extra memory consumption
may have been unbounded
v2:
- dynamically adjust buffer hold time on percpu list based on
lock contention.
v1:
- cache buffers on percpu list on lock contention
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
John Johansen [Wed, 13 Nov 2019 11:48:01 +0000 (03:48 -0800)]
UBUNTU: SAUCE: apparmor: enable userspace upcall for mediation
BugLink: https://bugs.launchpad.net/bugs/2012136
There are cases where userspace can provide additional information
that may be needed to make the correct mediation decision.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
John Johansen [Mon, 19 Sep 2022 06:55:00 +0000 (23:55 -0700)]
UBUNTU: SAUCE: apparmor: add the ability for profiles to have a learning cache
BugLink: https://bugs.launchpad.net/bugs/2012136
To support a better complain mode allow caching learned entries off
of the profile. This can be used to dedup complain messages and
also as a basis for bulk delivery of complain messages to userspace
through a non audit logging interface.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
BugLink: https://bugs.launchpad.net/bugs/2012136
Make it so apparmor debug output can be controlled by class flags
as well as the debug flag on labels. This provides much finer
control at what is being output so apparmor doesn't flood the
logs with information that is not needed, making it hard to find
what is important.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
John Johansen [Tue, 20 Sep 2022 03:48:48 +0000 (20:48 -0700)]
UBUNTU: SAUCE: apparmor: pass cred through to audit info.
BugLink: https://bugs.launchpad.net/bugs/2012136
The cred is needed to properly audit some messages, and will be needed
in the future for uid conditional mediation. So pass it through to
where the apparmor_audit_data struct gets defined.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
John Johansen [Mon, 19 Sep 2022 07:46:09 +0000 (00:46 -0700)]
UBUNTU: SAUCE: apparmor: rename audit_data->label to audit_data->subj_label
BugLink: https://bugs.launchpad.net/bugs/2012136
rename audit_data's label field to subj_label to better reflect its
use. Also at the same time drop unneeded assignments to ->subj_label
as the later call to aa_check_perms will do the assignment if needed.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
John Johansen [Tue, 13 Sep 2022 02:15:02 +0000 (19:15 -0700)]
UBUNTU: SAUCE: apparmor: setup slab cache for audit data
BugLink: https://bugs.launchpad.net/bugs/2012136
Audit data will be used for caches and learning. When this happens the
data needs to be off of the stack and a slab cache will help
improve the dynamic allocation, and reduce overall size used.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
John Johansen [Wed, 14 Sep 2022 07:20:12 +0000 (00:20 -0700)]
UBUNTU: SAUCE: apparmor: combine common_audit_data and apparmor_audit_data
BugLink: https://bugs.launchpad.net/bugs/2012136
Everywhere where common_audit_data is used apparmor audit_data is also
used. We can simplify the code and drop the use of the aad macro
everywhere by combining the two structures.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 21:02:22 +0000 (14:02 -0700)]
UBUNTU: SAUCE: Stacking v38: AppArmor: Remove the exclusive flag
BugLink: https://bugs.launchpad.net/bugs/2012136
With the inclusion of the interface LSM process attribute
mechanism AppArmor no longer needs to be treated as an
"exclusive" security module. Remove the flag that indicates
it is exclusive. Remove the stub getpeersec_dgram AppArmor
hook as it has no effect in the single LSM case and
interferes in the multiple LSM case.
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 21:00:57 +0000 (14:00 -0700)]
UBUNTU: SAUCE: Stacking v38: netlabel: Use a struct lsmblob in audit data
BugLink: https://bugs.launchpad.net/bugs/2012136
Remove scaffolding in netlabel audit by keeping subject
lsm information in an lsmblob structure instead of a secid.
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
When an audit event includes an AUDIT_MAC_OBJ_CONTEXTS record
the "obj=" field in other records in the event will be "obj=?".
An AUDIT_MAC_OBJ_CONTEXTS record is supplied when the system has
multiple security modules that may make access decisions based
on an object security context.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
BugLink: https://bugs.launchpad.net/bugs/2012136
Refactor audit_log_task_context(), creating a new
audit_log_subject_context(). This is used in netlabel auditing
to provide multiple subject security contexts as necessary.
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
When an audit event includes an AUDIT_MAC_TASK_CONTEXTS record
the "subj=" field in other records in the event will be "subj=?".
An AUDIT_MAC_TASK_CONTEXTS record is supplied when the system has
multiple security modules that may make access decisions based
on a subject security context.
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 20:59:02 +0000 (13:59 -0700)]
UBUNTU: SAUCE: Stacking v38: Audit: Allow multiple records in an audit_buffer
BugLink: https://bugs.launchpad.net/bugs/2012136
Replace the single skb pointer in an audit_buffer with
a list of skb pointers. Add the audit_stamp information
to the audit_buffer as there's no guarantee that there
will be an audit_context containing the stamp associated
with the event. At audit_log_end() time create auxiliary
records (none are currently defined) as have been added
to the list. Functions are created to manage the skb list
in the audit_buffer.
Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 20:58:38 +0000 (13:58 -0700)]
UBUNTU: SAUCE: Stacking v38: LSM: Add a function to report multiple LSMs
BugLink: https://bugs.launchpad.net/bugs/2012136
Add a new boolean function lsm_multiple_contexts() to
identify when multiple security modules provide security
context strings.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
BugLink: https://bugs.launchpad.net/bugs/2012136
Replace the timestamp and serial number pair used in audit records
with a structure containing the two elements.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 20:56:35 +0000 (13:56 -0700)]
UBUNTU: SAUCE: Stacking v38: Audit: Keep multiple LSM data in audit_names
BugLink: https://bugs.launchpad.net/bugs/2012136
Replace the osid field in the audit_names structure
with a lsmblob structure. This accommodates the use
of an lsmblob in security_audit_rule_match() and
security_inode_getsecid().
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
BugLink: https://bugs.launchpad.net/bugs/2012136
Add a parameter to security_secid_to_secctx() to identify
which of the security modules that may be active should
provide the security context. If the parameter is greater
than or equal to zero, the security module associated with
that LSM "slot" is used. If the value is LSMBLOB_DISPLAY
the "interface lsm" is used. If the value is LSMBLOB_FIRST
the first security module providing a hook is used.
The integrity IMA subsystem has chosen to always use the
LSMBLOB_FIRST behavior, regardless of the lsm_display values.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 20:54:54 +0000 (13:54 -0700)]
UBUNTU: SAUCE: Stacking v38: binder: Pass LSM identifier for confirmation
BugLink: https://bugs.launchpad.net/bugs/2012136
Send an identifier for the security module interface_lsm
along with the security context. This allows the receiver
to verify that the receiver and the sender agree on which
security module's context is being used. If they don't
agree the message is rejected.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: NET: Store LSM netlabel data in a lsmblob
BugLink: https://bugs.launchpad.net/bugs/2012136
Netlabel uses LSM interfaces requiring an lsmblob and
the internal storage is used to pass information between
these interfaces, so change the internal data from a secid
to a lsmblob. Update the netlabel interfaces and their
callers to accommodate the change. This requires that the
modules using netlabel use the lsm_id.slot to access the
correct secid when using netlabel.
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: netdev@vger.kernel.org
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: Use lsmcontext in security_dentry_init_security
BugLink: https://bugs.launchpad.net/bugs/2012136
Replace the (secctx,seclen) pointer pair with a single
lsmcontext pointer to allow return of the LSM identifier
along with the context and context length. This allows
security_release_secctx() to know how to release the
context. Callers have been modified to use or save the
returned data from the new structure.
Special care is taken in the NFS code, which uses the
same data structure for its own copied labels as it does
for the data which comes from security_dentry_init_security().
In the case of copied labels the data has to be freed, not
released.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 20:52:53 +0000 (13:52 -0700)]
UBUNTU: SAUCE: Stacking v38: LSM: Use lsmcontext in security_inode_getsecctx
BugLink: https://bugs.launchpad.net/bugs/2012136
Change the security_inode_getsecctx() interface to fill
a lsmcontext structure instead of data and length pointers.
This provides the information about which LSM created the
context so that security_release_secctx() can use the
correct hook.
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Acked-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-nfs@vger.kernel.org
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: LSM: Use lsmcontext in security_secid_to_secctx
BugLink: https://bugs.launchpad.net/bugs/2012136
Replace the (secctx,seclen) pointer pair with a single
lsmcontext pointer to allow return of the LSM identifier
along with the context and context length. This allows
security_release_secctx() to know how to release the
context. Callers have been modified to use or save the
returned data from the new structure.
security_secid_to_secctx() will now return the length value
if the passed lsmcontext pointer is NULL.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: netdev@vger.kernel.org
Cc: linux-audit@redhat.com
Cc: netfilter-devel@vger.kernel.org
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
BugLink: https://bugs.launchpad.net/bugs/2012136
Add a new lsmcontext data structure to hold all the information
about a "security context", including the string, its size and
which LSM allocated the string. The allocation information is
necessary because LSMs have different policies regarding the
lifecycle of these strings. SELinux allocates and destroys
them on each use, whereas Smack provides a pointer to an entry
in a list that never goes away.
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Acked-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-integrity@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: linux-audit@redhat.com
Cc: netfilter-devel@vger.kernel.org
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: linux-nfs@vger.kernel.org
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: LSM: Specify which LSM to display
BugLink: https://bugs.launchpad.net/bugs/2012136
Create two new prctl() options PR_LSM_ATTR_SET and PR_LSM_ATTR_GET
which change and report the Interface LSM respectively.
The LSM ID number of an active LSM that supplies hooks for
human readable data may be passed in the arg2 value with the
PR_LSM_ATTR_SET option. The PR_LSM_ATTR_GET option returns the
LSM ID currently in use. At this point there can only be one LSM
capable of display active. A helper function lsm_task_ilsm() is
provided to get the interface lsm slot for a task_struct.
Security modules that wish to restrict this action may provide
a task_prctl hook to do so. Each such security module is
responsible for defining its policy.
AppArmor hook initially provided by John Johansen
<john.johansen@canonical.com>. SELinux hook initially provided by
Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: LSM: Use lsmblob in security_cred_getsecid
BugLink: https://bugs.launchpad.net/bugs/2012136
Change the security_cred_getsecid() interface to fill in a
lsmblob instead of a u32 secid. The associated data elements
in the audit sub-system are changed from a secid to a lsmblob
to accommodate multiple possible LSM audit users.
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-integrity@vger.kernel.org
Cc: linux-audit@redhat.com
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 20:49:46 +0000 (13:49 -0700)]
UBUNTU: SAUCE: Stacking v38: LSM: Use lsmblob in security_inode_getsecid
BugLink: https://bugs.launchpad.net/bugs/2012136
Change the security_inode_getsecid() interface to fill in a
lsmblob structure instead of a u32 secid. This allows for its
callers to gather data from all registered LSMs. Data is provided
for IMA and audit.
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-integrity@vger.kernel.org
Cc: linux-audit@redhat.com
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: LSM: Use lsmblob in security_current_getsecid
BugLink: https://bugs.launchpad.net/bugs/2012136
Change the security_current_getsecid_subj() and
security_task_getsecid_obj() interfaces to fill in
a lsmblob structure instead of a u32 secid in support of
LSM stacking. Audit interfaces will need to collect all
possible secids for possible reporting.
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-integrity@vger.kernel.org
Cc: linux-audit@redhat.com
Cc: netdev@vger.kernel.org
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 20:48:53 +0000 (13:48 -0700)]
UBUNTU: SAUCE: Stacking v38: LSM: Use lsmblob in security_ipc_getsecid
BugLink: https://bugs.launchpad.net/bugs/2012136
There may be more than one LSM that provides IPC data
for auditing. Change security_ipc_getsecid() to fill in
a lsmblob structure instead of the u32 secid. The
audit data structure containing the secid will be updated
later, so there is a bit of scaffolding here.
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-audit@redhat.com
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: LSM: Use lsmblob in security_secid_to_secctx
BugLink: https://bugs.launchpad.net/bugs/2012136
Change security_secid_to_secctx() to take a lsmblob as input
instead of a u32 secid. It will then call the LSM hooks
using the lsmblob element allocated for that module. The
callers have been updated as well. This allows for the
possibility that more than one module may be called upon
to translate a secid to a string, as can occur in the
audit code.
Acked-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: netdev@vger.kernel.org
Cc: linux-audit@redhat.com
Cc: netfilter-devel@vger.kernel.org
To: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 20:47:49 +0000 (13:47 -0700)]
UBUNTU: SAUCE: Stacking v38: LSM: Use lsmblob in security_secctx_to_secid
BugLink: https://bugs.launchpad.net/bugs/2012136
Change the security_secctx_to_secid interface to use a lsmblob
structure in place of the single u32 secid in support of
module stacking. Change its callers to do the same.
The security module hook is unchanged, still passing back a secid.
The infrastructure passes the correct entry from the lsmblob.
Acked-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: netdev@vger.kernel.org
Cc: netfilter-devel@vger.kernel.org
To: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 20:47:21 +0000 (13:47 -0700)]
UBUNTU: SAUCE: Stacking v38: LSM: Use lsmblob in security_kernel_act_as
BugLink: https://bugs.launchpad.net/bugs/2012136
Change the security_kernel_act_as interface to use a lsmblob
structure in place of the single u32 secid in support of
module stacking. Change its only caller, set_security_override,
to do the same. Change that one's only caller,
set_security_override_from_ctx, to call it with the new
parameter type.
The security module hook is unchanged, still taking a secid.
The infrastructure passes the correct entry from the lsmblob.
lsmblob_init() is used to fill the lsmblob structure, however
this will be removed later in the series when security_secctx_to_secid()
is updated to provide a lsmblob instead of a secid.
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
To: David Howells <dhowells@redhat.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 20:46:49 +0000 (13:46 -0700)]
UBUNTU: SAUCE: Stacking v38: LSM: Use lsmblob in security_audit_rule_match
BugLink: https://bugs.launchpad.net/bugs/2012136
Change the secid parameter of security_audit_rule_match
to a lsmblob structure pointer. Pass the entry from the
lsmblob structure for the appropriate slot to the LSM hook.
Change the users of security_audit_rule_match to use the
lsmblob instead of a u32. The scaffolding function lsmblob_init()
fills the blob with the value of the old secid, ensuring that
it is available to the appropriate module hook. The sources of
the secid, security_task_getsecid() and security_inode_getsecid(),
will be converted to use the blob structure later in the series.
At that point the use of lsmblob_init() is dropped.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Cc: linux-audit@redhat.com
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
BugLink: https://bugs.launchpad.net/bugs/2012136
Integrity measurement may filter on security module information
and needs to be clear in the case of multiple active security
modules which applies. Provide a boot option ima_rules_lsm= to
allow the user to specify an active security module to apply
filters to. If not specified, use the first registered module
that supports the audit_rule_match() LSM hook. Allow the user
to specify in the IMA policy an lsm= option to specify the
security module to use for a particular rule.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
To: Mimi Zohar <zohar@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 20:45:45 +0000 (13:45 -0700)]
UBUNTU: SAUCE: Stacking v38: LSM: provide lsm name and id slot mappings
BugLink: https://bugs.launchpad.net/bugs/2012136
Provide interfaces to map LSM slot numbers and LSM names.
Update the LSM registration code to save this information.
Acked-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: LSM: Add the lsmblob data structure.
BugLink: https://bugs.launchpad.net/bugs/2012136
When more than one security module is exporting data to
audit and networking sub-systems a single 32 bit integer
is no longer sufficient to represent the data. Add a
structure to be used instead.
The lsmblob structure is currently an array of
u32 "secids". There is an entry for each of the security
modules built into the system that would use secids if
active. The system assigns the module a "slot" when it
registers hooks. If modules are compiled in but not
registered there will be unused slots. The slot number
is added to the lsm_id structure.
The audit rules data is expanded to use an array of
security module data rather than a single instance.
A new structure audit_lsm_rules is defined to avoid the
confusion which commonly accompanies the use of
void ** parameters.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
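
A userspace model of the slot scheme described in the lsmblob commit above, combined with the slot-selection rule from the earlier security_secid_to_secctx() message (slot number, LSMBLOB_DISPLAY, LSMBLOB_FIRST). This is an added example, not code from the patch series: every `model_*` name, the `alpha`/`beta` modules, and the numeric values standing in for LSMBLOB_DISPLAY and LSMBLOB_FIRST are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_SLOTS     3    /* assumed: three secid-using modules compiled in */
#define MODEL_UNUSED  (-1)   /* slot of a module that never registered hooks */
#define MODEL_DISPLAY (-2)   /* stand-in for LSMBLOB_DISPLAY; value is assumed */
#define MODEL_FIRST   (-3)   /* stand-in for LSMBLOB_FIRST; value is assumed */

/* Hypothetical hook: turn one module's secid into its context string. */
typedef int (*model_ctx_hook)(uint32_t secid, char *buf, size_t len);

struct model_lsm_id {
    const char *name;
    int slot;                /* assigned when the module registers hooks */
};

struct model_lsmblob {
    uint32_t secid[MODEL_SLOTS];   /* one entry per compiled-in module */
};

struct model_registry {
    model_ctx_hook hook[MODEL_SLOTS];
    int next_slot;
    int interface_slot;      /* slot of the task's "interface lsm" */
};

static int model_register(struct model_registry *r, struct model_lsm_id *id,
                          model_ctx_hook hook)
{
    if (r->next_slot >= MODEL_SLOTS)
        return -1;
    id->slot = r->next_slot++;
    r->hook[id->slot] = hook;
    return id->slot;
}

/* Returns the slot whose module produced the context, or -1 if none could. */
static int model_secid_to_secctx(const struct model_registry *r,
                                 const struct model_lsmblob *blob, int which,
                                 char *buf, size_t len)
{
    int slot = MODEL_UNUSED;

    if (which >= 0) {
        slot = which;                      /* explicit slot number */
    } else if (which == MODEL_DISPLAY) {
        slot = r->interface_slot;          /* the "interface lsm" */
    } else if (which == MODEL_FIRST) {
        for (int i = 0; i < MODEL_SLOTS; i++)
            if (r->hook[i]) { slot = i; break; }
    }
    if (slot < 0 || slot >= MODEL_SLOTS || !r->hook[slot])
        return -1;                         /* unused slot or unknown selector */
    if (r->hook[slot](blob->secid[slot], buf, len) != 0)
        return -1;
    return slot;
}

static int fmt_ctx(const char *name, uint32_t secid, char *buf, size_t len)
{
    int n = snprintf(buf, len, "%s:%u", name, (unsigned)secid);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;   /* reject truncation */
}
static int alpha_ctx(uint32_t s, char *b, size_t l) { return fmt_ctx("alpha", s, b, l); }
static int beta_ctx(uint32_t s, char *b, size_t l)  { return fmt_ctx("beta", s, b, l); }

static struct model_lsm_id alpha_id = { "alpha", MODEL_UNUSED };
static struct model_lsm_id beta_id  = { "beta",  MODEL_UNUSED };

static void model_setup(struct model_registry *r, struct model_lsmblob *blob)
{
    memset(r, 0, sizeof(*r));
    memset(blob, 0, sizeof(*blob));
    model_register(r, &alpha_id, alpha_ctx);
    model_register(r, &beta_id, beta_ctx);
    /* Slot 2 models a module that is compiled in but never registers. */
    r->interface_slot = beta_id.slot;
    blob->secid[alpha_id.slot] = 7;        /* constructed sample secids */
    blob->secid[beta_id.slot] = 42;
}

int main(void)
{
    struct model_registry r;
    struct model_lsmblob blob;
    int which[] = { 0, 1, 2, MODEL_DISPLAY, MODEL_FIRST };
    char buf[32];

    model_setup(&r, &blob);
    for (size_t i = 0; i < sizeof(which) / sizeof(which[0]); i++) {
        int slot = model_secid_to_secctx(&r, &blob, which[i], buf, sizeof(buf));
        printf("which=%d -> slot %d %s\n", which[i], slot, slot < 0 ? "(none)" : buf);
    }
    return 0;
}
```
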
UBUNTU: SAUCE: Stacking v38: LSM: Infrastructure management of the sock security
BugLink: https://bugs.launchpad.net/bugs/2012136
Move management of the sock->sk_security blob out
of the individual security modules and into the security
infrastructure. Instead of allocating the blobs from within
the modules the modules tell the infrastructure how much
space is required, and the space is allocated there.
Acked-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Casey Schaufler [Mon, 27 Jun 2022 20:42:35 +0000 (13:42 -0700)]
UBUNTU: SAUCE: Stacking v38: integrity: disassociate ima_filter_rule from security_audit_rule
BugLink: https://bugs.launchpad.net/bugs/2012136
Create real functions for the ima_filter_rule interfaces.
These replace #defines that obscure the reuse of audit
interfaces. The new functions are put in security.c because
they use security module registered hooks that we don't
want exported.
Acked-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-integrity@vger.kernel.org
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: proc: Use lsmids instead of lsm names for attrs
BugLink: https://bugs.launchpad.net/bugs/2012136
Use the LSM ID number instead of the LSM name to identify which
security module's attribute data should be shown in /proc/self/attr.
The security_[gs]etprocattr() functions have been changed to expect
the LSM ID. The change from a string comparison to an integer comparison
in these functions will provide a minor performance improvement.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: LSM: Maintain a table of LSM attribute data
BugLink: https://bugs.launchpad.net/bugs/2012136
As LSMs are registered add their lsm_id pointers to a table.
This will be used later for attribute reporting.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: LSM: Identify the process attributes for each module
BugLink: https://bugs.launchpad.net/bugs/2012136
Add an integer member "features" to the struct lsm_id which
identifies the API related data associated with each security
module. The initial set of features maps to information that
has traditionally been available in /proc/self/attr.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: LSM: Add an LSM identifier for external use
BugLink: https://bugs.launchpad.net/bugs/2012136
Add an integer member "id" to the struct lsm_id. This value is
a unique identifier associated with each security module. The
values are defined in a new UAPI header file. Each existing LSM
has been updated to include its LSMID in the lsm_id.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: Stacking v38: LSM: Identify modules by more than name
BugLink: https://bugs.launchpad.net/bugs/2012136
Create a struct lsm_id to contain identifying information
about Linux Security Modules (LSMs). At inception this contains
a single member, which is the name of the module. Change the
security_add_hooks() interface to use this structure. Change
the individual modules to maintain their own struct lsm_id and
pass it to security_add_hooks().
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
John Johansen [Mon, 13 Dec 2021 23:46:09 +0000 (15:46 -0800)]
UBUNTU: SAUCE: apparmor: Add fine grained mediation of posix mqueues
BugLink: https://bugs.launchpad.net/bugs/2012136 BugLink: https://bugs.launchpad.net/bugs/1989983
Add fine grained mediation of posix mqueues. Specifically this patch
adds support for differentiating mqueues based on the name in the ipc
namespace. A follow on patch will add support for implied labels, and
a third patch explicit labels. This is done in part because of
dependencies on other patches to apparmor core.
BugLink: https://bugs.launchpad.net/bugs/1989983 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
John Johansen [Sun, 23 Oct 2022 11:03:50 +0000 (04:03 -0700)]
UBUNTU: SAUCE: apparmor: Add sysctls for additional controls of unpriv userns restrictions
BugLink: https://bugs.launchpad.net/bugs/2012136
Add apparmor_restrict_unprivileged_userns_force
To force old policies that don't support user namespace restrictions
to apply them anyways.
Add apparmor_restrict_unprivileged_userns_complain
To cause user namespace restrictions to complain instead of fail.
This will work on both profiles and unconfined.
Signed-off-by: John Johansen <john.johansen@canonical.com>
fixup userns
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
John Johansen [Fri, 9 Sep 2022 23:00:09 +0000 (16:00 -0700)]
UBUNTU: SAUCE: apparmor: add user namespace creation mediation
BugLink: https://bugs.launchpad.net/bugs/2012136 BugLink: https://bugs.launchpad.net/bugs/1989983
Unprivileged user namespace creation is often used as a first step
in privilege escalation attacks. Instead of disabling it at the
sysrq level, which blocks its legitimate use as for setting up a sandbox,
allow control on a per domain basis.
This allows an admin to quickly lock down a system while also still
allowing legitimate use.
BugLink: https://bugs.launchpad.net/bugs/1989983 Signed-off-by: John Johansen <john.johansen@canonical.com>
[ adjustments to apply the patch from 5.19 ] Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
This patch provides compatibility with the older rules for those
still using an apparmor 2.x userspace who still want network rules
to work on a newer kernel.
BugLink: https://bugs.launchpad.net/bugs/1989983 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Po-Hsu Lin [Mon, 20 Mar 2023 03:59:47 +0000 (11:59 +0800)]
selftests: net: devlink_port_split.py: skip test if no suitable device available
BugLink: https://bugs.launchpad.net/bugs/1937133
The `devlink -j port show` command output may not contain the "flavour"
key, an example from Ubuntu 22.10 s390x LPAR(5.19.0-37-generic), with
mlx4 driver and iproute2-5.15.0:
{"port":{"pci/0001:00:00.0/1":{"type":"eth","netdev":"ens301"},
"pci/0001:00:00.0/2":{"type":"eth","netdev":"ens301d1"},
"pci/0002:00:00.0/1":{"type":"eth","netdev":"ens317"},
"pci/0002:00:00.0/2":{"type":"eth","netdev":"ens317d1"}}}
This will cause a KeyError exception.
Create a validate_devlink_output() to check for this "flavour" from
devlink command output to avoid this KeyError exception. Also let
it handle the check for `devlink -j dev show` output in main().
Apart from this, if the test was not started because the max lanes of
the designated device is 0, the script will still return 0, thus
causing a false-negative test result.
Use a found_max_lanes flag to determine if these tests were skipped
due to this reason and return KSFT_SKIP to make it more clear.
Chengen Du [Fri, 17 Mar 2023 02:23:26 +0000 (10:23 +0800)]
NFS: Correct timing for assigning access cache timestamp
BugLink: https://bugs.launchpad.net/bugs/2009325
When the user's login time is newer than the cache's timestamp,
the original entry in the RB-tree will be replaced by a new entry.
Currently, the timestamp is only set if the entry is not found in
the RB-tree, which can cause the timestamp to be undefined when
the entry exists. This may result in a significant increase in
ACCESS operations if the timestamp is set to zero.
Signed-off-by: Chengen Du <chengen.du@canonical.com> Fixes: 0eb43812c027 ("NFS: Clear the file access cache upon login") Reviewed-by: Benjamin Coddington <bcodding@redhat.com> Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
(cherry picked from commit 21fd9e8700de86d1169f6336e97d7a74916ed04a) Signed-off-by: Chengen Du <chengen.du@canonical.com> Acked-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>