git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/log
mirror_ubuntu-zesty-kernel.git
7 years ago UBUNTU: SAUCE: Import aufs driver
Seth Forshee [Mon, 6 Feb 2017 14:23:47 +0000 (08:23 -0600)]
UBUNTU: SAUCE: Import aufs driver

Import aufs4.x-rcN 20170206 from https://github.com/sfjro/aufs4-standalone
commit 6c73f3b7652b011dfd536a99fd130b68e29fda72.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
7 years ago Revert "UBUNTU: SAUCE: Import aufs driver"
Seth Forshee [Mon, 6 Feb 2017 15:44:15 +0000 (09:44 -0600)]
Revert "UBUNTU: SAUCE: Import aufs driver"

This reverts commit 59c1d5d6471b1d9991ea8201d4ca5f84df401d3f.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
7 years ago Revert "UBUNTU: SAUCE: aufs -- Convert to use xattr handlers"
Seth Forshee [Mon, 6 Feb 2017 15:44:12 +0000 (09:44 -0600)]
Revert "UBUNTU: SAUCE: aufs -- Convert to use xattr handlers"

This reverts commit 045a8d15de46cff608769a4e087e1d5ff1694748.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
7 years ago Revert "UBUNTU: SAUCE: aufs -- Add flags argument to aufs_rename()"
Seth Forshee [Mon, 6 Feb 2017 15:44:10 +0000 (09:44 -0600)]
Revert "UBUNTU: SAUCE: aufs -- Add flags argument to aufs_rename()"

This reverts commit a58ac2e773eea792631f1923a0382c8fe9f3e39b.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
7 years ago Revert "UBUNTU: SAUCE: (no-up) aufs: for v4.9-rc1, support setattr_prepare()"
Seth Forshee [Mon, 6 Feb 2017 15:44:08 +0000 (09:44 -0600)]
Revert "UBUNTU: SAUCE: (no-up) aufs: for v4.9-rc1, support setattr_prepare()"

This reverts commit c1450ea4cd2095f8819c4f9ed1ac8a5ecbf6903e.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
7 years ago Revert "UBUNTU: SAUCE: aufs -- remove .readlink assignment"
Seth Forshee [Mon, 6 Feb 2017 15:44:04 +0000 (09:44 -0600)]
Revert "UBUNTU: SAUCE: aufs -- remove .readlink assignment"

This reverts commit 16ce5763776c87d3bed4b87215a40ff82e84107a.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
7 years ago UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs
Seth Forshee [Tue, 19 Jan 2016 19:12:02 +0000 (13:12 -0600)]
UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs

The original mounter had CAP_SYS_ADMIN in the user namespace
where the mount happened, and the vfs has validated that the user
has permission to do the requested operation. This is sufficient
for allowing the kernel to write these specific xattrs, so we can
bypass the permission checks for these xattrs.

To support this, export __vfs_setxattr_noperm and add a similar
__vfs_removexattr_noperm which is also exported. Use these when
setting or removing trusted.overlayfs.* xattrs.

BugLink: http://bugs.launchpad.net/bugs/1531747
BugLink: http://bugs.launchpad.net/bugs/1534961
BugLink: http://bugs.launchpad.net/bugs/1535150
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
7 years ago UBUNTU: SAUCE: md/raid6 algorithms: scale test duration for speedier boots
Colin Ian King [Mon, 6 Feb 2017 15:21:31 +0000 (15:21 +0000)]
UBUNTU: SAUCE: md/raid6 algorithms: scale test duration for speedier boots

The original code runs for a set run time based on 2^RAID6_TIME_JIFFIES_LG2.
The default kernel value for RAID6_TIME_JIFFIES_LG2 is 4, however, empirical
testing shows that a value of 3.5 is the sweet spot for getting consistent
benchmarking results and speeding up the run time of the benchmarking.

To achieve 2^3.5 we use the following:
   2^3.5 = 2^4 / 2^0.5
         = 2^4 / sqrt(2)
         = 2^4 * 0.707106781

To keep this as integer math that is as accurate as required and avoiding
overflow, this becomes:
         = 2^4 * 181 / 256
         = (2^4 * 181) >> 8

We also need to scale down perf by the same factor, however, to
get a good approximate integer result without an overflow we scale
by 2^4.0 * sqrt(2) =
         = 2 ^ 4 * 1.41421356237
         = 2 ^ 4 * 1448 / 1024
         = (2 ^ 4 * 1448) >> 10

This has been tested on 2 AWS instances, a small t2 and a medium m3
with 30 boot tests each and compared to the same instances booted 30
times on an unmodified kernel. In all results, we get the same
algorithms being selected and a 100% consistent result over the 30
boots, showing that this optimised jiffy timing scaling does not break
the original functionality.

On the t2.small we see a saving of ~0.126 seconds and t3.medium a saving of
~0.177 seconds.

Tested on a 4 CPU VM on an 8 thread Xeon server; seeing a saving of ~0.33
seconds (average over 10 boots).

Tested on a 8 thread Xeon server, seeing a saving of ~1.24 seconds (average
of 10 boots).

The testing included double checking the algorithm chosen by the optimized
selection and seeing the same as pre-optimised version.

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: Start new release
Tim Gardner [Mon, 6 Feb 2017 15:34:51 +0000 (08:34 -0700)]
UBUNTU: Start new release

Ignore: yes
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: Ubuntu-4.10.0-7.9
Tim Gardner [Mon, 6 Feb 2017 15:12:18 +0000 (08:12 -0700)]
UBUNTU: Ubuntu-4.10.0-7.9

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: [Config] CONFIG_DRM_AMDGPU_CIK=y
Tim Gardner [Mon, 6 Feb 2017 13:12:42 +0000 (06:12 -0700)]
UBUNTU: [Config] CONFIG_DRM_AMDGPU_CIK=y

BugLink: http://bugs.launchpad.net/bugs/1661887
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: rebase to v4.10-rc7
Tim Gardner [Mon, 6 Feb 2017 12:26:25 +0000 (05:26 -0700)]
UBUNTU: rebase to v4.10-rc7

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago fix regression with domain change in complain mode
John Johansen [Thu, 2 Feb 2017 09:09:02 +0000 (01:09 -0800)]
fix regression with domain change in complain mode

The patch
Fix no_new_privs blocking change_onexec when using stacked namespaces

changed when the no_new_privs check is processed so the test could
be correctly applied in a stacked profile situation.

However it changed the behavior of the error returned in complain mode,
which will have both @error and @new set.

Fix this by introducing a new var to indicate the no_new_privs condition
instead of relying on error. While doing this allow the new label under
no new privs to be audited, by having its reference put in the error path,
instead of in the no_new_privs condition check.

BugLink: http://bugs.launchpad.net/bugs/1661030
BugLink: http://bugs.launchpad.net/bugs/1648903
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: flock mediation is not being enforced on cache check
John Johansen [Mon, 30 Jan 2017 10:38:14 +0000 (02:38 -0800)]
UBUNTU: SAUCE: apparmor: flock mediation is not being enforced on cache check

When an open file with cached permissions is checked for the flock
permission, the cache check fails and falls through to no error instead
of auditing and returning an error.

For the fall through to do a permission check, so it will audit the
failed flock permission check.

BugLink: http://bugs.launchpad.net/bugs/1658219
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: null profiles should inherit parent control flags
John Johansen [Thu, 12 Jan 2017 23:12:25 +0000 (15:12 -0800)]
UBUNTU: SAUCE: apparmor: null profiles should inherit parent control flags

null profiles that don't have the same control flags as the parent
behave in unexpected ways and can cause failures.

BugLink: http://bugs.launchpad.net/bugs/1656121
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: fix ns ref count link when removing profiles from policy
John Johansen [Wed, 18 Jan 2017 09:23:11 +0000 (01:23 -0800)]
UBUNTU: SAUCE: apparmor: fix ns ref count link when removing profiles from policy

BugLink: http://bugs.launchpad.net/bugs/1660849
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: Fix no_new_privs blocking change_onexec when using stacked...
John Johansen [Sat, 31 Dec 2016 11:55:30 +0000 (03:55 -0800)]
UBUNTU: SAUCE: apparmor: Fix no_new_privs blocking change_onexec when using stacked namespaces

Push the no_new_privs logic into the per profile transition fns, so
that the no_new_privs check can be done at the ns level instead of the
aggregate stack level.

BugLink: http://bugs.launchpad.net/bugs/1648143
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: fix lock ordering for mkdir
John Johansen [Thu, 8 Dec 2016 02:59:07 +0000 (18:59 -0800)]
UBUNTU: SAUCE: apparmor: fix lock ordering for mkdir

There is a lock inversion that can result in a deadlock when profile
replacements are racing with dir creation for a namespace in apparmorfs.

BugLink: http://bugs.launchpad.net/bugs/1645037
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: fix leak on securityfs pin count
John Johansen [Thu, 8 Dec 2016 02:56:31 +0000 (18:56 -0800)]
UBUNTU: SAUCE: apparmor: fix leak on securityfs pin count

apparmor is leaking pinfs refcount when inode setup fails.

BugLink: http://bugs.launchpad.net/bugs/1660846
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: fix reference count leak when securityfs_setup_d_inode(...
John Johansen [Thu, 8 Dec 2016 02:52:14 +0000 (18:52 -0800)]
UBUNTU: SAUCE: apparmor: fix reference count leak when securityfs_setup_d_inode() fails

BugLink: http://bugs.launchpad.net/bugs/1660845
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: fix not handling error case when securityfs_pin_fs() fails
John Johansen [Thu, 8 Dec 2016 02:50:14 +0000 (18:50 -0800)]
UBUNTU: SAUCE: apparmor: fix not handling error case when securityfs_pin_fs() fails

BugLink: http://bugs.launchpad.net/bugs/1660842
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: fix oops in bind_mnt when dev_path lookup fails
John Johansen [Sat, 3 Dec 2016 10:36:39 +0000 (02:36 -0800)]
UBUNTU: SAUCE: apparmor: fix oops in bind_mnt when dev_path lookup fails

Bind mounts can oops when devname lookup fails because the devname is
uninitialized and used in auditing the denial.

BugLink: http://bugs.launchpad.net/bugs/1660840
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: Don't audit denied access of special apparmor .null file
John Johansen [Sat, 12 Nov 2016 00:06:25 +0000 (16:06 -0800)]
UBUNTU: SAUCE: apparmor: Don't audit denied access of special apparmor .null file

When an fd is disallowed from being inherited during exec, instead of
closed it is duped to a special apparmor/.null file. This prevents the
fd from being reused by another file in case the application expects
the original file on a given fd (eg stdin/stdout etc). This results in
a denial message like
[32375.561535] audit: type=1400 audit(1478825963.441:358): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-t_<var-lib-lxd>" profile="/sbin/dhclient" name="/dev/pts/1" pid=16795 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=165536

Further access to the fd is resulting in the rather useless denial message
of
[32375.566820] audit: type=1400 audit(1478825963.445:359): apparmor="DENIED" operation="file_perm" namespace="root//lxd-t_<var-lib-lxd>" profile="/sbin/dhclient" name="/apparmor/.null" pid=16795 comm="dhclient" requested_mask="w" denied_mask="w" fsuid=165536 ouid=0

since we have the original denial, the noisy and useless .null based
denials can be skipped.

BugLink: http://bugs.launchpad.net/bugs/1660836
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
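
The same suppression applied on the log-analysis side, for logs that still contain the follow-up .null records. This is an added example, not part of the commit or the kernel tree; the function names and the (namespace, profile, pid) correlation key are assumptions, and the last two sample lines are constructed.

```python
import re

NULL_NAME = "/apparmor/.null"

# key="quoted value" or key=bare_value pairs as they appear in audit records
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
AUDIT_ID_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

# First two lines are the denials quoted in the commit message above;
# the last two are constructed for this example.
SAMPLE_LOG = [
    '[32375.561535] audit: type=1400 audit(1478825963.441:358): '
    'apparmor="DENIED" operation="file_inherit" '
    'namespace="root//lxd-t_<var-lib-lxd>" profile="/sbin/dhclient" '
    'name="/dev/pts/1" pid=16795 comm="dhclient" requested_mask="wr" '
    'denied_mask="wr" fsuid=165536 ouid=165536',
    '[32375.566820] audit: type=1400 audit(1478825963.445:359): '
    'apparmor="DENIED" operation="file_perm" '
    'namespace="root//lxd-t_<var-lib-lxd>" profile="/sbin/dhclient" '
    'name="/apparmor/.null" pid=16795 comm="dhclient" requested_mask="w" '
    'denied_mask="w" fsuid=165536 ouid=0',
    '[40000.000001] audit: type=1400 audit(1478830000.001:400): '
    'apparmor="DENIED" operation="file_perm" profile="/usr/bin/example" '
    'name="/apparmor/.null" pid=4242 comm="example" requested_mask="w" '
    'denied_mask="w" fsuid=1000 ouid=0',
    '[40000.000002] audit: type=1300 audit(1478830000.002:401): '
    'arch=c000003e syscall=2 success=no',
]


def parse_apparmor_event(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1)] = quoted if quoted is not None else bare
    stamp = AUDIT_ID_RE.search(line)
    if stamp:
        fields["epoch"], fields["serial"] = stamp.group(1), stamp.group(2)
    return fields


def triage(lines):
    """Split AppArmor denials into (kept, suppressed).

    A file_perm denial on the .null file is suppressed only when the same
    (namespace, profile, pid) already logged a file_inherit denial, i.e. the
    original denial that explains it is present. A .null denial without that
    earlier record is kept, because the explanatory event is missing from
    the log. Pid reuse across a long log is not handled here.
    """
    inherit_denied = set()
    kept, suppressed = [], []
    for line in lines:
        ev = parse_apparmor_event(line)
        if ev is None or ev.get("apparmor") != "DENIED":
            continue
        key = (ev.get("namespace", ""), ev.get("profile"), ev.get("pid"))
        if ev.get("operation") == "file_inherit":
            inherit_denied.add(key)
        is_null = (ev.get("operation") == "file_perm"
                   and ev.get("name", "").endswith(NULL_NAME))
        if is_null and key in inherit_denied:
            suppressed.append(ev)
        else:
            kept.append(ev)
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE_LOG)
    for ev in kept:
        print("keep    ", ev["serial"], ev["operation"], ev["name"])
    for ev in suppressed:
        print("suppress", ev["serial"], ev["operation"], ev["name"])
```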
7 years ago UBUNTU: SAUCE: apparmor: fix label leak when new label is unused
John Johansen [Sat, 12 Nov 2016 19:33:54 +0000 (11:33 -0800)]
UBUNTU: SAUCE: apparmor: fix label leak when new label is unused

When a new label is created, it is created with a proxy in a circular
ref count that is broken by replacement. However if the label is not
used it will never be replaced and the circular ref count will never
be broken resulting in a leak.

BugLink: http://bugs.launchpad.net/bugs/1660834
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: fix reference count bug in label_merge_insert()
John Johansen [Sat, 12 Nov 2016 09:39:51 +0000 (01:39 -0800)]
UBUNTU: SAUCE: apparmor: fix reference count bug in label_merge_insert()

@new does not have a reference taken locally and should not have its
reference put locally either.

BugLink: http://bugs.launchpad.net/bugs/1660833
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: fix replacement race in reading rawdata
John Johansen [Sat, 12 Nov 2016 05:44:20 +0000 (21:44 -0800)]
UBUNTU: SAUCE: apparmor: fix replacement race in reading rawdata

The reading of rawdata is subject to a replacement race when the
rawdata is read in chunks smaller than the data size.

For each read the profile proxy is rechecked for the newest profile,
which means if a profile is replaced between reads later chunks will
contain data from the new version of the profile while the earlier
reads will contain data from the previous version. This can result in
data that is inconsistent and corrupt.

Instead of rechecking for the current profile at each read, get the
current profile at the time of the open and use the rawdata of the
profile for the lifetime that the file handle is open.

BugLink: http://bugs.launchpad.net/bugs/1638996
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: fix cross ns perm of unix domain sockets
John Johansen [Sat, 12 Nov 2016 00:05:57 +0000 (16:05 -0800)]
UBUNTU: SAUCE: apparmor: fix cross ns perm of unix domain sockets

When using nested namespaces policy within the nested namespace is trying
to cross validate with policy outside of the namespace that is not
visible to it. This results in the access being denied and with no way to
add a rule to policy that would allow it.

The check should only be done against policy that is visible.

BugLink: http://bugs.launchpad.net/bugs/1660832
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: add flag to detect semantic change, to binfmt_elf mmap
John Johansen [Tue, 4 Oct 2016 00:27:09 +0000 (17:27 -0700)]
UBUNTU: SAUCE: apparmor: add flag to detect semantic change, to binfmt_elf mmap

commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46 changed when the creds
are installed by the binfmt_elf handler. This affects which creds
are used to mmap the executable into the address space, which can have
an effect on apparmor policy.

Add a flag to apparmor at
/sys/kernel/security/apparmor/features/domain/fix_binfmt_elf_mmap

to make it possible to detect this semantic change so that the userspace
tools and the regression test suite can correctly deal with the change.

Note: since 9f834ec1 is a potential information leak fix for prof
events and tracing, it is expected that it could be picked up by
kernels earlier than 4.8 so that detecting the kernel version
is not sufficient.

BugLink: http://bugs.launchpad.net/bugs/1630069
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago apparmor: bump domain stacking version to 1.2
John Johansen [Wed, 28 Sep 2016 03:11:29 +0000 (20:11 -0700)]
apparmor: bump domain stacking version to 1.2

BugLink: http://bugs.launchpad.net/bugs/1611078
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago apparmor: add per ns policy management interface
John Johansen [Tue, 27 Sep 2016 00:05:45 +0000 (17:05 -0700)]
apparmor: add per ns policy management interface

BugLink: http://bugs.launchpad.net/bugs/1611078
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago apparmor: update policy permissions to consider ns being viewed/managed
John Johansen [Tue, 27 Sep 2016 02:06:51 +0000 (19:06 -0700)]
apparmor: update policy permissions to consider ns being viewed/managed

BugLink: http://bugs.launchpad.net/bugs/1611078
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago apparmor: add interface to advertise status of current task stacking
John Johansen [Tue, 27 Sep 2016 22:14:48 +0000 (15:14 -0700)]
apparmor: add interface to advertise status of current task stacking

BugLink: http://bugs.launchpad.net/bugs/1611078
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago apparmor: fix warning that fn build_pivotroot discards const
John Johansen [Wed, 28 Sep 2016 09:23:56 +0000 (02:23 -0700)]
apparmor: fix warning that fn build_pivotroot discards const

fix mount.c warnings:

warning: passing argument 2 of ‘build_pivotroot’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]

warning: passing argument 4 of ‘build_pivotroot’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]

BugLink: http://bugs.launchpad.net/bugs/1611078
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago apparmor: fix oops in pivot_root mediation
John Johansen [Wed, 28 Sep 2016 05:14:12 +0000 (22:14 -0700)]
apparmor: fix oops in pivot_root mediation

BugLink: http://bugs.launchpad.net/bugs/1611078
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago apparmor: add mkdir/rmdir interface to manage policy namespaces
John Johansen [Thu, 22 Sep 2016 17:50:42 +0000 (10:50 -0700)]
apparmor: add mkdir/rmdir interface to manage policy namespaces

BugLink: http://bugs.launchpad.net/bugs/1611078
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago apparmor: add __aa_find_ns fn
John Johansen [Thu, 22 Sep 2016 21:53:40 +0000 (14:53 -0700)]
apparmor: add __aa_find_ns fn

BugLink: http://bugs.launchpad.net/bugs/1611078
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago apparmor: refactor aa_prepare_ns into prepare_ns and create_ns routines
John Johansen [Thu, 22 Sep 2016 19:51:11 +0000 (12:51 -0700)]
apparmor: refactor aa_prepare_ns into prepare_ns and create_ns routines

BugLink: http://bugs.launchpad.net/bugs/1611078
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago apparmor: add interface to be able to grab loaded policy
John Johansen [Wed, 14 Sep 2016 22:23:55 +0000 (15:23 -0700)]
apparmor: add interface to be able to grab loaded policy

Check point/restore needs to be able to grab policy currently loaded
into the kernel.

BugLink: http://bugs.launchpad.net/bugs/1611078
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago apparmor: Add Basic ns cross check condition for ipc
John Johansen [Wed, 24 Aug 2016 23:07:07 +0000 (16:07 -0700)]
apparmor: Add Basic ns cross check condition for ipc

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: add data query support
William Hua [Thu, 28 Jul 2016 18:12:00 +0000 (18:12 +0000)]
UBUNTU: SAUCE: apparmor: add data query support

Allow AppArmor to store and retrieve arbitrary free-form data. This
is needed for the dconf proxy.

Signed-off-by: William Hua <william.hua@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago apparmor: fix: permissions test to view and manage policy
John Johansen [Sun, 14 Aug 2016 22:01:12 +0000 (15:01 -0700)]
apparmor: fix: permissions test to view and manage policy

Drop may_open_profiles and unify with policy_view_capable()

Adjust policy_view_capable() so that it is slightly less restricted.
  user_namespaces can now manage policy iff
  - the task has cap_mac_admin in the namespace
  - the user_namespace->level == apparmor policy_namespace->level.
  This ensures a usernamespace can never be used to manage the
  system namespace, and can only be used to manage the namespace at its
  view level.
  If for some reason a user namespace is setup without an apparmor
  policy namespace it will not be able to manage or view policy.

  However this also means an extra level of apparmor policy namespaces
  can not be setup and used with user namespaces at this time.
  ie. this blocks user confinement stacking, and user defined policy
  use cases from being used with user namespaces atm.

Add the ability to output a debug message in relation to
  capable(cap_mac_admin) &&
  policy_locked
as it is possible for these to cause failures that are not audited and
thus hard to trace down.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago apparmor: default to allowing unprivileged userns policy
John Johansen [Fri, 12 Aug 2016 15:08:33 +0000 (08:08 -0700)]
apparmor: default to allowing unprivileged userns policy

To disable set kernel/unprivileged_userns_apparmor_policy = 0

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago apparmor: push path lookup into mediation loop
John Johansen [Tue, 2 Aug 2016 10:10:23 +0000 (03:10 -0700)]
apparmor: push path lookup into mediation loop

Due to each profile having its own flags that determine name construction
we need to do the path lookup based on each profile's flags and namespace.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago apparmor: add a stack_version file to allow detection of bug fixes
John Johansen [Tue, 9 Aug 2016 20:47:43 +0000 (13:47 -0700)]
apparmor: add a stack_version file to allow detection of bug fixes

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago apparmor: add missing parens. not a bug fix but highly recommended
John Johansen [Fri, 18 Mar 2016 15:42:41 +0000 (08:42 -0700)]
apparmor: add missing parens. not a bug fix but highly recommended

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago apparmor: convert delegating deleted files to mediate deleted files
John Johansen [Tue, 2 Aug 2016 10:49:35 +0000 (03:49 -0700)]
apparmor: convert delegating deleted files to mediate deleted files

This is a semantic change that may need to be reverted but we can not
properly do delegation atm and doing blind delegation is a security
hole.

Files that have the necessary labeling can still be delegated however
mediation will be required for deleted files that need to be revalidated.

Note: the code is set up to specify DELEGATE_DELETED but aliases it on
the backend to MEDIATE_DELETED. This will have to be partially reverted/
changed for profile replacement causing a revalidation.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago apparmor: Make pivot root transitions work with stacking
John Johansen [Thu, 4 Aug 2016 09:46:09 +0000 (02:46 -0700)]
apparmor: Make pivot root transitions work with stacking

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago apparmor: add more assertions for updates/merges to help catch errors
John Johansen [Thu, 18 Aug 2016 23:42:34 +0000 (16:42 -0700)]
apparmor: add more assertions for updates/merges to help catch errors

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago apparmor: fix: Rework the iter loop for label_update
John Johansen [Mon, 23 May 2016 09:31:04 +0000 (02:31 -0700)]
apparmor: fix: Rework the iter loop for label_update

ensure that label_update works with unterminated vectors

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: Fix auditing behavior for change_hat probing
John Johansen [Thu, 4 Aug 2016 11:35:21 +0000 (04:35 -0700)]
UBUNTU: SAUCE: apparmor: Fix auditing behavior for change_hat probing

change_hat uses probing to find and transition to the first available
hat. Hats missing as part of this probe are expected and should not
be logged except in complain mode.

BugLink: http://bugs.launchpad.net/bugs/1615893
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: deleted dentries can be disconnected
John Johansen [Mon, 11 Jul 2016 06:12:38 +0000 (23:12 -0700)]
UBUNTU: SAUCE: apparmor: deleted dentries can be disconnected

BugLink: http://bugs.launchpad.net/bugs/1615892
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: special case unconfined when determining the mode
John Johansen [Fri, 8 Jul 2016 16:58:05 +0000 (09:58 -0700)]
UBUNTU: SAUCE: apparmor: special case unconfined when determining the mode

when viewing a stack involving unconfined from across a ns boundary
the mode is reported as mixed.

Eg.
lxc-container-default//&:lxdns1://unconfined (mixed)

This is because the unconfined profile is in the special unconfined
mode, which will result in a (mixed) mode for any stack with profiles
in enforcing or complain mode.

This can however lead to confusion as to what mode is being used as
mixed is also used for enforcing stacked with complain. Since unconfined
doesn't affect the stack just special case it.

BugLink: http://bugs.launchpad.net/bugs/1615890
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: fix: parameters can be changed after policy is locked
John Johansen [Thu, 23 Jun 2016 01:01:08 +0000 (18:01 -0700)]
UBUNTU: SAUCE: apparmor: fix: parameters can be changed after policy is locked

the policy_lock parameter is a one way switch that prevents policy
from being further modified. Unfortunately some of the module parameters
can effectively modify policy by turning off enforcement.

split policy_admin_capable into a view check and a full admin check,
and update the admin check to test the policy_lock parameter.

BugLink: http://bugs.launchpad.net/bugs/1615895
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: fix vec_unique for vectors larger than 8
John Johansen [Mon, 22 Aug 2016 21:14:48 +0000 (14:14 -0700)]
UBUNTU: SAUCE: apparmor: fix vec_unique for vectors larger than 8

the vec_unique path for large vectors is broken, leading to oopses
when a file handle is shared between 8 different security domains, and
then a profile replacement/removal causing a label invalidation (ie. not
all replacements) is done.

BugLink: http://bugs.launchpad.net/bugs/1579135
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: reduction of vec to single entry is just that entry
John Johansen [Mon, 22 Aug 2016 07:47:01 +0000 (00:47 -0700)]
UBUNTU: SAUCE: apparmor: reduction of vec to single entry is just that entry

If the result of a merge/update/parse is a vec with a single entry
we should not be returning a reference label, but just the label
itself.

BugLink: http://bugs.launchpad.net/bugs/1615889
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: profiles in one ns can affect mediation in another ns
John Johansen [Fri, 19 Aug 2016 10:20:32 +0000 (03:20 -0700)]
UBUNTU: SAUCE: apparmor: profiles in one ns can affect mediation in another ns

When the ns hierarchy a//foo and b//foo are compared they are
incorrectly identified as being the same as they have the same depth
and the same basename.

Instead make sure to compare the full hname to distinguish this case.

BugLink: http://bugs.launchpad.net/bugs/1615887
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: Fix label build for onexec stacking.
John Johansen [Mon, 23 May 2016 19:04:57 +0000 (12:04 -0700)]
UBUNTU: SAUCE: apparmor: Fix label build for onexec stacking.

The label build for onexec when crossing a namespace boundary is not
quite correct. The label needs to be built per profile and not based
on the whole label because the onexec transition only applies to
profiles within the ns. Where merging against the label could include
profiles that are transitioned via the profile_transition callback
and should not be in the final label.

BugLink: http://bugs.launchpad.net/bugs/1615881
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: Fix new to old label comparison for domain transitions
John Johansen [Mon, 23 May 2016 19:01:26 +0000 (12:01 -0700)]
UBUNTU: SAUCE: apparmor: Fix new to old label comparison for domain transitions

For the purposes of inherit we should be treating a profile/label transition
to its replacement as if the replacement is the profile/label.

So make the comparison based off of the label proxy, not the label itself.

BugLink: http://bugs.launchpad.net/bugs/1615880
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: fix stack trace when removing namespace with profiles
John Johansen [Thu, 21 Jul 2016 18:12:38 +0000 (11:12 -0700)]
UBUNTU: SAUCE: apparmor: fix stack trace when removing namespace with profiles

BugLink: http://bugs.launchpad.net/bugs/1593874
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: Fix __label_update proxy comparison test
John Johansen [Mon, 23 May 2016 18:52:18 +0000 (11:52 -0700)]
UBUNTU: SAUCE: apparmor: Fix __label_update proxy comparison test

The comparing the proxy pointer, not the address of the label's proxy pointer.

BugLink: http://bugs.launchpad.net/bugs/1615878
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago fixup backout policy view capable for forward port
John Johansen [Fri, 16 Sep 2016 19:39:08 +0000 (12:39 -0700)]
fixup backout policy view capable for forward port

Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: Fix FTBFS due to bad include path
Tyler Hicks [Tue, 5 Apr 2016 17:35:23 +0000 (12:35 -0500)]
UBUNTU: SAUCE: apparmor: Fix FTBFS due to bad include path

When header files in security/apparmor/includes/ pull in other header
files in that directory, they should only include the file name. This
fixes a build failure reported by Tycho when using `make bindeb-pkg` to
build the Ubuntu kernel tree but, confusingly, isn't seen when building
with `fakeroot debian/rules binary-generic`.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reported-by: Tycho Andersen <tycho.andersen@canonical.com>
Cc: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: Consult sysctl when reading profiles in a user ns
Tyler Hicks [Wed, 23 Mar 2016 21:41:33 +0000 (16:41 -0500)]
UBUNTU: SAUCE: apparmor: Consult sysctl when reading profiles in a user ns

BugLink: https://launchpad.net/bugs/1560583
Check the value of the unprivileged_userns_apparmor_policy sysctl when a
namespace root process attempts to read the apparmorfs profiles file.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: apparmor: Allow ns_root processes to open profiles file
Tyler Hicks [Wed, 23 Mar 2016 21:26:20 +0000 (16:26 -0500)]
UBUNTU: SAUCE: apparmor: Allow ns_root processes to open profiles file

BugLink: https://launchpad.net/bugs/1560583
Change the apparmorfs profiles file permissions check to better match
the old requirements before the apparmorfs permissions were changed to
allow profile loads inside of confined, first-level user namespaces.

Historically, the profiles file has been readable by the root user and
group. A recent change added the requirement that the process have the
CAP_MAC_ADMIN capability. This is a problem for confined processes since
keeping the 'capability mac_admin,' rule out of the AppArmor profile is
often desired.

This patch replaces the CAP_MAC_ADMIN requirement with a requirement
that the process is root in its user namespace.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: add a sysctl to enable unprivileged user ns AppArmor policy loading
Tyler Hicks [Thu, 17 Mar 2016 00:19:10 +0000 (19:19 -0500)]
UBUNTU: SAUCE: add a sysctl to enable unprivileged user ns AppArmor policy loading

BugLink: http://bugs.launchpad.net/bugs/1379535
Disabled by default until the AppArmor kernel code is deemed safe enough
to handle untrusted policy. Only developers of container technologies
should turn this on until that time.

If this sysctl is set to non-zero and a process with CAP_MAC_ADMIN in
the root namespace has created an AppArmor policy namespace,
unprivileged processes will be able to change to a profile in the
newly created AppArmor policy namespace and, if the profile allows
CAP_MAC_ADMIN and appropriate file permissions, will be able to load
policy in the respective policy namespace.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: (no-up) apparmor: rebase of apparmor3.5-beta1 snapshot for 4.8
John Johansen [Mon, 13 Jun 2016 14:05:18 +0000 (17:05 +0300)]
UBUNTU: SAUCE: (no-up) apparmor: rebase of apparmor3.5-beta1 snapshot for 4.8

BugLink: http://bugs.launchpad.net/bugs/1379535
This is a sync and squash of the apparmor 3.5-beta1 snapshot. The
set of patches in this squash are available in
  git://kernel.ubuntu.com/jj/ubuntu-xenial.git
using the tag
  apparmor-3.5-beta1-presuash-snapshot

This fixes multiple bugs and adds the policy namespace stacking features.
BugLink: http://bugs.launchpad.net/bugs/1379535
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: [Config] CONFIG_BLK_DEV_RAM=m
Tim Gardner [Thu, 2 Feb 2017 17:51:33 +0000 (10:51 -0700)]
UBUNTU: [Config] CONFIG_BLK_DEV_RAM=m

BugLink: http://bugs.launchpad.net/bugs/1593293
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: Start new release
Tim Gardner [Thu, 2 Feb 2017 17:48:54 +0000 (10:48 -0700)]
UBUNTU: Start new release

Ignore: yes
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: Ubuntu-4.10.0-6.8
Tim Gardner [Thu, 2 Feb 2017 16:07:07 +0000 (09:07 -0700)]
UBUNTU: Ubuntu-4.10.0-6.8

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago hv: don't reset hv_context.tsc_page on crash
Vitaly Kuznetsov [Wed, 7 Dec 2016 09:16:27 +0000 (01:16 -0800)]
hv: don't reset hv_context.tsc_page on crash

BugLink: http://bugs.launchpad.net/bugs/1630924
It may happen that secondary CPUs are still alive and resetting
hv_context.tsc_page will cause a consequent crash in read_hv_clock_tsc()
as we don't check for it being not NULL there. It is safe as we're not
freeing this page anyways.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from linux-next commit 56ef6718a1d8d77745033c5291e025ce18504159)
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: SAUCE: s390: kernel message catalog
Martin Schwidefsky [Tue, 17 Jan 2017 14:44:05 +0000 (15:44 +0100)]
UBUNTU: SAUCE: s390: kernel message catalog

BugLink: http://bugs.launchpad.net/bugs/1628889
Add support for automatic message tags to the printk macro
families dev_xyz and pr_xyz. The message tag consists of a
component name and a 24 bit hash of the message text. For
each message that is documented in the included kernel message
catalog a man page can be created with a script (which is
included in the patch). The generated man pages contain
explanatory text that is intended to help understand the
messages.

Note that only s390 specific messages are prepared
appropriately and included in the generated message catalog.

This patch is optional as it is very unlikely to be accepted
in upstream kernel, but is recommended for all distributions
which are built based on the 'Development stream'

Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: Start new release
Tim Gardner [Wed, 1 Feb 2017 22:22:18 +0000 (15:22 -0700)]
UBUNTU: Start new release

Ignore: yes
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: Ubuntu-4.10.0-5.7
Seth Forshee [Wed, 1 Feb 2017 18:26:25 +0000 (12:26 -0600)]
UBUNTU: Ubuntu-4.10.0-5.7

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
7 years ago UBUNTU: [Config] CONFIG_TOUCHSCREEN_ELAN=y,CONFIG_PINCTRL_CHERRYVIEW=y for amd64
Tim Gardner [Tue, 31 Jan 2017 15:40:01 +0000 (08:40 -0700)]
UBUNTU: [Config] CONFIG_TOUCHSCREEN_ELAN=y,CONFIG_PINCTRL_CHERRYVIEW=y for amd64

BugLink: http://bugs.launchpad.net/bugs/1630238
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: [Config] Update annotations for CONFIG_NET_DROP_MONITOR
Tim Gardner [Tue, 31 Jan 2017 14:56:41 +0000 (07:56 -0700)]
UBUNTU: [Config] Update annotations for CONFIG_NET_DROP_MONITOR

BugLink: http://bugs.launchpad.net/bugs/1660634
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: [Config] CONFIG_NET_DROP_MONITOR=m
Tim Gardner [Tue, 31 Jan 2017 13:49:08 +0000 (06:49 -0700)]
UBUNTU: [Config] CONFIG_NET_DROP_MONITOR=m

<zioproto> hello all. I am new here. I would like some feedback
about CONFIG_NET_DROP_MONITOR=n in the Ubuntu Kernel. It would
be of great help to have it set to module. We use ubuntu for the
openstack network node.

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: Enable zfs build
Seth Forshee [Mon, 30 Jan 2017 13:44:43 +0000 (07:44 -0600)]
UBUNTU: Enable zfs build

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
7 years ago UBUNTU: SAUCE: (no-up) Update zfs to 0.6.5.8-0ubuntu9
Seth Forshee [Mon, 30 Jan 2017 19:10:42 +0000 (13:10 -0600)]
UBUNTU: SAUCE: (no-up) Update zfs to 0.6.5.8-0ubuntu9

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
7 years ago UBUNTU: Rebase to v4.10-rc6
Seth Forshee [Mon, 30 Jan 2017 13:22:48 +0000 (07:22 -0600)]
UBUNTU: Rebase to v4.10-rc6

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
7 years ago UBUNTU: SAUCE: Disable timers selftest for now
Seth Forshee [Thu, 26 Jan 2017 15:25:57 +0000 (09:25 -0600)]
UBUNTU: SAUCE: Disable timers selftest for now

This test is failing in ADT due to a kvm problem in host kernel.
A fix is in progress for this issue, but until then disable this
test.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
7 years ago UBUNTU: [debian] derive indep_hdrs_pkg_name from src_pkg_name
Kamal Mostafa [Tue, 24 Jan 2017 20:05:20 +0000 (12:05 -0800)]
UBUNTU: [debian] derive indep_hdrs_pkg_name from src_pkg_name

This long-standing oversight in our debian rules hardcodes the string "linux"
instead of using the $(src_pkg_name) for just one of the generated .deb package
names: linux-headers-x.x.x-x.  Let's fix it in the generic branches
(T,X,Y,Z,unstable) so that we won't have to keep applying this patch to each of
the derivative/custom kernels.

-----8<-----

Ignore: yes

Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: d-i: initrd needs msm_emac on amberwing platform.
Manoj Iyer [Tue, 24 Jan 2017 17:05:12 +0000 (11:05 -0600)]
UBUNTU: d-i: initrd needs msm_emac on amberwing platform.

Amberwing systems have an onboard two port nic that uses msm_emac
driver. This module is needed in d-i's initrd so that these nics
can be used to d-i install the system. Tested on the amberwing
system at canonical.

Signed-off-by: Manoj Iyer <manoj.iyer@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: Start new release
Tim Gardner [Tue, 24 Jan 2017 17:13:02 +0000 (10:13 -0700)]
UBUNTU: Start new release

Ignore: yes
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: Ubuntu-4.10.0-4.6
Seth Forshee [Tue, 24 Jan 2017 13:13:37 +0000 (07:13 -0600)]
UBUNTU: Ubuntu-4.10.0-4.6

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
7 years ago UBUNTU: Start new release
Seth Forshee [Tue, 24 Jan 2017 13:11:07 +0000 (07:11 -0600)]
UBUNTU: Start new release

Ignore: yes
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
7 years ago UBUNTU: Ubuntu-4.10.0-3.5
Seth Forshee [Mon, 23 Jan 2017 21:48:58 +0000 (15:48 -0600)]
UBUNTU: Ubuntu-4.10.0-3.5

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
7 years ago UBUNTU: rebase to v4.10-rc5
Tim Gardner [Mon, 23 Jan 2017 12:49:59 +0000 (05:49 -0700)]
UBUNTU: rebase to v4.10-rc5

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: [Config] Update annotations for 4.10
Seth Forshee [Sun, 22 Jan 2017 23:51:00 +0000 (17:51 -0600)]
UBUNTU: [Config] Update annotations for 4.10

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
7 years ago UBUNTU: [Config] Fix up s390x config options changed during 4.10 rebase
Seth Forshee [Thu, 19 Jan 2017 22:05:12 +0000 (16:05 -0600)]
UBUNTU: [Config] Fix up s390x config options changed during 4.10 rebase

Fix the following options mistakenly changed during the rebase
from 4.9 to 4.10.

 - CONFIG_I2C was selected by CONFIG_SFC_FALCON but should be
   disabled because s390x lacks hw support. Revert these and
   related options, and enforce the CONFIG_I2C values to prevent
   this in the future.

 - Change CONFIG_LPC_SCH from m to n.

 - Change CONFIG_NVMEM from m to n.

 - Change CONFIG_REGULATOR from m to n.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
7 years ago UBUNTU: [Config] powerpc: Add kvm-hv and kvm-pr to the generic inclusion list
Tim Gardner [Thu, 19 Jan 2017 18:43:49 +0000 (11:43 -0700)]
UBUNTU: [Config] powerpc: Add kvm-hv and kvm-pr to the generic inclusion list

BugLink: http://bugs.launchpad.net/bugs/1657734
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: [Config] Bump CONFIG_NR_CPUS up to 256 on arm64
dann frazier [Thu, 19 Jan 2017 00:45:51 +0000 (17:45 -0700)]
UBUNTU: [Config] Bump CONFIG_NR_CPUS up to 256 on arm64

Signed-off-by: dann frazier <dann.frazier@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: [Config] Move Amazon ENA network driver to the main kernel package
Seth Forshee [Thu, 19 Jan 2017 15:29:05 +0000 (09:29 -0600)]
UBUNTU: [Config] Move Amazon ENA network driver to the main kernel package

BugLink: http://bugs.launchpad.net/bugs/1657767
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
7 years ago block: relax check on sg gap
Ming Lei [Sat, 17 Dec 2016 10:49:09 +0000 (18:49 +0800)]
block: relax check on sg gap

BugLink: http://bugs.launchpad.net/bugs/1657539
If the last bvec of the 1st bio and the 1st bvec of the next
bio are physically contiguous, and the latter can be merged
to last segment of the 1st bio, we should think they don't
violate sg gap (or virt boundary) limit.

Both Vitaly and Dexuan reported lots of unmergeable small bios
are observed when running mkfs on Hyper-V virtual storage, and
performance becomes quite low. This patch fixes that performance
issue.

The same issue should exist on NVMe, since it sets virt boundary too.

Reported-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Reported-by: Dexuan Cui <decui@microsoft.com>
Tested-by: Dexuan Cui <decui@microsoft.com>
Cc: Keith Busch <keith.busch@intel.com>
Signed-off-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
(cherry picked from linux-next commit 729204ef49ec00b788ce23deb9eb922a5769f55d)
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: [Config] CONFIG_DEFAULT_IOSCHED=cfq
Tim Gardner [Wed, 18 Jan 2017 18:43:34 +0000 (11:43 -0700)]
UBUNTU: [Config] CONFIG_DEFAULT_IOSCHED=cfq

Hi there,

after several days of running (way too) many tests, I've got some data
to show that it may be a good idea to drop the DEADLINE I/O scheduler
for Zesty and move to CFQ with buffered writeback throttling (WBT) +
WBT_MQ (WBT multi-queue) enabled.

We originally moved to DEADLINE because of the issues with slow I/O (say
to flash drives) causing applications to hang while blocked on the slow
I/O being flushed out.  It seems that with the recent 4.10 WBT driver
and (possibly other block driver changes) we see some performance
benefits also with CFQ, namely:

1. Faster boots. On an 8 thread Xeon CPU E3-1275 I'm seeing a reduction
in usertime boots from 33.92s (Deadline) to ~24.5s (CFQ)

See: http://kernel.ubuntu.com/~cking/wbt/iosched-boot.ods

2. Faster build times (yay!) and better performance when writing across
multiple devices (especially when one of these is a slow flash device).

See: http://kernel.ubuntu.com/~cking/wbt/blk-mq-sq.ods

There are some places where CFQ + MQ is less performant than CFQ + MQ +
SQ, and vice-versa.  However, my general feeling for Zesty is that we
should give this a try as it seems to work well. The config changes are:

1. disable CONFIG_DEFAULT_DEADLINE
2. enable CONFIG_DEFAULT_CFQ
3. enable CONFIG_BLK_WBT
4. enable CONFIG_BLK_WBT_MQ

This will give us plenty of time to give this a good test in the next
few months and revert them if we find any problematic corner cases.
(The win on boot time, build times and writes to slow devices) is
probably the most compelling choice for these changes IMHO.

Colin King

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: Enable vbox build
Seth Forshee [Wed, 18 Jan 2017 13:39:02 +0000 (07:39 -0600)]
UBUNTU: Enable vbox build

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
7 years ago UBUNTU: SAUCE: vbox -- remove .readlink assignment
Seth Forshee [Wed, 18 Jan 2017 14:44:42 +0000 (08:44 -0600)]
UBUNTU: SAUCE: vbox -- remove .readlink assignment

Since 76fca90e9f3a "vfs: default to generic_readlink()" the vfs
will default to generic_readlink if the fs .readlink callback is
NULL.

Fixes FTBFS with 4.10 kernels.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
7 years ago UBUNTU: ubuntu: vbox -- Update to 5.1.14-dfsg-1
Seth Forshee [Wed, 18 Jan 2017 13:37:59 +0000 (07:37 -0600)]
UBUNTU: ubuntu: vbox -- Update to 5.1.14-dfsg-1

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
7 years ago UBUNTU: SAUCE: (no-up) i915: Remove MODULE_FIRMWARE statements for unreleased firmware
Seth Forshee [Tue, 17 Jan 2017 21:19:39 +0000 (15:19 -0600)]
UBUNTU: SAUCE: (no-up) i915: Remove MODULE_FIRMWARE statements for unreleased firmware

BugLink: http://bugs.launchpad.net/bugs/1626740
Intel has added MODULE_FIRMWARE statements to i915 which refer to
firmware files that they have not yet pushed out to upstream
linux-firmware. This causes the following warnings when
generating the initrd:

 W: Possible missing firmware /lib/firmware/i915/kbl_guc_ver9_14.bin for module i915
 W: Possible missing firmware /lib/firmware/i915/bxt_guc_ver8_7.bin for module i915

This firmware is clearly optional, and the warnings have been
generating a lot of confusion for users. Remove the offending
MODULE_FIRMWARE statements until Intel makes these files
available.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
7 years ago UBUNTU: [Config] CONFIG_KMSG_IDS=y for s390
Tim Gardner [Tue, 17 Jan 2017 14:26:31 +0000 (07:26 -0700)]
UBUNTU: [Config] CONFIG_KMSG_IDS=y for s390

BugLink: http://bugs.launchpad.net/bugs/1628889
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 years ago UBUNTU: Start new release
Tim Gardner [Tue, 17 Jan 2017 14:12:57 +0000 (07:12 -0700)]
UBUNTU: Start new release

Ignore: yes
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>