d empty body in
> an 'else' statement [-Werror=empty-body]
> 2096 | AA_BUG(labels_ns(label) != labels_ns(new));
>
> Change the macro definition to use no_printk(), which improves
> format string checking and avoids the warning.
>
> Signed-off-by: Arnd B
On 10/4/20 7:24 AM, t...@redhat.com wrote:
> From: Tom Rix
>
> clang static analysis reports this representative problem:
>
> label.c:1463:16: warning: Assigned value is garbage or undefined
> label->hname = name;
> ^
>
> In aa_update_label_name(), this the pro
On 1/20/21 2:56 PM, Eric W. Biederman wrote:
>
> TL;DR selinux and apparmor ignore no_new_privs
>
> What?
>
AppArmor does not ignore no_new_privs. Its mediation is bounded
and it doesn't grant anything that wasn't allowed when NNP was
set.
>
> Jo
On 1/20/21 1:26 PM, Eric W. Biederman wrote:
>
> The current understanding of apparmor with respect to no_new_privs is at
> odds with how no_new_privs is implemented and understood by the rest of
> the kernel.
>
> The documentation of no_new_privs states:
>> With ``no_new_privs`` set, ``execve()`
On 12/20/20 7:27 PM, Randy Dunlap wrote:
> Drop repeated words in comments.
> {a, then, to}
>
> Signed-off-by: Randy Dunlap
> Cc: John Johansen
> Cc: appar...@lists.ubuntu.com
> Cc: James Morris
> Cc: "Serge E. Hallyn"
> Cc: linux-security-mod...@vger.
On 12/10/20 1:39 AM, Miklos Szeredi wrote:
> On Thu, Dec 10, 2020 at 10:00 AM John Johansen
> wrote:
>>
>> On 12/8/20 2:27 AM, Tetsuo Handa wrote:
>>> On 2020/12/08 1:32, Miklos Szeredi wrote:
>>>> A general observation is that overlayfs does not c
On 12/8/20 2:27 AM, Tetsuo Handa wrote:
> On 2020/12/08 1:32, Miklos Szeredi wrote:
>> A general observation is that overlayfs does not call security_path_*()
>> hooks on the underlying fs. I don't see this as a problem, because a
>> simple bind mount done inside a private mount namespace also def
ate
> anymore, thus remove it from apparmor code.
>
> Signed-off-by: Andy Shevchenko
oh nice,
I will pull into the apparmor tree
Acked-by: John Johansen
> ---
> security/apparmor/apparmorfs.c | 3 ---
> 1 file changed, 3 deletions(-)
>
> diff --git a/security/apparmor/
On 11/9/20 2:28 PM, Casey Schaufler wrote:
> On 11/7/2020 2:05 PM, John Johansen wrote:
>> On 11/7/20 1:15 AM, Greg KH wrote:
>>> On Fri, Nov 06, 2020 at 04:20:43PM -0800, Casey Schaufler wrote:
>>>> On 11/5/2020 1:22 AM, Greg KH wrote:
>>>>> On
t;>> provided to get the display slot for a task_struct.
>>>>
>>>> Setting the "display" requires that all security modules using
>>>> setprocattr hooks allow the action. Each security module is
>>>> responsible for defining its policy.
On 8/5/20 8:43 AM, Stephen Smalley wrote:
> On 8/5/20 11:07 AM, Tyler Hicks wrote:
>
>> On 2020-08-05 10:27:43, Stephen Smalley wrote:
>>> On Wed, Aug 5, 2020 at 9:20 AM Mimi Zohar wrote:
On Wed, 2020-08-05 at 09:03 -0400, Stephen Smalley wrote:
> On Wed, Aug 5, 2020 at 8:57 AM Mimi Zoha
On 7/21/20 8:19 AM, Paul Moore wrote:
> On Tue, Jul 14, 2020 at 5:00 PM Richard Guy Briggs wrote:
>> On 2020-07-14 16:29, Paul Moore wrote:
>>> On Tue, Jul 14, 2020 at 1:44 PM Richard Guy Briggs wrote:
On 2020-07-14 12:21, Paul Moore wrote:
> On Mon, Jul 13, 2020 at 3:52 PM Richard Guy B
through and double checked all the https urls are good
Acked-by: John Johansen
> ---
> Continuing my work started at 93431e0607e5.
>
> If there are any URLs to be removed completely or at least not HTTPSified:
> Just clearly say so and I'll *undo my change*.
> See also
On 6/15/20 10:44 AM, Mimi Zohar wrote:
> (Cc'ing John)
>
> On Mon, 2020-06-15 at 10:33 -0700, Casey Schaufler wrote:
>> On 6/15/2020 9:45 AM, Lakshmi Ramasubramanian wrote:
>>> On 6/15/20 4:57 AM, Stephen Smalley wrote:
>>>
>>> Hi Stephen,
>>>
>>> Thanks for reviewing the patches.
>>>
> +void
. Silva (1):
apparmor: Replace zero-length array with flexible-array
John Johansen (11):
apparmor: add a valid state flags check
apparmor: add consistency check between state and dfa diff encode flags
apparmor: add proc subdir to attrs
apparmor: remove useless
Hi Linus,
Can you please pull the following bug fixes for apparmor
Thanks!
- John
The following changes since commit b85051e755b0e9d6dd8f17ef1da083851b83287d:
Merge tag 'fixes-for-5.7-rc6' of
git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux (2020-05-20 13:23:55
-0700)
are available
On 5/19/20 2:17 PM, Kees Cook wrote:
> On Tue, May 19, 2020 at 01:42:28PM -0500, Eric W. Biederman wrote:
>> Kees Cook writes:
>>
>>> On Tue, May 19, 2020 at 12:41:27PM -0500, Eric W. Biederman wrote:
Kees Cook writes:
> and given the LSM hooks, I think the noexec check is too late as we
On 4/6/20 4:41 AM, Amol Grover wrote:
> Hello,
>
> With respect to the patch https://lore.kernel.org/patchwork/patch/1202512/
> I boot tested with CONFIG_PROVE_RCU_LIST=y and encountered a suspicious RCU
> usage warning in "security/apparmor/include/lib.h". I thought of going forward
> and fix it
On 4/28/20 4:52 AM, Zou Wei wrote:
> Fixes coccicheck warnings:
>
> security/apparmor/file.c:162:9-10: WARNING: return of 0/1 in function
> 'is_deleted' with return type bool
> security/apparmor/file.c:362:9-10: WARNING: return of 0/1 in function
> 'xindex_is_subset' with return type bool
> secu
cinelle.
>
> [1] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html
> [2] https://github.com/KSPP/linux/issues/21
> [3] commit 76497732932f ("cxgb3/l2t: Fix undefined behaviour")
>
> Signed-off-by: Gustavo A. R. Silva
Acked-by: John Johansen
I have pulled this into my tree
On 5/14/20 11:24 AM, Amol Grover wrote:
> On Mon, Apr 06, 2020 at 05:11:34PM +0530, Amol Grover wrote:
>> Hello,
>>
>> With respect to the patch https://lore.kernel.org/patchwork/patch/1202512/
>> I boot tested with CONFIG_PROVE_RCU_LIST=y and encountered a suspicious RCU
>> usage warning in "secu
wed-by: David Gow
> Signed-off-by: Anders Roxell
Acked-by: John Johansen
On 10/20/19 7:16 AM, Markus Elfring wrote:
>> … But after this release the the return statement
>> tries to access the label field of the rule which results in
>> use-after-free. Before releaseing the rule, copy errNo and return it
>> after releasing rule.
>
Navid thanks for finding this, and Mark
tch to drop it is below or feel free to cons up an alternate version.
---
commit 5dbc63d4a0aa819be8ecf21a67a352dd377b0221
Author: John Johansen
Date: Tue Sep 24 09:46:33 2019 -0700
apparmor: remove useless aafs_create_symlink
1180b4c757aa ("apparmor: fix dangling symlinks to policy rawdat
On 6/24/19 4:01 PM, James Morris wrote:
> On Fri, 21 Jun 2019, Matthew Garrett wrote:
>
>> Minor updates over V33 - security_is_locked_down renamed to
>> security_locked_down, return value of security_locked_down is returned
>> in most cases, one unnecessary patch was dropped, couple of minor nits
- Fix PROFILE_MEDIATES for untrusted input
- enforce nullbyte at end of tag string
- reset pos on failure to unpack for various functions
Jann Horn (1):
apparmor: enforce nullbyte at end of tag string
John Johansen (1
)
+ Bug Fixes
- Fix PROFILE_MEDIATES for untrusted input
- enforce nullbyte at end of tag string
Jann Horn (1):
apparmor: enforce nullbyte at end of tag string
John Johansen (1):
apparmor: fix PROFILE_MEDIATES for
nds accesses.
>
> Make sure that the tag string is null-terminated before passing it to
> strcmp().
>
> Cc: sta...@vger.kernel.org
> Signed-off-by: Jann Horn
gah! yes!
Acked-by: John Johansen
> ---
> Warning: The existence of this bug has not been verified at runtim
On 4/23/19 9:53 AM, Bharath Vedartham wrote:
> This patch fixes the sparse warning:
> warning: cast removes address space '' of expression.
>
> Signed-off-by: Bharath Vedartham
Acked-by: John Johansen
I will pull this into my tree
> ---
> security/apparmor/lsm.c
On 4/17/19 4:39 PM, Paul Moore wrote:
> On Wed, Apr 17, 2019 at 12:27 PM Oleg Nesterov wrote:
>> On 04/17, Paul Moore wrote:
>>>
>>> On Wed, Apr 17, 2019 at 10:57 AM Oleg Nesterov wrote:
On 04/17, Paul Moore wrote:
>
> I'm tempted to simply return an error in selinux_setprocattr() if
On 4/16/19 7:42 AM, Colin King wrote:
> From: Colin Ian King
>
> There is a spelling mistake in an information message string, fix it.
>
> Signed-off-by: Colin Ian King
Acked-by: John Johansen
I'll pull it into the apparmor tree
> ---
> security/apparmor/policy.
Hi Linus,
Can you please pull the following regression fix for apparmor
Thanks!
- John
The following changes since commit 771acc7e4a6e5dba779cb1a7fd851a164bc81033:
Bluetooth: btusb: request wake pin with NOAUTOEN (2019-04-09 17:38:24 -1000)
are available in the Git repository at:
git://
On 4/9/19 1:55 PM, Kees Cook wrote:
> On Tue, Apr 9, 2019 at 1:12 PM James Morris wrote:
>> Actually, JJ usually submits directly to Linus.
>
> Ah! Right; I forgot. John, can you take and send this?
>
yep, I'll send it up today
On 4/9/19 1:11 PM, James Morris wrote:
> On Tue, 9 Apr 2019, Kees Cook wrote:
>
>> On Mon, Apr 8, 2019 at 11:21 PM David Rheinsberg
>> wrote:
>>>
>>> Hi
>>>
>>> On Mon, Apr 8, 2019 at 6:07 PM Kees Cook wrote:
Before commit c5459b829b71 ("LSM: Plumb visibility into optional "enabled"
>>
On 4/8/19 10:25 AM, Kees Cook wrote:
> On Mon, Apr 8, 2019 at 9:58 AM John Johansen
> wrote:
>>> +/* Can only be set before AppArmor is initialized (i.e. on boot cmdline).
>>> */
>>> +static int param_set_aaintbool(const char *val, const struct kernel_param
On 4/8/19 9:07 AM, Kees Cook wrote:
> Before commit c5459b829b71 ("LSM: Plumb visibility into optional "enabled"
> state"), /sys/module/apparmor/parameters/enabled would show "Y" or "N"
> since it was using the "bool" handler. After being changed to "int",
> this switched to "1" or "0", breaking th
)
+ Bug Fixes
- fix double when failing to unpack secmark rules in policy
- fix leak of dentry when profile is removed
Chris Coulson (1):
apparmor: delete the dentry in aafs_remove() to avoid a leak
John
On 2/12/19 1:48 AM, Anders Roxell wrote:
> With commit 876dd866c084 ("apparmor: Initial implementation of raw
> policy blob compression") and SECURITY_APPARMOR is set to '=y'
> ZLIB_DEFLATE must be enabled as well for the linker to see the symbols.
>
> aarch64-linux-gnu-ld: security/apparmor/polic
handling for failed merges
- Fix warning about unused function apparmor_ipv6_postroute
John Johansen (1):
apparmor: Fix aa_label_build() error handling for failed merges
Petr Vorel (1):
apparmor: Fix warning about unused
Warning level 3 was used: -Wimplicit-fallthrough=3
>
> This patch is part of the ongoing efforts to enabling -Wimplicit-fallthrough.
>
> Signed-off-by: Gustavo A. R. Silva
looks good to me
Acked-by: John Johansen
> ---
> security/apparmor/domain.c| 2 +-
>
x the problem?
>
sorry for not responding earlier, yes it does.
Acked-by: John Johansen
>> ---
>> security/security.c | 7 +++
>> 1 file changed, 7 insertions(+)
>>
>> diff --git a/security/security.c b/security/security.c
>> index a618e22
On 1/4/19 1:17 AM, Peng Hao wrote:
> The variable 'new' may be NULL, so use PTR_ERR_OR_ZERO instead
> of PTR_ERR.
>
> Signed-off-by: Peng Hao
yep that is a problem unfortunately the fix isn't quite right
we don't want to return 0 for an error here. Instead we can
do
diff --git a/security/apparm
On 1/11/19 2:11 PM, Casey Schaufler wrote:
> On 1/11/2019 1:43 AM, syzbot wrote:
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit: b808822a75a3 Add linux-next specific files for 20190111
>> git tree: linux-next
>> console output: https://syzkaller.appspot.com/x/log.tx
apparmor: don't try to replace stale label in ptraceme check
John Johansen (3):
apparmor: Fix failure to audit context info in build_change_hat
apparmor: remove no-op permission check in policy_unpack
apparmor: fix checkpatch error in Parse secmark policy
Lance Roy (1)
On 10/30/18 7:11 AM, Colin King wrote:
> From: Colin Ian King
>
> Trivial fix to clean up an indentation issue, remove space
>
> Signed-off-by: Colin Ian King
Thanks Colin,
I have pulled this into apparmor-next
> ---
> security/apparmor/apparmorfs.c | 2 +-
> 1 file changed, 1 insertion(+),
On 10/12/2018 04:31 AM, Jordan Glover wrote:
> ‐‐‐ Original Message ‐‐‐
> On Friday, October 12, 2018 2:26 AM, John Johansen
> wrote:
>
>> On 10/11/2018 04:53 PM, Jordan Glover wrote:
>>
>>> ‐‐‐ Original Message ‐‐‐
>>> On Friday,
On 10/05/2018 09:11 AM, Arnd Bergmann wrote:
> The newly added code fails to build when either SECMARK or
> NETFILTER are disabled:
>
> security/apparmor/lsm.c: In function 'apparmor_socket_sock_rcv_skb':
> security/apparmor/lsm.c:1138:12: error: 'struct sk_buff' has no member named
> 'secmark';
On 10/02/2018 05:12 PM, Kees Cook wrote:
> On Tue, Oct 2, 2018 at 5:05 PM, John Johansen
> wrote:
>> On 10/02/2018 04:54 PM, Kees Cook wrote:
>>> That's not how I have it currently. It's a comma-separated a string,
>>> including the reserv
On 10/02/2018 10:39 PM, Lance Roy wrote:
> lockdep_assert_held() is better suited to checking locking requirements,
> since it won't get confused when someone else holds the lock. This is
> also a step towards possibly removing spin_is_locked().
>
> Signed-off-by: Lance Roy
On 10/02/2018 01:29 PM, Kees Cook wrote:
> On Tue, Oct 2, 2018 at 12:47 PM, John Johansen
> wrote:
>> On 10/02/2018 12:17 PM, Kees Cook wrote:
>>> I could define CONFIG_LSM_ENABLE as being "additive" to
>>> SECURITY_APPARMOR_BOOTPARAM_VALUE and
>>>
On 09/17/2018 05:45 PM, Kees Cook wrote:
> On Mon, Sep 17, 2018 at 5:24 PM, Casey Schaufler
> wrote:
>> On 9/17/2018 5:00 PM, Kees Cook wrote:
>>> The legacy per-LSM
>>> enable/disable ordering is the same, but ordering between
>>> lsm.enable/disable and the per-LSM options is NOT ordered. i.e. t
On 09/17/2018 04:20 PM, Kees Cook wrote:
> On Mon, Sep 17, 2018 at 4:10 PM, Mickaël Salaün wrote:
>> Landlock, because it target unprivileged users, should only be called
>> after all other major (access-control) LSMs. The admin or distro must
>> not be able to change that order in any way. This c
On 09/17/2018 04:10 PM, Mickaël Salaün wrote:
>
<< snip >>
> If "lsm.enable=apparmor lsm.disable=apparmor" is specified the last value
> specified is used giving "lsm.disable=apparmor".
>
makes sense
>>>
>>> The rules for modification are pretty obvious. The downside is, as
>>>
On 09/17/2018 02:57 PM, Casey Schaufler wrote:
> On 9/17/2018 12:55 PM, John Johansen wrote:
>> On 09/17/2018 12:23 PM, Casey Schaufler wrote:
>>> On 9/17/2018 11:14 AM, Kees Cook wrote:
>>>>> Keep security=$lsm with the existing exclusive behavior.
>>>>
On 09/17/2018 12:23 PM, Casey Schaufler wrote:
> On 9/17/2018 11:14 AM, Kees Cook wrote:
>>
>>> Keep security=$lsm with the existing exclusive behavior.
>>> Add lsm=$lsm1,...,$lsmN which requires a full list of modules
>>>
>>> If you want to be fancy (I don't!) you could add
>>>
>>> lsm.add=$lsm1,.
On 09/17/2018 11:14 AM, Kees Cook wrote:
> On Mon, Sep 17, 2018 at 10:13 AM, Casey Schaufler
> wrote:
>> TOMOYO uses the cred blob pointer. When the blob is shared TOMOYO
>> has to be allocated a pointer size chunk to store the pointer in.
>> Smack has the same behavior on file blobs.
>
> Oh dang
On 09/06/2018 09:33 PM, Tony Jones wrote:
> The netperf benchmark shows a 5.73% reduction in throughput for
> small (64 byte) transfers by unconfined tasks.
>
> DEFINE_AUDIT_SK() in aa_label_sk_perm() should not be performed
> unconditionally, rather only when the label is confined.
>
> netperf
check when converting secids to secctx
John Johansen (1):
apparmor: fix bad debug check in apparmor_secid_to_secctx()
security/apparmor/secid.c | 1 -
1 file changed, 1 deletion(-)
On 09/01/2018 06:04 AM, Tetsuo Handa wrote:
> On 2017/10/22 2:17, Casey Schaufler wrote:
>>> As one year elapsed since I proposed CaitSith for upstream, I'd like to
>>> hear the status again. I looked at
>>> http://schd.ws/hosted_files/lss2017/8b/201709-LinuxSecuritySummit-Stacking.pdf
>>> .
>>> H
On 09/01/2018 09:33 PM, Dmitry Vyukov wrote:
> On Sat, Sep 1, 2018 at 11:18 AM, John Johansen
> wrote:
>> On 08/29/2018 07:17 PM, syzbot wrote:
>>> Hello,
>>>
>>> syzbot found the following crash on:
>>>
>>> HEAD commit:817e60a
On 08/29/2018 07:17 PM, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 817e60a7a2bb Merge branch 'nfp-add-NFP5000-support'
> git tree: net-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1536d29640
> kernel config: https://syzkaller
or code in __aa_create_ns()
John Johansen (2):
apparmor: Fix failure to audit context info in build_change_hat
apparmor: remove no-op permission check in policy_unpack
Tyler Hicks (2):
apparmor: Check buffer bounds when mapping permissions mask
apparmor: Fully initialize aa_pe
On 08/23/2018 07:09 AM, Arnd Bergmann wrote:
thank you for the patch, but a fix for this issue was pushed to apparmor-next
yesterday
> After the corresponding 'goto' was removed, we get a warning
> for the 'fail' label:
>
> security/apparmor/policy_unpack.c: In function 'unpack_dfa':
> securit
On 08/23/2018 06:42 AM, Gustavo A. R. Silva wrote:
thank you for the patch, but a fix for this issue was pushed to apparmor-next
yesterday
> Due to commit fb5841091f28 ("apparmor: remove no-op permission check
> in policy_unpack"), there is some leftover code.
>
> Coverity reports this issue as
On 08/22/2018 05:20 PM, Stephen Rothwell wrote:
> Hi John,
>
> After merging the apparmor tree, today's linux-next build (x86_64
> allmodconfig) produced this warning:
>
> security/apparmor/policy_unpack.c: In function 'unpack_dfa':
> security/apparmor/policy_unpack.c:426:1: warning: label 'fail'
On 07/14/2018 09:19 AM, Colin King wrote:
> From: Colin Ian King
>
> Pointer 'info' is being assigned but is never used hence it is
> redundant and can be removed.
>
> Cleans up clang warning:
> warning: variable 'info' set but not used [-Wunused-but-set-variable]
>
NAK,
real problem wrong fix
On 07/05/2018 10:25 PM, Tyler Hicks wrote:
> Fully initialize the aa_perms struct in profile_query_cb() to avoid the
> potential of using an uninitialized struct member's value in a response
> to a query from userspace.
>
> Detected by CoverityScan CID#1415126 ("Uninitialized scalar variable")
>
On 07/05/2018 10:25 PM, Tyler Hicks wrote:
> Don't read past the end of the buffer containing permissions
> characters or write past the end of the destination string.
>
> Detected by CoverityScan CID#1415361, 1415376 ("Out-of-bounds access")
>
> Fixes: e53cfe6c7caa ("apparmor: rework perm mappin
f rule on error exit path
Andy Shevchenko (1):
apparmor: Convert to use match_string() helper
John Johansen (9):
apparmor: add support for mapping secids and using secctxes
apparmor: add the ability to get a task's secid
apparmor: fix '*seclen' is neve
On 06/05/2018 04:47 AM, Matthew Wilcox wrote:
> On Mon, Jun 04, 2018 at 07:35:24PM -0700, John Johansen wrote:
>> On 06/04/2018 07:27 PM, Matthew Wilcox wrote:
>>> On Mon, Jun 04, 2018 at 06:27:09PM -0700, John Johansen wrote:
>>>> hey Mathew,
>>>>
>>
On 06/04/2018 07:27 PM, Matthew Wilcox wrote:
> On Mon, Jun 04, 2018 at 06:27:09PM -0700, John Johansen wrote:
>> hey Mathew,
>>
>> I've pulled this into apparmor-next and done the retuning of
>> AA_SECID_INVALID a follow on patch. The reworking of the api to
>>
On 05/28/2018 10:01 AM, Matthew Wilcox wrote:
>
> ping?
>
> I have this queued up in my XArray tree. If I don't hear from you before
> -rc1, I'll be submitting it as part of the XArray conversion.
>
hey Mathew,
I've pulled this into apparmor-next and done the retuning of
AA_SECID_INVALID a fol
On 05/22/2018 02:32 AM, Matthew Wilcox wrote:
> Replace the custom usage of the radix tree to store a list of free IDs
> with the IDR.
>
> Signed-off-by: Matthew Wilcox
>
> security/apparmor/secid.c | 114
> --
> 1 file changed, 11 insertions(+), 10
On 05/28/2018 10:01 AM, Matthew Wilcox wrote:
>
> ping?
>
> I have this queued up in my XArray tree. If I don't hear from you before
> -rc1, I'll be submitting it as part of the XArray conversion.
yeah looking at this is on my to do list (I am might even manage to get to it
today), the last cou
On 05/21/2018 04:58 AM, Yisheng Xie wrote:
> match_string() returns the index of an array for a matching string,
> which can be used instead of open coded variant.
>
Andy Shevchenko patch to do the same thing is already in apparmor-next
> Cc: John Johansen
> Cc: James Morris
On 05/07/2018 01:27 PM, Kees Cook wrote:
> On Mon, May 7, 2018 at 1:19 PM, Matthew Wilcox wrote:
>> On Mon, May 07, 2018 at 09:03:54AM -0700, Kees Cook wrote:
>>> On Mon, May 7, 2018 at 4:39 AM, Matthew Wilcox wrote:
On Fri, May 04, 2018 at 09:24:56PM -0700, Kees Cook wrote:
> On Fri, Ma
d this up.
Acked-by: John Johansen
> cc: John Johansen
> cc: appar...@lists.ubuntu.com
> cc: linux-security-mod...@vger.kernel.org
> ---
>
> security/apparmor/include/mount.h | 11 +
> security/apparmor/lsm.c | 80
> +++
On 04/19/2018 04:03 AM, Stefan Berger wrote:
> On 04/18/2018 05:32 PM, John Johansen wrote:
>> On 04/18/2018 01:12 PM, Eric W. Biederman wrote:
>>> Mimi Zohar writes:
>>>
>>>> On Wed, 2018-04-18 at 09:09 -0700, John Johansen wrote:
>>>>> On
On 04/18/2018 01:12 PM, Eric W. Biederman wrote:
> Mimi Zohar writes:
>
>> On Wed, 2018-04-18 at 09:09 -0700, John Johansen wrote:
>>> On 04/13/2018 09:25 AM, Mimi Zohar wrote:
>>>> [Cc'ing John Johansen]
>>>>
>>>> On Tue, 2018-03-2
On 04/13/2018 09:25 AM, Mimi Zohar wrote:
> [Cc'ing John Johansen]
>
> On Tue, 2018-03-27 at 18:01 -0500, Eric W. Biederman wrote:
> [...]
>> As such I expect the best way to create the ima namespace is by simply
>> writing to securityfs/imafs. Possibly before
On 03/28/2018 04:10 AM, Stefan Berger wrote:
> On 03/27/2018 07:01 PM, Eric W. Biederman wrote:
>> Stefan Berger writes:
>>
>>> From: Yuqiong Sun
>>>
>>> Add new CONFIG_IMA_NS config option. Let clone() create a new IMA
>>> namespace upon CLONE_NEWUSER flag. Attach the ima_ns data structure
>>>
memory leak on buffer on error exit path
Dan Carpenter (1):
apparmor: Fix an error code in verify_table_headers()
John Johansen (31):
apparmor: fix display of .ns_name for containers
apparmor: fix resource audit messages when auditing peer
apparmor: fix logging of the
On 03/27/2018 06:35 AM, Colin King wrote:
> From: Colin Ian King
>
> Currently on the error exit path the allocated buffer is not free'd
> causing a memory leak. Fix this by kfree'ing it.
>
> Detected by CoverityScan, CID#1466876 ("Resource leaks")
>
> Fixes: 1180b4c757aa ("apparmor: fix dangli
rityScan, CID#1466080 ("Unsigned compared against 0")
>
> Fixes: 8e51f9087f40 ("apparmor: Add support for attaching profiles via xattr,
> presence and value")
> Signed-off-by: Colin Ian King
Acked-by: John Johansen
and pulled into apparmor-next
> ---
> secur
Hi Stephan,
can you please add apparmor-next from
git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor#apparmor-next
to the linux-next tree
I have run through a test merge, build, and set of regression tests against the
March 13 tree without any issues.
thanks
- John
On 02/09/2018 03:01 PM, Linus Torvalds wrote:
> On Fri, Feb 9, 2018 at 12:19 PM, John Johansen
> wrote:
>>
>> Please pull these apparmor changes for v4.16
>
> No.
>
> You had an extra two weeks because 4.15 was delayed.
>
> Yet you send me a series of patche
cred naming to better match usage
- simplify code in aafs
+ Bug fixes
- fix display of .ns_name for containers
- fix resource audit messages when auditing peer
- fix logging of the existence test for signals
John Johansen (28
armor: fix ptrace label match when matching stacked labels
- apparmor: Fix regression in profile conflict logic
----
John Johansen (1):
apparmor: fix ptrace label match when matching stacked labels
Matthew Garrett (1):
app
On 01/07/2018 11:40 AM, Linus Torvalds wrote:
> On Sun, Jan 7, 2018 at 5:53 AM, John Johansen
> wrote:
>>
>> can you please pull the following regression fix for apparmor.
>
> Pulled.
>
> I do note that you still don't seem to have any signatures on your key.
: fix regression in mount mediation when feature set is pinned
(2018-01-05 15:07:42 -0800)
- fix regression in mount mediation when feature set is pinned
John Johansen
fixes:
- apparmor: fix oops in audit_signal_cb hook
John Johansen (1):
apparmor: fix oops in audit_signal_cb hook
security/apparmor/include/audit.h | 12 +++-
1 file changed, 7 insertions(+), 5 deletions(-)
On 11/21/2017 04:28 PM, Shuah Khan wrote:
> On 11/21/2017 04:53 PM, John Johansen wrote:
>> On 11/21/2017 10:02 AM, Shuah Khan wrote:
>>> On 11/21/2017 10:44 AM, John Johansen wrote:
>>>> On 11/21/2017 08:58 AM, Shuah Khan wrote:
>>>>> Hi John,
>>
On 11/23/2017 05:38 AM, Jiri Slaby wrote:
> On 11/22/2017, 04:59 PM, John Johansen wrote:
>> Can you verify the following patch fixes the problem for you
>
> Reportedly, it helps:
> https://apibugzilla.suse.com/show_bug.cgi?id=1069562#c3
>
Thanks Jiri,
Unfortunately I wasn
Can you verify the following patch fixes the problem for you
---
From 6ba06322267ea931be5f1f559965120d1e09b030 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Wed, 22 Nov 2017 07:33:38 -0800
Subject: [PATCH] apparmor: fix oops in audit_signal_cb hook
The apparmor_audit_data struct order
On 11/21/2017 10:02 AM, Shuah Khan wrote:
> On 11/21/2017 10:44 AM, John Johansen wrote:
>> On 11/21/2017 08:58 AM, Shuah Khan wrote:
>>> Hi John,
>>>
>>> I am seeing the following on my laptop. Unfortunately this is my primary
>>> system and my ability
On 11/21/2017 08:58 AM, Shuah Khan wrote:
> Hi John,
>
> I am seeing the following on my laptop. Unfortunately this is my primary
> system and my ability to bisect might be a bit limited. The system is
> running
>
> 4.14.0+ #4 SMP Tue Nov 14 19:25:58 MST 2017 x86_64 x86_64 x86_64 GNU/Linux
>
>
rning in __aa_create_ns
Arnd Bergmann (1):
apparmor: initialized returned struct aa_perms
Colin Ian King (2):
apparmor: fix spelling mistake: "resoure" -> "resource"
apparmor: remove un
On 11/20/2017 06:00 AM, Arnd Bergmann wrote:
> On Mon, Sep 25, 2017 at 4:29 PM, John Johansen
> wrote:
>> On 09/15/2017 03:55 PM, Arnd Bergmann wrote:
>>> gcc-4.4 points out suspicious code in compute_mnt_perms, where
>>> the aa_perms structure is only partia
On 11/08/2017 10:53 AM, Linus Torvalds wrote:
> On Wed, Nov 8, 2017 at 8:09 AM, John Johansen
> wrote:
>>
>> Signed-off-by: Colin Ian King
>> Signed-off-by: John Johansen
>
> This sign-off chain is odd. It implies that the patch came from Colin
> King, bnu
On 11/08/2017 10:53 AM, Linus Torvalds wrote:
> On Wed, Nov 8, 2017 at 8:09 AM, John Johansen
> wrote:
>>
>> Signed-off-by: Colin Ian King
>> Signed-off-by: John Johansen
>
> This sign-off chain is odd. It implies that the patch came from Colin
> King, bnu