306 Commits

Author SHA1 Message Date
Georgia Garcia f4995e4a87 UBUNTU: SAUCE: Revert "UBUNTU: SAUCE: apparmor4.0.0 [67/90]: userns - add the ability to reference a global variable for a feature value"
BugLink: https://bugs.launchpad.net/bugs/2095370

This reverts commit 8bd4ee319a.

This commit also makes userns and io_uring restriction feature file
contents static to indicate it is available in the kernel. This is
necessary because if the values change, then the kernel features hash
used by AppArmor would also change, causing pre-compiled policies to
not load as expected.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Mehmet Basaran <mehmet.basaran@canonical.com>
Signed-off-by: Koichiro Den <koichiro.den@canonical.com>
2025-02-14 15:53:21 +03:00
GUO Zihua 20f82769cd ima: Avoid blocking in RCU read-side critical section
BugLink: https://bugs.launchpad.net/bugs/2075154

commit 9a95c5bfbf02a0a7f5983280fe284a0ff0836c34 upstream.

A panic happens in ima_match_policy:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
PGD 42f873067 P4D 0
Oops: 0000 [#1] SMP NOPTI
CPU: 5 PID: 1286325 Comm: kubeletmonit.sh
Kdump: loaded Tainted: P
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
               BIOS 0.0.0 02/06/2015
RIP: 0010:ima_match_policy+0x84/0x450
Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39
      7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d
      f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea
      44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f
RSP: 0018:ff71570009e07a80 EFLAGS: 00010207
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200
RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739
R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970
R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001
FS:  00007f5195b51740(0000)
GS:ff3e278b12d40000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ima_get_action+0x22/0x30
 process_measurement+0xb0/0x830
 ? page_add_file_rmap+0x15/0x170
 ? alloc_set_pte+0x269/0x4c0
 ? prep_new_page+0x81/0x140
 ? simple_xattr_get+0x75/0xa0
 ? selinux_file_open+0x9d/0xf0
 ima_file_check+0x64/0x90
 path_openat+0x571/0x1720
 do_filp_open+0x9b/0x110
 ? page_counter_try_charge+0x57/0xc0
 ? files_cgroup_alloc_fd+0x38/0x60
 ? __alloc_fd+0xd4/0x250
 ? do_sys_open+0x1bd/0x250
 do_sys_open+0x1bd/0x250
 do_syscall_64+0x5d/0x1d0
 entry_SYSCALL_64_after_hwframe+0x65/0xca

Commit c7423dbdbc ("ima: Handle -ESTALE returned by
ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a
RCU read-side critical section which contains kmalloc with GFP_KERNEL.
This implies a possible sleep and violates limitations of RCU read-side
critical sections on non-PREEMPT systems.

Sleeping within RCU read-side critical section might cause
synchronize_rcu() returning early and break RCU protection, allowing a
UAF to happen.

The root cause of this issue could be described as follows:
|	Thread A	|	Thread B	|
|			|ima_match_policy	|
|			|  rcu_read_lock	|
|ima_lsm_update_rule	|			|
|  synchronize_rcu	|			|
|			|    kmalloc(GFP_KERNEL)|
|			|      sleep		|
==> synchronize_rcu returns early
|  kfree(entry)		|			|
|			|    entry = entry->next|
==> UAF happens and entry now becomes NULL (or could be anything).
|			|    entry->action	|
==> Accessing entry might cause panic.

To fix this issue, we are converting all kmalloc that is called within
RCU read-side critical section to use GFP_ATOMIC.

Fixes: c7423dbdbc ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
Cc: stable@vger.kernel.org
Signed-off-by: GUO Zihua <guozihua@huawei.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
[PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Manuel Diewald <manuel.diewald@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
2024-08-13 12:13:03 +02:00
John Johansen 11bd800e8f UBUNTU: SAUCE: apparmor4.0.0 [88/90]: apparmor: add fine grained ipv4/ipv6 mediation
BugLink: http://bugs.launchpad.net/bugs/2028253
Buglink: https://bugs.launchpad.net/bugs/2056496

Add the ability to mediate inet access at a port and address level.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit fefa3cec7db83b9a0dd1a339f7c8d76c0b820ad8
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:36 +02:00
John Johansen 06bb02860a UBUNTU: SAUCE: apparmor4.0.0 [86/90]: apparmor: add ability to mediate caps with policy state machine
BugLink: http://bugs.launchpad.net/bugs/2028253

Currently the caps encoding is very limited. Allow capabilities to
be mediated by the state machine. This will allow us to add
conditionals to capabilities that aren't possible with the current
encoding.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit bb78e87633afdf5e4b7dc0b2c857f61e97369068
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:36 +02:00
John Johansen 43a6c29532 UBUNTU: SAUCE: apparmor4.0.0 [85/90]: apparmor: allow profile to be transitioned when a user ns is created
BugLink: http://bugs.launchpad.net/bugs/2028253

User namespaces are used to create sandboxes and often need a different
set of permission than during setup. Allow for a profile state change
on the task creating the namespace.

The transition is encoded the same as exec domain transitions and
only uses a subset of the transitions available at exec. Enivronment
scrubbing etc are not available.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 90f73560fd8dfec350c62a630a9f5719e1da2f23
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:36 +02:00
John Johansen 5e6d82089b UBUNTU: SAUCE: apparmor4.0.0 [83/90]: apparmor: add support for profiles to define the kill signal
BugLink: http://bugs.launchpad.net/bugs/2028253

Previously apparmor has only sent SIGKILL but there are cases where
it can be useful to send a different signal. Allow the profile
to optionally specify a different value.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 22763bfcc93238f352eca731fae8a25d21aa4683
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:35 +02:00
John Johansen 9318d48fee UBUNTU: SAUCE: apparmor4.0.0 [82/90]: apparmor: add additional flags to extended permission.
BugLink: http://bugs.launchpad.net/bugs/2028253

With the switch to extended permissions the ACCEPT2 became unused
freeing up to store state specific flags. The first flags to be
stored are FLAG_OWNER and FLAG other which paves the way to final
merge file and policydb perms into a single permission table.

Lookups based on the objects ownership conditional will still need
separate fns, for now. But make the function slightly more generic
instead of being dedicated to to file permission.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 6513003de9c049192edc3c17bb1bc793d0875790
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:35 +02:00
John Johansen bd1e2a79d2 UBUNTU: SAUCE: apparmor4.0.0 [80/90]: apparmor: carry mediation check on label
BugLink: http://bugs.launchpad.net/bugs/2028253

In order to speed up the mediated check, precompute and store the
result as a bit per class type. This not only will allow us to
speed up the mediation check but is also a step to removing the
unconfined special cases as the unconfined check can be replaced
with the generic label_mediates() check.

need to compute initial profile mediated bit vector

Note: label check does not work for capabilities and resources

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit d8719977bc2bea2969846a49acfbabf06572ee1f
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:35 +02:00
Georgia Garcia b51dd892ca UBUNTU: SAUCE: apparmor4.0.0 [69/90]: add io_uring mediation
BugLink: http://bugs.launchpad.net/bugs/2028253

For now, the io_uring mediation is limited to sqpoll and
override_creds.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel)
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
(cherry picked from commit d4bbbd67b37fb77205cef0c175dd6f88cf37fdaa
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:35 +02:00
John Johansen 8bd4ee319a UBUNTU: SAUCE: apparmor4.0.0 [67/90]: userns - add the ability to reference a global variable for a feature value
BugLink: http://bugs.launchpad.net/bugs/2028253

Some features when present can be turned on/off by boot parameters.
Allow for a reference type to allow the features directory to
reflect whether the feature is currently enabled.

BugLink: http://bugs.launchpad.net/bugs/2032602
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel)
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
(cherry picked from commit 965de04e35f281306b1783e94500fff6ea5c8dae
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:34 +02:00
John Johansen 177a32ef2d UBUNTU: SAUCE: apparmor4.0.0 [66/90]: prompt - add support for advanced filtering of notifications
BugLink: http://bugs.launchpad.net/bugs/2028253

Simple filtering based off of type (ALLOWED, DENIED, ...) is
insufficient for several user cases.

Allow for a dfa based filter that can be combined with type
to further screen notifications to specific labels, classes
of mediation and even the permission request.

BugLink: http://bugs.launchpad.net/bugs/2032602
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel)
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
(cherry picked from commit 60b7d6660330beee97539ed233854a81f30aabd2
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:34 +02:00
John Johansen fdd1e4fe13 UBUNTU: SAUCE: apparmor4.0.0 [64/90]: prompt - allow profiles to set prompts as interruptible
BugLink: http://bugs.launchpad.net/bugs/2028253

Generally prompts can't be interruptible because there are too many
applications that don't handle ERESTARTSYS correctly. This can lead
to random failures that result in a very poor experience.

However allowing upcalls to interruptible is very useful sometimes,
especially with some debugging so provide away for policy to allow
it.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel)
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
(cherry picked from commit a8d78d6106d8f3e6fff64137f29aaa42607eba2c
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:34 +02:00
John Johansen c723113f3a UBUNTU: SAUCE: apparmor4.0.0 [63/90]: prompt - add tailglob on name for cache support
BugLink: http://bugs.launchpad.net/bugs/2028253

Allow the cache to cover more than a single rejection by allowing
an entry to match everything that would match a tailglob expression.
This allows a reduction of cache entries and a reduction of prompts
to userspace when access to a directory hierarchy should be allowed
or denied.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel)
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
(cherry picked from commit 66c531b9ce8499689677fd4e9e08817dea4fae47
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:34 +02:00
John Johansen 9e91d7c53d UBUNTU: SAUCE: apparmor4.0.0 [61/90]: prompt - add the ability to reply with a profile name
BugLink: http://bugs.launchpad.net/bugs/2028253
BugLink: https://bugs.launchpad.net/bugs/2028253

Add the ability to extend a profile with another profiles base rule
set as a reply to a prompt.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel)
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
(cherry picked from commit 56bf6533b2c415700a366ca6b675775e57ec4816
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:34 +02:00
John Johansen 4e5b6652ed UBUNTU: SAUCE: apparmor4.0.0 [60/90]: prompt - refcount notifications
BugLink: http://bugs.launchpad.net/bugs/2028253

Prepare for separating the knotif from the audit_node. Currently all
knotifs have an audit node but in able to support new features this
won't always be the case. Prepare for this split by refcounting the
knotif.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel)
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
(cherry picked from commit c5d575b9f515f14795b0bcbb478499eea80767b7
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:34 +02:00
John Johansen 12cda360ea UBUNTU: SAUCE: apparmor4.0.0 [57/90]: prompt - Improve debug statements
BugLink: http://bugs.launchpad.net/bugs/2028253

Prompting debug is missing some output that can be helpful when
debugging.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel)
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
(cherry picked from commit 566e51cd6a4284623362c0a925e410160d84a56a
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:34 +02:00
John Johansen 10c2e3497e UBUNTU: SAUCE: apparmor4.0.0 [56/90]: prompt - refactor to moving caching to uresponse
BugLink: http://bugs.launchpad.net/bugs/2028253

To be able to be more responsive to prompt return values refactor the
code more to make caching operations distinct from user interaction
and move adding to the cache into the uresps side, so actions don't
have to be passed back to the paused process.

This is a step towards allowing response that will use a named
response instead of permissions and also allow for reuse of knotif
for notifications, heartbeat and canceled.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel)
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
(cherry picked from commit f3dbf86be0c1d27e61e69abd7c8ed7b42e46e3a8
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:34 +02:00
John Johansen 443431be30 UBUNTU: SAUCE: apparmor4.0.0 [55/90]: prompt - add refcount to audit_node in prep or reuse and delete
BugLink: http://bugs.launchpad.net/bugs/2028253

The audit_node needs to be shared for asynchronous notifications to
multiple listeners. So add a refcount to enable sharing.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel)
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
(cherry picked from commit bbebba69241db7470d5b389ae0bbb3524b02c04c
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:34 +02:00
John Johansen c5f3b6ece9 UBUNTU: SAUCE: apparmor4.0.0 [54/90]: prompt - allow controlling of caching of a prompt response
BugLink: http://bugs.launchpad.net/bugs/2028253

Allow the user response to indicate whether a response should be
cached or not.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel)
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
(cherry picked from commit 5ea8f857b8a8b8bfc78b492dc662d7c145407427
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:34 +02:00
John Johansen 00f709701f UBUNTU: SAUCE: apparmor4.0.0 [52/90]: enable userspace upcall for mediation
BugLink: http://bugs.launchpad.net/bugs/2028253

There are cases where userspace can provide additional information
that may be needed to make the correct mediation decision.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel)
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
(cherry picked from commit c0cb33a681e82df1fda919edfd49fb7cf09615f3
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:33 +02:00
John Johansen f3973fd0c5 UBUNTU: SAUCE: apparmor4.0.0 [51/90]: add the ability for profiles to have a learning cache
BugLink: http://bugs.launchpad.net/bugs/2028253

To support a better complain mode allow caching learned entries off
of the profile. This can be used to dedup complain messages and
also as a basis for bulk delivery of complain messages to userspace
through a non audit logging interface.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel)
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
(cherry picked from commit ee3bb68e2d8dde5bc314c7ec7bf5cad3afab694a
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:33 +02:00
John Johansen 6cc5addb5b UBUNTU: SAUCE: apparmor4.0.0 [50/90]: Improve debug print infrastructure
BugLink: http://bugs.launchpad.net/bugs/2028253

Make it so apparmor debug output can be controlled by class flags
as well as the debug flag on labels. This provides much finer
control at what is being output so apparmor doesn't flood the
logs with information that is not needed, making it hard to find
what is important.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel)
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
(cherry picked from commit ad39d2bf13cf58ee3145c09b32cd45f86753e505
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:33 +02:00
John Johansen 273a0d78a0 UBUNTU: SAUCE: apparmor4.0.0 [49/90]: setup slab cache for audit data
BugLink: http://bugs.launchpad.net/bugs/2028253

Audit data will be used for caches and learning. When this happens the
data needs to be off of the stack and a slab cache will help with
improve the dynamic allocation, and reduce overall size used.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel)
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
(cherry picked from commit dce7014f7313db5f1af2ef9a04f3fc3a00e38fae
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:33 +02:00
John Johansen 863d225455 UBUNTU: SAUCE: apparmor4.0.0 [48/90]: Add fine grained mediation of posix mqueues
BugLink: http://bugs.launchpad.net/bugs/2028253

Add fine grained mediation of posix mqueues. Specifically this patch
adds support for differentiating mqueues based on the name in the ipc
namespace. A follow on patch will add support for implied labels, and
a third patch explicit labels. This is done in part because of
dependencies on other patches to apparmor core.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel)
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
(cherry picked from commit 5de4e990b8c3297eebc2470c0dda6acb6c741a71
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:33 +02:00
John Johansen 938de00f4f UBUNTU: SAUCE: apparmor4.0.0 [47/90]: af_unix mediation
BugLink: http://bugs.launchpad.net/bugs/2028253

af_socket mediation did not make it into 4.17 so add remaining out
of tree patch

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel)
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
(cherry picked from commit 651f0b2cc1d78cb7afbc0fcadc166ed0bcc78dd3
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:33 +02:00
John Johansen 1467c91ebd UBUNTU: SAUCE: apparmor4.0.0 [46/90]: Add sysctls for additional controls of unpriv userns restrictions
BugLink: http://bugs.launchpad.net/bugs/2028253

Add apparmor_restrict_unprivileged_userns_force
  To force old policies that don't support user namespace restrictions
  to apply them anyways.

Add apparmor_restrict_unprivileged_userns_complain
  To cause user namespace restrictions to complain instead of fail.
  This will work on both profiles and unconfined.

Signed-off-by: John Johansen <john.johansen@canonical.com>

fixup userns

(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel)
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
(cherry picked from commit 13890cd37e28953bcf321d7ccad7ae50377e672f
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:33 +02:00
John Johansen cf24569d20 UBUNTU: SAUCE: apparmor4.0.0 [45/90]: add unpriviled user ns mediation
BugLink: http://bugs.launchpad.net/bugs/2028253

Unprivileged user namespace creation is often used as a first step
in privilege escalation attacks. Instead of disabling it at the
sysrq level, which blocks its legitimate use as for setting up a sandbox,
allow control on a per domain basis.

This allows an admin to quickly lock down a system while also still
allowing legitimate use.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel)
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
(cherry picked from commit 98624b0de733fca44a790db0e78090dc77919fbd
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:33 +02:00
John Johansen f1e158f349 UBUNTU: SAUCE: apparmor4.0.0 [44/90]: patch to provide compatibility with v2.x net rules
BugLink: http://bugs.launchpad.net/bugs/2028253

The networking rules upstreamed in 4.17 have a deliberate abi break
with the older 2.x network rules.

This patch provides compatibility with the older rules for those
still using an apparmor 2.x userspace and still want network rules
to work on a newer kernel.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel)
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
(cherry picked from commit fdb71a3190842ca72ca1a84db6b5d6fb6e73b1fc
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:33 +02:00
John Johansen 77811af4f0 UBUNTU: SAUCE: apparmor4.0.0 [43/90]: LSM stacking v39: UBUNTU: SAUCE: apparmor4.0.0 [12/95]: add/use fns to print hash string hex value
BugLink: http://bugs.launchpad.net/bugs/2028253

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel)
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
(cherry picked from commit f29a03f77b0c72a62fe44e1b1942d7e497b32fd5
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:33 +02:00
Casey Schaufler 1b0649d395 UBUNTU: SAUCE: apparmor4.0.0 [31/90]: LSM stacking v39: LSM: Exclusive secmark usage
BugLink: http://bugs.launchpad.net/bugs/2028253

The network secmark can only be used by one security module
at a time. Establish mechanism to identify to security modules
whether they have access to the secmark. SELinux already
incorparates mechanism, but it has to be added to Smack and
AppArmor.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
(cherry picked from commit c0c9497b3b4153c7cea3e7dec321996b24b96c04
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:32 +02:00
Casey Schaufler 4111e08c80 UBUNTU: SAUCE: apparmor4.0.0 [18/90]: LSM stacking v39: LSM: Use lsmcontext in security_lsmblob_to_secctx
BugLink: http://bugs.launchpad.net/bugs/2028253

Replace the (secctx,seclen) pointer pair with a single
lsmcontext pointer to allow return of the LSM identifier
along with the context and context length. This allows
security_release_secctx() to know how to release the
context. Callers have been modified to use or save the
returned data from the new structure.

security_lsmblob_to_secctx() will now return the length value
on success instead of 0.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: netdev@vger.kernel.org
Cc: audit@vger.kernel.org
Cc: netfilter-devel@vger.kernel.org
Cc: Todd Kjos <tkjos@google.com>
(cherry picked from commit b2a3a4be21bfc71ee961103fb2d638ebc031541e
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:31 +02:00
Casey Schaufler c45f92d3c9 UBUNTU: SAUCE: apparmor4.0.0 [17/90]: LSM stacking v39: LSM: Use lsmcontext in security_secid_to_secctx
BugLink: http://bugs.launchpad.net/bugs/2028253

Replace the (secctx,seclen) pointer pair with a single
lsmcontext pointer to allow return of the LSM identifier
along with the context and context length. This allows
security_release_secctx() to know how to release the
context. Callers have been modified to use or save the
returned data from the new structure.

security_secid_to_secctx() will now return the length value
on success instead of 0.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: netdev@vger.kernel.org
Cc: audit@vger.kernel.org
Cc: netfilter-devel@vger.kernel.org
Cc: Todd Kjos <tkjos@google.com>
(cherry picked from commit f2be390a1a158bf2b08006e4e58a2b6920c08c83
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:31 +02:00
Casey Schaufler 21aab7be69 UBUNTU: SAUCE: apparmor4.0.0 [16/90]: LSM stacking v39: LSM: Ensure the correct LSM context releaser
BugLink: http://bugs.launchpad.net/bugs/2028253

Add a new lsmcontext data structure to hold all the information
about a "security context", including the string, its size and
which LSM allocated the string. The allocation information is
necessary because LSMs have different policies regarding the
lifecycle of these strings. SELinux allocates and destroys
them on each use, whereas Smack provides a pointer to an entry
in a list that never goes away.

Update security_release_secctx() to use the lsmcontext instead
of a (char *, len) pair. Change its callers to do likewise.
The LSMs supporting this hook have had comments added to
remind the developer that there is more work to be done.

Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Acked-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-integrity@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: audit@vger.kernel.org
Cc: netfilter-devel@vger.kernel.org
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: linux-nfs@vger.kernel.org
Cc: Todd Kjos <tkjos@google.com>
(cherry picked from commit ff955dc9c08dfa96a404f52269ea8c0ec192be6d
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:31 +02:00
Casey Schaufler d626a73147 UBUNTU: SAUCE: apparmor4.0.0 [06/90]: LSM stacking v39: LSM: Add lsmblob_to_secctx hook
BugLink: http://bugs.launchpad.net/bugs/2028253

Add a new hook security_lsmblob_to_secctx() and its LSM specific
implementations. The LSM specific code will use the lsmblob element
allocated for that module. This allows for the possibility that more
than one module may be called upon to translate a secid to a string,
as can occur in the audit code.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
(cherry picked from commit a2b36b5dcaca7e31c3c80c9ae9198ae864d2827a
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:30 +02:00
Casey Schaufler 7b67a3349c UBUNTU: SAUCE: apparmor4.0.0 [05/90]: LSM stacking v39: LSM: Use lsmblob in security_audit_rule_match
BugLink: http://bugs.launchpad.net/bugs/2028253

Change the secid parameter of security_audit_rule_match
to a lsmblob structure pointer. Pass the entry from the
lsmblob structure for the approprite slot to the LSM hook.

Change the users of security_audit_rule_match to use the
lsmblob instead of a u32. The scaffolding function lsmblob_init()
fills the blob with the value of the old secid, ensuring that
it is available to the appropriate module hook. The sources of
the secid, security_task_getsecid() and security_inode_getsecid(),
will be converted to use the blob structure later in the series.
At the point the use of lsmblob_init() is dropped.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Cc: linux-audit@redhat.com
(cherry picked from commit ec1eb9be88908dcb7e040a27c40f247b20ca5f21
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:30 +02:00
Casey Schaufler e1a8c296ec UBUNTU: SAUCE: apparmor4.0.0 [04/90]: LSM stacking v39: IMA: avoid label collisions with stacked LSMs
BugLink: http://bugs.launchpad.net/bugs/2028253

Integrity measurement may filter on security module information
and needs to be clear in the case of multiple active security
modules which applies. Provide a boot option ima_rules_lsm= to
allow the user to specify an active security module to apply
filters to. If not specified, use the first registered module
that supports the audit_rule_match() LSM hook. Allow the user
to specify in the IMA policy an lsm= option to specify the
security module to use for a particular rule.

This requires adding the LSM of interest as a parameter
to three of the audit hooks.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
To: Mimi Zohar <zohar@linux.ibm.com>
To: linux-integrity@vger.kernel.org
To: audit@vger.kernel.org
(cherry picked from commit d177f98409d82dbb23763122fd1e4eb9897cf6ac
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:30 +02:00
Casey Schaufler 0278a672f0 UBUNTU: SAUCE: apparmor4.0.0 [02/90]: LSM stacking v39: SM: Infrastructure management of the sock security
BugLink: http://bugs.launchpad.net/bugs/2028253

Move management of the sock->sk_security blob out
of the individual security modules and into the security
infrastructure. Instead of allocating the blobs from within
the modules the modules tell the infrastructure how much
space is required, and the space is allocated there.

Acked-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
(cherry picked from commit c493287fe3495fcf3854f246b42cbaa88ed130da
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2024-04-12 10:15:30 +02:00
Casey Schaufler 223981db9b AppArmor: Add selfattr hooks
Add hooks for setselfattr and getselfattr. These hooks are not very
different from their setprocattr and getprocattr equivalents, and
much of the code is shared.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: John Johansen <john.johansen@canonical.com>
[PM: forward ported beyond v6.6 due merge window changes]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-11-12 22:54:42 -05:00
John Johansen 157a3537d6 apparmor: Fix regression in mount mediation
commit 2db154b3ea ("vfs: syscall: Add move_mount(2) to move mounts around")

introduced a new move_mount(2) system call and a corresponding new LSM
security_move_mount hook but did not implement this hook for any
existing LSM. This creates a regression for AppArmor mediation of
mount. This patch provides a base mapping of the move_mount syscall to
the existing mount mediation. In the future we may introduce
additional mediations around the new mount calls.

Fixes: 2db154b3ea ("vfs: syscall: Add move_mount(2) to move mounts around")
CC: stable@vger.kernel.org
Reported-by: Andreas Steinmetz <anstein99@googlemail.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-10-18 16:01:32 -07:00
Georgia Garcia c4371d9063 apparmor: add io_uring mediation
For now, the io_uring mediation is limited to sqpoll and
override_creds.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-10-18 15:58:49 -07:00
John Johansen fa9b63adab apparmor: add user namespace creation mediation
Unprivileged user namespace creation is often used as a first step
in privilege escalation attacks. Instead of disabling it at the
sysrq level, which blocks its legitimate use as for setting up a sandbox,
allow control on a per domain basis.

This allows an admin to quickly lock down a system while also still
allowing legitimate use.

Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-10-18 15:49:02 -07:00
John Johansen 2d9da9b188 apparmor: allow restricting unprivileged change_profile
unprivileged unconfined can use change_profile to alter the confinement
set by the mac admin.

Allow restricting unprivileged unconfined by still allowing change_profile
but stacking the change against unconfined. This allows unconfined to
still apply system policy but allows the task to enter the new confinement.

If unprivileged unconfined is required a sysctl is provided to switch
to the previous behavior.

Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-10-18 15:48:44 -07:00
John Johansen 98b824ff89 apparmor: refcount the pdb
With the move to permission tables the dfa is no longer a stand
alone entity when used, needing a minimum of a permission table.
However it still could be shared among different pdbs each using
a different permission table.

Instead of duping the permission table when sharing a pdb, add a
refcount to the pdb so it can be easily shared.

Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-10-18 15:30:47 -07:00
John Johansen 90c436a64a apparmor: pass cred through to audit info.
The cred is needed to properly audit some messages, and will be needed
in the future for uid conditional mediation. So pass it through to
where the apparmor_audit_data struct gets defined.

Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-10-18 15:30:38 -07:00
John Johansen d20f5a1a6e apparmor: rename audit_data->label to audit_data->subj_label
rename audit_data's label field to subj_label to better reflect its
use. Also at the same time drop unneeded assignments to ->subj_label
as the later call to aa_check_perms will do the assignment if needed.

Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-10-18 15:30:34 -07:00
John Johansen bd7bd201ca apparmor: combine common_audit_data and apparmor_audit_data
Everywhere where common_audit_data is used apparmor audit_data is also
used. We can simplify the code and drop the use of the aad macro
everywhere by combining the two structures.

Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-10-18 15:30:29 -07:00
John Johansen 79ddd4a7c5 apparmor: rename SK_CTX() to aa_sock and make it an inline fn
In preparation for LSM stacking rework the macro to an inline fn

Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-10-18 15:29:55 -07:00
Xiu Jianfeng fee5304a9c apparmor: remove unused functions in policy_ns.c/.h
These functions are not used now, remove them.

Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-10-15 21:44:31 -07:00
GONG, Ruiqi efea5b0dcc apparmor: remove unused PROF_* macros
The last usage of PROF_{ADD,REPLACE} were removed by commit 18e99f191a
("apparmor: provide finer control over policy management"). So remove
these two unused macros.

Signed-off-by: GONG, Ruiqi <gongruiqi1@huawei.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-08-08 13:24:48 -07:00
Xiu Jianfeng 980a580868 apparmor: cleanup unused functions in file.h
After changes in commit 33bf60cabc ("LSM: Infrastructure management of
the file security"), aa_alloc_file_ctx() and aa_free_file_ctx() are no
longer used, so remove them, and also remove aa_get_file_label() because
it seems that it's never been used before.

Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-08-08 13:16:13 -07:00