Georgia Garcia
f4995e4a87
UBUNTU: SAUCE: Revert "UBUNTU: SAUCE: apparmor4.0.0 [67/90]: userns - add the ability to reference a global variable for a feature value"
...
BugLink: https://bugs.launchpad.net/bugs/2095370
This reverts commit 8bd4ee319a .
This commit also makes userns and io_uring restriction feature file
contents static to indicate it is available in the kernel. This is
necessary because if the values change, then the kernel features hash
used by AppArmor would also change, causing pre-compiled policies to
not load as expected.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com >
Acked-by: Stefan Bader <stefan.bader@canonical.com >
Acked-by: Mehmet Basaran <mehmet.basaran@canonical.com >
Signed-off-by: Koichiro Den <koichiro.den@canonical.com >
2025-02-14 15:53:21 +03:00
GUO Zihua
20f82769cd
ima: Avoid blocking in RCU read-side critical section
...
BugLink: https://bugs.launchpad.net/bugs/2075154
commit 9a95c5bfbf02a0a7f5983280fe284a0ff0836c34 upstream.
A panic happens in ima_match_policy:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
PGD 42f873067 P4D 0
Oops: 0000 [#1 ] SMP NOPTI
CPU: 5 PID: 1286325 Comm: kubeletmonit.sh
Kdump: loaded Tainted: P
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 0.0.0 02/06/2015
RIP: 0010:ima_match_policy+0x84/0x450
Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39
7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d
f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea
44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f
RSP: 0018:ff71570009e07a80 EFLAGS: 00010207
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200
RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739
R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970
R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001
FS: 00007f5195b51740(0000)
GS:ff3e278b12d40000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
ima_get_action+0x22/0x30
process_measurement+0xb0/0x830
? page_add_file_rmap+0x15/0x170
? alloc_set_pte+0x269/0x4c0
? prep_new_page+0x81/0x140
? simple_xattr_get+0x75/0xa0
? selinux_file_open+0x9d/0xf0
ima_file_check+0x64/0x90
path_openat+0x571/0x1720
do_filp_open+0x9b/0x110
? page_counter_try_charge+0x57/0xc0
? files_cgroup_alloc_fd+0x38/0x60
? __alloc_fd+0xd4/0x250
? do_sys_open+0x1bd/0x250
do_sys_open+0x1bd/0x250
do_syscall_64+0x5d/0x1d0
entry_SYSCALL_64_after_hwframe+0x65/0xca
Commit c7423dbdbc ("ima: Handle -ESTALE returned by
ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a
RCU read-side critical section which contains kmalloc with GFP_KERNEL.
This implies a possible sleep and violates limitations of RCU read-side
critical sections on non-PREEMPT systems.
Sleeping within RCU read-side critical section might cause
synchronize_rcu() returning early and break RCU protection, allowing a
UAF to happen.
The root cause of this issue could be described as follows:
| Thread A | Thread B |
| |ima_match_policy |
| | rcu_read_lock |
|ima_lsm_update_rule | |
| synchronize_rcu | |
| | kmalloc(GFP_KERNEL)|
| | sleep |
==> synchronize_rcu returns early
| kfree(entry) | |
| | entry = entry->next|
==> UAF happens and entry now becomes NULL (or could be anything).
| | entry->action |
==> Accessing entry might cause panic.
To fix this issue, we are converting all kmalloc that is called within
RCU read-side critical section to use GFP_ATOMIC.
Fixes: c7423dbdbc ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
Cc: stable@vger.kernel.org
Signed-off-by: GUO Zihua <guozihua@huawei.com >
Acked-by: John Johansen <john.johansen@canonical.com >
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com >
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com >
[PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case]
Signed-off-by: Paul Moore <paul@paul-moore.com >
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org >
Signed-off-by: Manuel Diewald <manuel.diewald@canonical.com >
Signed-off-by: Stefan Bader <stefan.bader@canonical.com >
Signed-off-by: Roxana Nicolescu <roxana.nicolescu@canonical.com >
2024-08-13 12:13:03 +02:00
John Johansen
11bd800e8f
UBUNTU: SAUCE: apparmor4.0.0 [88/90]: apparmor: add fine grained ipv4/ipv6 mediation
...
BugLink: http://bugs.launchpad.net/bugs/2028253
Buglink: https://bugs.launchpad.net/bugs/2056496
Add the ability to mediate inet access at a port and address level.
Signed-off-by: John Johansen <john.johansen@canonical.com >
(cherry picked from commit fefa3cec7db83b9a0dd1a339f7c8d76c0b820ad8
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:36 +02:00
John Johansen
06bb02860a
UBUNTU: SAUCE: apparmor4.0.0 [86/90]: apparmor: add ability to mediate caps with policy state machine
...
BugLink: http://bugs.launchpad.net/bugs/2028253
Currently the caps encoding is very limited. Allow capabilities to
be mediated by the state machine. This will allow us to add
conditionals to capabilities that aren't possible with the current
encoding.
Signed-off-by: John Johansen <john.johansen@canonical.com >
(cherry picked from commit bb78e87633afdf5e4b7dc0b2c857f61e97369068
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:36 +02:00
John Johansen
43a6c29532
UBUNTU: SAUCE: apparmor4.0.0 [85/90]: apparmor: allow profile to be transitioned when a user ns is created
...
BugLink: http://bugs.launchpad.net/bugs/2028253
User namespaces are used to create sandboxes and often need a different
set of permission than during setup. Allow for a profile state change
on the task creating the namespace.
The transition is encoded the same as exec domain transitions and
only uses a subset of the transitions available at exec. Enivronment
scrubbing etc are not available.
Signed-off-by: John Johansen <john.johansen@canonical.com >
(cherry picked from commit 90f73560fd8dfec350c62a630a9f5719e1da2f23
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:36 +02:00
John Johansen
5e6d82089b
UBUNTU: SAUCE: apparmor4.0.0 [83/90]: apparmor: add support for profiles to define the kill signal
...
BugLink: http://bugs.launchpad.net/bugs/2028253
Previously apparmor has only sent SIGKILL but there are cases where
it can be useful to send a different signal. Allow the profile
to optionally specify a different value.
Signed-off-by: John Johansen <john.johansen@canonical.com >
(cherry picked from commit 22763bfcc93238f352eca731fae8a25d21aa4683
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:35 +02:00
John Johansen
9318d48fee
UBUNTU: SAUCE: apparmor4.0.0 [82/90]: apparmor: add additional flags to extended permission.
...
BugLink: http://bugs.launchpad.net/bugs/2028253
With the switch to extended permissions the ACCEPT2 became unused
freeing up to store state specific flags. The first flags to be
stored are FLAG_OWNER and FLAG other which paves the way to final
merge file and policydb perms into a single permission table.
Lookups based on the objects ownership conditional will still need
separate fns, for now. But make the function slightly more generic
instead of being dedicated to to file permission.
Signed-off-by: John Johansen <john.johansen@canonical.com >
(cherry picked from commit 6513003de9c049192edc3c17bb1bc793d0875790
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:35 +02:00
John Johansen
bd1e2a79d2
UBUNTU: SAUCE: apparmor4.0.0 [80/90]: apparmor: carry mediation check on label
...
BugLink: http://bugs.launchpad.net/bugs/2028253
In order to speed up the mediated check, precompute and store the
result as a bit per class type. This not only will allow us to
speed up the mediation check but is also a step to removing the
unconfined special cases as the unconfined check can be replaced
with the generic label_mediates() check.
need to compute initial profile mediated bit vector
Note: label check does not work for capabilities and resources
Signed-off-by: John Johansen <john.johansen@canonical.com >
(cherry picked from commit d8719977bc2bea2969846a49acfbabf06572ee1f
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:35 +02:00
Georgia Garcia
b51dd892ca
UBUNTU: SAUCE: apparmor4.0.0 [69/90]: add io_uring mediation
...
BugLink: http://bugs.launchpad.net/bugs/2028253
For now, the io_uring mediation is limited to sqpoll and
override_creds.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com >
Signed-off-by: John Johansen <john.johansen@canonical.com >
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel )
Signed-off-by: Andrea Righi <andrea.righi@canonical.com >
(cherry picked from commit d4bbbd67b37fb77205cef0c175dd6f88cf37fdaa
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:35 +02:00
John Johansen
8bd4ee319a
UBUNTU: SAUCE: apparmor4.0.0 [67/90]: userns - add the ability to reference a global variable for a feature value
...
BugLink: http://bugs.launchpad.net/bugs/2028253
Some features when present can be turned on/off by boot parameters.
Allow for a reference type to allow the features directory to
reflect whether the feature is currently enabled.
BugLink: http://bugs.launchpad.net/bugs/2032602
Signed-off-by: John Johansen <john.johansen@canonical.com >
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel )
Signed-off-by: Andrea Righi <andrea.righi@canonical.com >
(cherry picked from commit 965de04e35f281306b1783e94500fff6ea5c8dae
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:34 +02:00
John Johansen
177a32ef2d
UBUNTU: SAUCE: apparmor4.0.0 [66/90]: prompt - add support for advanced filtering of notifications
...
BugLink: http://bugs.launchpad.net/bugs/2028253
Simple filtering based off of type (ALLOWED, DENIED, ...) is
insufficient for several user cases.
Allow for a dfa based filter that can be combined with type
to further screen notifications to specific labels, classes
of mediation and even the permission request.
BugLink: http://bugs.launchpad.net/bugs/2032602
Signed-off-by: John Johansen <john.johansen@canonical.com >
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel )
Signed-off-by: Andrea Righi <andrea.righi@canonical.com >
(cherry picked from commit 60b7d6660330beee97539ed233854a81f30aabd2
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:34 +02:00
John Johansen
fdd1e4fe13
UBUNTU: SAUCE: apparmor4.0.0 [64/90]: prompt - allow profiles to set prompts as interruptible
...
BugLink: http://bugs.launchpad.net/bugs/2028253
Generally prompts can't be interruptible because there are too many
applications that don't handle ERESTARTSYS correctly. This can lead
to random failures that result in a very poor experience.
However allowing upcalls to interruptible is very useful sometimes,
especially with some debugging so provide away for policy to allow
it.
Signed-off-by: John Johansen <john.johansen@canonical.com >
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel )
Signed-off-by: Andrea Righi <andrea.righi@canonical.com >
(cherry picked from commit a8d78d6106d8f3e6fff64137f29aaa42607eba2c
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:34 +02:00
John Johansen
c723113f3a
UBUNTU: SAUCE: apparmor4.0.0 [63/90]: prompt - add tailglob on name for cache support
...
BugLink: http://bugs.launchpad.net/bugs/2028253
Allow the cache to cover more than a single rejection by allowing
an entry to match everything that would match a tailglob expression.
This allows a reduction of cache entries and a reduction of prompts
to userspace when access to a directory hierarchy should be allowed
or denied.
Signed-off-by: John Johansen <john.johansen@canonical.com >
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel )
Signed-off-by: Andrea Righi <andrea.righi@canonical.com >
(cherry picked from commit 66c531b9ce8499689677fd4e9e08817dea4fae47
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:34 +02:00
John Johansen
9e91d7c53d
UBUNTU: SAUCE: apparmor4.0.0 [61/90]: prompt - add the ability to reply with a profile name
...
BugLink: http://bugs.launchpad.net/bugs/2028253
BugLink: https://bugs.launchpad.net/bugs/2028253
Add the ability to extend a profile with another profiles base rule
set as a reply to a prompt.
Signed-off-by: John Johansen <john.johansen@canonical.com >
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel )
Signed-off-by: Andrea Righi <andrea.righi@canonical.com >
(cherry picked from commit 56bf6533b2c415700a366ca6b675775e57ec4816
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:34 +02:00
John Johansen
4e5b6652ed
UBUNTU: SAUCE: apparmor4.0.0 [60/90]: prompt - refcount notifications
...
BugLink: http://bugs.launchpad.net/bugs/2028253
Prepare for separating the knotif from the audit_node. Currently all
knotifs have an audit node but in able to support new features this
won't always be the case. Prepare for this split by refcounting the
knotif.
Signed-off-by: John Johansen <john.johansen@canonical.com >
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel )
Signed-off-by: Andrea Righi <andrea.righi@canonical.com >
(cherry picked from commit c5d575b9f515f14795b0bcbb478499eea80767b7
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:34 +02:00
John Johansen
12cda360ea
UBUNTU: SAUCE: apparmor4.0.0 [57/90]: prompt - Improve debug statements
...
BugLink: http://bugs.launchpad.net/bugs/2028253
Prompting debug is missing some output that can be helpful when
debugging.
Signed-off-by: John Johansen <john.johansen@canonical.com >
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel )
Signed-off-by: Andrea Righi <andrea.righi@canonical.com >
(cherry picked from commit 566e51cd6a4284623362c0a925e410160d84a56a
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:34 +02:00
John Johansen
10c2e3497e
UBUNTU: SAUCE: apparmor4.0.0 [56/90]: prompt - refactor to moving caching to uresponse
...
BugLink: http://bugs.launchpad.net/bugs/2028253
To be able to be more responsive to prompt return values refactor the
code more to make caching operations distinct from user interaction
and move adding to the cache into the uresps side, so actions don't
have to be passed back to the paused process.
This is a step towards allowing response that will use a named
response instead of permissions and also allow for reuse of knotif
for notifications, heartbeat and canceled.
Signed-off-by: John Johansen <john.johansen@canonical.com >
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel )
Signed-off-by: Andrea Righi <andrea.righi@canonical.com >
(cherry picked from commit f3dbf86be0c1d27e61e69abd7c8ed7b42e46e3a8
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:34 +02:00
John Johansen
443431be30
UBUNTU: SAUCE: apparmor4.0.0 [55/90]: prompt - add refcount to audit_node in prep or reuse and delete
...
BugLink: http://bugs.launchpad.net/bugs/2028253
The audit_node needs to be shared for asynchronous notifications to
multiple listeners. So add a refcount to enable sharing.
Signed-off-by: John Johansen <john.johansen@canonical.com >
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel )
Signed-off-by: Andrea Righi <andrea.righi@canonical.com >
(cherry picked from commit bbebba69241db7470d5b389ae0bbb3524b02c04c
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:34 +02:00
John Johansen
c5f3b6ece9
UBUNTU: SAUCE: apparmor4.0.0 [54/90]: prompt - allow controlling of caching of a prompt response
...
BugLink: http://bugs.launchpad.net/bugs/2028253
Allow the user response to indicate whether a response should be
cached or not.
Signed-off-by: John Johansen <john.johansen@canonical.com >
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel )
Signed-off-by: Andrea Righi <andrea.righi@canonical.com >
(cherry picked from commit 5ea8f857b8a8b8bfc78b492dc662d7c145407427
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:34 +02:00
John Johansen
00f709701f
UBUNTU: SAUCE: apparmor4.0.0 [52/90]: enable userspace upcall for mediation
...
BugLink: http://bugs.launchpad.net/bugs/2028253
There are cases where userspace can provide additional information
that may be needed to make the correct mediation decision.
Signed-off-by: John Johansen <john.johansen@canonical.com >
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel )
Signed-off-by: Andrea Righi <andrea.righi@canonical.com >
(cherry picked from commit c0cb33a681e82df1fda919edfd49fb7cf09615f3
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:33 +02:00
John Johansen
f3973fd0c5
UBUNTU: SAUCE: apparmor4.0.0 [51/90]: add the ability for profiles to have a learning cache
...
BugLink: http://bugs.launchpad.net/bugs/2028253
To support a better complain mode allow caching learned entries off
of the profile. This can be used to dedup complain messages and
also as a basis for bulk delivery of complain messages to userspace
through a non audit logging interface.
Signed-off-by: John Johansen <john.johansen@canonical.com >
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel )
Signed-off-by: Andrea Righi <andrea.righi@canonical.com >
(cherry picked from commit ee3bb68e2d8dde5bc314c7ec7bf5cad3afab694a
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:33 +02:00
John Johansen
6cc5addb5b
UBUNTU: SAUCE: apparmor4.0.0 [50/90]: Improve debug print infrastructure
...
BugLink: http://bugs.launchpad.net/bugs/2028253
Make it so apparmor debug output can be controlled by class flags
as well as the debug flag on labels. This provides much finer
control at what is being output so apparmor doesn't flood the
logs with information that is not needed, making it hard to find
what is important.
Signed-off-by: John Johansen <john.johansen@canonical.com >
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel )
Signed-off-by: Andrea Righi <andrea.righi@canonical.com >
(cherry picked from commit ad39d2bf13cf58ee3145c09b32cd45f86753e505
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:33 +02:00
John Johansen
273a0d78a0
UBUNTU: SAUCE: apparmor4.0.0 [49/90]: setup slab cache for audit data
...
BugLink: http://bugs.launchpad.net/bugs/2028253
Audit data will be used for caches and learning. When this happens the
data needs to be off of the stack and a slab cache will help with
improve the dynamic allocation, and reduce overall size used.
Signed-off-by: John Johansen <john.johansen@canonical.com >
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel )
Signed-off-by: Andrea Righi <andrea.righi@canonical.com >
(cherry picked from commit dce7014f7313db5f1af2ef9a04f3fc3a00e38fae
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:33 +02:00
John Johansen
863d225455
UBUNTU: SAUCE: apparmor4.0.0 [48/90]: Add fine grained mediation of posix mqueues
...
BugLink: http://bugs.launchpad.net/bugs/2028253
Add fine grained mediation of posix mqueues. Specifically this patch
adds support for differentiating mqueues based on the name in the ipc
namespace. A follow on patch will add support for implied labels, and
a third patch explicit labels. This is done in part because of
dependencies on other patches to apparmor core.
Signed-off-by: John Johansen <john.johansen@canonical.com >
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel )
Signed-off-by: Andrea Righi <andrea.righi@canonical.com >
(cherry picked from commit 5de4e990b8c3297eebc2470c0dda6acb6c741a71
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:33 +02:00
John Johansen
938de00f4f
UBUNTU: SAUCE: apparmor4.0.0 [47/90]: af_unix mediation
...
BugLink: http://bugs.launchpad.net/bugs/2028253
af_socket mediation did not make it into 4.17 so add remaining out
of tree patch
Signed-off-by: John Johansen <john.johansen@canonical.com >
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel )
Signed-off-by: Andrea Righi <andrea.righi@canonical.com >
(cherry picked from commit 651f0b2cc1d78cb7afbc0fcadc166ed0bcc78dd3
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:33 +02:00
John Johansen
1467c91ebd
UBUNTU: SAUCE: apparmor4.0.0 [46/90]: Add sysctls for additional controls of unpriv userns restrictions
...
BugLink: http://bugs.launchpad.net/bugs/2028253
Add apparmor_restrict_unprivileged_userns_force
To force old policies that don't support user namespace restrictions
to apply them anyways.
Add apparmor_restrict_unprivileged_userns_complain
To cause user namespace restrictions to complain instead of fail.
This will work on both profiles and unconfined.
Signed-off-by: John Johansen <john.johansen@canonical.com >
fixup userns
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel )
Signed-off-by: Andrea Righi <andrea.righi@canonical.com >
(cherry picked from commit 13890cd37e28953bcf321d7ccad7ae50377e672f
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:33 +02:00
John Johansen
cf24569d20
UBUNTU: SAUCE: apparmor4.0.0 [45/90]: add unpriviled user ns mediation
...
BugLink: http://bugs.launchpad.net/bugs/2028253
Unprivileged user namespace creation is often used as a first step
in privilege escalation attacks. Instead of disabling it at the
sysrq level, which blocks its legitimate use as for setting up a sandbox,
allow control on a per domain basis.
This allows an admin to quickly lock down a system while also still
allowing legitimate use.
Signed-off-by: John Johansen <john.johansen@canonical.com >
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel )
Signed-off-by: Andrea Righi <andrea.righi@canonical.com >
(cherry picked from commit 98624b0de733fca44a790db0e78090dc77919fbd
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:33 +02:00
John Johansen
f1e158f349
UBUNTU: SAUCE: apparmor4.0.0 [44/90]: patch to provide compatibility with v2.x net rules
...
BugLink: http://bugs.launchpad.net/bugs/2028253
The networking rules upstreamed in 4.17 have a deliberate abi break
with the older 2.x network rules.
This patch provides compatibility with the older rules for those
still using an apparmor 2.x userspace and still want network rules
to work on a newer kernel.
Signed-off-by: John Johansen <john.johansen@canonical.com >
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel )
Signed-off-by: Andrea Righi <andrea.righi@canonical.com >
(cherry picked from commit fdb71a3190842ca72ca1a84db6b5d6fb6e73b1fc
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:33 +02:00
John Johansen
77811af4f0
UBUNTU: SAUCE: apparmor4.0.0 [43/90]: LSM stacking v39: UBUNTU: SAUCE: apparmor4.0.0 [12/95]: add/use fns to print hash string hex value
...
BugLink: http://bugs.launchpad.net/bugs/2028253
Signed-off-by: John Johansen <john.johansen@canonical.com >
(cherry picked from https://gitlab.com/jjohansen/apparmor-kernel )
Signed-off-by: Andrea Righi <andrea.righi@canonical.com >
(cherry picked from commit f29a03f77b0c72a62fe44e1b1942d7e497b32fd5
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:33 +02:00
Casey Schaufler
1b0649d395
UBUNTU: SAUCE: apparmor4.0.0 [31/90]: LSM stacking v39: LSM: Exclusive secmark usage
...
BugLink: http://bugs.launchpad.net/bugs/2028253
The network secmark can only be used by one security module
at a time. Establish mechanism to identify to security modules
whether they have access to the secmark. SELinux already
incorparates mechanism, but it has to be added to Smack and
AppArmor.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com >
(cherry picked from commit c0c9497b3b4153c7cea3e7dec321996b24b96c04
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:32 +02:00
Casey Schaufler
4111e08c80
UBUNTU: SAUCE: apparmor4.0.0 [18/90]: LSM stacking v39: LSM: Use lsmcontext in security_lsmblob_to_secctx
...
BugLink: http://bugs.launchpad.net/bugs/2028253
Replace the (secctx,seclen) pointer pair with a single
lsmcontext pointer to allow return of the LSM identifier
along with the context and context length. This allows
security_release_secctx() to know how to release the
context. Callers have been modified to use or save the
returned data from the new structure.
security_lsmblob_to_secctx() will now return the length value
on success instead of 0.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com >
Cc: netdev@vger.kernel.org
Cc: audit@vger.kernel.org
Cc: netfilter-devel@vger.kernel.org
Cc: Todd Kjos <tkjos@google.com >
(cherry picked from commit b2a3a4be21bfc71ee961103fb2d638ebc031541e
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:31 +02:00
Casey Schaufler
c45f92d3c9
UBUNTU: SAUCE: apparmor4.0.0 [17/90]: LSM stacking v39: LSM: Use lsmcontext in security_secid_to_secctx
...
BugLink: http://bugs.launchpad.net/bugs/2028253
Replace the (secctx,seclen) pointer pair with a single
lsmcontext pointer to allow return of the LSM identifier
along with the context and context length. This allows
security_release_secctx() to know how to release the
context. Callers have been modified to use or save the
returned data from the new structure.
security_secid_to_secctx() will now return the length value
on success instead of 0.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com >
Cc: netdev@vger.kernel.org
Cc: audit@vger.kernel.org
Cc: netfilter-devel@vger.kernel.org
Cc: Todd Kjos <tkjos@google.com >
(cherry picked from commit f2be390a1a158bf2b08006e4e58a2b6920c08c83
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:31 +02:00
Casey Schaufler
21aab7be69
UBUNTU: SAUCE: apparmor4.0.0 [16/90]: LSM stacking v39: LSM: Ensure the correct LSM context releaser
...
BugLink: http://bugs.launchpad.net/bugs/2028253
Add a new lsmcontext data structure to hold all the information
about a "security context", including the string, its size and
which LSM allocated the string. The allocation information is
necessary because LSMs have different policies regarding the
lifecycle of these strings. SELinux allocates and destroys
them on each use, whereas Smack provides a pointer to an entry
in a list that never goes away.
Update security_release_secctx() to use the lsmcontext instead
of a (char *, len) pair. Change its callers to do likewise.
The LSMs supporting this hook have had comments added to
remind the developer that there is more work to be done.
Reviewed-by: Kees Cook <keescook@chromium.org >
Reviewed-by: John Johansen <john.johansen@canonical.com >
Acked-by: Paul Moore <paul@paul-moore.com >
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com >
Acked-by: Chuck Lever <chuck.lever@oracle.com >
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com >
Cc: linux-integrity@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: audit@vger.kernel.org
Cc: netfilter-devel@vger.kernel.org
To: Pablo Neira Ayuso <pablo@netfilter.org >
Cc: linux-nfs@vger.kernel.org
Cc: Todd Kjos <tkjos@google.com >
(cherry picked from commit ff955dc9c08dfa96a404f52269ea8c0ec192be6d
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:31 +02:00
Casey Schaufler
d626a73147
UBUNTU: SAUCE: apparmor4.0.0 [06/90]: LSM stacking v39: LSM: Add lsmblob_to_secctx hook
...
BugLink: http://bugs.launchpad.net/bugs/2028253
Add a new hook security_lsmblob_to_secctx() and its LSM specific
implementations. The LSM specific code will use the lsmblob element
allocated for that module. This allows for the possibility that more
than one module may be called upon to translate a secid to a string,
as can occur in the audit code.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com >
(cherry picked from commit a2b36b5dcaca7e31c3c80c9ae9198ae864d2827a
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:30 +02:00
Casey Schaufler
7b67a3349c
UBUNTU: SAUCE: apparmor4.0.0 [05/90]: LSM stacking v39: LSM: Use lsmblob in security_audit_rule_match
...
BugLink: http://bugs.launchpad.net/bugs/2028253
Change the secid parameter of security_audit_rule_match
to a lsmblob structure pointer. Pass the entry from the
lsmblob structure for the approprite slot to the LSM hook.
Change the users of security_audit_rule_match to use the
lsmblob instead of a u32. The scaffolding function lsmblob_init()
fills the blob with the value of the old secid, ensuring that
it is available to the appropriate module hook. The sources of
the secid, security_task_getsecid() and security_inode_getsecid(),
will be converted to use the blob structure later in the series.
At the point the use of lsmblob_init() is dropped.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com >
Acked-by: Paul Moore <paul@paul-moore.com >
Reviewed-by: John Johansen <john.johansen@canonical.com >
Cc: linux-audit@redhat.com
(cherry picked from commit ec1eb9be88908dcb7e040a27c40f247b20ca5f21
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:30 +02:00
Casey Schaufler
e1a8c296ec
UBUNTU: SAUCE: apparmor4.0.0 [04/90]: LSM stacking v39: IMA: avoid label collisions with stacked LSMs
...
BugLink: http://bugs.launchpad.net/bugs/2028253
Integrity measurement may filter on security module information
and needs to be clear in the case of multiple active security
modules which applies. Provide a boot option ima_rules_lsm= to
allow the user to specify an active security module to apply
filters to. If not specified, use the first registered module
that supports the audit_rule_match() LSM hook. Allow the user
to specify in the IMA policy an lsm= option to specify the
security module to use for a particular rule.
This requires adding the LSM of interest as a parameter
to three of the audit hooks.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com >
To: Mimi Zohar <zohar@linux.ibm.com >
To: linux-integrity@vger.kernel.org
To: audit@vger.kernel.org
(cherry picked from commit d177f98409d82dbb23763122fd1e4eb9897cf6ac
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:30 +02:00
Casey Schaufler
0278a672f0
UBUNTU: SAUCE: apparmor4.0.0 [02/90]: LSM stacking v39: SM: Infrastructure management of the sock security
...
BugLink: http://bugs.launchpad.net/bugs/2028253
Move management of the sock->sk_security blob out
of the individual security modules and into the security
infrastructure. Instead of allocating the blobs from within
the modules the modules tell the infrastructure how much
space is required, and the space is allocated there.
Acked-by: Paul Moore <paul@paul-moore.com >
Reviewed-by: Kees Cook <keescook@chromium.org >
Reviewed-by: John Johansen <john.johansen@canonical.com >
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com >
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com >
(cherry picked from commit c493287fe3495fcf3854f246b42cbaa88ed130da
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next )
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com >
2024-04-12 10:15:30 +02:00
Casey Schaufler
223981db9b
AppArmor: Add selfattr hooks
...
Add hooks for setselfattr and getselfattr. These hooks are not very
different from their setprocattr and getprocattr equivalents, and
much of the code is shared.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com >
Acked-by: John Johansen <john.johansen@canonical.com >
[PM: forward ported beyond v6.6 due merge window changes]
Signed-off-by: Paul Moore <paul@paul-moore.com >
2023-11-12 22:54:42 -05:00
John Johansen
157a3537d6
apparmor: Fix regression in mount mediation
...
commit 2db154b3ea ("vfs: syscall: Add move_mount(2) to move mounts around")
introduced a new move_mount(2) system call and a corresponding new LSM
security_move_mount hook but did not implement this hook for any
existing LSM. This creates a regression for AppArmor mediation of
mount. This patch provides a base mapping of the move_mount syscall to
the existing mount mediation. In the future we may introduce
additional mediations around the new mount calls.
Fixes: 2db154b3ea ("vfs: syscall: Add move_mount(2) to move mounts around")
CC: stable@vger.kernel.org
Reported-by: Andreas Steinmetz <anstein99@googlemail.com >
Signed-off-by: John Johansen <john.johansen@canonical.com >
2023-10-18 16:01:32 -07:00
Georgia Garcia
c4371d9063
apparmor: add io_uring mediation
...
For now, the io_uring mediation is limited to sqpoll and
override_creds.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com >
Signed-off-by: John Johansen <john.johansen@canonical.com >
2023-10-18 15:58:49 -07:00
John Johansen
fa9b63adab
apparmor: add user namespace creation mediation
...
Unprivileged user namespace creation is often used as a first step
in privilege escalation attacks. Instead of disabling it at the
sysrq level, which blocks its legitimate use as for setting up a sandbox,
allow control on a per domain basis.
This allows an admin to quickly lock down a system while also still
allowing legitimate use.
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com >
Signed-off-by: John Johansen <john.johansen@canonical.com >
2023-10-18 15:49:02 -07:00
John Johansen
2d9da9b188
apparmor: allow restricting unprivileged change_profile
...
unprivileged unconfined can use change_profile to alter the confinement
set by the mac admin.
Allow restricting unprivileged unconfined by still allowing change_profile
but stacking the change against unconfined. This allows unconfined to
still apply system policy but allows the task to enter the new confinement.
If unprivileged unconfined is required a sysctl is provided to switch
to the previous behavior.
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com >
Signed-off-by: John Johansen <john.johansen@canonical.com >
2023-10-18 15:48:44 -07:00
John Johansen
98b824ff89
apparmor: refcount the pdb
...
With the move to permission tables the dfa is no longer a stand
alone entity when used, needing a minimum of a permission table.
However it still could be shared among different pdbs each using
a different permission table.
Instead of duping the permission table when sharing a pdb, add a
refcount to the pdb so it can be easily shared.
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com >
Signed-off-by: John Johansen <john.johansen@canonical.com >
2023-10-18 15:30:47 -07:00
John Johansen
90c436a64a
apparmor: pass cred through to audit info.
...
The cred is needed to properly audit some messages, and will be needed
in the future for uid conditional mediation. So pass it through to
where the apparmor_audit_data struct gets defined.
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com >
Signed-off-by: John Johansen <john.johansen@canonical.com >
2023-10-18 15:30:38 -07:00
John Johansen
d20f5a1a6e
apparmor: rename audit_data->label to audit_data->subj_label
...
rename audit_data's label field to subj_label to better reflect its
use. Also at the same time drop unneeded assignments to ->subj_label
as the later call to aa_check_perms will do the assignment if needed.
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com >
Signed-off-by: John Johansen <john.johansen@canonical.com >
2023-10-18 15:30:34 -07:00
John Johansen
bd7bd201ca
apparmor: combine common_audit_data and apparmor_audit_data
...
Everywhere where common_audit_data is used apparmor audit_data is also
used. We can simplify the code and drop the use of the aad macro
everywhere by combining the two structures.
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com >
Signed-off-by: John Johansen <john.johansen@canonical.com >
2023-10-18 15:30:29 -07:00
John Johansen
79ddd4a7c5
apparmor: rename SK_CTX() to aa_sock and make it an inline fn
...
In preparation for LSM stacking rework the macro to an inline fn
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com >
Signed-off-by: John Johansen <john.johansen@canonical.com >
2023-10-18 15:29:55 -07:00
Xiu Jianfeng
fee5304a9c
apparmor: remove unused functions in policy_ns.c/.h
...
These functions are not used now, remove them.
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com >
Signed-off-by: John Johansen <john.johansen@canonical.com >
2023-10-15 21:44:31 -07:00
GONG, Ruiqi
efea5b0dcc
apparmor: remove unused PROF_* macros
...
The last usage of PROF_{ADD,REPLACE} were removed by commit 18e99f191a
("apparmor: provide finer control over policy management"). So remove
these two unused macros.
Signed-off-by: GONG, Ruiqi <gongruiqi1@huawei.com >
Signed-off-by: John Johansen <john.johansen@canonical.com >
2023-08-08 13:24:48 -07:00
Xiu Jianfeng
980a580868
apparmor: cleanup unused functions in file.h
...
After changes in commit 33bf60cabc ("LSM: Infrastructure management of
the file security"), aa_alloc_file_ctx() and aa_free_file_ctx() are no
longer used, so remove them, and also remove aa_get_file_label() because
it seems that it's never been used before.
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com >
Signed-off-by: John Johansen <john.johansen@canonical.com >
2023-08-08 13:16:13 -07:00