2017-09-23 05:48:32

by John Johansen

Subject: [GIT PULL] apparmor updates for v4.14-rc2

Hi,

This is a direct apparmor pull request, similar to SELinux's for the
v4.14 window, and the seccomp request that was sent today for
v4.14-rc2; it's the same series that was sent to James' security
tree + one regression fix that was found after the series was sent to
James and would have been sent for v4.14-rc2.

Please pull these apparmor changes for v4.14-rc2.

Thanks!

- John


The following changes since commit 520eccdfe187591a51ea9ab4c1a024ae4d0f68d9:

Linux 4.13-rc2 (2017-07-23 16:15:17 -0700)

are available in the git repository at:

git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor tags/apparmor-pr-2017-09-22

for you to fetch changes up to bf81100f63db7ea243d17b9d5008ba3af2fdf6b2:

apparmor: fix apparmorfs DAC access permissions (2017-09-22 13:20:01 -0700)

----------------------------------------------------------------
+ Features
  - in preparation for secid mapping add support for absolute root view
    based labels
  - add base infrastructure for socket mediation
  - add mount mediation
  - add signal mediation

+ minor clean-ups and changes
  - be defensive, ensure unconfined profiles have dfas initialized
  - add more debug asserts to apparmorfs
  - enable policy unpacking to audit different reasons for failure
  - cleanup conditional check for label in label_print
  - Redundant condition: prev_ns. in [label.c:1498]

+ Bug Fixes
  - fix regression in apparmorfs DAC access permissions
  - fix build failure on sparc caused by undeclared signals
  - fix sparse report of incorrect type assignment when freeing label proxies
  - fix race condition in null profile creation
  - Fix an error code in aafs_create()
  - Fix logical error in verify_header()
  - Fix shadowed local variable in unpack_trans_table()

----------------------------------------------------------------
Christos Gkekas (1):
apparmor: Fix logical error in verify_header()

Dan Carpenter (1):
apparmor: Fix an error code in aafs_create()

Geert Uytterhoeven (1):
apparmor: Fix shadowed local variable in unpack_trans_table()

John Johansen (14):
apparmor: Redundant condition: prev_ns. in [label.c:1498]
apparmor: add the ability to mediate signals
apparmor: add mount mediation
apparmor: cleanup conditional check for label in label_print
apparmor: add support for absolute root view based labels
apparmor: make policy_unpack able to audit different info messages
apparmor: add more debug asserts to apparmorfs
apparmor: add base infastructure for socket mediation
apparmor: move new_null_profile to after profile lookup fns()
apparmor: fix race condition in null profile creation
apparmor: ensure unconfined profiles have dfas initialized
apparmor: fix incorrect type assignment when freeing proxies
apparmor: fix build failure on sparc caused by undeclared signals
apparmor: fix apparmorfs DAC access permissions

security/apparmor/.gitignore | 1 +
security/apparmor/Makefile | 43 ++-
security/apparmor/apparmorfs.c | 45 ++-
security/apparmor/domain.c | 4 +-
security/apparmor/file.c | 30 ++
security/apparmor/include/apparmor.h | 2 +
security/apparmor/include/audit.h | 39 +-
security/apparmor/include/domain.h | 5 +
security/apparmor/include/ipc.h | 6 +
security/apparmor/include/label.h | 1 +
security/apparmor/include/mount.h | 54 +++
security/apparmor/include/net.h | 114 ++++++
security/apparmor/include/perms.h | 5 +-
security/apparmor/include/policy.h | 13 +
security/apparmor/include/sig_names.h | 98 +++++
security/apparmor/ipc.c | 99 +++++
security/apparmor/label.c | 36 +-
security/apparmor/lib.c | 5 +-
security/apparmor/lsm.c | 472 +++++++++++++++++++++++
security/apparmor/mount.c | 696 ++++++++++++++++++++++++++++++++++
security/apparmor/net.c | 184 +++++++++
security/apparmor/policy.c | 166 ++++----
security/apparmor/policy_ns.c | 2 +
security/apparmor/policy_unpack.c | 105 ++++-
24 files changed, 2088 insertions(+), 137 deletions(-)
create mode 100644 security/apparmor/include/mount.h
create mode 100644 security/apparmor/include/net.h
create mode 100644 security/apparmor/include/sig_names.h
create mode 100644 security/apparmor/mount.c
create mode 100644 security/apparmor/net.c

