Hi,
Please pull these apparmor changes for v4.16
Thanks!
- John
The following changes since commit d8a5b80568a9cb66810e75b182018e9edb68e8ff:
Linux 4.15 (2018-01-28 13:20:33 -0800)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor tags/apparmor-pr-2018-02-09
for you to fetch changes up to ad2b3884f07f95f9e0dd897ae56d6c82ad7b00e8:
apparmor: add base infrastructure for socket mediation (2018-02-09 11:30:02 -0800)
----------------------------------------------------------------
apparmor pull-request for 4.16
+ Features
  - add base infrastructure for socket mediation. ABI bump and additional checks to ensure only v8 compliant policy uses socket af mediation.
  - improve and cleanup dfa verification
  - improve profile attachment logic
  - improve overlapping expression handling
  - add the xattr matching to the attachment logic
  - improve signal mediation handling with stacked labels
  - improve handling of no_new_privs in a label stack
+ Cleanups and changes
  - use dfa to parse string split
  - bounded version of label_parse
  - proper line wrap nulldfa.in
  - split context out into task and cred naming to better match usage
  - simplify code in aafs
+ Bug fixes
  - fix display of .ns_name for containers
  - fix resource audit messages when auditing peer
  - fix logging of the existence test for signals
----------------------------------------------------------------
John Johansen (28):
apparmor: fix display of .ns_name for containers
apparmor: fix resource audit messages when auditing peer
apparmor: fix logging of the existence test for signals
apparmor: split load data into management struct and data blob
apparmor: add first substr match to dfa
apparmor: use the dfa to do label parse string splitting
apparmor: provide a bounded version of label_parse
apparmor: cleanup add proper line wrapping to nulldfa.in
apparmor: root view labels should not be under user control
apparmor: make signal label match work when matching stacked labels
apparmor: audit unknown signal numbers
apparmor: rename task_ctx to the more accurate cred_ctx
apparmor: move task domain change info to task security
apparmor: drop cred_ctx and reference the label directly
apparmor: rename tctx to ctx
apparmor: cleanup fixup description of aa_replace_profiles
apparmor: cleanup, drop unused fn __aa_task_is_confined()
apparmor: move task related defines and fns to task.X files
apparmor: move context.h to cred.h
apparmor: update domain transitions that are subsets of confinement at nnp
apparmor: dfa move character match into a macro
apparmor: dfa add support for state differential encoding
apparmor: dfa split verification of table headers
apparmor: cleanup create_aafs() error path
apparmor: cleanup: simplify code to get ns symlink name
apparmor: convert attaching profiles via xattrs to use dfa matching
apparmor: improve overlapping domain attachment resolution
apparmor: add base infrastructure for socket mediation
Matthew Garrett (1):
apparmor: Add support for attaching profiles via xattr, presence and value
Pravin Shedge (1):
security: apparmor: remove duplicate includes
security/apparmor/.gitignore | 1 +
security/apparmor/Makefile | 45 ++-
security/apparmor/apparmorfs.c | 73 ++--
security/apparmor/capability.c | 2 +-
security/apparmor/domain.c | 355 +++++++++++++-----
security/apparmor/file.c | 32 +-
security/apparmor/include/audit.h | 19 +-
security/apparmor/include/{context.h => cred.h} | 63 +---
security/apparmor/include/label.h | 28 ++
security/apparmor/include/match.h | 28 ++
security/apparmor/include/net.h | 114 ++++++
security/apparmor/include/perms.h | 5 +-
security/apparmor/include/policy.h | 17 +
security/apparmor/include/policy_unpack.h | 2 +-
security/apparmor/include/sig_names.h | 5 +-
security/apparmor/include/task.h | 94 +++++
security/apparmor/ipc.c | 52 +--
security/apparmor/label.c | 42 ++-
security/apparmor/lib.c | 5 +-
security/apparmor/lsm.c | 462 ++++++++++++++++++++++--
security/apparmor/match.c | 423 ++++++++++++++++++----
security/apparmor/mount.c | 2 +-
security/apparmor/net.c | 185 ++++++++++
security/apparmor/nulldfa.in | 108 +++++-
security/apparmor/policy.c | 11 +-
security/apparmor/policy_ns.c | 2 +-
security/apparmor/policy_unpack.c | 117 +++++-
security/apparmor/procattr.c | 2 +-
security/apparmor/resource.c | 2 +-
security/apparmor/stacksplitdfa.in | 114 ++++++
security/apparmor/{context.c => task.c} | 139 +++----
31 files changed, 2067 insertions(+), 482 deletions(-)
rename security/apparmor/include/{context.h => cred.h} (70%)
create mode 100644 security/apparmor/include/net.h
create mode 100644 security/apparmor/include/task.h
create mode 100644 security/apparmor/net.c
create mode 100644 security/apparmor/stacksplitdfa.in
rename security/apparmor/{context.c => task.c} (53%)
On Fri, Feb 9, 2018 at 12:19 PM, John Johansen
<[email protected]> wrote:
>
> Please pull these apparmor changes for v4.16
No.
You had an extra two weeks because 4.15 was delayed.
Yet you send me a series of patches that have been committed today, on
a Friday before the weekend when the merge window closes.
And none of this appears to have been in linux-next, at least not as
of February 1st, when the merge window opened.
No no no.
This can all wait for 4.17. And if the same problem persists, it can
wait longer.
Linus
On 02/09/2018 03:01 PM, Linus Torvalds wrote:
> On Fri, Feb 9, 2018 at 12:19 PM, John Johansen
> <[email protected]> wrote:
>>
>> Please pull these apparmor changes for v4.16
>
> No.
>
> You had an extra two weeks because 4.15 was delayed.
>
> Yet you send me a series of patches that have been committed today, on
> a Friday before the weekend when the merge window closes.
>
> And none of this appears to have been in linux-next, at least not as
> of February 1st, when the merge window opened.
>
> No no no.
>
> This can all wait for 4.17. And if the same problem persists, it can
> wait longer.
>
Ack,
thanks
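Linus's objection above is that the series was not in linux-next when the merge window opened. The script below is an added example, not part of this mail thread or of the AppArmor tree: it lists the commits of a pull-request range that are not reachable from a linux-next ref, which is the check a maintainer would run before sending the request. The function names, the demo repository it builds in a temporary directory, and the branch names `linus`, `apparmor` and `next` are all assumptions constructed for the example; against a real clone the call would be something like `missing_from_next v4.15 apparmor-pr-2018-02-09 next/master` after fetching linux-next into a remote named `next` (also an assumption about local naming).

```shell
#!/bin/sh
# Added example, not code from the original mail thread or the AppArmor tree.
# Lists commits in BASE..TIP that a linux-next ref does not contain, so a
# maintainer can see what has not been through -next before sending a pull.
set -eu

# missing_from_next BASE TIP NEXT_REF
# Prints "<short sha> <subject>" for every commit in BASE..TIP that is not
# an ancestor of NEXT_REF (i.e. was never merged into linux-next).
missing_from_next() {
    base=$1; tip=$2; next=$3
    git rev-list --reverse "$base..$tip" | while read -r sha; do
        if ! git merge-base --is-ancestor "$sha" "$next"; then
            git log -1 --format='%h %s' "$sha"
        fi
    done
}

# count_missing BASE TIP NEXT_REF
# Number of commits missing_from_next would report.
count_missing() {
    missing_from_next "$1" "$2" "$3" | wc -l | tr -d ' '
}

# make_demo_repo
# Builds a throwaway repository (constructed for this example; branch and
# commit names are assumptions) and prints its path:
#   linus:    "Linux 4.15" (tag v4.15)
#   apparmor: v4.15 + fix commit + socket-mediation commit (tag apparmor-pr-demo)
#   next:     v4.15 merged with apparmor when it only had the fix commit
make_demo_repo() {
    dir=$(mktemp -d)
    (
        cd "$dir"
        git init -q
        git symbolic-ref HEAD refs/heads/linus
        git config user.email demo@example.invalid
        git config user.name demo
        git config commit.gpgsign false
        git config tag.gpgSign false
        printf 'base\n' > file
        git add file
        git commit -qm 'Linux 4.15'
        git tag v4.15
        git checkout -q -b apparmor
        printf 'a\n' >> file
        git commit -qam 'apparmor: fix display of .ns_name for containers'
        # linux-next picks up the maintainer branch at this point
        git checkout -q -b next v4.15
        git merge -q --no-edit apparmor
        # a later commit lands on the maintainer branch after -next was cut
        git checkout -q apparmor
        printf 'b\n' >> file
        git commit -qam 'apparmor: add base infrastructure for socket mediation'
        git tag apparmor-pr-demo
    ) >/dev/null 2>&1
    printf '%s\n' "$dir"
}

# Stand-alone run: report on the demo repository, then clean up.
demo=$(make_demo_repo)
echo "Commits in v4.15..apparmor-pr-demo not reachable from 'next':"
( cd "$demo" && missing_from_next v4.15 apparmor-pr-demo next )
rm -rf "$demo"
```

Only commits that are ancestors of the linux-next ref count as "in -next"; a rebased series gets new SHAs and will show up as missing even if an older version of the same patches was merged there, which is the right answer for this check, since the code Linus would pull is not what was tested.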