From: John Johansen
To: Linus Torvalds
Cc: LKLM, "open list:SECURITY SUBSYSTEM"
Subject: [GIT PULL] apparmor updates for v4.14-rc2
Organization: Canonical
Date: Fri, 22 Sep 2017 22:48:10 -0700
Message-ID: <2f11838a-7038-f7a2-5827-38ef8efd4047@canonical.com>

Hi,

This is a direct apparmor pull request, similar to SELinux's for the
v4.14 window, and the seccomp request that was sent today for v4.14-rc2;
it's the same series that was sent to James' security tree + one
regression fix that was found after the series was sent to James and
would have been sent for v4.14-rc2.

Please pull these apparmor changes for v4.14-rc2.

Thanks!

- John

The following changes since commit 520eccdfe187591a51ea9ab4c1a024ae4d0f68d9:

  Linux 4.13-rc2 (2017-07-23 16:15:17 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor tags/apparmor-pr-2017-09-22

for you to fetch changes up to bf81100f63db7ea243d17b9d5008ba3af2fdf6b2:

  apparmor: fix apparmorfs DAC access permissions (2017-09-22 13:20:01 -0700)

----------------------------------------------------------------
+ Features
  - in preparation for secid mapping add support for absolute root view
    based labels
  - add base infrastructure for socket mediation
  - add mount mediation
  - add signal mediation

+ minor clean-ups and changes
  - be defensive, ensure unconfined profiles have dfas initialized
  - add more debug asserts to apparmorfs
  - enable policy unpacking to audit different reasons for failure
  - cleanup conditional check for label in label_print
  - Redundant condition: prev_ns. in [label.c:1498]

+ Bug Fixes
  - fix regression in apparmorfs DAC access permissions
  - fix build failure on sparc caused by undeclared signals
  - fix sparse report of incorrect type assignment when freeing label proxies
  - fix race condition in null profile creation
  - Fix an error code in aafs_create()
  - Fix logical error in verify_header()
  - Fix shadowed local variable in unpack_trans_table()

----------------------------------------------------------------
Christos Gkekas (1):
      apparmor: Fix logical error in verify_header()

Dan Carpenter (1):
      apparmor: Fix an error code in aafs_create()

Geert Uytterhoeven (1):
      apparmor: Fix shadowed local variable in unpack_trans_table()

John Johansen (14):
      apparmor: Redundant condition: prev_ns. in [label.c:1498]
      apparmor: add the ability to mediate signals
      apparmor: add mount mediation
      apparmor: cleanup conditional check for label in label_print
      apparmor: add support for absolute root view based labels
      apparmor: make policy_unpack able to audit different info messages
      apparmor: add more debug asserts to apparmorfs
      apparmor: add base infastructure for socket mediation
      apparmor: move new_null_profile to after profile lookup fns()
      apparmor: fix race condition in null profile creation
      apparmor: ensure unconfined profiles have dfas initialized
      apparmor: fix incorrect type assignment when freeing proxies
      apparmor: fix build failure on sparc caused by undeclared signals
      apparmor: fix apparmorfs DAC access permissions

 security/apparmor/.gitignore          |   1 +
 security/apparmor/Makefile            |  43 ++-
 security/apparmor/apparmorfs.c        |  45 ++-
 security/apparmor/domain.c            |   4 +-
 security/apparmor/file.c              |  30 ++
 security/apparmor/include/apparmor.h  |   2 +
 security/apparmor/include/audit.h     |  39 +-
 security/apparmor/include/domain.h    |   5 +
 security/apparmor/include/ipc.h       |   6 +
 security/apparmor/include/label.h     |   1 +
 security/apparmor/include/mount.h     |  54 +++
 security/apparmor/include/net.h       | 114 ++++++
 security/apparmor/include/perms.h     |   5 +-
 security/apparmor/include/policy.h    |  13 +
 security/apparmor/include/sig_names.h |  98 +++++
 security/apparmor/ipc.c               |  99 +++++
 security/apparmor/label.c             |  36 +-
 security/apparmor/lib.c               |   5 +-
 security/apparmor/lsm.c               | 472 +++++++++++++++++++++++
 security/apparmor/mount.c             | 696 ++++++++++++++++++++++++++++++++++
 security/apparmor/net.c               | 184 +++++++++
 security/apparmor/policy.c            | 166 ++++----
 security/apparmor/policy_ns.c         |   2 +
 security/apparmor/policy_unpack.c     | 105 ++++-
 24 files changed, 2088 insertions(+), 137 deletions(-)
 create mode 100644 security/apparmor/include/mount.h
 create mode 100644 security/apparmor/include/net.h
 create mode 100644 security/apparmor/include/sig_names.h
 create mode 100644 security/apparmor/mount.c
 create mode 100644 security/apparmor/net.c