From: John Johansen
Subject: [GIT PULL] apparmor updates for v4.17
To: Linus Torvalds
Cc: LKLM, "open list:SECURITY SUBSYSTEM"
Organization: Canonical
Message-ID: <70d319b8-4cf7-117b-8369-1490bf45176a@canonical.com>
Date: Tue, 10 Apr 2018 22:22:11 -0700

Hi,

Please pull these apparmor changes for v4.17

Thanks!
- John

The following changes since commit d8a5b80568a9cb66810e75b182018e9edb68e8ff:

  Linux 4.15 (2018-01-28 13:20:33 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor tags/apparmor-pr-2018-04-10

for you to fetch changes up to 588558eb6d0e0b6edfa65a67e906c2ffeba63ff1:

  apparmor: fix memory leak on buffer on error exit path (2018-03-30 21:14:04 -0700)

----------------------------------------------------------------
+ Features
  - add base infrastructure for socket mediation. ABI bump and
    additional checks to ensure only v8 compliant policy uses
    socket af mediation.
  - improve and cleanup dfa verification
  - improve profile attachment logic
  - improve overlapping expression handling
  - add the xattr matching to the attachment logic
  - improve signal mediation handling with stacked labels
  - improve handling of no_new_privs in a label stack

+ Cleanups and changes
  - use dfa to parse string split
  - bounded version of label_parse
  - proper line wrap nulldfa.in
  - split context out into task and cred naming to better match usage
  - simplify code in aafs

+ Bug fixes
  - fix display of .ns_name for containers
  - fix resource audit messages when auditing peer
  - fix logging of the existence test for signals
  - fix resource audit messages when auditing peer
  - fix display of .ns_name for containers
  - fix an error code in verify_table_headers()
  - fix memory leak on buffer on error exit path
  - fix error returns checks by making size a ssize_t

----------------------------------------------------------------
Colin Ian King (2):
      apparmor: fix error returns checks by making size a ssize_t
      apparmor: fix memory leak on buffer on error exit path

Dan Carpenter (1):
      apparmor: Fix an error code in verify_table_headers()

John Johansen (31):
      apparmor: fix display of .ns_name for containers
      apparmor: fix resource audit messages when auditing peer
      apparmor: fix logging of the existence test for signals
      apparmor: split load data into management struct and data blob
      apparmor: add first substr match to dfa
      apparmor: use the dfa to do label parse string splitting
      apparmor: provide a bounded version of label_parse
      apparmor: cleanup add proper line wrapping to nulldfa.in
      apparmor: root view labels should not be under user control
      apparmor: make signal label match work when matching stacked labels
      apparmor: audit unknown signal numbers
      apparmor: rename task_ctx to the more accurate cred_ctx
      apparmor: move task domain change info to task security
      apparmor: drop cred_ctx and reference the label directly
      apparmor: rename tctx to ctx
      apparmor: cleanup fixup description of aa_replace_profiles
      apparmor: cleanup, drop unused fn __aa_task_is_confined()
      apparmor: move task related defines and fns to task.X files
      apparmor: move context.h to cred.h
      apparmor: update domain transitions that are subsets of confinement at nnp
      apparmor: dfa move character match into a macro
      apparmor: dfa add support for state differential encoding
      apparmor: dfa split verification of table headers
      apparmor: cleanup create_aafs() error path
      apparmor: cleanup: simplify code to get ns symlink name
      apparmor: convert attaching profiles via xattrs to use dfa matching
      apparmor: improve overlapping domain attachment resolution
      apparmor: add base infastructure for socket mediation
      apparmor: remove POLICY_MEDIATES_SAFE
      apparmor: update MAINTAINERS file git and wiki locations
      apparmor: fix dangling symlinks to policy rawdata after replacement

Matthew Garrett (1):
      apparmor: Add support for attaching profiles via xattr, presence and value

Pravin Shedge (1):
      security: apparmor: remove duplicate includes

 MAINTAINERS                                     |   4 +-
 security/apparmor/.gitignore                    |   1 +
 security/apparmor/Makefile                      |  45 ++-
 security/apparmor/apparmorfs.c                  | 203 ++++++----
 security/apparmor/capability.c                  |   2 +-
 security/apparmor/domain.c                      | 355 +++++++++++++-----
 security/apparmor/file.c                        |  32 +-
 security/apparmor/include/apparmor.h            |   3 +-
 security/apparmor/include/audit.h               |  19 +-
 security/apparmor/include/{context.h => cred.h} |  63 +---
 security/apparmor/include/label.h               |  28 ++
 security/apparmor/include/match.h               |  28 ++
 security/apparmor/include/net.h                 | 106 ++++++
 security/apparmor/include/perms.h               |   5 +-
 security/apparmor/include/policy.h              |  23 +-
 security/apparmor/include/policy_unpack.h       |   2 +-
 security/apparmor/include/sig_names.h           |   5 +-
 security/apparmor/include/task.h                |  94 +++++
 security/apparmor/ipc.c                         |  52 +--
 security/apparmor/label.c                       |  42 ++-
 security/apparmor/lib.c                         |   5 +-
 security/apparmor/lsm.c                         | 467 ++++++++++++++++++++++--
 security/apparmor/match.c                       | 423 +++++++++++++++++----
 security/apparmor/mount.c                       |   2 +-
 security/apparmor/net.c                         | 187 ++++++++++
 security/apparmor/nulldfa.in                    | 108 +++++-
 security/apparmor/policy.c                      |  11 +-
 security/apparmor/policy_ns.c                   |   2 +-
 security/apparmor/policy_unpack.c               |  70 +++-
 security/apparmor/procattr.c                    |   2 +-
 security/apparmor/resource.c                    |   2 +-
 security/apparmor/stacksplitdfa.in              | 114 ++++++
 security/apparmor/{context.c => task.c}         | 139 +++----
 33 files changed, 2119 insertions(+), 525 deletions(-)
 rename security/apparmor/include/{context.h => cred.h} (70%)
 create mode 100644 security/apparmor/include/net.h
 create mode 100644 security/apparmor/include/task.h
 create mode 100644 security/apparmor/net.c
 create mode 100644 security/apparmor/stacksplitdfa.in
 rename security/apparmor/{context.c => task.c} (53%)