lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 16 Jan 2017 13:30:40 -0800
From:   John Johansen <>
To:     James Morris <>
        LKLM <>
Subject: Re: [GIT PULL] AppArmor fixes for 4.11

Sigh, kernel build bot turned up a missed a config combination that
results in a build failure

   security/built-in.o: In function `aa_unpack':
   (.text+0x841e2): undefined reference to `aa_g_hash_policy'

I have pushed the fix on top of the previous request. The pull request
with the new patch added is


The following changes since commit b8aa8453918ebfd93d78de56c2afd4b735e02e27:

  security: Fix inode_getattr documentation (2017-01-10 17:39:23 +1100)

are available in the git repository at:

  git:// for-security

for you to fetch changes up to 3ccb76c5dfe0d25c1d0168d5b726d0b43d19a485:

  apparmor: fix undefined reference to `aa_g_hash_policy' (2017-01-16 13:21:27 -0800)

John Johansen (57):
      apparmor: move lib definitions into separate lib include
      apparmor: split out shared policy_XXX fns to lib
      apparmor: split apparmor policy namespaces code into its own file
      apparmor: rename namespace to ns to improve code line lengths
      apparmor: rename sid to secid
      apparmor: rename PFLAG_INVALID to PFLAG_STALE
      apparmor: rename replacedby to proxy
      apparmor: add strn version of lookup_profile fn
      apparmor: add strn version of aa_find_ns
      apparmor: add lib fn to find the "split" for fqnames
      apparmor: add fn to lookup profiles by fqname
      apparmor: allow ns visibility question to consider subnses
      apparmor: add macro for bug asserts to check that a lock is held
      apparmor: add debug assert AA_BUG and Kconfig to control debug info
      apparmor: rename mediated_filesystem() to path_mediated_fs()
      apparmor: rename hname_tail to basename
      apparmor: constify policy name and hname
      apparmor: pass gfp param into aa_policy_init()
      apparmor: update policy_destroy to use new debug asserts
      apparmor: refactor prepare_ns() and make usable from different views
      apparmor: pass gfp_t parameter into profile allocation
      apparmor: name null-XXX profiles after the executable
      apparmor: remove paranoid load switch
      apparmor: add support for force complain flag to support learning mode
      apparmor: prepare to support newer versions of policy
      apparmor: add get_dfa() fn
      apparmor: allow policydb to be used as the file dfa
      apparmor: add a default null dfa
      apparmor: provide userspace flag indicating binfmt_elf_mmap change
      apparmor: add special .null file used to "close" fds at exec
      apparmor: track ns level so it can be used to help in view checks
      apparmor: Make aa_remove_profile() callable from a different view
      apparmor: allow introspecting the policy namespace name
      apparmor: allow specifying the profile doing the management
      apparmor: add ns being viewed as a param to policy_view_capable()
      apparmor: add ns being viewed as a param to policy_admin_capable()
      apparmor: add profile and ns params to aa_may_manage_policy()
      apparmor: add ns name to the audit data for policy loads
      apparmor: allow introspecting the loaded policy pre internal transform
      apparmor: audit policy ns specified in policy load
      apparmor: pass the subject profile into profile replace/remove
      apparmor: add per policy ns .load, .replace, .remove interface files
      apparmor: fail task profile update if current_cred isn't real_cred
      apparmor: rename context abreviation cxt to the more standard ctx
      apparmor: change op from int to const char *
      apparmor: change aad apparmor_audit_data macro to a fn macro
      apparmor: remove unused op parameter from simple_write_to_buffer()
      apparmor: fix change_hat debug output
      apparmor: convert change_profile to use fqname later to give better control
      apparmor: make computing policy hashes conditional on kernel parameter
      apparmor: update cap audit to check SECURITY_CAP_NOAUDIT
      apparmor: add per cpu work buffers to avoid allocating buffers at every hook
      apparmor: add check for apparmor enabled in module parameters missing it
      apparmor: fix restricted endian type warnings for dfa unpack
      apparmor: fix restricted endian type warnings for policy unpack
      apparmor: replace remaining BUG_ON() asserts with AA_BUG()
      apparmor: fix undefined reference to `aa_g_hash_policy'

Kees Cook (1):
      apparmor: use designated initializers

Tetsuo Handa (1):
      AppArmor: Use GFP_KERNEL for __aa_kvmalloc().

Tyler Hicks (1):
      apparmor: sysctl to enable unprivileged user ns AppArmor policy loading

William Hua (1):
      apparmor: support querying extended trusted helper extra data

 security/apparmor/Kconfig                    |  31 +-
 security/apparmor/Makefile                   |   2 +-
 security/apparmor/apparmorfs.c               | 681 ++++++++++++++++++----
 security/apparmor/audit.c                    |  98 +---
 security/apparmor/capability.c               |  26 +-
 security/apparmor/context.c                  | 107 ++--
 security/apparmor/crypto.c                   |  39 +-
 security/apparmor/domain.c                   | 137 ++---
 security/apparmor/file.c                     |  80 +--
 security/apparmor/include/apparmor.h         |  82 +--
 security/apparmor/include/apparmorfs.h       |  21 +-
 security/apparmor/include/audit.h            | 152 ++---
 security/apparmor/include/context.h          |  84 +--
 security/apparmor/include/crypto.h           |   5 +
 security/apparmor/include/domain.h           |   4 +-
 security/apparmor/include/file.h             |   9 +-
 security/apparmor/include/lib.h              | 200 +++++++
 security/apparmor/include/match.h            |  26 +-
 security/apparmor/include/path.h             |  53 ++
 security/apparmor/include/policy.h           | 199 ++-----
 security/apparmor/include/policy_ns.h        | 147 +++++
 security/apparmor/include/policy_unpack.h    |  28 +-
 security/apparmor/include/{sid.h => secid.h} |  18 +-
 security/apparmor/ipc.c                      |  18 +-
 security/apparmor/lib.c                      | 111 +++-
 security/apparmor/lsm.c                      | 317 +++++++----
 security/apparmor/match.c                    |  47 +-
 security/apparmor/                 |   1 +
 security/apparmor/policy.c                   | 824 ++++++++++-----------------
 security/apparmor/policy_ns.c                | 346 +++++++++++
 security/apparmor/policy_unpack.c            | 257 ++++++---
 security/apparmor/procattr.c                 |  38 +-
 security/apparmor/resource.c                 |  19 +-
 security/apparmor/secid.c                    |  55 ++
 security/apparmor/sid.c                      |  55 --
 35 files changed, 2796 insertions(+), 1521 deletions(-)
 create mode 100644 security/apparmor/include/lib.h
 create mode 100644 security/apparmor/include/policy_ns.h
 rename security/apparmor/include/{sid.h => secid.h} (50%)
 create mode 100644 security/apparmor/
 create mode 100644 security/apparmor/policy_ns.c
 create mode 100644 security/apparmor/secid.c
 delete mode 100644 security/apparmor/sid.c

Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)

Powered by blists - more mailing lists