Message-ID: <2f11838a-7038-f7a2-5827-38ef8efd4047@canonical.com>
Date:   Fri, 22 Sep 2017 22:48:10 -0700
From:   John Johansen <john.johansen@...onical.com>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     LKLM <linux-kernel@...r.kernel.org>,
        "open list:SECURITY SUBSYSTEM" 
        <linux-security-module@...r.kernel.org>
Subject: [GIT PULL] apparmor updates for v4.14-rc2

Hi,

This is a direct apparmor pull request, similar to SELinux's for the
v4.14 window, and the seccomp request that was sent today for
v4.14-rc2; it's the same series that was sent to James' security
tree + one regression fix that was found after the series was sent to
James and would have been sent for v4.14-rc2.

Please pull these apparmor changes for v4.14-rc2.

Thanks!

- John


The following changes since commit 520eccdfe187591a51ea9ab4c1a024ae4d0f68d9:

  Linux 4.13-rc2 (2017-07-23 16:15:17 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor tags/apparmor-pr-2017-09-22

for you to fetch changes up to bf81100f63db7ea243d17b9d5008ba3af2fdf6b2:

  apparmor: fix apparmorfs DAC access permissions (2017-09-22 13:20:01 -0700)

----------------------------------------------------------------
+ Features
  - in preparation for secid mapping add support for absolute root view
    based labels
  - add base infrastructure for socket mediation
  - add mount mediation
  - add signal mediation

+ minor clean-ups and changes
  - be defensive, ensure unconfined profiles have dfas initialized
  - add more debug asserts to apparmorfs
  - enable policy unpacking to audit different reasons for failure
  - cleanup conditional check for label in label_print
  - Redundant condition: prev_ns. in [label.c:1498]

+ Bug Fixes
  - fix regression in apparmorfs DAC access permissions
  - fix build failure on sparc caused by undeclared signals
  - fix sparse report of incorrect type assignment when freeing label proxies
  - fix race condition in null profile creation
  - Fix an error code in aafs_create()
  - Fix logical error in verify_header()
  - Fix shadowed local variable in unpack_trans_table()

----------------------------------------------------------------
Christos Gkekas (1):
      apparmor: Fix logical error in verify_header()

Dan Carpenter (1):
      apparmor: Fix an error code in aafs_create()

Geert Uytterhoeven (1):
      apparmor: Fix shadowed local variable in unpack_trans_table()

John Johansen (14):
      apparmor: Redundant condition: prev_ns. in [label.c:1498]
      apparmor: add the ability to mediate signals
      apparmor: add mount mediation
      apparmor: cleanup conditional check for label in label_print
      apparmor: add support for absolute root view based labels
      apparmor: make policy_unpack able to audit different info messages
      apparmor: add more debug asserts to apparmorfs
      apparmor: add base infastructure for socket mediation
      apparmor: move new_null_profile to after profile lookup fns()
      apparmor: fix race condition in null profile creation
      apparmor: ensure unconfined profiles have dfas initialized
      apparmor: fix incorrect type assignment when freeing proxies
      apparmor: fix build failure on sparc caused by undeclared signals
      apparmor: fix apparmorfs DAC access permissions

 security/apparmor/.gitignore          |   1 +
 security/apparmor/Makefile            |  43 ++-
 security/apparmor/apparmorfs.c        |  45 ++-
 security/apparmor/domain.c            |   4 +-
 security/apparmor/file.c              |  30 ++
 security/apparmor/include/apparmor.h  |   2 +
 security/apparmor/include/audit.h     |  39 +-
 security/apparmor/include/domain.h    |   5 +
 security/apparmor/include/ipc.h       |   6 +
 security/apparmor/include/label.h     |   1 +
 security/apparmor/include/mount.h     |  54 +++
 security/apparmor/include/net.h       | 114 ++++++
 security/apparmor/include/perms.h     |   5 +-
 security/apparmor/include/policy.h    |  13 +
 security/apparmor/include/sig_names.h |  98 +++++
 security/apparmor/ipc.c               |  99 +++++
 security/apparmor/label.c             |  36 +-
 security/apparmor/lib.c               |   5 +-
 security/apparmor/lsm.c               | 472 +++++++++++++++++++++++
 security/apparmor/mount.c             | 696 ++++++++++++++++++++++++++++++++++
 security/apparmor/net.c               | 184 +++++++++
 security/apparmor/policy.c            | 166 ++++----
 security/apparmor/policy_ns.c         |   2 +
 security/apparmor/policy_unpack.c     | 105 ++++-
 24 files changed, 2088 insertions(+), 137 deletions(-)
 create mode 100644 security/apparmor/include/mount.h
 create mode 100644 security/apparmor/include/net.h
 create mode 100644 security/apparmor/include/sig_names.h
 create mode 100644 security/apparmor/mount.c
 create mode 100644 security/apparmor/net.c


