zesty: apparmor update for 4.9-rc7
John Johansen
john.johansen at canonical.com
Wed Nov 23 00:31:08 UTC 2016
An upstream patch will break the current set of apparmor patches in zesty.
Specifically,

  3d40658 apparmor: fix change_hat not finding hat after policy replacement

breaks

  7e7126a UBUNTU: SAUCE: (no-up) apparmor: rebase of apparmor3.5-beta1 snapshot for 4.8

Once the 7e7126a merge is fixed, the rest of the patches apply cleanly.
The merge, if done manually, should just take the code that already exists
in the ubuntu branch (the issue fixed by 3d40658 does not exist in
ubuntu).

For the next time zesty is rebased against 4.9, an updated version of the
patchset against the current v4.9 (post rc6, pre rc7) kernel has been
pushed to kernel.ubuntu.com, with the full info listed in the form of a
pull-request below.

The following changes since commit 3b404a519815b9820f73f1ecf404e5546c9270ba:

  Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security (2016-11-21 15:27:41 -0800)

are available in the git repository at:

  git://kernel.ubuntu.com/jj/ubuntu-zesty.git v4.9-rc7ish-apparmor

for you to fetch changes up to d3441f4205c3ffe64d1f7b39bfc623a82993d9f1:

  UBUNTU: SAUCE: apparmor: add flag to detect semantic change, to binfmt_elf mmap (2016-11-22 16:18:25 -0800)

----------------------------------------------------------------
John Johansen (34):
      UBUNTU: SAUCE: (no-up) apparmor: rebase of apparmor3.5-beta1 snapshot for 4.8
      fixup backout policy view capable for forward port
      UBUNTU: SAUCE: apparmor: Fix __label_update proxy comparison test
      UBUNTU: SAUCE: apparmor: fix stack trace when removing namespace with profiles
      UBUNTU: SAUCE: apparmor: Fix new to old label comparison for domain transitions
      UBUNTU: SAUCE: apparmor: Fix label build for onexec stacking.
      UBUNTU: SAUCE: apparmor: profiles in one ns can affect mediation in another ns
      UBUNTU: SAUCE: apparmor: reduction of vec to single entry is just that entry
      UBUNTU: SAUCE: apparmor: fix vec_unique for vectors larger than 8
      UBUNTU: SAUCE: apparmor: fix: parameters can be changed after policy is locked
      UBUNTU: SAUCE: apparmor: special case unconfined when determining the mode
      UBUNTU: SAUCE: apparmor: deleted dentries can be disconnected
      UBUNTU: SAUCE: apparmor: Fix auditing behavior for change_hat probing
      apparmor: fix: Rework the iter loop for label_update
      apparmor: add more assertions for updates/merges to help catch errors
      apparmor: Make pivot root transitions work with stacking
      apparmor: convert delegating deleted files to mediate deleted files
      apparmor: add missing parens. not a bug fix but highly recommended
      apparmor: add a stack_version file to allow detection of bug fixes
      apparmor: push path lookup into mediation loop
      apparmor: default to allowing unprivileged userns policy
      apparmor: fix: permissions test to view and manage policy
      apparmor: Add Basic ns cross check condition for ipc
      apparmor: add interface to be able to grab loaded policy
      apparmor: refactor aa_prepare_ns into prepare_ns and create_ns routines
      apparmor: add __aa_find_ns fn
      apparmor: add mkdir/rmdir interface to manage policy namespaces
      apparmor: fix oops in pivot_root mediation
      apparmor: fix warning that fn build_pivotroot discards const
      apparmor: add interface to advertise status of current task stacking
      apparmor: update policy permissions to consider ns being viewed/managed
      apparmor: add per ns policy management interface
      apparmor: bump domain stacking version to 1.2
      UBUNTU: SAUCE: apparmor: add flag to detect semantic change, to binfmt_elf mmap

Tyler Hicks (4):
      UBUNTU: SAUCE: add a sysctl to enable unprivileged user ns AppArmor policy loading
      UBUNTU: SAUCE: apparmor: Allow ns_root processes to open profiles file
      UBUNTU: SAUCE: apparmor: Consult sysctl when reading profiles in a user ns
      UBUNTU: SAUCE: apparmor: Fix FTBFS due to bad include path

William Hua (1):
      UBUNTU: SAUCE: apparmor: add data query support

security/apparmor/.gitignore | 1 +
security/apparmor/Kconfig | 59 +-
security/apparmor/Makefile | 44 +-
security/apparmor/af_unix.c | 643 +++++++++
security/apparmor/apparmorfs.c | 1075 +++++++++++++--
security/apparmor/audit.c | 120 +-
security/apparmor/capability.c | 56 +-
security/apparmor/context.c | 152 +--
security/apparmor/crypto.c | 37 +
security/apparmor/domain.c | 1391 ++++++++++++-------
security/apparmor/file.c | 569 +++++---
security/apparmor/include/af_unix.h | 114 ++
security/apparmor/include/apparmor.h | 91 +-
security/apparmor/include/apparmorfs.h | 21 +-
security/apparmor/include/audit.h | 180 ++-
security/apparmor/include/capability.h | 6 +-
security/apparmor/include/context.h | 216 +--
security/apparmor/include/crypto.h | 5 +
security/apparmor/include/domain.h | 9 +-
security/apparmor/include/file.h | 120 +-
security/apparmor/include/ipc.h | 22 +-
security/apparmor/include/label.h | 502 +++++++
security/apparmor/include/lib.h | 317 +++++
security/apparmor/include/match.h | 20 +
security/apparmor/include/mount.h | 54 +
security/apparmor/include/net.h | 124 ++
security/apparmor/include/path.h | 63 +-
security/apparmor/include/perms.h | 173 +++
security/apparmor/include/policy.h | 291 ++--
security/apparmor/include/policy_ns.h | 150 ++
security/apparmor/include/policy_unpack.h | 28 +-
security/apparmor/include/procattr.h | 3 +-
security/apparmor/include/resource.h | 4 +-
security/apparmor/include/sig_names.h | 95 ++
security/apparmor/ipc.c | 234 +++-
security/apparmor/label.c | 2105 +++++++++++++++++++++++++++++
security/apparmor/lib.c | 473 ++++++-
security/apparmor/lsm.c | 1060 ++++++++++++---
security/apparmor/match.c | 29 +-
security/apparmor/mount.c | 704 ++++++++++
security/apparmor/net.c | 357 +++++
security/apparmor/nulldfa.in | 1 +
security/apparmor/path.c | 132 +-
security/apparmor/policy.c | 994 ++++++--------
security/apparmor/policy_ns.c | 353 +++++
security/apparmor/policy_unpack.c | 323 ++++-
security/apparmor/procattr.c | 94 +-
security/apparmor/resource.c | 114 +-
48 files changed, 11151 insertions(+), 2577 deletions(-)
create mode 100644 security/apparmor/af_unix.c
create mode 100644 security/apparmor/include/af_unix.h
create mode 100644 security/apparmor/include/label.h
create mode 100644 security/apparmor/include/lib.h
create mode 100644 security/apparmor/include/mount.h
create mode 100644 security/apparmor/include/net.h
create mode 100644 security/apparmor/include/perms.h
create mode 100644 security/apparmor/include/policy_ns.h
create mode 100644 security/apparmor/include/sig_names.h
create mode 100644 security/apparmor/label.c
create mode 100644 security/apparmor/mount.c
create mode 100644 security/apparmor/net.c
create mode 100644 security/apparmor/nulldfa.in
create mode 100644 security/apparmor/policy_ns.c