[Groovy][PULL] LSM stacking
Stefan Bader
stefan.bader at canonical.com
Wed Oct 7 08:21:23 UTC 2020
On 07.10.20 08:08, John Johansen wrote:
> This is a refresh to v20 of the LSM stacking patches for groovy.
>
> It reverts several of the previous reverts (feel free to drop original revert and following revert or the revert). And then adds a couple of patches to prep for the newer LSM stacking patches and adds some fixes to apparmor's support of audit rules.
>
> This series is required to fix lp1898280
>
> BugLink: http://bugs.launchpad.net/bugs/1898280
Is it Groundhog day... again?
>
>
>
> The following changes since commit aaaa95814cb615cf585e8865036787d1e7fa45c1:
>
> UBUNTU: Ubuntu-5.8.0-20.21 (2020-09-22 15:13:52 -0500)
>
> are available in the Git repository at:
>
> https://git.launchpad.net/~jjohansen/+git/groovy-lsm-stacking lsm-stacking
>
> for you to fetch changes up to a8479652ad88e279b0fde9cf90ca059e65b3ec39:
>
> UBUNTU: SAUCE: Audit: Fix for missing NULL check (2020-10-06 19:27:57 -0700)
>
> ----------------------------------------------------------------
> Casey Schaufler (24):
> UBUNTU: SAUCE: LSM: Infrastructure management of the sock security
> UBUNTU: SAUCE: LSM: Create and manage the lsmblob data structure.
> UBUNTU: SAUCE: LSM: Use lsmblob in security_audit_rule_match
> UBUNTU: SAUCE: LSM: Use lsmblob in security_kernel_act_as
> UBUNTU: SAUCE: net: Prepare UDS for security module stacking
> UBUNTU: SAUCE: LSM: Use lsmblob in security_secctx_to_secid
> UBUNTU: SAUCE: LSM: Use lsmblob in security_secid_to_secctx
> UBUNTU: SAUCE: LSM: Use lsmblob in security_ipc_getsecid
> UBUNTU: SAUCE: LSM: Use lsmblob in security_task_getsecid
> UBUNTU: SAUCE: LSM: Use lsmblob in security_inode_getsecid
> UBUNTU: SAUCE: LSM: Use lsmblob in security_cred_getsecid
> UBUNTU: SAUCE: IMA: Change internal interfaces to use lsmblobs
> UBUNTU: SAUCE: LSM: Specify which LSM to display
> UBUNTU: SAUCE: LSM: Ensure the correct LSM context releaser
> UBUNTU: SAUCE: LSM: Use lsmcontext in security_secid_to_secctx
> UBUNTU: SAUCE: LSM: Use lsmcontext in security_inode_getsecctx
> UBUNTU: SAUCE: LSM: security_secid_to_secctx in netlink netfilter
> UBUNTU: SAUCE: NET: Store LSM netlabel data in a lsmblob
> UBUNTU: SAUCE: LSM: Verify LSM display sanity in binder
> UBUNTU: SAUCE: Audit: Add new record for multiple process LSM attributes
> UBUNTU: SAUCE: Audit: Add a new record for multiple object LSM attributes
> UBUNTU: SAUCE: LSM: Add /proc attr entry for full LSM context
> UBUNTU: SAUCE: AppArmor: Remove the exclusive flag
> UBUNTU: SAUCE: Audit: Fix for missing NULL check
>
> John Johansen (21):
> Revert "UBUNTU: SAUCE: Revert "apparmor: add support for mapping secids and using secctxes""
> Revert "UBUNTU: SAUCE: Revert "apparmor: Use an IDR to allocate apparmor secids""
> Revert "UBUNTU: SAUCE: Revert "apparmor: fixup secid map conversion to using IDR""
> Revert "UBUNTU: SAUCE: Revert "apparmor: Add a wildcard secid""
> Revert "UBUNTU: SAUCE: Revert "apparmor: Parse secmark policy""
> Revert "UBUNTU: SAUCE: Revert "apparmor: Allow filtering based on secmark policy""
> Revert "UBUNTU: SAUCE: Fix-up af_unix mediation for sock infrastructure management"
> Revert "UBUNTU: SAUCE: LSM: Infrastructure management of the sock security"
> Revert "UBUNTU: SAUCE: apparmor: update flags to no longer be exclusive"
> Revert "UBUNTU: SAUCE: apparmor: add an apparmorfs entry to access current attrs"
> Revert "UBUNTU: SAUCE: Revert "apparmor: add the ability to get a task's secid""
> Revert "UBUNTU: SAUCE: Revert "apparmor: Add support for audit rule filtering""
> Revert "UBUNTU: SAUCE: Revert "apparmor: modify audit rule support to support profile stacks""
> Revert "UBUNTU: SAUCE: Revert "apparmor: fix bad debug check in apparmor_secid_to_secctx()""
> Revert "UBUNTU: SAUCE: Revert "apparmor: add #ifdef checks for secmark filtering""
> Revert "UBUNTU: SAUCE: Revert "apparmor: fix checkpatch error in Parse secmark policy""
> Revert "UBUNTU: SAUCE: Revert "apparmor: Fix warning about unused function apparmor_ipv6_postroute""
> UBUNTU: SAUCE: apparmor: drop prefixing abs root labels with '='
> UBUNTU: SAUCE: apparmor: disable showing the mode as part of a secid to secctx
> UBUNTU: SAUCE: apparmor: rename aa_sock() to aa_unix_sk()
> UBUNTU: SAUCE: apparmor: LSM stacking: switch from SK_CTX() to aa_sock()
>
> Documentation/security/lsm.rst | 28 ++
> drivers/android/binder.c | 26 +-
> fs/ceph/xattr.c | 6 +-
> fs/nfs/nfs4proc.c | 8 +-
> fs/nfsd/nfs4xdr.c | 20 +-
> fs/proc/base.c | 2 +
> include/linux/audit.h | 19 +-
> include/linux/cred.h | 3 +-
> include/linux/lsm_hooks.h | 35 ++-
> include/linux/security.h | 194 ++++++++++--
> include/net/af_unix.h | 2 +-
> include/net/netlabel.h | 10 +-
> include/net/scm.h | 15 +-
> include/net/xfrm.h | 4 +-
> include/uapi/linux/audit.h | 2 +
> kernel/audit.c | 173 ++++++++---
> kernel/audit.h | 9 +-
> kernel/auditfilter.c | 32 +-
> kernel/auditsc.c | 169 +++++++----
> kernel/cred.c | 12 +-
> net/ipv4/cipso_ipv4.c | 27 +-
> net/ipv4/ip_sockglue.c | 12 +-
> net/netfilter/nf_conntrack_netlink.c | 24 +-
> net/netfilter/nf_conntrack_standalone.c | 11 +-
> net/netfilter/nfnetlink_queue.c | 28 +-
> net/netfilter/nft_meta.c | 18 +-
> net/netfilter/xt_SECMARK.c | 9 +-
> net/netlabel/netlabel_kapi.c | 6 +-
> net/netlabel/netlabel_unlabeled.c | 98 +++---
> net/netlabel/netlabel_unlabeled.h | 2 +-
> net/netlabel/netlabel_user.c | 13 +-
> net/netlabel/netlabel_user.h | 2 +-
> net/unix/af_unix.c | 6 +-
> security/apparmor/af_unix.c | 8 +-
> security/apparmor/apparmorfs.c | 66 ----
> security/apparmor/audit.c | 90 +++++-
> security/apparmor/include/apparmor.h | 3 +-
> security/apparmor/include/apparmorfs.h | 3 -
> security/apparmor/include/audit.h | 5 +
> security/apparmor/include/label.h | 2 +-
> security/apparmor/include/net.h | 10 +
> security/apparmor/include/policy.h | 3 +
> security/apparmor/include/procattr.h | 2 +-
> security/apparmor/include/secid.h | 21 +-
> security/apparmor/label.c | 14 +-
> security/apparmor/lsm.c | 225 ++++++++++++--
> security/apparmor/net.c | 68 +++++
> security/apparmor/policy.c | 5 +-
> security/apparmor/policy_unpack.c | 67 ++++
> security/apparmor/procattr.c | 22 +-
> security/apparmor/secid.c | 152 ++++++++--
> security/bpf/hooks.c | 12 +-
> security/commoncap.c | 7 +-
> security/integrity/ima/ima.h | 13 +-
> security/integrity/ima/ima_api.c | 10 +-
> security/integrity/ima/ima_appraise.c | 6 +-
> security/integrity/ima/ima_main.c | 48 +--
> security/integrity/ima/ima_policy.c | 61 ++--
> security/integrity/integrity_audit.c | 2 +-
> security/loadpin/loadpin.c | 8 +-
> security/lockdown/lockdown.c | 7 +-
> security/safesetid/lsm.c | 8 +-
> security/security.c | 520 +++++++++++++++++++++++++++++---
> security/selinux/hooks.c | 27 +-
> security/selinux/include/classmap.h | 2 +-
> security/selinux/include/security.h | 1 +
> security/selinux/netlabel.c | 2 +-
> security/selinux/ss/services.c | 4 +-
> security/smack/smack.h | 1 +
> security/smack/smack_lsm.c | 19 +-
> security/smack/smackfs.c | 13 +-
> security/tomoyo/tomoyo.c | 8 +-
> security/yama/yama_lsm.c | 7 +-
> 73 files changed, 1984 insertions(+), 593 deletions(-)
>
>