[Groovy][PULL] LSM stacking


[Groovy][PULL] LSM stacking

John Johansen-2
This is a refresh to v20 of the LSM stacking patches for groovy.

It reverts several of the previous reverts (feel free to drop original revert and following revert or the revert). And then adds a couple of patches to prep for the newer LSM stacking patches and adds some fixes to apparmor's support of audit rules.

This series is required to fix lp1898280

BugLink: http://bugs.launchpad.net/bugs/1898280



The following changes since commit aaaa95814cb615cf585e8865036787d1e7fa45c1:

  UBUNTU: Ubuntu-5.8.0-20.21 (2020-09-22 15:13:52 -0500)

are available in the Git repository at:

  https://git.launchpad.net/~jjohansen/+git/groovy-lsm-stacking lsm-stacking

for you to fetch changes up to a8479652ad88e279b0fde9cf90ca059e65b3ec39:

  UBUNTU: SAUCE: Audit: Fix for missing NULL check (2020-10-06 19:27:57 -0700)

----------------------------------------------------------------
Casey Schaufler (24):
      UBUNTU: SAUCE: LSM: Infrastructure management of the sock security
      UBUNTU: SAUCE: LSM: Create and manage the lsmblob data structure.
      UBUNTU: SAUCE: LSM: Use lsmblob in security_audit_rule_match
      UBUNTU: SAUCE: LSM: Use lsmblob in security_kernel_act_as
      UBUNTU: SAUCE: net: Prepare UDS for security module stacking
      UBUNTU: SAUCE: LSM: Use lsmblob in security_secctx_to_secid
      UBUNTU: SAUCE: LSM: Use lsmblob in security_secid_to_secctx
      UBUNTU: SAUCE: LSM: Use lsmblob in security_ipc_getsecid
      UBUNTU: SAUCE: LSM: Use lsmblob in security_task_getsecid
      UBUNTU: SAUCE: LSM: Use lsmblob in security_inode_getsecid
      UBUNTU: SAUCE: LSM: Use lsmblob in security_cred_getsecid
      UBUNTU: SAUCE: IMA: Change internal interfaces to use lsmblobs
      UBUNTU: SAUCE: LSM: Specify which LSM to display
      UBUNTU: SAUCE: LSM: Ensure the correct LSM context releaser
      UBUNTU: SAUCE: LSM: Use lsmcontext in security_secid_to_secctx
      UBUNTU: SAUCE: LSM: Use lsmcontext in security_inode_getsecctx
      UBUNTU: SAUCE: LSM: security_secid_to_secctx in netlink netfilter
      UBUNTU: SAUCE: NET: Store LSM netlabel data in a lsmblob
      UBUNTU: SAUCE: LSM: Verify LSM display sanity in binder
      UBUNTU: SAUCE: Audit: Add new record for multiple process LSM attributes
      UBUNTU: SAUCE: Audit: Add a new record for multiple object LSM  attributes
      UBUNTU: SAUCE: LSM: Add /proc attr entry for full LSM context
      UBUNTU: SAUCE: AppArmor: Remove the exclusive flag
      UBUNTU: SAUCE: Audit: Fix for missing NULL check

John Johansen (21):
      Revert "UBUNTU: SAUCE: Revert "apparmor: add support for mapping secids and using secctxes""
      Revert "UBUNTU: SAUCE: Revert "apparmor: Use an IDR to allocate apparmor secids""
      Revert "UBUNTU: SAUCE: Revert "apparmor: fixup secid map conversion to using IDR""
      Revert "UBUNTU: SAUCE: Revert "apparmor: Add a wildcard secid""
      Revert "UBUNTU: SAUCE: Revert "apparmor: Parse secmark policy""
      Revert "UBUNTU: SAUCE: Revert "apparmor: Allow filtering based on secmark policy""
      Revert "UBUNTU: SAUCE: Fix-up af_unix mediation for sock infrastructure management"
      Revert "UBUNTU: SAUCE: LSM: Infrastructure management of the sock security"
      Revert "UBUNTU: SAUCE: apparmor: update flags to no longer be exclusive"
      Revert "UBUNTU: SAUCE: apparmor: add an apparmorfs entry to access current attrs"
      Revert "UBUNTU: SAUCE: Revert "apparmor: add the ability to get a task's secid""
      Revert "UBUNTU: SAUCE: Revert "apparmor: Add support for audit rule filtering""
      Revert "UBUNTU: SAUCE: Revert "apparmor: modify audit rule support to support profile stacks""
      Revert "UBUNTU: SAUCE: Revert "apparmor: fix bad debug check in apparmor_secid_to_secctx()""
      Revert "UBUNTU: SAUCE: Revert "apparmor: add #ifdef checks for secmark filtering""
      Revert "UBUNTU: SAUCE: Revert "apparmor: fix checkpatch error in Parse secmark policy""
      Revert "UBUNTU: SAUCE: Revert "apparmor: Fix warning about unused function apparmor_ipv6_postroute""
      UBUNTU: SAUCE: apparmor: drop prefixing abs root labels with '='
      UBUNTU: SAUCE: apparmor: disable showing the mode as part of a secid to secctx
      UBUNTU: SAUCE: apparmor: rename aa_sock() to aa_unix_sk()
      UBUNTU: SAUCE: apparmor: LSM stacking: switch from SK_CTX() to aa_sock()

 Documentation/security/lsm.rst          |  28 ++
 drivers/android/binder.c                |  26 +-
 fs/ceph/xattr.c                         |   6 +-
 fs/nfs/nfs4proc.c                       |   8 +-
 fs/nfsd/nfs4xdr.c                       |  20 +-
 fs/proc/base.c                          |   2 +
 include/linux/audit.h                   |  19 +-
 include/linux/cred.h                    |   3 +-
 include/linux/lsm_hooks.h               |  35 ++-
 include/linux/security.h                | 194 ++++++++++--
 include/net/af_unix.h                   |   2 +-
 include/net/netlabel.h                  |  10 +-
 include/net/scm.h                       |  15 +-
 include/net/xfrm.h                      |   4 +-
 include/uapi/linux/audit.h              |   2 +
 kernel/audit.c                          | 173 ++++++++---
 kernel/audit.h                          |   9 +-
 kernel/auditfilter.c                    |  32 +-
 kernel/auditsc.c                        | 169 +++++++----
 kernel/cred.c                           |  12 +-
 net/ipv4/cipso_ipv4.c                   |  27 +-
 net/ipv4/ip_sockglue.c                  |  12 +-
 net/netfilter/nf_conntrack_netlink.c    |  24 +-
 net/netfilter/nf_conntrack_standalone.c |  11 +-
 net/netfilter/nfnetlink_queue.c         |  28 +-
 net/netfilter/nft_meta.c                |  18 +-
 net/netfilter/xt_SECMARK.c              |   9 +-
 net/netlabel/netlabel_kapi.c            |   6 +-
 net/netlabel/netlabel_unlabeled.c       |  98 +++---
 net/netlabel/netlabel_unlabeled.h       |   2 +-
 net/netlabel/netlabel_user.c            |  13 +-
 net/netlabel/netlabel_user.h            |   2 +-
 net/unix/af_unix.c                      |   6 +-
 security/apparmor/af_unix.c             |   8 +-
 security/apparmor/apparmorfs.c          |  66 ----
 security/apparmor/audit.c               |  90 +++++-
 security/apparmor/include/apparmor.h    |   3 +-
 security/apparmor/include/apparmorfs.h  |   3 -
 security/apparmor/include/audit.h       |   5 +
 security/apparmor/include/label.h       |   2 +-
 security/apparmor/include/net.h         |  10 +
 security/apparmor/include/policy.h      |   3 +
 security/apparmor/include/procattr.h    |   2 +-
 security/apparmor/include/secid.h       |  21 +-
 security/apparmor/label.c               |  14 +-
 security/apparmor/lsm.c                 | 225 ++++++++++++--
 security/apparmor/net.c                 |  68 +++++
 security/apparmor/policy.c              |   5 +-
 security/apparmor/policy_unpack.c       |  67 ++++
 security/apparmor/procattr.c            |  22 +-
 security/apparmor/secid.c               | 152 ++++++++--
 security/bpf/hooks.c                    |  12 +-
 security/commoncap.c                    |   7 +-
 security/integrity/ima/ima.h            |  13 +-
 security/integrity/ima/ima_api.c        |  10 +-
 security/integrity/ima/ima_appraise.c   |   6 +-
 security/integrity/ima/ima_main.c       |  48 +--
 security/integrity/ima/ima_policy.c     |  61 ++--
 security/integrity/integrity_audit.c    |   2 +-
 security/loadpin/loadpin.c              |   8 +-
 security/lockdown/lockdown.c            |   7 +-
 security/safesetid/lsm.c                |   8 +-
 security/security.c                     | 520 +++++++++++++++++++++++++++++---
 security/selinux/hooks.c                |  27 +-
 security/selinux/include/classmap.h     |   2 +-
 security/selinux/include/security.h     |   1 +
 security/selinux/netlabel.c             |   2 +-
 security/selinux/ss/services.c          |   4 +-
 security/smack/smack.h                  |   1 +
 security/smack/smack_lsm.c              |  19 +-
 security/smack/smackfs.c                |  13 +-
 security/tomoyo/tomoyo.c                |   8 +-
 security/yama/yama_lsm.c                |   7 +-
 73 files changed, 1984 insertions(+), 593 deletions(-)


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

Re: [Groovy][PULL] LSM stacking

Stefan Bader-2
On 07.10.20 08:08, John Johansen wrote:
> This is a refresh to v20 of the LSM stacking patches for groovy.
>
> It reverts several of the previous reverts (feel free to drop original revert and following revert or the revert). And then adds a couple of patches to prep for the newer LSM stacking patches and adds some fixes to apparmor's support of audit rules.
>
> This series is required to fix lp1898280
>
> BugLink: http://bugs.launchpad.net/bugs/1898280

Is it Groundhog day... again?


>
>
>
> The following changes since commit aaaa95814cb615cf585e8865036787d1e7fa45c1:
>
>   UBUNTU: Ubuntu-5.8.0-20.21 (2020-09-22 15:13:52 -0500)
>
> are available in the Git repository at:
>
>   https://git.launchpad.net/~jjohansen/+git/groovy-lsm-stacking lsm-stacking
>
> for you to fetch changes up to a8479652ad88e279b0fde9cf90ca059e65b3ec39:
>
>   UBUNTU: SAUCE: Audit: Fix for missing NULL check (2020-10-06 19:27:57 -0700)
>
> ----------------------------------------------------------------
> Casey Schaufler (24):
>       UBUNTU: SAUCE: LSM: Infrastructure management of the sock security
>       UBUNTU: SAUCE: LSM: Create and manage the lsmblob data structure.
>       UBUNTU: SAUCE: LSM: Use lsmblob in security_audit_rule_match
>       UBUNTU: SAUCE: LSM: Use lsmblob in security_kernel_act_as
>       UBUNTU: SAUCE: net: Prepare UDS for security module stacking
>       UBUNTU: SAUCE: LSM: Use lsmblob in security_secctx_to_secid
>       UBUNTU: SAUCE: LSM: Use lsmblob in security_secid_to_secctx
>       UBUNTU: SAUCE: LSM: Use lsmblob in security_ipc_getsecid
>       UBUNTU: SAUCE: LSM: Use lsmblob in security_task_getsecid
>       UBUNTU: SAUCE: LSM: Use lsmblob in security_inode_getsecid
>       UBUNTU: SAUCE: LSM: Use lsmblob in security_cred_getsecid
>       UBUNTU: SAUCE: IMA: Change internal interfaces to use lsmblobs
>       UBUNTU: SAUCE: LSM: Specify which LSM to display
>       UBUNTU: SAUCE: LSM: Ensure the correct LSM context releaser
>       UBUNTU: SAUCE: LSM: Use lsmcontext in security_secid_to_secctx
>       UBUNTU: SAUCE: LSM: Use lsmcontext in security_inode_getsecctx
>       UBUNTU: SAUCE: LSM: security_secid_to_secctx in netlink netfilter
>       UBUNTU: SAUCE: NET: Store LSM netlabel data in a lsmblob
>       UBUNTU: SAUCE: LSM: Verify LSM display sanity in binder
>       UBUNTU: SAUCE: Audit: Add new record for multiple process LSM attributes
>       UBUNTU: SAUCE: Audit: Add a new record for multiple object LSM  attributes
>       UBUNTU: SAUCE: LSM: Add /proc attr entry for full LSM context
>       UBUNTU: SAUCE: AppArmor: Remove the exclusive flag
>       UBUNTU: SAUCE: Audit: Fix for missing NULL check
>
> John Johansen (21):
>       Revert "UBUNTU: SAUCE: Revert "apparmor: add support for mapping secids and using secctxes""
>       Revert "UBUNTU: SAUCE: Revert "apparmor: Use an IDR to allocate apparmor secids""
>       Revert "UBUNTU: SAUCE: Revert "apparmor: fixup secid map conversion to using IDR""
>       Revert "UBUNTU: SAUCE: Revert "apparmor: Add a wildcard secid""
>       Revert "UBUNTU: SAUCE: Revert "apparmor: Parse secmark policy""
>       Revert "UBUNTU: SAUCE: Revert "apparmor: Allow filtering based on secmark policy""
>       Revert "UBUNTU: SAUCE: Fix-up af_unix mediation for sock infrastructure management"
>       Revert "UBUNTU: SAUCE: LSM: Infrastructure management of the sock security"
>       Revert "UBUNTU: SAUCE: apparmor: update flags to no longer be exclusive"
>       Revert "UBUNTU: SAUCE: apparmor: add an apparmorfs entry to access current attrs"
>       Revert "UBUNTU: SAUCE: Revert "apparmor: add the ability to get a task's secid""
>       Revert "UBUNTU: SAUCE: Revert "apparmor: Add support for audit rule filtering""
>       Revert "UBUNTU: SAUCE: Revert "apparmor: modify audit rule support to support profile stacks""
>       Revert "UBUNTU: SAUCE: Revert "apparmor: fix bad debug check in apparmor_secid_to_secctx()""
>       Revert "UBUNTU: SAUCE: Revert "apparmor: add #ifdef checks for secmark filtering""
>       Revert "UBUNTU: SAUCE: Revert "apparmor: fix checkpatch error in Parse secmark policy""
>       Revert "UBUNTU: SAUCE: Revert "apparmor: Fix warning about unused function apparmor_ipv6_postroute""
>       UBUNTU: SAUCE: apparmor: drop prefixing abs root labels with '='
>       UBUNTU: SAUCE: apparmor: disable showing the mode as part of a secid to secctx
>       UBUNTU: SAUCE: apparmor: rename aa_sock() to aa_unix_sk()
>       UBUNTU: SAUCE: apparmor: LSM stacking: switch from SK_CTX() to aa_sock()
>
>  Documentation/security/lsm.rst          |  28 ++
>  drivers/android/binder.c                |  26 +-
>  fs/ceph/xattr.c                         |   6 +-
>  fs/nfs/nfs4proc.c                       |   8 +-
>  fs/nfsd/nfs4xdr.c                       |  20 +-
>  fs/proc/base.c                          |   2 +
>  include/linux/audit.h                   |  19 +-
>  include/linux/cred.h                    |   3 +-
>  include/linux/lsm_hooks.h               |  35 ++-
>  include/linux/security.h                | 194 ++++++++++--
>  include/net/af_unix.h                   |   2 +-
>  include/net/netlabel.h                  |  10 +-
>  include/net/scm.h                       |  15 +-
>  include/net/xfrm.h                      |   4 +-
>  include/uapi/linux/audit.h              |   2 +
>  kernel/audit.c                          | 173 ++++++++---
>  kernel/audit.h                          |   9 +-
>  kernel/auditfilter.c                    |  32 +-
>  kernel/auditsc.c                        | 169 +++++++----
>  kernel/cred.c                           |  12 +-
>  net/ipv4/cipso_ipv4.c                   |  27 +-
>  net/ipv4/ip_sockglue.c                  |  12 +-
>  net/netfilter/nf_conntrack_netlink.c    |  24 +-
>  net/netfilter/nf_conntrack_standalone.c |  11 +-
>  net/netfilter/nfnetlink_queue.c         |  28 +-
>  net/netfilter/nft_meta.c                |  18 +-
>  net/netfilter/xt_SECMARK.c              |   9 +-
>  net/netlabel/netlabel_kapi.c            |   6 +-
>  net/netlabel/netlabel_unlabeled.c       |  98 +++---
>  net/netlabel/netlabel_unlabeled.h       |   2 +-
>  net/netlabel/netlabel_user.c            |  13 +-
>  net/netlabel/netlabel_user.h            |   2 +-
>  net/unix/af_unix.c                      |   6 +-
>  security/apparmor/af_unix.c             |   8 +-
>  security/apparmor/apparmorfs.c          |  66 ----
>  security/apparmor/audit.c               |  90 +++++-
>  security/apparmor/include/apparmor.h    |   3 +-
>  security/apparmor/include/apparmorfs.h  |   3 -
>  security/apparmor/include/audit.h       |   5 +
>  security/apparmor/include/label.h       |   2 +-
>  security/apparmor/include/net.h         |  10 +
>  security/apparmor/include/policy.h      |   3 +
>  security/apparmor/include/procattr.h    |   2 +-
>  security/apparmor/include/secid.h       |  21 +-
>  security/apparmor/label.c               |  14 +-
>  security/apparmor/lsm.c                 | 225 ++++++++++++--
>  security/apparmor/net.c                 |  68 +++++
>  security/apparmor/policy.c              |   5 +-
>  security/apparmor/policy_unpack.c       |  67 ++++
>  security/apparmor/procattr.c            |  22 +-
>  security/apparmor/secid.c               | 152 ++++++++--
>  security/bpf/hooks.c                    |  12 +-
>  security/commoncap.c                    |   7 +-
>  security/integrity/ima/ima.h            |  13 +-
>  security/integrity/ima/ima_api.c        |  10 +-
>  security/integrity/ima/ima_appraise.c   |   6 +-
>  security/integrity/ima/ima_main.c       |  48 +--
>  security/integrity/ima/ima_policy.c     |  61 ++--
>  security/integrity/integrity_audit.c    |   2 +-
>  security/loadpin/loadpin.c              |   8 +-
>  security/lockdown/lockdown.c            |   7 +-
>  security/safesetid/lsm.c                |   8 +-
>  security/security.c                     | 520 +++++++++++++++++++++++++++++---
>  security/selinux/hooks.c                |  27 +-
>  security/selinux/include/classmap.h     |   2 +-
>  security/selinux/include/security.h     |   1 +
>  security/selinux/netlabel.c             |   2 +-
>  security/selinux/ss/services.c          |   4 +-
>  security/smack/smack.h                  |   1 +
>  security/smack/smack_lsm.c              |  19 +-
>  security/smack/smackfs.c                |  13 +-
>  security/tomoyo/tomoyo.c                |   8 +-
>  security/yama/yama_lsm.c                |   7 +-
>  73 files changed, 1984 insertions(+), 593 deletions(-)
>
>



ACK/Cmnt: [Groovy][PULL] LSM stacking

Andrea Righi
In reply to this post by John Johansen-2
On Tue, Oct 06, 2020 at 11:08:24PM -0700, John Johansen wrote:
> This is a refresh to v20 of the LSM stacking patches for groovy.
>
> It reverts several of the previous reverts (feel free to drop original revert and following revert or the revert). And then adds a couple of patches to prep for the newer LSM stacking patches and adds some fixes to apparmor's support of audit rules.
>
> This series is required to fix lp1898280
>
> BugLink: http://bugs.launchpad.net/bugs/1898280

It's quite difficult to review all the details of this large patch set.
Overall it makes sense to me and I successfully test-built & booted on a
VM, therefore:

Acked-by: Andrea Righi <[hidden email]>

>
>
>
> The following changes since commit aaaa95814cb615cf585e8865036787d1e7fa45c1:
>
>   UBUNTU: Ubuntu-5.8.0-20.21 (2020-09-22 15:13:52 -0500)
>
> are available in the Git repository at:
>
>   https://git.launchpad.net/~jjohansen/+git/groovy-lsm-stacking lsm-stacking
>
> for you to fetch changes up to a8479652ad88e279b0fde9cf90ca059e65b3ec39:
>
>   UBUNTU: SAUCE: Audit: Fix for missing NULL check (2020-10-06 19:27:57 -0700)
>
> ----------------------------------------------------------------
> Casey Schaufler (24):
>       UBUNTU: SAUCE: LSM: Infrastructure management of the sock security
>       UBUNTU: SAUCE: LSM: Create and manage the lsmblob data structure.
>       UBUNTU: SAUCE: LSM: Use lsmblob in security_audit_rule_match
>       UBUNTU: SAUCE: LSM: Use lsmblob in security_kernel_act_as
>       UBUNTU: SAUCE: net: Prepare UDS for security module stacking
>       UBUNTU: SAUCE: LSM: Use lsmblob in security_secctx_to_secid
>       UBUNTU: SAUCE: LSM: Use lsmblob in security_secid_to_secctx
>       UBUNTU: SAUCE: LSM: Use lsmblob in security_ipc_getsecid
>       UBUNTU: SAUCE: LSM: Use lsmblob in security_task_getsecid
>       UBUNTU: SAUCE: LSM: Use lsmblob in security_inode_getsecid
>       UBUNTU: SAUCE: LSM: Use lsmblob in security_cred_getsecid
>       UBUNTU: SAUCE: IMA: Change internal interfaces to use lsmblobs
>       UBUNTU: SAUCE: LSM: Specify which LSM to display
>       UBUNTU: SAUCE: LSM: Ensure the correct LSM context releaser
>       UBUNTU: SAUCE: LSM: Use lsmcontext in security_secid_to_secctx
>       UBUNTU: SAUCE: LSM: Use lsmcontext in security_inode_getsecctx
>       UBUNTU: SAUCE: LSM: security_secid_to_secctx in netlink netfilter
>       UBUNTU: SAUCE: NET: Store LSM netlabel data in a lsmblob
>       UBUNTU: SAUCE: LSM: Verify LSM display sanity in binder
>       UBUNTU: SAUCE: Audit: Add new record for multiple process LSM attributes
>       UBUNTU: SAUCE: Audit: Add a new record for multiple object LSM  attributes
>       UBUNTU: SAUCE: LSM: Add /proc attr entry for full LSM context
>       UBUNTU: SAUCE: AppArmor: Remove the exclusive flag
>       UBUNTU: SAUCE: Audit: Fix for missing NULL check
>
> John Johansen (21):
>       Revert "UBUNTU: SAUCE: Revert "apparmor: add support for mapping secids and using secctxes""
>       Revert "UBUNTU: SAUCE: Revert "apparmor: Use an IDR to allocate apparmor secids""
>       Revert "UBUNTU: SAUCE: Revert "apparmor: fixup secid map conversion to using IDR""
>       Revert "UBUNTU: SAUCE: Revert "apparmor: Add a wildcard secid""
>       Revert "UBUNTU: SAUCE: Revert "apparmor: Parse secmark policy""
>       Revert "UBUNTU: SAUCE: Revert "apparmor: Allow filtering based on secmark policy""
>       Revert "UBUNTU: SAUCE: Fix-up af_unix mediation for sock infrastructure management"
>       Revert "UBUNTU: SAUCE: LSM: Infrastructure management of the sock security"
>       Revert "UBUNTU: SAUCE: apparmor: update flags to no longer be exclusive"
>       Revert "UBUNTU: SAUCE: apparmor: add an apparmorfs entry to access current attrs"
>       Revert "UBUNTU: SAUCE: Revert "apparmor: add the ability to get a task's secid""
>       Revert "UBUNTU: SAUCE: Revert "apparmor: Add support for audit rule filtering""
>       Revert "UBUNTU: SAUCE: Revert "apparmor: modify audit rule support to support profile stacks""
>       Revert "UBUNTU: SAUCE: Revert "apparmor: fix bad debug check in apparmor_secid_to_secctx()""
>       Revert "UBUNTU: SAUCE: Revert "apparmor: add #ifdef checks for secmark filtering""
>       Revert "UBUNTU: SAUCE: Revert "apparmor: fix checkpatch error in Parse secmark policy""
>       Revert "UBUNTU: SAUCE: Revert "apparmor: Fix warning about unused function apparmor_ipv6_postroute""
>       UBUNTU: SAUCE: apparmor: drop prefixing abs root labels with '='
>       UBUNTU: SAUCE: apparmor: disable showing the mode as part of a secid to secctx
>       UBUNTU: SAUCE: apparmor: rename aa_sock() to aa_unix_sk()
>       UBUNTU: SAUCE: apparmor: LSM stacking: switch from SK_CTX() to aa_sock()
>
>  Documentation/security/lsm.rst          |  28 ++
>  drivers/android/binder.c                |  26 +-
>  fs/ceph/xattr.c                         |   6 +-
>  fs/nfs/nfs4proc.c                       |   8 +-
>  fs/nfsd/nfs4xdr.c                       |  20 +-
>  fs/proc/base.c                          |   2 +
>  include/linux/audit.h                   |  19 +-
>  include/linux/cred.h                    |   3 +-
>  include/linux/lsm_hooks.h               |  35 ++-
>  include/linux/security.h                | 194 ++++++++++--
>  include/net/af_unix.h                   |   2 +-
>  include/net/netlabel.h                  |  10 +-
>  include/net/scm.h                       |  15 +-
>  include/net/xfrm.h                      |   4 +-
>  include/uapi/linux/audit.h              |   2 +
>  kernel/audit.c                          | 173 ++++++++---
>  kernel/audit.h                          |   9 +-
>  kernel/auditfilter.c                    |  32 +-
>  kernel/auditsc.c                        | 169 +++++++----
>  kernel/cred.c                           |  12 +-
>  net/ipv4/cipso_ipv4.c                   |  27 +-
>  net/ipv4/ip_sockglue.c                  |  12 +-
>  net/netfilter/nf_conntrack_netlink.c    |  24 +-
>  net/netfilter/nf_conntrack_standalone.c |  11 +-
>  net/netfilter/nfnetlink_queue.c         |  28 +-
>  net/netfilter/nft_meta.c                |  18 +-
>  net/netfilter/xt_SECMARK.c              |   9 +-
>  net/netlabel/netlabel_kapi.c            |   6 +-
>  net/netlabel/netlabel_unlabeled.c       |  98 +++---
>  net/netlabel/netlabel_unlabeled.h       |   2 +-
>  net/netlabel/netlabel_user.c            |  13 +-
>  net/netlabel/netlabel_user.h            |   2 +-
>  net/unix/af_unix.c                      |   6 +-
>  security/apparmor/af_unix.c             |   8 +-
>  security/apparmor/apparmorfs.c          |  66 ----
>  security/apparmor/audit.c               |  90 +++++-
>  security/apparmor/include/apparmor.h    |   3 +-
>  security/apparmor/include/apparmorfs.h  |   3 -
>  security/apparmor/include/audit.h       |   5 +
>  security/apparmor/include/label.h       |   2 +-
>  security/apparmor/include/net.h         |  10 +
>  security/apparmor/include/policy.h      |   3 +
>  security/apparmor/include/procattr.h    |   2 +-
>  security/apparmor/include/secid.h       |  21 +-
>  security/apparmor/label.c               |  14 +-
>  security/apparmor/lsm.c                 | 225 ++++++++++++--
>  security/apparmor/net.c                 |  68 +++++
>  security/apparmor/policy.c              |   5 +-
>  security/apparmor/policy_unpack.c       |  67 ++++
>  security/apparmor/procattr.c            |  22 +-
>  security/apparmor/secid.c               | 152 ++++++++--
>  security/bpf/hooks.c                    |  12 +-
>  security/commoncap.c                    |   7 +-
>  security/integrity/ima/ima.h            |  13 +-
>  security/integrity/ima/ima_api.c        |  10 +-
>  security/integrity/ima/ima_appraise.c   |   6 +-
>  security/integrity/ima/ima_main.c       |  48 +--
>  security/integrity/ima/ima_policy.c     |  61 ++--
>  security/integrity/integrity_audit.c    |   2 +-
>  security/loadpin/loadpin.c              |   8 +-
>  security/lockdown/lockdown.c            |   7 +-
>  security/safesetid/lsm.c                |   8 +-
>  security/security.c                     | 520 +++++++++++++++++++++++++++++---
>  security/selinux/hooks.c                |  27 +-
>  security/selinux/include/classmap.h     |   2 +-
>  security/selinux/include/security.h     |   1 +
>  security/selinux/netlabel.c             |   2 +-
>  security/selinux/ss/services.c          |   4 +-
>  security/smack/smack.h                  |   1 +
>  security/smack/smack_lsm.c              |  19 +-
>  security/smack/smackfs.c                |  13 +-
>  security/tomoyo/tomoyo.c                |   8 +-
>  security/yama/yama_lsm.c                |   7 +-
>  73 files changed, 1984 insertions(+), 593 deletions(-)
>
>
> --
> kernel-team mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/kernel-team


APPLIED: [Groovy][PULL] LSM stacking

Seth Forshee
In reply to this post by John Johansen-2
On Tue, Oct 06, 2020 at 11:08:24PM -0700, John Johansen wrote:

> This is a refresh to v20 of the LSM stacking patches for groovy.
>
> It reverts several of the previous reverts (feel free to drop original revert and following revert or the revert). And then adds a couple of patches to prep for the newer LSM stacking patches and adds some fixes to apparmor's support of audit rules.
>
> This series is required to fix lp1898280
>
> BugLink: http://bugs.launchpad.net/bugs/1898280
>
>
>
> The following changes since commit aaaa95814cb615cf585e8865036787d1e7fa45c1:
>
>   UBUNTU: Ubuntu-5.8.0-20.21 (2020-09-22 15:13:52 -0500)
>
> are available in the Git repository at:
>
>   https://git.launchpad.net/~jjohansen/+git/groovy-lsm-stacking lsm-stacking
>
> for you to fetch changes up to a8479652ad88e279b0fde9cf90ca059e65b3ec39:
>
>   UBUNTU: SAUCE: Audit: Fix for missing NULL check (2020-10-06 19:27:57 -0700)

Applied to groovy/master-next, thanks!
