BugLink: http://bugs.launchpad.net/bugs/1235977
The profile introspection seq file has a locking bug when policy is viewed
from a virtual root (task in a policy namespace, introspection from the
real root is not affected).
The test for root
while (parent) {
is correct for the real root, but incorrect for tasks in a policy namespace.
This allows the task to walk backup the policy tree past its virtual root
causing it to be unlocked before the virtual root should be in the p_stop
fn.
This results in the following lockdep back trace:
[ 78.479744] [ BUG: bad unlock balance detected! ]
[ 78.479792] 3.11.0-11-generic #17 Not tainted
[ 78.479838] -------------------------------------
[ 78.479885] grep/2223 is trying to release lock (&ns->lock) at:
[ 78.479952] [<ffffffff817bf3be>] mutex_unlock+0xe/0x10
[ 78.480002] but there are no more locks to release!
[ 78.480037]
[ 78.480037] other info that might help us debug this:
[ 78.480037] 1 lock held by grep/2223:
[ 78.480037] #0: (&p->lock){+.+.+.}, at: [<ffffffff812111bd>] seq_read+0x3d/0x3d0
[ 78.480037]
[ 78.480037] stack backtrace:
[ 78.480037] CPU: 0 PID: 2223 Comm: grep Not tainted 3.11.0-11-generic #17
[ 78.480037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 78.480037] ffffffff817bf3be ffff880007763d60 ffffffff817b97ef ffff8800189d2190
[ 78.480037] ffff880007763d88 ffffffff810e1c6e ffff88001f044730 ffff8800189d2190
[ 78.480037] ffffffff817bf3be ffff880007763e00 ffffffff810e5bd6 0000000724fe56b7
[ 78.480037] Call Trace:
[ 78.480037] [<ffffffff817bf3be>] ? mutex_unlock+0xe/0x10
[ 78.480037] [<ffffffff817b97ef>] dump_stack+0x54/0x74
[ 78.480037] [<ffffffff810e1c6e>] print_unlock_imbalance_bug+0xee/0x100
[ 78.480037] [<ffffffff817bf3be>] ? mutex_unlock+0xe/0x10
[ 78.480037] [<ffffffff810e5bd6>] lock_release_non_nested+0x226/0x300
[ 78.480037] [<ffffffff817bf2fe>] ? __mutex_unlock_slowpath+0xce/0x180
[ 78.480037] [<ffffffff817bf3be>] ? mutex_unlock+0xe/0x10
[ 78.480037] [<ffffffff810e5d5c>] lock_release+0xac/0x310
[ 78.480037] [<ffffffff817bf2b3>] __mutex_unlock_slowpath+0x83/0x180
[ 78.480037] [<ffffffff817bf3be>] mutex_unlock+0xe/0x10
[ 78.480037] [<ffffffff81376c91>] p_stop+0x51/0x90
[ 78.480037] [<ffffffff81211408>] seq_read+0x288/0x3d0
[ 78.480037] [<ffffffff811e9d9e>] vfs_read+0x9e/0x170
[ 78.480037] [<ffffffff811ea8cc>] SyS_read+0x4c/0xa0
[ 78.480037] [<ffffffff817ccc9d>] system_call_fastpath+0x1a/0x1f
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
BugLink: http://bugs.launchpad.net/bugs/1208988
dependency of: fix unix domain sockets to be mediated on connection
needed to fix sleep in atomic context
Dynamically allocating buffers to store the path lookup slows mediation
down, and may require being able to sleep or accept failure of buffer
allocation. Handling fd inheritance during committing_creds, and unix
domain sockets can't fail nor can it sleep to do an allocation, so it
requires having preallocated buffers.
So add support for preallocated buffers and convert everything that
can be to use them.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
BugLink: http://bugs.launchpad.net/bugs/1194127
This patch uses TRACE_EVENT to add tracepoints for the open(),
exec() and uselib() syscalls so that ureadahead can cheaply trace
the boot sequence to determine what to read to speed up the next.
It's not upstream because it will need to be rebased onto the syscall
trace events whenever that gets merged, and is a stop-gap.
Signed-off-by: Scott James Remnant <scott@ubuntu.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Andy Whitcroft <andy.whitcroft@canonical.com>
[apw@canonical.com: ported for 3.4]
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
This is a sync and squash to the apparmor 3 alpha 4 development snapshot
backported from 3.12. The set of patches in this squash are available
is the aa3.0-presquash branch of the dev tree.
Several of the patches in the squash have been submitted upstream.
Several more will be submitted soon, and other parts are still in
active review and development.
This squash will be updated to remove patches as they are pulled
into the upstream tree, and add new patches as they become available
to the stable apparmor dev branch.
In addition to the apparmor 3 sync this contains the backport patch
series for the 3.4 manta kernel
- apparmor: 3.10 backport revert no delay vfree()
- apparmor: 3.8 backport provide file_inode helper 496ad9aa
- apparmor: 3.6 backport revert uapi for capnames 43c422ed
- apparmor: 3.6 backport revert uapi for resnames 8a1ab315
- apparmor: 3.6 backport define kuid_t d2b31ca64
- apparmor: 3.6 backport kuid_t support for audit 2db81452
- apparmor: 3.6 backport remove const from sb_mount 808d4e3c
- apparmor: 3.4 backport revert file_mmap e5467859
- apparmor: 3.4 backport cap_mmap_addr d007794a
- apparmor: 3.4 backport fake no_new_privs 259e5e6c
- apparmor: 3.4 backport revert task audi_data 0972c74e
- apparmor: 3.4 backport alias file_open 83d49856
- UBUNTU: SAUCE: (no-up) apparmor: update config options
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
BugLink: http://bugs.launchpad.net/bugs/1210149
If binder cannot find the receiving task in the sender's namespace it
will default to a null PID which thus breaks communication in our
container-based scenario. This patch extends binder to first look in the
senders namespace and if unsuccesfull search in the global namespace.
Signed-off-by: Ricardo Mendoza <ricardo.mendoza@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Each mem=X option specified an _additional_ memory segment. This
cummulative behaviour prevents us from using mem=X to limit ram in play
during testing, especially where the bootloader is supplying the actual
memory of the device unconditionally. Allow the memory map to be reset
to empty via a '!' prefix.
BugLink: http://bugs.launchpad.net/bugs/1206835
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Testing shows that the deadline scheduler on the flash file system
performs slightly better than CFQ. It also consumes marginally less
power. So enable deadline by default.
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
This fixes a bug in the current apparmor3 alpha2 sync, where none root
users can not query whether the apparmor module is enabled. It has been
incorporated into the apparmor dev tree and will be integrated as part
of the next sync, at which point this patch will be reverted.
BugLink: http://bugs.launchpad.net/bugs/1199912
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Use this script, then when updating configs set everything to 'm'
that is possible, otherwise y (except for the one debug option)
for i in CONFIG_IP_NF_ CONFIG_IP6_NF_ CONFIG_NETFILTER_ CONFIG_NF_
do
sed -i '/'$i'.*set/d' debian.*/config/config.common.ubuntu
sed -i '/'$i'.*=y/d' debian.*/config/config.common.ubuntu
done
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
This is a squash of the following commits from the branch
v3.4-backport-of-apparmor3
Signed-off-by: John Johansen <john.johansen@canonical.com>
----------------------------------------------------------------
sync to Linux 3.10 apparmor
UBUNTU SAUCE: apparmor: sync apparmor3 dev snapshot
----------------------------------------------------------------
John Johansen (67):
apparmor: fix auditing of domain transition failures due to incomplete policy
apparmor: Remove -W1 warnings
apparmor: refactor profile mode macros
apparmor: fix error code to failure message mapping for name lookup
apparmor: add utility function to get an arbitrary tasks profile.
apparmor: add kvzalloc to handle zeroing for kvmalloc
apparmor: use common fn to clear task_context for domain transitions
apparmor: remove "permipc" command
apparmor: relax the restrictions on setting rlimits
apparmor: misc cleanup of match
apparmor: move perm defines into policy_unpack
apparmor: remove sid from profiles
apparmor: move the free_profile fn ahead of aa_alloc_profile
apparmor: reserve and mask off the top 8 bits of the base field
apparmor: fix the audit type table
apparmor: add a features/policy dir to interface
apparmor: Fix smatch warning in aa_remove_profiles
apparmor: fix sparse warnings
apparmor: localize getting the security context to a few macros
apparmor: fix setprocattr arg processing for onexec
apparmor: fix fully qualified name parsing
apparmor: enable users to query whether apparmor is enabled
apparmor: provide base for multiple profiles to be replaced at once
apparmor: convert profile lists to RCU based locking
apparmor: change how profile replacement update is done
apparmor: update how unconfined is handled
apparmor: fix namespace to be freeded via RCU
apparmor: rework namespace free path
apparmor: make free_profile available outside of policy.c
apparmor: allow setting any profile into the unconfined state
apparmor: provide the ability to boot with a default profile set on init
apparmor: fix fs extry display for default profile
apparmor: Add interface files for profiles and namespaces
FIX: collapse aa_fs_entry to a single entry instead of a null terminated array
apparmor: merge profile mode names
apparmor: fix the locking etc. in the new policy interface
apparmor: add an optional profile attachment string
apparmor: Add profile introspection file to interface
apparmor: update compatibility patch for RCU locking
FIX: more fixes to aafs/profiles file
apparmor: reuse name string from previous profile
apparmor: add basic support for implicit labeling of files
apparmor: directly free a label if it has not been added to a labelset
FIX: ensure label is only inserted if not already in tree
apparmor: baby step - now add labels to the labelset trees
FIX: ensure all profiles get added to the correct lists
apparmor: move replacedby to use labels instead of profiles
apparmor: introduce using labels from contexts
apparmor: add abilitiy to print labels and update interface to use
apparmor: rework auditing to use the label
apparmor: audit the profile and namespace for all messages
apparmor: treat each task as if the label can have mutiple entries
apparmor: use most recent label available, when possible.
apparmor: remove FLAG_MEDIATE_DELETED
apparmor: move aa_label_insert
apparmor: add a log fn to generate log message for each profile in a label
apparmor: add helper for getting the newest profile
apparmor: add the ability to create a new label based on merging 2 labels
apparmor: invalidate compound labels, and replace
apparmor: set up base labeling on sockets
apparmor: Add the ability to mediate mount
apparmor: convert mount to label instead of profile
apparmor: treat mount as if each task may have multi-profile labels
apparmor: implement profile-based query interface in apparmorfs
apparmor: update profile permission query interface to use labels
apparmor: fix returning -einval when should be no perms on query interface
apparmor: add a features/dbus dir to securityfs interface
security/apparmor/.gitignore | 1 +
security/apparmor/Kconfig | 35 ++
security/apparmor/Makefile | 42 ++-
security/apparmor/apparmorfs.c | 757 +++++++++++++++++++++++++++++++++++++-
security/apparmor/audit.c | 30 +-
security/apparmor/context.c | 122 ++++---
security/apparmor/domain.c | 123 ++++---
security/apparmor/file.c | 173 +++++----
security/apparmor/include/apparmor.h | 58 ++-
security/apparmor/include/apparmorfs.h | 39 ++
security/apparmor/include/audit.h | 21 +-
security/apparmor/include/context.h | 158 +++++---
security/apparmor/include/domain.h | 2 +
security/apparmor/include/file.h | 23 +-
security/apparmor/include/ipc.h | 4 +-
security/apparmor/include/label.h | 325 +++++++++++++++++
security/apparmor/include/match.h | 21 +-
security/apparmor/include/mount.h | 54 +++
security/apparmor/include/net.h | 54 +++
security/apparmor/include/path.h | 2 +-
security/apparmor/include/policy.h | 214 ++++++-----
security/apparmor/include/policy_unpack.h | 21 +-
security/apparmor/include/procattr.h | 3 +-
security/apparmor/include/resource.h | 4 +-
security/apparmor/include/sid.h | 4 +-
security/apparmor/ipc.c | 48 +--
security/apparmor/label.c | 1626 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
security/apparmor/lib.c | 37 +-
security/apparmor/lsm.c | 645 ++++++++++++++++++++++++++++-----
security/apparmor/match.c | 23 +-
security/apparmor/mount.c | 704 ++++++++++++++++++++++++++++++++++++
security/apparmor/net.c | 169 +++++++++
security/apparmor/path.c | 2 +-
security/apparmor/policy.c | 871 +++++++++++++++++++++++++++-----------------
security/apparmor/policy_unpack.c | 188 ++++++++--
security/apparmor/procattr.c | 57 +--
security/apparmor/resource.c | 91 +++--
37 files changed, 5790 insertions(+), 961 deletions(-)
create mode 100644 security/apparmor/include/label.h
create mode 100644 security/apparmor/include/mount.h
create mode 100644 security/apparmor/include/net.h
create mode 100644 security/apparmor/label.c
create mode 100644 security/apparmor/mount.c
create mode 100644 security/apparmor/net.c
UBUNTU SAUCE: apparmor: 3.8 backport provide file_inode helper 496ad9aa
support changes from commit 496ad9aa8ef448058e36ca7a787c61f2e63f0f54
UBUNTU SAUCE: apparmor: 3.6 backport revert uapi for capnames 43c422ed
partial revert of 43c422eda99b894f18d1cca17bcd2401efaf7bd0
UBUNTU SAUCE: apparmor: 3.6 backport revert uapi for resnames 8a1ab315
partial revert 8a1ab3155c2ac7fbe5f2038d6e26efeb607a1498
UBUNTU SAUCE: apparmor: 3.6 backport define kuid_t d2b31ca64
support changes from commit d2b31ca644fdc8704de3367a6a56a5c958c77f53
UBUNTU SAUCE: apparmor: 3.6 backport kuid_t support for audit 2db81452
support changes from commit 2db81452931eb51cc739d6e495cf1bd4860c3c99
UBUNTU SAUCE: apparmor: 3.6 backport remove const from sb_mount 808d4e3c
partial revert of 808d4e3cfdcc52b19276175464f6dbca4df13b09
UBUNTU SAUCE: apparmor: 3.4 backport revert file_mmap e5467859
partial revert of e5467859f7f79b69fc49004403009dfdba3bec53
UBUNTU SAUCE: apparmor: 3.4 backport cap_mmap_addr d007794a
support changes from d007794a182bc072a7b7479909dbd0d67ba341be
UBUNTU SAUCE: apparmor: 3.4 backport fake no_new_privs 259e5e6c
support interface from 259e5e6c75a910f3b5e656151dc602f53f9d7548
c29bceb3967398cf2ac8bf8edf9634fdb722df7d
UBUNTU SAUCE: apparmor: 3.4 backport alias file_open 83d49856
add support for 83d498569e9a7a4b92c4c5d3566f2d6a604f28c9
