Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v6.5.5 2023-07-07T16:55:31Z 2023-07-07T16:55:31Z Linus Torvalds torvalds@linux-foundation.org 2023-07-07T16:55:31Z urn:sha1:70806ee18a871140a73a2524a29865e1d904348c Pull apparmor updates from John Johansen: - fix missing error check for rhashtable_insert_fast - add missing failure check in compute_xmatch_perms - fix policy_compat permission remap with extended permissions - fix profile verification and enable it - fix kzalloc perms tables for shared dfas - Fix kernel-doc header for verify_dfa_accept_index - aa_buffer: Convert 1-element array to flexible array - Return directly after a failed kzalloc() in two functions - fix use of strcpy in policy_unpack_test - fix kernel-doc complaints - Fix some kernel-doc comments * tag 'apparmor-pr-2023-07-06' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: apparmor: Fix kernel-doc header for verify_dfa_accept_index apparmor: fix: kzalloc perms tables for shared dfas apparmor: fix profile verification and enable it apparmor: fix policy_compat permission remap with extended permissions apparmor: aa_buffer: Convert 1-element array to flexible array apparmor: add missing failure check in compute_xmatch_perms apparmor: fix missing error check for rhashtable_insert_fast apparmor: Return directly after a failed kzalloc() in two functions AppArmor: Fix some kernel-doc comments apparmor: fix use of strcpy in policy_unpack_test apparmor: fix kernel-doc complaints 2023-07-06T18:12:10Z John Johansen john.johansen@canonical.com 2023-06-21T09:04:58Z urn:sha1:3f069c4c643225f2b96b4b3f8c30e4445f079d2e Reported-by: kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202306141934.UKmM9bFX-lkp@intel.com/ Signed-off-by: John Johansen <john.johansen@canonical.com> 2023-07-06T18:05:58Z John Johansen john.johansen@canonical.com 2023-04-15T07:50:32Z urn:sha1:ec6851ae0ab4587e610e260ddda75f92f3389f91 Currently the permstables of the shared dfas are not shared, and need to be allocated and copied. In the future this should be addressed with a larger rework on dfa and pdb ref counts and structure sharing. BugLink: http://bugs.launchpad.net/bugs/2017903 Fixes: 217af7e2f4de ("apparmor: refactor profile rules and attachments") Cc: stable@vger.kernel.org Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Jon Tourville <jontourville@me.com> 2023-07-06T17:59:55Z John Johansen john.johansen@canonical.com 2023-04-17T09:57:55Z urn:sha1:6f442d42c0d89876994a4a135eadf82b0e6ff6e4 The transition table size was not being set by compat mappings resulting in the profile verification code not being run. Unfortunately the checks were also buggy not being correctly updated from the old accept perms, to the new layout. Also indicate to userspace that the kernel has the permstable verification fixes. BugLink: http://bugs.launchpad.net/bugs/2017903 Fixes: 670f31774ab6 ("apparmor: verify permission table indexes") Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Jon Tourville <jontourville@me.com> 2023-07-06T17:58:49Z John Johansen john.johansen@canonical.com 2023-03-10T23:59:45Z urn:sha1:0bac2002b397fda7c9ea81ee0b06a02242958107 If the extended permission table is present we should not be attempting to do a compat_permission remap as the compat_permissions are not stored in the dfa accept states. Fixes: fd1b2b95a211 ("apparmor: add the ability for policy to specify a permission table") Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Jon Tourville <jontourville@me.com> 2023-07-06T17:58:49Z Kees Cook keescook@chromium.org 2023-05-11T21:34:45Z urn:sha1:ba808cb5edfdf032db9e849e194d28169b6efbcd In the ongoing effort to convert all fake flexible arrays to proper flexible arrays, replace aa_buffer's 1-element "buffer" member with a flexible array. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: John Johansen <john.johansen@canonical.com> 2023-07-06T17:58:49Z John Johansen john.johansen@canonical.com 2023-04-14T07:24:47Z urn:sha1:6600e9f692e36e265ef0828f08337fa294bb330f Add check for failure to allocate the permission table. Fixes: caa9f579ca72 ("apparmor: isolate policy backwards compatibility to its own file") Signed-off-by: John Johansen <john.johansen@canonical.com> 2023-07-06T17:58:49Z Danila Chernetsov listdansp@mail.ru 2023-04-04T19:05:49Z urn:sha1:000518bc5aef25d3f703592a0296d578c98b1517 rhashtable_insert_fast() could return err value when memory allocation is failed. but unpack_profile() do not check values and this always returns success value. This patch just adds error check code. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: e025be0f26d5 ("apparmor: support querying extended trusted helper extra data") Signed-off-by: Danila Chernetsov <listdansp@mail.ru> Signed-off-by: John Johansen <john.johansen@canonical.com> 2023-07-06T17:58:49Z Markus Elfring elfring@users.sourceforge.net 2023-03-29T09:50:44Z urn:sha1:6d7467957ecdc9018fb860bb60738e997abeaecb 1. Return directly after a call of the function “kzalloc” failed at the beginning in these function implementations. 2. Omit extra initialisations (for a few local variables) which became unnecessary with this refactoring. This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: John Johansen <john.johansen@canonical.com> 2023-07-06T17:58:49Z Yang Li yang.lee@linux.alibaba.com 2023-03-03T01:28:33Z urn:sha1:755a22c74345a7b4c18dbb86f553eeb7895a97c9 Make the description of @table to @strs in function unpack_trans_table() to silence the warnings: security/apparmor/policy_unpack.c:456: warning: Function parameter or member 'strs' not described in 'unpack_trans_table' security/apparmor/policy_unpack.c:456: warning: Excess function parameter 'table' description in 'unpack_trans_table' Reported-by: Abaci Robot <abaci@linux.alibaba.com> Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=4332 Signed-off-by: Yang Li <yang.lee@linux.alibaba.com> Signed-off-by: John Johansen <john.johansen@canonical.com>