From: John Johansen <john.johansen@canonical.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: LKLM <linux-kernel@vger.kernel.org>,
	"open list:SECURITY SUBSYSTEM" 
	<linux-security-module@vger.kernel.org>
Subject: [GIT PULL] AppArmor updates for 6.7
Date: Fri, 3 Nov 2023 04:13:36 -0700
Message-ID: <bf45d4d9-5a15-4ba3-9f55-b8c7e300dc54@canonical.com>

Hi Linus,

Please pull the following apparmor patches for the 6.7 merge
window.

This PR adds initial support for mediating io_uring and userns
creation, adds a new restriction that tightens the use of
change_profile, and a couple of optimizations to reduce performance
bottlenecks that have been found when retrieving the current task's
secid and allocating work buffers.

The majority of the patch set continues cleaning up and simplifying
the code (fixing comments, removing now dead functions, macros,
etc.). Finally, there are 4 bug fixes, with the regression fix having
had a couple months of testing.

These patches have been in linux-next and been tested while in there,
and have also had a merge and regression test against your current
tree as of a day ago.

thanks
- john


The following changes since commit 06c2afb862f9da8dc5efa4b6076a0e48c3fbaaa5:

   Linux 6.5-rc1 (2023-07-09 13:53:13 -0700)

are available in the Git repository at:

   git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor tags/apparmor-pr-2023-11-03

for you to fetch changes up to 6cede10161be00d129a24e8b84c2674785a32cf8:

   apparmor: Fix some kernel-doc comments (2023-10-23 00:26:27 -0700)

----------------------------------------------------------------
+ Features
   - optimize retrieving current task secid
   - add base io_uring mediation
   - add base userns mediation
   - improve buffer allocation
   - allow restricting unprivileged change_profile

+ Cleanups
   - Fix kernel doc comments
   - remove unused declarations
   - remove unused functions
   - remove unneeded #ifdef
   - remove unused macros
   - mark fns static
   - cleanup fn with unused return values
   - cleanup audit data
   - pass cred through to audit data
   - refcount the pdb instead of using duplicates
   - make SK_CTX macro an inline fn
   - some comment cleanups

+ Bug fixes
   - fix regression in mount mediation
   - fix invalid reference
   - use passed in gfp flags
   - advertise availability of extended perms and disconnected.path

----------------------------------------------------------------
Arnd Bergmann (1):
       apparmor: mark new functions static

Dan Carpenter (1):
       apparmor: use passed in gfp flags in aa_alloc_null()

GONG, Ruiqi (2):
       apparmor: remove unused macro
       apparmor: remove unused PROF_* macros

Gaosheng Cui (11):
       apparmor: Fix kernel-doc warnings in apparmor/audit.c
       apparmor: Fix kernel-doc warnings in apparmor/capability.c
       apparmor: Fix kernel-doc warnings in apparmor/domain.c
       apparmor: Fix kernel-doc warnings in apparmor/file.c
       apparmor: Fix kernel-doc warnings in apparmor/label.c
       apparmor: Fix kernel-doc warnings in apparmor/lib.c
       apparmor: Fix kernel-doc warnings in apparmor/match.c
       apparmor: Fix kernel-doc warnings in apparmor/resource.c
       apparmor: Fix kernel-doc warnings in apparmor/policy_unpack.c
       apparmor: Fix kernel-doc warnings in apparmor/policy_compat.c
       apparmor: Fix kernel-doc warnings in apparmor/policy.c

Georgia Garcia (2):
       apparmor: fix invalid reference on profile->disconnected
       apparmor: add io_uring mediation

John Johansen (13):
       apparmor: advertise availability of exended perms
       apparmor: fixup return comments for kernel doc cleanups by Gaosheng Cui
       apparmor: rename SK_CTX() to aa_sock and make it an inline fn
       apparmor: combine common_audit_data and apparmor_audit_data
       apparmor: rename audit_data->label to audit_data->subj_label
       apparmor: pass cred through to audit info.
       apparmor: provide separate audit messages for file and policy checks
       apparmor: refcount the pdb
       apparmor: advertise disconnected.path is available
       apparmor: allow restricting unprivileged change_profile
       apparmor: add user namespace creation mediation
       apparmor: cache buffers on percpu list if there is lock contention
       apparmor: Fix regression in mount mediation

Quanfa Fu (1):
       apparmor: make aa_set_current_onexec return void

Vinicius Costa Gomes (1):
       apparmor: Optimize retrieving current task secid

Xiu Jianfeng (4):
       apparmor: cleanup unused declarations in policy.h
       apparmor: cleanup unused functions in file.h
       apparmor: remove unneeded #ifdef in decompress_zstd()
       apparmor: remove unused functions in policy_ns.c/.h

Yang Li (3):
       apparmor: Fix some kernel-doc comments
       apparmor: Fix one kernel-doc comment
       apparmor: Fix some kernel-doc comments

  security/apparmor/apparmorfs.c         |  49 ++--
  security/apparmor/audit.c              |  75 +++---
  security/apparmor/capability.c         |  33 +--
  security/apparmor/domain.c             | 193 +++++++++------
  security/apparmor/file.c               | 217 ++++++++++-------
  security/apparmor/include/apparmor.h   |   3 +-
  security/apparmor/include/audit.h      |  44 ++--
  security/apparmor/include/capability.h |   3 +-
  security/apparmor/include/file.h       |  54 +----
  security/apparmor/include/ipc.h        |   4 +-
  security/apparmor/include/lib.h        |   2 +
  security/apparmor/include/match.h      |   6 -
  security/apparmor/include/mount.h      |  26 ++-
  security/apparmor/include/net.h        |  25 +-
  security/apparmor/include/perms.h      |   7 +-
  security/apparmor/include/policy.h     |  68 ++++--
  security/apparmor/include/policy_ns.h  |  14 --
  security/apparmor/include/resource.h   |   3 +-
  security/apparmor/include/task.h       |  11 +-
  security/apparmor/ipc.c                |  53 +++--
  security/apparmor/label.c              |  46 ++--
  security/apparmor/lib.c                |  54 ++---
  security/apparmor/lsm.c                | 414 ++++++++++++++++++++++++++++-----
  security/apparmor/match.c              |  48 +---
  security/apparmor/mount.c              | 186 +++++++++------
  security/apparmor/net.c                |  65 +++---
  security/apparmor/policy.c             | 133 +++++++----
  security/apparmor/policy_compat.c      |   1 +
  security/apparmor/policy_ns.c          |  37 ---
  security/apparmor/policy_unpack.c      | 152 ++++++------
  security/apparmor/resource.c           |  54 +++--
  security/apparmor/task.c               | 104 ++++++---
  32 files changed, 1336 insertions(+), 848 deletions(-)

