Hosts the 0x221E linux distro kernel. https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-5.1.y 2019-03-07T19:44:01Z 2019-03-07T19:44:01Z Linus Torvalds torvalds@linux-foundation.org 2019-03-07T19:44:01Z urn:sha1:ae5906ceee038ea29ff5162d1bcd18fb50af8b94 Pull security subsystem updates from James Morris: - Extend LSM stacking to allow sharing of cred, file, ipc, inode, and task blobs. This paves the way for more full-featured LSMs to be merged, and is specifically aimed at LandLock and SARA LSMs. This work is from Casey and Kees. - There's a new LSM from Micah Morton: "SafeSetID gates the setid family of syscalls to restrict UID/GID transitions from a given UID/GID to only those approved by a system-wide whitelist." This feature is currently shipping in ChromeOS. * 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (62 commits) keys: fix missing __user in KEYCTL_PKEY_QUERY LSM: Update list of SECURITYFS users in Kconfig LSM: Ignore "security=" when "lsm=" is specified LSM: Update function documentation for cap_capable security: mark expected switch fall-throughs and add a missing break tomoyo: Bump version. LSM: fix return value check in safesetid_init_securityfs() LSM: SafeSetID: add selftest LSM: SafeSetID: remove unused include LSM: SafeSetID: 'depend' on CONFIG_SECURITY LSM: Add 'name' field for SafeSetID in DEFINE_LSM LSM: add SafeSetID module that gates setid calls LSM: add SafeSetID module that gates setid calls tomoyo: Allow multiple use_group lines. tomoyo: Coding style fix. tomoyo: Swicth from cred->security to task_struct->security. security: keys: annotate implicit fall throughs security: keys: annotate implicit fall throughs security: keys: annotate implicit fall through capabilities:: annotate implicit fall through ... 2019-02-22T17:56:09Z Gustavo A. R. Silva gustavo@embeddedor.com 2019-02-08T20:54:53Z urn:sha1:09186e503486da4a17f16f2f7c679e6e3e2a32f4 In preparation to enabling -Wimplicit-fallthrough, mark switch cases where we are expecting to fall through. This patch fixes the following warnings: security/integrity/ima/ima_template_lib.c:85:10: warning: this statement may fall through [-Wimplicit-fallthrough=] security/integrity/ima/ima_policy.c:940:18: warning: this statement may fall through [-Wimplicit-fallthrough=] security/integrity/ima/ima_policy.c:943:7: warning: this statement may fall through [-Wimplicit-fallthrough=] security/integrity/ima/ima_policy.c:972:21: warning: this statement may fall through [-Wimplicit-fallthrough=] security/integrity/ima/ima_policy.c:974:7: warning: this statement may fall through [-Wimplicit-fallthrough=] security/smack/smack_lsm.c:3391:9: warning: this statement may fall through [-Wimplicit-fallthrough=] security/apparmor/domain.c:569:6: warning: this statement may fall through [-Wimplicit-fallthrough=] Warning level 3 was used: -Wimplicit-fallthrough=3 Also, add a missing break statement to fix the following warning: security/integrity/ima/ima_appraise.c:116:26: warning: this statement may fall through [-Wimplicit-fallthrough=] Acked-by: John Johansen <john.johansen@canonical.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Acked-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: James Morris <james.morris@microsoft.com> 2019-02-01T16:01:39Z John Johansen john.johansen@canonical.com 2019-01-24T21:53:05Z urn:sha1:d6d478aee003e19ef90321176552a8ad2929a47f aa_label_merge() can return NULL for memory allocations failures make sure to handle and set the correct error in this case. Reported-by: Peng Hao <peng.hao2@zte.com.cn> Signed-off-by: John Johansen <john.johansen@canonical.com> 2019-01-08T21:18:44Z Casey Schaufler casey@schaufler-ca.com 2018-09-22T00:17:59Z urn:sha1:69b5a44a95bb86f3ad8a50bf2e354057ec450082 Don't use the cred->security pointer directly. Provide a helper function that provides the security blob pointer. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Kees Cook <keescook@chromium.org> [kees: adjusted for ordered init series] Signed-off-by: Kees Cook <keescook@chromium.org> 2018-07-20T10:25:25Z John Johansen john.johansen@canonical.com 2018-07-20T10:25:25Z urn:sha1:24b87a16fee0ebd49b66e8523186ace7ea09ad12 Cleans up clang warning: warning: variable 'info' set but not used [-Wunused-but-set-variable] Fixes: 89dbf1962aa63 ("apparmor: move change_hat mediation to using labels") Reported-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2018-05-03T07:47:56Z Zygmunt Krynicki zygmunt.krynicki@canonical.com 2018-04-12T10:34:28Z urn:sha1:b2c2086c3984d96045e758d984d859caae6f96ca Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de> Signed-off-by: John Johansen <john.johansen@canonical.com> 2018-03-24T00:25:25Z Colin Ian King colin.king@canonical.com 2018-03-23T23:34:22Z urn:sha1:a61ecd329cfa951b7d36c13e9e2a07e7761c0e89 Currently variable size is a unsigned size_t, hence comparisons to see if it is less than zero (for error checking) will always be false. Fix this by making size a ssize_t Detected by CoverityScan, CID#1466080 ("Unsigned compared against 0") Fixes: 8e51f9087f40 ("apparmor: Add support for attaching profiles via xattr, presence and value") Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2018-02-09T19:30:02Z John Johansen john.johansen@canonical.com 2017-11-19T03:43:13Z urn:sha1:21f606610502ef56f9180b1529fc7e02957564c8 Overlapping domain attachments using the current longest left exact match fail in some simple cases, and with the fix to ensure consistent behavior by failing unresolvable attachments it becomes important to do a better job. eg. under the current match the following are unresolvable where the alternation is clearly a better match under the most specific left match rule. /** /{bin/,}usr/ Use a counting match that detects when a loop in the state machine is enter, and return the match count to provide a better specific left match resolution. Signed-off-by: John Johansen <john.johansen@canonical.com> 2018-02-09T19:30:02Z John Johansen john.johansen@canonical.com 2017-12-12T23:28:05Z urn:sha1:73f488cd903938e78979d50e081a0314ad142351 This converts profile attachment based on xattrs to a fixed extended conditional using dfa matching. This has a couple of advantages - pattern matching can be used for the xattr match - xattrs can be optional for an attachment or marked as required - the xattr attachment conditional will be able to be combined with other extended conditionals when the flexible extended conditional work lands. The xattr fixed extended conditional is appended to the xmatch conditional. If an xattr attachment is specified the profile xmatch will be generated regardless of whether there is a pattern match on the executable name. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2018-02-09T19:30:02Z Matthew Garrett mjg59@google.com 2018-02-08T20:37:19Z urn:sha1:8e51f9087f4024d20f70f4d9831e1f45d8088331 Make it possible to tie Apparmor profiles to the presence of one or more extended attributes, and optionally their values. An example usecase for this is to automatically transition to a more privileged Apparmor profile if an executable has a valid IMA signature, which can then be appraised by the IMA subsystem. Signed-off-by: Matthew Garrett <mjg59@google.com> Signed-off-by: John Johansen <john.johansen@canonical.com>