kernel/security/apparmor/include/policy_ns.h, branch linux-6.12.yHosts the 0x221E linux distro kernel.https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-6.12.y2026-03-13T16:20:47Zapparmor: fix: limit the number of levels of policy namespaces2026-03-13T16:20:47ZJohn Johansenjohn.johansen@canonical.com2026-03-03T19:08:02Zurn:sha1:853ce31ca72097d23991a06876a2ccb5cb64b603
commit 306039414932c80f8420695a24d4fe10c84ccfb2 upstream.
Currently the number of policy namespaces is not bounded relying on
the user namespace limit. However policy namespaces aren't strictly
tied to user namespaces and it is possible to create them and nest
them arbitrarily deep which can be used to exhaust system resource.
Hard cap policy namespaces to the same depth as user namespaces.
Fixes: c88d4c7b049e8 ("AppArmor: core policy routines")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Reviewed-by: Ryan Lee <ryan.lee@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
apparmor: remove unused functions in policy_ns.c/.h2023-10-16T04:44:31ZXiu Jianfengxiujianfeng@huawei.com2023-08-10T20:10:56Zurn:sha1:fee5304a9c820bd12bd40b1f2591f8e2be0ccbcf
These functions are not used now, remove them.
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor: add a kernel label to use on kernel objects2022-07-13T23:37:21ZJohn Johansenjohn.johansen@canonical.com2022-05-24T09:38:12Zurn:sha1:95c0581f9bfdfbe97126ba1c7f5650a9dd064dda
Separate kernel objects from unconfined. This is done so we can
distinguish between the two in debugging, auditing and in preparation
for being able to replace unconfined, which is not appropriate for the
kernel.
The kernel label will continue to behave similar to unconfined.
Acked-by: Jon Tourville <jon.tourville@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 4412019-06-05T15:37:17ZThomas Gleixnertglx@linutronix.de2019-06-01T08:08:55Zurn:sha1:b886d83c5b621abc84ff9616f14c529be3f6b147
Based on 1 normalized pattern(s):
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license as published by
the free software foundation version 2 of the license
extracted by the scancode license scanner the SPDX license identifier
GPL-2.0-only
has been chosen to replace the boilerplate/reference in 315 file(s).
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Allison Randal <allison@lohutok.net>
Reviewed-by: Armijn Hemel <armijn@tjaldur.nl>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190531190115.503150771@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
apparmor: switch from profiles to using labels on contexts2017-06-11T00:11:38ZJohn Johansenjohn.johansen@canonical.com2017-06-09T15:14:28Zurn:sha1:637f688dc3dc304a89f441d76f49a0e35bc49c08
Begin the actual switch to using domain labels by storing them on
the context and converting the label to a singular profile where
possible.
Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor: add namespace lookup fns()2017-06-11T00:11:32ZJohn Johansenjohn.johansen@canonical.com2017-06-03T00:44:27Zurn:sha1:3664268f19ea07bec55df92fe53ff9ed28968bcc
Currently lookups are restricted to a single ns component in the
path. However when namespaces are allowed to have separate views, and
scopes this will not be sufficient, as it will be possible to have
a multiple component ns path in scope.
Add some ns lookup fns() to allow this and use them.
Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor: add policy revision file interface2017-06-11T00:11:27ZJohn Johansenjohn.johansen@canonical.com2017-05-26T23:27:58Zurn:sha1:d9bf2c268be6064ae0c9980e4c37fdd262c7effc
Add a policy revision file to find the current revision of a ns's policy.
There is a revision file per ns, as well as a virtualized global revision
file in the base apparmor fs directory. The global revision file when
opened will provide the revision of the opening task namespace.
The revision file can be waited on via select/poll to detect apparmor
policy changes from the last read revision of the opened file. This
means that the revision file must be read after the select/poll other
wise update data will remain ready for reading.
Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor: move to per loaddata files, instead of replicating in profiles2017-06-08T19:51:49ZJohn Johansenjohn.johansen@canonical.com2017-05-09T07:08:41Zurn:sha1:5d5182cae40115c03933989473288e54afb39c7c
The loaddata sets cover more than just a single profile and should
be tracked at the ns level. Move the load data files under the namespace
and reference the files from the profiles via a symlink.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
apparmor: add special .null file used to "close" fds at exec2017-01-16T09:18:35ZJohn Johansenjohn.johansen@canonical.com2017-01-16T08:42:45Zurn:sha1:a71ada305801e940ff69c2c58489778760e5148b
Borrow the special null device file from selinux to "close" fds that
don't have sufficient permissions at exec time.
Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor: refactor prepare_ns() and make usable from different views2017-01-16T09:18:28ZJohn Johansenjohn.johansen@canonical.com2017-01-16T08:42:34Zurn:sha1:73688d1ed0b8f800f312f7bc9d583463858da861
prepare_ns() will need to be called from alternate views, and namespaces
will need to be created via different interfaces. So refactor and
allow specifying the view ns.
Signed-off-by: John Johansen <john.johansen@canonical.com>