kernel/security/apparmor/include/policy_unpack.h, branch linux-4.16.y

apparmor: move to per loaddata files, instead of replicating in profiles

2017-06-08T19:51:49Z

The loaddata sets cover more than just a single profile and should be tracked at the ns level. Move the load data files under the namespace and reference the files from the profiles via a symlink. Signed-off-by: John Johansen Reviewed-by: Seth Arnold Reviewed-by: Kees Cook

apparmor: audit policy ns specified in policy load

2017-01-16T09:18:43Z

Verify that profiles in a load set specify the same policy ns and audit the name of the policy ns that policy is being loaded for. Signed-off-by: John Johansen

apparmor: allow introspecting the loaded policy pre internal transform

2017-01-16T09:18:42Z

Store loaded policy and allow introspecting it through apparmorfs. This has several uses from debugging, policy validation, and policy checkpoint and restore for containers. Signed-off-by: John Johansen

apparmor: allow setting any profile into the unconfined state

2013-08-14T18:42:07Z

Allow emulating the default profile behavior from boot, by allowing loading of a profile in the unconfined state into a new NS. Signed-off-by: John Johansen Acked-by: Seth Arnold

apparmor: provide base for multiple profiles to be replaced at once

2013-08-14T18:42:06Z

previously profiles had to be loaded one at a time, which could result in cases where a replacement of a set would partially succeed, and then fail resulting in inconsistent policy. Allow multiple profiles to replaced "atomically" so that the replacement either succeeds or fails for the entire set of profiles. Signed-off-by: John Johansen

AppArmor: policy routines for loading and unpacking policy

2010-08-02T05:38:36Z

AppArmor policy is loaded in a platform independent flattened binary stream. Verify and unpack the data converting it to the internal format needed for enforcement. Signed-off-by: John Johansen Signed-off-by: James Morris