[xenial] request-pull apparmor 3.5-beta1
John Johansen
john.johansen at canonical.com
Fri Mar 18 14:51:20 UTC 2016
apparmor 3.5 adds basic policy namespace stacking.
BugLink: http://bugs.launchpad.net/bugs/1379535
This is known to cause 1 set of failures under the current apparmor
regression test suite, which is due to a change in the error code returned
under certain circumstances for the change_profile tests. This will be
fixed in the test suite with the next sync.
The following changes since commit c0fd1aa917c171cd801fc5074fc05f4a166ae5e2:
UBUNTU: Ubuntu-4.4.0-13.29 (2016-03-11 12:13:52 -0700)
are available in the git repository at:
git://kernel.ubuntu.com/jj/ubuntu-xenial.git master-upstream-aa3.5-beta1
for you to fetch changes up to fe9ff67322ce483d8c433465130f7536fd3a00b8:
UBUNTU: SAUCE: add a sysctl to enable unprivileged user ns AppArmor policy loading (2016-03-18 07:21:25 -0700)
----------------------------------------------------------------
John Johansen (48):
Revert "UBUNTU: SAUCE: Move replacedby allocation into label_alloc"
Revert "UBUNTU: SAUCE: Fixup: __label_update() still doesn't handle some cases correctly."
Revert "UBUNTU: SAUCE: fix: audit "no_new_privs" case for exec failure"
Revert "UBUNTU: SAUCE: fixup: warning about aa_label_vec_find_or_create not being static"
Revert "UBUNTU: SAUCE: apparmor: fix refcount race when finding a child profile"
Revert "UBUNTU: SAUCE: fixup: cast poison values to remove warnings"
Revert "UBUNTU: SAUCE: fixup: get rid of unused var build warning"
Revert "UBUNTU: SAUCE: fixup: 20/23 locking issue around in __label_update"
Revert "UBUNTU: SAUCE: fixup: make __share_replacedby private to get rid of build warning"
Revert "UBUNTU: SAUCE: fix: replacedby forwarding is not being properly update when ns is destroyed"
Revert "UBUNTU: SAUCE: apparmor: fix log of apparmor audit message when kern_path() fails"
Revert "UBUNTU: SAUCE: fixup: cleanup return handling of labels"
Revert "UBUNTU: SAUCE: apparmor: fix: ref count leak when profile sha1 hash is read"
Revert "UBUNTU: SAUCE: apparmor: Fix: query label file permission"
Revert "UBUNTU: SAUCE: apparmor: Don't remove label on rcu callback if the label has already been removed"
Revert "UBUNTU: SAUCE: apparmor: Fix: break circular refcount for label that is directly freed."
Revert "UBUNTU: SAUCE: apparmor: Fix: refcount bug when inserting label update that transitions ns"
Revert "UBUNTU: SAUCE: apparmor: Fix: now that insert can force replacement use it instead of remove_and_insert"
Revert "UBUNTU: SAUCE: apparmor Fix: refcount bug in pivotroot mediation"
Revert "UBUNTU: SAUCE: apparmor: ensure that repacedby sharing is done correctly"
Revert "UBUNTU: SAUCE: apparmor: Fix: update replacedby allocation to take a gfp parameter"
Revert "UBUNTU: SAUCE: apparmor: Fix: convert replacedby update to be protected by the labelset lock"
Revert "UBUNTU: SAUCE: apparmor: Fix: add required locking of __aa_update_replacedby on merge path"
Revert "UBUNTU: SAUCE: apparmor: Fix: deadlock in aa_put_label() call chain"
Revert "UBUNTU: SAUCE: apparmor: Fix: label_vec_merge insertion"
Revert "UBUNTU: SAUCE: apparmor: Fix: ensure new labels resulting from merge have a replacedby"
Revert "UBUNTU: SAUCE: apparmor: Fix: refcount leak in aa_label_merge"
Revert "UBUNTU: SAUCE: apparmor: Fix: refcount race between locating in labelset and get"
Revert "UBUNTU: SAUCE: apparmor: Fix: label merge handling of marking unconfined and stale"
Revert "UBUNTU: SAUCE: apparmor: add underscores to indicate aa_label_next_not_in_set() use needs locking"
Revert "UBUNTU: SAUCE: apparmor: debug: POISON label and replaceby pointer on free"
Revert "UBUNTU: SAUCE: apparmor: Fix: ensure aa_get_newest will trip debugging if the replacedby is not setup"
Revert "UBUNTU: SAUCE: apparmor: Fix: insert race between label_update and label_merge"
Revert "UBUNTU: SAUCE: apparmor: rework retrieval of the current label in the profile update case"
Revert "UBUNTU: SAUCE: apparmor: Disallow update of cred when then subjective != the objective cred"
Revert "UBUNTU: SAUCE: apparmor: Fix: oops do to invalid null ptr deref in label print fns"
Revert "UBUNTU: SAUCE: fix-up: kern_mount fail path should not be doing put_buffers()"
Revert "UBUNTU: SAUCE: apparmor: fix sleep from invalid context"
Revert "UBUNTU: SAUCE: (no-up): apparmor: fix for failed mediation of socket that is being shutdown"
Revert "UBUNTU: SAUCE: (no-up) apparmor: Fix incompatible pointer type warnings"
Revert "UBUNTU: SAUCE: (no-up) apparmor: fix mount not handling disconnected paths"
Revert "UBUNTU: SAUCE: (no-up): apparmor: fix mediation of fs unix sockets"
Revert "UBUNTU: apparmor -- follow change to this_cpu_ptr"
Revert "UBUNTU: SAUCE: (no-up) fix: bad unix_addr_fs macro"
Revert "UBUNTU: SAUCE: Revert: fix: only allow a single threaded process to ..."
Revert "UBUNTU: SAUCE: (no-up) apparmor: Sync to apparmor3 - RC1 snapshot"
Revert "UBUNTU: SAUCE: (no-up) apparmor: add parameter to control whether policy hashing is used"
UBUNTU: SAUCE: (no-up) apparmor: sync of apparmor3.5-beta1 snapshot
Tyler Hicks (1):
UBUNTU: SAUCE: add a sysctl to enable unprivileged user ns AppArmor policy loading
security/apparmor/Makefile | 3 +-
security/apparmor/af_unix.c | 84 +-
security/apparmor/apparmorfs.c | 267 +++--
security/apparmor/audit.c | 66 +-
security/apparmor/capability.c | 16 +-
security/apparmor/context.c | 97 +-
security/apparmor/domain.c | 1302 +++++++++++++--------
security/apparmor/file.c | 98 +-
security/apparmor/include/af_unix.h | 25 +-
security/apparmor/include/apparmor.h | 133 +--
security/apparmor/include/apparmorfs.h | 7 +-
security/apparmor/include/audit.h | 136 +--
security/apparmor/include/context.h | 56 +-
security/apparmor/include/domain.h | 9 +-
security/apparmor/include/file.h | 81 +-
security/apparmor/include/label.h | 215 ++--
security/apparmor/include/lib.h | 317 +++++
security/apparmor/include/match.h | 5 +
security/apparmor/include/net.h | 36 +-
security/apparmor/include/perms.h | 17 +-
security/apparmor/include/policy.h | 189 +--
security/apparmor/include/policy_ns.h | 127 ++
security/apparmor/include/policy_unpack.h | 1 +
security/apparmor/include/procattr.h | 1 -
security/apparmor/ipc.c | 31 +-
security/apparmor/label.c | 1815 ++++++++++++++++-------------
security/apparmor/lib.c | 105 +-
security/apparmor/lsm.c | 345 +++---
security/apparmor/match.c | 29 +-
security/apparmor/mount.c | 136 ++-
security/apparmor/net.c | 100 +-
security/apparmor/nulldfa.in | 1 +
security/apparmor/policy.c | 769 ++++--------
security/apparmor/policy_ns.c | 323 +++++
security/apparmor/policy_unpack.c | 117 +-
security/apparmor/procattr.c | 46 +-
security/apparmor/resource.c | 14 +-
37 files changed, 4032 insertions(+), 3087 deletions(-)
create mode 100644 security/apparmor/include/lib.h
create mode 100644 security/apparmor/include/policy_ns.h
create mode 100644 security/apparmor/nulldfa.in
create mode 100644 security/apparmor/policy_ns.c