[Focal][pull] apparmor - bug fixes
John Johansen
john.johansen at canonical.com
Wed Apr 8 16:38:15 UTC 2020
The following pull request(s) are cherry-picks of fixes in the 5.5, 5.6 and apparmor-next kernels dropped on top of the focal kernels.
Two alternate pull requests are included below.
* base - the base set of bug fixes
* with memory patch - everything in base + a patch series (and its fixes) that reduces apparmor's memory use on high cpu count machines (apparmor is currently allocating 2*PAGESIZE buffers per vcpu). It also makes apparmor behave better in real time/low latency kernel situations (much shorter rcu critical sections). All of the patches involved in the memory patch series are in the upstream kernel.
The with memory patch series is a nice to have but is certainly not required, and at this point the base patch set is the safer set to pull in.
------------------------ base --------------------------------
The following changes since commit 3c24d247a86bb82cf89e640a241696387203ef0e:

  UBUNTU: Ubuntu-5.4.0-21.25 (2020-03-26 17:54:01 -0300)

are available in the Git repository at:

  https://gitlab.com/jjohansen/apparmor-kernel.git apparmor-nomem

for you to fetch changes up to ba2d4c305e9144c62eccb13e68475cc434d26d3d:

  UBUNTU: SAUCE: security/apparmor/label.c: Clean code by removing redundant instructions (2020-04-08 08:53:17 -0700)

----------------------------------------------------------------
John Johansen (6):
      UBUNTU: [Upstream] apparmor: increase left match history buffer size
      UBUNTU: SAUCE: apparmor: add a valid state flags check
      UBUNTU: SAUCE: aapparmor: add consistency check between state and dfa diff encode flags
      UBUNTU: SAUCE: aapparmor: remove useless aafs_create_symlink
      UBUNTU: SAUCE: aapparmor: fail unpack if profile mode is unknown
      UBUNTU: SAUCE: apparmor: ensure that dfa state tables have entries

Mateusz Nosek (1):
      UBUNTU: SAUCE: security/apparmor/label.c: Clean code by removing redundant instructions

Xiyu Yang (1):
      UBUNTU: SAUCE: apparmor: fix potential label refcnt leak in aa_change_profile

 security/apparmor/apparmorfs.c    | 50 +++++++--------------------------------
 security/apparmor/domain.c        |  3 +--
 security/apparmor/include/match.h |  7 ++++--
 security/apparmor/label.c         |  6 -----
 security/apparmor/match.c         | 21 +++++++++++++---
 security/apparmor/policy_unpack.c |  4 ++++
 6 files changed, 37 insertions(+), 54 deletions(-)

--------------------- with memory patch ----------------------
The following changes since commit 3c24d247a86bb82cf89e640a241696387203ef0e:

  UBUNTU: Ubuntu-5.4.0-21.25 (2020-03-26 17:54:01 -0300)

are available in the Git repository at:

  https://gitlab.com/jjohansen/apparmor-kernel.git apparmor

for you to fetch changes up to 588067c0a4a7551d747579155695fa39f75cdb96:

  UBUNTU: SAUCE: security/apparmor/label.c: Clean code by removing redundant instructions (2020-04-08 05:46:08 -0700)

----------------------------------------------------------------
John Johansen (10):
      UBUNTU: [Upstream] apparmor: increase left match history buffer size
      UBUNTU: [Upstream] apparmor: fix wrong buffer allocation in aa_new_mount
      UBUNTU: [Upstream] apparmor: reduce rcu_read_lock scope for aa_file_perm mediation
      UBUNTU: [Upstream] apparmor: make it so work buffers can be allocated from atomic context
      UBUNTU: [Upstream] apparmor: only get a label reference if the fast path check fails
      UBUNTU: SAUCE: apparmor: add a valid state flags check
      UBUNTU: SAUCE: aapparmor: add consistency check between state and dfa diff encode flags
      UBUNTU: SAUCE: aapparmor: remove useless aafs_create_symlink
      UBUNTU: SAUCE: aapparmor: fail unpack if profile mode is unknown
      UBUNTU: SAUCE: apparmor: ensure that dfa state tables have entries

Mateusz Nosek (1):
      UBUNTU: SAUCE: security/apparmor/label.c: Clean code by removing redundant instructions

Patrick Steinhardt (1):
      UBUNTU: [Upstream] apparmor: fix bind mounts aborting with -ENOMEM

Sebastian Andrzej Siewior (2):
      UBUNTU: [Upstream] apparmor: Use a memory pool instead per-CPU caches
      UBUNTU: [Upstream] apparmor: Switch to GFP_KERNEL where possible

Xiyu Yang (1):
      UBUNTU: SAUCE: apparmor: fix potential label refcnt leak in aa_change_profile

 security/apparmor/apparmorfs.c    |  50 +++----------
 security/apparmor/domain.c        |  49 ++++++-------
 security/apparmor/file.c          |  49 +++++++++----
 security/apparmor/include/file.h  |   2 +-
 security/apparmor/include/match.h |   7 +-
 security/apparmor/include/path.h  |  50 +------------
 security/apparmor/label.c         |   6 --
 security/apparmor/lsm.c           | 149 +++++++++++++++++++++++++++++---------
 security/apparmor/match.c         |  21 +++++-
 security/apparmor/mount.c         |  67 +++++++++++++----
 security/apparmor/policy_unpack.c |   4 +
 11 files changed, 259 insertions(+), 195 deletions(-)