Merge tag 'apparmor-pr-2024-01-18' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

Pull AppArmor updates from John Johansen:
"This adds a single feature, switch the hash used to check policy from
sha1 to sha256

There are fixes for two memory leaks, and refcount bug and a potential
crash when a profile name is empty. Along with a couple minor code
cleanups.

Summary:

Features
- switch policy hash from sha1 to sha256

Bug Fixes
- Fix refcount leak in task_kill
- Fix leak of pdb objects and trans_table
- avoid crash when parsed profile name is empty

Cleanups
- add static to stack_msg and nulldfa
- more kernel-doc cleanups"

* tag 'apparmor-pr-2024-01-18' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
apparmor: Fix memory leak in unpack_profile()
apparmor: avoid crash when parsed profile name is empty
apparmor: fix possible memory leak in unpack_trans_table
apparmor: free the allocated pdb objects
apparmor: Fix ref count leak in task_kill
apparmor: cleanup network hook comments
apparmor: add missing params to aa_may_ptrace kernel-doc comments
apparmor: declare nulldfa as static
apparmor: declare stack_msg as static
apparmor: switch SECURITY_APPARMOR_HASH from sha1 to sha256

+54 -74
+6 -6
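--- a/security/apparmor/Kconfig
+++ b/security/apparmor/Kconfig
@@ -57,10 +57,10 @@
 	cpu is paramount.
 
 config SECURITY_APPARMOR_HASH
-	bool "Enable introspection of sha1 hashes for loaded profiles"
+	bool "Enable introspection of sha256 hashes for loaded profiles"
 	depends on SECURITY_APPARMOR_INTROSPECT_POLICY
 	select CRYPTO
-	select CRYPTO_SHA1
+	select CRYPTO_SHA256
 	default y
 	help
 	  This option selects whether introspection of loaded policy
@@ -74,10 +74,10 @@
 	depends on SECURITY_APPARMOR_HASH
 	default y
 	help
-	  This option selects whether sha1 hashing of loaded policy
-	  is enabled by default. The generation of sha1 hashes for
-	  loaded policy provide system administrators a quick way
-	  to verify that policy in the kernel matches what is expected,
+	  This option selects whether sha256 hashing of loaded policy
+	  is enabled by default. The generation of sha256 hashes for
+	  loaded policy provide system administrators a quick way to
+	  verify that policy in the kernel matches what is expected,
 	  however it can slow down policy load on some devices. In
 	  these cases policy hashing can be disabled by default and
 	  enabled only if needed.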
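Review bot: The rewrapped help text at new lines 78–80 still carries the old grammar slip, `The generation of sha256 hashes for loaded policy provide system administrators a quick way to`; the subject is "generation", so it should read `provides`. Since these lines are being rewritten anyway, it would help administrators to say what the hash is and is not: the crypto.c hunk allocates a plain, unkeyed `sha256` shash, so the value lets one compare the loaded blob against a known-good digest but is not an authenticated or tamper-evident measurement, and a sentence such as `The hash is an unkeyed digest of the loaded policy blob for comparison against a known-good value.` would make that explicit.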
+8 -8
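--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -1474,7 +1474,7 @@
 	rawdata->dents[AAFS_LOADDATA_REVISION] = dent;
 
 	if (aa_g_hash_policy) {
-		dent = aafs_create_file("sha1", S_IFREG | 0444, dir,
+		dent = aafs_create_file("sha256", S_IFREG | 0444, dir,
 					rawdata, &seq_rawdata_hash_fops);
 		if (IS_ERR(dent))
 			goto fail;
@@ -1643,11 +1643,11 @@
 	return target;
 }
 
-static const char *rawdata_get_link_sha1(struct dentry *dentry,
+static const char *rawdata_get_link_sha256(struct dentry *dentry,
 					 struct inode *inode,
 					 struct delayed_call *done)
 {
-	return rawdata_get_link_base(dentry, inode, done, "sha1");
+	return rawdata_get_link_base(dentry, inode, done, "sha256");
 }
 
 static const char *rawdata_get_link_abi(struct dentry *dentry,
@@ -1664,8 +1664,8 @@
 	return rawdata_get_link_base(dentry, inode, done, "raw_data");
 }
 
-static const struct inode_operations rawdata_link_sha1_iops = {
-	.get_link = rawdata_get_link_sha1,
+static const struct inode_operations rawdata_link_sha256_iops = {
+	.get_link = rawdata_get_link_sha256,
 };
 
 static const struct inode_operations rawdata_link_abi_iops = {
@@ -1738,7 +1738,7 @@
 	profile->dents[AAFS_PROF_ATTACH] = dent;
 
 	if (profile->hash) {
-		dent = create_profile_file(dir, "sha256", profile,
+		dent = create_profile_file(dir, "sha256", profile,
 					   &seq_profile_hash_fops);
 		if (IS_ERR(dent))
 			goto fail;
@@ -1748,9 +1748,9 @@
 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY
 	if (profile->rawdata) {
 		if (aa_g_hash_policy) {
-			dent = aafs_create("raw_sha1", S_IFLNK | 0444, dir,
+			dent = aafs_create("raw_sha256", S_IFLNK | 0444, dir,
 					   profile->label.proxy, NULL, NULL,
-					   &rawdata_link_sha1_iops);
+					   &rawdata_link_sha256_iops);
 			if (IS_ERR(dent))
 				goto fail;
 			aa_get_proxy(profile->label.proxy);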
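Review bot: Renaming the securityfs entries from `sha1` and `raw_sha1` to `sha256` and `raw_sha256` (new lines 1477, 1741 and 1751) changes a path that userspace opens, and nothing in these hunks keeps the old names reachable, so any tool that reads `.../sha1` under the apparmor securityfs tree will now get ENOENT; if that break is intended it should be stated in the commit message, otherwise a compatibility entry, or an algorithm-neutral name such as `hash` paired with a file naming the algorithm, would avoid it. The digest itself is written by `seq_rawdata_hash_fops` and `seq_profile_hash_fops`, which are outside these hunks, so whether they size their output from `apparmor_hash_size` rather than a SHA-1 length constant cannot be checked here. Every function touched by this section starts and ends outside its hunk.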
+3 -3
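--- a/security/apparmor/crypto.c
+++ b/security/apparmor/crypto.c
@@ -106,16 +106,16 @@
 	if (!apparmor_initialized)
 		return 0;
 
-	tfm = crypto_alloc_shash("sha1", 0, 0);
+	tfm = crypto_alloc_shash("sha256", 0, 0);
 	if (IS_ERR(tfm)) {
 		int error = PTR_ERR(tfm);
-		AA_ERROR("failed to setup profile sha1 hashing: %d\n", error);
+		AA_ERROR("failed to setup profile sha256 hashing: %d\n", error);
 		return error;
 	}
 	apparmor_tfm = tfm;
 	apparmor_hash_size = crypto_shash_digestsize(apparmor_tfm);
 
-	aa_info_message("AppArmor sha1 policy hashing enabled");
+	aa_info_message("AppArmor sha256 policy hashing enabled");
 
 	return 0;
 }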
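Review bot: The algorithm name is now a bare string literal in three places in this hunk (new lines 109, 112 and 118) and is repeated once more as the Kconfig `select` and again in the apparmorfs file names, with nothing tying them together; a single `#define AA_HASH_ALG "sha256"` used in `crypto_alloc_shash(AA_HASH_ALG, 0, 0)` and spliced into the two messages would keep the next switch from leaving a stale name behind. The digest length also doubles from 20 to 32 bytes; `apparmor_hash_size` is taken from `crypto_shash_digestsize()` on line 116, so users of that variable are fine, but any caller that sized a buffer from a SHA-1 constant is outside this hunk and should be audited. The function's header is outside the hunk.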
+1 -1
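--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -1311,7 +1311,7 @@
 	return error;
 }
 
-const char *stack_msg = "change_profile unprivileged unconfined converted to stacking";
+static const char *stack_msg = "change_profile unprivileged unconfined converted to stacking";
 
 /**
  * aa_change_profile - perform a one-way profile transition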
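Review bot: `static const char *stack_msg` (new line 1314) makes the symbol file-local, but the pointer itself remains a writable object in .data; as nothing in view ever reassigns it, `static const char stack_msg[] = "change_profile unprivileged unconfined converted to stacking";` would place the whole string in rodata and drop the indirection, and any use as a `const char *` still works through array decay. If a later line does reassign the pointer, `static const char *const stack_msg` is the next best form.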
+1
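--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -41,6 +41,7 @@
 			kfree_sensitive(t->table[i]);
 		kfree_sensitive(t->table);
 		t->table = NULL;
+		t->size = 0;
 	}
 }
 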
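Review bot: Resetting `t->size` on new line 44 alongside `t->table = NULL` is what lets the policy_unpack.c fail path call this on a partially built table and then have it freed again by the owner, so that idempotence is now part of the function's contract and should be written down; the function's kernel-doc header, if it has one, is outside the hunk, but a line such as `* Frees the strings and the table, leaving @t empty; safe to call again on an already-freed table.` belongs there. Whether the loop guards on `t->table` before reading `t->size` cannot be confirmed from the visible lines, so that the earlier short-circuit (if any) still precedes the loop is worth a glance.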
+17 -46
security/apparmor/lsm.c
··· 1023 1023 cl = aa_get_newest_cred_label(cred); 1024 1024 error = aa_may_signal(cred, cl, tc, tl, sig); 1025 1025 aa_put_label(cl); 1026 - return error; 1027 1026 } else { 1028 1027 cl = __begin_current_label_crit_section(); 1029 1028 error = aa_may_signal(current_cred(), cl, tc, tl, sig); ··· 1055 1056 return error; 1056 1057 } 1057 1058 1058 - /** 1059 - * apparmor_sk_alloc_security - allocate and attach the sk_security field 1060 - */ 1061 1059 static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags) 1062 1060 { 1063 1061 struct aa_sk_ctx *ctx; ··· 1068 1072 return 0; 1069 1073 } 1070 1074 1071 - /** 1072 - * apparmor_sk_free_security - free the sk_security field 1073 - */ 1074 1075 static void apparmor_sk_free_security(struct sock *sk) 1075 1076 { 1076 1077 struct aa_sk_ctx *ctx = aa_sock(sk); ··· 1080 1087 1081 1088 /** 1082 1089 * apparmor_sk_clone_security - clone the sk_security field 1090 + * @sk: sock to have security cloned 1091 + * @newsk: sock getting clone 1083 1092 */ 1084 1093 static void apparmor_sk_clone_security(const struct sock *sk, 1085 1094 struct sock *newsk) ··· 1098 1103 new->peer = aa_get_label(ctx->peer); 1099 1104 } 1100 1105 1101 - /** 1102 - * apparmor_socket_create - check perms before creating a new socket 1103 - */ 1104 1106 static int apparmor_socket_create(int family, int type, int protocol, int kern) 1105 1107 { 1106 1108 struct aa_label *label; ··· 1119 1127 1120 1128 /** 1121 1129 * apparmor_socket_post_create - setup the per-socket security struct 1130 + * @sock: socket that is being setup 1131 + * @family: family of socket being created 1132 + * @type: type of the socket 1133 + * @ptotocol: protocol of the socket 1134 + * @kern: socket is a special kernel socket 1122 1135 * 1123 1136 * Note: 1124 - * - kernel sockets currently labeled unconfined but we may want to 1125 - * move to a special kernel label 1137 + * - kernel sockets labeled kernel_t used to use unconfined 1126 1138 * - socket may not 
have sk here if created with sock_create_lite or 1127 1139 * sock_alloc. These should be accept cases which will be handled in 1128 1140 * sock_graft. ··· 1152 1156 return 0; 1153 1157 } 1154 1158 1155 - /** 1156 - * apparmor_socket_bind - check perms before bind addr to socket 1157 - */ 1158 1159 static int apparmor_socket_bind(struct socket *sock, 1159 1160 struct sockaddr *address, int addrlen) 1160 1161 { ··· 1165 1172 aa_sk_perm(OP_BIND, AA_MAY_BIND, sock->sk)); 1166 1173 } 1167 1174 1168 - /** 1169 - * apparmor_socket_connect - check perms before connecting @sock to @address 1170 - */ 1171 1175 static int apparmor_socket_connect(struct socket *sock, 1172 1176 struct sockaddr *address, int addrlen) 1173 1177 { ··· 1178 1188 aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk)); 1179 1189 } 1180 1190 1181 - /** 1182 - * apparmor_socket_listen - check perms before allowing listen 1183 - */ 1184 1191 static int apparmor_socket_listen(struct socket *sock, int backlog) 1185 1192 { 1186 1193 AA_BUG(!sock); ··· 1189 1202 aa_sk_perm(OP_LISTEN, AA_MAY_LISTEN, sock->sk)); 1190 1203 } 1191 1204 1192 - /** 1193 - * apparmor_socket_accept - check perms before accepting a new connection. 1194 - * 1205 + /* 1195 1206 * Note: while @newsock is created and has some information, the accept 1196 1207 * has not been done. 
1197 1208 */ ··· 1218 1233 aa_sk_perm(op, request, sock->sk)); 1219 1234 } 1220 1235 1221 - /** 1222 - * apparmor_socket_sendmsg - check perms before sending msg to another socket 1223 - */ 1224 1236 static int apparmor_socket_sendmsg(struct socket *sock, 1225 1237 struct msghdr *msg, int size) 1226 1238 { 1227 1239 return aa_sock_msg_perm(OP_SENDMSG, AA_MAY_SEND, sock, msg, size); 1228 1240 } 1229 1241 1230 - /** 1231 - * apparmor_socket_recvmsg - check perms before receiving a message 1232 - */ 1233 1242 static int apparmor_socket_recvmsg(struct socket *sock, 1234 1243 struct msghdr *msg, int size, int flags) 1235 1244 { ··· 1242 1263 aa_sk_perm(op, request, sock->sk)); 1243 1264 } 1244 1265 1245 - /** 1246 - * apparmor_socket_getsockname - check perms before getting the local address 1247 - */ 1248 1266 static int apparmor_socket_getsockname(struct socket *sock) 1249 1267 { 1250 1268 return aa_sock_perm(OP_GETSOCKNAME, AA_MAY_GETATTR, sock); 1251 1269 } 1252 1270 1253 - /** 1254 - * apparmor_socket_getpeername - check perms before getting remote address 1255 - */ 1256 1271 static int apparmor_socket_getpeername(struct socket *sock) 1257 1272 { 1258 1273 return aa_sock_perm(OP_GETPEERNAME, AA_MAY_GETATTR, sock); ··· 1265 1292 aa_sk_perm(op, request, sock->sk)); 1266 1293 } 1267 1294 1268 - /** 1269 - * apparmor_socket_getsockopt - check perms before getting socket options 1270 - */ 1271 1295 static int apparmor_socket_getsockopt(struct socket *sock, int level, 1272 1296 int optname) 1273 1297 { ··· 1272 1302 level, optname); 1273 1303 } 1274 1304 1275 - /** 1276 - * apparmor_socket_setsockopt - check perms before setting socket options 1277 - */ 1278 1305 static int apparmor_socket_setsockopt(struct socket *sock, int level, 1279 1306 int optname) 1280 1307 { ··· 1279 1312 level, optname); 1280 1313 } 1281 1314 1282 - /** 1283 - * apparmor_socket_shutdown - check perms before shutting down @sock conn 1284 - */ 1285 1315 static int apparmor_socket_shutdown(struct 
socket *sock, int how) 1286 1316 { 1287 1317 return aa_sock_perm(OP_SHUTDOWN, AA_MAY_SHUTDOWN, sock); ··· 1287 1323 #ifdef CONFIG_NETWORK_SECMARK 1288 1324 /** 1289 1325 * apparmor_socket_sock_rcv_skb - check perms before associating skb to sk 1326 + * @sk: sk to associate @skb with 1327 + * @skb: skb to check for perms 1290 1328 * 1291 1329 * Note: can not sleep may be called with locks held 1292 1330 * ··· 1320 1354 1321 1355 /** 1322 1356 * apparmor_socket_getpeersec_stream - get security context of peer 1357 + * @sock: socket that we are trying to get the peer context of 1358 + * @optval: output - buffer to copy peer name to 1359 + * @optlen: output - size of copied name in @optval 1360 + * @len: size of @optval buffer 1361 + * Returns: 0 on success, -errno of failure 1323 1362 * 1324 1363 * Note: for tcp only valid if using ipsec or cipso on lan 1325 1364 */ ··· 2153 2182 static char nulldfa_src[] = { 2154 2183 #include "nulldfa.in" 2155 2184 }; 2156 - struct aa_dfa *nulldfa; 2185 + static struct aa_dfa *nulldfa; 2157 2186 2158 2187 static char stacksplitdfa_src[] = { 2159 2188 #include "stacksplitdfa.in"
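Review bot: The new kernel-doc for `apparmor_socket_post_create` spells a parameter `@ptotocol` (new line 1133) while the function takes `protocol`, so `scripts/kernel-doc -Wall` will report both a missing `@protocol` description and an unknown parameter, undoing the point of the cleanup; change it to `* @protocol: protocol of the socket`. In the task_kill hunk (new lines 1023–1028) dropping `return error;` only fixes the refcount leak if the code after the if/else, which is outside this hunk, releases the reference taken on the target label before returning; that cannot be confirmed from the visible lines.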
+7 -6
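--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -99,13 +99,14 @@
 };
 
 
-static void aa_free_pdb(struct aa_policydb *policy)
+static void aa_free_pdb(struct aa_policydb *pdb)
 {
-	if (policy) {
-		aa_put_dfa(policy->dfa);
-		if (policy->perms)
-			kvfree(policy->perms);
-		aa_free_str_table(&policy->trans);
+	if (pdb) {
+		aa_put_dfa(pdb->dfa);
+		if (pdb->perms)
+			kvfree(pdb->perms);
+		aa_free_str_table(&pdb->trans);
+		kfree(pdb);
 	}
 }
 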
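Review bot: Adding `kfree(pdb)` on new line 109 makes `aa_free_pdb()` assume that every `struct aa_policydb` it receives is its own heap allocation; the allocator is outside this hunk, so if any caller passes a pdb embedded in a larger object or a statically defined one, this becomes a bad free rather than a leak fix, and a one-line comment above the function stating that it frees objects returned by the pdb allocator would pin that contract. Separately, the `if (pdb->perms)` guard on lines 106–107 is redundant because `kvfree(NULL)` is a no-op; plain `kvfree(pdb->perms);` reads cleaner.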
+9 -4
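--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -478,6 +478,8 @@
 		if (!table)
 			goto fail;
 
+		strs->table = table;
+		strs->size = size;
 		for (i = 0; i < size; i++) {
 			char *str;
 			int c, j, pos, size2 = aa_unpack_strdup(e, &str, NULL);
@@ -522,14 +520,11 @@
 				goto fail;
 		if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
 			goto fail;
-
-		strs->table = table;
-		strs->size = size;
 	}
 	return true;
 
 fail:
-	kfree_sensitive(table);
+	aa_free_str_table(strs);
 	e->pos = saved_pos;
 	return false;
 }
@@ -832,6 +833,10 @@
 
 	tmpname = aa_splitn_fqname(name, strlen(name), &tmpns, &ns_len);
 	if (tmpns) {
+		if (!tmpname) {
+			info = "empty profile name";
+			goto fail;
+		}
 		*ns_name = kstrndup(tmpns, ns_len, GFP_KERNEL);
 		if (!*ns_name) {
 			info = "out of memory";
@@ -1025,8 +1022,10 @@
 		}
 	} else if (rules->policy->dfa &&
 		   rules->policy->start[AA_CLASS_FILE]) {
+		aa_put_pdb(rules->file);
 		rules->file = aa_get_pdb(rules->policy);
 	} else {
+		aa_put_pdb(rules->file);
 		rules->file = aa_get_pdb(nullpdb);
 	}
 	error = -EPROTO;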
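Review bot: Publishing `strs->table = table; strs->size = size;` before the loop (new lines 481–482) and unwinding through `aa_free_str_table(strs)` (new line 527) means the fail path walks all `size` slots, including the ones the loop never reached; that is only safe if `table` was allocated zeroed (the allocation sits just above the hunk and is not visible) and if each `table[i]` is stored only after `aa_unpack_strdup()` succeeded. It also changes the failure contract: `*strs` is now emptied on error instead of left untouched, and if `*strs` could already hold a table on entry, line 481 overwrites that pointer without freeing it. A comment on the function stating that `*strs` must be empty on entry and is reset on failure would make both expectations explicit; the function's header is outside the hunk.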
+2
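--- a/security/apparmor/task.c
+++ b/security/apparmor/task.c
@@ -278,7 +278,9 @@
 
 /**
  * aa_may_ptrace - test if tracer task can trace the tracee
+ * @tracer_cred: cred of task doing the tracing (NOT NULL)
  * @tracer: label of the task doing the tracing (NOT NULL)
+ * @tracee_cred: cred of task to be traced
  * @tracee: task label to be traced
  * @request: permission request
  *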
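Review bot: `@tracee_cred` (new line 283) is documented without the `(NOT NULL)` marker that `@tracer_cred` and `@tracer` carry, leaving a reader to guess whether the function tolerates a NULL tracee cred; if it dereferences the argument unconditionally, write `* @tracee_cred: cred of task to be traced (NOT NULL)`, and if NULL is accepted, say what it means. The function body is outside the hunk, so neither can be confirmed from the visible lines.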