| #
219d7660 |
| 20-Feb-2026 |
Linus Torvalds <torvalds@linux-foundation.org> |
Merge tag 'apparmor-pr-2026-02-18' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
Pull AppArmor updates from John Johansen:
 "Features:
   - add .kunitconfig
   - audit execpath in userns mediation
   - add support loading per permission tagging

  Cleanups:
   - remove unused percpu critical sections in buffer management
   - document the buffer hold, add an overflow guard
   - split xxx_in_ns into its two separate semantic use cases
   - remove apply_modes_to_perms from label_match
   - refactor/cleanup cred helper fns.
   - guard against free attachment/data routines being called with NULL
   - drop in_atomic flag in common_mmap, common_file_perm, and cleanup
   - make str table more generic and be able to have multiple entries
   - Replace deprecated strcpy with memcpy in gen_symlink_name
   - Replace deprecated strcpy in d_namespace_path
   - Replace sprintf/strcpy with scnprintf/strscpy in aa_policy_init
   - replace sprintf with snprintf in aa_new_learning_profile

  Bug Fixes:
   - fix cast in format string DEBUG statement
   - fix make aa_labelmatch return consistent
   - fix fmt string type error in process_strs_entry
   - fix kernel-doc comments for inview
   - fix invalid deref of rawdata when export_binary is unset
   - avoid per-cpu hold underflow in aa_get_buffer
   - fix fast path cache check for unix sockets
   - fix rlimit for posix cpu timers
   - fix label and profile debug macros
   - move check for aa_null file to cover all cases
   - return -ENOMEM in unpack_perms_table upon alloc failure
   - fix boolean argument in apparmor_mmap_file
   - Fix & Optimize table creation from possibly unaligned memory
   - Allow apparmor to handle unaligned dfa tables
   - fix NULL deref in aa_sock_file_perm
   - fix NULL pointer dereference in __unix_needs_revalidation
   - fix signedness bug in unpack_tags()"

* tag 'apparmor-pr-2026-02-18' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: (34 commits)
  apparmor: fix signedness bug in unpack_tags()
  apparmor: fix cast in format string DEBUG statement
  apparmor: fix aa_label to return state from compount and component match
  apparmor: fix fmt string type error in process_strs_entry
  apparmor: fix kernel-doc comments for inview
  apparmor: fix invalid deref of rawdata when export_binary is unset
  apparmor: add .kunitconfig
  apparmor: cleanup remove unused percpu critical sections in buffer management
  apparmor: document the buffer hold, add an overflow guard
  apparmor: avoid per-cpu hold underflow in aa_get_buffer
  apparmor: split xxx_in_ns into its two separate semantic use cases
  apparmor: make label_match return a consistent value
  apparmor: remove apply_modes_to_perms from label_match
  apparmor: fix fast path cache check for unix sockets
  apparmor: fix rlimit for posix cpu timers
  apparmor: refactor/cleanup cred helper fns.
  apparmor: fix label and profile debug macros
  apparmor: move check for aa_null file to cover all cases
  apparmor: guard against free routines being called with a NULL
  apparmor: return -ENOMEM in unpack_perms_table upon alloc failure
  ...
|
| #
2f53da43 |
| 25-Jan-2026 |
Ryota Sakamoto <sakamo.ryota@gmail.com> |
apparmor: add .kunitconfig
Add .kunitconfig file to the AppArmor directory to enable easy execution of KUnit tests.
AppArmor tests (CONFIG_SECURITY_APPARMOR_KUNIT_TEST) depend on CONFIG_SECURITY_APPARMOR which also depends on CONFIG_SECURITY and CONFIG_NET. Without explicitly enabling these configs in the .kunitconfig, developers will need to specify config manually.
With the .kunitconfig, developers can run the tests:
  $ ./tools/testing/kunit/kunit.py run --kunitconfig security/apparmor

Signed-off-by: Ryota Sakamoto <sakamo.ryota@gmail.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
|