apparmor: fix apparmor mediating locking non-fs unix sockets

the v8 and earlier policy does not encode the locking permission for
no-fs unix sockets. However the kernel is enforcing mediation.

Add

apparmor: fix apparmor mediating locking non-fs unix sockets

the v8 and earlier policy does not encode the locking permission for
no-fs unix sockets. However the kernel is enforcing mediation.

Add the AA_MAY_LOCK perm to v8 and earlier computed perm mask which will
grant permission for all current abi profiles, but still allow specifying
auditing of the operation if needed.

Link: http://bugs.launchpad.net/bugs/1780227
Signed-off-by: John Johansen <john.johansen@canonical.com>

show more ...

apparmor: Fix abi check to include v8 abi

The v8 abi is supported by the kernel but the userspace supported
version check does not allow for it. This was missed when v8 was added
due to a bug in the

apparmor: Fix abi check to include v8 abi

The v8 abi is supported by the kernel but the userspace supported
version check does not allow for it. This was missed when v8 was added
due to a bug in the userspace compiler which was setting an older abi
version for v8 encoding (which is forward compatible except on the
network encoding). However it is possible to detect the network
encoding by checking the policydb network support which the code
does. The end result was that missing the abi flag worked until
userspace was fixed and began correctly checking for the v8 abi
version.

Fixes: 56974a6fcfef ("apparmor: add base infastructure for socket mediation")
Signed-off-by: John Johansen <john.johansen@canonical.com>

show more ...

apparmor: preparse for state being more than just an integer

Convert from an unsigned int to a state_t for state position. This is
a step in prepping for the state position carrying some additional

apparmor: preparse for state being more than just an integer

Convert from an unsigned int to a state_t for state position. This is
a step in prepping for the state position carrying some additional
flags, and a limited form of backtracking to support variables.

Signed-off-by: John Johansen <john.johansen@canonical.com>

show more ...

apparmor: convert policy lookup to use accept as an index

Remap polidydb dfa accept table from embedded perms to an index, and
then move the perm lookup to use the accept entry as an index into the

apparmor: convert policy lookup to use accept as an index

Remap polidydb dfa accept table from embedded perms to an index, and
then move the perm lookup to use the accept entry as an index into the
perm table. This is done so that the perm table can be separated from
the dfa, allowing dfa accept to index to share expanded permission
sets.

Signed-off-by: John Johansen <john.johansen@canonical.com>

show more ...

apparmor: convert xmatch lookup to use accept as an index

Remap xmatch dfa accept table from embedded perms to an index and then
move xmatch lookup to use accept entry to index into the xmatch table

apparmor: convert xmatch lookup to use accept as an index

Remap xmatch dfa accept table from embedded perms to an index and then
move xmatch lookup to use accept entry to index into the xmatch table.

This is step towards unifying permission lookup and reducing the
size of permissions tables.

Signed-off-by: John Johansen <john.johansen@canonical.com>

show more ...

apparmor: convert fperm lookup to use accept as an index

Remap file dfa accept table from embedded perms to index and then move
fperm lookup to use the accept entry as an index into the fperm table.

apparmor: convert fperm lookup to use accept as an index

Remap file dfa accept table from embedded perms to index and then move
fperm lookup to use the accept entry as an index into the fperm table.

This is a step toward unifying permission lookup.

Signed-off-by: John Johansen <john.johansen@canonical.com>

show more ...

apparmor: convert xmatch to using the new shared policydb struct

continue permission unification by converting xmatch to use the
policydb struct that is used by the other profile dfas.

Signed-off-b

apparmor: convert xmatch to using the new shared policydb struct

continue permission unification by converting xmatch to use the
policydb struct that is used by the other profile dfas.

Signed-off-by: John Johansen <john.johansen@canonical.com>

show more ...

apparmor: combine file_rules and aa_policydb into a single shared struct

file_rules and policydb are almost the same and will need the same
features in the future so combine them.

Signed-off-by: Jo

apparmor: combine file_rules and aa_policydb into a single shared struct

file_rules and policydb are almost the same and will need the same
features in the future so combine them.

Signed-off-by: John Johansen <john.johansen@canonical.com>

show more ...

apparmor: compute policydb permission on profile load

Rather than computing policydb permissions for each access
permissions can be computed once on profile load and stored for lookup.

Signed-off-b

apparmor: compute policydb permission on profile load

Rather than computing policydb permissions for each access
permissions can be computed once on profile load and stored for lookup.

Signed-off-by: John Johansen <john.johansen@canonical.com>

show more ...

apparmor: convert xmatch to use aa_perms structure

Convert xmatch from using perms encoded in the accept entry of the
dfa to the common external aa_perms in a table.

Signed-off-by: John Johansen <j

apparmor: convert xmatch to use aa_perms structure

Convert xmatch from using perms encoded in the accept entry of the
dfa to the common external aa_perms in a table.

Signed-off-by: John Johansen <john.johansen@canonical.com>

show more ...

apparmor: rework and cleanup fperm computation

shorten the name of some of the mapping functions which shortens line
lengths.

change the mapping so it returns the perm table instead of operating
di

apparmor: rework and cleanup fperm computation

shorten the name of some of the mapping functions which shortens line
lengths.

change the mapping so it returns the perm table instead of operating
directly on the file struct.

Handle potential memory allocation failure.

Signed-off-by: John Johansen <john.johansen@canonical.com>

show more ...

apparmor: move fperm computation into policy_unpack

fperm computation is only needed during policy_unpack so move the
code there to isolate it fromt the run time code.

Signed-off-by: John Johansen

apparmor: move fperm computation into policy_unpack

fperm computation is only needed during policy_unpack so move the
code there to isolate it fromt the run time code.

Signed-off-by: John Johansen <john.johansen@canonical.com>

show more ...

apparmor: compute xmatch permissions on profile load

Rather than computing xmatch permissions each time access is requested,
these permissions can be computed once on profile load and stored for
loo

apparmor: compute xmatch permissions on profile load

Rather than computing xmatch permissions each time access is requested,
these permissions can be computed once on profile load and stored for
lookup.

Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

show more ...

apparmor: compute file permissions on profile load

Rather than computing file permissions for each file access, file
permissions can be computed once on profile load and stored for lookup.

Signed-o

apparmor: compute file permissions on profile load

Rather than computing file permissions for each file access, file
permissions can be computed once on profile load and stored for lookup.

Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

show more ...

apparmor: use zstd compression for profile data

Change the algorithm used by apparmor to compress profile data from
zlib to zstd, using the new zstd API introduced in 5.16.

Zstd provides a larger r

apparmor: use zstd compression for profile data

Change the algorithm used by apparmor to compress profile data from
zlib to zstd, using the new zstd API introduced in 5.16.

Zstd provides a larger range of compression levels than zlib and
significantly better performance at the default level (for a relatively
small increase in compressed size).

The apparmor module parameter raw_data_compression_level is now clamped
to the minimum and maximum compression levels reported by the zstd
library. A compression level of 0 retains the previous behavior of
disabling policy compression instead of using zstd's behavior, which is
to use the default compression level.

Signed-off-by: Jon Tourville <jon.tourville@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

show more ...

Merge drm/drm-next into drm-intel-gt-next

Daniele needs 84d4333c1e28 ("misc/mei: Add NULL check to component match
callback functions") in order to merge the DG2 HuC patches.

Signed-off-by: Tvrtko

Merge drm/drm-next into drm-intel-gt-next

Daniele needs 84d4333c1e28 ("misc/mei: Add NULL check to component match
callback functions") in order to merge the DG2 HuC patches.

Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>

show more ...

Merge branch 'for-6.1/nvdimm' into libnvdimm-for-next

Add v6.1 content on top of some straggling updates that missed v6.0.

Merge branch 'mlx5-vfio' into mlx5-next

Merge net/mlx5 dependencies for device DMA logging.

Signed-off-by: Leon Romanovsky <leonro@nvidia.com>

Merge branch 'for-6.0/dax' into libnvdimm-fixes

Pick up another "Soft Reservation" fix for v6.0-final on top of some
straggling nvdimm fixes that missed v5.19.

Merge tag 'v6.0-rc6' into locking/core, to refresh the branch

Signed-off-by: Ingo Molnar <mingo@kernel.org>

Merge drm/drm-next into drm-misc-next

We need 6.0-rc1 to merge the backlight rework PR.

Signed-off-by: Maxime Ripard <maxime@cerno.tech>

Merge branch 'am5748-fix' into fixes

Merge branch 'linus' into x86/mm, to refresh the branch

This branch is ~14k commits behind upstream, and has an old merge base
from early into the merge window, refresh it to v6.0-rc3+fixes before
q

Merge branch 'linus' into x86/mm, to refresh the branch

This branch is ~14k commits behind upstream, and has an old merge base
from early into the merge window, refresh it to v6.0-rc3+fixes before
queueing up new commits.

Signed-off-by: Ingo Molnar <mingo@kernel.org>

show more ...

Merge branch 'sched/warnings' into sched/core, to pick up WARN_ON_ONCE() conversion commit

Merge in the BUG_ON() => WARN_ON_ONCE() conversion commit.

Signed-off-by: Ingo Molnar <mingo@kernel.org>

Merge drm/drm-next into drm-intel-next

Sync drm-intel-next with v6.0-rc as well as recent drm-intel-gt-next.

Since drm-next does not have commit f0c70d41e4e8 ("drm/i915/guc: remove
runtime info pri

Merge drm/drm-next into drm-intel-next

Sync drm-intel-next with v6.0-rc as well as recent drm-intel-gt-next.

Since drm-next does not have commit f0c70d41e4e8 ("drm/i915/guc: remove
runtime info printing from time stamp logging") yet, only
drm-intel-gt-next, will need to do that as part of the merge here to
build.

Signed-off-by: Jani Nikula <jani.nikula@intel.com>

show more ...