[Focal,pull] apparmor - bug fixes

Message ID d8b7f674-b503-4368-ccd9-5dcdaf7255bf@canonical.com
State New

Pull-request

https://gitlab.com/jjohansen/apparmor-kernel.git apparmor

Message

John Johansen April 8, 2020, 4:38 p.m. UTC
The following pull request(s) are cherry-picks of fixes in the 5.5, 5.6 and apparmor-next kernels dropped on top of the focal kernels.

Two alternate pull requests are included below.

* base - the base set of bug fixes

* with memory patch - everything in base + a patch series (and its fixes) that reduces apparmor's memory use on high cpu count machines (apparmor is currently allocating 2*PAGESIZE buffers per vcpu). It also makes apparmor behave better in real time/low latency kernel situations (much shorter rcu critical sections). All of the patches involved in the memory patch series are in the upstream kernel.


The "with memory patch" series is a nice-to-have but is certainly not required, and at this point the base patch set is the safer set to pull in.



------------------------ base --------------------------------

The following changes since commit 3c24d247a86bb82cf89e640a241696387203ef0e:

  UBUNTU: Ubuntu-5.4.0-21.25 (2020-03-26 17:54:01 -0300)

are available in the Git repository at:

  https://gitlab.com/jjohansen/apparmor-kernel.git apparmor-nomem

for you to fetch changes up to ba2d4c305e9144c62eccb13e68475cc434d26d3d:

  UBUNTU: SAUCE: security/apparmor/label.c: Clean code by removing redundant instructions (2020-04-08 08:53:17 -0700)

----------------------------------------------------------------
John Johansen (6):
      UBUNTU: [Upstream] apparmor: increase left match history buffer size
      UBUNTU: SAUCE: apparmor: add a valid state flags check
      UBUNTU: SAUCE: aapparmor: add consistency check between state and dfa diff encode flags
      UBUNTU: SAUCE: aapparmor: remove useless aafs_create_symlink
      UBUNTU: SAUCE: aapparmor: fail unpack if profile mode is unknown
      UBUNTU: SAUCE: apparmor: ensure that dfa state tables have entries

Mateusz Nosek (1):
      UBUNTU: SAUCE: security/apparmor/label.c: Clean code by removing redundant instructions

Xiyu Yang (1):
      UBUNTU: SAUCE: apparmor: fix potential label refcnt leak in aa_change_profile

 security/apparmor/apparmorfs.c    | 50 +++++++--------------------------------
 security/apparmor/domain.c        |  3 +--
 security/apparmor/include/match.h |  7 ++++--
 security/apparmor/label.c         |  6 -----
 security/apparmor/match.c         | 21 +++++++++++++---
 security/apparmor/policy_unpack.c |  4 ++++
 6 files changed, 37 insertions(+), 54 deletions(-)




--------------------- with memory patch ----------------------

The following changes since commit 3c24d247a86bb82cf89e640a241696387203ef0e:

  UBUNTU: Ubuntu-5.4.0-21.25 (2020-03-26 17:54:01 -0300)

are available in the Git repository at:

  https://gitlab.com/jjohansen/apparmor-kernel.git apparmor

for you to fetch changes up to 588067c0a4a7551d747579155695fa39f75cdb96:

  UBUNTU: SAUCE: security/apparmor/label.c: Clean code by removing redundant instructions (2020-04-08 05:46:08 -0700)

----------------------------------------------------------------
John Johansen (10):
      UBUNTU: [Upstream] apparmor: increase left match history buffer size
      UBUNTU: [Upstream] apparmor: fix wrong buffer allocation in aa_new_mount
      UBUNTU: [Upstream] apparmor: reduce rcu_read_lock scope for aa_file_perm mediation
      UBUNTU: [Upstream] apparmor: make it so work buffers can be allocated from atomic context
      UBUNTU: [Upstream] apparmor: only get a label reference if the fast path check fails
      UBUNTU: SAUCE: apparmor: add a valid state flags check
      UBUNTU: SAUCE: aapparmor: add consistency check between state and dfa diff encode flags
      UBUNTU: SAUCE: aapparmor: remove useless aafs_create_symlink
      UBUNTU: SAUCE: aapparmor: fail unpack if profile mode is unknown
      UBUNTU: SAUCE: apparmor: ensure that dfa state tables have entries

Mateusz Nosek (1):
      UBUNTU: SAUCE: security/apparmor/label.c: Clean code by removing redundant instructions

Patrick Steinhardt (1):
      UBUNTU: [Upstream] apparmor: fix bind mounts aborting with -ENOMEM

Sebastian Andrzej Siewior (2):
      UBUNTU: [Upstream] apparmor: Use a memory pool instead per-CPU caches
      UBUNTU: [Upstream] apparmor: Switch to GFP_KERNEL where possible

Xiyu Yang (1):
      UBUNTU: SAUCE: apparmor: fix potential label refcnt leak in aa_change_profile

 security/apparmor/apparmorfs.c    |  50 +++----------
 security/apparmor/domain.c        |  49 ++++++-------
 security/apparmor/file.c          |  49 +++++++++----
 security/apparmor/include/file.h  |   2 +-
 security/apparmor/include/match.h |   7 +-
 security/apparmor/include/path.h  |  50 +------------
 security/apparmor/label.c         |   6 --
 security/apparmor/lsm.c           | 149 +++++++++++++++++++++++++++++---------
 security/apparmor/match.c         |  21 +++++-
 security/apparmor/mount.c         |  67 +++++++++++++----
 security/apparmor/policy_unpack.c |   4 +
 11 files changed, 259 insertions(+), 195 deletions(-)
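The per-CPU-cache versus shared-pool trade-off behind the "with memory patch" series, modelled in user space as an added example. This is not AppArmor's code, not the patch series, and not part of John's message: the 2*PAGESIZE buffer size follows the pull-request text, while PAGE_SIZE = 4096, the CPU count, the number of buffers per CPU, the pool cap and the workload shape are assumed parameters chosen only to illustrate how the footprint scales.

```c
/*
 * Added illustration, not AppArmor code. Compares the memory committed by
 * two ways of providing scratch buffers for mediation:
 *   A) one cache per CPU, sized at init regardless of load;
 *   B) a shared pool that grows to the peak number of concurrent users.
 * BUF_SIZE follows "2*PAGESIZE buffers" in the pull request; everything
 * else (PAGE_SIZE, POOL_MAX, the workload) is an assumed parameter.
 */
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define PAGE_SIZE 4096UL                 /* assumed 4 KiB pages */
#define BUF_SIZE  (2 * PAGE_SIZE)        /* 2*PAGESIZE per buffer, per the text */
#define POOL_MAX  64                     /* assumed cap on buffers parked in the pool */

/* Strategy A: every CPU owns bufs_per_cpu buffers from boot on, so the
 * footprint is a function of the CPU count, not of how busy the box is. */
size_t percpu_footprint(unsigned nr_cpus, unsigned bufs_per_cpu)
{
    return (size_t)nr_cpus * bufs_per_cpu * BUF_SIZE;
}

/* Strategy B: buffers are allocated on a miss and recycled through a
 * lock-protected free list, so the footprint tracks the high-water mark of
 * simultaneous holders. A spinlock stands in for the kernel-side lock. */
struct buf_pool {
    atomic_flag lock;
    void *free_list[POOL_MAX];
    size_t nfree;       /* buffers currently parked in free_list */
    size_t allocated;   /* buffers owned by the pool (parked or handed out) */
};

static void pool_lock(struct buf_pool *p)
{
    while (atomic_flag_test_and_set_explicit(&p->lock, memory_order_acquire))
        ;
}

static void pool_unlock(struct buf_pool *p)
{
    atomic_flag_clear_explicit(&p->lock, memory_order_release);
}

void pool_init(struct buf_pool *p)
{
    atomic_flag_clear(&p->lock);
    p->nfree = 0;
    p->allocated = 0;
}

void *pool_get(struct buf_pool *p)
{
    void *buf = NULL;
    pool_lock(p);
    if (p->nfree > 0)
        buf = p->free_list[--p->nfree];   /* hit: reuse, no new memory */
    pool_unlock(p);
    if (!buf) {
        buf = malloc(BUF_SIZE);           /* miss: grow the pool by one buffer */
        if (buf) {
            pool_lock(p);
            p->allocated++;
            pool_unlock(p);
        }
    }
    return buf;
}

void pool_put(struct buf_pool *p, void *buf)
{
    pool_lock(p);
    if (p->nfree < POOL_MAX) {
        p->free_list[p->nfree++] = buf;   /* park it for the next user */
        pool_unlock(p);
        return;
    }
    p->allocated--;                       /* cache is full: release it */
    pool_unlock(p);
    free(buf);
}

size_t pool_footprint(const struct buf_pool *p)
{
    return p->allocated * BUF_SIZE;
}

/* Drive a fresh pool with `rounds` rounds of max_concurrent simultaneous
 * holders and return the bytes the pool owns afterwards. The pool only
 * ever grows to the peak of the first round; later rounds are all hits. */
size_t pool_footprint_after_workload(unsigned max_concurrent, unsigned rounds)
{
    struct buf_pool p;
    void *held[POOL_MAX];
    if (max_concurrent > POOL_MAX)
        max_concurrent = POOL_MAX;
    pool_init(&p);
    for (unsigned r = 0; r < rounds; r++) {
        for (unsigned i = 0; i < max_concurrent; i++)
            held[i] = pool_get(&p);
        for (unsigned i = 0; i < max_concurrent; i++)
            pool_put(&p, held[i]);
    }
    size_t bytes = pool_footprint(&p);
    while (p.nfree > 0) {                 /* drain so the model leaks nothing */
        free(p.free_list[--p.nfree]);
        p.allocated--;
    }
    return bytes;
}

int main(void)
{
    unsigned nr_cpus = 256, bufs_per_cpu = 2, peak = 8;   /* assumed machine and load */
    printf("per-CPU caches, %u CPUs x %u buffers: %zu KiB\n", nr_cpus, bufs_per_cpu,
           percpu_footprint(nr_cpus, bufs_per_cpu) / 1024);
    printf("shared pool, peak %u concurrent holders: %zu KiB\n", peak,
           pool_footprint_after_workload(peak, 1000) / 1024);
    return 0;
}
```

With the assumed numbers the per-CPU scheme commits 4 MiB on a 256-CPU machine before a single file access is mediated, while the pool settles at 64 KiB because it only ever grows to the peak number of concurrent holders. The pool also decouples the buffer from the CPU the task happens to be on: a per-CPU buffer can only be used while the task stays pinned to that CPU, which is the kind of long non-preemptible section the real-time/low-latency remark in the pull request refers to.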

Comments

Seth Forshee April 9, 2020, 9:11 p.m. UTC | #1
On Wed, Apr 08, 2020 at 09:38:15AM -0700, John Johansen wrote:
> The following pull request(s) are cherry-picks of fixes in the 5.5, 5.6 and apparmor-next kernels dropped on top of the focal kernels.
> 
> Two alternate pull requests are included below.
> 
> * base - the base set of bug fixes
> 
> * with memory patch - everything in base + a patch series (and its fixes) that reduces apparmor's memory use on high cpu count machines (apparmor is currently allocating 2*PAGESIZE buffers per vcpu). It also makes apparmor behave better in real time/low latency kernel situations (much shorter rcu critical sections). All of the patches involved in the memory patch series are in the upstream kernel.
> 
> 
> The "with memory patch" series is a nice-to-have but is certainly not required, and at this point the base patch set is the safer set to pull in.

Being this close to release, I've opted to play it safe and apply the
base set. I've applied those to focal/master-next, and the SAUCE patches
to unstable/master. Thanks!