From patchwork Tue Apr 10 17:01:16 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: John Johansen
X-Patchwork-Id: 896830
Return-Path:
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=)
Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com
Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 40LD3B0LYNz9rx7; Wed, 11 Apr 2018 03:01:26 +1000 (AEST)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1f5we0-0007Sy-5F; Tue, 10 Apr 2018 17:01:20 +0000
Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.86_2) (envelope-from ) id 1f5wdy-0007Sj-Pu for kernel-team@lists.ubuntu.com; Tue, 10 Apr 2018 17:01:18 +0000
Received: from static-50-53-54-67.bvtn.or.frontiernet.net ([50.53.54.67] helo=[192.168.192.153]) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1f5wdy-0003lk-DO; Tue, 10 Apr 2018 17:01:18 +0000
To: Kernel team list
From: John Johansen
Subject: [Bionic][request-pull] LSM stacking for bionic
Organization: Canonical
Message-ID: <11ca541d-391c-48bd-9468-a9140be1cccc@canonical.com>
Date: Tue, 10 Apr 2018 10:01:16 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
Content-Language: en-GB
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team"

This is the LSM stacking patchset for bionic. It is based on the first
five patches of the most recent upstream revision (contains several bug
fixes), and the set of patches from artful ported to the revised base.

It includes a revision to the Kconfig, and Ubuntu config settings so
that it can share the same config enforcement rules as non-stacking
kernels.

The following changes since commit f02c5a422e9026ff83ca56dd6b1b1164f408ee8b:

  UBUNTU: Ubuntu-4.15.0-12.13 (2018-03-07 22:09:44 +0100)

are available in the git repository at:

  ssh://kernel.ubuntu.com/srv/kernel.ubuntu.com/git/jj/ubuntu-artful.git bionic-stacking

for you to fetch changes up to 082eeecf55bfcfdc3771f62d86d0c235428bca91:

  UBUNTU: SAUCE: LSM stacking: remove procfs context interface (2018-04-10 08:45:45 -0700)

----------------------------------------------------------------
Casey Schaufler (6):
      UBUNTU: SAUCE: LSM stacking: procfs: add smack subdir to attrs
      UBUNTU: SAUCE: LSM stacking: LSM: Manage credential security blobs
      UBUNTU: SAUCE: LSM stacking: LSM: Manage file security blobs
      UBUNTU: SAUCE: LSM stacking: LSM: Manage task security blobs
      UBUNTU: SAUCE: LSM stacking: LSM: Manage remaining security blobs
      UBUNTU: SAUCE: LSM stacking: LSM: General stacking

Colin Ian King (1):
      UBUNTU: SAUCE: LSM stacking: check for invalid zero sized writes

John Johansen (18):
      UBUNTU: SAUCE: LSM stacking: fixup initialize task->security
      UBUNTU: SAUCE: LSM stacking: fixup: alloc_task_ctx is dead code
      UBUNTU: SAUCE: LSM stacking: add support for stacking getpeersec_stream
      UBUNTU: SAUCE: LSM stacking: add stacking support to apparmor network hooks
      UBUNTU: SAUCE: LSM stacking: fixup apparmor stacking enablement
      UBUNTU: SAUCE: LSM stacking: fixup stacking kconfig
      UBUNTU: SAUCE: LSM stacking: allow selecting multiple LSMs using kernel boot params
      UBUNTU: SAUCE: LSM stacking: provide prctl interface for setting context
      UBUNTU: SAUCE: LSM stacking: inherit current display LSM
      UBUNTU: SAUCE: LSM stacking: keep an index for each registered LSM
      UBUNTU: SAUCE: LSM stacking: verify display LSM
      UBUNTU: SAUCE: LSM stacking: provide a way to specify the default display lsm
      UBUNTU: SAUCE: LSM stacking: make sure LSM blob align on 64 bit boundaries
      UBUNTU: SAUCE: LSM stacking: add /proc//attr/display_lsm
      UBUNTU: SAUCE: LSM stacking: add Kconfig to set default display LSM
      UBUNTU: SAUCE: LSM stacking: add configs for LSM stacking
      UBUNTU: SAUCE: LSM stacking: add apparmor and selinux proc dirs
      UBUNTU: SAUCE: LSM stacking: remove procfs context interface

 Documentation/admin-guide/LSM/index.rst   |  23 +-
 debian.master/config/annotations          |   5 +
 debian.master/config/config.common.ubuntu |  12 +-
 fs/proc/base.c                            |  96 +++-
 fs/proc/internal.h                        |   1 +
 include/linux/lsm_hooks.h                 |  40 +-
 include/linux/security.h                  |  15 +-
 include/uapi/linux/prctl.h                |   4 +
 kernel/cred.c                             |  13 -
 kernel/fork.c                             |   3 +
 security/Kconfig                          | 165 ++++++-
 security/apparmor/context.c               |  12 -
 security/apparmor/include/context.h       |  25 +-
 security/apparmor/include/file.h          |   2 +-
 security/apparmor/include/net.h           |  12 +-
 security/apparmor/lsm.c                   |  84 ++--
 security/security.c                       | 776 +++++++++++++++++++++++++++++-
 security/selinux/hooks.c                  | 490 ++++++-------------
 security/selinux/include/objsec.h         |  87 +++-
 security/selinux/netlabel.c               |  15 +-
 security/selinux/selinuxfs.c              |   5 +-
 security/selinux/ss/services.c            |   3 +-
 security/selinux/xfrm.c                   |   4 +-
 security/smack/smack.h                    |  90 +++-
 security/smack/smack_access.c             |   2 +-
 security/smack/smack_lsm.c                | 530 +++++++------------
 security/smack/smack_netfilter.c          |   8 +-
 security/smack/smackfs.c                  |  18 +-
 security/tomoyo/common.h                  |  31 +-
 security/tomoyo/domain.c                  |   4 +-
 security/tomoyo/securityfs_if.c           |  15 +-
 security/tomoyo/tomoyo.c                  |  57 ++-
 32 files changed, 1777 insertions(+), 870 deletions(-)