This is the seventh general posting of the newest version of the AppArmor security module. It has been rewritten to use the security_path hooks instead of the previous vfs approach. The current implementation is aimed at being as semantically close to previous versions of AppArmor as possible while using the existing LSM infrastructure. Development is ongoing and improvements to file, capability, network, resource usage and ipc mediation are planned. With this submission we believe AppArmor is ready for inclusion into the kernel.

_Issues NOT specifically addressed_
* The d_namespace_path function still manually strips the " (deleted)" string that __d_path appends. A fix to __d_path is being pursued independently of the AppArmor submission. http://lkml.org/lkml/2010/7/6/186

_Issues Addressed Since Last Time AppArmor was Posted_
All changes requested by feedback
* Add comment for embedded \0 in fqnames and their validation
* Add comment for kvmalloc minimum size of work_struct when falling back to vmalloc
* Spell check of comments and general cleanup of any needed changes found during the spell check.
* updated aa_info_message
* removed extraneous if (profile) checks
* removed unused AA_NEW_SID symbol
* added __init and __initdata to fns and variables where appropriate
* removed patch text not related to apparmor that was being added to Documentation/kernel-parameters.txt

Misc fixes and cleanups as a result of the above changes
* fixed missing include for vmalloc.h in lib.c that would cause build failure on some platforms
* Added simple Documentation/apparmor.txt

A detailed list of all changes and patches is available from the AppArmor git repository, from commit 5e43ceab0299aa8ee786e17048a31a865de3163f

The AppArmor project has recently transitioned away from Novell forge. Code and documentation can be found at the following locations
* Mailing List - apparmor@lists.ubuntu.com
* Documentation (wip) - http://apparmor.wiki.kernel.org/
* User space ...
Miscellaneous functions and defines needed by AppArmor, including
the base path resolution routines.
Signed-off-by: John Johansen <john.johansen@canonical.com>
---
security/apparmor/include/apparmor.h | 92 +++++++++++++
security/apparmor/include/path.h | 31 +++++
security/apparmor/lib.c | 133 +++++++++++++++++++
security/apparmor/path.c | 235 ++++++++++++++++++++++++++++++++++
4 files changed, 491 insertions(+), 0 deletions(-)
create mode 100644 security/apparmor/include/apparmor.h
create mode 100644 security/apparmor/include/path.h
create mode 100644 security/apparmor/lib.c
create mode 100644 security/apparmor/path.c
diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
new file mode 100644
index 0000000..38ccaea
--- /dev/null
+++ b/security/apparmor/include/apparmor.h
@@ -0,0 +1,92 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor basic global and lib definitions
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#ifndef __APPARMOR_H
+#define __APPARMOR_H
+
+#include <linux/fs.h>
+
+#include "match.h"
+
+/* Control parameters settable through module/boot flags */
+extern enum audit_mode aa_g_audit;
+extern int aa_g_audit_header;
+extern int aa_g_debug;
+extern int aa_g_lock_policy;
+extern int aa_g_logsyscall;
+extern int aa_g_paranoid_load;
+extern unsigned int aa_g_path_max;
+
+/*
+ * DEBUG remains global (no per profile flag) since it is mostly used in sysctl
+ * which is not related to profile accesses.
+ */
+
+#define AA_DEBUG(fmt, args...) \
+ do { \
+ if (aa_g_debug && printk_ratelimit()) \
+ printk(KERN_DEBUG "AppArmor: " fmt, ##args); \
+ } while (0)
+
+#define ...On Fri, Jul 30, 2010 at 12:47 AM, John Johansen 16 pages is a lot of memory for 64 K pages. What's the purpose of Please don't hide this into apparmor internals. People have invented I don't understand this part here. Is it needed for interrupt contexts or does vfree() sleep somewhere? If it's for the former, I think we can just add a comment saying that kvmalloc/kvfree is not safe from --
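Review bot: "extern enum audit_mode aa_g_audit;" declares a variable of an enum type that nothing visible in this header defines (only <linux/fs.h> and "match.h" are included before it). Referring to an enum before its definition is a GCC extension rather than standard C (-pedantic flags it as a forward reference to an enum type), so include the header that defines enum audit_mode here, or move the extern into that header. The AA_DEBUG macro is fine as written: testing aa_g_debug before printk_ratelimit() means the ratelimit state is only consumed when debugging is actually on.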
yes it is, and I don't expect it will ever allocate that much, though it will occasionally with large policies do allocations larger than 16*4K. The figure here is somewhat arbitrary, and I would certainly be willing to shrink it. Basically it is there to put a clamp on allocating precious

yep, and it used to be GFP_KERNEL too, looking back GFP_NOIO happened when poking at a bug where apparmor was triggering an IO when it was allocating its memory. Turned out the bug wasn't apparmor related, just being triggered while apparmor was loading policy, but the GFP_NOIO flag stuck here.

sure, I would be more than willing to replace this with a generic system fn. The last attempt I saw at adding generic routines of this nature was here

vfree can sleep, and skipping the schedule_work parts won't work for apparmor as many of these allocations are being freed via rcu callbacks as most of our object life cycles are dependent on cred refcounting. --
On Fri, Jul 30, 2010 at 1:01 PM, John Johansen Can someone point me to where vfree() actually sleeps? I'm unable to find the exact spot. --
http://lxr.linux.no/linux+v2.6.34.1/mm/vmalloc.c#L1405 . vfree -> __vunmap, vunmap -> __vunmap, and there is a might_sleep() function in vunmap. BTW: I'll respin the kvmalloc patch later. Thanks. -- Regards, Changli Gao(xiaosuo@gmail.com) --
Yes, but that doesn't answer my question. Where's the actual call-site Great! --
Update lsm_audit for AppArmor specific data, and add the core routines
AppArmor uses for auditing.
Signed-off-by: John Johansen <john.johansen@canonical.com>
---
include/linux/lsm_audit.h | 27 +++++
security/apparmor/audit.c | 215 +++++++++++++++++++++++++++++++++++++
security/apparmor/include/audit.h | 123 +++++++++++++++++++++
3 files changed, 365 insertions(+), 0 deletions(-)
create mode 100644 security/apparmor/audit.c
create mode 100644 security/apparmor/include/audit.h
diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index 6907251..13b5c9a 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -94,6 +94,33 @@ struct common_audit_data {
int result;
} selinux_audit_data;
#endif
+#ifdef CONFIG_SECURITY_APPARMOR
+ struct {
+ int error;
+ int op;
+ int type;
+ void *profile;
+ const char *name;
+ const char *info;
+ union {
+ void *target;
+ struct {
+ long pos;
+ void *target;
+ } iface;
+ struct {
+ int rlim;
+ unsigned long max;
+ } rlim;
+ struct {
+ const char *target;
+ u32 request;
+ u32 denied;
+ uid_t ouid;
+ } fs;
+ };
+ } apparmor_audit_data;
+#endif
};
/* these callback will be implemented by a specific LSM */
void (*lsm_pre_audit)(struct audit_buffer *, void *);
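Review bot: the new apparmor_audit_data block uses "void *profile" and "void *target" where a forward declaration ("struct aa_profile;") would allow typed pointers without pulling AppArmor headers into lsm_audit.h; as written the compiler cannot catch a caller handing in the wrong object, and readers of lsm_audit.h get no hint what "target" is in each union arm. Also consider a short comment on "op" and "type", since their meaning is only defined by AppArmor-internal enums.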
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
new file mode 100644
index 0000000..96502b2
--- /dev/null
+++ b/security/apparmor/audit.c
@@ -0,0 +1,215 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor auditing functions
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#include <linux/audit.h>
+#include ...AppArmor contexts attach profiles and state to tasks, files, etc. when
a direct profile reference is not sufficient.
Signed-off-by: John Johansen <john.johansen@canonical.com>
---
security/apparmor/context.c | 216 +++++++++++++++++++++++++++++++++++
security/apparmor/include/context.h | 154 +++++++++++++++++++++++++
2 files changed, 370 insertions(+), 0 deletions(-)
create mode 100644 security/apparmor/context.c
create mode 100644 security/apparmor/include/context.h
diff --git a/security/apparmor/context.c b/security/apparmor/context.c
new file mode 100644
index 0000000..8a9b502
--- /dev/null
+++ b/security/apparmor/context.c
@@ -0,0 +1,216 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor functions used to manipulate object security
+ * contexts.
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ *
+ * AppArmor sets confinement on every task, via the the aa_task_cxt and
+ * the aa_task_cxt.profile, both of which are required and are not allowed
+ * to be NULL. The aa_task_cxt is not reference counted and is unique
+ * to each cred (which is reference count). The profile pointed to by
+ * the task_cxt is reference counted.
+ *
+ * TODO
+ * If a task uses change_hat it currently does not return to the old
+ * cred or task context but instead creates a new one. Ideally the task
+ * should return to the previous cred if it has not been modified.
+ *
+ */
+
+#include "include/context.h"
+#include "include/policy.h"
+
+/**
+ * aa_alloc_task_context - allocate a new task_cxt
+ * @flags: gfp flags for allocation
+ *
+ * Returns: allocated buffer or NULL on failure
+ */
+struct aa_task_cxt *aa_alloc_task_context(gfp_t flags)
+{
+ return kzalloc(sizeof(struct aa_task_cxt), ...A basic dfa matching engine based off the dfa engine in the Dragon Book. It uses simple row comb compression with a check field. This allows AppArmor to do pattern matching in linear time, and also avoids stack issues that an nfa based engine may have. The dfa engine uses a byte based comparison, with all values being valid. Any potential character encoding are handled user side when the dfa tables are created. By convention AppArmor uses \0 to separate two dependent path matches since \0 is not a valid path character (this is done in the link permission check). The dfa tables are generated in user space and are verified at load time to be internally consistent. There are several future improvements planned for the dfa engine: * The dfa engine may be converted to a hybrid nfa-dfa engine, with a fixed size limited stack. This would allow for size time tradeoffs, by inserting limited nfa states to help control state explosion that can occur with dfas. * The dfa engine may pickup the ability to do limited dynamic variable matching, instead of fixing all variables at policy load time. Signed-off-by: John Johansen <john.johansen@canonical.com> --- security/apparmor/include/match.h | 132 ++++++++++++++ security/apparmor/match.c | 353 +++++++++++++++++++++++++++++++++++++ 2 files changed, 485 insertions(+), 0 deletions(-) create mode 100644 security/apparmor/include/match.h create mode 100644 security/apparmor/match.c diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h new file mode 100644 index 0000000..734a6d3 --- /dev/null +++ b/security/apparmor/include/match.h 
@@ -0,0 +1,132 @@ +/* + * AppArmor security module + * + * This file contains AppArmor policy dfa matching engine definitions. + * + * Copyright (C) 1998-2008 Novell/SUSE + * Copyright 2009-2010 Canonical Ltd. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License ...
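The comb-compressed lookup and the load-time table verification that the match.c description above talks about, as an added example that is not part of the submission (constructed C in the style of AppArmor's default/base/next/check tables, not security/apparmor/match.c; the two-rule toy policy "/a r" and "/b/** rw" and all table names are made up, and the tables are packed by hand so that the overlaid rows are visible):

```c
/* Constructed example of a comb-compressed DFA lookup with a check field
 * (default/base/next/check tables), not AppArmor's security/apparmor/match.c.
 * The tables encode a made-up two-rule policy, "/a r" and "/b/** rw". */
#include <stddef.h>
#include <string.h>

#define NSTATES 7                /* 0 = dead state, 1 = start state */
#define TAB_LEN (1 + 256)        /* bases in use are 0 and 1 */
#define PERM_R  4
#define PERM_W  2

/* Transitions: 1 -'/'-> 2, 2 -'a'-> 3, 2 -'b'-> 4, 4 -'/'-> 5,
 * 5 -any-> 6, 6 -any-> 6.  State 3 accepts r, state 6 accepts rw.
 * Rows for states 1 and 2 share base 0 (their used bytes differ); state 4
 * also needs '/' (47), so it is shifted to base 1 and lands in slot 48.
 * An unused slot has check == 0, i.e. is "owned" by the dead state, which
 * is safe because every path out of state 0 leads back to state 0. */
static int aa_base[NSTATES]  = { 0, 0, 0, 0, 1, 0, 0 };
static int aa_def[NSTATES]   = { 0, 0, 0, 0, 0, 6, 6 };
static int aa_next[TAB_LEN]  = { [47] = 2, [97] = 3, [98] = 4, [48] = 5 };
static int aa_check[TAB_LEN] = { [47] = 1, [97] = 2, [98] = 2, [48] = 4 };
static unsigned aa_accept[NSTATES] = { 0, 0, 0, PERM_R, 0, 0, PERM_R | PERM_W };

/* Load-time verification of tables handed in from user space: every index a
 * match can touch must be in range, or a crafted blob could make the engine
 * read or jump outside the tables. Returns 1 when the tables are consistent. */
static int verify_tables(void)
{
    for (int s = 0; s < NSTATES; s++)
        if (aa_def[s] < 0 || aa_def[s] >= NSTATES ||
            aa_base[s] < 0 || aa_base[s] + 255 >= TAB_LEN)
            return 0;
    for (int i = 0; i < TAB_LEN; i++)
        if (aa_next[i] < 0 || aa_next[i] >= NSTATES ||
            aa_check[i] < 0 || aa_check[i] >= NSTATES)
            return 0;
    return 1;
}

/* One table probe per input byte: linear time, no stack, and every byte
 * value 0..255 is valid input ('\0' included, which is what lets two
 * dependent paths be matched as a single '\0'-joined string). */
static unsigned aa_dfa_match(const unsigned char *str, size_t len)
{
    int s = 1;
    for (size_t i = 0; i < len; i++) {
        int pos = aa_base[s] + str[i];
        s = (aa_check[pos] == s) ? aa_next[pos] : aa_def[s];
    }
    return aa_accept[s];
}

/* Convenience wrapper for C strings (stops at the first '\0'). */
static unsigned match_path(const char *path)
{
    return aa_dfa_match((const unsigned char *)path, strlen(path));
}

/* Simulate a malformed blob: an out-of-range next[] entry must be rejected
 * by verification instead of being dereferenced during a later match. */
static int verify_rejects_bad_next(void)
{
    int saved = aa_next[47], rejected;
    aa_next[47] = NSTATES;       /* one past the last valid state */
    rejected = !verify_tables();
    aa_next[47] = saved;
    return rejected;
}
```

Note that "/b/" alone does not match "/b/**" here (the loop requires at least one more byte), and that a '\0' in the middle of the input is an ordinary transition for the engine, so only the caller's choice of length decides whether it is a separator or a terminator.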
AppArmor does files enforcement via pathname matching. Matching is done at file open using a dfa match engine. Permission is against the final file object not parent directories, ie. the traversal of directories as part of the file match is implicitly allowed. In the case of nonexistant files (creation) permissions are checked against the target file not the directory. eg. In case of creating the file /dir/new, permissions are checked against the match /dir/new not against /dir/. The permissions for matches are currently stored in the dfa accept table, but this will change to allow for dfa reuse and also to allow for sharing of wider accept states. Signed-off-by: John Johansen <john.johansen@canonical.com> --- security/apparmor/file.c | 457 ++++++++++++++++++++++++++++++++++++++ security/apparmor/include/file.h | 217 ++++++++++++++++++ 2 files changed, 674 insertions(+), 0 deletions(-) create mode 100644 security/apparmor/file.c create mode 100644 security/apparmor/include/file.h diff --git a/security/apparmor/file.c b/security/apparmor/file.c new file mode 100644 index 0000000..7312db7 --- /dev/null +++ b/security/apparmor/file.c @@ -0,0 +1,457 @@ +/* + * AppArmor security module + * + * This file contains AppArmor mediation of files + * + * Copyright (C) 1998-2008 Novell/SUSE + * Copyright 2009-2010 Canonical Ltd. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation, version 2 of the + * License. + */ + +#include "include/apparmor.h" +#include "include/audit.h" +#include "include/file.h" +#include "include/match.h" +#include "include/path.h" +#include "include/policy.h" + +struct file_perms nullperms; + + +/** + * audit_file_mask - convert mask to permission string + * @buffer: buffer to write string to (NOT NULL) + * @mask: permission mask to convert + */ +static void audit_file_mask(struct audit_buffer ...
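Review bot: "struct file_perms nullperms;" in file.c is a writable, non-static global that serves as the all-zero permission set. Declare it const (and static unless include/file.h exports it) so that a stray write cannot turn "no permissions" into something else and the compiler can place it in read-only data; if other files need it, export it as "extern const struct file_perms nullperms;" from the header.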
AppArmor routines for controling domain transitions, which can occur at exec or through self directed change_profile/change_hat calls. Unconfined tasks are checked at exec against the profiles in the confining profile namespace to determine if a profile should be attached to the task. Confined tasks execs are controlled by the profile which provides rules determining which execs are allowed and if so which profiles should be transitioned to. Self directed domain transitions allow a task to request transition to a given profile. If the transition is allowed then the profile will be applied, either immeditately or at exec time depending on the request. Immeditate self directed transitions have several security limitations but have uses in setting up stub transition profiles and other limited cases. Signed-off-by: John Johansen <john.johansen@canonical.com> --- security/apparmor/domain.c | 823 ++++++++++++++++++++++++++++++++++++ security/apparmor/include/domain.h | 36 ++ 2 files changed, 859 insertions(+), 0 deletions(-) create mode 100644 security/apparmor/domain.c create mode 100644 security/apparmor/include/domain.h diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c new file mode 100644 index 0000000..08bbe63 --- /dev/null +++ b/security/apparmor/domain.c @@ -0,0 +1,823 @@ +/* + * AppArmor security module + * + * This file contains AppArmor policy attachment and domain transitions + * + * Copyright (C) 2002-2008 Novell/SUSE + * Copyright 2009-2010 Canonical Ltd. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation, version 2 of the + * License. + */ + +#include <linux/errno.h> +#include <linux/fdtable.h> +#include <linux/file.h> +#include <linux/mount.h> +#include <linux/syscalls.h> +#include <linux/tracehook.h> +#include <linux/personality.h> + +#include "include/audit.h" +#include ...
Signed-off-by: John Johansen <john.johansen@canonical.com> --- Documentation/apparmor.txt | 40 +++++++++++++++++++++++++++++++++++ Documentation/kernel-parameters.txt | 8 +++++++ MAINTAINERS | 8 +++++++ 3 files changed, 56 insertions(+), 0 deletions(-) create mode 100644 Documentation/apparmor.txt diff --git a/Documentation/apparmor.txt b/Documentation/apparmor.txt new file mode 100644 index 0000000..6240438 --- /dev/null +++ b/Documentation/apparmor.txt @@ -0,0 +1,40 @@ +--- What is AppArmor? --- + +AppArmor is MAC style security extension for the Linux kernel. It implements +a task centered policy, with task "profiles" being created and loaded +from user space. Tasks on the system that do not have a profile defined for +them run in an unconfined state which is equivalent to standard Linux DAC +permissions. + +--- How to enable/disable --- + +set CONFIG_SECURITY_APPARMOR=y + +If AppArmor should be selected as the default security module then + set CONFIG_DEFAULT_SECURITY="apparmor" + and CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 + +Build the kernel + +If AppArmor is not the default security module it can be enabled by passing +security=apparmor on the kernel's command line. + +If AppArmor is the default security module it can be disabled by passing +apparmor=0, security=XXXX (where XXX is valid security module), on the +kernel's command line + +For AppArmor to enforce any restrictions beyond standard Linux DAC permissions +policy must be loaded into the kernel from user space (see the Documentation +and tools links). + +--- Documentation --- + +Documentation can be found on the wiki. + +--- Links --- + +Mailing List - apparmor@lists.ubuntu.com +Wiki - http://apparmor.wiki.kernel.org/ +User space tools - https://launchpad.net/apparmor +Kernel module - git://git.kernel.org/pub/scm/linux/kernel/git/jj/apparmor-dev.git + diff --git a/Documentation/kernel-parameters.txt ...
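Review bot: in the new Documentation/apparmor.txt the disable instruction reads "apparmor=0, security=XXXX (where XXX is valid security module)": the placeholder is spelled two different ways and the sentence is missing its article and closing period; suggest "security=XXXX (where XXXX is a valid security module)." Likewise "AppArmor is MAC style security extension" should read "AppArmor is a MAC-style security extension".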
AppArmor hooks to interface with the LSM, module parameters and module
initialization.
Signed-off-by: John Johansen <john.johansen@canonical.com>
---
security/apparmor/lsm.c | 939 +++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 939 insertions(+), 0 deletions(-)
create mode 100644 security/apparmor/lsm.c
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
new file mode 100644
index 0000000..7daf0d5
--- /dev/null
+++ b/security/apparmor/lsm.c
@@ -0,0 +1,939 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor LSM hooks.
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#include <linux/security.h>
+#include <linux/moduleparam.h>
+#include <linux/mm.h>
+#include <linux/mman.h>
+#include <linux/mount.h>
+#include <linux/namei.h>
+#include <linux/ptrace.h>
+#include <linux/ctype.h>
+#include <linux/sysctl.h>
+#include <linux/audit.h>
+#include <net/sock.h>
+
+#include "include/apparmor.h"
+#include "include/apparmorfs.h"
+#include "include/audit.h"
+#include "include/capability.h"
+#include "include/context.h"
+#include "include/file.h"
+#include "include/ipc.h"
+#include "include/path.h"
+#include "include/policy.h"
+#include "include/procattr.h"
+
+/* Flag indicating whether initialization completed */
+int apparmor_initialized __initdata;
+
+/*
+ * LSM hook functions
+ */
+
+/*
+ * free the associated aa_task_cxt and put its profiles
+ */
+static void apparmor_cred_free(struct cred *cred)
+{
+ aa_free_task_context(cred->security);
+ cred->security = NULL;
+}
+
+/*
+ * allocate the apparmor part of blank credentials
+ */
+static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
+{
+ /* freed by apparmor_cred_free */
+ struct ...Kconfig and Makefiles to enable configuration and building of AppArmor. Signed-off-by: John Johansen <john.johansen@canonical.com> --- security/Kconfig | 6 ++++++ security/Makefile | 2 ++ security/apparmor/.gitignore | 5 +++++ security/apparmor/Kconfig | 31 +++++++++++++++++++++++++++++++ security/apparmor/Makefile | 24 ++++++++++++++++++++++++ 5 files changed, 68 insertions(+), 0 deletions(-) create mode 100644 security/apparmor/.gitignore create mode 100644 security/apparmor/Kconfig create mode 100644 security/apparmor/Makefile diff --git a/security/Kconfig b/security/Kconfig index 226b955..bd72ae6 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -140,6 +140,7 @@ config LSM_MMAP_MIN_ADDR source security/selinux/Kconfig source security/smack/Kconfig source security/tomoyo/Kconfig +source security/apparmor/Kconfig source security/integrity/ima/Kconfig @@ -148,6 +149,7 @@ choice default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX default DEFAULT_SECURITY_SMACK if SECURITY_SMACK default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO + default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR default DEFAULT_SECURITY_DAC help @@ -163,6 +165,9 @@ choice config DEFAULT_SECURITY_TOMOYO bool "TOMOYO" if SECURITY_TOMOYO=y + config DEFAULT_SECURITY_APPARMOR + bool "AppArmor" if SECURITY_APPARMOR=y + config DEFAULT_SECURITY_DAC bool "Unix Discretionary Access Controls" @@ -173,6 +178,7 @@ config DEFAULT_SECURITY default "selinux" if DEFAULT_SECURITY_SELINUX default "smack" if DEFAULT_SECURITY_SMACK default "tomoyo" if DEFAULT_SECURITY_TOMOYO + default "apparmor" if DEFAULT_SECURITY_APPARMOR default "" if DEFAULT_SECURITY_DAC endmenu diff --git a/security/Makefile b/security/Makefile index da20a19..8bb0fe9 100644 --- a/security/Makefile +++ b/security/Makefile @@ -6,6 +6,7 @@ obj-$(CONFIG_KEYS) += keys/ subdir-$(CONFIG_SECURITY_SELINUX) += selinux ...
AppArmor policy is loaded in a platform independent flattened binary stream. Verify and unpack the data converting it to the internal format needed for enforcement. Signed-off-by: John Johansen <john.johansen@canonical.com> --- security/apparmor/include/policy_unpack.h | 20 + security/apparmor/policy_unpack.c | 703 +++++++++++++++++++++++++++++ 2 files changed, 723 insertions(+), 0 deletions(-) create mode 100644 security/apparmor/include/policy_unpack.h create mode 100644 security/apparmor/policy_unpack.c diff --git a/security/apparmor/include/policy_unpack.h b/security/apparmor/include/policy_unpack.h new file mode 100644 index 0000000..a2dccca --- /dev/null +++ b/security/apparmor/include/policy_unpack.h @@ -0,0 +1,20 @@ +/* + * AppArmor security module + * + * This file contains AppArmor policy loading interface function definitions. + * + * Copyright (C) 1998-2008 Novell/SUSE + * Copyright 2009-2010 Canonical Ltd. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation, version 2 of the + * License. + */ + +#ifndef __POLICY_INTERFACE_H +#define __POLICY_INTERFACE_H + +struct aa_profile *aa_unpack(void *udata, size_t size, const char **ns); + +#endif /* __POLICY_INTERFACE_H */ diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c new file mode 100644 index 0000000..eb3700e --- /dev/null +++ b/security/apparmor/policy_unpack.c @@ -0,0 +1,703 @@ +/* + * AppArmor security module + * + * This file contains AppArmor functions for unpacking policy loaded from + * userspace. + * + * Copyright (C) 1998-2008 Novell/SUSE + * Copyright 2009-2010 Canonical Ltd. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation, version 2 of the + * License. + * + * AppArmor ...
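Review bot: the header guard in include/policy_unpack.h is "__POLICY_INTERFACE_H", which does not match the file name (policy_unpack.h) and would collide if a policy_interface.h were ever added; rename it "__POLICY_UNPACK_H". The "aa_unpack(void *udata, size_t size, const char **ns)" prototype should also document the ownership of "*ns": whether it points into udata (and so is only valid while that buffer lives) or is separately allocated and must be freed by the caller, since this is the boundary where untrusted policy data from user space enters the kernel.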
The /proc/<pid>/attr/* interface is used for process introspection and commands. While the apparmorfs interface is used for global introspection and loading and removing policy. The interface currently only contains the files necessary for loading policy, and will be extended in the future to include sysfs style single per file introspection inteface. The old AppArmor 2.4 interface files have been removed into a compatibility patch, that distros can use to maintain backwards compatibility. Signed-off-by: John Johansen <john.johansen@canonical.com> --- security/apparmor/apparmorfs.c | 239 ++++++++++++++++++++++++++++++++ security/apparmor/include/apparmorfs.h | 20 +++ security/apparmor/include/procattr.h | 26 ++++ security/apparmor/procattr.c | 170 +++++++++++++++++++++++ 4 files changed, 455 insertions(+), 0 deletions(-) create mode 100644 security/apparmor/apparmorfs.c create mode 100644 security/apparmor/include/apparmorfs.h create mode 100644 security/apparmor/include/procattr.h create mode 100644 security/apparmor/procattr.c diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c new file mode 100644 index 0000000..7320331 --- /dev/null +++ b/security/apparmor/apparmorfs.c @@ -0,0 +1,239 @@ +/* + * AppArmor security module + * + * This file contains AppArmor /sys/kernel/security/apparmor interface functions + * + * Copyright (C) 1998-2008 Novell/SUSE + * Copyright 2009-2010 Canonical Ltd. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation, version 2 of the + * License. + */ + +#include <linux/security.h> +#include <linux/vmalloc.h> +#include <linux/module.h> +#include <linux/seq_file.h> +#include <linux/uaccess.h> +#include <linux/namei.h> + +#include "include/apparmor.h" +#include "include/apparmorfs.h" +#include "include/audit.h" +#include ...
ipc: AppArmor ipc is currently limited to mediation done by file mediation and basic ptrace tests. Improved mediation is a wip. rlimits: AppArmor provides basic abilities to set and control rlimits at a per profile level. Only resources specified in a profile are controled or set. AppArmor rules set the hard limit to a value <= to the current hard limit (ie. they can not currently raise hard limits), and if necessary will lower the soft limit to the new hard limit value. AppArmor does not track resource limits to reset them when a profile is left so that children processes inherit the limits set by the parent even if they are not confined by the same profile. Capabilities: AppArmor provides a per profile mask of capabilities, that will further restrict. Signed-off-by: John Johansen <john.johansen@canonical.com> --- security/apparmor/capability.c | 141 ++++++++++++++++++++++++++++++++ security/apparmor/include/capability.h | 45 ++++++++++ security/apparmor/include/ipc.h | 28 ++++++ security/apparmor/include/resource.h | 46 ++++++++++ security/apparmor/ipc.c | 114 ++++++++++++++++++++++++++ security/apparmor/resource.c | 134 ++++++++++++++++++++++++++++++ 6 files changed, 508 insertions(+), 0 deletions(-) create mode 100644 security/apparmor/capability.c create mode 100644 security/apparmor/include/capability.h create mode 100644 security/apparmor/include/ipc.h create mode 100644 security/apparmor/include/resource.h create mode 100644 security/apparmor/ipc.c create mode 100644 security/apparmor/resource.c diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c new file mode 100644 index 0000000..9982c48 --- /dev/null +++ b/security/apparmor/capability.c @@ -0,0 +1,141 @@ +/* + * AppArmor security module + * + * This file contains AppArmor capability mediation functions + * + * Copyright (C) 1998-2008 Novell/SUSE + * Copyright 2009-2010 Canonical Ltd. + * + * This program ...
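The rlimit rules stated in the description above, as an added example that is not part of the submission (constructed C, not AppArmor's resource.c; the struct names, AA_NLIMITS and the resource indexes RES_NPROC / RES_NOFILE are made up stand-ins for the kernel's struct rlimit and RLIM_NLIMITS): a controlled hard limit may only be lowered, the soft limit follows it down, uncontrolled resources are untouched, and nothing is restored when a child later moves to a profile that does not control the resource.

```c
/* Constructed example of the rlimit semantics described above. Not
 * AppArmor's resource.c; types and resource numbers are made up. */
#include <string.h>

#define AA_NLIMITS 16            /* stand-in for the kernel's RLIM_NLIMITS */
#define RES_NPROC  6             /* constructed resource indexes */
#define RES_NOFILE 7

struct aa_rlimit { unsigned long cur, max; };   /* like struct rlimit */

struct aa_profile_rlimits {
    unsigned mask;               /* bit i set: this profile controls resource i */
    unsigned long max[AA_NLIMITS];
};

static unsigned long min_ul(unsigned long a, unsigned long b)
{
    return a < b ? a : b;
}

/* Apply a profile's limits to a task's limit table on transition into it.
 * Returns how many resources actually changed. */
static int aa_transition_rlimits(struct aa_rlimit *lim,
                                 const struct aa_profile_rlimits *prof)
{
    int changed = 0;
    for (int i = 0; i < AA_NLIMITS; i++) {
        unsigned long hard, soft;
        if (!(prof->mask & (1u << i)))
            continue;                             /* not controlled: untouched */
        hard = min_ul(lim[i].max, prof->max[i]);  /* may lower, never raise */
        soft = min_ul(lim[i].cur, hard);          /* keep soft <= hard */
        changed += (hard != lim[i].max || soft != lim[i].cur);
        lim[i].max = hard;
        lim[i].cur = soft;
    }
    return changed;
}

/* Scenario: a parent with 8192 hard / 4096 soft everywhere enters profile A,
 * which lowers NOFILE to 1024 and asks for NPROC 16384 (above the current
 * hard limit, so it stays put); the child it forks then moves to profile B,
 * which controls nothing, and keeps the lowered NOFILE limit. */
static struct aa_rlimit parent[AA_NLIMITS], child[AA_NLIMITS];

static int run_scenario(void)
{
    struct aa_profile_rlimits a = { 0 }, b = { 0 };
    int changed_a, changed_b;
    for (int i = 0; i < AA_NLIMITS; i++) {
        parent[i].cur = 4096;
        parent[i].max = 8192;
    }
    a.mask = (1u << RES_NOFILE) | (1u << RES_NPROC);
    a.max[RES_NOFILE] = 1024;
    a.max[RES_NPROC] = 16384;
    changed_a = aa_transition_rlimits(parent, &a);
    memcpy(child, parent, sizeof child);     /* fork() copies the limits */
    changed_b = aa_transition_rlimits(child, &b);
    return changed_a == 1 && changed_b == 0; /* only NOFILE ever changes */
}
```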
The basic routines and defines for AppArmor policy. AppArmor policy
is defined by a few basic components.
profiles - the basic unit of confinement contain all the information
to enforce policy on a task
Profiles tend to be named after an executable that they
will attach to but this is not required.
namespaces - a container for a set of profiles that will be used
during attachment and transitions between profiles.
sids - which provide a unique id for each profile
Signed-off-by: John Johansen <john.johansen@canonical.com>
---
security/apparmor/include/policy.h | 305 +++++++++
security/apparmor/include/sid.h | 24 +
security/apparmor/policy.c | 1184 ++++++++++++++++++++++++++++++++++++
security/apparmor/sid.c | 55 ++
4 files changed, 1568 insertions(+), 0 deletions(-)
create mode 100644 security/apparmor/include/policy.h
create mode 100644 security/apparmor/include/sid.h
create mode 100644 security/apparmor/policy.c
create mode 100644 security/apparmor/sid.c
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
new file mode 100644
index 0000000..aeda5cf
--- /dev/null
+++ b/security/apparmor/include/policy.h
@@ -0,0 +1,305 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor policy definitions.
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#ifndef __AA_POLICY_H
+#define __AA_POLICY_H
+
+#include <linux/capability.h>
+#include <linux/cred.h>
+#include <linux/kref.h>
+#include <linux/sched.h>
+#include <linux/slab.h>
+#include <linux/socket.h>
+
+#include "apparmor.h"
+#include "audit.h"
+#include "capability.h"
+#include ...Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6#next
Please carry out any further development against the above tree.
Note that I added the patch below to update AA against the latest
version of path_truncate:
commit 08c702abe63c2da88f811d5c9f98eb01eb8edc77
Author: James Morris <jmorris@namei.org>
Date: Fri Jul 30 09:02:04 2010 +1000
AppArmor: update path_truncate method to latest version
Remove extraneous path_truncate arguments from the AppArmor hook,
as they've been removed from the LSM API.
Signed-off-by: James Morris <jmorris@namei.org>
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 7daf0d5..8db33a8 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -278,8 +278,7 @@ static int apparmor_path_mknod(struct path *dir, struct dentry *dentry,
return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode);
}
-static int apparmor_path_truncate(struct path *path, loff_t length,
- unsigned int time_attrs)
+static int apparmor_path_truncate(struct path *path)
{
struct path_cond cond = { path->dentry->d_inode->i_uid,
path->dentry->d_inode->i_mode
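Review bot: dropping "length" and "time_attrs" is safe since the visible body of apparmor_path_truncate never used them, so behaviour is unchanged and the prototype now matches the LSM API. One style point on the lines kept: the "struct path_cond cond = { path->dentry->d_inode->i_uid, path->dentry->d_inode->i_mode" initializer is positional; designated initializers naming path_cond's fields would keep it correct if the struct's field order ever changes.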
--
James Morris
<jmorris@namei.org>
--
Congratulations! By the way, security/apparmor/Kconfig and security/apparmor/Makefile seem to be missing... --
hrmm, [PATCH 12/13] AppArmor: Enable configuring and building of the AppArmor security module Kconfig and Makefiles to enable configuration and building of AppArmor. Signed-off-by: John Johansen <john.johansen@canonical.com> --- security/Kconfig | 6 ++++++ security/Makefile | 2 ++ security/apparmor/.gitignore | 5 +++++ security/apparmor/Kconfig | 31 +++++++++++++++++++++++++++++++ security/apparmor/Makefile | 24 ++++++++++++++++++++++++ 5 files changed, 68 insertions(+), 0 deletions(-) ... --
Indeed. security/apparmor/.gitignore and security/apparmor/Kconfig and security/apparmor/Makefile were dropped by error when committing. http://git.kernel.org/?p=linux/kernel/git/jmorris/security-testing-2.6.git;a=commit;h=... James, please correct. --
Yep, I had to edit a couple of those files and they did not get added properly (I'm sure I typed git-add...). Should be fixed now, please test. -- James Morris <jmorris@namei.org> --
Ok, so now we have two name-based "security" modules. Can we at least drop TOMOYO? That seems to have all apparmor disadvantages plus some more... -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html --
Hi, Great idea! I suggest also to throw away the unnecessary filesystems. Ext3 is great - who needs Ext4 or XFS? -- Jan III Sobieski --
No. The policy is that any security module which implements an access control scheme and meets a well-defined security goal, and passes technical review, may be merged. aka, The Arjan Protocol: http://kerneltrap.org/Linux/Documenting_Security_Module_Intent -- James Morris <jmorris@namei.org> --
It seems that the security subsystem has lower standards than the rest of the kernel. Sad. Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html --
