AppArmor For Linux 6.17 Set To Introduce AF_UNIX Mediation, Other Improvements
- Reference: 0001566572
- News link: https://www.phoronix.com/news/Linux-6.17-AppArmor
- Source link:
The headline feature of the AppArmor changes submitted for Linux 6.17 is AF_UNIX mediation support after Ubuntu had been carrying similar patches for years. John Johansen explained in the pull request:
"This PR has one major feature, it pulls in a cleaned up version of af_unix mediation that Ubuntu has been carrying for years. It is placed behind a new abi to ensure that it does cause policy regressions. With pulling in the af_unix mediation there have been cleanups and some refactoring of network socket mediation. This accounts for the majority of the changes in the diff.
In addition there are a few improvements providing minor code optimizations, several code cleanups, and bug fixes."
Fine-grained AF_UNIX mediation in AppArmor allows controls based on the socket type (abstract, anonymous, fs), the socket address, and the label attached to the socket. More details are in [1]this patch.
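To make the three kinds of control concrete, here is an added example of an AppArmor profile fragment; it is not from the article, the pull request, or the AppArmor project. It uses the unix rule syntax documented in apparmor.d(5) to restrict a hypothetical daemon by socket type (stream), by address (one abstract socket name, or an anonymous socketpair), and by the peer's label. The profile name exampled, its path, the abstract address "@exampled.sock" and the peer profile example-client are invented for the illustration, and the abi include line is an assumption: the userspace abi file that enables the kernel's new socket mediation should be checked against your installed apparmor release.

```apparmor
# Added example, not code from the article or the AppArmor project.
# Assumed names: exampled, /usr/bin/exampled, @exampled.sock, example-client.
# Assumed abi line: pick the userspace abi include that corresponds to the
# kernel abi which enables af_unix mediation on your system.
abi <abi/4.0>,
include <tunables/global>

profile exampled /usr/bin/exampled {
  include <abstractions/base>

  # Type and address: the daemon may create, bind, listen and accept on
  # exactly one named abstract stream socket, not on arbitrary names in
  # the abstract namespace.
  unix (create, bind, listen, accept) type=stream addr="@exampled.sock",

  # Label: data on that socket may only be exchanged with peers that are
  # confined by the example-client profile; an unconfined or differently
  # labelled peer is denied.
  unix (send, receive) type=stream addr="@exampled.sock" peer=(label=example-client),

  # Anonymous sockets (socketpair) are matched with addr=none; here the
  # daemon may only talk to a peer running under its own profile.
  unix (send, receive) type=stream addr=none peer=(label=@{profile_name}),

  # Path-based (fs) sockets are addressed by their file path, so the
  # daemon's access to them is expressed with an ordinary file rule.
  /run/exampled/control.sock rw,
}
```

Because the article notes the mediation sits behind a new abi so that existing policy does not regress, a profile that never opts into that abi keeps its old, coarser socket behaviour; the abi line is what turns these unix rules into enforced restrictions. Denied operations are reported as apparmor DENIED entries in the kernel audit log, so the rules can be tuned from real traffic with the usual aa-logprof workflow before switching the profile from complain to enforce mode.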
The AppArmor [2]pull request also has a number of debug printing improvements, bug fixes, and other enhancements:
+ Features
- improve debug printing
- carry mediation check on label (optimization)
- improve ability for compiler to optimize __begin_current_label_crit_section
- transition for a linked list of rulesets to a vector of rulesets
- don't hardcode profile signal, allow it to be set by policy
- ability to mediate caps via the state machine instead of lut
- Add Ubuntu af_unix mediation, put it behind new v9 abi
+ Cleanups
- fix typos and spelling errors
- cleanup kernel doc and code inconsistencies
- remove redundant checks/code
- remove unused variables
- Use str_yes_no() helper function
- mark tables static where appropriate
- make all generated string array headers const char *const
- refactor to doc semantics of file_perm checks
- replace macro calls to network/socket fns with explicit calls
- refactor/cleanup socket mediation code preparing for finer grained mediation of different network families
- several updates to kernel doc comments
+ Bug fixes
- apparmor: Fix incorrect profile->signal range check
- idmap mount fixes
- policy unpack unaligned access fixes
- kfree_sensitive() where appropriate
- fix oops when freeing policy
- fix conflicting attachment resolution
- fix exec table look-ups when stacking isn't first
- fix exec auditing
- mitigate userspace generating overly large xtables
[1] https://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor.git/commit/?h=apparmor-next&id=c05e705812d179f4b85aeacc34a555a42bc4f9ac
[2] https://lore.kernel.org/lkml/8d0c22fd-330e-4c13-b9e3-32a927697667@canonical.com/
Leinad