[AppArmor #3 0/12] AppArmor security module

From: John Johansen
Date: Tue Nov 10 2009 - 11:13:17 EST

Next message: John Johansen: "[PATCH 03/12] AppArmor: contexts used in attaching policy to system objects"
Previous message: Martin Knoblauch: "Re: Likley stupid question on "throttle_vm_writeout""
Next in thread: John Johansen: "[PATCH 03/12] AppArmor: contexts used in attaching policy to system objects"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This is the newest version of the AppArmor security module it has been
rewritten to use the security_path hooks instead of the previous vfs
approach. The current implementation is aimed at being as semantically
close to previous versions of AppArmor as possible while using the
existing LSM infrastructure.

The rewrite is functional and roughly equivalent to previous versions
of AppArmor based off of vfs patching. Development is on going and
improvements to file, capability, network, resource usage and ipc mediation
are planned.

_Issues NOT currently addressed and will be address in the next post_
* AppArmor audit framework has not yet been updated as suggested by
Eric Paris in
http://marc.info/?l=linux-security-module&m=125778105017307&w=2
* AppArmor mmap_min_addr is broken and needs to be fixed as pointed out by
Eric Paris in
http://marc.info/?l=linux-security-module&m=125778004815241&w=2

_Issues Addressed Since Last Time AppArmor was Posted_
* Implemented change recommended by Tetsuo Handa in feedback:
http://marc.info/?l=linux-security-module&m=125730973023168&w=2
http://marc.info/?l=linux-security-module&m=125740018700307&w=2
- removed read head reset in policy_unpack
- added addition comments on locking, refcounting, and memory allocation
- reworked ref counting some so that more references are held explicitly
- drop dead/unreachable code
- fix oops in putting caps cache cpu_local var
- fix refcounting bug causing leak of creds
- reworked __d_path race detection and removal of (deleted) string
* fixed bug in nameresolution failure in apparmor_bprm_set_creds that could
cause a null pointer dereference oops
* fix bug in removal of child profiles that would lead to null pointer
dereference oops. Cleaned up code and removed dead portions
* rework filter and newest profile cleaning them up after changes made for
above removal bug.
* Cleanup namespace code, removing unused fns and adding addition comments
* move profile load/replace/remove routines from policy_unpack.c to policy.c
this allowed cleaning up the interface, allowing for more core policy
functions to be static, and also allows policy_unpack to only contain
unpack code.

AppArmor documentation can currently be found at
http://developer.novell.com/wiki/index.php/Apparmor

The unflattened AppArmor git tree can be found at
git://kernel.ubuntu.com/jj/apparmor-mainline.git

The AppArmor project is currently in transition and will be moving
away from Novell forge. The current upstream for the AppArmor tools
can be found at
https://launchpad.net/apparmor

The final location of the documentation and mailing lists have
not been determined and will be updated when known.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: John Johansen: "[PATCH 03/12] AppArmor: contexts used in attaching policy to system objects"
Previous message: Martin Knoblauch: "Re: Likley stupid question on "throttle_vm_writeout""
Next in thread: John Johansen: "[PATCH 03/12] AppArmor: contexts used in attaching policy to system objects"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]