lp:~apparmor-dev/ubuntu-kernel-next

Get this repository:
git clone https://git.qastaging.paddev.net/~apparmor-dev/ubuntu-kernel-next
Members of AppArmor Developers can upload to this repository.

Branches

Name Last Modified Last Commit
noble-6.8-apparmor-dev 2024-04-16 16:16:06 UTC
UBUNTU: SAUCE: apparmor4.0.0 [92/90]: fix address mapping for recvfrom

Author: John Johansen
Author Date: 2024-04-16 15:07:14 UTC

UBUNTU: SAUCE: apparmor4.0.0 [92/90]: fix address mapping for recvfrom

BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2061851

Receive message cases are failing with an EINVAL error. This is due
to the address possibly not being available for the receive case, but
being indicated with an addrlen of 0, not a null addr.

From a mediation pov this is fine, the address just cannot be used
as part of an acceptance criteria. However, the address lookup is being
done during the setup and the consistency check is failing.

Since it isn't required, don't do the address verification check at
all, and leave that to other parts of the kernel. Treat any bad
address as unavailable.

Signed-off-by: John Johansen <john.johansen@canonical.com>

noble-dev 2024-01-27 00:19:04 UTC
UBUNTU: SAUCE: apparmor4.0.0 [94/94]: apparmor: add ability to mediate caps w...

Author: John Johansen
Author Date: 2024-01-04 17:00:49 UTC

UBUNTU: SAUCE: apparmor4.0.0 [94/94]: apparmor: add ability to mediate caps with policy state machine

Currently the caps encoding is very limited. Allow capabilities to
be mediated by the state machine. This will allow us to add
conditionals to capabilities that aren't possible with the current
encoding.

Signed-off-by: John Johansen <john.johansen@canonical.com>

v6.7-apparmor-mantic 2024-01-09 09:31:59 UTC
UBUNTU: SAUCE: apparmor4.0.0 [69/69]: apparmor: open userns related sysctl so...

Author: John Johansen
Author Date: 2023-10-25 12:31:30 UTC

UBUNTU: SAUCE: apparmor4.0.0 [69/69]: apparmor: open userns related sysctl so lxc can check if restriction are in place

BugLink: http://bugs.launchpad.net/bugs/2040194

https://github.com/canonical/lxd/issues/11920#issuecomment-1756110109

lxc and lxd currently need to determine if the apparmor restrictions
on unprivileged user namespaces are being enforced, so that apparmor
restrictions won't break lxc/d, and they won't clutter the logs
by doing something like

  unshare true

to test if the restrictions are being enforced.

Ideally access to this information would be restricted so that any
unknown access would be logged, but lxc/d currently aren't ready for
this, so in order to _not_ force lxc/d to probe whether enforcement is
enabled, open up read access to the sysctls for unprivileged user
namespace mediation.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>

jammy-mqueue-sru 2023-12-13 23:53:17 UTC
UBUNTU: SAUCE: (no-up) apparmor: Add fine grained mediation of posix mqueues

Author: John Johansen
Author Date: 2021-12-13 23:46:09 UTC

UBUNTU: SAUCE: (no-up) apparmor: Add fine grained mediation of posix mqueues

This is a SAUCE patch being SRUed to support customers that require the
feature on 22.04, instead of using an HWE kernel.

BugLink: https://bugs.launchpad.net/bugs/2045384

Add fine grained mediation of posix mqueues. Specifically this patch
adds support for differentiating mqueues based on the name in the ipc
namespace. A follow on patch will add support for implied labels, and
a third patch explicit labels. This is done in part because of
dependencies on other patches to apparmor core.

BugLink: https://bugs.launchpad.net/bugs/2045384
Signed-off-by: John Johansen <john.johansen@canonical.com>
(backported from commit 44f28e2ccee2000c7da971876dd003d38a8232d8 kinetic:linux)
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

v6.6-apparmor-mantic 2023-11-08 00:53:07 UTC
UBUNTU: SAUCE: apparmor4.0.0 [83/83]: Fix inode_init for changed prototype

Author: John Johansen
Author Date: 2023-11-08 00:35:09 UTC

UBUNTU: SAUCE: apparmor4.0.0 [83/83]: Fix inode_init for changed prototype

Commit
    6bcdfd2cac55 security: Allow all LSMs to provide xattrs for inode_init_security hook

changed the inode_init hook prototype. Depending on build flags this
could break the build, or just emit a warning. AppArmor does not use
the adjusted parameters, so only the parameters of the hook introduced
in
    7f3d19921386 ("UBUNTU: SAUCE: apparmor4.0.0 [07/82]: Add fine grained mediation of posix mqueues")
need to be adjusted.

Signed-off-by: John Johansen <john.johansen@canonical.com>

default 2023-11-01 10:08:18 UTC
UBUNTU: SAUCE: apparmor4.0.0 [82/82]: apparmor: open userns related sysctl so...

Author: John Johansen
Author Date: 2023-10-25 12:31:30 UTC

UBUNTU: SAUCE: apparmor4.0.0 [82/82]: apparmor: open userns related sysctl so lxc can check if restriction are in place

BugLink: http://bugs.launchpad.net/bugs/2040194

https://github.com/canonical/lxd/issues/11920#issuecomment-1756110109

lxc and lxd currently need to determine if the apparmor restrictions
on unprivileged user namespaces are being enforced, so that apparmor
restrictions won't break lxc/d, and they won't clutter the logs
by doing something like

  unshare true

to test if the restrictions are being enforced.

Ideally access to this information would be restricted so that any
unknown access would be logged, but lxc/d currently aren't ready for
this, so in order to _not_ force lxc/d to probe whether enforcement is
enabled, open up read access to the sysctls for unprivileged user
namespace mediation.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>

next-6.5 2023-09-06 13:51:04 UTC
UBUNTU: Ubuntu-6.5.0-5.5

Author: Andrea Righi
Author Date: 2023-09-06 13:51:04 UTC

UBUNTU: Ubuntu-6.5.0-5.5

Signed-off-by: Andrea Righi <andrea.righi@canonical.com>

next 2023-09-06 13:51:04 UTC
UBUNTU: Ubuntu-6.5.0-5.5

Author: Andrea Righi
Author Date: 2023-09-06 13:51:04 UTC

UBUNTU: Ubuntu-6.5.0-5.5

Signed-off-by: Andrea Righi <andrea.righi@canonical.com>

next-6.4 2023-07-26 15:45:53 UTC
UBUNTU: Ubuntu-6.4.0-1.1

Author: Andrea Righi
Author Date: 2023-07-26 15:45:53 UTC

UBUNTU: Ubuntu-6.4.0-1.1

Signed-off-by: Andrea Righi <andrea.righi@canonical.com>

next-6.3 2023-06-08 14:44:41 UTC
UBUNTU: Ubuntu-6.3.0-7.7

Author: Paolo Pisati
Author Date: 2023-06-08 14:44:41 UTC

UBUNTU: Ubuntu-6.3.0-7.7

Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>

next-6.2 2023-04-14 10:11:49 UTC
UBUNTU: Ubuntu-6.2.0-21.21

Author: Andrea Righi
Author Date: 2023-04-14 10:11:49 UTC

UBUNTU: Ubuntu-6.2.0-21.21

Signed-off-by: Andrea Righi <andrea.righi@canonical.com>

next-6.1 2023-02-24 13:24:48 UTC
UBUNTU: Ubuntu-6.1.0-16.16

Author: Andrea Righi
Author Date: 2023-02-24 13:24:48 UTC

UBUNTU: Ubuntu-6.1.0-16.16

Signed-off-by: Andrea Righi <andrea.righi@canonical.com>

This repository contains Public information 
Everyone can see this information.