<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-next.git/security/apparmor/include, branch master</title>
<subtitle>Linux kernel latest source</subtitle>
<id>http://mirrors.hust.edu.cn/git/linux-next.git/atom?h=master</id>
<link rel='self' href='http://mirrors.hust.edu.cn/git/linux-next.git/atom?h=master'/>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux-next.git/'/>
<updated>2026-06-29T17:27:02+00:00</updated>
<entry>
<title>apparmor: Initial support for compressed policies</title>
<updated>2026-06-29T17:27:02+00:00</updated>
<author>
<name>Maxime Bélair</name>
<email>maxime.belair@canonical.com</email>
</author>
<published>2024-02-01T08:09:50+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux-next.git/commit/?id=17b5758bf35c7a113363cd7a350b7e6a251b80f4'/>
<id>urn:sha1:17b5758bf35c7a113363cd7a350b7e6a251b80f4</id>
<content type='text'>
This patch allows policies to be compressed in userspace and be sent to
the kernel through the existing ".load" and ".replace" kernel interfaces.

The benefits of this approach are:
 - Save kernel time when loading policies
 - Allow userspace to provide a higher level of compression than the one
   provided by the kernel (ZSTD_CLEVEL_DEFAULT), thus saving space.
 - Allow small embedded systems to only store the compressed version of
   policies in userspace, saving memory.

Userspace-compressed policies improve system time by up to ~30% for big
profiles.

Signed-off-by: Maxime Bélair &lt;maxime.belair@canonical.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: make include headers self-contained</title>
<updated>2026-06-29T17:26:36+00:00</updated>
<author>
<name>Ryan Lee</name>
<email>ryan.lee@canonical.com</email>
</author>
<published>2026-02-13T20:33:11+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux-next.git/commit/?id=37077e4cfad4905128853f83c9e4ddf6a31e04f3'/>
<id>urn:sha1:37077e4cfad4905128853f83c9e4ddf6a31e04f3</id>
<content type='text'>
Besides resolving clangd IDE warnings, self-contained headers will be
less likely to break if the surrounding includes in .c files using them
change.

Signed-off-by: Ryan Lee &lt;ryan.lee@canonical.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: fix net.h and policy.h circular include pattern</title>
<updated>2026-06-29T17:26:21+00:00</updated>
<author>
<name>Ryan Lee</name>
<email>ryan.lee@canonical.com</email>
</author>
<published>2026-02-12T21:16:03+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux-next.git/commit/?id=622ec01756ee9d483662655ff7315cb0e23afd46'/>
<id>urn:sha1:622ec01756ee9d483662655ff7315cb0e23afd46</id>
<content type='text'>
While the #ifdef guards prevent the circular include from blowing up,
policy.h does not actually need anything from net.h. Remove that include
and instead include net.h in the other files that need it.

Signed-off-by: Ryan Lee &lt;ryan.lee@canonical.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: fix kernel-doc warnings</title>
<updated>2026-06-14T03:20:13+00:00</updated>
<author>
<name>Rodrigo Zaiden</name>
<email>rodrigoffzz@gmail.com</email>
</author>
<published>2026-05-31T19:36:28+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux-next.git/commit/?id=d0691bd5dcaec2350039ecb04fa70faa91ac142d'/>
<id>urn:sha1:d0691bd5dcaec2350039ecb04fa70faa91ac142d</id>
<content type='text'>
Fix two kernel-doc warnings:
- non-kernel-doc comment marked with '/**' in af_unix.c
- documented symbol name mismatch for aa_get_i_loaddata() in
  policy_unpack.h

No functional changes.

Signed-off-by: Rodrigo Zaiden &lt;rodrigoffzz@gmail.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: fix use-after-free in rawdata dedup loop</title>
<updated>2026-06-14T03:20:13+00:00</updated>
<author>
<name>Ruslan Valiyev</name>
<email>linuxoid@gmail.com</email>
</author>
<published>2026-05-25T22:04:46+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux-next.git/commit/?id=6f060496d03e4dc560a40f73770bd08335cb7a27'/>
<id>urn:sha1:6f060496d03e4dc560a40f73770bd08335cb7a27</id>
<content type='text'>
aa_replace_profiles() walks ns-&gt;rawdata_list to dedup the incoming
policy blob against entries already attached to existing profiles.
Per the kernel-doc on struct aa_loaddata, list membership does not
hold a reference: profiles hold pcount, and when the last pcount
drops, do_ploaddata_rmfs() is queued on a workqueue that takes
ns-&gt;lock and removes the entry. Between dropping the last pcount
and the workqueue running, an entry remains on the list with
pcount == 0.

aa_get_profile_loaddata() is an unconditional kref_get() on
pcount, so when the dedup loop hits such an entry, refcount
hardening reports

  refcount_t: addition on 0; use-after-free.

inside aa_replace_profiles(), and the poisoned counter then
trips "saturated" and "underflow" warnings on the subsequent
uses of the same loaddata.

Before commit a0b7091c4de4 ("apparmor: fix race on rawdata
dereference") the dedup path used a get_unless_zero-style helper
on a single counter, so the existing "if (tmp)" guard was
meaningful. The split-refcount refactor introduced
aa_get_profile_loaddata(), which has plain kref_get() semantics,
and the guard quietly became a no-op.

Introduce aa_get_profile_loaddata_not0(), matching the existing
_not0 convention used by aa_get_profile_not0(), and use it for
the rawdata_list dedup lookup so dying entries are skipped.

Reproduced on x86_64 with v7.1-rc5 in QEMU+KVM running Ubuntu
24.04 + stress-ng 0.17.06:

  stress-ng --apparmor 1 --klog-check --timeout 60s

Without this patch the three refcount_t warnings fire within a
few seconds. With it the same 60 s run is clean. Coverage is a
smoke-test only; a longer soak with CONFIG_KASAN, CONFIG_KCSAN
and CONFIG_PROVE_LOCKING would be welcome from anyone with the
cycles.

Fixes: a0b7091c4de4 ("apparmor: fix race on rawdata dereference")
Reported-by: Colin Ian King &lt;colin.i.king@gmail.com&gt;
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221513
Cc: stable@vger.kernel.org
Signed-off-by: Ruslan Valiyev &lt;linuxoid@gmail.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: remove or add symlinks to rawdata according to export_binary</title>
<updated>2026-06-14T03:14:07+00:00</updated>
<author>
<name>Georgia Garcia</name>
<email>georgia.garcia@canonical.com</email>
</author>
<published>2026-01-29T18:39:42+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux-next.git/commit/?id=59fe6fbc4cd45582bc8893de0a382a36562317b3'/>
<id>urn:sha1:59fe6fbc4cd45582bc8893de0a382a36562317b3</id>
<content type='text'>
When the export_binary parameter is set, then rawdata is available and
there should be a symbolic link for the rawdata in the profile
directory in apparmorfs. If the parameter is unset, then the symlinks
should not exist.

The issue arises when changing the value of export_binary on runtime
and replacing profiles. If export_binary was set when the profile was
originally loaded, then changed to 0 and the profile was reloaded,
then the symbolic links would still exist but would return ENOENT
because the rawdata no longer exists.

On the opposite side, if export_binary was unset when the profile was
originally loaded, then changed to 1 and the profile was reloaded,
then the symbolic links would not exist, even though the rawdata does.

Fixes: d61c57fde8191 ("apparmor: make export of raw binary profile to userspace optional")
Signed-off-by: Georgia Garcia &lt;georgia.garcia@canonical.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: make fn_label_build() capable of handling not supported</title>
<updated>2026-06-14T03:14:07+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2026-02-24T16:02:04+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux-next.git/commit/?id=716d384ac7c905b719f3ce11cdb3a3d172c210fb'/>
<id>urn:sha1:716d384ac7c905b719f3ce11cdb3a3d172c210fb</id>
<content type='text'>
Currently fn_label_build() callback fns must provide a transition or
failure. Change this so that a callback can indicate it should be
skipped/not be involved in the label being built.

This will be useful when building object labels based on mediation
flags, as to whether the label should be set.

Existing callers can keep treating NULL return as an error because
none of those callback fns support skipping, but instead of the old
error handling replace with AA_BUG.

Reviewed-by: Georgia Garcia &lt;georgia.garcia@canonical.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: change fn_label_build() call to not return NULL</title>
<updated>2026-06-14T03:14:07+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2026-02-17T15:54:10+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux-next.git/commit/?id=ed7cc1c6f240a0c2838c0617afb2b0466edd236f'/>
<id>urn:sha1:ed7cc1c6f240a0c2838c0617afb2b0466edd236f</id>
<content type='text'>
Previously fn_label_build() was accepting a NULL which represented
ENOMEM return and ERR_PTR for errors.

Clean this up by requiring the cb fn to return an ERR_PTR or valid
value.

Reviewed-by: Georgia Garcia &lt;georgia.garcia@canonical.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: add a conditional version of get_newest_label</title>
<updated>2026-06-14T03:14:06+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2026-04-17T07:51:22+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux-next.git/commit/?id=f86ee868fd54c372255519284e1c0f4f7707c045'/>
<id>urn:sha1:f86ee868fd54c372255519284e1c0f4f7707c045</id>
<content type='text'>
get_newest_label() will always return a refcount on the profile it
returns. However, there are cases where we only need the refcount
if the label is stale and get_newest_label() will return a different
label.

Optimize this by making the get/put happen conditionally, by keeping
a flag indicating if the get was performed and a put is needed.

Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
<entry>
<title>apparmor: fix race between freeing data and fs accessing it</title>
<updated>2026-03-09T23:05:44+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2026-03-02T00:10:51+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/linux-next.git/commit/?id=8e135b8aee5a06c52a4347a5a6d51223c6f36ba3'/>
<id>urn:sha1:8e135b8aee5a06c52a4347a5a6d51223c6f36ba3</id>
<content type='text'>
AppArmor was putting the reference to i_private data on its end after
removing the original entry from the file system. However the inode
can and does live beyond that point and it is possible that some of
the fs call back functions will be invoked after the reference has
been put, which results in a race between freeing the data and
accessing it through the fs.

While the rawdata/loaddata is the most likely candidate to fail the
race, as it has the fewest references, if properly crafted it might be
possible to trigger a race for the other types stored in i_private.

Fix this by moving the put of i_private referenced data to the correct
place which is during inode eviction.

Fixes: c961ee5f21b20 ("apparmor: convert from securityfs to apparmorfs for policy ns files")
Reported-by: Qualys Security Advisory &lt;qsa@qualys.com&gt;
Reviewed-by: Georgia Garcia &lt;georgia.garcia@canonical.com&gt;
Reviewed-by: Maxime Bélair &lt;maxime.belair@canonical.com&gt;
Reviewed-by: Cengiz Can &lt;cengiz.can@canonical.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
</content>
</entry>
</feed>
