linux/security/apparmor
John Johansen 524d8e1425 apparmor: disable showing the mode as part of a secid to secctx
Displaying the mode as part of the secctx takes up unnecessary memory,
makes it so we can't use a refcounted secctx, so we need to alloc/free on
every conversion from secid to secctx, and introduces a space that
could potentially be mishandled by tooling.

E.g. in an audit record we get

  subj_type=firefox (enforce)

Having the mode reported is not necessary, and might even be confusing,
e.g. when writing an audit rule to match the above record field you
would use

  -F subj_type=firefox

i.e. the mode is not included. AppArmor provides ways to find the mode
without reporting it as part of the secctx. So disable this by default
before its use is widespread and we can't. For now we add a sysctl
to control the behavior, as we can't guarantee no one is using this.

Acked-by: Andrea Righi <andrea.righi@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-07-13 17:18:29 -07:00
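The tooling hazard the commit message describes, worked through as an added example (this is not code from the kernel or from the AppArmor project): a log consumer that assumes an audit field value ends at the next "key=" boundary swallows the " (enforce)" suffix into the subj_type value, so an exact comparison against `firefox`, the form an audit rule uses, fails on records written with mode display enabled. A tokenizer that treats the optional " (mode)" suffix as a separate capture compares the label correctly in both formats. The two audit records below are constructed for the example and the set of modes accepted in parentheses is an assumption of the parser, not something the page states.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample audit records (not captured from a real system). The
# subj_type field follows the two forms shown in the commit message above:
# with mode display enabled the secctx carries a trailing " (mode)"; with it
# disabled only the profile label is reported.
RECORD_WITH_MODE = (
    'type=AVC msg=audit(1657753109.123:456): apparmor="DENIED" operation="open" '
    'subj_type=firefox (enforce) name="/etc/shadow" pid=1234 comm="firefox"'
)
RECORD_WITHOUT_MODE = (
    'type=AVC msg=audit(1657753109.123:457): apparmor="DENIED" operation="open" '
    'subj_type=firefox name="/etc/shadow" pid=1234 comm="firefox"'
)

# Parser 1 (the mishandling case): a value runs until the next "key=" token.
# Any space inside the secctx, such as the " (enforce)" suffix, is swallowed
# into the value, so the label no longer compares equal to "firefox".
_GREEDY = re.compile(r'(?P<key>[\w.]+)=(?P<val>.*?)(?=\s+[\w.]+=|$)')


def parse_greedy(record: str) -> Dict[str, str]:
    """Return key -> raw value, value extending to the next key= boundary."""
    return {m.group("key"): m.group("val") for m in _GREEDY.finditer(record)}


def greedy_matches(record: str, field: str, wanted: str) -> bool:
    """Exact-match a field as parsed by the greedy parser."""
    return parse_greedy(record).get(field) == wanted


# Parser 2 (mode-aware): a value is either a double-quoted string or a run of
# non-space characters, optionally followed by " (mode)". The mode is captured
# separately so the label itself can be compared exactly. Which mode names are
# valid is an assumption here; any single word in parentheses is accepted.
_AWARE = re.compile(
    r'(?P<key>[\w.]+)=(?P<val>"[^"]*"|\S+)(?:\s+\((?P<mode>\w+)\))?'
)


def parse_mode_aware(record: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Return key -> (value, mode); mode is None when no suffix is present."""
    return {
        m.group("key"): (m.group("val"), m.group("mode"))
        for m in _AWARE.finditer(record)
    }


def matches_rule(record: str, field: str, wanted: str) -> bool:
    """Emulate matching a record against a rule like `-F subj_type=firefox`:
    compare the label only, ignoring any mode suffix the secctx may carry."""
    parsed = parse_mode_aware(record)
    if field not in parsed:
        return False
    return parsed[field][0] == wanted


if __name__ == "__main__":
    for rec in (RECORD_WITH_MODE, RECORD_WITHOUT_MODE):
        print("greedy subj_type     :", repr(parse_greedy(rec)["subj_type"]))
        print("mode-aware subj_type :", parse_mode_aware(rec)["subj_type"])
        print("greedy rule match    :", greedy_matches(rec, "subj_type", "firefox"))
        print("mode-aware rule match:", matches_rule(rec, "subj_type", "firefox"))
```

The point of the two parsers is not which regex is better in the abstract; it is that once the secctx may or may not contain a space, every consumer has to know about that convention, which is why the commit turns the suffix off by default and leaves only a sysctl for systems that still depend on it.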
include apparmor: disable showing the mode as part of a secid to secctx 2022-07-13 17:18:29 -07:00
.gitignore .gitignore: add SPDX License Identifier 2020-03-25 11:50:48 +01:00
apparmorfs.c apparmor: Fix memleak in aa_simple_write_to_buffer() 2022-07-09 15:13:59 -07:00
audit.c apparmor: fix quiet_denied for file rules 2022-07-09 15:13:59 -07:00
capability.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441 2019-06-05 17:37:17 +02:00
crypto.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441 2019-06-05 17:37:17 +02:00
domain.c apparmor: Fix some kernel-doc comments 2022-07-09 15:13:59 -07:00
file.c apparmor: handle idmapped mounts 2021-01-24 14:27:20 +01:00
ipc.c audit: purge audit_log_string from the intra-kernel audit API 2020-07-21 11:12:31 -04:00
Kconfig apparmor: Enable tuning of policy paranoid load for embedded systems 2022-07-09 15:13:59 -07:00
label.c apparmor: fix aa_label_asxprint return check 2022-07-09 15:13:59 -07:00
lib.c apparmor: Use struct_size() helper in kmalloc() 2022-07-09 15:13:59 -07:00
lsm.c apparmor: disable showing the mode as part of a secid to secctx 2022-07-13 17:18:29 -07:00
Makefile apparmor: add base infrastructure for socket mediation 2018-03-13 17:25:48 -07:00
match.c apparmor: ensure that dfa state tables have entries 2020-04-08 04:42:48 -07:00
mount.c apparmor: fix reference count leak in aa_pivotroot() 2022-07-09 15:13:59 -07:00
net.c apparmor: add a kernel label to use on kernel objects 2022-07-13 16:37:21 -07:00
nulldfa.in apparmor: cleanup add proper line wrapping to nulldfa.in 2018-02-09 11:30:01 -08:00
path.c security: apparmor: delete repeated words in comments 2021-02-07 04:15:46 -08:00
policy_ns.c apparmor: add a kernel label to use on kernel objects 2022-07-13 16:37:21 -07:00
policy_unpack_test.c apparmor: test: Remove some casts which are no-longer required 2022-07-09 15:14:14 -07:00
policy_unpack.c apparmor: Fix undefined reference to `zlib_deflate_workspacesize' 2022-07-09 15:13:59 -07:00
policy.c apparmor: make export of raw binary profile to userspace optional 2022-07-09 15:13:59 -07:00
procattr.c apparmor: Fix kernel-doc 2022-07-09 15:13:59 -07:00
resource.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441 2019-06-05 17:37:17 +02:00
secid.c apparmor: disable showing the mode as part of a secid to secctx 2022-07-13 17:18:29 -07:00
stacksplitdfa.in apparmor: use the dfa to do label parse string splitting 2018-02-09 11:30:01 -08:00
task.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441 2019-06-05 17:37:17 +02:00