[GIT PULL] AppArmor updates for 7.0-rc1
John Johansen
john.johansen at canonical.com
Thu Feb 19 00:19:34 UTC 2026
Hi Linus,
Below is the AppArmor update PR for 7.0
These patches have all been merge, build, and regression tested
against your tree as of yesterday. The code has been in linux-next
and many of the patches in the Ubuntu kernels for testing.
This PR is mostly comprised of cleanups, and bug fixes, with 3 minor
features, the first being an improvement to our kunit testing, and
the other two extending the information available in audit messages.
Because this is coming so late in the window (sorry, life happens),
if you would prefer, I have prepared an alternate PR that contains
the set of bug fixes that apply without the features or cleanups,
available via the tag bugfix-2026-02-18, which I can send a PR for
instead.
thanks
- john
The following changes since commit 8f0b4cce4481fb22653697cced8d0d04027cb1e8:
Linux 6.19-rc1 (2025-12-14 16:05:07 +1200)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor tags/apparmor-pr-2026-02-18
for you to fetch changes up to 08020dbe3125e936429e7966bf072e08fa964f36:
apparmor: fix signedness bug in unpack_tags() (2026-02-18 11:50:20 -0800)
----------------------------------------------------------------
+ Features
- add .kunitconfig
- audit execpath in userns mediation
- add support loading per permission tagging
+ Cleanups
- cleanup remove unused percpu critical sections in buffer management
- document the buffer hold, add an overflow guard
- split xxx_in_ns into its two separate semantic use cases
- remove apply_modes_to_perms from label_match
- refactor/cleanup cred helper fns.
- guard against free attachment/data routines being called with a NULL
- drop in_atomic flag in common_mmap, and common_file_perm, and cleanup
- make str table more generic and be able to have multiple entries
- Replace deprecated strcpy with memcpy in gen_symlink_name
- Replace deprecated strcpy in d_namespace_path
- Replace sprintf/strcpy with scnprintf/strscpy in aa_policy_init
- replace sprintf with snprintf in aa_new_learning_profile
+ Bug Fixes
- fix cast in format string DEBUG statement
- fix make aa_labelmatch return consistent
- fix fmt string type error in process_strs_entry
- fix kernel-doc comments for inview
- fix invalid deref of rawdata when export_binary is unset
- avoid per-cpu hold underflow in aa_get_buffer
- fix fast path cache check for unix sockets
- fix rlimit for posix cpu timers
- fix label and profile debug macros
- move check for aa_null file to cover all cases
- return -ENOMEM in unpack_perms_table upon alloc failure
- fix boolean argument in apparmor_mmap_file
- Fix & Optimize table creation from possibly unaligned memory
- Allow apparmor to handle unaligned dfa tables
- fix NULL deref in aa_sock_file_perm
- fix NULL pointer dereference in __unix_needs_revalidation
- fix signedness bug in unpack_tags()
----------------------------------------------------------------
Georgia Garcia (1):
      apparmor: fix invalid deref of rawdata when export_binary is unset

Helge Deller (2):
      AppArmor: Allow apparmor to handle unaligned dfa tables
      apparmor: Fix & Optimize table creation from possibly unaligned memory

John Johansen (19):
      apparmor: fix NULL sock in aa_sock_file_perm
      apparmor: make str table more generic and be able to have multiple entries
      apparmor: add support loading per permission tagging
      apparmor: drop in_atomic flag in common_mmap, and common_file_perm
      apparmor: guard against free routines being called with a NULL
      apparmor: move check for aa_null file to cover all cases
      apparmor: fix label and profile debug macros
      apparmor: refactor/cleanup cred helper fns.
      apparmor: fix rlimit for posix cpu timers
      apparmor: fix fast path cache check for unix sockets
      apparmor: remove apply_modes_to_perms from label_match
      apparmor: make label_match return a consistent value
      apparmor: split xxx_in_ns into its two separate semantic use cases
      apparmor: document the buffer hold, add an overflow guard
      apparmor: cleanup remove unused percpu critical sections in buffer management
      apparmor: fix kernel-doc comments for inview
      apparmor: fix fmt string type error in process_strs_entry
      apparmor: fix aa_label to return state from compound and component match
      apparmor: fix cast in format string DEBUG statement

Massimiliano Pellizzer (1):
      apparmor: fix signedness bug in unpack_tags()

Maxime Bélair (1):
      apparmor: userns: Add support for execpath in userns

Ryan Lee (3):
      apparmor: fix boolean argument in apparmor_mmap_file
      apparmor: account for in_atomic removal in common_file_perm
      apparmor: return -ENOMEM in unpack_perms_table upon alloc failure

Ryota Sakamoto (1):
      apparmor: add .kunitconfig

System Administrator (1):
      apparmor: fix NULL pointer dereference in __unix_needs_revalidation

Thorsten Blum (4):
      apparmor: replace sprintf with snprintf in aa_new_learning_profile
      apparmor: Replace sprintf/strcpy with scnprintf/strscpy in aa_policy_init
      apparmor: Replace deprecated strcpy in d_namespace_path
      apparmor: Replace deprecated strcpy with memcpy in gen_symlink_name

Zhengmian Hu (1):
      apparmor: avoid per-cpu hold underflow in aa_get_buffer
 security/apparmor/.kunitconfig     |   5 +
 security/apparmor/af_unix.c        |   2 +-
 security/apparmor/apparmorfs.c     |  23 ++-
 security/apparmor/domain.c         |  60 +++----
 security/apparmor/file.c           |  49 ++++--
 security/apparmor/include/audit.h  |   2 +
 security/apparmor/include/cred.h   | 100 +++++++----
 security/apparmor/include/lib.h    |  37 +++-
 security/apparmor/include/match.h  |  12 +-
 security/apparmor/include/policy.h |  32 +++-
 security/apparmor/label.c          |  55 +++---
 security/apparmor/lib.c            |  29 ++--
 security/apparmor/lsm.c            |  66 +++++---
 security/apparmor/match.c          |  22 +--
 security/apparmor/net.c            |   6 +-
 security/apparmor/path.c           |  13 +-
 security/apparmor/policy.c         |  31 +++-
 security/apparmor/policy_compat.c  |  10 +-
 security/apparmor/policy_unpack.c  | 336 ++++++++++++++++++++++++++++++++-----
 security/apparmor/resource.c       |   5 +
 security/apparmor/task.c           |  32 ++++
 21 files changed, 687 insertions(+), 240 deletions(-)
 create mode 100644 security/apparmor/.kunitconfig