[GIT PULL] AppArmor updates for 7.2-rc1
John Johansen
john.johansen at canonical.com
Wed Jun 24 07:52:16 UTC 2026

Hi Linus,

This is another round of bug fixing and some code cleanups; there are no
new features. I ended up pulling in a few bug fixes late, and gave them
some extra time to bake.

The biggest thing to note is Georgia is being added to help co-maintain
apparmor.

Everything has been merge, build, and regression tested against your tree
for Monday June 22.

thanks
- john

The following changes since commit 254f49634ee16a731174d2ae34bc50bd5f45e731:

  Linux 7.1-rc1 (2026-04-26 14:19:00 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor tags/apparmor-pr-2026-06-22

for you to fetch changes up to 2f6701a5ce6257ae7a64ddc6d89d0a08d2a034f8:

  apparmor: advertise the tcp fast open fix is applied (2026-06-23 22:15:15 -0700)

----------------------------------------------------------------
* add Georgia Garcia as co-maintainer of apparmor

* Cleanups
  - replace get_zeroed_page() with kzalloc()
  - remove unnecessary goto and associated label
  - change fn_label_build() to return err on failure instead of NULL or err
  - free rawdata as soon as possible
  - use explicit instead of implicit flex array in rawdata_f_data
  - use __label_make_stale in __aa_proxy_redirect
  - return correct error by propagating -ENOMEM correctly in unpack_table
  - aa_label_alloc use aa_label_free on alloc failure
  - add a conditional version of get_newest_label

* Bug Fixes
  - mediate the implicit connect of TCP fast open sendmsg
  - fix C23ism of label immediately before a declaration
  - fix kernel-doc warnings
  - fix spelling mistakes
  - fix use-after-free in rawdata dedup loop
  - Fix inverted comparison in cache_hold_inc()
  - fix uninitialized pointer passed to audit_log_untrustedstring()
  - don't audit files pointing to aa_null.dentry
  - put secmark label after secid lookup
  - fix aa_getprocattr free procattr leak on format failure
  - release exe file resources on path failure
  - fail policy unpack on accept2 allocation failure
  - Fix return in ns_mkdir_op
  - remove or add symlinks to rawdata according to export_binary
  - fix NULL pointer dereference in unpack_pdb
  - fix potential UAF in aa_replace_profiles
  - grab ns lock and refresh when looking up changehat child profiles
  - enable differential encoding
  - check label build before no_new_privs test
  - conditionally compile get_loaddata_common_ref()
  - fix unix socket mediation cache update, and leak

----------------------------------------------------------------
Andrew Morton (1):
      security/apparmor/apparmorfs.c: conditionally compile get_loaddata_common_ref()

Bryam Vargas (1):
      apparmor: mediate the implicit connect of TCP fast open sendmsg

Eduardo Vasconcelos (1):
      apparmor: Fix inverted comparison in cache_hold_inc()

Georgia Garcia (3):
      apparmor: fix NULL pointer dereference in unpack_pdb
      apparmor: remove or add symlinks to rawdata according to export_binary
      apparmor: don't audit files pointing to aa_null.dentry

Hongling Zeng (1):
      apparmor: Fix return in ns_mkdir_op

John Johansen (13):
      apparmor: add Georgia Garcia as co-maintainer of apparmor
      apparmor: fix shadowing of plabel that prevents cache from being updated
      apparmor: fix race in unix socket mediation when peer_path is used
      apparmor: fix refcount leak when updating the sk_ctx
      apparmor: add a conditional version of get_newest_label
      apparmor: enable differential encoding
      apparmor: fix rawdata_f_data implicit flex array
      apparmor: free rawdata as soon as possible
      apparmor: change fn_label_build() call to not return NULL
      apparmor: make fn_label_build() capable of handling not supported
      apparmor: remove unnecessary goto and associated label
      apparmor: fix label can not be immediately before a declaration
      apparmor: advertise the tcp fast open fix is applied

Maciek Borzecki (1):
      apparmor: fix uninitialised pointer passed to audit_log_untrustedstring()

Maxime Bélair (2):
      apparmor: propagate -ENOMEM correctly in unpack_table
      apparmor: fix potential UAF in aa_replace_profiles

Mike Rapoport (Microsoft) (1):
      apparmor: replace get_zeroed_page() with kzalloc()

Qingshuang Fu (1):
      security: apparmor: fix two spelling mistakes

Rodrigo Zaiden (1):
      apparmor: fix kernel-doc warnings

Ruoyu Wang (1):
      apparmor: check label build before no_new_privs test

Ruslan Valiyev (1):
      apparmor: fix use-after-free in rawdata dedup loop

Ryan Lee (2):
      apparmor: use __label_make_stale in __aa_proxy_redirect
      apparmor: grab ns lock and refresh when looking up changehat child profiles

Zygmunt Krynicki (5):
      apparmor: aa_label_alloc use aa_label_free on alloc failure
      apparmor: fail policy unpack on accept2 allocation failure
      apparmor: release exe file resources on path failure
      apparmor: aa_getprocattr free procattr leak on format failure
      apparmor: put secmark label after secid lookup

 MAINTAINERS                               |   1 +
 security/apparmor/af_unix.c               |  73 +++++++++---------
 security/apparmor/apparmorfs.c            | 119 ++++++++++++++++++++++--------
 security/apparmor/domain.c                |  97 ++++++++++++++++--------
 security/apparmor/file.c                  |  12 +--
 security/apparmor/include/apparmorfs.h    |  12 +++
 security/apparmor/include/label.h         |  32 ++++++++
 security/apparmor/include/lib.h           |  21 +++---
 security/apparmor/include/policy_unpack.h |  21 +++++-
 security/apparmor/label.c                 |  26 +++----
 security/apparmor/lsm.c                   |  20 ++++-
 security/apparmor/match.c                 |  22 +++---
 security/apparmor/mount.c                 |  17 ++---
 security/apparmor/net.c                   |   3 +
 security/apparmor/policy.c                |  35 ++++++++-
 security/apparmor/policy_unpack.c         |   6 +-
 security/apparmor/procattr.c              |   2 +
 security/apparmor/task.c                  |   2 +-
 18 files changed, 368 insertions(+), 153 deletions(-)