-From 05bf1eb7276886a3eda0588a8e012b558b693e96 Mon Sep 17 00:00:00 2001
-From: John Johansen <john.johansen@canonical.com>
-Date: Thu, 22 Jul 2010 02:32:02 -0700
-Subject: [PATCH] UBUNTU: SAUCE: AppArmor: Add profile introspection file to
- interface
-
-Add the dynamic profiles file to the interace, to allow load policy
-introspection.
-
-Signed-off-by: John Johansen <john.johansen@canonical.com>
-Acked-by: Kees Cook <kees@ubuntu.com>
----
- security/apparmor/Kconfig | 9 ++
- security/apparmor/apparmorfs.c | 231 ++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 240 insertions(+), 0 deletions(-)
-
-diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
-index 9b9013b..51ebf96 100644
---- a/security/apparmor/Kconfig
-+++ b/security/apparmor/Kconfig
-@@ -29,3 +29,12 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE
- boot.
-
- If you are unsure how to answer this question, answer 1.
-+
-+config SECURITY_APPARMOR_COMPAT_24
-+ bool "Enable AppArmor 2.4 compatability"
-+ depends on SECURITY_APPARMOR
-+ default y
-+ help
-+ This option enables compatability with AppArmor 2.4. It is
-+ recommended if compatability with older versions of AppArmor
-+ is desired.
+commit 5ea33f587f5f7324c40c5986286d0f38307923bb
+Author: John Johansen <john.johansen@canonical.com>
+Date: Mon Apr 11 16:55:10 2016 -0700
+
+ apparmor: fix refcount bug in profile replacement
+
+ Signed-off-by: John Johansen <john.johansen@canonical.com>
+ Acked-by: Seth Arnold <seth.arnold@canonical.com>
+
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index 705c287..222052f 100644
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -1189,12 +1189,12 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
+ aa_get_profile(newest);
+ aa_put_profile(parent);
+ rcu_assign_pointer(ent->new->parent, newest);
+- } else
+- aa_put_profile(newest);
++ }
+ /* aafs interface uses replacedby */
+ rcu_assign_pointer(ent->new->replacedby->profile,
+ aa_get_profile(ent->new));
+ __list_add_profile(&parent->base.profiles, ent->new);
++ aa_put_profile(newest);
+ } else {
+ /* aafs interface uses replacedby */
+ rcu_assign_pointer(ent->new->replacedby->profile,
+
+commit f65b1c9b72442e6166332c04f332e4b4d4797887
+Author: John Johansen <john.johansen@canonical.com>
+Date: Mon Apr 11 16:57:19 2016 -0700
+
+ apparmor: fix replacement bug that adds new child to old parent
+
+ When set atomic replacement is used and the parent is updated before the
+ child, and the child did not exist in the old parent so there is no
+ direct replacement then the new child is incorrectly added to the old
+ parent. This results in the new parent not having the child(ren) that
+ it should and the old parent when being destroyed asserting the
+ following error.
+
+ AppArmor: policy_destroy: internal error, policy '<profile/name>' still
+ contains profiles
+
+ Signed-off-by: John Johansen <john.johansen@canonical.com>
+ Acked-by: Seth Arnold <seth.arnold@canonical.com>
+
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index 222052f..c92a9f6 100644
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -1193,7 +1193,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
+ /* aafs interface uses replacedby */
+ rcu_assign_pointer(ent->new->replacedby->profile,
+ aa_get_profile(ent->new));
+- __list_add_profile(&parent->base.profiles, ent->new);
++ __list_add_profile(&newest->base.profiles, ent->new);
+ aa_put_profile(newest);
+ } else {
+ /* aafs interface uses replacedby */
+
+commit b6669bef20c9d934bc6498e79fffa220f6226518
+Author: John Johansen <john.johansen@canonical.com>
+Date: Sun Jun 8 11:20:54 2014 -0700
+
+ apparmor: fix uninitialized lsm_audit member
+
+ BugLink: http://bugs.launchpad.net/bugs/1268727
+
+ The task field in the lsm_audit struct needs to be initialized if
+ a change_hat fails, otherwise the following oops will occur
+
+ BUG: unable to handle kernel paging request at 0000002fbead7d08
+ IP: [<ffffffff8171153e>] _raw_spin_lock+0xe/0x50
+ PGD 1e3f35067 PUD 0
+ Oops: 0002 [#1] SMP
+ Modules linked in: pppox crc_ccitt p8023 p8022 psnap llc ax25 btrfs raid6_pq xor xfs libcrc32c dm_multipath scsi_dh kvm_amd dcdbas kvm microcode amd64_edac_mod joydev edac_core psmouse edac_mce_amd serio_raw k10temp sp5100_tco i2c_piix4 ipmi_si ipmi_msghandler acpi_power_meter mac_hid lp parport hid_generic usbhid hid pata_acpi mpt2sas ahci raid_class pata_atiixp bnx2 libahci scsi_transport_sas [last unloaded: tipc]
+ CPU: 2 PID: 699 Comm: changehat_twice Tainted: GF O 3.13.0-7-generic #25-Ubuntu
+ Hardware name: Dell Inc. PowerEdge R415/08WNM9, BIOS 1.8.6 12/06/2011
+ task: ffff8802135c6000 ti: ffff880212986000 task.ti: ffff880212986000
+ RIP: 0010:[<ffffffff8171153e>] [<ffffffff8171153e>] _raw_spin_lock+0xe/0x50
+ RSP: 0018:ffff880212987b68 EFLAGS: 00010006
+ RAX: 0000000000020000 RBX: 0000002fbead7500 RCX: 0000000000000000
+ RDX: 0000000000000292 RSI: ffff880212987ba8 RDI: 0000002fbead7d08
+ RBP: ffff880212987b68 R08: 0000000000000246 R09: ffff880216e572a0
+ R10: ffffffff815fd677 R11: ffffea0008469580 R12: ffffffff8130966f
+ R13: ffff880212987ba8 R14: 0000002fbead7d08 R15: ffff8800d8c6b830
+ FS: 00002b5e6c84e7c0(0000) GS:ffff880216e40000(0000) knlGS:0000000055731700
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000002fbead7d08 CR3: 000000021270f000 CR4: 00000000000006e0
+ Stack:
+ ffff880212987b98 ffffffff81075f17 ffffffff8130966f 0000000000000009
+ 0000000000000000 0000000000000000 ffff880212987bd0 ffffffff81075f7c
+ 0000000000000292 ffff880212987c08 ffff8800d8c6b800 0000000000000026
+ Call Trace:
+ [<ffffffff81075f17>] __lock_task_sighand+0x47/0x80
+ [<ffffffff8130966f>] ? apparmor_cred_prepare+0x2f/0x50
+ [<ffffffff81075f7c>] do_send_sig_info+0x2c/0x80
+ [<ffffffff81075fee>] send_sig_info+0x1e/0x30
+ [<ffffffff8130242d>] aa_audit+0x13d/0x190
+ [<ffffffff8130c1dc>] aa_audit_file+0xbc/0x130
+ [<ffffffff8130966f>] ? apparmor_cred_prepare+0x2f/0x50
+ [<ffffffff81304cc2>] aa_change_hat+0x202/0x530
+ [<ffffffff81308fc6>] aa_setprocattr_changehat+0x116/0x1d0
+ [<ffffffff8130a11d>] apparmor_setprocattr+0x25d/0x300
+ [<ffffffff812cee56>] security_setprocattr+0x16/0x20
+ [<ffffffff8121fc87>] proc_pid_attr_write+0x107/0x130
+ [<ffffffff811b7604>] vfs_write+0xb4/0x1f0
+ [<ffffffff811b8039>] SyS_write+0x49/0xa0
+ [<ffffffff8171a1bf>] tracesys+0xe1/0xe6
+
+ Signed-off-by: John Johansen <john.johansen@canonical.com>
+ Acked-by: Seth Arnold <seth.arnold@canonical.com>
+
+diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
+index 89c7865..3a7f1da 100644
+--- a/security/apparmor/audit.c
++++ b/security/apparmor/audit.c
+@@ -200,7 +200,8 @@ int aa_audit(int type, struct aa_profile *profile, gfp_t gfp,
+
+ if (sa->aad->type == AUDIT_APPARMOR_KILL)
+ (void)send_sig_info(SIGKILL, NULL,
+- sa->u.tsk ? sa->u.tsk : current);
++ sa->type == LSM_AUDIT_DATA_TASK && sa->u.tsk ?
++ sa->u.tsk : current);
+
+ if (sa->aad->type == AUDIT_APPARMOR_ALLOWED)
+ return complain_error(sa->aad->error);
+diff --git a/security/apparmor/file.c b/security/apparmor/file.c
+index d186674..4d2af4b 100644
+--- a/security/apparmor/file.c
++++ b/security/apparmor/file.c
+@@ -110,7 +110,8 @@ int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
+ int type = AUDIT_APPARMOR_AUTO;
+ struct common_audit_data sa;
+ struct apparmor_audit_data aad = {0,};
+- sa.type = LSM_AUDIT_DATA_NONE;
++ sa.type = LSM_AUDIT_DATA_TASK;
++ sa.u.tsk = NULL;
+ sa.aad = &aad;
+ aad.op = op,
+ aad.fs.request = request;
+
+commit aeab4cbfb86d0faeeb709e8201672e0662aa2c6f
+Author: John Johansen <john.johansen@canonical.com>
+Date: Fri Jul 25 04:02:03 2014 -0700
+
+ apparmor: exec should not be returning ENOENT when it denies
+
+ The current behavior is confusing as it causes exec failures to report
+ the executable is missing instead of identifying that apparmor
+ caused the failure.
+
+ Signed-off-by: John Johansen <john.johansen@canonical.com>
+ Acked-by: Seth Arnold <seth.arnold@canonical.com>
+
+diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
+index dc0027b..67a7418 100644
+--- a/security/apparmor/domain.c
++++ b/security/apparmor/domain.c
+@@ -433,7 +433,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
+ new_profile = aa_get_newest_profile(ns->unconfined);
+ info = "ux fallback";
+ } else {
+- error = -ENOENT;
++ error = -EACCES;
+ info = "profile not found";
+ /* remove MAY_EXEC to audit as failure */
+ perms.allow &= ~MAY_EXEC;
+
+commit 752e4263021d90cf23c262f2fd3ebfd6dbccd455
+Author: John Johansen <john.johansen@canonical.com>
+Date: Fri Jul 25 04:01:56 2014 -0700
+
+ apparmor: fix update the mtime of the profile file on replacement
+
+ Signed-off-by: John Johansen <john.johansen@canonical.com>
+ Acked-by: Seth Arnold <seth.arnold@canonical.com>
+
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
-index 16c15ec..42b7c9f 100644
+index ad4fa49..45a6199 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
-@@ -182,6 +182,234 @@ const struct file_operations aa_fs_seq_file_ops = {
- .release = single_release,
- };
+@@ -379,6 +379,8 @@ void __aa_fs_profile_migrate_dents(struct aa_profile *old,
-+#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
-+/**
-+ * __next_namespace - find the next namespace to list
-+ * @root: root namespace to stop search at (NOT NULL)
-+ * @ns: current ns position (NOT NULL)
-+ *
-+ * Find the next namespace from @ns under @root and handle all locking needed
-+ * while switching current namespace.
-+ *
-+ * Returns: next namespace or NULL if at last namespace under @root
-+ * NOTE: will not unlock root->lock
-+ */
-+static struct aa_namespace *__next_namespace(struct aa_namespace *root,
-+ struct aa_namespace *ns)
-+{
-+ struct aa_namespace *parent;
-+
-+ /* is next namespace a child */
-+ if (!list_empty(&ns->sub_ns)) {
-+ struct aa_namespace *next;
-+ next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
-+ read_lock(&next->lock);
-+ return next;
-+ }
-+
-+ /* check if the next ns is a sibling, parent, gp, .. */
-+ parent = ns->parent;
-+ while (parent) {
-+ read_unlock(&ns->lock);
-+ list_for_each_entry_continue(ns, &parent->sub_ns, base.list) {
-+ read_lock(&ns->lock);
-+ return ns;
-+ }
-+ if (parent == root)
-+ return NULL;
-+ ns = parent;
-+ parent = parent->parent;
-+ }
-+
-+ return NULL;
-+}
-+
-+/**
-+ * __first_profile - find the first profile in a namespace
-+ * @root: namespace that is root of profiles being displayed (NOT NULL)
-+ * @ns: namespace to start in (NOT NULL)
-+ *
-+ * Returns: unrefcounted profile or NULL if no profile
-+ */
-+static struct aa_profile *__first_profile(struct aa_namespace *root,
-+ struct aa_namespace *ns)
-+{
-+ for ( ; ns; ns = __next_namespace(root, ns)) {
-+ if (!list_empty(&ns->base.profiles))
-+ return list_first_entry(&ns->base.profiles,
-+ struct aa_profile, base.list);
-+ }
-+ return NULL;
-+}
-+
-+/**
-+ * __next_profile - step to the next profile in a profile tree
-+ * @profile: current profile in tree (NOT NULL)
-+ *
-+ * Perform a depth first taversal on the profile tree in a namespace
-+ *
-+ * Returns: next profile or NULL if done
-+ * Requires: profile->ns.lock to be held
-+ */
-+static struct aa_profile *__next_profile(struct aa_profile *p)
-+{
-+ struct aa_profile *parent;
-+ struct aa_namespace *ns = p->ns;
-+
-+ /* is next profile a child */
-+ if (!list_empty(&p->base.profiles))
-+ return list_first_entry(&p->base.profiles, typeof(*p),
-+ base.list);
-+
-+ /* is next profile a sibling, parent sibling, gp, subling, .. */
-+ parent = p->parent;
-+ while (parent) {
-+ list_for_each_entry_continue(p, &parent->base.profiles,
-+ base.list)
-+ return p;
-+ p = parent;
-+ parent = parent->parent;
-+ }
-+
-+ /* is next another profile in the namespace */
-+ list_for_each_entry_continue(p, &ns->base.profiles, base.list)
-+ return p;
-+
-+ return NULL;
-+}
-+
-+/**
-+ * next_profile - step to the next profile in where ever it may be
-+ * @root: root namespace (NOT NULL)
-+ * @profile: current profile (NOT NULL)
-+ *
-+ * Returns: next profile or NULL if there isn't one
-+ */
-+static struct aa_profile *next_profile(struct aa_namespace *root,
-+ struct aa_profile *profile)
-+{
-+ struct aa_profile *next = __next_profile(profile);
-+ if (next)
-+ return next;
-+
-+ /* finished all profiles in namespace move to next namespace */
-+ return __first_profile(root, __next_namespace(root, profile->ns));
-+}
-+
-+/**
-+ * p_start - start a depth first traversal of profile tree
-+ * @f: seq_file to fill
-+ * @pos: current position
-+ *
-+ * Returns: first profile under current namespace or NULL if none found
-+ *
-+ * acquires first ns->lock
+ for (i = 0; i < AAFS_PROF_SIZEOF; i++) {
+ new->dents[i] = old->dents[i];
++ if (new->dents[i])
++ new->dents[i]->d_inode->i_mtime = CURRENT_TIME;
+ old->dents[i] = NULL;
+ }
+ }
+
+commit 0c67233b18406dc7a8629faf8f9452feace6fb13
+Author: John Johansen <john.johansen@canonical.com>
+Date: Fri Jul 25 04:02:08 2014 -0700
+
+ apparmor: fix disconnected bind mnts reconnection
+
+ Bind mounts can fail to be properly reconnected when PATH_CONNECT is
+ specified. Ensure that when PATH_CONNECT is specified the path has
+ a root.
+
+ BugLink: http://bugs.launchpad.net/bugs/1319984
+
+ Signed-off-by: John Johansen <john.johansen@canonical.com>
+ Acked-by: Seth Arnold <seth.arnold@canonical.com>
+
+diff --git a/security/apparmor/path.c b/security/apparmor/path.c
+index edddc02..f261678 100644
+--- a/security/apparmor/path.c
++++ b/security/apparmor/path.c
+@@ -141,7 +141,10 @@ static int d_namespace_path(const struct path *path, char *buf, int buflen,
+ error = -EACCES;
+ if (*res == '/')
+ *name = res + 1;
+- }
++ } else if (*res != '/')
++ /* CONNECT_PATH with missing root */
++ error = prepend(name, *name - buf, "/", 1);
++
+ }
+
+ out:
+
+commit 30c2b759b4f456e97e859ca550666c8abe84ff3c
+Author: John Johansen <john.johansen@canonical.com>
+Date: Fri Jul 25 04:02:10 2014 -0700
+
+ apparmor: internal paths should be treated as disconnected
+
+ Internal mounts are not mounted anywhere and as such should be treated
+ as disconnected paths.
+
+ Signed-off-by: John Johansen <john.johansen@canonical.com>
+ Acked-by: Seth Arnold <seth.arnold@canonical.com>
+
+diff --git a/security/apparmor/path.c b/security/apparmor/path.c
+index f261678..a8fc7d0 100644
+--- a/security/apparmor/path.c
++++ b/security/apparmor/path.c
+@@ -25,7 +25,6 @@
+ #include "include/path.h"
+ #include "include/policy.h"
+
+-
+ /* modified from dcache.c */
+ static int prepend(char **buffer, int buflen, const char *str, int namelen)
+ {
+@@ -39,6 +38,38 @@ static int prepend(char **buffer, int buflen, const char *str, int namelen)
+
+ #define CHROOT_NSCONNECT (PATH_CHROOT_REL | PATH_CHROOT_NSCONNECT)
+
++/* If the path is not connected to the expected root,
++ * check if it is a sysctl and handle specially else remove any
++ * leading / that __d_path may have returned.
++ * Unless
++ * specifically directed to connect the path,
++ * OR
++ * if in a chroot and doing chroot relative paths and the path
++ * resolves to the namespace root (would be connected outside
++ * of chroot) and specifically directed to connect paths to
++ * namespace root.
+ */
-+static void *p_start(struct seq_file *f, loff_t *pos)
-+ __acquires(root->lock)
++static int disconnect(const struct path *path, char *buf, char **name,
++ int flags)
+{
-+ struct aa_profile *profile = NULL;
-+ struct aa_namespace *root = aa_current_profile()->ns;
-+ loff_t l = *pos;
-+ f->private = aa_get_namespace(root);
-+
-+
-+ /* find the first profile */
-+ read_lock(&root->lock);
-+ profile = __first_profile(root, root);
-+
-+ /* skip to position */
-+ for (; profile && l > 0; l--)
-+ profile = next_profile(root, profile);
-+
-+ return profile;
-+}
++ int error = 0;
+
-+/**
-+ * p_next - read the next profile entry
-+ * @f: seq_file to fill
-+ * @p: profile previously returned
-+ * @pos: current position
-+ *
-+ * Returns: next profile after @p or NULL if none
-+ *
-+ * may acquire/release locks in namespace tree as necessary
-+ */
-+static void *p_next(struct seq_file *f, void *p, loff_t *pos)
-+{
-+ struct aa_profile *profile = p;
-+ struct aa_namespace *root = f->private;
-+ (*pos)++;
++ if (!(flags & PATH_CONNECT_PATH) &&
++ !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
++ our_mnt(path->mnt))) {
++ /* disconnected path, don't return pathname starting
++ * with '/'
++ */
++ error = -EACCES;
++ if (**name == '/')
++ *name = *name + 1;
++ } else if (**name != '/')
++ /* CONNECT_PATH with missing root */
++ error = prepend(name, *name - buf, "/", 1);
+
-+ return next_profile(root, profile);
++ return error;
+}
+
-+/**
-+ * p_stop - stop depth first traversal
-+ * @f: seq_file we are filling
-+ * @p: the last profile writen
-+ *
-+ * Release all locking done by p_start/p_next on namespace tree
-+ */
-+static void p_stop(struct seq_file *f, void *p)
-+ __releases(root->lock)
-+{
-+ struct aa_profile *profile = p;
-+ struct aa_namespace *root = f->private, *ns;
-+
-+ if (profile) {
-+ for (ns = profile->ns; ns && ns != root; ns = ns->parent)
-+ read_unlock(&ns->lock);
+ /**
+ * d_namespace_path - lookup a name associated with a given path
+ * @path: path to lookup (NOT NULL)
+@@ -74,7 +105,8 @@ static int d_namespace_path(const struct path *path, char *buf, int buflen,
+ * control instead of hard coded /proc
+ */
+ return prepend(name, *name - buf, "/proc", 5);
+- }
++ } else
++ return disconnect(path, buf, name, flags);
+ return 0;
+ }
+
+@@ -120,32 +152,8 @@ static int d_namespace_path(const struct path *path, char *buf, int buflen,
+ goto out;
+ }
+
+- /* If the path is not connected to the expected root,
+- * check if it is a sysctl and handle specially else remove any
+- * leading / that __d_path may have returned.
+- * Unless
+- * specifically directed to connect the path,
+- * OR
+- * if in a chroot and doing chroot relative paths and the path
+- * resolves to the namespace root (would be connected outside
+- * of chroot) and specifically directed to connect paths to
+- * namespace root.
+- */
+- if (!connected) {
+- if (!(flags & PATH_CONNECT_PATH) &&
+- !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
+- our_mnt(path->mnt))) {
+- /* disconnected path, don't return pathname starting
+- * with '/'
+- */
+- error = -EACCES;
+- if (*res == '/')
+- *name = res + 1;
+- } else if (*res != '/')
+- /* CONNECT_PATH with missing root */
+- error = prepend(name, *name - buf, "/", 1);
+-
+- }
++ if (!connected)
++ error = disconnect(path, buf, name, flags);
+
+ out:
+ return error;
+
+commit 35f89b597a40c870f93a068bc92a7ef4f9b16a66
+Author: John Johansen <john.johansen@canonical.com>
+Date: Sat Apr 16 13:59:02 2016 -0700
+
+ apparmor: fix put() parent ref after updating the active ref
+
+ Signed-off-by: John Johansen <john.johansen@canonical.com>
+ Acked-by: Seth Arnold <seth.arnold@canonical.com>
+
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index c92a9f6..455c9f8 100644
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -1187,8 +1187,8 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
+ /* parent replaced in this atomic set? */
+ if (newest != parent) {
+ aa_get_profile(newest);
+- aa_put_profile(parent);
+ rcu_assign_pointer(ent->new->parent, newest);
++ aa_put_profile(parent);
+ }
+ /* aafs interface uses replacedby */
+ rcu_assign_pointer(ent->new->replacedby->profile,
+
+commit 7b1ec6a04ca57fabe250f1102f2803dea7fbd03b
+Author: John Johansen <john.johansen@canonical.com>
+Date: Sat Apr 16 14:16:50 2016 -0700
+
+ apparmor: fix log failures for all profiles in a set
+
+ currently only the profile that is causing the failure is logged. This
+ makes it more confusing than necessary about which profiles loaded
+ and which didn't. So make sure to log success and failure messages for
+ all profiles in the set being loaded.
+
+ Signed-off-by: John Johansen <john.johansen@canonical.com>
+ Acked-by: Seth Arnold <seth.arnold@canonical.com>
+
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index 455c9f8..db31bc5 100644
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -1067,7 +1067,7 @@ static int __lookup_replace(struct aa_namespace *ns, const char *hname,
+ */
+ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
+ {
+- const char *ns_name, *name = NULL, *info = NULL;
++ const char *ns_name, *info = NULL;
+ struct aa_namespace *ns = NULL;
+ struct aa_load_ent *ent, *tmp;
+ int op = OP_PROF_REPL;
+@@ -1082,18 +1082,15 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
+ /* released below */
+ ns = aa_prepare_namespace(ns_name);
+ if (!ns) {
+- info = "failed to prepare namespace";
+- error = -ENOMEM;
+- name = ns_name;
+- goto fail;
++ error = audit_policy(op, GFP_KERNEL, ns_name,
++ "failed to prepare namespace", -ENOMEM);
++ goto free;
+ }
+
+ mutex_lock(&ns->lock);
+ /* setup parent and ns info */
+ list_for_each_entry(ent, &lh, list) {
+ struct aa_policy *policy;
+-
+- name = ent->new->base.hname;
+ error = __lookup_replace(ns, ent->new->base.hname, noreplace,
+ &ent->old, &info);
+ if (error)
+@@ -1121,7 +1118,6 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
+ if (!p) {
+ error = -ENOENT;
+ info = "parent does not exist";
+- name = ent->new->base.hname;
+ goto fail_lock;
+ }
+ rcu_assign_pointer(ent->new->parent, aa_get_profile(p));
+@@ -1214,9 +1210,22 @@ out:
+
+ fail_lock:
+ mutex_unlock(&ns->lock);
+-fail:
+- error = audit_policy(op, GFP_KERNEL, name, info, error);
+
++ /* audit cause of failure */
++ op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
++ audit_policy(op, GFP_KERNEL, ent->new->base.hname, info, error);
++ /* audit status that rest of profiles in the atomic set failed too */
++ info = "valid profile in failed atomic policy load";
++ list_for_each_entry(tmp, &lh, list) {
++ if (tmp == ent) {
++ info = "unchecked profile in failed atomic policy load";
++ /* skip entry that caused failure */
++ continue;
++ }
++ op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
++ audit_policy(op, GFP_KERNEL, tmp->new->base.hname, info, error);
+ }
-+ read_unlock(&root->lock);
-+ aa_put_namespace(root);
-+}
-+
-+/**
-+ * seq_show_profile - show a profile entry
-+ * @f: seq_file to file
-+ * @p: current position (profile) (NOT NULL)
-+ *
-+ * Returns: error on failure
-+ */
-+static int seq_show_profile(struct seq_file *f, void *p)
++free:
+ list_for_each_entry_safe(ent, tmp, &lh, list) {
+ list_del_init(&ent->list);
+ aa_load_ent_free(ent);
+
+commit 4c475747a31b0637f0d47cb9bddaf2c6efb02854
+Author: John Johansen <john.johansen@canonical.com>
+Date: Sat Apr 16 14:19:38 2016 -0700
+
+ apparmor: fix audit full profile hname on successful load
+
+ Currently logging of a successful profile load only logs the basename
+ of the profile. This can result in confusion when a child profile has
+ the same name as the another profile in the set. Logging the hname
+ will ensure there is no confusion.
+
+ Signed-off-by: John Johansen <john.johansen@canonical.com>
+ Acked-by: Seth Arnold <seth.arnold@canonical.com>
+
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index db31bc5..ca402d0 100644
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -1159,7 +1159,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
+ list_del_init(&ent->list);
+ op = (!ent->old && !ent->rename) ? OP_PROF_LOAD : OP_PROF_REPL;
+
+- audit_policy(op, GFP_ATOMIC, ent->new->base.name, NULL, error);
++ audit_policy(op, GFP_ATOMIC, ent->new->base.hname, NULL, error);
+
+ if (ent->old) {
+ __replace_profile(ent->old, ent->new, 1);
+
+commit 430741dd766291d2e618b04e918ee6da844c230a
+Author: John Johansen <john.johansen@canonical.com>
+Date: Wed Apr 20 14:18:18 2016 -0700
+
+ apparmor: ensure the target profile name is always audited
+
+ The target profile name was not being correctly audited in a few
+ cases because the target variable was not being set and gotos
+ passed the code to set it at apply:
+
+ Since it is always based on new_profile just drop the target var
+ and conditionally report based on new_profile.
+
+ Signed-off-by: John Johansen <john.johansen@canonical.com>
+ Acked-by: Seth Arnold <seth.arnold@canonical.com>
+
+diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
+index 67a7418..fc3036b 100644
+--- a/security/apparmor/domain.c
++++ b/security/apparmor/domain.c
+@@ -346,7 +346,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
+ file_inode(bprm->file)->i_uid,
+ file_inode(bprm->file)->i_mode
+ };
+- const char *name = NULL, *target = NULL, *info = NULL;
++ const char *name = NULL, *info = NULL;
+ int error = 0;
+
+ if (bprm->cred_prepared)
+@@ -399,6 +399,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
+ if (cxt->onexec) {
+ struct file_perms cp;
+ info = "change_profile onexec";
++ new_profile = aa_get_newest_profile(cxt->onexec);
+ if (!(perms.allow & AA_MAY_ONEXEC))
+ goto audit;
+
+@@ -413,7 +414,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
+
+ if (!(cp.allow & AA_MAY_ONEXEC))
+ goto audit;
+- new_profile = aa_get_newest_profile(cxt->onexec);
+ goto apply;
+ }
+
+@@ -445,10 +445,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
+ if (!new_profile) {
+ error = -ENOMEM;
+ info = "could not create null profile";
+- } else {
++ } else
+ error = -EACCES;
+- target = new_profile->base.hname;
+- }
+ perms.xindex |= AA_X_UNSAFE;
+ } else
+ /* fail exec */
+@@ -459,7 +457,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
+ * fail the exec.
+ */
+ if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) {
+- aa_put_profile(new_profile);
+ error = -EPERM;
+ goto cleanup;
+ }
+@@ -474,10 +471,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
+
+ if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
+ error = may_change_ptraced_domain(new_profile);
+- if (error) {
+- aa_put_profile(new_profile);
++ if (error)
+ goto audit;
+- }
+ }
+
+ /* Determine if secure exec is needed.
+@@ -498,7 +493,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
+ bprm->unsafe |= AA_SECURE_X_NEEDED;
+ }
+ apply:
+- target = new_profile->base.hname;
+ /* when transitioning profiles clear unsafe personality bits */
+ bprm->per_clear |= PER_CLEAR_ON_SETID;
+
+@@ -506,15 +500,19 @@ x_clear:
+ aa_put_profile(cxt->profile);
+ /* transfer new profile reference will be released when cxt is freed */
+ cxt->profile = new_profile;
++ new_profile = NULL;
+
+ /* clear out all temporary/transitional state from the context */
+ aa_clear_task_cxt_trans(cxt);
+
+ audit:
+ error = aa_audit_file(profile, &perms, GFP_KERNEL, OP_EXEC, MAY_EXEC,
+- name, target, cond.uid, info, error);
++ name,
++ new_profile ? new_profile->base.hname : NULL,
++ cond.uid, info, error);
+
+ cleanup:
++ aa_put_profile(new_profile);
+ aa_put_profile(profile);
+ kfree(buffer);
+
+
+commit 06763d057300b3d5bbe1894acfe236cf193bab78
+Author: John Johansen <john.johansen@canonical.com>
+Date: Thu Mar 17 12:02:54 2016 -0700
+
+ apparmor: check that xindex is in trans_table bounds
+
+ Signed-off-by: John Johansen <john.johansen@canonical.com>
+ Acked-by: Seth Arnold <seth.arnold@canonical.com>
+
+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
+index a689f10..c841b12 100644
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -676,7 +676,7 @@ static bool verify_xindex(int xindex, int table_size)
+ int index, xtype;
+ xtype = xindex & AA_X_TYPE_MASK;
+ index = xindex & AA_X_INDEX_MASK;
+- if (xtype == AA_X_TABLE && index > table_size)
++ if (xtype == AA_X_TABLE && index >= table_size)
+ return 0;
+ return 1;
+ }
+
+commit 9ad29b2e7820895339f90eb71b411d0134cf1ce9
+Author: John Johansen <john.johansen@canonical.com>
+Date: Wed Nov 18 11:41:05 2015 -0800
+
+ apparmor: fix ref count leak when profile sha1 hash is read
+
+ Signed-off-by: John Johansen <john.johansen@canonical.com>
+ Acked-by: Seth Arnold <seth.arnold@canonical.com>
+
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 45a6199..0d8dd71 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -331,6 +331,7 @@ static int aa_fs_seq_hash_show(struct seq_file *seq, void *v)
+ seq_printf(seq, "%.2x", profile->hash[i]);
+ seq_puts(seq, "\n");
+ }
++ aa_put_profile(profile);
+
+ return 0;
+ }
+
+commit e13f968d154ba9d6a2c4f82f33d3312a63430b54
+Author: John Johansen <john.johansen@canonical.com>
+Date: Wed Dec 16 18:09:10 2015 -0800
+
+ apparmor: fix refcount race when finding a child profile
+
+ When finding a child profile via an rcu critical section, the profile
+ may be put and scheduled for deletion after the child is found but
+ before its refcount is incremented.
+
+ Protect against this by repeating the lookup if the profiles refcount
+ is 0 and is one its way to deletion.
+
+ Signed-off-by: John Johansen <john.johansen@canonical.com>
+ Acked-by: Seth Arnold <seth.arnold@canonical.com>
+
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index ca402d0..7807125 100644
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -766,7 +766,9 @@ struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name)
+ struct aa_profile *profile;
+
+ rcu_read_lock();
+- profile = aa_get_profile(__find_child(&parent->base.profiles, name));
++ do {
++ profile = __find_child(&parent->base.profiles, name);
++ } while (profile && !aa_get_profile_not0(profile));
+ rcu_read_unlock();
+
+ /* refcount released by caller */
+
+commit 5833ccff1227fbc8f1bab64351f6747a6c71bdeb
+Author: Geliang Tang <geliangtang@163.com>
+Date: Mon Nov 16 21:46:33 2015 +0800
+
+ apparmor: use list_next_entry instead of list_entry_next
+
+ list_next_entry has been defined in list.h, so I replace list_entry_next
+ with it.
+
+ Signed-off-by: Geliang Tang <geliangtang@163.com>
+ Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
+ Signed-off-by: John Johansen <john.johansen@canonical.com>
+
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 0d8dd71..729e595 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -553,8 +553,6 @@ fail2:
+ }
+
+
+-#define list_entry_next(pos, member) \
+- list_entry(pos->member.next, typeof(*pos), member)
+ #define list_entry_is_head(pos, head, member) (&pos->member == (head))
+
+ /**
+@@ -585,7 +583,7 @@ static struct aa_namespace *__next_namespace(struct aa_namespace *root,
+ parent = ns->parent;
+ while (ns != root) {
+ mutex_unlock(&ns->lock);
+- next = list_entry_next(ns, base.list);
++ next = list_next_entry(ns, base.list);
+ if (!list_entry_is_head(next, &parent->sub_ns, base.list)) {
+ mutex_lock(&next->lock);
+ return next;
+@@ -639,7 +637,7 @@ static struct aa_profile *__next_profile(struct aa_profile *p)
+ parent = rcu_dereference_protected(p->parent,
+ mutex_is_locked(&p->ns->lock));
+ while (parent) {
+- p = list_entry_next(p, base.list);
++ p = list_next_entry(p, base.list);
+ if (!list_entry_is_head(p, &parent->base.profiles, base.list))
+ return p;
+ p = parent;
+@@ -648,7 +646,7 @@ static struct aa_profile *__next_profile(struct aa_profile *p)
+ }
+
+ /* is next another profile in the namespace */
+- p = list_entry_next(p, base.list);
++ p = list_next_entry(p, base.list);
+ if (!list_entry_is_head(p, &ns->base.profiles, base.list))
+ return p;
+
+
+commit 645801f1ddd183109c011e5ecee23ed3fdcae244
+Author: Jeff Mahoney <jeffm@suse.com>
+Date: Fri Nov 6 15:17:30 2015 -0500
+
+ apparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task
+
+ While using AppArmor, SYS_CAP_RESOURCE is insufficient to call prlimit
+ on another task. The only other example of a AppArmor mediating access to
+ another, already running, task (ignoring fork+exec) is ptrace.
+
+ The AppArmor model for ptrace is that one of the following must be true:
+ 1) The tracer is unconfined
+ 2) The tracer is in complain mode
+ 3) The tracer and tracee are confined by the same profile
+ 4) The tracer is confined but has SYS_CAP_PTRACE
+
+ 1), 2, and 3) are already true for setrlimit.
+
+ We can match the ptrace model just by allowing CAP_SYS_RESOURCE.
+
+ We still test the values of the rlimit since it can always be overridden
+ using a value that means unlimited for a particular resource.
+
+ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+ Signed-off-by: John Johansen <john.johansen@canonical.com>
+
+diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c
+index 748bf0c..67a6072 100644
+--- a/security/apparmor/resource.c
++++ b/security/apparmor/resource.c
+@@ -101,9 +101,11 @@ int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *task,
+ /* TODO: extend resource control to handle other (non current)
+ * profiles. AppArmor rules currently have the implicit assumption
+ * that the task is setting the resource of a task confined with
+- * the same profile.
++ * the same profile or that the task setting the resource of another
++ * task has CAP_SYS_RESOURCE.
+ */
+- if (profile != task_profile ||
++ if ((profile != task_profile &&
++ aa_capable(profile, CAP_SYS_RESOURCE, 1)) ||
+ (profile->rlimits.mask & (1 << resource) &&
+ new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max))
+ error = -EACCES;
+
+commit 2be4aed1f3332d87273eb593944332054f3cffac
+Author: John Johansen <john.johansen@canonical.com>
+Date: Thu Jun 2 02:37:02 2016 -0700
+
+ apparmor: add missing id bounds check on dfa verification
+
+ Signed-off-by: John Johansen <john.johansen@canonical.com>
+
+diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
+index 001c43a..a1c04fe 100644
+--- a/security/apparmor/include/match.h
++++ b/security/apparmor/include/match.h
+@@ -62,6 +62,7 @@ struct table_set_header {
+ #define YYTD_ID_ACCEPT2 6
+ #define YYTD_ID_NXT 7
+ #define YYTD_ID_TSIZE 8
++#define YYTD_ID_MAX 8
+
+ #define YYTD_DATA8 1
+ #define YYTD_DATA16 2
+diff --git a/security/apparmor/match.c b/security/apparmor/match.c
+index 727eb42..f9f57c6 100644
+--- a/security/apparmor/match.c
++++ b/security/apparmor/match.c
+@@ -47,6 +47,8 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
+ * it every time we use td_id as an index
+ */
+ th.td_id = be16_to_cpu(*(u16 *) (blob)) - 1;
++ if (th.td_id > YYTD_ID_MAX)
++ goto out;
+ th.td_flags = be16_to_cpu(*(u16 *) (blob + 2));
+ th.td_lolen = be32_to_cpu(*(u32 *) (blob + 8));
+ blob += sizeof(struct table_header);
+
+commit c7f87d3c3363b1a0c4724e627e5c8e640a883c89
+Author: John Johansen <john.johansen@canonical.com>
+Date: Wed Jun 15 09:57:55 2016 +0300
+
+ apparmor: don't check for vmalloc_addr if kvzalloc() failed
+
+ Signed-off-by: John Johansen <john.johansen@canonical.com>
+
+diff --git a/security/apparmor/match.c b/security/apparmor/match.c
+index f9f57c6..32b72eb 100644
+--- a/security/apparmor/match.c
++++ b/security/apparmor/match.c
+@@ -75,14 +75,14 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
+ u32, be32_to_cpu);
+ else
+ goto fail;
++ /* if table was vmalloced make sure the page tables are synced
++ * before it is used, as it goes live to all cpus.
++ */
++ if (is_vmalloc_addr(table))
++ vm_unmap_aliases();
+ }
+
+ out:
+- /* if table was vmalloced make sure the page tables are synced
+- * before it is used, as it goes live to all cpus.
+- */
+- if (is_vmalloc_addr(table))
+- vm_unmap_aliases();
+ return table;
+ fail:
+ kvfree(table);
+
+commit 0f7e61013dd1e67ebb54d58eee11ab009ceb5ef3
+Author: John Johansen <john.johansen@canonical.com>
+Date: Wed Jun 15 10:00:55 2016 +0300
+
+ apparmor: fix oops in profile_unpack() when policy_db is not present
+
+ BugLink: http://bugs.launchpad.net/bugs/1592547
+
+ If unpack_dfa() returns NULL due to the dfa not being present,
+ profile_unpack() is not checking if the dfa is not present (NULL).
+
+ Signed-off-by: John Johansen <john.johansen@canonical.com>
+
+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
+index c841b12..dac2121 100644
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -583,6 +583,9 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ error = PTR_ERR(profile->policy.dfa);
+ profile->policy.dfa = NULL;
+ goto fail;
++ } else if (!profile->policy.dfa) {
++ error = -EPROTO;
++ goto fail;
+ }
+ if (!unpack_u32(e, &profile->policy.start[0], "start"))
+ /* default start state */
+
+commit de4ca46ec035283928e8fa40797897cefcf6ec3e
+Author: John Johansen <john.johansen@canonical.com>
+Date: Wed Jun 22 18:01:08 2016 -0700
+
+ apparmor: fix module parameters can be changed after policy is locked
+
+ the policy_lock parameter is a one way switch that prevents policy
+ from being further modified. Unfortunately some of the module parameters
+ can effectively modify policy by turning off enforcement.
+
+ split policy_admin_capable into a view check and a full admin check,
+ and update the admin check to test the policy_lock parameter.
+
+ Signed-off-by: John Johansen <john.johansen@canonical.com>
+
+diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
+index c28b0f2..52275f0 100644
+--- a/security/apparmor/include/policy.h
++++ b/security/apparmor/include/policy.h
+@@ -403,6 +403,8 @@ static inline int AUDIT_MODE(struct aa_profile *profile)
+ return profile->audit;
+ }
+
++bool policy_view_capable(void);
++bool policy_admin_capable(void);
+ bool aa_may_manage_policy(int op);
+
+ #endif /* __AA_POLICY_H */
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index 7798e16..e83eefb 100644
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -728,51 +728,49 @@ __setup("apparmor=", apparmor_enabled_setup);
+ /* set global flag turning off the ability to load policy */
+ static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
+ {
+- if (!capable(CAP_MAC_ADMIN))
++ if (!policy_admin_capable())
+ return -EPERM;
+- if (aa_g_lock_policy)
+- return -EACCES;
+ return param_set_bool(val, kp);
+ }
+
+ static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
+ {
+- if (!capable(CAP_MAC_ADMIN))
++ if (!policy_view_capable())
+ return -EPERM;
+ return param_get_bool(buffer, kp);
+ }
+
+ static int param_set_aabool(const char *val, const struct kernel_param *kp)
+ {
+- if (!capable(CAP_MAC_ADMIN))
++ if (!policy_admin_capable())
+ return -EPERM;
+ return param_set_bool(val, kp);
+ }
+
+ static int param_get_aabool(char *buffer, const struct kernel_param *kp)
+ {
+- if (!capable(CAP_MAC_ADMIN))
++ if (!policy_view_capable())
+ return -EPERM;
+ return param_get_bool(buffer, kp);
+ }
+
+ static int param_set_aauint(const char *val, const struct kernel_param *kp)
+ {
+- if (!capable(CAP_MAC_ADMIN))
++ if (!policy_admin_capable())
+ return -EPERM;
+ return param_set_uint(val, kp);
+ }
+
+ static int param_get_aauint(char *buffer, const struct kernel_param *kp)
+ {
+- if (!capable(CAP_MAC_ADMIN))
++ if (!policy_view_capable())
+ return -EPERM;
+ return param_get_uint(buffer, kp);
+ }
+
+ static int param_get_audit(char *buffer, struct kernel_param *kp)
+ {
+- if (!capable(CAP_MAC_ADMIN))
++ if (!policy_view_capable())
+ return -EPERM;
+
+ if (!apparmor_enabled)
+@@ -784,7 +782,7 @@ static int param_get_audit(char *buffer, struct kernel_param *kp)
+ static int param_set_audit(const char *val, struct kernel_param *kp)
+ {
+ int i;
+- if (!capable(CAP_MAC_ADMIN))
++ if (!policy_admin_capable())
+ return -EPERM;
+
+ if (!apparmor_enabled)
+@@ -805,7 +803,7 @@ static int param_set_audit(const char *val, struct kernel_param *kp)
+
+ static int param_get_mode(char *buffer, struct kernel_param *kp)
+ {
+- if (!capable(CAP_MAC_ADMIN))
++ if (!policy_admin_capable())
+ return -EPERM;
+
+ if (!apparmor_enabled)
+@@ -817,7 +815,7 @@ static int param_get_mode(char *buffer, struct kernel_param *kp)
+ static int param_set_mode(const char *val, struct kernel_param *kp)
+ {
+ int i;
+- if (!capable(CAP_MAC_ADMIN))
++ if (!policy_admin_capable())
+ return -EPERM;
+
+ if (!apparmor_enabled)
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index 7807125..179e68d 100644
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -918,6 +918,22 @@ static int audit_policy(int op, gfp_t gfp, const char *name, const char *info,
+ &sa, NULL);
+ }
+
++bool policy_view_capable(void)
+{
-+ struct aa_profile *profile = (struct aa_profile *)p;
-+ struct aa_namespace *root = f->private;
++ struct user_namespace *user_ns = current_user_ns();
++ bool response = false;
+
-+ if (profile->ns != root)
-+ seq_printf(f, ":%s://", aa_ns_name(root, profile->ns));
-+ seq_printf(f, "%s (%s)\n", profile->base.hname,
-+ COMPLAIN_MODE(profile) ? "complain" : "enforce");
++ if (ns_capable(user_ns, CAP_MAC_ADMIN))
++ response = true;
+
-+ return 0;
++ return response;
+}
+
-+static const struct seq_operations aa_fs_profiles_op = {
-+ .start = p_start,
-+ .next = p_next,
-+ .stop = p_stop,
-+ .show = seq_show_profile,
-+};
-+
-+static int profiles_open(struct inode *inode, struct file *file)
++bool policy_admin_capable(void)
+{
-+ return seq_open(file, &aa_fs_profiles_op);
++ return policy_view_capable() && !aa_g_lock_policy;
+}
+
-+static int profiles_release(struct inode *inode, struct file *file)
-+{
-+ return seq_release(inode, file);
-+}
-+
-+const struct file_operations aa_fs_profiles_fops = {
-+ .open = profiles_open,
-+ .read = seq_read,
-+ .llseek = seq_lseek,
-+ .release = profiles_release,
-+};
-+#endif /* CONFIG_SECURITY_APPARMOR_COMPAT_24 */
-+
- /** Base file system setup **/
-
- static struct aa_fs_entry aa_fs_entry_file[] = {
-@@ -210,6 +438,9 @@ static struct aa_fs_entry aa_fs_entry_apparmor[] = {
- AA_FS_FILE_FOPS(".load", 0640, &aa_fs_profile_load),
- AA_FS_FILE_FOPS(".replace", 0640, &aa_fs_profile_replace),
- AA_FS_FILE_FOPS(".remove", 0640, &aa_fs_profile_remove),
-+#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
-+ AA_FS_FILE_FOPS("profiles", 0640, &aa_fs_profiles_fops),
-+#endif
- AA_FS_DIR("features", aa_fs_entry_features),
- { }
- };
---
-1.7.6.5
-
-From 4facdf9db37c12ff655c91270d9030e2ed805ca2 Mon Sep 17 00:00:00 2001
-From: John Johansen <john.johansen@canonical.com>
-Date: Mon, 4 Oct 2010 15:03:36 -0700
-Subject: [PATCH] UBUNTU: SAUCE: AppArmor: basic networking rules
-
-Base support for network mediation.
-
-Signed-off-by: John Johansen <john.johansen@canonical.com>
----
- security/apparmor/.gitignore | 2 +-
- security/apparmor/Makefile | 42 +++++++++-
- security/apparmor/apparmorfs.c | 1 +
- security/apparmor/include/audit.h | 4 +
- security/apparmor/include/net.h | 44 ++++++++++
- security/apparmor/include/policy.h | 3 +
- security/apparmor/lsm.c | 112 +++++++++++++++++++++++++
- security/apparmor/net.c | 162 ++++++++++++++++++++++++++++++++++++
- security/apparmor/policy.c | 1 +
- security/apparmor/policy_unpack.c | 46 ++++++++++
- 10 files changed, 414 insertions(+), 3 deletions(-)
- create mode 100644 security/apparmor/include/net.h
- create mode 100644 security/apparmor/net.c
+ /**
+ * aa_may_manage_policy - can the current task manage policy
+ * @op: the policy manipulation operation being done
+@@ -932,7 +948,7 @@ bool aa_may_manage_policy(int op)
+ return 0;
+ }
+
+- if (!capable(CAP_MAC_ADMIN)) {
++ if (!policy_admin_capable()) {
+ audit_policy(op, GFP_KERNEL, NULL, "not policy admin", -EACCES);
+ return 0;
+ }
+
+commit 46c339f46b83e4cf8098f599cd182e65e9d054fc
+Author: Heinrich Schuchardt <xypron.glpk@gmx.de>
+Date: Fri Jun 10 23:34:26 2016 +0200
+
+ apparmor: do not expose kernel stack
+
+ Do not copy uninitalized fields th.td_hilen, th.td_data.
+
+ Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
+ Signed-off-by: John Johansen <john.johansen@canonical.com>
+
+diff --git a/security/apparmor/match.c b/security/apparmor/match.c
+index 32b72eb..3f900fc 100644
+--- a/security/apparmor/match.c
++++ b/security/apparmor/match.c
+@@ -63,7 +63,9 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
+
+ table = kvzalloc(tsize);
+ if (table) {
+- *table = th;
++ table->td_id = th.td_id;
++ table->td_flags = th.td_flags;
++ table->td_lolen = th.td_lolen;
+ if (th.td_flags == YYTD_DATA8)
+ UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
+ u8, byte_to_byte);
+
+commit 7e65e8142b2ea4891581173d6e92fc337b02ff8b
+Author: John Johansen <john.johansen@canonical.com>
+Date: Sat Jul 9 23:46:33 2016 -0700
+
+ apparmor: fix arg_size computation for when setprocattr is null terminated
+
+ Signed-off-by: John Johansen <john.johansen@canonical.com>
+
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index e83eefb..ba8207b 100644
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -529,7 +529,7 @@ static int apparmor_setprocattr(struct task_struct *task, char *name,
+ if (!*args)
+ goto out;
+
+- arg_size = size - (args - (char *) value);
++ arg_size = size - (args - (largs ? largs : (char *) value));
+ if (strcmp(name, "current") == 0) {
+ if (strcmp(command, "changehat") == 0) {
+ error = aa_setprocattr_changehat(args, arg_size,
+
+commit b661b13237991be6b5cdf0849f137c5ec58217bf
+Author: John Johansen <john.johansen@canonical.com>
+Date: Mon Oct 4 15:03:36 2010 -0700
+
+ UBUNTU: SAUCE: AppArmor: basic networking rules
+
+ Base support for network mediation.
+
+ Signed-off-by: John Johansen <john.johansen@canonical.com>
diff --git a/security/apparmor/.gitignore b/security/apparmor/.gitignore
-index 4d995ae..d5b291e 100644
+index 9cdec70..d5b291e 100644
--- a/security/apparmor/.gitignore
+++ b/security/apparmor/.gitignore
-@@ -1,6 +1,6 @@
+@@ -1,5 +1,6 @@
#
# Generated include files
#
--af_names.h
+net_names.h
capability_names.h
rlim_names.h
diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
-index 806bd19..19daa85 100644
+index d693df8..5dbb72f 100644
--- a/security/apparmor/Makefile
+++ b/security/apparmor/Makefile
-@@ -4,9 +4,9 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+@@ -4,10 +4,10 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
- resource.o sid.o file.o
+ resource.o sid.o file.o net.o
+ apparmor-$(CONFIG_SECURITY_APPARMOR_HASH) += crypto.o
-clean-files := capability_names.h rlim_names.h
+clean-files := capability_names.h rlim_names.h net_names.h
# Build a lower case string table of capability names
-@@ -20,6 +20,38 @@ cmd_make-caps = echo "static const char *const capability_names[] = {" > $@ ;\
- -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/[\2] = "\L\1",/p';\
- echo "};" >> $@
+@@ -25,6 +25,38 @@ cmd_make-caps = echo "static const char *const capability_names[] = {" > $@ ;\
+ -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/\L\1/p' | \
+ tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
+# Build a lower case string table of address family names
+# Transform lines from
# Build a lower case string table of rlimit names.
# Transforms lines from
-@@ -56,6 +88,7 @@ cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \
+@@ -61,6 +93,7 @@ cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \
tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
$(obj)/capability.o : $(obj)/capability_names.h
+$(obj)/net.o : $(obj)/net_names.h
$(obj)/resource.o : $(obj)/rlim_names.h
- $(obj)/capability_names.h : $(srctree)/include/linux/capability.h \
+ $(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \
$(src)/Makefile
-@@ -63,3 +96,8 @@ $(obj)/capability_names.h : $(srctree)/include/linux/capability.h \
- $(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h \
+@@ -68,3 +101,8 @@ $(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \
+ $(obj)/rlim_names.h : $(srctree)/include/uapi/asm-generic/resource.h \
$(src)/Makefile
$(call cmd,make-rlim)
+$(obj)/net_names.h : $(srctree)/include/linux/socket.h \
+ $(call cmd,make-af)
+ $(call cmd,make-sock)
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
-index 42b7c9f..114fb23 100644
+index 729e595..181d961 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
-@@ -429,6 +429,7 @@ static struct aa_fs_entry aa_fs_entry_domain[] = {
- static struct aa_fs_entry aa_fs_entry_features[] = {
+@@ -807,6 +807,7 @@ static struct aa_fs_entry aa_fs_entry_features[] = {
+ AA_FS_DIR("policy", aa_fs_entry_policy),
AA_FS_DIR("domain", aa_fs_entry_domain),
AA_FS_DIR("file", aa_fs_entry_file),
+ AA_FS_DIR("network", aa_fs_entry_network),
AA_FS_FILE_U64("capability", VFS_CAP_FLAGS_MASK),
AA_FS_DIR("rlimit", aa_fs_entry_rlimit),
- { }
+ AA_FS_DIR("caps", aa_fs_entry_caps),
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
-index 4b7e189..17734f9 100644
+index ba3dfd1..5d3c419 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
-@@ -127,6 +127,10 @@ struct apparmor_audit_data {
+@@ -125,6 +125,10 @@ struct apparmor_audit_data {
u32 denied;
- uid_t ouid;
+ kuid_t ouid;
} fs;
+ struct {
+ int type, protocol;
+
+#endif /* __AA_NET_H */
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
-index bda4569..eb13a73 100644
+index 52275f0..4fc4dac 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -27,6 +27,7 @@
+#include "net.h"
#include "resource.h"
- extern const char *const profile_mode_names[];
-@@ -157,6 +158,7 @@ struct aa_policydb {
+ extern const char *const aa_profile_mode_names[];
+@@ -176,6 +177,7 @@ struct aa_replacedby {
* @policy: general match rules governing policy
* @file: The set of rules governing basic file access and domain transitions
* @caps: capabilities for the profile
+ * @net: network controls for the profile
* @rlimits: rlimits for the profile
*
- * The AppArmor profile contains the basic confinement data. Each profile
-@@ -194,6 +196,7 @@ struct aa_profile {
+ * @dents: dentries for the profiles file entries in apparmorfs
+@@ -217,6 +219,7 @@ struct aa_profile {
struct aa_policydb policy;
struct aa_file_rules file;
struct aa_caps caps;
+ struct aa_net net;
struct aa_rlimit rlimits;
- };
+ unsigned char *hash;
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
-index 8ea39aa..f628734 100644
+index ba8207b..88d3b0a 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -32,6 +32,7 @@
#include "include/path.h"
#include "include/policy.h"
#include "include/procattr.h"
-@@ -614,6 +615,104 @@ static int apparmor_task_setrlimit(struct task_struct *task,
+@@ -584,6 +585,104 @@ static int apparmor_task_setrlimit(struct task_struct *task,
return error;
}
+ return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
+}
+
- static struct security_operations apparmor_ops = {
- .name = "apparmor",
-
-@@ -646,6 +745,19 @@ static struct security_operations apparmor_ops = {
- .getprocattr = apparmor_getprocattr,
- .setprocattr = apparmor_setprocattr,
-
-+ .socket_create = apparmor_socket_create,
-+ .socket_bind = apparmor_socket_bind,
-+ .socket_connect = apparmor_socket_connect,
-+ .socket_listen = apparmor_socket_listen,
-+ .socket_accept = apparmor_socket_accept,
-+ .socket_sendmsg = apparmor_socket_sendmsg,
-+ .socket_recvmsg = apparmor_socket_recvmsg,
-+ .socket_getsockname = apparmor_socket_getsockname,
-+ .socket_getpeername = apparmor_socket_getpeername,
-+ .socket_getsockopt = apparmor_socket_getsockopt,
-+ .socket_setsockopt = apparmor_socket_setsockopt,
-+ .socket_shutdown = apparmor_socket_shutdown,
-+
- .cred_alloc_blank = apparmor_cred_alloc_blank,
- .cred_free = apparmor_cred_free,
- .cred_prepare = apparmor_cred_prepare,
+ static struct security_hook_list apparmor_hooks[] = {
+ LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
+ LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
+@@ -613,6 +712,19 @@ static struct security_hook_list apparmor_hooks[] = {
+ LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
+ LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
+
++ LSM_HOOK_INIT(socket_create, apparmor_socket_create),
++ LSM_HOOK_INIT(socket_bind, apparmor_socket_bind),
++ LSM_HOOK_INIT(socket_connect, apparmor_socket_connect),
++ LSM_HOOK_INIT(socket_listen, apparmor_socket_listen),
++ LSM_HOOK_INIT(socket_accept, apparmor_socket_accept),
++ LSM_HOOK_INIT(socket_sendmsg, apparmor_socket_sendmsg),
++ LSM_HOOK_INIT(socket_recvmsg, apparmor_socket_recvmsg),
++ LSM_HOOK_INIT(socket_getsockname, apparmor_socket_getsockname),
++ LSM_HOOK_INIT(socket_getpeername, apparmor_socket_getpeername),
++ LSM_HOOK_INIT(socket_getsockopt, apparmor_socket_getsockopt),
++ LSM_HOOK_INIT(socket_setsockopt, apparmor_socket_setsockopt),
++ LSM_HOOK_INIT(socket_shutdown, apparmor_socket_shutdown),
++
+ LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank),
+ LSM_HOOK_INIT(cred_free, apparmor_cred_free),
+ LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare),
diff --git a/security/apparmor/net.c b/security/apparmor/net.c
new file mode 100644
index 0000000..003dd18
+ return error;
+}
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
-index cf5fd22..27c8161 100644
+index 179e68d..f1a8541 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
-@@ -745,6 +745,7 @@ static void free_profile(struct aa_profile *profile)
+@@ -603,6 +603,7 @@ void aa_free_profile(struct aa_profile *profile)
aa_free_file_rules(&profile->file);
aa_free_cap_rules(&profile->caps);
+ aa_free_net_rules(&profile->net);
aa_free_rlimit_rules(&profile->rlimits);
- aa_free_sid(profile->sid);
+ kzfree(profile->dirname);
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
-index 329b1fd..1b90dfa 100644
+index dac2121..0107bc4 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -193,6 +193,19 @@ fail:
static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
{
if (unpack_nameX(e, AA_U32, name)) {
-@@ -471,6 +484,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+@@ -476,6 +489,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
{
struct aa_profile *profile = NULL;
const char *name = NULL;
int i, error = -EPROTO;
kernel_cap_t tmpcap;
u32 tmp;
-@@ -564,6 +578,38 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+@@ -576,6 +590,38 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
if (!unpack_rlimits(e, profile))
goto fail;
if (unpack_nameX(e, AA_STRUCT, "policydb")) {
/* generic policy dfa - optional and may be NULL */
profile->policy.dfa = unpack_dfa(e);
---
-1.7.7.6
-
-From 888a3d71db1ffd3a19d9f621b07e60c4ab9e1c44 Mon Sep 17 00:00:00 2001
-From: John Johansen <john.johansen@canonical.com>
-Date: Wed, 16 May 2012 10:58:05 -0700
-Subject: [PATCH] UBUNTU: SAUCE: apparmor: Add the ability to mediate mount
-
-Add the ability for apparmor to do mediation of mount operations. Mount
-rules require an updated apparmor_parser (2.8 series) for policy compilation.
-
-The basic form of the rules are.
-
- [audit] [deny] mount [conds]* [device] [ -> [conds] path],
- [audit] [deny] remount [conds]* [path],
- [audit] [deny] umount [conds]* [path],
- [audit] [deny] pivotroot [oldroot=<value>] <path>
-
- remount is just a short cut for mount options=remount
-
- where [conds] can be
- fstype=<expr>
- options=<expr>
-
-Example mount commands
- mount, # allow all mounts, but not umount or pivotroot
- mount fstype=procfs, # allow mounting procfs anywhere
+commit 64c5e24470a219c79c2870c63f18f6bd55648b1b
+Author: John Johansen <john.johansen@canonical.com>
+Date: Fri Jun 29 17:34:00 2012 -0700
- mount options=(bind, ro) /foo -> /bar, # readonly bind mount
+ apparmor: Fix quieting of audit messages for network mediation
+
+ If a profile specified a quieting of network denials for a given rule by
+ either the quiet or deny rule qualifiers, the resultant quiet mask for
+ denied requests was applied incorrectly, resulting in two potential bugs.
+ 1. The misapplied quiet mask would prevent denials from being correctly
+ tested against the kill mask/mode. Thus network access requests that
+ should have resulted in the application being killed did not.
+
+ 2. The actual quieting of the denied network request was not being applied.
+ This would result in network rejections always being logged even when
+ they had been specifically marked as quieted.
+
+ Signed-off-by: John Johansen <john.johansen@canonical.com>
- mount /dev/sda -> /mnt,
-
- mount /dev/sd** -> /mnt/**,
-
- mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) -> /mnt/
-
- umount,
-
- umount /m*,
+diff --git a/security/apparmor/net.c b/security/apparmor/net.c
+index 003dd18..6e6e5c9 100644
+--- a/security/apparmor/net.c
++++ b/security/apparmor/net.c
+@@ -88,7 +88,7 @@ static int audit_net(struct aa_profile *profile, int op, u16 family, int type,
+ } else {
+ u16 quiet_mask = profile->net.quiet[sa.u.net->family];
+ u16 kill_mask = 0;
+- u16 denied = (1 << sa.aad->net.type) & ~quiet_mask;
++ u16 denied = (1 << sa.aad->net.type);
+
+ if (denied & kill_mask)
+ audit_type = AUDIT_APPARMOR_KILL;
-See the apparmor userspace for full documentation
+commit f7cef61751a2382fb4ea26c18736d7552ffdb24a
+Author: John Johansen <john.johansen@canonical.com>
+Date: Wed May 16 10:58:05 2012 -0700
-Signed-off-by: John Johansen <john.johansen@canonical.com>
-Acked-by: Kees Cook <kees@ubuntu.com>
----
- security/apparmor/Makefile | 2 +-
- security/apparmor/apparmorfs.c | 13 +
- security/apparmor/audit.c | 4 +
- security/apparmor/domain.c | 2 +-
- security/apparmor/include/apparmor.h | 3 +-
- security/apparmor/include/audit.h | 11 +
- security/apparmor/include/domain.h | 2 +
- security/apparmor/include/mount.h | 54 +++
- security/apparmor/lsm.c | 59 ++++
- security/apparmor/mount.c | 620 ++++++++++++++++++++++++++++++++++
- 10 files changed, 767 insertions(+), 3 deletions(-)
- create mode 100644 security/apparmor/include/mount.h
- create mode 100644 security/apparmor/mount.c
+ UBUNTU: SAUCE: apparmor: Add the ability to mediate mount
+
+ Add the ability for apparmor to do mediation of mount operations. Mount
+ rules require an updated apparmor_parser (2.8 series) for policy compilation.
+
+ The basic form of the rules are.
+
+ [audit] [deny] mount [conds]* [device] [ -> [conds] path],
+ [audit] [deny] remount [conds]* [path],
+ [audit] [deny] umount [conds]* [path],
+ [audit] [deny] pivotroot [oldroot=<value>] <path>
+
+ remount is just a short cut for mount options=remount
+
+ where [conds] can be
+ fstype=<expr>
+ options=<expr>
+
+ Example mount commands
+ mount, # allow all mounts, but not umount or pivotroot
+
+ mount fstype=procfs, # allow mounting procfs anywhere
+
+ mount options=(bind, ro) /foo -> /bar, # readonly bind mount
+
+ mount /dev/sda -> /mnt,
+
+ mount /dev/sd** -> /mnt/**,
+
+ mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) -> /mnt/
+
+ umount,
+
+ umount /m*,
+
+ See the apparmor userspace for full documentation
+
+ Signed-off-by: John Johansen <john.johansen@canonical.com>
+ Acked-by: Kees Cook <kees@ubuntu.com>
diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
-index 19daa85..63e0a4c 100644
+index 5dbb72f..89b3445 100644
--- a/security/apparmor/Makefile
+++ b/security/apparmor/Makefile
@@ -4,7 +4,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
- resource.o sid.o file.o net.o
+ resource.o sid.o file.o net.o mount.o
+ apparmor-$(CONFIG_SECURITY_APPARMOR_HASH) += crypto.o
clean-files := capability_names.h rlim_names.h net_names.h
-
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
-index 114fb23..ee77ec9 100644
+index 181d961..5fb67f6 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
-@@ -426,10 +426,23 @@ static struct aa_fs_entry aa_fs_entry_domain[] = {
- { }
- };
+@@ -800,7 +800,18 @@ static struct aa_fs_entry aa_fs_entry_domain[] = {
+ static struct aa_fs_entry aa_fs_entry_policy[] = {
+ AA_FS_FILE_BOOLEAN("set_load", 1),
+- {}
++ { }
++};
++
+static struct aa_fs_entry aa_fs_entry_mount[] = {
+ AA_FS_FILE_STRING("mask", "mount umount"),
+ { }
+ AA_FS_FILE_BOOLEAN("profile", 1),
+ AA_FS_FILE_BOOLEAN("pivot_root", 1),
+ { }
-+};
-+
+ };
+
static struct aa_fs_entry aa_fs_entry_features[] = {
+@@ -808,6 +819,8 @@ static struct aa_fs_entry aa_fs_entry_features[] = {
AA_FS_DIR("domain", aa_fs_entry_domain),
AA_FS_DIR("file", aa_fs_entry_file),
AA_FS_DIR("network", aa_fs_entry_network),
+ AA_FS_DIR("namespaces", aa_fs_entry_namespaces),
AA_FS_FILE_U64("capability", VFS_CAP_FLAGS_MASK),
AA_FS_DIR("rlimit", aa_fs_entry_rlimit),
- { }
+ AA_FS_DIR("caps", aa_fs_entry_caps),
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
-index 3ae28db..e267963 100644
+index 3a7f1da..c2a8b8a 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -44,6 +44,10 @@ const char *const op_table[] = {
"post_create",
"bind",
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
-index b81ea10..afa8671 100644
+index fc3036b..f2a83b4 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
-@@ -242,7 +242,7 @@ static const char *next_name(int xtype, const char *name)
+@@ -236,7 +236,7 @@ static const char *next_name(int xtype, const char *name)
*
* Returns: refcounted profile, or NULL on failure (MAYBE NULL)
*/
struct aa_profile *new_profile = NULL;
struct aa_namespace *ns = profile->ns;
diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
-index 40aedd9..e243d96 100644
+index e4ea626..ce6ff6a 100644
--- a/security/apparmor/include/apparmor.h
+++ b/security/apparmor/include/apparmor.h
-@@ -29,8 +29,9 @@
+@@ -30,8 +30,9 @@
#define AA_CLASS_NET 4
#define AA_CLASS_RLIMITS 5
#define AA_CLASS_DOMAIN 6
/* Control parameters settable through module/boot flags */
extern enum audit_mode aa_g_audit;
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
-index 17734f9..66a738c 100644
+index 5d3c419..b9f1d57 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
-@@ -73,6 +73,10 @@ enum aa_ops {
+@@ -72,6 +72,10 @@ enum aa_ops {
OP_FMMAP,
OP_FMPROT,
OP_CREATE,
OP_POST_CREATE,
OP_BIND,
-@@ -122,6 +126,13 @@ struct apparmor_audit_data {
+@@ -120,6 +124,13 @@ struct apparmor_audit_data {
unsigned long max;
} rlim;
struct {
void apparmor_bprm_committing_creds(struct linux_binprm *bprm);
diff --git a/security/apparmor/include/mount.h b/security/apparmor/include/mount.h
new file mode 100644
-index 0000000..bc17a53
+index 0000000..a43b1d6
--- /dev/null
+++ b/security/apparmor/include/mount.h
@@ -0,0 +1,54 @@
+
+#define AA_MS_IGNORE_MASK (MS_KERNMOUNT | MS_NOSEC | MS_ACTIVE | MS_BORN)
+
-+int aa_remount(struct aa_profile *profile, struct path *path,
++int aa_remount(struct aa_profile *profile, const struct path *path,
+ unsigned long flags, void *data);
+
-+int aa_bind_mount(struct aa_profile *profile, struct path *path,
++int aa_bind_mount(struct aa_profile *profile, const struct path *path,
+ const char *old_name, unsigned long flags);
+
+
-+int aa_mount_change_type(struct aa_profile *profile, struct path *path,
++int aa_mount_change_type(struct aa_profile *profile, const struct path *path,
+ unsigned long flags);
+
-+int aa_move_mount(struct aa_profile *profile, struct path *path,
++int aa_move_mount(struct aa_profile *profile, const struct path *path,
+ const char *old_name);
+
+int aa_new_mount(struct aa_profile *profile, const char *dev_name,
-+ struct path *path, const char *type, unsigned long flags,
++ const struct path *path, const char *type, unsigned long flags,
+ void *data);
+
+int aa_umount(struct aa_profile *profile, struct vfsmount *mnt, int flags);
+
-+int aa_pivotroot(struct aa_profile *profile, struct path *old_path,
-+ struct path *new_path);
++int aa_pivotroot(struct aa_profile *profile, const struct path *old_path,
++ const struct path *new_path);
+
+#endif /* __AA_MOUNT_H */
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
-index f628734..65ff9e4 100644
+index 88d3b0a..432cbd3 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -36,6 +36,7 @@
/* Flag indicating whether initialization completed */
int apparmor_initialized __initdata;
-@@ -504,6 +505,60 @@ static int apparmor_file_mprotect(struct vm_area_struct *vma,
+@@ -469,6 +470,61 @@ static int apparmor_file_mprotect(struct vm_area_struct *vma,
!(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
}
-+static int apparmor_sb_mount(char *dev_name, struct path *path, char *type,
-+ unsigned long flags, void *data)
++static int apparmor_sb_mount(const char *dev_name, const struct path *path,
++ const char *type, unsigned long flags, void *data)
+{
+ struct aa_profile *profile;
+ int error = 0;
+ return error;
+}
+
-+static int apparmor_sb_pivotroot(struct path *old_path, struct path *new_path)
++static int apparmor_sb_pivotroot(const struct path *old_path,
++ const struct path *new_path)
+{
+ struct aa_profile *profile;
+ int error = 0;
static int apparmor_getprocattr(struct task_struct *task, char *name,
char **value)
{
-@@ -721,6 +776,10 @@ static struct security_operations apparmor_ops = {
- .capget = apparmor_capget,
- .capable = apparmor_capable,
+@@ -689,6 +745,10 @@ static struct security_hook_list apparmor_hooks[] = {
+ LSM_HOOK_INIT(capget, apparmor_capget),
+ LSM_HOOK_INIT(capable, apparmor_capable),
-+ .sb_mount = apparmor_sb_mount,
-+ .sb_umount = apparmor_sb_umount,
-+ .sb_pivotroot = apparmor_sb_pivotroot,
-+
- .path_link = apparmor_path_link,
- .path_unlink = apparmor_path_unlink,
- .path_symlink = apparmor_path_symlink,
++ LSM_HOOK_INIT(sb_mount, apparmor_sb_mount),
++ LSM_HOOK_INIT(sb_umount, apparmor_sb_umount),
++ LSM_HOOK_INIT(sb_pivotroot, apparmor_sb_pivotroot),
++
+ LSM_HOOK_INIT(path_link, apparmor_path_link),
+ LSM_HOOK_INIT(path_unlink, apparmor_path_unlink),
+ LSM_HOOK_INIT(path_symlink, apparmor_path_symlink),
diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c
new file mode 100644
-index 0000000..478aa4d
+index 0000000..9cf9170
--- /dev/null
+++ b/security/apparmor/mount.c
@@ -0,0 +1,620 @@
+ return 0;
+}
+
-+static int path_flags(struct aa_profile *profile, struct path *path)
++static int path_flags(struct aa_profile *profile, const struct path *path)
+{
+ return profile->path_flags |
+ S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0;
+}
+
-+int aa_remount(struct aa_profile *profile, struct path *path,
++int aa_remount(struct aa_profile *profile, const struct path *path,
+ unsigned long flags, void *data)
+{
+ struct file_perms perms = { };
+ return error;
+}
+
-+int aa_bind_mount(struct aa_profile *profile, struct path *path,
++int aa_bind_mount(struct aa_profile *profile, const struct path *path,
+ const char *dev_name, unsigned long flags)
+{
+ struct file_perms perms = { };
+ return error;
+}
+
-+int aa_mount_change_type(struct aa_profile *profile, struct path *path,
++int aa_mount_change_type(struct aa_profile *profile, const struct path *path,
+ unsigned long flags)
+{
+ struct file_perms perms = { };
+ return error;
+}
+
-+int aa_move_mount(struct aa_profile *profile, struct path *path,
++int aa_move_mount(struct aa_profile *profile, const struct path *path,
+ const char *orig_name)
+{
+ struct file_perms perms = { };
+}
+
+int aa_new_mount(struct aa_profile *profile, const char *orig_dev_name,
-+ struct path *path, const char *type, unsigned long flags,
++ const struct path *path, const char *type, unsigned long flags,
+ void *data)
+{
+ struct file_perms perms = { };
+ return error;
+}
+
-+int aa_pivotroot(struct aa_profile *profile, struct path *old_path,
-+ struct path *new_path)
++int aa_pivotroot(struct aa_profile *profile, const struct path *old_path,
++ const struct path *new_path)
+{
+ struct file_perms perms = { };
+ struct aa_profile *target = NULL;
+
+ return error;
+}
---
-1.7.7.6
-
projects / packages / kernel.git / blobdiff