X-Git-Url: http://git.pld-linux.org/?a=blobdiff_plain;f=kernel-apparmor.patch;h=9c0b815a6b50e354f3a18976f57741e2e08f7d3e;hb=80e83e0b62613eeadcf347dfa5c406e0b3eb2094;hp=d6d4585978e335de979e3782ec35dc402415f46e;hpb=3f5e7cb8954c054a160a3ba50dd25a6ecc8c58df;p=packages%2Fkernel.git
diff --git a/kernel-apparmor.patch b/kernel-apparmor.patch
index d6d45859..9c0b815a 100644
--- a/kernel-apparmor.patch
+++ b/kernel-apparmor.patch
@@ -1,11 +1,12 @@
-From e37c855a09ba7a8fa69334e9e3c7f5b0f66de896 Mon Sep 17 00:00:00 2001
-From: John Johansen
-Date: Mon, 4 Oct 2010 15:03:36 -0700
-Subject: UBUNTU: SAUCE: AppArmor: basic networking rules
+commit 09aa4788d6052c6dc423d939319334ebb5d00847
+Author: John Johansen
+Date: Mon Oct 4 15:03:36 2010 -0700
-Base support for network mediation.
-
-Signed-off-by: John Johansen
+ UBUNTU: SAUCE: AppArmor: basic networking rules
+
+ Base support for network mediation.
+
+ Signed-off-by: John Johansen
 diff --git a/security/apparmor/.gitignore b/security/apparmor/.gitignore
 index 9cdec70..d5b291e 100644
@@ -92,10 +93,10 @@ index d693df8..5dbb72f 100644
 + $(call cmd,make-af)
 + $(call cmd,make-sock)
 diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
-index ad4fa49..6362c5a 100644
+index 729e595..181d961 100644
 --- a/security/apparmor/apparmorfs.c
 +++ b/security/apparmor/apparmorfs.c
-@@ -806,6 +806,7 @@ static struct aa_fs_entry aa_fs_entry_features[] = {
+@@ -807,6 +807,7 @@ static struct aa_fs_entry aa_fs_entry_features[] = {
 AA_FS_DIR("policy", aa_fs_entry_policy),
 AA_FS_DIR("domain", aa_fs_entry_domain),
 AA_FS_DIR("file", aa_fs_entry_file),
@@ -169,7 +170,7 @@ index 0000000..cb8a121
 +
 +#endif /* __AA_NET_H */
 diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
-index c28b0f2..b524d88 100644
+index 52275f0..4fc4dac 100644
 --- a/security/apparmor/include/policy.h
 +++ b/security/apparmor/include/policy.h
 @@ -27,6 +27,7 @@
@@ -197,7 +198,7 @@ index c28b0f2..b524d88 100644
 unsigned char *hash;
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
-index dec607c..47fd244 100644
+index 41b8cb1..d96b5f7 100644
 --- a/security/apparmor/lsm.c
 +++ b/security/apparmor/lsm.c
 @@ -32,6 +32,7 @@
@@ -208,7 +209,7 @@ index dec607c..47fd244 100644
 #include "include/path.h"
 #include "include/policy.h"
 #include "include/procattr.h"
-@@ -605,6 +606,104 @@ static int apparmor_task_setrlimit(struct task_struct *task,
+@@ -584,6 +585,104 @@ static int apparmor_task_setrlimit(struct task_struct *task,
 return error;
 }
@@ -313,7 +314,7 @@ index dec607c..47fd244 100644
 static struct security_hook_list apparmor_hooks[] = {
 LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
 LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
-@@ -634,6 +733,19 @@ static struct security_hook_list apparmor_hooks[] = {
+@@ -613,6 +712,19 @@ static struct security_hook_list apparmor_hooks[] = {
 LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
 LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
@@ -502,7 +503,7 @@ index 0000000..003dd18
 + return error;
 +}
 diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
-index 705c287..e2afe29 100644
+index 179e68d..f1a8541 100644
 --- a/security/apparmor/policy.c
 +++ b/security/apparmor/policy.c
 @@ -603,6 +603,7 @@ void aa_free_profile(struct aa_profile *profile)
@@ -514,7 +515,7 @@ index 705c287..e2afe29 100644
 kzfree(profile->dirname);
 diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
-index a689f10..1a35e6b 100644
+index 1381206..7dc15ff 100644
 --- a/security/apparmor/policy_unpack.c
 +++ b/security/apparmor/policy_unpack.c
 @@ -193,6 +193,19 @@ fail:
@@ -584,26 +585,25 @@ index a689f10..1a35e6b 100644 if (unpack_nameX(e, AA_STRUCT, "policydb")) { /* generic policy dfa - optional and may be NULL */ profile->policy.dfa = unpack_dfa(e); --- -cgit v0.10.2 - -From 6b77d90baf3807b70ca17309ad6c0bd39f3297e7 Mon Sep 17 00:00:00 2001 -From: John Johansen -Date: Fri, 29 Jun 2012 17:34:00 -0700 -Subject: apparmor: Fix quieting of audit messages for network mediation - -If a profile specified a quieting of network denials for a given rule by -either the quiet or deny rule qualifiers, the resultant quiet mask for -denied requests was applied incorrectly, resulting in two potential bugs. -1. The misapplied quiet mask would prevent denials from being correctly - tested against the kill mask/mode. Thus network access requests that - should have resulted in the application being killed did not. -2. The actual quieting of the denied network request was not being applied. - This would result in network rejections always being logged even when - they had been specifically marked as quieted. +commit f5c5644745201b5b7d398e841e5045d0a5d14b18 +Author: John Johansen +Date: Fri Jun 29 17:34:00 2012 -0700 -Signed-off-by: John Johansen + apparmor: Fix quieting of audit messages for network mediation + + If a profile specified a quieting of network denials for a given rule by + either the quiet or deny rule qualifiers, the resultant quiet mask for + denied requests was applied incorrectly, resulting in two potential bugs. + 1. The misapplied quiet mask would prevent denials from being correctly + tested against the kill mask/mode. Thus network access requests that + should have resulted in the application being killed did not. + + 2. The actual quieting of the denied network request was not being applied. + This would result in network rejections always being logged even when + they had been specifically marked as quieted. + + Signed-off-by: John Johansen 
diff --git a/security/apparmor/net.c b/security/apparmor/net.c
 index 003dd18..6e6e5c9 100644
@@ -618,51 +618,50 @@ index 003dd18..6e6e5c9 100644 if (denied & kill_mask) audit_type = AUDIT_APPARMOR_KILL; --- -cgit v0.10.2 - -From a71049ba973b214e88eae89f9cb0c4965d184ead Mon Sep 17 00:00:00 2001 -From: John Johansen -Date: Wed, 16 May 2012 10:58:05 -0700 -Subject: UBUNTU: SAUCE: apparmor: Add the ability to mediate mount - -Add the ability for apparmor to do mediation of mount operations. Mount -rules require an updated apparmor_parser (2.8 series) for policy compilation. - -The basic form of the rules are. - - [audit] [deny] mount [conds]* [device] [ -> [conds] path], - [audit] [deny] remount [conds]* [path], - [audit] [deny] umount [conds]* [path], - [audit] [deny] pivotroot [oldroot=] - - remount is just a short cut for mount options=remount - - where [conds] can be - fstype= - options= -Example mount commands - mount, # allow all mounts, but not umount or pivotroot +commit 0269f1631e1496798e5b0a319ff05b1133cfeaa3 +Author: John Johansen +Date: Wed May 16 10:58:05 2012 -0700 - mount fstype=procfs, # allow mounting procfs anywhere - - mount options=(bind, ro) /foo -> /bar, # readonly bind mount - - mount /dev/sda -> /mnt, - - mount /dev/sd** -> /mnt/**, - - mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) -> /mnt/ - - umount, - - umount /m*, - -See the apparmor userspace for full documentation - -Signed-off-by: John Johansen -Acked-by: Kees Cook + UBUNTU: SAUCE: apparmor: Add the ability to mediate mount + + Add the ability for apparmor to do mediation of mount operations. Mount + rules require an updated apparmor_parser (2.8 series) for policy compilation. + + The basic form of the rules are. 
+ + [audit] [deny] mount [conds]* [device] [ -> [conds] path], + [audit] [deny] remount [conds]* [path], + [audit] [deny] umount [conds]* [path], + [audit] [deny] pivotroot [oldroot=] + + remount is just a short cut for mount options=remount + + where [conds] can be + fstype= + options= + + Example mount commands + mount, # allow all mounts, but not umount or pivotroot + + mount fstype=procfs, # allow mounting procfs anywhere + + mount options=(bind, ro) /foo -> /bar, # readonly bind mount + + mount /dev/sda -> /mnt, + + mount /dev/sd** -> /mnt/**, + + mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) -> /mnt/ + + umount, + + umount /m*, + + See the apparmor userspace for full documentation + + Signed-off-by: John Johansen + Acked-by: Kees Cook diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile index 5dbb72f..89b3445 100644 @@ -678,10 +677,10 @@ index 5dbb72f..89b3445 100644 clean-files := capability_names.h rlim_names.h net_names.h diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c -index 6362c5a..4917747 100644 +index 181d961..5fb67f6 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c -@@ -799,7 +799,18 @@ static struct aa_fs_entry aa_fs_entry_domain[] = { +@@ -800,7 +800,18 @@ static struct aa_fs_entry aa_fs_entry_domain[] = { static struct aa_fs_entry aa_fs_entry_policy[] = { AA_FS_FILE_BOOLEAN("set_load", 1), @@ -701,7 +700,7 @@ index 6362c5a..4917747 100644 }; static struct aa_fs_entry aa_fs_entry_features[] = { -@@ -807,6 +818,8 @@ static struct aa_fs_entry aa_fs_entry_features[] = { +@@ -808,6 +819,8 @@ static struct aa_fs_entry aa_fs_entry_features[] = { AA_FS_DIR("domain", aa_fs_entry_domain), AA_FS_DIR("file", aa_fs_entry_file), AA_FS_DIR("network", aa_fs_entry_network), @@ -711,7 +710,7 @@ index 6362c5a..4917747 100644 AA_FS_DIR("rlimit", aa_fs_entry_rlimit), AA_FS_DIR("caps", aa_fs_entry_caps), 
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
-index 89c7865..7fdb5d7 100644
+index 3a7f1da..c2a8b8a 100644
 --- a/security/apparmor/audit.c
 +++ b/security/apparmor/audit.c
 @@ -44,6 +44,10 @@ const char *const op_table[] = {
@@ -726,7 +725,7 @@ index 89c7865..7fdb5d7 100644
 "post_create",
 "bind",
 diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
-index dc0027b..a2e3813 100644
+index fc3036b..f2a83b4 100644
 --- a/security/apparmor/domain.c
 +++ b/security/apparmor/domain.c
 @@ -236,7 +236,7 @@ static const char *next_name(int xtype, const char *name)
@@ -739,7 +738,7 @@ index dc0027b..a2e3813 100644
 struct aa_profile *new_profile = NULL;
 struct aa_namespace *ns = profile->ns;
 diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
-index e4ea626..ce6ff6a 100644
+index 5d721e9..b57da7b 100644
 --- a/security/apparmor/include/apparmor.h
 +++ b/security/apparmor/include/apparmor.h
 @@ -30,8 +30,9 @@
@@ -797,7 +796,7 @@ index de04464..a3f70c5 100644
 void apparmor_bprm_committing_creds(struct linux_binprm *bprm);
 diff --git a/security/apparmor/include/mount.h b/security/apparmor/include/mount.h
 new file mode 100644
-index 0000000..bc17a53
+index 0000000..a43b1d6
 --- /dev/null
 +++ b/security/apparmor/include/mount.h
 @@ -0,0 +1,54 @@
@@ -832,31 +831,31 @@ index 0000000..bc17a53
 +
 +#define AA_MS_IGNORE_MASK (MS_KERNMOUNT | MS_NOSEC | MS_ACTIVE | MS_BORN)
 +
-+int aa_remount(struct aa_profile *profile, struct path *path,
++int aa_remount(struct aa_profile *profile, const struct path *path,
 + unsigned long flags, void *data);
 +
-+int aa_bind_mount(struct aa_profile *profile, struct path *path,
++int aa_bind_mount(struct aa_profile *profile, const struct path *path,
 + const char *old_name, unsigned long flags);
 +
 +
-+int aa_mount_change_type(struct aa_profile *profile, struct path *path,
++int aa_mount_change_type(struct aa_profile *profile, const struct path *path,
 + unsigned long flags);
 +
-+int aa_move_mount(struct aa_profile *profile, struct path *path,
++int aa_move_mount(struct aa_profile *profile, const struct path *path,
 + const char *old_name);
 +
 +int aa_new_mount(struct aa_profile *profile, const char *dev_name,
-+ struct path *path, const char *type, unsigned long flags,
++ const struct path *path, const char *type, unsigned long flags,
 + void *data);
 +
 +int aa_umount(struct aa_profile *profile, struct vfsmount *mnt, int flags);
 +
-+int aa_pivotroot(struct aa_profile *profile, struct path *old_path,
-+ struct path *new_path);
++int aa_pivotroot(struct aa_profile *profile, const struct path *old_path,
++ const struct path *new_path);
 +
 +#endif /* __AA_MOUNT_H */
 diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
-index 47fd244..fb92441 100644
+index d96b5f7..7a02376 100644
 --- a/security/apparmor/lsm.c
 +++ b/security/apparmor/lsm.c
 @@ -36,6 +36,7 @@
@@ -867,12 +866,12 @@ index 47fd244..fb92441 100644
 /* Flag indicating whether initialization completed */
 int apparmor_initialized __initdata;
-@@ -492,6 +493,60 @@ static int apparmor_file_mprotect(struct vm_area_struct *vma,
+@@ -469,6 +470,61 @@ static int apparmor_file_mprotect(struct vm_area_struct *vma,
 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
 }
-+static int apparmor_sb_mount(const char *dev_name, struct path *path, const char *type,
-+ unsigned long flags, void *data)
++static int apparmor_sb_mount(const char *dev_name, const struct path *path,
++ const char *type, unsigned long flags, void *data)
 +{
 + struct aa_profile *profile;
 + int error = 0;
@@ -913,7 +912,8 @@ index 47fd244..fb92441 100644
 + return error;
 +}
 +
-+static int apparmor_sb_pivotroot(struct path *old_path, struct path *new_path)
++static int apparmor_sb_pivotroot(const struct path *old_path,
++ const struct path *new_path)
 +{
 + struct aa_profile *profile;
 + int error = 0;
@@ -928,7 +928,7 @@ index 47fd244..fb92441 100644
 static int apparmor_getprocattr(struct task_struct *task, char *name,
 char **value)
 {
-@@ -710,6 +765,10 @@ static struct security_hook_list apparmor_hooks[] = {
+@@ -689,6 +745,10 @@ static struct security_hook_list apparmor_hooks[] = {
 LSM_HOOK_INIT(capget, apparmor_capget),
 LSM_HOOK_INIT(capable, apparmor_capable),
@@ -941,7 +941,7 @@ index 47fd244..fb92441 100644
 LSM_HOOK_INIT(path_symlink, apparmor_path_symlink),
 diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c
 new file mode 100644
-index 0000000..478aa4d
+index 0000000..9cf9170
 --- /dev/null
 +++ b/security/apparmor/mount.c
 @@ -0,0 +1,620 @@
@@ -1277,13 +1277,13 @@ index 0000000..478aa4d
 + return 0;
 +}
 +
-+static int path_flags(struct aa_profile *profile, struct path *path)
++static int path_flags(struct aa_profile *profile, const struct path *path)
 +{
 + return profile->path_flags |
 + S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0;
 +}
 +
-+int aa_remount(struct aa_profile *profile, struct path *path,
++int aa_remount(struct aa_profile *profile, const struct path *path,
 + unsigned long flags, void *data)
 +{
 + struct file_perms perms = { };
@@ -1310,7 +1310,7 @@ index 0000000..478aa4d
 + return error;
 +}
 +
-+int aa_bind_mount(struct aa_profile *profile, struct path *path,
++int aa_bind_mount(struct aa_profile *profile, const struct path *path,
 + const char *dev_name, unsigned long flags)
 +{
 + struct file_perms perms = { };
@@ -1352,7 +1352,7 @@ index 0000000..478aa4d
 + return error;
 +}
 +
-+int aa_mount_change_type(struct aa_profile *profile, struct path *path,
++int aa_mount_change_type(struct aa_profile *profile, const struct path *path,
 + unsigned long flags)
 +{
 + struct file_perms perms = { };
@@ -1381,7 +1381,7 @@ index 0000000..478aa4d
 + return error;
 +}
 +
-+int aa_move_mount(struct aa_profile *profile, struct path *path,
++int aa_move_mount(struct aa_profile *profile, const struct path *path,
 + const char *orig_name)
 +{
 + struct file_perms perms = { };
@@ -1422,7 +1422,7 @@ index 0000000..478aa4d
 +}
 +
 +int aa_new_mount(struct aa_profile *profile, const char *orig_dev_name,
-+ struct path *path, const char *type, unsigned long flags,
++ const struct path *path, const char *type, unsigned long flags,
 + void *data)
 +{
 + struct file_perms perms = { };
@@ -1515,8 +1515,8 @@ index 0000000..478aa4d
 + return error;
 +}
 +
-+int aa_pivotroot(struct aa_profile *profile, struct path *old_path,
-+ struct path *new_path)
++int aa_pivotroot(struct aa_profile *profile, const struct path *old_path,
++ const struct path *new_path)
 +{
 + struct file_perms perms = { };
 + struct aa_profile *target = NULL;
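Review bot: In `path_flags` (first hunk on this line, security/apparmor/mount.c) the return statement kept as context — `return profile->path_flags | S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0;` — parses as `(profile->path_flags | S_ISDIR(...)) ? PATH_IS_DIR : 0` because `|` binds tighter than `?:`, so the profile's own path flags never reach the result and any profile with a non-zero path_flags reports PATH_IS_DIR for every path, directory or not. The const-qualification of `path` that this commit adds here and in the following hunks is fine; the body should instead read `return profile->path_flags | (S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0);`. The callers below (aa_remount, aa_bind_mount, aa_mount_change_type, aa_move_mount, aa_new_mount, aa_pivotroot) have their bodies elided between the hunks, so it is inferred rather than visible that the wrong flag value feeds their path matching; if it does, mount decisions can diverge from the policy as written, which is why this is worth fixing in the same series rather than leaving as is.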
@@ -1565,6 +1565,5 @@ index 0000000..478aa4d
 +
 + return error;
 +}
--- 
-cgit v0.10.2
-
+