From 0776672ee02c20aad1fc3255f8d47289c503a927 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Arkadiusz=20Mi=C5=9Bkiewicz?= Date: Fri, 29 Jul 2016 12:45:42 +0200 Subject: [PATCH] - builds; imq updated; apparmor updated; zph dropped (unmaintained for few years) --- kernel-apparmor.patch | 1261 +++++++++++++++++++++++++++++++++++++---- kernel-imq.patch | 543 +++++++++--------- kernel.spec | 9 +- 3 files changed, 1413 insertions(+), 400 deletions(-) diff --git a/kernel-apparmor.patch b/kernel-apparmor.patch index d6d45859..9d10f82f 100644 --- a/kernel-apparmor.patch +++ b/kernel-apparmor.patch @@ -1,11 +1,1064 @@ -From e37c855a09ba7a8fa69334e9e3c7f5b0f66de896 Mon Sep 17 00:00:00 2001 -From: John Johansen -Date: Mon, 4 Oct 2010 15:03:36 -0700 -Subject: UBUNTU: SAUCE: AppArmor: basic networking rules +commit 5ea33f587f5f7324c40c5986286d0f38307923bb +Author: John Johansen +Date: Mon Apr 11 16:55:10 2016 -0700 -Base support for network mediation. + apparmor: fix refcount bug in profile replacement + + Signed-off-by: John Johansen + Acked-by: Seth Arnold -Signed-off-by: John Johansen +diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c +index 705c287..222052f 100644 +--- a/security/apparmor/policy.c ++++ b/security/apparmor/policy.c +@@ -1189,12 +1189,12 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace) + aa_get_profile(newest); + aa_put_profile(parent); + rcu_assign_pointer(ent->new->parent, newest); +- } else +- aa_put_profile(newest); ++ } + /* aafs interface uses replacedby */ + rcu_assign_pointer(ent->new->replacedby->profile, + aa_get_profile(ent->new)); + __list_add_profile(&parent->base.profiles, ent->new); ++ aa_put_profile(newest); + } else { + /* aafs interface uses replacedby */ + rcu_assign_pointer(ent->new->replacedby->profile, + +commit f65b1c9b72442e6166332c04f332e4b4d4797887 +Author: John Johansen +Date: Mon Apr 11 16:57:19 2016 -0700 + + apparmor: fix replacement bug that adds new child to old parent + + When set atomic replacement is used and the parent is updated before the + child, and the child did not exist in the old parent so there is no + direct replacement then the new child is incorrectly added to the old + parent. This results in the new parent not having the child(ren) that + it should and the old parent when being destroyed asserting the + following error. + + AppArmor: policy_destroy: internal error, policy '' still + contains profiles + + Signed-off-by: John Johansen + Acked-by: Seth Arnold + +diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c +index 222052f..c92a9f6 100644 +--- a/security/apparmor/policy.c ++++ b/security/apparmor/policy.c +@@ -1193,7 +1193,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace) + /* aafs interface uses replacedby */ + rcu_assign_pointer(ent->new->replacedby->profile, + aa_get_profile(ent->new)); +- __list_add_profile(&parent->base.profiles, ent->new); ++ __list_add_profile(&newest->base.profiles, ent->new); + aa_put_profile(newest); + } else { + /* aafs interface uses replacedby */ + +commit b6669bef20c9d934bc6498e79fffa220f6226518 +Author: John Johansen +Date: Sun Jun 8 11:20:54 2014 -0700 + + apparmor: fix uninitialized lsm_audit member + + BugLink: http://bugs.launchpad.net/bugs/1268727 + + The task field in the lsm_audit struct needs to be initialized if + a change_hat fails, otherwise the following oops will occur + + BUG: unable to handle kernel paging request at 0000002fbead7d08 + IP: [] _raw_spin_lock+0xe/0x50 + PGD 1e3f35067 PUD 0 + Oops: 0002 [#1] SMP + Modules linked in: pppox crc_ccitt p8023 p8022 psnap llc ax25 btrfs raid6_pq xor xfs libcrc32c dm_multipath scsi_dh kvm_amd dcdbas kvm microcode amd64_edac_mod joydev edac_core psmouse edac_mce_amd serio_raw k10temp sp5100_tco i2c_piix4 ipmi_si ipmi_msghandler acpi_power_meter mac_hid lp parport hid_generic usbhid hid pata_acpi mpt2sas ahci raid_class pata_atiixp bnx2 libahci scsi_transport_sas [last unloaded: tipc] + CPU: 2 PID: 699 Comm: changehat_twice Tainted: GF O 3.13.0-7-generic #25-Ubuntu + Hardware name: Dell Inc. PowerEdge R415/08WNM9, BIOS 1.8.6 12/06/2011 + task: ffff8802135c6000 ti: ffff880212986000 task.ti: ffff880212986000 + RIP: 0010:[] [] _raw_spin_lock+0xe/0x50 + RSP: 0018:ffff880212987b68 EFLAGS: 00010006 + RAX: 0000000000020000 RBX: 0000002fbead7500 RCX: 0000000000000000 + RDX: 0000000000000292 RSI: ffff880212987ba8 RDI: 0000002fbead7d08 + RBP: ffff880212987b68 R08: 0000000000000246 R09: ffff880216e572a0 + R10: ffffffff815fd677 R11: ffffea0008469580 R12: ffffffff8130966f + R13: ffff880212987ba8 R14: 0000002fbead7d08 R15: ffff8800d8c6b830 + FS: 00002b5e6c84e7c0(0000) GS:ffff880216e40000(0000) knlGS:0000000055731700 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000002fbead7d08 CR3: 000000021270f000 CR4: 00000000000006e0 + Stack: + ffff880212987b98 ffffffff81075f17 ffffffff8130966f 0000000000000009 + 0000000000000000 0000000000000000 ffff880212987bd0 ffffffff81075f7c + 0000000000000292 ffff880212987c08 ffff8800d8c6b800 0000000000000026 + Call Trace: + [] __lock_task_sighand+0x47/0x80 + [] ? apparmor_cred_prepare+0x2f/0x50 + [] do_send_sig_info+0x2c/0x80 + [] send_sig_info+0x1e/0x30 + [] aa_audit+0x13d/0x190 + [] aa_audit_file+0xbc/0x130 + [] ? apparmor_cred_prepare+0x2f/0x50 + [] aa_change_hat+0x202/0x530 + [] aa_setprocattr_changehat+0x116/0x1d0 + [] apparmor_setprocattr+0x25d/0x300 + [] security_setprocattr+0x16/0x20 + [] proc_pid_attr_write+0x107/0x130 + [] vfs_write+0xb4/0x1f0 + [] SyS_write+0x49/0xa0 + [] tracesys+0xe1/0xe6 + + Signed-off-by: John Johansen + Acked-by: Seth Arnold + +diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c +index 89c7865..3a7f1da 100644 +--- a/security/apparmor/audit.c ++++ b/security/apparmor/audit.c +@@ -200,7 +200,8 @@ int aa_audit(int type, struct aa_profile *profile, gfp_t gfp, + + if (sa->aad->type == AUDIT_APPARMOR_KILL) + (void)send_sig_info(SIGKILL, NULL, +- sa->u.tsk ? sa->u.tsk : current); ++ sa->type == LSM_AUDIT_DATA_TASK && sa->u.tsk ? ++ sa->u.tsk : current); + + if (sa->aad->type == AUDIT_APPARMOR_ALLOWED) + return complain_error(sa->aad->error); +diff --git a/security/apparmor/file.c b/security/apparmor/file.c +index d186674..4d2af4b 100644 +--- a/security/apparmor/file.c ++++ b/security/apparmor/file.c +@@ -110,7 +110,8 @@ int aa_audit_file(struct aa_profile *profile, struct file_perms *perms, + int type = AUDIT_APPARMOR_AUTO; + struct common_audit_data sa; + struct apparmor_audit_data aad = {0,}; +- sa.type = LSM_AUDIT_DATA_NONE; ++ sa.type = LSM_AUDIT_DATA_TASK; ++ sa.u.tsk = NULL; + sa.aad = &aad; + aad.op = op, + aad.fs.request = request; + +commit aeab4cbfb86d0faeeb709e8201672e0662aa2c6f +Author: John Johansen +Date: Fri Jul 25 04:02:03 2014 -0700 + + apparmor: exec should not be returning ENOENT when it denies + + The current behavior is confusing as it causes exec failures to report + the executable is missing instead of identifying that apparmor + caused the failure. + + Signed-off-by: John Johansen + Acked-by: Seth Arnold + +diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c +index dc0027b..67a7418 100644 +--- a/security/apparmor/domain.c ++++ b/security/apparmor/domain.c +@@ -433,7 +433,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) + new_profile = aa_get_newest_profile(ns->unconfined); + info = "ux fallback"; + } else { +- error = -ENOENT; ++ error = -EACCES; + info = "profile not found"; + /* remove MAY_EXEC to audit as failure */ + perms.allow &= ~MAY_EXEC; + +commit 752e4263021d90cf23c262f2fd3ebfd6dbccd455 +Author: John Johansen +Date: Fri Jul 25 04:01:56 2014 -0700 + + apparmor: fix update the mtime of the profile file on replacement + + Signed-off-by: John Johansen + Acked-by: Seth Arnold + +diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c +index ad4fa49..45a6199 100644 +--- a/security/apparmor/apparmorfs.c ++++ b/security/apparmor/apparmorfs.c +@@ -379,6 +379,8 @@ void __aa_fs_profile_migrate_dents(struct aa_profile *old, + + for (i = 0; i < AAFS_PROF_SIZEOF; i++) { + new->dents[i] = old->dents[i]; ++ if (new->dents[i]) ++ new->dents[i]->d_inode->i_mtime = CURRENT_TIME; + old->dents[i] = NULL; + } + } + +commit 0c67233b18406dc7a8629faf8f9452feace6fb13 +Author: John Johansen +Date: Fri Jul 25 04:02:08 2014 -0700 + + apparmor: fix disconnected bind mnts reconnection + + Bind mounts can fail to be properly reconnected when PATH_CONNECT is + specified. Ensure that when PATH_CONNECT is specified the path has + a root. + + BugLink: http://bugs.launchpad.net/bugs/1319984 + + Signed-off-by: John Johansen + Acked-by: Seth Arnold + +diff --git a/security/apparmor/path.c b/security/apparmor/path.c +index edddc02..f261678 100644 +--- a/security/apparmor/path.c ++++ b/security/apparmor/path.c +@@ -141,7 +141,10 @@ static int d_namespace_path(const struct path *path, char *buf, int buflen, + error = -EACCES; + if (*res == '/') + *name = res + 1; +- } ++ } else if (*res != '/') ++ /* CONNECT_PATH with missing root */ ++ error = prepend(name, *name - buf, "/", 1); ++ + } + + out: + +commit 30c2b759b4f456e97e859ca550666c8abe84ff3c +Author: John Johansen +Date: Fri Jul 25 04:02:10 2014 -0700 + + apparmor: internal paths should be treated as disconnected + + Internal mounts are not mounted anywhere and as such should be treated + as disconnected paths. + + Signed-off-by: John Johansen + Acked-by: Seth Arnold + +diff --git a/security/apparmor/path.c b/security/apparmor/path.c +index f261678..a8fc7d0 100644 +--- a/security/apparmor/path.c ++++ b/security/apparmor/path.c +@@ -25,7 +25,6 @@ + #include "include/path.h" + #include "include/policy.h" + +- + /* modified from dcache.c */ + static int prepend(char **buffer, int buflen, const char *str, int namelen) + { +@@ -39,6 +38,38 @@ static int prepend(char **buffer, int buflen, const char *str, int namelen) + + #define CHROOT_NSCONNECT (PATH_CHROOT_REL | PATH_CHROOT_NSCONNECT) + ++/* If the path is not connected to the expected root, ++ * check if it is a sysctl and handle specially else remove any ++ * leading / that __d_path may have returned. ++ * Unless ++ * specifically directed to connect the path, ++ * OR ++ * if in a chroot and doing chroot relative paths and the path ++ * resolves to the namespace root (would be connected outside ++ * of chroot) and specifically directed to connect paths to ++ * namespace root. ++ */ ++static int disconnect(const struct path *path, char *buf, char **name, ++ int flags) ++{ ++ int error = 0; ++ ++ if (!(flags & PATH_CONNECT_PATH) && ++ !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) && ++ our_mnt(path->mnt))) { ++ /* disconnected path, don't return pathname starting ++ * with '/' ++ */ ++ error = -EACCES; ++ if (**name == '/') ++ *name = *name + 1; ++ } else if (**name != '/') ++ /* CONNECT_PATH with missing root */ ++ error = prepend(name, *name - buf, "/", 1); ++ ++ return error; ++} ++ + /** + * d_namespace_path - lookup a name associated with a given path + * @path: path to lookup (NOT NULL) +@@ -74,7 +105,8 @@ static int d_namespace_path(const struct path *path, char *buf, int buflen, + * control instead of hard coded /proc + */ + return prepend(name, *name - buf, "/proc", 5); +- } ++ } else ++ return disconnect(path, buf, name, flags); + return 0; + } + +@@ -120,32 +152,8 @@ static int d_namespace_path(const struct path *path, char *buf, int buflen, + goto out; + } + +- /* If the path is not connected to the expected root, +- * check if it is a sysctl and handle specially else remove any +- * leading / that __d_path may have returned. +- * Unless +- * specifically directed to connect the path, +- * OR +- * if in a chroot and doing chroot relative paths and the path +- * resolves to the namespace root (would be connected outside +- * of chroot) and specifically directed to connect paths to +- * namespace root. +- */ +- if (!connected) { +- if (!(flags & PATH_CONNECT_PATH) && +- !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) && +- our_mnt(path->mnt))) { +- /* disconnected path, don't return pathname starting +- * with '/' +- */ +- error = -EACCES; +- if (*res == '/') +- *name = res + 1; +- } else if (*res != '/') +- /* CONNECT_PATH with missing root */ +- error = prepend(name, *name - buf, "/", 1); +- +- } ++ if (!connected) ++ error = disconnect(path, buf, name, flags); + + out: + return error; + +commit 35f89b597a40c870f93a068bc92a7ef4f9b16a66 +Author: John Johansen +Date: Sat Apr 16 13:59:02 2016 -0700 + + apparmor: fix put() parent ref after updating the active ref + + Signed-off-by: John Johansen + Acked-by: Seth Arnold + +diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c +index c92a9f6..455c9f8 100644 +--- a/security/apparmor/policy.c ++++ b/security/apparmor/policy.c +@@ -1187,8 +1187,8 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace) + /* parent replaced in this atomic set? */ + if (newest != parent) { + aa_get_profile(newest); +- aa_put_profile(parent); + rcu_assign_pointer(ent->new->parent, newest); ++ aa_put_profile(parent); + } + /* aafs interface uses replacedby */ + rcu_assign_pointer(ent->new->replacedby->profile, + +commit 7b1ec6a04ca57fabe250f1102f2803dea7fbd03b +Author: John Johansen +Date: Sat Apr 16 14:16:50 2016 -0700 + + apparmor: fix log failures for all profiles in a set + + currently only the profile that is causing the failure is logged. This + makes it more confusing than necessary about which profiles loaded + and which didn't. So make sure to log success and failure messages for + all profiles in the set being loaded. + + Signed-off-by: John Johansen + Acked-by: Seth Arnold + +diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c +index 455c9f8..db31bc5 100644 +--- a/security/apparmor/policy.c ++++ b/security/apparmor/policy.c +@@ -1067,7 +1067,7 @@ static int __lookup_replace(struct aa_namespace *ns, const char *hname, + */ + ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace) + { +- const char *ns_name, *name = NULL, *info = NULL; ++ const char *ns_name, *info = NULL; + struct aa_namespace *ns = NULL; + struct aa_load_ent *ent, *tmp; + int op = OP_PROF_REPL; +@@ -1082,18 +1082,15 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace) + /* released below */ + ns = aa_prepare_namespace(ns_name); + if (!ns) { +- info = "failed to prepare namespace"; +- error = -ENOMEM; +- name = ns_name; +- goto fail; ++ error = audit_policy(op, GFP_KERNEL, ns_name, ++ "failed to prepare namespace", -ENOMEM); ++ goto free; + } + + mutex_lock(&ns->lock); + /* setup parent and ns info */ + list_for_each_entry(ent, &lh, list) { + struct aa_policy *policy; +- +- name = ent->new->base.hname; + error = __lookup_replace(ns, ent->new->base.hname, noreplace, + &ent->old, &info); + if (error) +@@ -1121,7 +1118,6 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace) + if (!p) { + error = -ENOENT; + info = "parent does not exist"; +- name = ent->new->base.hname; + goto fail_lock; + } + rcu_assign_pointer(ent->new->parent, aa_get_profile(p)); +@@ -1214,9 +1210,22 @@ out: + + fail_lock: + mutex_unlock(&ns->lock); +-fail: +- error = audit_policy(op, GFP_KERNEL, name, info, error); + ++ /* audit cause of failure */ ++ op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL; ++ audit_policy(op, GFP_KERNEL, ent->new->base.hname, info, error); ++ /* audit status that rest of profiles in the atomic set failed too */ ++ info = "valid profile in failed atomic policy load"; ++ list_for_each_entry(tmp, &lh, list) { ++ if (tmp == ent) { ++ info = "unchecked profile in failed atomic policy load"; ++ /* skip entry that caused failure */ ++ continue; ++ } ++ op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL; ++ audit_policy(op, GFP_KERNEL, tmp->new->base.hname, info, error); ++ } ++free: + list_for_each_entry_safe(ent, tmp, &lh, list) { + list_del_init(&ent->list); + aa_load_ent_free(ent); + +commit 4c475747a31b0637f0d47cb9bddaf2c6efb02854 +Author: John Johansen +Date: Sat Apr 16 14:19:38 2016 -0700 + + apparmor: fix audit full profile hname on successful load + + Currently logging of a successful profile load only logs the basename + of the profile. This can result in confusion when a child profile has + the same name as the another profile in the set. Logging the hname + will ensure there is no confusion. + + Signed-off-by: John Johansen + Acked-by: Seth Arnold + +diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c +index db31bc5..ca402d0 100644 +--- a/security/apparmor/policy.c ++++ b/security/apparmor/policy.c +@@ -1159,7 +1159,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace) + list_del_init(&ent->list); + op = (!ent->old && !ent->rename) ? OP_PROF_LOAD : OP_PROF_REPL; + +- audit_policy(op, GFP_ATOMIC, ent->new->base.name, NULL, error); ++ audit_policy(op, GFP_ATOMIC, ent->new->base.hname, NULL, error); + + if (ent->old) { + __replace_profile(ent->old, ent->new, 1); + +commit 430741dd766291d2e618b04e918ee6da844c230a +Author: John Johansen +Date: Wed Apr 20 14:18:18 2016 -0700 + + apparmor: ensure the target profile name is always audited + + The target profile name was not being correctly audited in a few + cases because the target variable was not being set and gotos + passed the code to set it at apply: + + Since it is always based on new_profile just drop the target var + and conditionally report based on new_profile. + + Signed-off-by: John Johansen + Acked-by: Seth Arnold + +diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c +index 67a7418..fc3036b 100644 +--- a/security/apparmor/domain.c ++++ b/security/apparmor/domain.c +@@ -346,7 +346,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) + file_inode(bprm->file)->i_uid, + file_inode(bprm->file)->i_mode + }; +- const char *name = NULL, *target = NULL, *info = NULL; ++ const char *name = NULL, *info = NULL; + int error = 0; + + if (bprm->cred_prepared) +@@ -399,6 +399,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) + if (cxt->onexec) { + struct file_perms cp; + info = "change_profile onexec"; ++ new_profile = aa_get_newest_profile(cxt->onexec); + if (!(perms.allow & AA_MAY_ONEXEC)) + goto audit; + +@@ -413,7 +414,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) + + if (!(cp.allow & AA_MAY_ONEXEC)) + goto audit; +- new_profile = aa_get_newest_profile(cxt->onexec); + goto apply; + } + +@@ -445,10 +445,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) + if (!new_profile) { + error = -ENOMEM; + info = "could not create null profile"; +- } else { ++ } else + error = -EACCES; +- target = new_profile->base.hname; +- } + perms.xindex |= AA_X_UNSAFE; + } else + /* fail exec */ +@@ -459,7 +457,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) + * fail the exec. + */ + if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) { +- aa_put_profile(new_profile); + error = -EPERM; + goto cleanup; + } +@@ -474,10 +471,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) + + if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { + error = may_change_ptraced_domain(new_profile); +- if (error) { +- aa_put_profile(new_profile); ++ if (error) + goto audit; +- } + } + + /* Determine if secure exec is needed. +@@ -498,7 +493,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) + bprm->unsafe |= AA_SECURE_X_NEEDED; + } + apply: +- target = new_profile->base.hname; + /* when transitioning profiles clear unsafe personality bits */ + bprm->per_clear |= PER_CLEAR_ON_SETID; + +@@ -506,15 +500,19 @@ x_clear: + aa_put_profile(cxt->profile); + /* transfer new profile reference will be released when cxt is freed */ + cxt->profile = new_profile; ++ new_profile = NULL; + + /* clear out all temporary/transitional state from the context */ + aa_clear_task_cxt_trans(cxt); + + audit: + error = aa_audit_file(profile, &perms, GFP_KERNEL, OP_EXEC, MAY_EXEC, +- name, target, cond.uid, info, error); ++ name, ++ new_profile ? new_profile->base.hname : NULL, ++ cond.uid, info, error); + + cleanup: ++ aa_put_profile(new_profile); + aa_put_profile(profile); + kfree(buffer); + + +commit 06763d057300b3d5bbe1894acfe236cf193bab78 +Author: John Johansen +Date: Thu Mar 17 12:02:54 2016 -0700 + + apparmor: check that xindex is in trans_table bounds + + Signed-off-by: John Johansen + Acked-by: Seth Arnold + +diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c +index a689f10..c841b12 100644 +--- a/security/apparmor/policy_unpack.c ++++ b/security/apparmor/policy_unpack.c +@@ -676,7 +676,7 @@ static bool verify_xindex(int xindex, int table_size) + int index, xtype; + xtype = xindex & AA_X_TYPE_MASK; + index = xindex & AA_X_INDEX_MASK; +- if (xtype == AA_X_TABLE && index > table_size) ++ if (xtype == AA_X_TABLE && index >= table_size) + return 0; + return 1; + } + +commit 9ad29b2e7820895339f90eb71b411d0134cf1ce9 +Author: John Johansen +Date: Wed Nov 18 11:41:05 2015 -0800 + + apparmor: fix ref count leak when profile sha1 hash is read + + Signed-off-by: John Johansen + Acked-by: Seth Arnold + +diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c +index 45a6199..0d8dd71 100644 +--- a/security/apparmor/apparmorfs.c ++++ b/security/apparmor/apparmorfs.c +@@ -331,6 +331,7 @@ static int aa_fs_seq_hash_show(struct seq_file *seq, void *v) + seq_printf(seq, "%.2x", profile->hash[i]); + seq_puts(seq, "\n"); + } ++ aa_put_profile(profile); + + return 0; + } + +commit e13f968d154ba9d6a2c4f82f33d3312a63430b54 +Author: John Johansen +Date: Wed Dec 16 18:09:10 2015 -0800 + + apparmor: fix refcount race when finding a child profile + + When finding a child profile via an rcu critical section, the profile + may be put and scheduled for deletion after the child is found but + before its refcount is incremented. + + Protect against this by repeating the lookup if the profiles refcount + is 0 and is one its way to deletion. + + Signed-off-by: John Johansen + Acked-by: Seth Arnold + +diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c +index ca402d0..7807125 100644 +--- a/security/apparmor/policy.c ++++ b/security/apparmor/policy.c +@@ -766,7 +766,9 @@ struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name) + struct aa_profile *profile; + + rcu_read_lock(); +- profile = aa_get_profile(__find_child(&parent->base.profiles, name)); ++ do { ++ profile = __find_child(&parent->base.profiles, name); ++ } while (profile && !aa_get_profile_not0(profile)); + rcu_read_unlock(); + + /* refcount released by caller */ + +commit 5833ccff1227fbc8f1bab64351f6747a6c71bdeb +Author: Geliang Tang +Date: Mon Nov 16 21:46:33 2015 +0800 + + apparmor: use list_next_entry instead of list_entry_next + + list_next_entry has been defined in list.h, so I replace list_entry_next + with it. + + Signed-off-by: Geliang Tang + Acked-by: Serge Hallyn + Signed-off-by: John Johansen + +diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c +index 0d8dd71..729e595 100644 +--- a/security/apparmor/apparmorfs.c ++++ b/security/apparmor/apparmorfs.c +@@ -553,8 +553,6 @@ fail2: + } + + +-#define list_entry_next(pos, member) \ +- list_entry(pos->member.next, typeof(*pos), member) + #define list_entry_is_head(pos, head, member) (&pos->member == (head)) + + /** +@@ -585,7 +583,7 @@ static struct aa_namespace *__next_namespace(struct aa_namespace *root, + parent = ns->parent; + while (ns != root) { + mutex_unlock(&ns->lock); +- next = list_entry_next(ns, base.list); ++ next = list_next_entry(ns, base.list); + if (!list_entry_is_head(next, &parent->sub_ns, base.list)) { + mutex_lock(&next->lock); + return next; +@@ -639,7 +637,7 @@ static struct aa_profile *__next_profile(struct aa_profile *p) + parent = rcu_dereference_protected(p->parent, + mutex_is_locked(&p->ns->lock)); + while (parent) { +- p = list_entry_next(p, base.list); ++ p = list_next_entry(p, base.list); + if (!list_entry_is_head(p, &parent->base.profiles, base.list)) + return p; + p = parent; +@@ -648,7 +646,7 @@ static struct aa_profile *__next_profile(struct aa_profile *p) + } + + /* is next another profile in the namespace */ +- p = list_entry_next(p, base.list); ++ p = list_next_entry(p, base.list); + if (!list_entry_is_head(p, &ns->base.profiles, base.list)) + return p; + + +commit 645801f1ddd183109c011e5ecee23ed3fdcae244 +Author: Jeff Mahoney +Date: Fri Nov 6 15:17:30 2015 -0500 + + apparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task + + While using AppArmor, SYS_CAP_RESOURCE is insufficient to call prlimit + on another task. The only other example of a AppArmor mediating access to + another, already running, task (ignoring fork+exec) is ptrace. + + The AppArmor model for ptrace is that one of the following must be true: + 1) The tracer is unconfined + 2) The tracer is in complain mode + 3) The tracer and tracee are confined by the same profile + 4) The tracer is confined but has SYS_CAP_PTRACE + + 1), 2, and 3) are already true for setrlimit. + + We can match the ptrace model just by allowing CAP_SYS_RESOURCE. + + We still test the values of the rlimit since it can always be overridden + using a value that means unlimited for a particular resource. + + Signed-off-by: Jeff Mahoney + Signed-off-by: John Johansen + +diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c +index 748bf0c..67a6072 100644 +--- a/security/apparmor/resource.c ++++ b/security/apparmor/resource.c +@@ -101,9 +101,11 @@ int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *task, + /* TODO: extend resource control to handle other (non current) + * profiles. AppArmor rules currently have the implicit assumption + * that the task is setting the resource of a task confined with +- * the same profile. ++ * the same profile or that the task setting the resource of another ++ * task has CAP_SYS_RESOURCE. + */ +- if (profile != task_profile || ++ if ((profile != task_profile && ++ aa_capable(profile, CAP_SYS_RESOURCE, 1)) || + (profile->rlimits.mask & (1 << resource) && + new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max)) + error = -EACCES; + +commit 2be4aed1f3332d87273eb593944332054f3cffac +Author: John Johansen +Date: Thu Jun 2 02:37:02 2016 -0700 + + apparmor: add missing id bounds check on dfa verification + + Signed-off-by: John Johansen + +diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h +index 001c43a..a1c04fe 100644 +--- a/security/apparmor/include/match.h ++++ b/security/apparmor/include/match.h +@@ -62,6 +62,7 @@ struct table_set_header { + #define YYTD_ID_ACCEPT2 6 + #define YYTD_ID_NXT 7 + #define YYTD_ID_TSIZE 8 ++#define YYTD_ID_MAX 8 + + #define YYTD_DATA8 1 + #define YYTD_DATA16 2 +diff --git a/security/apparmor/match.c b/security/apparmor/match.c +index 727eb42..f9f57c6 100644 +--- a/security/apparmor/match.c ++++ b/security/apparmor/match.c +@@ -47,6 +47,8 @@ static struct table_header *unpack_table(char *blob, size_t bsize) + * it every time we use td_id as an index + */ + th.td_id = be16_to_cpu(*(u16 *) (blob)) - 1; ++ if (th.td_id > YYTD_ID_MAX) ++ goto out; + th.td_flags = be16_to_cpu(*(u16 *) (blob + 2)); + th.td_lolen = be32_to_cpu(*(u32 *) (blob + 8)); + blob += sizeof(struct table_header); + +commit c7f87d3c3363b1a0c4724e627e5c8e640a883c89 +Author: John Johansen +Date: Wed Jun 15 09:57:55 2016 +0300 + + apparmor: don't check for vmalloc_addr if kvzalloc() failed + + Signed-off-by: John Johansen + +diff --git a/security/apparmor/match.c b/security/apparmor/match.c +index f9f57c6..32b72eb 100644 +--- a/security/apparmor/match.c ++++ b/security/apparmor/match.c +@@ -75,14 +75,14 @@ static struct table_header *unpack_table(char *blob, size_t bsize) + u32, be32_to_cpu); + else + goto fail; ++ /* if table was vmalloced make sure the page tables are synced ++ * before it is used, as it goes live to all cpus. ++ */ ++ if (is_vmalloc_addr(table)) ++ vm_unmap_aliases(); + } + + out: +- /* if table was vmalloced make sure the page tables are synced +- * before it is used, as it goes live to all cpus. +- */ +- if (is_vmalloc_addr(table)) +- vm_unmap_aliases(); + return table; + fail: + kvfree(table); + +commit 0f7e61013dd1e67ebb54d58eee11ab009ceb5ef3 +Author: John Johansen +Date: Wed Jun 15 10:00:55 2016 +0300 + + apparmor: fix oops in profile_unpack() when policy_db is not present + + BugLink: http://bugs.launchpad.net/bugs/1592547 + + If unpack_dfa() returns NULL due to the dfa not being present, + profile_unpack() is not checking if the dfa is not present (NULL). + + Signed-off-by: John Johansen + +diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c +index c841b12..dac2121 100644 +--- a/security/apparmor/policy_unpack.c ++++ b/security/apparmor/policy_unpack.c +@@ -583,6 +583,9 @@ static struct aa_profile *unpack_profile(struct aa_ext *e) + error = PTR_ERR(profile->policy.dfa); + profile->policy.dfa = NULL; + goto fail; ++ } else if (!profile->policy.dfa) { ++ error = -EPROTO; ++ goto fail; + } + if (!unpack_u32(e, &profile->policy.start[0], "start")) + /* default start state */ + +commit de4ca46ec035283928e8fa40797897cefcf6ec3e +Author: John Johansen +Date: Wed Jun 22 18:01:08 2016 -0700 + + apparmor: fix module parameters can be changed after policy is locked + + the policy_lock parameter is a one way switch that prevents policy + from being further modified. Unfortunately some of the module parameters + can effectively modify policy by turning off enforcement. + + split policy_admin_capable into a view check and a full admin check, + and update the admin check to test the policy_lock parameter. + + Signed-off-by: John Johansen + +diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h +index c28b0f2..52275f0 100644 +--- a/security/apparmor/include/policy.h ++++ b/security/apparmor/include/policy.h +@@ -403,6 +403,8 @@ static inline int AUDIT_MODE(struct aa_profile *profile) + return profile->audit; + } + ++bool policy_view_capable(void); ++bool policy_admin_capable(void); + bool aa_may_manage_policy(int op); + + #endif /* __AA_POLICY_H */ +diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c +index 7798e16..e83eefb 100644 +--- a/security/apparmor/lsm.c ++++ b/security/apparmor/lsm.c +@@ -728,51 +728,49 @@ __setup("apparmor=", apparmor_enabled_setup); + /* set global flag turning off the ability to load policy */ + static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp) + { +- if (!capable(CAP_MAC_ADMIN)) ++ if (!policy_admin_capable()) + return -EPERM; +- if (aa_g_lock_policy) +- return -EACCES; + return param_set_bool(val, kp); + } + + static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp) + { +- if (!capable(CAP_MAC_ADMIN)) ++ if (!policy_view_capable()) + return -EPERM; + return param_get_bool(buffer, kp); + } + + static int param_set_aabool(const char *val, const struct kernel_param *kp) + { +- if (!capable(CAP_MAC_ADMIN)) ++ if (!policy_admin_capable()) + return -EPERM; + return param_set_bool(val, kp); + } + + static int param_get_aabool(char *buffer, const struct kernel_param *kp) + { +- if (!capable(CAP_MAC_ADMIN)) ++ if (!policy_view_capable()) + return -EPERM; + return param_get_bool(buffer, kp); + } + + static int param_set_aauint(const char *val, const struct kernel_param *kp) + { +- if (!capable(CAP_MAC_ADMIN)) ++ if (!policy_admin_capable()) + return -EPERM; + return param_set_uint(val, kp); + } + + static int param_get_aauint(char *buffer, const struct kernel_param *kp) + { +- if (!capable(CAP_MAC_ADMIN)) ++ if (!policy_view_capable()) + return -EPERM; + return param_get_uint(buffer, kp); + } + + static int param_get_audit(char *buffer, struct kernel_param *kp) + { +- if (!capable(CAP_MAC_ADMIN)) ++ if (!policy_view_capable()) + return -EPERM; + + if (!apparmor_enabled) +@@ -784,7 +782,7 @@ static int param_get_audit(char *buffer, struct kernel_param *kp) + static int param_set_audit(const char *val, struct kernel_param *kp) + { + int i; +- if (!capable(CAP_MAC_ADMIN)) ++ if (!policy_admin_capable()) + return -EPERM; + + if (!apparmor_enabled) +@@ -805,7 +803,7 @@ static int param_set_audit(const char *val, struct kernel_param *kp) + + static int param_get_mode(char *buffer, struct kernel_param *kp) + { +- if (!capable(CAP_MAC_ADMIN)) ++ if (!policy_admin_capable()) + return -EPERM; + + if (!apparmor_enabled) +@@ -817,7 +815,7 @@ static int param_get_mode(char *buffer, struct kernel_param *kp) + static int param_set_mode(const char *val, struct kernel_param *kp) + { + int i; +- if (!capable(CAP_MAC_ADMIN)) ++ if (!policy_admin_capable()) + return -EPERM; + + if (!apparmor_enabled) +diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c +index 7807125..179e68d 100644 +--- a/security/apparmor/policy.c ++++ b/security/apparmor/policy.c +@@ -918,6 +918,22 @@ static int audit_policy(int op, gfp_t gfp, const char *name, const char *info, + &sa, NULL); + } + ++bool policy_view_capable(void) ++{ ++ struct user_namespace *user_ns = current_user_ns(); ++ bool response = false; ++ ++ if (ns_capable(user_ns, CAP_MAC_ADMIN)) ++ response = true; ++ ++ return response; ++} ++ ++bool policy_admin_capable(void) ++{ ++ return policy_view_capable() && !aa_g_lock_policy; ++} ++ + /** + * aa_may_manage_policy - can the current task manage policy + * @op: the policy manipulation operation being done +@@ -932,7 +948,7 @@ bool aa_may_manage_policy(int op) + return 0; + } + +- if (!capable(CAP_MAC_ADMIN)) { ++ if (!policy_admin_capable()) { + audit_policy(op, GFP_KERNEL, NULL, "not policy admin", -EACCES); + return 0; + } + +commit 46c339f46b83e4cf8098f599cd182e65e9d054fc +Author: Heinrich Schuchardt +Date: Fri Jun 10 23:34:26 2016 +0200 + + apparmor: do not expose kernel stack + + Do not copy uninitalized fields th.td_hilen, th.td_data. + + Signed-off-by: Heinrich Schuchardt + Signed-off-by: John Johansen + +diff --git a/security/apparmor/match.c b/security/apparmor/match.c +index 32b72eb..3f900fc 100644 +--- a/security/apparmor/match.c ++++ b/security/apparmor/match.c +@@ -63,7 +63,9 @@ static struct table_header *unpack_table(char *blob, size_t bsize) + + table = kvzalloc(tsize); + if (table) { +- *table = th; ++ table->td_id = th.td_id; ++ table->td_flags = th.td_flags; ++ table->td_lolen = th.td_lolen; + if (th.td_flags == YYTD_DATA8) + UNPACK_ARRAY(table->td_data, blob, th.td_lolen, + u8, byte_to_byte); + +commit 7e65e8142b2ea4891581173d6e92fc337b02ff8b +Author: John Johansen +Date: Sat Jul 9 23:46:33 2016 -0700 + + apparmor: fix arg_size computation for when setprocattr is null terminated + + Signed-off-by: John Johansen + +diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c +index e83eefb..ba8207b 100644 +--- a/security/apparmor/lsm.c ++++ b/security/apparmor/lsm.c +@@ -529,7 +529,7 @@ static int apparmor_setprocattr(struct task_struct *task, char *name, + if (!*args) + goto out; + +- arg_size = size - (args - (char *) value); ++ arg_size = size - (args - (largs ? largs : (char *) value)); + if (strcmp(name, "current") == 0) { + if (strcmp(command, "changehat") == 0) { + error = aa_setprocattr_changehat(args, arg_size, + +commit b661b13237991be6b5cdf0849f137c5ec58217bf +Author: John Johansen +Date: Mon Oct 4 15:03:36 2010 -0700 + + UBUNTU: SAUCE: AppArmor: basic networking rules + + Base support for network mediation. + + Signed-off-by: John Johansen diff --git a/security/apparmor/.gitignore b/security/apparmor/.gitignore index 9cdec70..d5b291e 100644 @@ -92,10 +1145,10 @@ index d693df8..5dbb72f 100644 + $(call cmd,make-af) + $(call cmd,make-sock) diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c -index ad4fa49..6362c5a 100644 +index 729e595..181d961 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c -@@ -806,6 +806,7 @@ static struct aa_fs_entry aa_fs_entry_features[] = { +@@ -807,6 +807,7 @@ static struct aa_fs_entry aa_fs_entry_features[] = { AA_FS_DIR("policy", aa_fs_entry_policy), AA_FS_DIR("domain", aa_fs_entry_domain), AA_FS_DIR("file", aa_fs_entry_file), @@ -169,7 +1222,7 @@ index 0000000..cb8a121 + +#endif /* __AA_NET_H */ diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h -index c28b0f2..b524d88 100644 +index 52275f0..4fc4dac 100644 --- a/security/apparmor/include/policy.h +++ b/security/apparmor/include/policy.h @@ -27,6 +27,7 @@ @@ -197,7 +1250,7 @@ index c28b0f2..b524d88 100644 unsigned char *hash; diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c -index dec607c..47fd244 100644 +index ba8207b..88d3b0a 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -32,6 +32,7 @@ @@ -208,7 +1261,7 @@ index dec607c..47fd244 100644 #include "include/path.h" #include "include/policy.h" #include "include/procattr.h" -@@ -605,6 +606,104 @@ static int apparmor_task_setrlimit(struct task_struct *task, +@@ -584,6 +585,104 @@ static int apparmor_task_setrlimit(struct task_struct *task, return error; } @@ -313,7 +1366,7 @@ index dec607c..47fd244 100644 static struct security_hook_list apparmor_hooks[] = { LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme), -@@ -634,6 +733,19 @@ static struct security_hook_list apparmor_hooks[] = { +@@ -613,6 +712,19 @@ static struct security_hook_list apparmor_hooks[] = { LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), @@ -502,7 +1555,7 @@ index 0000000..003dd18 + return error; +} diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c -index 705c287..e2afe29 100644 +index 179e68d..f1a8541 100644 --- a/security/apparmor/policy.c +++ b/security/apparmor/policy.c @@ -603,6 +603,7 @@ void aa_free_profile(struct aa_profile *profile) @@ -514,7 +1567,7 @@ index 705c287..e2afe29 100644 kzfree(profile->dirname); diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c -index a689f10..1a35e6b 100644 +index dac2121..0107bc4 100644 --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c @@ -193,6 +193,19 @@ fail: @@ -584,26 +1637,25 @@ index a689f10..1a35e6b 100644 if (unpack_nameX(e, AA_STRUCT, "policydb")) { /* generic policy dfa - optional and may be NULL */ profile->policy.dfa = unpack_dfa(e); --- -cgit v0.10.2 - -From 6b77d90baf3807b70ca17309ad6c0bd39f3297e7 Mon Sep 17 00:00:00 2001 -From: John Johansen -Date: Fri, 29 Jun 2012 17:34:00 -0700 -Subject: apparmor: Fix quieting of audit messages for network mediation - -If a profile specified a quieting of network denials for a given rule by -either the quiet or deny rule qualifiers, the resultant quiet mask for -denied requests was applied incorrectly, resulting in two potential bugs. -1. The misapplied quiet mask would prevent denials from being correctly - tested against the kill mask/mode. Thus network access requests that - should have resulted in the application being killed did not. -2. The actual quieting of the denied network request was not being applied. - This would result in network rejections always being logged even when - they had been specifically marked as quieted. +commit 64c5e24470a219c79c2870c63f18f6bd55648b1b +Author: John Johansen +Date: Fri Jun 29 17:34:00 2012 -0700 -Signed-off-by: John Johansen + apparmor: Fix quieting of audit messages for network mediation + + If a profile specified a quieting of network denials for a given rule by + either the quiet or deny rule qualifiers, the resultant quiet mask for + denied requests was applied incorrectly, resulting in two potential bugs. + 1. The misapplied quiet mask would prevent denials from being correctly + tested against the kill mask/mode. Thus network access requests that + should have resulted in the application being killed did not. + + 2. The actual quieting of the denied network request was not being applied. + This would result in network rejections always being logged even when + they had been specifically marked as quieted. + + Signed-off-by: John Johansen diff --git a/security/apparmor/net.c b/security/apparmor/net.c index 003dd18..6e6e5c9 100644 @@ -618,51 +1670,50 @@ index 003dd18..6e6e5c9 100644 if (denied & kill_mask) audit_type = AUDIT_APPARMOR_KILL; --- -cgit v0.10.2 -From a71049ba973b214e88eae89f9cb0c4965d184ead Mon Sep 17 00:00:00 2001 -From: John Johansen -Date: Wed, 16 May 2012 10:58:05 -0700 -Subject: UBUNTU: SAUCE: apparmor: Add the ability to mediate mount +commit f7cef61751a2382fb4ea26c18736d7552ffdb24a +Author: John Johansen +Date: Wed May 16 10:58:05 2012 -0700 -Add the ability for apparmor to do mediation of mount operations. Mount -rules require an updated apparmor_parser (2.8 series) for policy compilation. - -The basic form of the rules are. - - [audit] [deny] mount [conds]* [device] [ -> [conds] path], - [audit] [deny] remount [conds]* [path], - [audit] [deny] umount [conds]* [path], - [audit] [deny] pivotroot [oldroot=] - - remount is just a short cut for mount options=remount - - where [conds] can be - fstype= - options= - -Example mount commands - mount, # allow all mounts, but not umount or pivotroot - - mount fstype=procfs, # allow mounting procfs anywhere - - mount options=(bind, ro) /foo -> /bar, # readonly bind mount - - mount /dev/sda -> /mnt, - - mount /dev/sd** -> /mnt/**, - - mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) -> /mnt/ - - umount, - - umount /m*, - -See the apparmor userspace for full documentation - -Signed-off-by: John Johansen -Acked-by: Kees Cook + UBUNTU: SAUCE: apparmor: Add the ability to mediate mount + + Add the ability for apparmor to do mediation of mount operations. Mount + rules require an updated apparmor_parser (2.8 series) for policy compilation. + + The basic form of the rules are. + + [audit] [deny] mount [conds]* [device] [ -> [conds] path], + [audit] [deny] remount [conds]* [path], + [audit] [deny] umount [conds]* [path], + [audit] [deny] pivotroot [oldroot=] + + remount is just a short cut for mount options=remount + + where [conds] can be + fstype= + options= + + Example mount commands + mount, # allow all mounts, but not umount or pivotroot + + mount fstype=procfs, # allow mounting procfs anywhere + + mount options=(bind, ro) /foo -> /bar, # readonly bind mount + + mount /dev/sda -> /mnt, + + mount /dev/sd** -> /mnt/**, + + mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) -> /mnt/ + + umount, + + umount /m*, + + See the apparmor userspace for full documentation + + Signed-off-by: John Johansen + Acked-by: Kees Cook diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile index 5dbb72f..89b3445 100644 @@ -678,10 +1729,10 @@ index 5dbb72f..89b3445 100644 clean-files := capability_names.h rlim_names.h net_names.h diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c -index 6362c5a..4917747 100644 +index 181d961..5fb67f6 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c -@@ -799,7 +799,18 @@ static struct aa_fs_entry aa_fs_entry_domain[] = { +@@ -800,7 +800,18 @@ static struct aa_fs_entry aa_fs_entry_domain[] = { static struct aa_fs_entry aa_fs_entry_policy[] = { AA_FS_FILE_BOOLEAN("set_load", 1), @@ -701,7 +1752,7 @@ index 6362c5a..4917747 100644 }; static struct aa_fs_entry aa_fs_entry_features[] = { -@@ -807,6 +818,8 @@ static struct aa_fs_entry aa_fs_entry_features[] = { +@@ -808,6 +819,8 @@ static struct aa_fs_entry aa_fs_entry_features[] = { AA_FS_DIR("domain", aa_fs_entry_domain), AA_FS_DIR("file", aa_fs_entry_file), AA_FS_DIR("network", aa_fs_entry_network), @@ -711,7 +1762,7 @@ index 6362c5a..4917747 100644 AA_FS_DIR("rlimit", aa_fs_entry_rlimit), AA_FS_DIR("caps", aa_fs_entry_caps), diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c -index 89c7865..7fdb5d7 100644 +index 3a7f1da..c2a8b8a 100644 --- a/security/apparmor/audit.c +++ b/security/apparmor/audit.c @@ -44,6 +44,10 @@ const char *const op_table[] = { @@ -726,7 +1777,7 @@ index 89c7865..7fdb5d7 100644 "post_create", "bind", diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c -index dc0027b..a2e3813 100644 +index fc3036b..f2a83b4 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -236,7 +236,7 @@ static const char *next_name(int xtype, const char *name) @@ -797,7 +1848,7 @@ index de04464..a3f70c5 100644 void apparmor_bprm_committing_creds(struct linux_binprm *bprm); diff --git a/security/apparmor/include/mount.h b/security/apparmor/include/mount.h new file mode 100644 -index 0000000..bc17a53 +index 0000000..a43b1d6 --- /dev/null +++ b/security/apparmor/include/mount.h @@ -0,0 +1,54 @@ @@ -832,31 +1883,31 @@ index 0000000..bc17a53 + +#define AA_MS_IGNORE_MASK (MS_KERNMOUNT | MS_NOSEC | MS_ACTIVE | MS_BORN) + -+int aa_remount(struct aa_profile *profile, struct path *path, ++int aa_remount(struct aa_profile *profile, const struct path *path, + unsigned long flags, void *data); + -+int aa_bind_mount(struct aa_profile *profile, struct path *path, ++int aa_bind_mount(struct aa_profile *profile, const struct path *path, + const char *old_name, unsigned long flags); + + -+int aa_mount_change_type(struct aa_profile *profile, struct path *path, ++int aa_mount_change_type(struct aa_profile *profile, const struct path *path, + unsigned long flags); + -+int aa_move_mount(struct aa_profile *profile, struct path *path, ++int aa_move_mount(struct aa_profile *profile, const struct path *path, + const char *old_name); + +int aa_new_mount(struct aa_profile *profile, const char *dev_name, -+ struct path *path, const char *type, unsigned long flags, ++ const struct path *path, const char *type, unsigned long flags, + void *data); + +int aa_umount(struct aa_profile *profile, struct vfsmount *mnt, int flags); + -+int aa_pivotroot(struct aa_profile *profile, struct path *old_path, -+ struct path *new_path); ++int aa_pivotroot(struct aa_profile *profile, const struct path *old_path, ++ const struct path *new_path); + +#endif /* __AA_MOUNT_H */ diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c -index 47fd244..fb92441 100644 +index 88d3b0a..432cbd3 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -36,6 +36,7 @@ @@ -867,12 +1918,12 @@ index 47fd244..fb92441 100644 /* Flag indicating whether initialization completed */ int apparmor_initialized __initdata; -@@ -492,6 +493,60 @@ static int apparmor_file_mprotect(struct vm_area_struct *vma, +@@ -469,6 +470,61 @@ static int apparmor_file_mprotect(struct vm_area_struct *vma, !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0); } -+static int apparmor_sb_mount(const char *dev_name, struct path *path, const char *type, -+ unsigned long flags, void *data) ++static int apparmor_sb_mount(const char *dev_name, const struct path *path, ++ const char *type, unsigned long flags, void *data) +{ + struct aa_profile *profile; + int error = 0; @@ -913,7 +1964,8 @@ index 47fd244..fb92441 100644 + return error; +} + -+static int apparmor_sb_pivotroot(struct path *old_path, struct path *new_path) ++static int apparmor_sb_pivotroot(const struct path *old_path, ++ const struct path *new_path) +{ + struct aa_profile *profile; + int error = 0; @@ -928,7 +1980,7 @@ index 47fd244..fb92441 100644 static int apparmor_getprocattr(struct task_struct *task, char *name, char **value) { -@@ -710,6 +765,10 @@ static struct security_hook_list apparmor_hooks[] = { +@@ -689,6 +745,10 @@ static struct security_hook_list apparmor_hooks[] = { LSM_HOOK_INIT(capget, apparmor_capget), LSM_HOOK_INIT(capable, apparmor_capable), @@ -941,7 +1993,7 @@ index 47fd244..fb92441 100644 LSM_HOOK_INIT(path_symlink, apparmor_path_symlink), diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c new file mode 100644 -index 0000000..478aa4d +index 0000000..9cf9170 --- /dev/null +++ b/security/apparmor/mount.c @@ -0,0 +1,620 @@ @@ -1277,13 +2329,13 @@ index 0000000..478aa4d + return 0; +} + -+static int path_flags(struct aa_profile *profile, struct path *path) ++static int path_flags(struct aa_profile *profile, const struct path *path) +{ + return profile->path_flags | + S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0; +} + -+int aa_remount(struct aa_profile *profile, struct path *path, ++int aa_remount(struct aa_profile *profile, const struct path *path, + unsigned long flags, void *data) +{ + struct file_perms perms = { }; @@ -1310,7 +2362,7 @@ index 0000000..478aa4d + return error; +} + -+int aa_bind_mount(struct aa_profile *profile, struct path *path, ++int aa_bind_mount(struct aa_profile *profile, const struct path *path, + const char *dev_name, unsigned long flags) +{ + struct file_perms perms = { }; @@ -1352,7 +2404,7 @@ index 0000000..478aa4d + return error; +} + -+int aa_mount_change_type(struct aa_profile *profile, struct path *path, ++int aa_mount_change_type(struct aa_profile *profile, const struct path *path, + unsigned long flags) +{ + struct file_perms perms = { }; @@ -1381,7 +2433,7 @@ index 0000000..478aa4d + return error; +} + -+int aa_move_mount(struct aa_profile *profile, struct path *path, ++int aa_move_mount(struct aa_profile *profile, const struct path *path, + const char *orig_name) +{ + struct file_perms perms = { }; @@ -1422,7 +2474,7 @@ index 0000000..478aa4d +} + +int aa_new_mount(struct aa_profile *profile, const char *orig_dev_name, -+ struct path *path, const char *type, unsigned long flags, ++ const struct path *path, const char *type, unsigned long flags, + void *data) +{ + struct file_perms perms = { }; @@ -1515,8 +2567,8 @@ index 0000000..478aa4d + return error; +} + -+int aa_pivotroot(struct aa_profile *profile, struct path *old_path, -+ struct path *new_path) ++int aa_pivotroot(struct aa_profile *profile, const struct path *old_path, ++ const struct path *new_path) +{ + struct file_perms perms = { }; + struct aa_profile *target = NULL; @@ -1565,6 +2617,3 @@ index 0000000..478aa4d + + return error; +} --- -cgit v0.10.2 - diff --git a/kernel-imq.patch b/kernel-imq.patch index 2ca02016..b28cac4b 100644 --- a/kernel-imq.patch +++ b/kernel-imq.patch @@ -1,150 +1,6 @@ -diff --git a/drivers/net/Kconfig b/drivers/net/Kconfig -index f184fb5..0e08522 100644 ---- a/drivers/net/Kconfig -+++ b/drivers/net/Kconfig -@@ -234,6 +234,125 @@ config RIONET_RX_SIZE - depends on RIONET - default "128" - -+config IMQ -+ tristate "IMQ (intermediate queueing device) support" -+ depends on NETDEVICES && NETFILTER -+ ---help--- -+ The IMQ device(s) is used as placeholder for QoS queueing -+ disciplines. Every packet entering/leaving the IP stack can be -+ directed through the IMQ device where it's enqueued/dequeued to the -+ attached qdisc. This allows you to treat network devices as classes -+ and distribute bandwidth among them. Iptables is used to specify -+ through which IMQ device, if any, packets travel. -+ -+ More information at: https://github.com/imq/linuximq -+ -+ To compile this driver as a module, choose M here: the module -+ will be called imq. If unsure, say N. -+ -+choice -+ prompt "IMQ behavior (PRE/POSTROUTING)" -+ depends on IMQ -+ default IMQ_BEHAVIOR_AB -+ help -+ This setting defines how IMQ behaves in respect to its -+ hooking in PREROUTING and POSTROUTING. -+ -+ IMQ can work in any of the following ways: -+ -+ PREROUTING | POSTROUTING -+ -----------------|------------------- -+ #1 After NAT | After NAT -+ #2 After NAT | Before NAT -+ #3 Before NAT | After NAT -+ #4 Before NAT | Before NAT -+ -+ The default behavior is to hook before NAT on PREROUTING -+ and after NAT on POSTROUTING (#3). -+ -+ This settings are specially usefull when trying to use IMQ -+ to shape NATed clients. -+ -+ More information can be found at: https://github.com/imq/linuximq -+ -+ If not sure leave the default settings alone. -+ -+config IMQ_BEHAVIOR_AA -+ bool "IMQ AA" -+ help -+ This setting defines how IMQ behaves in respect to its -+ hooking in PREROUTING and POSTROUTING. -+ -+ Choosing this option will make IMQ hook like this: -+ -+ PREROUTING: After NAT -+ POSTROUTING: After NAT -+ -+ More information can be found at: https://github.com/imq/linuximq -+ -+ If not sure leave the default settings alone. -+ -+config IMQ_BEHAVIOR_AB -+ bool "IMQ AB" -+ help -+ This setting defines how IMQ behaves in respect to its -+ hooking in PREROUTING and POSTROUTING. -+ -+ Choosing this option will make IMQ hook like this: -+ -+ PREROUTING: After NAT -+ POSTROUTING: Before NAT -+ -+ More information can be found at: https://github.com/imq/linuximq -+ -+ If not sure leave the default settings alone. -+ -+config IMQ_BEHAVIOR_BA -+ bool "IMQ BA" -+ help -+ This setting defines how IMQ behaves in respect to its -+ hooking in PREROUTING and POSTROUTING. -+ -+ Choosing this option will make IMQ hook like this: -+ -+ PREROUTING: Before NAT -+ POSTROUTING: After NAT -+ -+ More information can be found at: https://github.com/imq/linuximq -+ -+ If not sure leave the default settings alone. -+ -+config IMQ_BEHAVIOR_BB -+ bool "IMQ BB" -+ help -+ This setting defines how IMQ behaves in respect to its -+ hooking in PREROUTING and POSTROUTING. -+ -+ Choosing this option will make IMQ hook like this: -+ -+ PREROUTING: Before NAT -+ POSTROUTING: Before NAT -+ -+ More information can be found at: https://github.com/imq/linuximq -+ -+ If not sure leave the default settings alone. -+ -+endchoice -+ -+config IMQ_NUM_DEVS -+ int "Number of IMQ devices" -+ range 2 16 -+ depends on IMQ -+ default "16" -+ help -+ This setting defines how many IMQ devices will be created. -+ -+ The default value is 16. -+ -+ More information can be found at: https://github.com/imq/linuximq -+ -+ If not sure leave the default settings alone. -+ - config TUN - tristate "Universal TUN/TAP device driver support" - depends on INET -diff --git a/drivers/net/Makefile b/drivers/net/Makefile -index 900b0c5..e093402 100644 ---- a/drivers/net/Makefile -+++ b/drivers/net/Makefile -@@ -10,6 +10,7 @@ obj-$(CONFIG_IPVLAN) += ipvlan/ - obj-$(CONFIG_DUMMY) += dummy.o - obj-$(CONFIG_EQUALIZER) += eql.o - obj-$(CONFIG_IFB) += ifb.o -+obj-$(CONFIG_IMQ) += imq.o - obj-$(CONFIG_MACSEC) += macsec.o - obj-$(CONFIG_MACVLAN) += macvlan.o - obj-$(CONFIG_MACVTAP) += macvtap.o -diff --git a/drivers/net/imq.c b/drivers/net/imq.c -new file mode 100644 -index 0000000..f80258f ---- /dev/null -+++ b/drivers/net/imq.c +diff -Naupr linux-4.7_orig/drivers/net/imq.c linux-4.7/drivers/net/imq.c +--- linux-4.7_orig/drivers/net/imq.c 1970-01-01 07:00:00.000000000 +0700 ++++ linux-4.7/drivers/net/imq.c 2016-07-26 20:58:55.635901659 +0700 @@ -0,0 +1,903 @@ +/* + * Pseudo-driver for the intermediate queue device. @@ -465,7 +321,7 @@ index 0000000..f80258f + struct nf_queue_entry *entry = skb->nf_queue_entry; + + skb->nf_queue_entry = NULL; -+ dev->trans_start = jiffies; ++ netif_trans_update(dev); + + dev->stats.tx_bytes += skb->len; + dev->stats.tx_packets++; @@ -1049,11 +905,149 @@ index 0000000..f80258f +MODULE_DESCRIPTION("Pseudo-driver for the intermediate queue device. See https://github.com/imq/linuximq/wiki for more information."); +MODULE_LICENSE("GPL"); +MODULE_ALIAS_RTNL_LINK("imq"); -diff --git a/include/linux/imq.h b/include/linux/imq.h -new file mode 100644 -index 0000000..1babb09 ---- /dev/null -+++ b/include/linux/imq.h +diff -Naupr linux-4.7_orig/drivers/net/Kconfig linux-4.7/drivers/net/Kconfig +--- linux-4.7_orig/drivers/net/Kconfig 2016-07-25 02:23:50.000000000 +0700 ++++ linux-4.7/drivers/net/Kconfig 2016-07-26 20:58:55.635901659 +0700 +@@ -258,6 +258,125 @@ config RIONET_RX_SIZE + depends on RIONET + default "128" + ++config IMQ ++ tristate "IMQ (intermediate queueing device) support" ++ depends on NETDEVICES && NETFILTER ++ ---help--- ++ The IMQ device(s) is used as placeholder for QoS queueing ++ disciplines. Every packet entering/leaving the IP stack can be ++ directed through the IMQ device where it's enqueued/dequeued to the ++ attached qdisc. This allows you to treat network devices as classes ++ and distribute bandwidth among them. Iptables is used to specify ++ through which IMQ device, if any, packets travel. ++ ++ More information at: https://github.com/imq/linuximq ++ ++ To compile this driver as a module, choose M here: the module ++ will be called imq. If unsure, say N. ++ ++choice ++ prompt "IMQ behavior (PRE/POSTROUTING)" ++ depends on IMQ ++ default IMQ_BEHAVIOR_AB ++ help ++ This setting defines how IMQ behaves in respect to its ++ hooking in PREROUTING and POSTROUTING. ++ ++ IMQ can work in any of the following ways: ++ ++ PREROUTING | POSTROUTING ++ -----------------|------------------- ++ #1 After NAT | After NAT ++ #2 After NAT | Before NAT ++ #3 Before NAT | After NAT ++ #4 Before NAT | Before NAT ++ ++ The default behavior is to hook before NAT on PREROUTING ++ and after NAT on POSTROUTING (#3). ++ ++ This settings are specially usefull when trying to use IMQ ++ to shape NATed clients. ++ ++ More information can be found at: https://github.com/imq/linuximq ++ ++ If not sure leave the default settings alone. ++ ++config IMQ_BEHAVIOR_AA ++ bool "IMQ AA" ++ help ++ This setting defines how IMQ behaves in respect to its ++ hooking in PREROUTING and POSTROUTING. ++ ++ Choosing this option will make IMQ hook like this: ++ ++ PREROUTING: After NAT ++ POSTROUTING: After NAT ++ ++ More information can be found at: https://github.com/imq/linuximq ++ ++ If not sure leave the default settings alone. ++ ++config IMQ_BEHAVIOR_AB ++ bool "IMQ AB" ++ help ++ This setting defines how IMQ behaves in respect to its ++ hooking in PREROUTING and POSTROUTING. ++ ++ Choosing this option will make IMQ hook like this: ++ ++ PREROUTING: After NAT ++ POSTROUTING: Before NAT ++ ++ More information can be found at: https://github.com/imq/linuximq ++ ++ If not sure leave the default settings alone. ++ ++config IMQ_BEHAVIOR_BA ++ bool "IMQ BA" ++ help ++ This setting defines how IMQ behaves in respect to its ++ hooking in PREROUTING and POSTROUTING. ++ ++ Choosing this option will make IMQ hook like this: ++ ++ PREROUTING: Before NAT ++ POSTROUTING: After NAT ++ ++ More information can be found at: https://github.com/imq/linuximq ++ ++ If not sure leave the default settings alone. ++ ++config IMQ_BEHAVIOR_BB ++ bool "IMQ BB" ++ help ++ This setting defines how IMQ behaves in respect to its ++ hooking in PREROUTING and POSTROUTING. ++ ++ Choosing this option will make IMQ hook like this: ++ ++ PREROUTING: Before NAT ++ POSTROUTING: Before NAT ++ ++ More information can be found at: https://github.com/imq/linuximq ++ ++ If not sure leave the default settings alone. ++ ++endchoice ++ ++config IMQ_NUM_DEVS ++ int "Number of IMQ devices" ++ range 2 16 ++ depends on IMQ ++ default "16" ++ help ++ This setting defines how many IMQ devices will be created. ++ ++ The default value is 16. ++ ++ More information can be found at: https://github.com/imq/linuximq ++ ++ If not sure leave the default settings alone. ++ + config TUN + tristate "Universal TUN/TAP device driver support" + depends on INET +diff -Naupr linux-4.7_orig/drivers/net/Makefile linux-4.7/drivers/net/Makefile +--- linux-4.7_orig/drivers/net/Makefile 2016-07-25 02:23:50.000000000 +0700 ++++ linux-4.7/drivers/net/Makefile 2016-07-26 20:58:55.635901659 +0700 +@@ -11,6 +11,7 @@ obj-$(CONFIG_DUMMY) += dummy.o + obj-$(CONFIG_EQUALIZER) += eql.o + obj-$(CONFIG_IFB) += ifb.o + obj-$(CONFIG_MACSEC) += macsec.o ++obj-$(CONFIG_IMQ) += imq.o + obj-$(CONFIG_MACVLAN) += macvlan.o + obj-$(CONFIG_MACVTAP) += macvtap.o + obj-$(CONFIG_MII) += mii.o +diff -Naupr linux-4.7_orig/include/linux/imq.h linux-4.7/include/linux/imq.h +--- linux-4.7_orig/include/linux/imq.h 1970-01-01 07:00:00.000000000 +0700 ++++ linux-4.7/include/linux/imq.h 2016-07-26 20:58:55.639235009 +0700 @@ -0,0 +1,13 @@ +#ifndef _IMQ_H +#define _IMQ_H @@ -1068,11 +1062,10 @@ index 0000000..1babb09 + +#endif /* _IMQ_H */ + -diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h -index 3143c84..e213b31 100644 ---- a/include/linux/netdevice.h -+++ b/include/linux/netdevice.h -@@ -3341,6 +3341,19 @@ static inline void netif_tx_unlock_bh(struct net_device *dev) +diff -Naupr linux-4.7_orig/include/linux/netdevice.h linux-4.7/include/linux/netdevice.h +--- linux-4.7_orig/include/linux/netdevice.h 2016-07-25 02:23:50.000000000 +0700 ++++ linux-4.7/include/linux/netdevice.h 2016-07-26 20:58:55.639235009 +0700 +@@ -3558,6 +3558,19 @@ static inline void netif_tx_unlock_bh(st } \ } @@ -1092,11 +1085,9 @@ index 3143c84..e213b31 100644 static inline void netif_tx_disable(struct net_device *dev) { unsigned int i; -diff --git a/include/linux/netfilter/xt_IMQ.h b/include/linux/netfilter/xt_IMQ.h -new file mode 100644 -index 0000000..9b07230 ---- /dev/null -+++ b/include/linux/netfilter/xt_IMQ.h +diff -Naupr linux-4.7_orig/include/linux/netfilter/xt_IMQ.h linux-4.7/include/linux/netfilter/xt_IMQ.h +--- linux-4.7_orig/include/linux/netfilter/xt_IMQ.h 1970-01-01 07:00:00.000000000 +0700 ++++ linux-4.7/include/linux/netfilter/xt_IMQ.h 2016-07-26 20:58:55.639235009 +0700 @@ -0,0 +1,9 @@ +#ifndef _XT_IMQ_H +#define _XT_IMQ_H @@ -1107,11 +1098,9 @@ index 0000000..9b07230 + +#endif /* _XT_IMQ_H */ + -diff --git a/include/linux/netfilter_ipv4/ipt_IMQ.h b/include/linux/netfilter_ipv4/ipt_IMQ.h -new file mode 100644 -index 0000000..7af320f ---- /dev/null -+++ b/include/linux/netfilter_ipv4/ipt_IMQ.h +diff -Naupr linux-4.7_orig/include/linux/netfilter_ipv4/ipt_IMQ.h linux-4.7/include/linux/netfilter_ipv4/ipt_IMQ.h +--- linux-4.7_orig/include/linux/netfilter_ipv4/ipt_IMQ.h 1970-01-01 07:00:00.000000000 +0700 ++++ linux-4.7/include/linux/netfilter_ipv4/ipt_IMQ.h 2016-07-26 20:58:55.639235009 +0700 @@ -0,0 +1,10 @@ +#ifndef _IPT_IMQ_H +#define _IPT_IMQ_H @@ -1123,11 +1112,9 @@ index 0000000..7af320f + +#endif /* _IPT_IMQ_H */ + -diff --git a/include/linux/netfilter_ipv6/ip6t_IMQ.h b/include/linux/netfilter_ipv6/ip6t_IMQ.h -new file mode 100644 -index 0000000..198ac01 ---- /dev/null -+++ b/include/linux/netfilter_ipv6/ip6t_IMQ.h +diff -Naupr linux-4.7_orig/include/linux/netfilter_ipv6/ip6t_IMQ.h linux-4.7/include/linux/netfilter_ipv6/ip6t_IMQ.h +--- linux-4.7_orig/include/linux/netfilter_ipv6/ip6t_IMQ.h 1970-01-01 07:00:00.000000000 +0700 ++++ linux-4.7/include/linux/netfilter_ipv6/ip6t_IMQ.h 2016-07-26 20:58:55.639235009 +0700 @@ -0,0 +1,10 @@ +#ifndef _IP6T_IMQ_H +#define _IP6T_IMQ_H @@ -1139,10 +1126,9 @@ index 0000000..198ac01 + +#endif /* _IP6T_IMQ_H */ + -diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h -index 4355129..47914c0 100644 ---- a/include/linux/skbuff.h -+++ b/include/linux/skbuff.h +diff -Naupr linux-4.7_orig/include/linux/skbuff.h linux-4.7/include/linux/skbuff.h +--- linux-4.7_orig/include/linux/skbuff.h 2016-07-25 02:23:50.000000000 +0700 ++++ linux-4.7/include/linux/skbuff.h 2016-07-26 20:58:55.639235009 +0700 @@ -38,6 +38,10 @@ #include #include @@ -1152,9 +1138,9 @@ index 4355129..47914c0 100644 +#endif + - /* A. Checksumming of received packets by device. - * -@@ -566,6 +570,9 @@ struct sk_buff { + /* The interface for checksum offload between the stack and networking drivers + * is as follows... +@@ -647,6 +651,9 @@ struct sk_buff { * first. This is owned by whoever has the skb queued ATM. */ char cb[48] __aligned(8); @@ -1164,7 +1150,7 @@ index 4355129..47914c0 100644 unsigned long _skb_refdst; void (*destructor)(struct sk_buff *skb); -@@ -575,6 +582,9 @@ struct sk_buff { +@@ -656,6 +663,9 @@ struct sk_buff { #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) struct nf_conntrack *nfct; #endif @@ -1174,7 +1160,7 @@ index 4355129..47914c0 100644 #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) struct nf_bridge_info *nf_bridge; #endif -@@ -642,6 +652,9 @@ struct sk_buff { +@@ -723,6 +733,9 @@ struct sk_buff { __u8 inner_protocol_type:1; __u8 remcsum_offload:1; /* 3 or 5 bit hole */ @@ -1184,7 +1170,7 @@ index 4355129..47914c0 100644 #ifdef CONFIG_NET_SCHED __u16 tc_index; /* traffic control index */ -@@ -798,6 +811,12 @@ void kfree_skb_list(struct sk_buff *segs); +@@ -879,6 +892,12 @@ void kfree_skb_list(struct sk_buff *segs void skb_tx_error(struct sk_buff *skb); void consume_skb(struct sk_buff *skb); void __kfree_skb(struct sk_buff *skb); @@ -1197,7 +1183,7 @@ index 4355129..47914c0 100644 extern struct kmem_cache *skbuff_head_cache; void kfree_skb_partial(struct sk_buff *skb, bool head_stolen); -@@ -3344,6 +3363,10 @@ static inline void __nf_copy(struct sk_buff *dst, const struct sk_buff *src, +@@ -3523,6 +3542,10 @@ static inline void __nf_copy(struct sk_b if (copy) dst->nfctinfo = src->nfctinfo; #endif @@ -1208,13 +1194,12 @@ index 4355129..47914c0 100644 #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) dst->nf_bridge = src->nf_bridge; nf_bridge_get(src->nf_bridge); -diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h -index 9c5638a..b173aa7 100644 ---- a/include/net/netfilter/nf_queue.h -+++ b/include/net/netfilter/nf_queue.h +diff -Naupr linux-4.7_orig/include/net/netfilter/nf_queue.h linux-4.7/include/net/netfilter/nf_queue.h +--- linux-4.7_orig/include/net/netfilter/nf_queue.h 2016-07-25 02:23:50.000000000 +0700 ++++ linux-4.7/include/net/netfilter/nf_queue.h 2016-07-26 20:58:55.642568359 +0700 @@ -31,6 +31,12 @@ struct nf_queue_handler { - void nf_register_queue_handler(const struct nf_queue_handler *qh); - void nf_unregister_queue_handler(void); + void nf_register_queue_handler(struct net *net, const struct nf_queue_handler *qh); + void nf_unregister_queue_handler(struct net *net); void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict); +void nf_queue_entry_release_refs(struct nf_queue_entry *entry); + @@ -1225,11 +1210,10 @@ index 9c5638a..b173aa7 100644 void nf_queue_entry_get_refs(struct nf_queue_entry *entry); void nf_queue_entry_release_refs(struct nf_queue_entry *entry); -diff --git a/include/net/pkt_sched.h b/include/net/pkt_sched.h -index 401038d..4668849 100644 ---- a/include/net/pkt_sched.h -+++ b/include/net/pkt_sched.h -@@ -104,6 +104,8 @@ int sch_direct_xmit(struct sk_buff *skb, struct Qdisc *q, +diff -Naupr linux-4.7_orig/include/net/pkt_sched.h linux-4.7/include/net/pkt_sched.h +--- linux-4.7_orig/include/net/pkt_sched.h 2016-07-25 02:23:50.000000000 +0700 ++++ linux-4.7/include/net/pkt_sched.h 2016-07-26 20:58:55.642568359 +0700 +@@ -105,6 +105,8 @@ int sch_direct_xmit(struct sk_buff *skb, void __qdisc_run(struct Qdisc *q); @@ -1238,11 +1222,10 @@ index 401038d..4668849 100644 static inline void qdisc_run(struct Qdisc *q) { if (qdisc_run_begin(q)) -diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h -index b2a8e63..d9feaa3 100644 ---- a/include/net/sch_generic.h -+++ b/include/net/sch_generic.h -@@ -506,6 +506,12 @@ static inline int qdisc_enqueue(struct sk_buff *skb, struct Qdisc *sch) +diff -Naupr linux-4.7_orig/include/net/sch_generic.h linux-4.7/include/net/sch_generic.h +--- linux-4.7_orig/include/net/sch_generic.h 2016-07-25 02:23:50.000000000 +0700 ++++ linux-4.7/include/net/sch_generic.h 2016-07-26 20:58:55.642568359 +0700 +@@ -523,6 +523,12 @@ static inline int qdisc_enqueue(struct s return sch->enqueue(skb, sch); } @@ -1255,10 +1238,9 @@ index b2a8e63..d9feaa3 100644 static inline bool qdisc_is_percpu_stats(const struct Qdisc *q) { return q->flags & TCQ_F_CPUSTATS; -diff --git a/include/uapi/linux/netfilter.h b/include/uapi/linux/netfilter.h -index d93f949..23fb6d1 100644 ---- a/include/uapi/linux/netfilter.h -+++ b/include/uapi/linux/netfilter.h +diff -Naupr linux-4.7_orig/include/uapi/linux/netfilter.h linux-4.7/include/uapi/linux/netfilter.h +--- linux-4.7_orig/include/uapi/linux/netfilter.h 2016-07-25 02:23:50.000000000 +0700 ++++ linux-4.7/include/uapi/linux/netfilter.h 2016-07-26 20:58:55.642568359 +0700 @@ -14,7 +14,8 @@ #define NF_QUEUE 3 #define NF_REPEAT 4 @@ -1269,11 +1251,10 @@ index d93f949..23fb6d1 100644 /* we overload the higher bits for encoding auxiliary data such as the queue * number or errno values. Not nice, but better than additional function -diff --git a/net/core/dev.c b/net/core/dev.c -index ae00b89..1cdcd02 100644 ---- a/net/core/dev.c -+++ b/net/core/dev.c -@@ -137,6 +137,9 @@ +diff -Naupr linux-4.7_orig/net/core/dev.c linux-4.7/net/core/dev.c +--- linux-4.7_orig/net/core/dev.c 2016-07-25 02:23:50.000000000 +0700 ++++ linux-4.7/net/core/dev.c 2016-07-26 20:58:55.642568359 +0700 +@@ -139,6 +139,9 @@ #include #include #include @@ -1283,7 +1264,7 @@ index ae00b89..1cdcd02 100644 #include "net-sysfs.h" -@@ -2705,7 +2708,12 @@ static int xmit_one(struct sk_buff *skb, struct net_device *dev, +@@ -2908,7 +2911,12 @@ static int xmit_one(struct sk_buff *skb, unsigned int len; int rc; @@ -1296,7 +1277,7 @@ index ae00b89..1cdcd02 100644 dev_queue_xmit_nit(skb, dev); len = skb->len; -@@ -2743,6 +2751,7 @@ out: +@@ -2946,6 +2954,7 @@ out: *ret = rc; return skb; } @@ -1304,7 +1285,7 @@ index ae00b89..1cdcd02 100644 static struct sk_buff *validate_xmit_vlan(struct sk_buff *skb, netdev_features_t features) -@@ -2831,6 +2840,7 @@ struct sk_buff *validate_xmit_skb_list(struct sk_buff *skb, struct net_device *d +@@ -3032,6 +3041,7 @@ struct sk_buff *validate_xmit_skb_list(s } return head; } @@ -1312,11 +1293,10 @@ index ae00b89..1cdcd02 100644 static void qdisc_pkt_len_init(struct sk_buff *skb) { -diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index b2df375..bc3c51e 100644 ---- a/net/core/skbuff.c -+++ b/net/core/skbuff.c -@@ -79,6 +79,87 @@ +diff -Naupr linux-4.7_orig/net/core/skbuff.c linux-4.7/net/core/skbuff.c +--- linux-4.7_orig/net/core/skbuff.c 2016-07-25 02:23:50.000000000 +0700 ++++ linux-4.7/net/core/skbuff.c 2016-07-26 20:58:55.645901708 +0700 +@@ -81,6 +81,87 @@ struct kmem_cache *skbuff_head_cache __r static struct kmem_cache *skbuff_fclone_cache __read_mostly; int sysctl_max_skb_frags __read_mostly = MAX_SKB_FRAGS; EXPORT_SYMBOL(sysctl_max_skb_frags); @@ -1404,7 +1384,7 @@ index b2df375..bc3c51e 100644 /** * skb_panic - private function for out-of-line support -@@ -643,6 +724,28 @@ static void skb_release_head_state(struct sk_buff *skb) +@@ -653,6 +734,28 @@ static void skb_release_head_state(struc WARN_ON(in_irq()); skb->destructor(skb); } @@ -1433,7 +1413,7 @@ index b2df375..bc3c51e 100644 #if IS_ENABLED(CONFIG_NF_CONNTRACK) nf_conntrack_put(skb->nfct); #endif -@@ -765,6 +868,10 @@ static void __copy_skb_header(struct sk_buff *new, const struct sk_buff *old) +@@ -842,6 +945,10 @@ static void __copy_skb_header(struct sk_ new->sp = secpath_get(old->sp); #endif __nf_copy(new, old, false); @@ -1444,7 +1424,7 @@ index b2df375..bc3c51e 100644 /* Note : this field could be in headers_start/headers_end section * It is not yet because we do not want to have a 16 bit hole -@@ -3325,6 +3432,13 @@ void __init skb_init(void) +@@ -3433,6 +3540,13 @@ void __init skb_init(void) 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL); @@ -1458,11 +1438,10 @@ index b2df375..bc3c51e 100644 } /** -diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index e6a7bd15..c81496e 100644 ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -65,9 +65,6 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff * +diff -Naupr linux-4.7_orig/net/ipv6/ip6_output.c linux-4.7/net/ipv6/ip6_output.c +--- linux-4.7_orig/net/ipv6/ip6_output.c 2016-07-25 02:23:50.000000000 +0700 ++++ linux-4.7/net/ipv6/ip6_output.c 2016-07-26 20:58:55.645901708 +0700 +@@ -65,9 +65,6 @@ static int ip6_finish_output2(struct net struct in6_addr *nexthop; int ret; @@ -1472,7 +1451,7 @@ index e6a7bd15..c81496e 100644 if (ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr)) { struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb)); -@@ -142,6 +139,13 @@ int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb) +@@ -142,6 +139,13 @@ int ip6_output(struct net *net, struct s return 0; } @@ -1486,11 +1465,27 @@ index e6a7bd15..c81496e 100644 return NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING, net, sk, skb, NULL, dev, ip6_finish_output, -diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig -index 4692782..dce47db 100644 ---- a/net/netfilter/Kconfig -+++ b/net/netfilter/Kconfig -@@ -785,6 +785,18 @@ config NETFILTER_XT_TARGET_LOG +diff -Naupr linux-4.7_orig/net/netfilter/core.c linux-4.7/net/netfilter/core.c +--- linux-4.7_orig/net/netfilter/core.c 2016-07-25 02:23:50.000000000 +0700 ++++ linux-4.7/net/netfilter/core.c 2016-07-26 20:58:55.645901708 +0700 +@@ -311,9 +311,11 @@ next_hook: + ret = NF_DROP_GETERR(verdict); + if (ret == 0) + ret = -EPERM; +- } else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) { ++ } else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE || ++ (verdict & NF_VERDICT_MASK) == NF_IMQ_QUEUE) { + int err = nf_queue(skb, elem, state, +- verdict >> NF_VERDICT_QBITS); ++ verdict >> NF_VERDICT_QBITS, ++ verdict & NF_VERDICT_MASK); + if (err < 0) { + if (err == -ESRCH && + (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS)) +diff -Naupr linux-4.7_orig/net/netfilter/Kconfig linux-4.7/net/netfilter/Kconfig +--- linux-4.7_orig/net/netfilter/Kconfig 2016-07-25 02:23:50.000000000 +0700 ++++ linux-4.7/net/netfilter/Kconfig 2016-07-26 20:58:55.645901708 +0700 +@@ -807,6 +807,18 @@ config NETFILTER_XT_TARGET_LOG To compile it as a module, choose M here. If unsure, say N. @@ -1509,11 +1504,10 @@ index 4692782..dce47db 100644 config NETFILTER_XT_TARGET_MARK tristate '"MARK" target support' depends on NETFILTER_ADVANCED -diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile -index 7638c36..614ad8a 100644 ---- a/net/netfilter/Makefile -+++ b/net/netfilter/Makefile -@@ -108,6 +108,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_CT) += xt_CT.o +diff -Naupr linux-4.7_orig/net/netfilter/Makefile linux-4.7/net/netfilter/Makefile +--- linux-4.7_orig/net/netfilter/Makefile 2016-07-25 02:23:50.000000000 +0700 ++++ linux-4.7/net/netfilter/Makefile 2016-07-26 20:58:55.645901708 +0700 +@@ -115,6 +115,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_CT) += obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o obj-$(CONFIG_NETFILTER_XT_TARGET_HL) += xt_HL.o obj-$(CONFIG_NETFILTER_XT_TARGET_HMARK) += xt_HMARK.o @@ -1521,29 +1515,10 @@ index 7638c36..614ad8a 100644 obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o obj-$(CONFIG_NETFILTER_XT_TARGET_LOG) += xt_LOG.o obj-$(CONFIG_NETFILTER_XT_TARGET_NETMAP) += xt_NETMAP.o -diff --git a/net/netfilter/core.c b/net/netfilter/core.c -index f39276d..9877a27 100644 ---- a/net/netfilter/core.c -+++ b/net/netfilter/core.c -@@ -311,9 +311,11 @@ next_hook: - ret = NF_DROP_GETERR(verdict); - if (ret == 0) - ret = -EPERM; -- } else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) { -+ } else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE || -+ (verdict & NF_VERDICT_MASK) == NF_IMQ_QUEUE) { - int err = nf_queue(skb, elem, state, -- verdict >> NF_VERDICT_QBITS); -+ verdict >> NF_VERDICT_QBITS, -+ verdict & NF_VERDICT_MASK); - if (err < 0) { - if (err == -ESRCH && - (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS)) -diff --git a/net/netfilter/nf_internals.h b/net/netfilter/nf_internals.h -index 0655225..25d4141 100644 ---- a/net/netfilter/nf_internals.h -+++ b/net/netfilter/nf_internals.h -@@ -18,7 +18,7 @@ unsigned int nf_iterate(struct list_head *head, struct sk_buff *skb, +diff -Naupr linux-4.7_orig/net/netfilter/nf_internals.h linux-4.7/net/netfilter/nf_internals.h +--- linux-4.7_orig/net/netfilter/nf_internals.h 2016-07-25 02:23:50.000000000 +0700 ++++ linux-4.7/net/netfilter/nf_internals.h 2016-07-26 20:58:55.645901708 +0700 +@@ -18,7 +18,7 @@ unsigned int nf_iterate(struct list_head /* nf_queue.c */ int nf_queue(struct sk_buff *skb, struct nf_hook_ops *elem, @@ -1552,13 +1527,12 @@ index 0655225..25d4141 100644 void nf_queue_nf_hook_drop(struct net *net, struct nf_hook_ops *ops); int __init netfilter_queue_init(void); -diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c -index 5baa8e2..9740e8c 100644 ---- a/net/netfilter/nf_queue.c -+++ b/net/netfilter/nf_queue.c -@@ -28,6 +28,23 @@ +diff -Naupr linux-4.7_orig/net/netfilter/nf_queue.c linux-4.7/net/netfilter/nf_queue.c +--- linux-4.7_orig/net/netfilter/nf_queue.c 2016-07-25 02:23:50.000000000 +0700 ++++ linux-4.7/net/netfilter/nf_queue.c 2016-07-26 20:58:55.649235058 +0700 +@@ -27,6 +27,23 @@ + * receives, no matter what. */ - static const struct nf_queue_handler __rcu *queue_handler __read_mostly; +#if defined(CONFIG_IMQ) || defined(CONFIG_IMQ_MODULE) +static const struct nf_queue_handler __rcu *queue_imq_handler __read_mostly; @@ -1579,8 +1553,8 @@ index 5baa8e2..9740e8c 100644 + /* return EBUSY when somebody else is registered, return EEXIST if the * same handler is registered, return 0 in case of success. */ - void nf_register_queue_handler(const struct nf_queue_handler *qh) -@@ -116,7 +133,8 @@ void nf_queue_nf_hook_drop(struct net *net, struct nf_hook_ops *ops) + void nf_register_queue_handler(struct net *net, const struct nf_queue_handler *qh) +@@ -114,7 +131,8 @@ void nf_queue_nf_hook_drop(struct net *n int nf_queue(struct sk_buff *skb, struct nf_hook_ops *elem, struct nf_hook_state *state, @@ -1590,11 +1564,11 @@ index 5baa8e2..9740e8c 100644 { int status = -ENOENT; struct nf_queue_entry *entry = NULL; -@@ -124,7 +142,17 @@ int nf_queue(struct sk_buff *skb, - const struct nf_queue_handler *qh; +@@ -123,7 +141,17 @@ int nf_queue(struct sk_buff *skb, + struct net *net = state->net; /* QUEUE == DROP if no one is waiting, to be safe. */ -- qh = rcu_dereference(queue_handler); +- qh = rcu_dereference(net->nf.queue_handler); + if (queuetype == NF_IMQ_QUEUE) { +#if defined(CONFIG_IMQ) || defined(CONFIG_IMQ_MODULE) + qh = rcu_dereference(queue_imq_handler); @@ -1603,13 +1577,13 @@ index 5baa8e2..9740e8c 100644 + goto err_unlock; +#endif + } else { -+ qh = rcu_dereference(queue_handler); ++ qh = rcu_dereference(net->nf.queue_handler); + } + if (!qh) { status = -ESRCH; goto err; -@@ -199,8 +227,10 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict) +@@ -198,8 +226,10 @@ void nf_reinject(struct nf_queue_entry * local_bh_enable(); break; case NF_QUEUE: @@ -1621,11 +1595,9 @@ index 5baa8e2..9740e8c 100644 if (err < 0) { if (err == -ESRCH && (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS)) -diff --git a/net/netfilter/xt_IMQ.c b/net/netfilter/xt_IMQ.c -new file mode 100644 -index 0000000..86d7b84 ---- /dev/null -+++ b/net/netfilter/xt_IMQ.c +diff -Naupr linux-4.7_orig/net/netfilter/xt_IMQ.c linux-4.7/net/netfilter/xt_IMQ.c +--- linux-4.7_orig/net/netfilter/xt_IMQ.c 1970-01-01 07:00:00.000000000 +0700 ++++ linux-4.7/net/netfilter/xt_IMQ.c 2016-07-26 20:58:55.649235058 +0700 @@ -0,0 +1,72 @@ +/* + * This target marks packets to be enqueued to an imq device @@ -1693,17 +1665,16 @@ index 0000000..86d7b84 +module_init(imq_init); +module_exit(imq_fini); + -+MODULE_AUTHOR("http://https://github.com/imq/linuximq"); ++MODULE_AUTHOR("https://github.com/imq/linuximq"); +MODULE_DESCRIPTION("Pseudo-driver for the intermediate queue device. See https://github.com/imq/linuximq/wiki for more information."); +MODULE_LICENSE("GPL"); +MODULE_ALIAS("ipt_IMQ"); +MODULE_ALIAS("ip6t_IMQ"); + -diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c -index e82a1ad..b55331d 100644 ---- a/net/sched/sch_generic.c -+++ b/net/sched/sch_generic.c -@@ -108,6 +108,14 @@ static struct sk_buff *dequeue_skb(struct Qdisc *q, bool *validate, +diff -Naupr linux-4.7_orig/net/sched/sch_generic.c linux-4.7/net/sched/sch_generic.c +--- linux-4.7_orig/net/sched/sch_generic.c 2016-07-25 02:23:50.000000000 +0700 ++++ linux-4.7/net/sched/sch_generic.c 2016-07-26 20:58:55.649235058 +0700 +@@ -110,6 +110,14 @@ static struct sk_buff *dequeue_skb(struc return skb; } @@ -1715,6 +1686,6 @@ index e82a1ad..b55331d 100644 +} +EXPORT_SYMBOL(qdisc_dequeue_skb); + - static inline int handle_dev_cpu_collision(struct sk_buff *skb, - struct netdev_queue *dev_queue, - struct Qdisc *q) + /* + * Transmit possibly several skbs, and handle the return status as + * required. Holding the __QDISC___STATE_RUNNING bit guarantees that diff --git a/kernel.spec b/kernel.spec index 9f276a4a..a210d7f6 100644 --- a/kernel.spec +++ b/kernel.spec @@ -165,9 +165,6 @@ Patch40: kernel-layer7.patch ### End netfilter -# http://zph.bratcheda.org/linux-2.6.26.3-zph.patch -Patch49: kernel-zph.patch - # http://www.linuximq.net Patch50: kernel-imq.patch @@ -218,7 +215,7 @@ Patch2003: kernel-regressions.patch Patch2004: kernel-libata-ahci-pm.patch # git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor -# branch v4.2-aa2.8-out-of-tree +# branch v4.7-aa2.8-out-of-tree Patch5000: kernel-apparmor.patch # for rescuecd @@ -669,10 +666,6 @@ cd linux-%{basever} ## # end of netfilter -# zph -# FIXME or DROPME -%patch49 -p1 - %if %{with imq} %patch50 -p1 %endif -- 2.44.0