Author: arekm Date: Thu Oct 21 18:20:14 2010 GMT Module: packages Tag: HEAD ---- Log message: - add missing features in 2.6.36 apparmor
---- Files affected: packages/kernel: kernel-apparmor.patch (1.8 -> 1.9) , kernel.spec (1.841 -> 1.842) ---- Diffs: ================================================================ Index: packages/kernel/kernel-apparmor.patch diff -u packages/kernel/kernel-apparmor.patch:1.8 packages/kernel/kernel-apparmor.patch:1.9 --- packages/kernel/kernel-apparmor.patch:1.8 Thu Aug 5 21:52:26 2010 +++ packages/kernel/kernel-apparmor.patch Thu Oct 21 20:20:08 2010 @@ -1,392 +1,76 @@ -From 3f980257e048429a1f0a5dbce0b027a93c0781cc Mon Sep 17 00:00:00 2001 +From 6ab924a333c81d552eb92900509113bdf2fccb2e Mon Sep 17 00:00:00 2001 From: John Johansen <[email protected]> -Date: Wed, 4 Aug 2010 04:42:50 -0700 -Subject: [PATCH] AppArmor: security module v2.6 + compat patches as of 29-07-2010 (security-next) +Date: Mon, 4 Oct 2010 15:03:36 -0700 +Subject: [PATCH 1/3] AppArmor: compatibility patch for v5 network controll -AppArmor v2.6 module as synced to security-next 29-07-2010 backported to -2.6.35 + AppArmor 2.4 compatibility patches. +Add compatibility for v5 network rules. 
Signed-off-by: John Johansen <[email protected]> --- - Documentation/apparmor.txt | 40 + - Documentation/kernel-parameters.txt | 8 + - MAINTAINERS | 8 + - include/linux/lsm_audit.h | 31 + - security/Kconfig | 6 + - security/Makefile | 2 + - security/apparmor/.gitignore | 5 + - security/apparmor/Kconfig | 40 + - security/apparmor/Makefile | 30 + - security/apparmor/apparmorfs-24.c | 287 +++++++ - security/apparmor/apparmorfs.c | 253 ++++++ - security/apparmor/audit.c | 215 ++++++ - security/apparmor/capability.c | 141 ++++ - security/apparmor/context.c | 216 ++++++ - security/apparmor/domain.c | 823 ++++++++++++++++++++ - security/apparmor/file.c | 457 +++++++++++ - security/apparmor/include/apparmor.h | 92 +++ - security/apparmor/include/apparmorfs.h | 26 + - security/apparmor/include/audit.h | 123 +++ - security/apparmor/include/capability.h | 45 ++ - security/apparmor/include/context.h | 154 ++++ - security/apparmor/include/domain.h | 36 + - security/apparmor/include/file.h | 217 ++++++ - security/apparmor/include/ipc.h | 28 + - security/apparmor/include/match.h | 132 ++++ - security/apparmor/include/net.h | 40 + - security/apparmor/include/path.h | 31 + - security/apparmor/include/policy.h | 308 ++++++++ - security/apparmor/include/policy_unpack.h | 20 + - security/apparmor/include/procattr.h | 26 + - security/apparmor/include/resource.h | 46 ++ - security/apparmor/include/sid.h | 24 + - security/apparmor/ipc.c | 114 +++ - security/apparmor/lib.c | 133 ++++ - security/apparmor/lsm.c | 1051 +++++++++++++++++++++++++ - security/apparmor/match.c | 370 +++++++++ - security/apparmor/net.c | 169 ++++ - security/apparmor/path.c | 235 ++++++ - security/apparmor/policy.c | 1185 +++++++++++++++++++++++++++++ - security/apparmor/policy_unpack.c | 740 ++++++++++++++++++ - security/apparmor/policy_unpack.c.rej | 11 + - security/apparmor/procattr.c | 170 ++++ - security/apparmor/resource.c | 134 ++++ - security/apparmor/sid.c | 55 ++ - 44 files changed, 8277 insertions(+), 0 
deletions(-) - create mode 100644 Documentation/apparmor.txt - create mode 100644 security/apparmor/.gitignore - create mode 100644 security/apparmor/Kconfig - create mode 100644 security/apparmor/Makefile - create mode 100644 security/apparmor/apparmorfs-24.c - create mode 100644 security/apparmor/apparmorfs.c - create mode 100644 security/apparmor/audit.c - create mode 100644 security/apparmor/capability.c - create mode 100644 security/apparmor/context.c - create mode 100644 security/apparmor/domain.c - create mode 100644 security/apparmor/file.c - create mode 100644 security/apparmor/include/apparmor.h - create mode 100644 security/apparmor/include/apparmorfs.h - create mode 100644 security/apparmor/include/audit.h - create mode 100644 security/apparmor/include/capability.h - create mode 100644 security/apparmor/include/context.h - create mode 100644 security/apparmor/include/domain.h - create mode 100644 security/apparmor/include/file.h - create mode 100644 security/apparmor/include/ipc.h - create mode 100644 security/apparmor/include/match.h + include/linux/lsm_audit.h | 4 + + security/apparmor/Makefile | 6 +- + security/apparmor/include/net.h | 40 +++++++++ + security/apparmor/include/policy.h | 3 + + security/apparmor/lsm.c | 112 +++++++++++++++++++++++ + security/apparmor/net.c | 170 ++++++++++++++++++++++++++++++++++++ + security/apparmor/policy.c | 1 + + security/apparmor/policy_unpack.c | 48 ++++++++++- + 8 files changed, 382 insertions(+), 2 deletions(-) create mode 100644 security/apparmor/include/net.h - create mode 100644 security/apparmor/include/path.h - create mode 100644 security/apparmor/include/policy.h - create mode 100644 security/apparmor/include/policy_unpack.h - create mode 100644 security/apparmor/include/procattr.h - create mode 100644 security/apparmor/include/resource.h - create mode 100644 security/apparmor/include/sid.h - create mode 100644 security/apparmor/ipc.c - create mode 100644 security/apparmor/lib.c - create mode 100644 
security/apparmor/lsm.c - create mode 100644 security/apparmor/match.c create mode 100644 security/apparmor/net.c - create mode 100644 security/apparmor/path.c - create mode 100644 security/apparmor/policy.c - create mode 100644 security/apparmor/policy_unpack.c - create mode 100644 security/apparmor/policy_unpack.c.rej - create mode 100644 security/apparmor/procattr.c - create mode 100644 security/apparmor/resource.c - create mode 100644 security/apparmor/sid.c -diff --git a/Documentation/apparmor.txt b/Documentation/apparmor.txt -new file mode 100644 -index 0000000..6240438 ---- /dev/null -+++ b/Documentation/apparmor.txt -@@ -0,0 +1,40 @@ -+--- What is AppArmor? --- -+ -+AppArmor is MAC style security extension for the Linux kernel. It implements -+a task centered policy, with task "profiles" being created and loaded -+from user space. Tasks on the system that do not have a profile defined for -+them run in an unconfined state which is equivalent to standard Linux DAC -+permissions. -+ -+--- How to enable/disable --- -+ -+set CONFIG_SECURITY_APPARMOR=y -+ -+If AppArmor should be selected as the default security module then -+ set CONFIG_DEFAULT_SECURITY="apparmor" -+ and CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 -+ -+Build the kernel -+ -+If AppArmor is not the default security module it can be enabled by passing -+security=apparmor on the kernel's command line. -+ -+If AppArmor is the default security module it can be disabled by passing -+apparmor=0, security=XXXX (where XXX is valid security module), on the -+kernel's command line -+ -+For AppArmor to enforce any restrictions beyond standard Linux DAC permissions -+policy must be loaded into the kernel from user space (see the Documentation -+and tools links). -+ -+--- Documentation --- -+ -+Documentation can be found on the wiki. 
-+ -+--- Links --- -+ -+Mailing List - [email protected] -+Wiki - http://apparmor.wiki.kernel.org/ -+User space tools - https://launchpad.net/apparmor -+Kernel module - git://git.kernel.org/pub/scm/linux/kernel/git/jj/apparmor-dev.git -+ -diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt -index 2b2407d..b61f89f 100644 ---- a/Documentation/kernel-parameters.txt -+++ b/Documentation/kernel-parameters.txt -@@ -93,6 +93,7 @@ parameter is applicable: - Documentation/scsi/. - SECURITY Different security models are enabled. - SELINUX SELinux support is enabled. -+ APPARMOR AppArmor support is enabled. - SERIAL Serial support is enabled. - SH SuperH architecture is enabled. - SMP The kernel is an SMP kernel. -@@ -2312,6 +2313,13 @@ and is between 256 and 4096 characters. It is defined in the file - If enabled at boot time, /selinux/disable can be used - later to disable prior to initial policy load. - -+ apparmor= [APPARMOR] Disable or enable AppArmor at boot time -+ Format: { "0" | "1" } -+ See security/apparmor/Kconfig help text -+ 0 -- disable. -+ 1 -- enable. -+ Default value is set via kernel config option. -+ - serialnumber [BUGS=X86-32] - - shapers= [NET] -diff --git a/MAINTAINERS b/MAINTAINERS -index 02f75fc..a8d5851 100644 ---- a/MAINTAINERS -+++ b/MAINTAINERS -@@ -5061,6 +5061,14 @@ S: Supported - F: include/linux/selinux* - F: security/selinux/ - -+APPARMOR SECURITY MODULE -+M: John Johansen <[email protected]> -+L: [email protected] (subscribers-only, general discussion) -+W: apparmor.wiki.kernel.org -+T: git git://git.kernel.org/pub/scm/linux/kernel/git/jj/apparmor-dev.git -+S: Supported -+F: security/apparmor/ -+ - SENSABLE PHANTOM - M: Jiri Slaby <[email protected]> - S: Maintained diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h -index 6907251..3474e45 100644 +index 112a550..d5f3dd7 100644 --- a/include/linux/lsm_audit.h 
+++ b/include/linux/lsm_audit.h -@@ -94,6 +94,37 @@ struct common_audit_data { - int result; - } selinux_audit_data; - #endif -+#ifdef CONFIG_SECURITY_APPARMOR -+ struct { -+ int error; -+ int op; -+ int type; -+ void *profile; -+ const char *name; -+ const char *info; -+ union { -+ void *target; -+ struct { -+ long pos; -+ void *target; -+ } iface; -+ struct { -+ int rlim; -+ unsigned long max; -+ } rlim; -+ struct { -+ const char *target; -+ u32 request; -+ u32 denied; -+ uid_t ouid; -+ } fs; +@@ -123,6 +123,10 @@ struct common_audit_data { + u32 denied; + uid_t ouid; + } fs; + struct { + int type, protocol; + struct sock *sk; + } net; -+ }; -+ } apparmor_audit_data; -+#endif - }; - /* these callback will be implemented by a specific LSM */ - void (*lsm_pre_audit)(struct audit_buffer *, void *); -diff --git a/security/Kconfig b/security/Kconfig -index 226b955..bd72ae6 100644 ---- a/security/Kconfig -+++ b/security/Kconfig -@@ -140,6 +140,7 @@ config LSM_MMAP_MIN_ADDR - source security/selinux/Kconfig - source security/smack/Kconfig - source security/tomoyo/Kconfig -+source security/apparmor/Kconfig - - source security/integrity/ima/Kconfig - -@@ -148,6 +149,7 @@ choice - default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX - default DEFAULT_SECURITY_SMACK if SECURITY_SMACK - default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO -+ default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR - default DEFAULT_SECURITY_DAC - - help -@@ -163,6 +165,9 @@ choice - config DEFAULT_SECURITY_TOMOYO - bool "TOMOYO" if SECURITY_TOMOYO=y - -+ config DEFAULT_SECURITY_APPARMOR -+ bool "AppArmor" if SECURITY_APPARMOR=y -+ - config DEFAULT_SECURITY_DAC - bool "Unix Discretionary Access Controls" + }; + } apparmor_audit_data; + #endif +diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile +index f204869..a9a1db0 100644 +--- a/security/apparmor/Makefile ++++ b/security/apparmor/Makefile +@@ -4,17 +4,21 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o -@@ -173,6 +178,7 @@ 
config DEFAULT_SECURITY - default "selinux" if DEFAULT_SECURITY_SELINUX - default "smack" if DEFAULT_SECURITY_SMACK - default "tomoyo" if DEFAULT_SECURITY_TOMOYO -+ default "apparmor" if DEFAULT_SECURITY_APPARMOR - default "" if DEFAULT_SECURITY_DAC + apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \ + path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \ +- resource.o sid.o file.o ++ resource.o sid.o file.o net.o - endmenu -diff --git a/security/Makefile b/security/Makefile -index da20a19..8bb0fe9 100644 ---- a/security/Makefile -+++ b/security/Makefile -@@ -6,6 +6,7 @@ obj-$(CONFIG_KEYS) += keys/ - subdir-$(CONFIG_SECURITY_SELINUX) += selinux - subdir-$(CONFIG_SECURITY_SMACK) += smack - subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo -+subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor + clean-files: capability_names.h af_names.h - # always enable default capabilities - obj-y += commoncap.o -@@ -19,6 +20,7 @@ obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o - obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o - obj-$(CONFIG_AUDIT) += lsm_audit.o - obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/built-in.o -+obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/built-in.o - obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o + quiet_cmd_make-caps = GEN $@ + cmd_make-caps = echo "static const char *capability_names[] = {" > $@ ; sed -n -e "/CAP_FS_MASK/d" -e "s/^\#define[ \\t]\\+CAP_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\$$/[\\2] = \"\\1\",/p" $< | tr A-Z a-z >> $@ ; echo "};" >> $@ - # Object integrity file lists -diff --git a/security/apparmor/.gitignore b/security/apparmor/.gitignore -new file mode 100644 -index 0000000..0a0a99f ---- /dev/null -+++ b/security/apparmor/.gitignore -@@ -0,0 +1,5 @@ -+# -+# Generated include files -+# -+af_names.h -+capability_names.h -diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig -new file mode 100644 -index 0000000..fdf3022 ---- /dev/null -+++ b/security/apparmor/Kconfig -@@ -0,0 +1,40 @@ -+config 
SECURITY_APPARMOR -+ bool "AppArmor support" -+ depends on SECURITY -+ select AUDIT -+ select SECURITY_PATH -+ select SECURITYFS -+ select SECURITY_NETWORK -+ default n -+ help -+ This enables the AppArmor security module. -+ Required userspace tools (if they are not included in your -+ distribution) and further information may be found at -+ http://apparmor.wiki.kernel.org -+ -+ If you are unsure how to answer this question, answer N. -+ -+config SECURITY_APPARMOR_BOOTPARAM_VALUE -+ int "AppArmor boot parameter default value" -+ depends on SECURITY_APPARMOR -+ range 0 1 -+ default 1 -+ help -+ This option sets the default value for the kernel parameter -+ 'apparmor', which allows AppArmor to be enabled or disabled -+ at boot. If this option is set to 0 (zero), the AppArmor -+ kernel parameter will default to 0, disabling AppArmor at -+ boot. If this option is set to 1 (one), the AppArmor -+ kernel parameter will default to 1, enabling AppArmor at -+ boot. -+ -+ If you are unsure how to answer this question, answer 1. -+ -+config SECURITY_APPARMOR_COMPAT_24 -+ bool "Enable AppArmor 2.4 compatability" -+ depends on SECURITY_APPARMOR -+ default y -+ help -+ This option enables compatability with AppArmor 2.4. It is -+ recommended if compatability with older versions of AppArmor -+ is desired. 
-diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile -new file mode 100644 -index 0000000..e5e8968 ---- /dev/null -+++ b/security/apparmor/Makefile -@@ -0,0 +1,30 @@ -+# Makefile for AppArmor Linux Security Module -+# -+obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o -+ -+apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \ -+ path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \ -+ resource.o sid.o file.o net.o -+ -+apparmor-$(CONFIG_SECURITY_APPARMOR_COMPAT_24) += apparmorfs-24.o -+ -+clean-files: capability_names.h af_names.h -+ -+quiet_cmd_make-caps = GEN $@ -+cmd_make-caps = echo "static const char *capability_names[] = {" > $@ ; sed -n -e "/CAP_FS_MASK/d" -e "s/^\#define[ \\t]\\+CAP_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\$$/[\\2] = \"\\1\",/p" $< | tr A-Z a-z >> $@ ; echo "};" >> $@ -+ +quiet_cmd_make-af = GEN $@ +cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ; sed -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e "s/^\#define[ \\t]\\+AF_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/[\\2] = \"\\1\",/p" $< | tr A-Z a-z >> $@ ; echo "};" >> $@ + -+quiet_cmd_make-rlim = GEN $@ -+cmd_make-rlim = echo "static const char *rlim_names[] = {" > $@ ; sed -n --e "/AF_MAX/d" -e "s/^\# \\?define[ \\t]\\+RLIMIT_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/[\\2] = \"\\1\",/p" $< | tr A-Z a-z >> $@ ; echo "};" >> $@ ; echo "static const int rlim_map[] = {" >> $@ ; sed -n -e "/AF_MAX/d" -e "s/^\# \\?define[ \\t]\\+\\(RLIMIT_[A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/\\1,/p" $< >> $@ ; echo "};" >> $@ -+ -+$(obj)/capability.o : $(obj)/capability_names.h + quiet_cmd_make-rlim = GEN $@ + cmd_make-rlim = echo "static const char *rlim_names[] = {" > $@ ; sed -n --e "/AF_MAX/d" -e "s/^\# \\?define[ \\t]\\+RLIMIT_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/[\\2] = \"\\1\",/p" $< | tr A-Z a-z >> $@ ; echo "};" >> $@ ; echo "static const int rlim_map[] = {" >> $@ ; sed -n -e "/AF_MAX/d" -e 
"s/^\# \\?define[ \\t]\\+\\(RLIMIT_[A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/\\1,/p" $< >> $@ ; echo "};" >> $@ + + $(obj)/capability.o : $(obj)/capability_names.h +$(obj)/net.o : $(obj)/af_names.h -+$(obj)/resource.o : $(obj)/rlim_names.h -+$(obj)/capability_names.h : $(srctree)/include/linux/capability.h -+ $(call cmd,make-caps) -+$(obj)/af_names.h : $(srctree)/include/linux/socket.h -+ $(call cmd,make-af) -+$(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h -+ $(call cmd,make-rlim) -diff --git a/security/apparmor/apparmorfs-24.c b/security/apparmor/apparmorfs-24.c + $(obj)/resource.o : $(obj)/rlim_names.h + $(obj)/capability_names.h : $(srctree)/include/linux/capability.h + $(call cmd,make-caps) +diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h new file mode 100644 -index 0000000..dc8c744 +index 0000000..3c7d599 --- /dev/null -+++ b/security/apparmor/apparmorfs-24.c -@@ -0,0 +1,287 @@ ++++ b/security/apparmor/include/net.h +@@ -0,0 +1,40 @@ +/* + * AppArmor security module + * -+ * This file contains AppArmor /sys/kernel/secrutiy/apparmor interface functions ++ * This file contains AppArmor network mediation definitions. + * + * Copyright (C) 1998-2008 Novell/SUSE + * Copyright 2009-2010 Canonical Ltd. 
@@ -395,7176 +79,209 @@ + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation, version 2 of the + * License. -+ * -+ * -+ * This file contain functions providing an interface for <= AppArmor 2.4 -+ * compatibility. It is dependent on CONFIG_SECURITY_APPARMOR_COMPAT_24 -+ * being set (see Makefile). + */ + -+#include <linux/security.h> -+#include <linux/vmalloc.h> -+#include <linux/module.h> -+#include <linux/seq_file.h> -+#include <linux/uaccess.h> -+#include <linux/namei.h> ++#ifndef __AA_NET_H ++#define __AA_NET_H + -+#include "include/apparmor.h" -+#include "include/audit.h" -+#include "include/context.h" -+#include "include/policy.h" ++#include <net/sock.h> ++ ++/* struct aa_net - network confinement data ++ * @allowed: basic network families permissions ++ * @audit_network: which network permissions to force audit ++ * @quiet_network: which network permissions to quiet rejects ++ */ ++struct aa_net { ++ u16 allow[AF_MAX]; ++ u16 audit[AF_MAX]; ++ u16 quiet[AF_MAX]; ++}; + ++extern int aa_net_perm(int op, struct aa_profile *profile, u16 family, ++ int type, int protocol, struct sock *sk); ++extern int aa_revalidate_sk(int op, struct sock *sk); + -+/* apparmor/matching */ -+static ssize_t aa_matching_read(struct file *file, char __user *buf, -+ size_t size, loff_t *ppos) ++static inline void aa_free_net_rules(struct aa_net *new) +{ -+ const char matching[] = "pattern=aadfa audit perms=crwxamlk/ " -+ "user::other"; -+ -+ return simple_read_from_buffer(buf, size, ppos, matching, -+ sizeof(matching) - 1); ++ /* NOP */ +} + -+const struct file_operations aa_fs_matching_fops = { -+ .read = aa_matching_read, -+}; -+ -+/* apparmor/features */ -+static ssize_t aa_features_read(struct file *file, char __user *buf, -+ size_t size, loff_t *ppos) ++#endif /* __AA_NET_H */ +diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h +index aeda5cf..6776929 100644 +--- 
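Review bot: The kernel-doc block added for `struct aa_net` in security/apparmor/include/net.h documents members `@allowed`, `@audit_network` and `@quiet_network`, but the struct actually declares `allow`, `audit` and `quiet`, so the comment will not match the fields it describes; the three lines should read ` * @allow: basic network families permissions`, ` * @audit: which network permissions to force audit` and ` * @quiet: which network permissions to quiet rejects`. In the same new header, the `aa_net_perm` prototype takes `struct aa_profile *profile` while nothing visible in net.h declares that tag, and since policy.h includes net.h before its own `struct aa_profile` definition, the tag would be confined to prototype scope unless an earlier include already declares it — a `struct aa_profile;` forward declaration above the prototype would remove that doubt. The new-side content here is the updated kernel-apparmor.patch text itself, and the rest of this patch file (lsm.c socket hooks, net.c, policy_unpack.c) continues in the next hunk beyond what is shown.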
a/security/apparmor/include/policy.h ++++ b/security/apparmor/include/policy.h +@@ -27,6 +27,7 @@ + #include "capability.h" + #include "domain.h" + #include "file.h" ++#include "net.h" + #include "resource.h" + + extern const char *profile_mode_names[]; +@@ -145,6 +146,7 @@ struct aa_namespace { + * @size: the memory consumed by this profiles rules + * @file: The set of rules governing basic file access and domain transitions + * @caps: capabilities for the profile ++ * @net: network controls for the profile + * @rlimits: rlimits for the profile + * + * The AppArmor profile contains the basic confinement data. Each profile +@@ -181,6 +183,7 @@ struct aa_profile { + + struct aa_file_rules file; + struct aa_caps caps; ++ struct aa_net net; + struct aa_rlimit rlimits; + }; + +diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c +index cf1de44..324ab91 100644 +--- a/security/apparmor/lsm.c ++++ b/security/apparmor/lsm.c +@@ -31,6 +31,7 @@ + #include "include/context.h" + #include "include/file.h" + #include "include/ipc.h" ++#include "include/net.h" + #include "include/path.h" + #include "include/policy.h" + #include "include/procattr.h" +@@ -619,6 +620,104 @@ static int apparmor_task_setrlimit(struct task_struct *task, + return error; + } + ++static int apparmor_socket_create(int family, int type, int protocol, int kern) +{ -+ const char features[] = "file=3.1 capability=2.0 network=1.0 " -+ "change_hat=1.5 change_profile=1.1 " "aanamespaces=1.1 rlimit=1.1"; ++ struct aa_profile *profile; ++ int error = 0; + -+ return simple_read_from_buffer(buf, size, ppos, features, -+ sizeof(features) - 1); -+} ++ if (kern) ++ return 0; + -+const struct file_operations aa_fs_features_fops = { -+ .read = aa_features_read, -+}; ++ profile = __aa_current_profile(); ++ if (!unconfined(profile)) ++ error = aa_net_perm(OP_CREATE, profile, family, type, protocol, ++ NULL); ++ return error; ++} + -+/** -+ * __next_namespace - find the next namespace to list -+ * @root: root 
namespace to stop search at (NOT NULL) -+ * @ns: current ns position (NOT NULL) -+ * -+ * Find the next namespace from @ns under @root and handle all locking needed -+ * while switching current namespace. -+ * -+ * Returns: next namespace or NULL if at last namespace under @root -+ * NOTE: will not unlock root->lock -+ */ -+static struct aa_namespace *__next_namespace(struct aa_namespace *root, -+ struct aa_namespace *ns) ++static int apparmor_socket_bind(struct socket *sock, ++ struct sockaddr *address, int addrlen) +{ -+ struct aa_namespace *parent; -+ -+ /* is next namespace a child */ -+ if (!list_empty(&ns->sub_ns)) { -+ struct aa_namespace *next; -+ next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list); -+ read_lock(&next->lock); -+ return next; -+ } <<Diff was trimmed, longer than 597 lines>> ---- CVS-web: http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/kernel/kernel-apparmor.patch?r1=1.8&r2=1.9&f=u http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/kernel/kernel.spec?r1=1.841&r2=1.842&f=u _______________________________________________ pld-cvs-commit mailing list [email protected] http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
