commit d75b40d30104146bf463bd313b39b71675d6c884 Author: Arkadiusz MiĆkiewicz <ar...@maven.pl> Date: Thu Feb 1 09:33:05 2018 +0100
- use 4.15 patches ...d-base-infastructure-for-socket-mediation.patch | 63 ++++++++++------------ ....patch => 0002-apparmor-af_unix-mediation.patch | 19 +++---- kernel.spec | 6 +-- 3 files changed, 40 insertions(+), 48 deletions(-) --- diff --git a/kernel.spec b/kernel.spec index 37aad89d..8b490b3d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -216,9 +216,9 @@ Patch2000: kernel-small_fixes.patch Patch2001: kernel-pwc-uncompress.patch Patch2003: kernel-regressions.patch -# https://gitlab.com/apparmor/apparmor/tree/master/kernel-patches/v4.14 -Patch5001: 0012-apparmor-add-base-infastructure-for-socket-mediation.patch -Patch5002: 0001-UBUNTU-SAUCE-apparmor-af_unix-mediation.patch +# https://gitlab.com/apparmor/apparmor/tree/master/kernel-patches/v4.15 +Patch5001: 0001-apparmor-add-base-infastructure-for-socket-mediation.patch +Patch5002: 0002-apparmor-af_unix-mediation.patch # for rescuecd # based on ftp://ftp.leg.uct.ac.za/pub/linux/rip/tmpfs_root-2.6.30.diff.gz diff --git a/0012-apparmor-add-base-infastructure-for-socket-mediation.patch b/0001-apparmor-add-base-infastructure-for-socket-mediation.patch similarity index 96% rename from 0012-apparmor-add-base-infastructure-for-socket-mediation.patch rename to 0001-apparmor-add-base-infastructure-for-socket-mediation.patch index 5369c3ae..4fae1ca0 100644 --- a/0012-apparmor-add-base-infastructure-for-socket-mediation.patch +++ b/0001-apparmor-add-base-infastructure-for-socket-mediation.patch @@ -1,7 +1,7 @@ -From 853cbdfb6924857a2ee2a1cd5b9fa494f8e7efa2 Mon Sep 17 00:00:00 2001 +From 27d9aac1346ff7feb6a49bfb33510c2d79a41da7 Mon Sep 17 00:00:00 2001 From: John Johansen <john.johan...@canonical.com> Date: Tue, 18 Jul 2017 23:18:33 -0700 -Subject: [PATCH 12/17] apparmor: add base infastructure for socket mediation +Subject: [PATCH 1/2] apparmor: add base infastructure for socket mediation Provide a basic mediation of sockets. This is not a full net mediation but just whether a spcific family of socket can be used by an 
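Review bot: The provenance comment above Patch5001 still points at a moving branch (`tree/master/kernel-patches/v4.15`), so once that upstream directory changes again a reader cannot tell which apparmor revision these two vendored files were taken from. The renamed patch headers do carry commit ids (`From 27d9aac1346ff7feb6a49bfb33510c2d79a41da7` and `From 8f0a917911fe19f9911d972fe85c43243f7eaa37`), but those appear to identify the kernel tree the patches were exported from rather than the apparmor repository snapshot; recording a permalink instead, e.g. `# https://gitlab.com/apparmor/apparmor/tree/<apparmor-commit-or-tag>/kernel-patches/v4.15` with the real id filled in, would make the import reproducible and give the next rebase a fixed point to diff against. The Patch5001/Patch5002 filename changes themselves are consistent with the renames in this commit.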
@@ -32,13 +32,12 @@ eg. Signed-off-by: John Johansen <john.johan...@canonical.com> Acked-by: Seth Arnold <seth.arn...@canonical.com> -(cherry picked from commit 56387cbe3f287034ee6959cb9e8f419889e38bd9) --- security/apparmor/.gitignore | 1 + security/apparmor/Makefile | 43 ++++- security/apparmor/apparmorfs.c | 1 + security/apparmor/file.c | 30 +++ - security/apparmor/include/audit.h | 26 ++- + security/apparmor/include/audit.h | 16 +- security/apparmor/include/net.h | 114 +++++++++++ security/apparmor/include/perms.h | 5 +- security/apparmor/include/policy.h | 13 ++ @@ -46,7 +45,7 @@ Acked-by: Seth Arnold <seth.arn...@canonical.com> security/apparmor/lsm.c | 387 +++++++++++++++++++++++++++++++++++++ security/apparmor/net.c | 184 ++++++++++++++++++ security/apparmor/policy_unpack.c | 47 ++++- - 12 files changed, 840 insertions(+), 16 deletions(-) + 12 files changed, 834 insertions(+), 12 deletions(-) create mode 100644 security/apparmor/include/net.h create mode 100644 security/apparmor/net.c @@ -62,10 +61,10 @@ index 9cdec70d72b8..d5b291e94264 100644 capability_names.h rlim_names.h diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile -index 81a34426d024..dafdd387d42b 100644 +index 9a6b4033d52b..e7ff2183532a 100644 --- a/security/apparmor/Makefile +++ b/security/apparmor/Makefile -@@ -4,11 +4,44 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o +@@ -5,11 +5,44 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \ path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \ 
@@ -112,7 +111,7 @@ index 81a34426d024..dafdd387d42b 100644 # Build a lower case string table of capability names # Transforms lines from -@@ -61,6 +94,7 @@ cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \ +@@ -62,6 +95,7 @@ cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \ tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@ $(obj)/capability.o : $(obj)/capability_names.h @@ -120,7 +119,7 @@ index 81a34426d024..dafdd387d42b 100644 $(obj)/resource.o : $(obj)/rlim_names.h $(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \ $(src)/Makefile -@@ -68,3 +102,8 @@ $(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \ +@@ -69,3 +103,8 @@ $(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \ $(obj)/rlim_names.h : $(srctree)/include/uapi/asm-generic/resource.h \ $(src)/Makefile $(call cmd,make-rlim) @@ -130,7 +129,7 @@ index 81a34426d024..dafdd387d42b 100644 + $(call cmd,make-af) + $(call cmd,make-sock) diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c -index 7acea14c850b..125dad5c3fde 100644 +index d4fa04d91439..694c4f48a975 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -2202,6 +2202,7 @@ static struct aa_sfs_entry aa_sfs_entry_features[] = { @@ -142,7 +141,7 @@ index 7acea14c850b..125dad5c3fde 100644 AA_SFS_DIR("namespaces", aa_sfs_entry_ns), AA_SFS_FILE_U64("capability", VFS_CAP_FLAGS_MASK), diff --git a/security/apparmor/file.c b/security/apparmor/file.c -index 3382518b87fa..db80221891c6 100644 +index e79bf44396a3..86d57e56fabe 100644 --- a/security/apparmor/file.c +++ b/security/apparmor/file.c @@ -21,6 +21,7 @@ 
@@ -153,7 +152,7 @@ index 3382518b87fa..db80221891c6 100644 #include "include/path.h" #include "include/policy.h" #include "include/label.h" -@@ -566,6 +567,32 @@ static int __file_path_perm(const char *op, struct aa_label *label, +@@ -560,6 +561,32 @@ static int __file_path_perm(const char *op, struct aa_label *label, return error; } @@ -186,7 +185,7 @@ index 3382518b87fa..db80221891c6 100644 /** * aa_file_perm - do permission revalidation check & audit for @file * @op: operation being checked -@@ -610,6 +637,9 @@ int aa_file_perm(const char *op, struct aa_label *label, struct file *file, +@@ -604,6 +631,9 @@ int aa_file_perm(const char *op, struct aa_label *label, struct file *file, error = __file_path_perm(op, label, flabel, file, request, denied); @@ -197,40 +196,32 @@ index 3382518b87fa..db80221891c6 100644 rcu_read_unlock(); diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h -index 620e81169659..ff4316e1068d 100644 +index 4ac095118717..ff4316e1068d 100644 --- a/security/apparmor/include/audit.h +++ b/security/apparmor/include/audit.h -@@ -121,23 +121,29 @@ struct apparmor_audit_data { - /* these entries require a custom callback fn */ - struct { +@@ -123,10 +123,20 @@ struct apparmor_audit_data { struct aa_label *peer; -- union { -- struct { + union { + struct { - const char *target; -- kuid_t ouid; -- } fs; -- int signal; -- }; -+ union { -+ struct { -+ kuid_t ouid; + kuid_t ouid; + const char *target; -+ } fs; + } fs; + struct { + int type, protocol; + struct sock *peer_sk; + void *addr; + int addrlen; + } net; -+ int signal; + int signal; + struct { + int rlim; + unsigned long max; + } rlim; -+ }; + }; }; struct { - struct aa_profile *profile; +@@ -134,10 +144,6 @@ struct apparmor_audit_data { const char *ns; long pos; } iface; @@ -362,10 +353,10 @@ index 000000000000..140c8efcf364 + +#endif /* __AA_NET_H */ 
diff --git a/security/apparmor/include/perms.h b/security/apparmor/include/perms.h -index 2b27bb79aec4..af04d5a7d73d 100644 +index d7b7e7115160..38aa6247d00f 100644 --- a/security/apparmor/include/perms.h +++ b/security/apparmor/include/perms.h -@@ -135,9 +135,10 @@ extern struct aa_perms allperms; +@@ -138,9 +138,10 @@ extern struct aa_perms allperms; void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask); @@ -424,7 +415,7 @@ index 17fe41a9cac3..4364088a0b9e 100644 * aa_get_profile - increment refcount on profile @p * @p: profile (MAYBE NULL) diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c -index 08ca26bcca77..8818621b5d95 100644 +index 4d5e98e49d5e..068a9f471f77 100644 --- a/security/apparmor/lib.c +++ b/security/apparmor/lib.c @@ -211,7 +211,8 @@ void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask) @@ -447,7 +438,7 @@ index 08ca26bcca77..8818621b5d95 100644 char str[33]; diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c -index 4ad0b3a45142..cc5ab23a2d84 100644 +index 9a65eeaf7dfa..0cd717614fd0 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -33,6 +33,7 @@ @@ -1049,7 +1040,7 @@ index 000000000000..33d54435f8d6 + return aa_label_sk_perm(label, op, request, sock->sk); +} diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c -index 4ede87c30f8b..5a2aec358322 100644 +index 59a1a25b7d43..68b168e8f499 100644 --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c @@ -275,6 +275,19 @@ static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name) @@ -1121,5 +1112,5 @@ index 4ede87c30f8b..5a2aec358322 100644 /* generic policy dfa - optional and may be NULL */ info = "failed to unpack policydb"; -- -2.11.0 +2.14.1 
diff --git a/0001-UBUNTU-SAUCE-apparmor-af_unix-mediation.patch b/0002-apparmor-af_unix-mediation.patch similarity index 98% rename from 0001-UBUNTU-SAUCE-apparmor-af_unix-mediation.patch rename to 0002-apparmor-af_unix-mediation.patch index 5a1b2208..e01c72fc 100644 --- a/0001-UBUNTU-SAUCE-apparmor-af_unix-mediation.patch +++ b/0002-apparmor-af_unix-mediation.patch @@ -1,12 +1,13 @@ -From a3b0cb6676a04cdad5cc357bc422d0398083b435 Mon Sep 17 00:00:00 2001 +From 8f0a917911fe19f9911d972fe85c43243f7eaa37 Mon Sep 17 00:00:00 2001 From: John Johansen <john.johan...@canonical.com> Date: Tue, 18 Jul 2017 23:27:23 -0700 -Subject: [PATCH 17/17] UBUNTU: SAUCE: apparmor: af_unix mediation +Subject: [PATCH 2/2] apparmor: af_unix mediation af_socket mediation did not make it into 4.14 so add remaining out of tree patch Signed-off-by: John Johansen <john.johan...@canonical.com> +Signed-off-by: Seth Forshee <seth.fors...@canonical.com> --- security/apparmor/Makefile | 3 +- security/apparmor/af_unix.c | 651 ++++++++++++++++++++++++++++++++++++ @@ -23,10 +24,10 @@ Signed-off-by: John Johansen <john.johan...@canonical.com> create mode 100644 security/apparmor/include/af_unix.h diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile -index dafdd387d42b..ef39226ff4aa 100644 +index e7ff2183532a..90c118f39e13 100644 --- a/security/apparmor/Makefile +++ b/security/apparmor/Makefile -@@ -4,7 +4,8 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o +@@ -5,7 +5,8 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \ path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \ @@ -694,7 +695,7 @@ index 000000000000..c6876db2dbde + return error; +} diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c -index 125dad5c3fde..20cdb1c4b266 100644 +index 694c4f48a975..850c401502f1 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c 
@@ -2187,6 +2187,11 @@ static struct aa_sfs_entry aa_sfs_entry_ns[] = { @@ -718,7 +719,7 @@ index 125dad5c3fde..20cdb1c4b266 100644 { } }; diff --git a/security/apparmor/file.c b/security/apparmor/file.c -index db80221891c6..e62791106900 100644 +index 86d57e56fabe..348c9ff3da4e 100644 --- a/security/apparmor/file.c +++ b/security/apparmor/file.c @@ -16,6 +16,7 @@ @@ -729,7 +730,7 @@ index db80221891c6..e62791106900 100644 #include "include/apparmor.h" #include "include/audit.h" #include "include/context.h" -@@ -289,7 +290,8 @@ int __aa_path_perm(const char *op, struct aa_profile *profile, const char *name, +@@ -283,7 +284,8 @@ int __aa_path_perm(const char *op, struct aa_profile *profile, const char *name, { int e = 0; @@ -920,7 +921,7 @@ index 4364088a0b9e..26660a1a50b0 100644 if (!state) return 0; diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c -index cc5ab23a2d84..0ede66d80a53 100644 +index 0cd717614fd0..245c98ef311e 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -26,6 +26,7 @@ @@ -1390,5 +1391,5 @@ index 33d54435f8d6..dd1953b08e58 100644 + aa_label_sk_perm(label, op, request, sock->sk)); } -- -2.11.0 +2.14.1 ================================================================ ---- gitweb: http://git.pld-linux.org/gitweb.cgi/packages/kernel.git/commitdiff/d75b40d30104146bf463bd313b39b71675d6c884 _______________________________________________ pld-cvs-commit mailing list pld-cvs-commit@lists.pld-linux.org http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit