SOURCES (LINUX_2_6_16): linux-2.6-apparmor.patch (NEW) - apparmor-...
zbyniu
zbyniu at pld-linux.org
Mon Dec 11 21:47:06 CET 2006
Author: zbyniu Date: Mon Dec 11 20:47:06 2006 GMT
Module: SOURCES Tag: LINUX_2_6_16
---- Log message:
- apparmor-2.6.16.29-v154-fullseries.patch
---- Files affected:
SOURCES:
linux-2.6-apparmor.patch (NONE -> 1.1.2.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/linux-2.6-apparmor.patch
diff -u /dev/null SOURCES/linux-2.6-apparmor.patch:1.1.2.1
--- /dev/null Mon Dec 11 21:47:06 2006
+++ SOURCES/linux-2.6-apparmor.patch Mon Dec 11 21:47:01 2006
@@ -0,0 +1,8223 @@
+ fs/namespace.c | 3
+ include/linux/audit.h | 5
+ include/linux/namespace.h | 3
+ kernel/audit.c | 12
+ security/Kconfig | 1
+ security/Makefile | 1
+ security/apparmor/Kbuild | 10
+ security/apparmor/Kconfig | 9
+ security/apparmor/Makefile | 25
+ security/apparmor/aamatch/Kbuild | 6
+ security/apparmor/aamatch/match.h | 137 ++
+ security/apparmor/aamatch/match_pcre.c | 169 ++
+ security/apparmor/aamatch/pcre_exec.c | 1945 ++++++++++++++++++++++++++++++++
+ security/apparmor/aamatch/pcre_exec.h | 308 +++++
+ security/apparmor/aamatch/pcre_tables.h | 184 +++
+ security/apparmor/apparmor.h | 302 ++++
+ security/apparmor/apparmor_version.c | 42
+ security/apparmor/apparmorfs.c | 440 +++++++
+ security/apparmor/capabilities.c | 54
+ security/apparmor/inline.h | 364 +++++
+ security/apparmor/list.c | 271 ++++
+ security/apparmor/lsm.c | 959 +++++++++++++++
+ security/apparmor/main.c | 1691 +++++++++++++++++++++++++++
+ security/apparmor/module_interface.c | 712 +++++++++++
+ security/apparmor/module_interface.h | 37
+ security/apparmor/procattr.c | 329 +++++
+ security/apparmor/shared.h | 47
+ 27 files changed, 8063 insertions(+), 3 deletions(-)
+
+--- linux-2.6.16.29.orig/fs/namespace.c 2006-10-12 21:11:17.000000000 -0700
++++ linux-2.6.16.29/fs/namespace.c 2006-10-12 21:11:14.000000000 -0700
+@@ -46,7 +46,8 @@ static int event;
+ static struct list_head *mount_hashtable;
+ static int hash_mask __read_mostly, hash_bits __read_mostly;
+ static kmem_cache_t *mnt_cache;
+-static struct rw_semaphore namespace_sem;
++struct rw_semaphore namespace_sem;
++EXPORT_SYMBOL_GPL(namespace_sem);
+
+ /* /sys/fs */
+ decl_subsys(fs, NULL, NULL);
+--- linux-2.6.16.29.orig/include/linux/audit.h 2006-10-12 21:11:17.000000000 -0700
++++ linux-2.6.16.29/include/linux/audit.h 2006-10-12 21:11:14.000000000 -0700
+@@ -73,6 +73,8 @@
+ #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
+ #define AUDIT_AVC_PATH 1402 /* dentry, vfsmount pair from avc */
+
++#define AUDIT_SD 1500 /* AppArmor (SubDomain) audit */
++
+ #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
+
+ /* Rule flags */
+@@ -265,6 +267,9 @@ extern void audit_log(struct audit_
+ __attribute__((format(printf,4,5)));
+
+ extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
++extern void audit_log_vformat(struct audit_buffer *ab,
++ const char *fmt, va_list args)
++ __attribute__((format(printf,2,0)));
+ extern void audit_log_format(struct audit_buffer *ab,
+ const char *fmt, ...)
+ __attribute__((format(printf,2,3)));
+--- linux-2.6.16.29.orig/include/linux/namespace.h 2006-10-12 21:11:17.000000000 -0700
++++ linux-2.6.16.29/include/linux/namespace.h 2006-10-12 21:11:14.000000000 -0700
+@@ -5,6 +5,9 @@
+ #include <linux/mount.h>
+ #include <linux/sched.h>
+
++/* exported for AppArmor (SubDomain) */
++extern struct rw_semaphore namespace_sem;
++
+ struct namespace {
+ atomic_t count;
+ struct vfsmount * root;
+--- linux-2.6.16.29.orig/kernel/audit.c 2006-10-12 21:11:17.000000000 -0700
++++ linux-2.6.16.29/kernel/audit.c 2006-10-12 21:11:14.000000000 -0700
+@@ -733,8 +733,8 @@ static inline int audit_expand(struct au
+ * room in the audit buffer, more room will be allocated and vsnprint
+ * will be called a second time. Currently, we assume that a printk
+ * can't format message larger than 1024 bytes, so we don't either. */
+-static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
+- va_list args)
++void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
++ va_list args)
+ {
+ int len, avail;
+ struct sk_buff *skb;
+@@ -895,3 +895,11 @@ void audit_log(struct audit_context *ctx
+ audit_log_end(ab);
+ }
+ }
++
++EXPORT_SYMBOL_GPL(audit_log_start);
++EXPORT_SYMBOL_GPL(audit_log_vformat);
++EXPORT_SYMBOL_GPL(audit_log_format);
++EXPORT_SYMBOL_GPL(audit_log_untrustedstring);
++EXPORT_SYMBOL_GPL(audit_log_d_path);
++EXPORT_SYMBOL_GPL(audit_log_end);
++EXPORT_SYMBOL_GPL(audit_log);
+--- linux-2.6.16.29.orig/security/apparmor/aamatch/Kbuild 1969-12-31 16:00:00.000000000 -0800
++++ linux-2.6.16.29/security/apparmor/aamatch/Kbuild 2006-10-12 21:11:15.000000000 -0700
+@@ -0,0 +1,6 @@
++# Makefile for AppArmor aamatch submodule
++#
++
++obj-$(CONFIG_SECURITY_APPARMOR) += aamatch_pcre.o
++
++aamatch_pcre-y := match_pcre.o pcre_exec.o
+--- linux-2.6.16.29.orig/security/apparmor/aamatch/match.h 1969-12-31 16:00:00.000000000 -0800
++++ linux-2.6.16.29/security/apparmor/aamatch/match.h 2006-10-12 21:11:15.000000000 -0700
+@@ -0,0 +1,137 @@
++/*
++ * Copyright (C) 2002-2005 Novell/SUSE
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ *
++ * AppArmor submodule (match) prototypes
++ */
++
++#ifndef __MATCH_H
++#define __MATCH_H
++
++#include "../module_interface.h"
++#include "../apparmor.h"
++
++/* The following functions implement an interface used by the primary
++ * AppArmor module to perform name matching (n.b. "AppArmor" was previously
++ * called "SubDomain").
++
++ * sdmatch_alloc
++ * sdmatch_free
++ * sdmatch_features
++ * sdmatch_serialize
++ * sdmatch_match
++ *
++ * The intent is for the primary module to export (via virtual fs entries)
++ * the features provided by the submodule (sdmatch_features) so that the
++ * parser may only load policy that can be supported.
++ *
++ * The primary module will call sdmatch_serialize to allow the submodule
++ * to consume submodule specific data from parser data stream and will call
++ * sdmatch_match to determine if a pathname matches an sd_entry.
++ */
++
++typedef int (*sdmatch_serializecb)
++ (struct sd_ext *, enum sd_code, void *, const char *);
++
++/**
++ * sdmatch_alloc: allocate extradata (if necessary)
++ * @entry_type: type of entry being allocated
++ * Return value: NULL indicates no data was allocated (ERR_PTR(x) on error)
++ */
++extern void* sdmatch_alloc(enum entry_t entry_type);
++
++/**
++ * sdmatch_free: release data allocated by sdmatch_alloc
++ * @entry_extradata: data previously allocated by sdmatch_alloc
++ */
++extern void sdmatch_free(void *entry_extradata);
++
++/**
++ * sdmatch_features: return match types supported
++ * Return value: space seperated string (of types supported - use type=value
++ * to indicate variants of a type)
++ */
++extern const char* sdmatch_features(void);
++
++/**
++ * sdmatch_serialize: serialize extradata
++ * @entry_extradata: data previously allocated by sdmatch_alloc
++ * @e: input stream
++ * @cb: callback fn (consume incoming data stream)
++ * Return value: 0 success, -ve error
++ */
++extern int sdmatch_serialize(void *entry_extradata, struct sd_ext *e,
++ sdmatch_serializecb cb);
++
++/**
++ * sdmatch_match: determine if pathname matches entry
++ * @pathname: pathname to verify
++ * @entry_name: entry name
++ * @entry_type: type of entry
++ * @entry_extradata: data previously allocated by sdmatch_alloc
++ * Return value: 1 match, 0 othersise
++ */
++extern unsigned int sdmatch_match(const char *pathname, const char *entry_name,
++ enum entry_t entry_type,
++ void *entry_extradata);
++
++
++/**
++ * sd_getentry_type - return string representation of entry_t
++ * @etype: entry type
++ */
++static inline const char *sd_getentry_type(enum entry_t etype)
++{
++ const char *etype_names[] = {
++ "sd_entry_literal",
++ "sd_entry_tailglob",
++ "sd_entry_pattern",
++ "sd_entry_invalid"
++ };
++
++ if (etype >= sd_entry_invalid) {
++ etype = sd_entry_invalid;
++ }
++
++ return etype_names[etype];
++}
++
++/**
++ * sdmatch_match_common - helper function to check if a pathname matches
++ * a literal/tailglob
++ * @path: path requested to search for
++ * @entry_name: name from sd_entry
++ * @etype: type of entry
++ */
++static inline int sdmatch_match_common(const char *path,
++ const char *entry_name,
++ enum entry_t etype)
++{
++ int retval;
++
++ /* literal, no pattern matching characters */
++ if (etype == sd_entry_literal) {
++ retval = (strcmp(entry_name, path) == 0);
++ /* trailing ** glob pattern */
++ } else if (etype == sd_entry_tailglob) {
++ retval = (strncmp(entry_name, path,
++ strlen(entry_name) - 2) == 0);
++ } else {
++ SD_WARN("%s: Invalid entry_t %d\n", __FUNCTION__, etype);
++ retval = 0;
++ }
++
++#if 0
++ SD_DEBUG("%s(%d): %s %s [%s]\n",
++ __FUNCTION__, retval, path, entry_name,
++ sd_getentry_type(etype));
++#endif
++
++ return retval;
++}
++
++#endif /* __MATCH_H */
+--- linux-2.6.16.29.orig/security/apparmor/aamatch/match_pcre.c 1969-12-31 16:00:00.000000000 -0800
++++ linux-2.6.16.29/security/apparmor/aamatch/match_pcre.c 2006-10-12 21:11:15.000000000 -0700
+@@ -0,0 +1,169 @@
++/*
++ * Copyright (C) 2002-2005 Novell/SUSE
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ *
++ * http://forge.novell.com/modules/xfmod/project/?apparmor
++ *
++ * AppArmor aamatch submodule (w/ pattern expansion).
++ *
++ * This module makes use of a slightly modified version of the PCRE
++ * library developed by Philip Hazel <ph10 at cam.ac.uk>. See the files
++ * pcre_* in this directory.
++ */
++
++#include <linux/module.h>
++#include "match.h"
++#include "pcre_exec.h"
++#include "pcre_tables.h"
++
++static const char *features="literal tailglob pattern=pcre";
++
++struct sdmatch_entry
++{
++ char *pattern;
++ pcre *compiled;
++};
++
++void* sdmatch_alloc(enum entry_t entry_type)
++{
++void *ptr=NULL;
++
++ if (entry_type == sd_entry_pattern) {
++ ptr = kmalloc(sizeof(struct sdmatch_entry), GFP_KERNEL);
++ if (ptr)
++ memset(ptr, 0, sizeof(struct sdmatch_entry));
++ else
++ ptr=ERR_PTR(-ENOMEM);
++ } else if (entry_type != sd_entry_literal &&
++ entry_type != sd_entry_tailglob) {
++ ptr = ERR_PTR(-EINVAL);
++ }
++
++ return ptr;
++}
++
++void sdmatch_free(void *ptr)
++{
++ if (ptr) {
++ struct sdmatch_entry *ed = (struct sdmatch_entry *) ptr;
++ kfree(ed->pattern);
++ kfree(ed->compiled); /* allocated by SD_READ_X */
++ }
++ kfree(ptr);
++}
++
++const char *sdmatch_features(void)
++{
++ return features;
++}
++
++int sdmatch_serialize(void *entry_extradata, struct sd_ext *e,
++ sdmatch_serializecb cb)
++{
++#define SD_READ_X(E, C, D, N) \
++ do { \
++ if (!cb((E), (C), (D), (N))) { \
++ error = -EINVAL; \
++ goto done; \
++ }\
++ } while (0)
++
++ int error = 0;
++ u32 size, magic, opts;
++ u8 t_char;
++ struct sdmatch_entry *ed = (struct sdmatch_entry *) entry_extradata;
++
++ if (ed == NULL)
++ goto done;
++
++ SD_READ_X(e, SD_DYN_STRING, &ed->pattern, NULL);
++
++ /* size determines the real size of the pcre struct,
++ it is size_t - sizeof(pcre) on user side.
++ uschar must be the same in user and kernel space */
++ /* check that we are processing the correct structure */
++ SD_READ_X(e, SD_STRUCT, NULL, "pcre");
++ SD_READ_X(e, SD_U32, &size, "pattern.size");
++ SD_READ_X(e, SD_U32, &magic, "pattern.magic");
++
++ /* the allocation of pcre is delayed because it depends on the size
++ * of the pattern */
++ ed->compiled = (pcre *) kmalloc(size + sizeof(pcre), GFP_KERNEL);
++ if (!ed->compiled) {
++ error = -ENOMEM;
++ goto done;
++ }
++
++ memset(ed->compiled, 0, size + sizeof(pcre));
++ ed->compiled->magic_number = magic;
++ ed->compiled->size = size + sizeof(pcre);
++
++ SD_READ_X(e, SD_U32, &opts, "pattern.options");
++ ed->compiled->options = opts;
++ SD_READ_X(e, SD_U16, &ed->compiled->top_bracket, "pattern.top_bracket");
++ SD_READ_X(e, SD_U16, &ed->compiled->top_backref, "pattern.top_backref");
++ SD_READ_X(e, SD_U8, &t_char, "pattern.first_char");
++ ed->compiled->first_char = t_char;
++ SD_READ_X(e, SD_U8, &t_char, "pattern.req_char");
++ ed->compiled->req_char = t_char;
++ SD_READ_X(e, SD_U8, &t_char, "pattern.code[0]");
++ ed->compiled->code[0] = t_char;
++
++ SD_READ_X(e, SD_STATIC_BLOB, &ed->compiled->code[1], NULL);
++
++ SD_READ_X(e, SD_STRUCTEND, NULL, NULL);
++
++ /* stitch in pcre patterns, it was NULLed out by parser
++ * pcre_default_tables defined in pcre_tables.h */
++ ed->compiled->tables = pcre_default_tables;
++
++done:
++ if (error != 0 && ed) {
++ kfree(ed->pattern); /* allocated by SD_READ_X */
++ kfree(ed->compiled);
++ ed->pattern = NULL;
++ ed->compiled = NULL;
++ }
++
++ return error;
++}
++
++unsigned int sdmatch_match(const char *pathname, const char *entry_name,
++ enum entry_t entry_type, void *entry_extradata)
++{
++ int ret;
++
++ if (entry_type == sd_entry_pattern) {
++ int pcreret;
++ struct sdmatch_entry *ed =
++ (struct sdmatch_entry *) entry_extradata;
++
++ pcreret = pcre_exec(ed->compiled, NULL,
++ pathname, strlen(pathname),
++ 0, 0, NULL, 0);
++
++ ret = (pcreret >= 0);
++
++ // XXX - this needs access to subdomain_debug, hmmm
++ //SD_DEBUG("%s(%d): %s %s %d\n", __FUNCTION__,
++ // ret, pathname, ed->pattern, pcreret);
++ } else {
++ ret = sdmatch_match_common(pathname, entry_name, entry_type);
++ }
++
++ return ret;
++}
++
++EXPORT_SYMBOL_GPL(sdmatch_alloc);
++EXPORT_SYMBOL_GPL(sdmatch_free);
++EXPORT_SYMBOL_GPL(sdmatch_features);
++EXPORT_SYMBOL_GPL(sdmatch_serialize);
++EXPORT_SYMBOL_GPL(sdmatch_match);
++
++MODULE_DESCRIPTION("AppArmor aa_match module [pcre]");
++MODULE_AUTHOR("Tony Jones <tonyj at suse.de>");
++MODULE_LICENSE("GPL");
+--- linux-2.6.16.29.orig/security/apparmor/aamatch/pcre_exec.c 1969-12-31 16:00:00.000000000 -0800
++++ linux-2.6.16.29/security/apparmor/aamatch/pcre_exec.c 2006-10-12 21:11:15.000000000 -0700
+@@ -0,0 +1,1945 @@
++/*
++ * This is a modified version of pcre.c containing only the code/data
++ * required to support pcre_exec()
++ */
++
++
++/*************************************************
++* Perl-Compatible Regular Expressions *
++*************************************************/
++
++/*
++This is a library of functions to support regular expressions whose syntax
++and semantics are as close as possible to those of the Perl 5 language. See
++the file Tech.Notes for some information on the internals.
++
++Written by: Philip Hazel <ph10 at cam.ac.uk>
++
++ Copyright (c) 1997-2001 University of Cambridge
++
++-----------------------------------------------------------------------------
++Permission is granted to anyone to use this software for any purpose on any
++computer system, and to redistribute it freely, subject to the following
++restrictions:
++
++1. This software is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
++
++2. The origin of this software must not be misrepresented, either by
++ explicit claim or by omission.
++
++3. Altered versions must be plainly marked as such, and must not be
++ misrepresented as being the original software.
++
++4. If PCRE is embedded in any software that is released under the GNU
++ General Purpose Licence (GPL), then the terms of that licence shall
++ supersede any condition above with which it is incompatible.
++-----------------------------------------------------------------------------
++*/
++
++
++/* Define DEBUG to get debugging output on stdout. */
++
++/* #define DEBUG */
++
++/* Use a macro for debugging printing, 'cause that eliminates the use of #ifdef
++inline, and there are *still* stupid compilers about that don't like indented
++pre-processor statements. I suppose it's only been 10 years... */
++
++#ifdef DEBUG
++#define DPRINTF(p) PCRE_PRINTF p
++#else
++#define DPRINTF(p) /*nothing*/
++#endif
++
++/* Include the internals header, which itself includes Standard C headers plus
++the external pcre header. */
++
++#include "pcre_exec.h"
++
++
++/* ---- CODE DELETED ---- */
++
++
++/* Min and max values for the common repeats; for the maxima, 0 => infinity */
++
++static const char rep_min[] = { 0, 0, 1, 1, 0, 0 };
++static const char rep_max[] = { 0, 0, 0, 0, 1, 1 };
++
++
++/* ---- CODE DELETED ---- */
++
++
++/* Structure for building a chain of data that actually lives on the
++ * stack, for holding the values of the subject pointer at the start of each
++ * subpattern, so as to detect when an empty string has been matched by a
++ * subpattern - to break infinite loops. */
++
++typedef struct eptrblock {
++ struct eptrblock *prev;
++ const uschar *saved_eptr;
++} eptrblock;
++
++/* Flag bits for the match() function */
++
++#define match_condassert 0x01 /* Called to check a condition assertion */
++#define match_isgroup 0x02 /* Set if start of bracketed group */
++
++
++/* ---- CODE DELETED ---- */
++
++
++/*************************************************
++ * * Global variables *
++ * *************************************************/
++
++/* PCRE is thread-clean and doesn't use any global variables in the normal
++ * sense. However, it calls memory allocation and free functions via the two
++ * indirections below, which are can be changed by the caller, but are shared
++ * between all threads. */
++
++#ifdef __KERNEL__
++static void *kern_malloc(size_t sz)
++{
++ return kmalloc(sz, GFP_KERNEL);
++}
++void *(*pcre_malloc)(size_t) = kern_malloc;
++void (*pcre_free)(const void *) = kfree;
++#else
++void *(*pcre_malloc)(size_t) = malloc;
++void (*pcre_free)(const void *) = free;
++#endif
++
++
++/*************************************************
++ * * Macros and tables for character handling *
++ * *************************************************/
++
++/* When UTF-8 encoding is being used, a character is no longer just a single
++ * byte. The macros for character handling generate simple sequences when used in
++ * byte-mode, and more complicated ones for UTF-8 characters. */
++
++#ifndef SUPPORT_UTF8
++#define GETCHARINC(c, eptr) c = *eptr++;
++#define GETCHARLEN(c, eptr, len) c = *eptr;
++#define BACKCHAR(eptr)
++#endif
++
++/* ---- CODE DELETED ---- */
++
++#ifdef DEBUG
++/*************************************************
++* Debugging function to print chars *
++*************************************************/
++
++/* Print a sequence of chars in printable format, stopping at the end of the
++subject if the requested.
++
++Arguments:
++ p points to characters
++ length number to print
++ is_subject TRUE if printing from within md->start_subject
++ md pointer to matching data block, if is_subject is TRUE
++
++Returns: nothing
++*/
++
++static void
++pchars(const uschar *p, int length, BOOL is_subject, match_data *md)
++{
++int c;
++if (is_subject && length > md->end_subject - p) length = md->end_subject - p;
++while (length-- > 0)
++ if (isprint(c = *(p++))) PCRE_PRINTF("%c", c); else PCRE_PRINTF("\\x%02x", c);
++}
++#endif /* DEBUG */
++
++/* ---- CODE DELETED ---- */
++
++
++/*************************************************
++* Match a back-reference *
++*************************************************/
++
++/* If a back reference hasn't been set, the length that is passed is greater
++than the number of characters left in the string, so the match fails.
++
++Arguments:
<<Diff was trimmed, longer than 597 lines>>
More information about the pld-cvs-commit
mailing list