packages: kernel/kernel-apparmor.patch, kernel/kernel.spec - add missing fe...
arekm
arekm at pld-linux.org
Thu Oct 21 20:20:14 CEST 2010
Author: arekm Date: Thu Oct 21 18:20:14 2010 GMT
Module: packages Tag: HEAD
---- Log message:
- add missing features in 2.6.36 apparmor
---- Files affected:
packages/kernel:
kernel-apparmor.patch (1.8 -> 1.9) , kernel.spec (1.841 -> 1.842)
---- Diffs:
================================================================
Index: packages/kernel/kernel-apparmor.patch
diff -u packages/kernel/kernel-apparmor.patch:1.8 packages/kernel/kernel-apparmor.patch:1.9
--- packages/kernel/kernel-apparmor.patch:1.8 Thu Aug 5 21:52:26 2010
+++ packages/kernel/kernel-apparmor.patch Thu Oct 21 20:20:08 2010
@@ -1,392 +1,76 @@
-From 3f980257e048429a1f0a5dbce0b027a93c0781cc Mon Sep 17 00:00:00 2001
+From 6ab924a333c81d552eb92900509113bdf2fccb2e Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen at canonical.com>
-Date: Wed, 4 Aug 2010 04:42:50 -0700
-Subject: [PATCH] AppArmor: security module v2.6 + compat patches as of 29-07-2010 (security-next)
+Date: Mon, 4 Oct 2010 15:03:36 -0700
+Subject: [PATCH 1/3] AppArmor: compatibility patch for v5 network controll
-AppArmor v2.6 module as synced to security-next 29-07-2010 backported to
-2.6.35 + AppArmor 2.4 compatibility patches.
+Add compatibility for v5 network rules.
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
- Documentation/apparmor.txt | 40 +
- Documentation/kernel-parameters.txt | 8 +
- MAINTAINERS | 8 +
- include/linux/lsm_audit.h | 31 +
- security/Kconfig | 6 +
- security/Makefile | 2 +
- security/apparmor/.gitignore | 5 +
- security/apparmor/Kconfig | 40 +
- security/apparmor/Makefile | 30 +
- security/apparmor/apparmorfs-24.c | 287 +++++++
- security/apparmor/apparmorfs.c | 253 ++++++
- security/apparmor/audit.c | 215 ++++++
- security/apparmor/capability.c | 141 ++++
- security/apparmor/context.c | 216 ++++++
- security/apparmor/domain.c | 823 ++++++++++++++++++++
- security/apparmor/file.c | 457 +++++++++++
- security/apparmor/include/apparmor.h | 92 +++
- security/apparmor/include/apparmorfs.h | 26 +
- security/apparmor/include/audit.h | 123 +++
- security/apparmor/include/capability.h | 45 ++
- security/apparmor/include/context.h | 154 ++++
- security/apparmor/include/domain.h | 36 +
- security/apparmor/include/file.h | 217 ++++++
- security/apparmor/include/ipc.h | 28 +
- security/apparmor/include/match.h | 132 ++++
- security/apparmor/include/net.h | 40 +
- security/apparmor/include/path.h | 31 +
- security/apparmor/include/policy.h | 308 ++++++++
- security/apparmor/include/policy_unpack.h | 20 +
- security/apparmor/include/procattr.h | 26 +
- security/apparmor/include/resource.h | 46 ++
- security/apparmor/include/sid.h | 24 +
- security/apparmor/ipc.c | 114 +++
- security/apparmor/lib.c | 133 ++++
- security/apparmor/lsm.c | 1051 +++++++++++++++++++++++++
- security/apparmor/match.c | 370 +++++++++
- security/apparmor/net.c | 169 ++++
- security/apparmor/path.c | 235 ++++++
- security/apparmor/policy.c | 1185 +++++++++++++++++++++++++++++
- security/apparmor/policy_unpack.c | 740 ++++++++++++++++++
- security/apparmor/policy_unpack.c.rej | 11 +
- security/apparmor/procattr.c | 170 ++++
- security/apparmor/resource.c | 134 ++++
- security/apparmor/sid.c | 55 ++
- 44 files changed, 8277 insertions(+), 0 deletions(-)
- create mode 100644 Documentation/apparmor.txt
- create mode 100644 security/apparmor/.gitignore
- create mode 100644 security/apparmor/Kconfig
- create mode 100644 security/apparmor/Makefile
- create mode 100644 security/apparmor/apparmorfs-24.c
- create mode 100644 security/apparmor/apparmorfs.c
- create mode 100644 security/apparmor/audit.c
- create mode 100644 security/apparmor/capability.c
- create mode 100644 security/apparmor/context.c
- create mode 100644 security/apparmor/domain.c
- create mode 100644 security/apparmor/file.c
- create mode 100644 security/apparmor/include/apparmor.h
- create mode 100644 security/apparmor/include/apparmorfs.h
- create mode 100644 security/apparmor/include/audit.h
- create mode 100644 security/apparmor/include/capability.h
- create mode 100644 security/apparmor/include/context.h
- create mode 100644 security/apparmor/include/domain.h
- create mode 100644 security/apparmor/include/file.h
- create mode 100644 security/apparmor/include/ipc.h
- create mode 100644 security/apparmor/include/match.h
+ include/linux/lsm_audit.h | 4 +
+ security/apparmor/Makefile | 6 +-
+ security/apparmor/include/net.h | 40 +++++++++
+ security/apparmor/include/policy.h | 3 +
+ security/apparmor/lsm.c | 112 +++++++++++++++++++++++
+ security/apparmor/net.c | 170 ++++++++++++++++++++++++++++++++++++
+ security/apparmor/policy.c | 1 +
+ security/apparmor/policy_unpack.c | 48 ++++++++++-
+ 8 files changed, 382 insertions(+), 2 deletions(-)
create mode 100644 security/apparmor/include/net.h
- create mode 100644 security/apparmor/include/path.h
- create mode 100644 security/apparmor/include/policy.h
- create mode 100644 security/apparmor/include/policy_unpack.h
- create mode 100644 security/apparmor/include/procattr.h
- create mode 100644 security/apparmor/include/resource.h
- create mode 100644 security/apparmor/include/sid.h
- create mode 100644 security/apparmor/ipc.c
- create mode 100644 security/apparmor/lib.c
- create mode 100644 security/apparmor/lsm.c
- create mode 100644 security/apparmor/match.c
create mode 100644 security/apparmor/net.c
- create mode 100644 security/apparmor/path.c
- create mode 100644 security/apparmor/policy.c
- create mode 100644 security/apparmor/policy_unpack.c
- create mode 100644 security/apparmor/policy_unpack.c.rej
- create mode 100644 security/apparmor/procattr.c
- create mode 100644 security/apparmor/resource.c
- create mode 100644 security/apparmor/sid.c
-diff --git a/Documentation/apparmor.txt b/Documentation/apparmor.txt
-new file mode 100644
-index 0000000..6240438
---- /dev/null
-+++ b/Documentation/apparmor.txt
-@@ -0,0 +1,40 @@
-+--- What is AppArmor? ---
-+
-+AppArmor is MAC style security extension for the Linux kernel. It implements
-+a task centered policy, with task "profiles" being created and loaded
-+from user space. Tasks on the system that do not have a profile defined for
-+them run in an unconfined state which is equivalent to standard Linux DAC
-+permissions.
-+
-+--- How to enable/disable ---
-+
-+set CONFIG_SECURITY_APPARMOR=y
-+
-+If AppArmor should be selected as the default security module then
-+ set CONFIG_DEFAULT_SECURITY="apparmor"
-+ and CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
-+
-+Build the kernel
-+
-+If AppArmor is not the default security module it can be enabled by passing
-+security=apparmor on the kernel's command line.
-+
-+If AppArmor is the default security module it can be disabled by passing
-+apparmor=0, security=XXXX (where XXX is valid security module), on the
-+kernel's command line
-+
-+For AppArmor to enforce any restrictions beyond standard Linux DAC permissions
-+policy must be loaded into the kernel from user space (see the Documentation
-+and tools links).
-+
-+--- Documentation ---
-+
-+Documentation can be found on the wiki.
-+
-+--- Links ---
-+
-+Mailing List - apparmor at lists.ubuntu.com
-+Wiki - http://apparmor.wiki.kernel.org/
-+User space tools - https://launchpad.net/apparmor
-+Kernel module - git://git.kernel.org/pub/scm/linux/kernel/git/jj/apparmor-dev.git
-+
-diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
-index 2b2407d..b61f89f 100644
---- a/Documentation/kernel-parameters.txt
-+++ b/Documentation/kernel-parameters.txt
-@@ -93,6 +93,7 @@ parameter is applicable:
- Documentation/scsi/.
- SECURITY Different security models are enabled.
- SELINUX SELinux support is enabled.
-+ APPARMOR AppArmor support is enabled.
- SERIAL Serial support is enabled.
- SH SuperH architecture is enabled.
- SMP The kernel is an SMP kernel.
-@@ -2312,6 +2313,13 @@ and is between 256 and 4096 characters. It is defined in the file
- If enabled at boot time, /selinux/disable can be used
- later to disable prior to initial policy load.
-
-+ apparmor= [APPARMOR] Disable or enable AppArmor at boot time
-+ Format: { "0" | "1" }
-+ See security/apparmor/Kconfig help text
-+ 0 -- disable.
-+ 1 -- enable.
-+ Default value is set via kernel config option.
-+
- serialnumber [BUGS=X86-32]
-
- shapers= [NET]
-diff --git a/MAINTAINERS b/MAINTAINERS
-index 02f75fc..a8d5851 100644
---- a/MAINTAINERS
-+++ b/MAINTAINERS
-@@ -5061,6 +5061,14 @@ S: Supported
- F: include/linux/selinux*
- F: security/selinux/
-
-+APPARMOR SECURITY MODULE
-+M: John Johansen <john.johansen at canonical.com>
-+L: apparmor at lists.ubuntu.com (subscribers-only, general discussion)
-+W: apparmor.wiki.kernel.org
-+T: git git://git.kernel.org/pub/scm/linux/kernel/git/jj/apparmor-dev.git
-+S: Supported
-+F: security/apparmor/
-+
- SENSABLE PHANTOM
- M: Jiri Slaby <jirislaby at gmail.com>
- S: Maintained
diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
-index 6907251..3474e45 100644
+index 112a550..d5f3dd7 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
-@@ -94,6 +94,37 @@ struct common_audit_data {
- int result;
- } selinux_audit_data;
- #endif
-+#ifdef CONFIG_SECURITY_APPARMOR
-+ struct {
-+ int error;
-+ int op;
-+ int type;
-+ void *profile;
-+ const char *name;
-+ const char *info;
-+ union {
-+ void *target;
-+ struct {
-+ long pos;
-+ void *target;
-+ } iface;
-+ struct {
-+ int rlim;
-+ unsigned long max;
-+ } rlim;
-+ struct {
-+ const char *target;
-+ u32 request;
-+ u32 denied;
-+ uid_t ouid;
-+ } fs;
+@@ -123,6 +123,10 @@ struct common_audit_data {
+ u32 denied;
+ uid_t ouid;
+ } fs;
+ struct {
+ int type, protocol;
+ struct sock *sk;
+ } net;
-+ };
-+ } apparmor_audit_data;
-+#endif
- };
- /* these callback will be implemented by a specific LSM */
- void (*lsm_pre_audit)(struct audit_buffer *, void *);
-diff --git a/security/Kconfig b/security/Kconfig
-index 226b955..bd72ae6 100644
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -140,6 +140,7 @@ config LSM_MMAP_MIN_ADDR
- source security/selinux/Kconfig
- source security/smack/Kconfig
- source security/tomoyo/Kconfig
-+source security/apparmor/Kconfig
-
- source security/integrity/ima/Kconfig
-
-@@ -148,6 +149,7 @@ choice
- default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
- default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
- default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
-+ default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
- default DEFAULT_SECURITY_DAC
-
- help
-@@ -163,6 +165,9 @@ choice
- config DEFAULT_SECURITY_TOMOYO
- bool "TOMOYO" if SECURITY_TOMOYO=y
-
-+ config DEFAULT_SECURITY_APPARMOR
-+ bool "AppArmor" if SECURITY_APPARMOR=y
-+
- config DEFAULT_SECURITY_DAC
- bool "Unix Discretionary Access Controls"
+ };
+ } apparmor_audit_data;
+ #endif
+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
+index f204869..a9a1db0 100644
+--- a/security/apparmor/Makefile
++++ b/security/apparmor/Makefile
+@@ -4,17 +4,21 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
-@@ -173,6 +178,7 @@ config DEFAULT_SECURITY
- default "selinux" if DEFAULT_SECURITY_SELINUX
- default "smack" if DEFAULT_SECURITY_SMACK
- default "tomoyo" if DEFAULT_SECURITY_TOMOYO
-+ default "apparmor" if DEFAULT_SECURITY_APPARMOR
- default "" if DEFAULT_SECURITY_DAC
+ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+ path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
+- resource.o sid.o file.o
++ resource.o sid.o file.o net.o
- endmenu
-diff --git a/security/Makefile b/security/Makefile
-index da20a19..8bb0fe9 100644
---- a/security/Makefile
-+++ b/security/Makefile
-@@ -6,6 +6,7 @@ obj-$(CONFIG_KEYS) += keys/
- subdir-$(CONFIG_SECURITY_SELINUX) += selinux
- subdir-$(CONFIG_SECURITY_SMACK) += smack
- subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo
-+subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
+ clean-files: capability_names.h af_names.h
- # always enable default capabilities
- obj-y += commoncap.o
-@@ -19,6 +20,7 @@ obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
- obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o
- obj-$(CONFIG_AUDIT) += lsm_audit.o
- obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/built-in.o
-+obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/built-in.o
- obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
+ quiet_cmd_make-caps = GEN $@
+ cmd_make-caps = echo "static const char *capability_names[] = {" > $@ ; sed -n -e "/CAP_FS_MASK/d" -e "s/^\#define[ \\t]\\+CAP_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\$$/[\\2] = \"\\1\",/p" $< | tr A-Z a-z >> $@ ; echo "};" >> $@
- # Object integrity file lists
-diff --git a/security/apparmor/.gitignore b/security/apparmor/.gitignore
-new file mode 100644
-index 0000000..0a0a99f
---- /dev/null
-+++ b/security/apparmor/.gitignore
-@@ -0,0 +1,5 @@
-+#
-+# Generated include files
-+#
-+af_names.h
-+capability_names.h
-diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
-new file mode 100644
-index 0000000..fdf3022
---- /dev/null
-+++ b/security/apparmor/Kconfig
-@@ -0,0 +1,40 @@
-+config SECURITY_APPARMOR
-+ bool "AppArmor support"
-+ depends on SECURITY
-+ select AUDIT
-+ select SECURITY_PATH
-+ select SECURITYFS
-+ select SECURITY_NETWORK
-+ default n
-+ help
-+ This enables the AppArmor security module.
-+ Required userspace tools (if they are not included in your
-+ distribution) and further information may be found at
-+ http://apparmor.wiki.kernel.org
-+
-+ If you are unsure how to answer this question, answer N.
-+
-+config SECURITY_APPARMOR_BOOTPARAM_VALUE
-+ int "AppArmor boot parameter default value"
-+ depends on SECURITY_APPARMOR
-+ range 0 1
-+ default 1
-+ help
-+ This option sets the default value for the kernel parameter
-+ 'apparmor', which allows AppArmor to be enabled or disabled
-+ at boot. If this option is set to 0 (zero), the AppArmor
-+ kernel parameter will default to 0, disabling AppArmor at
-+ boot. If this option is set to 1 (one), the AppArmor
-+ kernel parameter will default to 1, enabling AppArmor at
-+ boot.
-+
-+ If you are unsure how to answer this question, answer 1.
-+
-+config SECURITY_APPARMOR_COMPAT_24
-+ bool "Enable AppArmor 2.4 compatability"
-+ depends on SECURITY_APPARMOR
-+ default y
-+ help
-+ This option enables compatability with AppArmor 2.4. It is
-+ recommended if compatability with older versions of AppArmor
-+ is desired.
-diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
-new file mode 100644
-index 0000000..e5e8968
---- /dev/null
-+++ b/security/apparmor/Makefile
-@@ -0,0 +1,30 @@
-+# Makefile for AppArmor Linux Security Module
-+#
-+obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
-+
-+apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
-+ path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
-+ resource.o sid.o file.o net.o
-+
-+apparmor-$(CONFIG_SECURITY_APPARMOR_COMPAT_24) += apparmorfs-24.o
-+
-+clean-files: capability_names.h af_names.h
-+
-+quiet_cmd_make-caps = GEN $@
-+cmd_make-caps = echo "static const char *capability_names[] = {" > $@ ; sed -n -e "/CAP_FS_MASK/d" -e "s/^\#define[ \\t]\\+CAP_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\$$/[\\2] = \"\\1\",/p" $< | tr A-Z a-z >> $@ ; echo "};" >> $@
-+
+quiet_cmd_make-af = GEN $@
+cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ; sed -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e "s/^\#define[ \\t]\\+AF_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/[\\2] = \"\\1\",/p" $< | tr A-Z a-z >> $@ ; echo "};" >> $@
+
-+quiet_cmd_make-rlim = GEN $@
-+cmd_make-rlim = echo "static const char *rlim_names[] = {" > $@ ; sed -n --e "/AF_MAX/d" -e "s/^\# \\?define[ \\t]\\+RLIMIT_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/[\\2] = \"\\1\",/p" $< | tr A-Z a-z >> $@ ; echo "};" >> $@ ; echo "static const int rlim_map[] = {" >> $@ ; sed -n -e "/AF_MAX/d" -e "s/^\# \\?define[ \\t]\\+\\(RLIMIT_[A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/\\1,/p" $< >> $@ ; echo "};" >> $@
-+
-+$(obj)/capability.o : $(obj)/capability_names.h
+ quiet_cmd_make-rlim = GEN $@
+ cmd_make-rlim = echo "static const char *rlim_names[] = {" > $@ ; sed -n --e "/AF_MAX/d" -e "s/^\# \\?define[ \\t]\\+RLIMIT_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/[\\2] = \"\\1\",/p" $< | tr A-Z a-z >> $@ ; echo "};" >> $@ ; echo "static const int rlim_map[] = {" >> $@ ; sed -n -e "/AF_MAX/d" -e "s/^\# \\?define[ \\t]\\+\\(RLIMIT_[A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/\\1,/p" $< >> $@ ; echo "};" >> $@
+
+ $(obj)/capability.o : $(obj)/capability_names.h
+$(obj)/net.o : $(obj)/af_names.h
-+$(obj)/resource.o : $(obj)/rlim_names.h
-+$(obj)/capability_names.h : $(srctree)/include/linux/capability.h
-+ $(call cmd,make-caps)
-+$(obj)/af_names.h : $(srctree)/include/linux/socket.h
-+ $(call cmd,make-af)
-+$(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h
-+ $(call cmd,make-rlim)
-diff --git a/security/apparmor/apparmorfs-24.c b/security/apparmor/apparmorfs-24.c
+ $(obj)/resource.o : $(obj)/rlim_names.h
+ $(obj)/capability_names.h : $(srctree)/include/linux/capability.h
+ $(call cmd,make-caps)
+diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
new file mode 100644
-index 0000000..dc8c744
+index 0000000..3c7d599
--- /dev/null
-+++ b/security/apparmor/apparmorfs-24.c
-@@ -0,0 +1,287 @@
++++ b/security/apparmor/include/net.h
+@@ -0,0 +1,40 @@
+/*
+ * AppArmor security module
+ *
-+ * This file contains AppArmor /sys/kernel/secrutiy/apparmor interface functions
++ * This file contains AppArmor network mediation definitions.
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
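Review bot: The kernel-doc block for `struct aa_net` in the new net.h documents members `@allowed`, `@audit_network` and `@quiet_network`, but the struct actually declares `allow`, `audit` and `quiet`, and the comment opens with `/*` instead of `/**`, so kernel-doc will not pick it up and a reader is sent looking for fields that do not exist. Change the opener to `/**` and the three tags to ` * @allow: basic network families permissions`, ` * @audit: which network permissions to force audit` and ` * @quiet: which network permissions to quiet rejects`. These arrays are sized AF_MAX and are indexed by the `family` value that `aa_net_perm` receives from the socket hooks; the implementation in net.c is outside this hunk, so confirm there that family is checked against AF_MAX before it is used as an index. Separately, the context line `clean-files: capability_names.h af_names.h` is a make rule rather than the `clean-files :=` assignment Kbuild expects, so the generated headers are presumably not removed on clean.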
@@ -395,7176 +79,209 @@
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
-+ *
-+ *
-+ * This file contain functions providing an interface for <= AppArmor 2.4
-+ * compatibility. It is dependent on CONFIG_SECURITY_APPARMOR_COMPAT_24
-+ * being set (see Makefile).
+ */
+
-+#include <linux/security.h>
-+#include <linux/vmalloc.h>
-+#include <linux/module.h>
-+#include <linux/seq_file.h>
-+#include <linux/uaccess.h>
-+#include <linux/namei.h>
++#ifndef __AA_NET_H
++#define __AA_NET_H
+
-+#include "include/apparmor.h"
-+#include "include/audit.h"
-+#include "include/context.h"
-+#include "include/policy.h"
++#include <net/sock.h>
++
++/* struct aa_net - network confinement data
++ * @allowed: basic network families permissions
++ * @audit_network: which network permissions to force audit
++ * @quiet_network: which network permissions to quiet rejects
++ */
++struct aa_net {
++ u16 allow[AF_MAX];
++ u16 audit[AF_MAX];
++ u16 quiet[AF_MAX];
++};
+
++extern int aa_net_perm(int op, struct aa_profile *profile, u16 family,
++ int type, int protocol, struct sock *sk);
++extern int aa_revalidate_sk(int op, struct sock *sk);
+
-+/* apparmor/matching */
-+static ssize_t aa_matching_read(struct file *file, char __user *buf,
-+ size_t size, loff_t *ppos)
++static inline void aa_free_net_rules(struct aa_net *new)
+{
-+ const char matching[] = "pattern=aadfa audit perms=crwxamlk/ "
-+ "user::other";
-+
-+ return simple_read_from_buffer(buf, size, ppos, matching,
-+ sizeof(matching) - 1);
++ /* NOP */
+}
+
-+const struct file_operations aa_fs_matching_fops = {
-+ .read = aa_matching_read,
-+};
-+
-+/* apparmor/features */
-+static ssize_t aa_features_read(struct file *file, char __user *buf,
-+ size_t size, loff_t *ppos)
++#endif /* __AA_NET_H */
+diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
+index aeda5cf..6776929 100644
+--- a/security/apparmor/include/policy.h
++++ b/security/apparmor/include/policy.h
+@@ -27,6 +27,7 @@
+ #include "capability.h"
+ #include "domain.h"
+ #include "file.h"
++#include "net.h"
+ #include "resource.h"
+
+ extern const char *profile_mode_names[];
+@@ -145,6 +146,7 @@ struct aa_namespace {
+ * @size: the memory consumed by this profiles rules
+ * @file: The set of rules governing basic file access and domain transitions
+ * @caps: capabilities for the profile
++ * @net: network controls for the profile
+ * @rlimits: rlimits for the profile
+ *
+ * The AppArmor profile contains the basic confinement data. Each profile
+@@ -181,6 +183,7 @@ struct aa_profile {
+
+ struct aa_file_rules file;
+ struct aa_caps caps;
++ struct aa_net net;
+ struct aa_rlimit rlimits;
+ };
+
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index cf1de44..324ab91 100644
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -31,6 +31,7 @@
+ #include "include/context.h"
+ #include "include/file.h"
+ #include "include/ipc.h"
++#include "include/net.h"
+ #include "include/path.h"
+ #include "include/policy.h"
+ #include "include/procattr.h"
+@@ -619,6 +620,104 @@ static int apparmor_task_setrlimit(struct task_struct *task,
+ return error;
+ }
+
++static int apparmor_socket_create(int family, int type, int protocol, int kern)
+{
-+ const char features[] = "file=3.1 capability=2.0 network=1.0 "
-+ "change_hat=1.5 change_profile=1.1 " "aanamespaces=1.1 rlimit=1.1";
++ struct aa_profile *profile;
++ int error = 0;
+
-+ return simple_read_from_buffer(buf, size, ppos, features,
-+ sizeof(features) - 1);
-+}
++ if (kern)
++ return 0;
+
-+const struct file_operations aa_fs_features_fops = {
-+ .read = aa_features_read,
-+};
++ profile = __aa_current_profile();
++ if (!unconfined(profile))
++ error = aa_net_perm(OP_CREATE, profile, family, type, protocol,
++ NULL);
++ return error;
++}
+
-+/**
-+ * __next_namespace - find the next namespace to list
-+ * @root: root namespace to stop search at (NOT NULL)
-+ * @ns: current ns position (NOT NULL)
-+ *
-+ * Find the next namespace from @ns under @root and handle all locking needed
-+ * while switching current namespace.
-+ *
-+ * Returns: next namespace or NULL if at last namespace under @root
-+ * NOTE: will not unlock root->lock
-+ */
-+static struct aa_namespace *__next_namespace(struct aa_namespace *root,
-+ struct aa_namespace *ns)
++static int apparmor_socket_bind(struct socket *sock,
++ struct sockaddr *address, int addrlen)
+{
-+ struct aa_namespace *parent;
-+
-+ /* is next namespace a child */
-+ if (!list_empty(&ns->sub_ns)) {
-+ struct aa_namespace *next;
-+ next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
-+ read_lock(&next->lock);
-+ return next;
-+ }
<<Diff was trimmed, longer than 597 lines>>
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/kernel/kernel-apparmor.patch?r1=1.8&r2=1.9&f=u
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/kernel/kernel.spec?r1=1.841&r2=1.842&f=u