packages: kernel/kernel-apparmor.patch, kernel/kernel-vserver-2.3.patch, ke...
arekm
arekm at pld-linux.org
Tue May 22 09:21:43 CEST 2012
Author: arekm Date: Tue May 22 07:21:42 2012 GMT
Module: packages Tag: HEAD
---- Log message:
- apparmor (2.8) and vserver (2.3.3.4) update
---- Files affected:
packages/kernel:
kernel-apparmor.patch (1.15 -> 1.16) , kernel-vserver-2.3.patch (1.94 -> 1.95) , kernel.spec (1.1047 -> 1.1048)
---- Diffs:
================================================================
Index: packages/kernel/kernel-apparmor.patch
diff -u packages/kernel/kernel-apparmor.patch:1.15 packages/kernel/kernel-apparmor.patch:1.16
--- packages/kernel/kernel-apparmor.patch:1.15 Mon Aug 29 21:07:37 2011
+++ packages/kernel/kernel-apparmor.patch Tue May 22 09:21:36 2012
@@ -1,41 +1,289 @@
-From 0ae314bc92d8b22250f04f85e4bd36ee9ed30890 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen at canonical.com>
-Date: Mon, 4 Oct 2010 15:03:36 -0700
-Subject: [PATCH 1/3] AppArmor: compatibility patch for v5 network controll
+Date: Thu, 22 Jul 2010 09:32:02 +0000 (-0700)
+Subject: UBUNTU: SAUCE: AppArmor: Add profile introspection file to interface
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fjj%2Flinux-apparmor.git;a=commitdiff_plain;h=8de755e4dfdbc40bfcaca848ae6b5aeaf0ede0e8
-Add compatibility for v5 network rules.
+UBUNTU: SAUCE: AppArmor: Add profile introspection file to interface
+
+Add the dynamic profiles file to the interace, to allow load policy
+introspection.
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+Acked-by: Kees Cook <kees at ubuntu.com>
+Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
+---
+
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 16c15ec..89bdc62 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -182,6 +182,232 @@ const struct file_operations aa_fs_seq_file_ops = {
+ .release = single_release,
+ };
+
++/**
++ * __next_namespace - find the next namespace to list
++ * @root: root namespace to stop search at (NOT NULL)
++ * @ns: current ns position (NOT NULL)
++ *
++ * Find the next namespace from @ns under @root and handle all locking needed
++ * while switching current namespace.
++ *
++ * Returns: next namespace or NULL if at last namespace under @root
++ * NOTE: will not unlock root->lock
++ */
++static struct aa_namespace *__next_namespace(struct aa_namespace *root,
++ struct aa_namespace *ns)
++{
++ struct aa_namespace *parent;
++
++ /* is next namespace a child */
++ if (!list_empty(&ns->sub_ns)) {
++ struct aa_namespace *next;
++ next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
++ read_lock(&next->lock);
++ return next;
++ }
++
++ /* check if the next ns is a sibling, parent, gp, .. */
++ parent = ns->parent;
++ while (parent) {
++ read_unlock(&ns->lock);
++ list_for_each_entry_continue(ns, &parent->sub_ns, base.list) {
++ read_lock(&ns->lock);
++ return ns;
++ }
++ if (parent == root)
++ return NULL;
++ ns = parent;
++ parent = parent->parent;
++ }
++
++ return NULL;
++}
++
++/**
++ * __first_profile - find the first profile in a namespace
++ * @root: namespace that is root of profiles being displayed (NOT NULL)
++ * @ns: namespace to start in (NOT NULL)
++ *
++ * Returns: unrefcounted profile or NULL if no profile
++ */
++static struct aa_profile *__first_profile(struct aa_namespace *root,
++ struct aa_namespace *ns)
++{
++ for ( ; ns; ns = __next_namespace(root, ns)) {
++ if (!list_empty(&ns->base.profiles))
++ return list_first_entry(&ns->base.profiles,
++ struct aa_profile, base.list);
++ }
++ return NULL;
++}
++
++/**
++ * __next_profile - step to the next profile in a profile tree
++ * @profile: current profile in tree (NOT NULL)
++ *
++ * Perform a depth first taversal on the profile tree in a namespace
++ *
++ * Returns: next profile or NULL if done
++ * Requires: profile->ns.lock to be held
++ */
++static struct aa_profile *__next_profile(struct aa_profile *p)
++{
++ struct aa_profile *parent;
++ struct aa_namespace *ns = p->ns;
++
++ /* is next profile a child */
++ if (!list_empty(&p->base.profiles))
++ return list_first_entry(&p->base.profiles, typeof(*p),
++ base.list);
++
++ /* is next profile a sibling, parent sibling, gp, subling, .. */
++ parent = p->parent;
++ while (parent) {
++ list_for_each_entry_continue(p, &parent->base.profiles,
++ base.list)
++ return p;
++ p = parent;
++ parent = parent->parent;
++ }
++
++ /* is next another profile in the namespace */
++ list_for_each_entry_continue(p, &ns->base.profiles, base.list)
++ return p;
++
++ return NULL;
++}
++
++/**
++ * next_profile - step to the next profile in where ever it may be
++ * @root: root namespace (NOT NULL)
++ * @profile: current profile (NOT NULL)
++ *
++ * Returns: next profile or NULL if there isn't one
++ */
++static struct aa_profile *next_profile(struct aa_namespace *root,
++ struct aa_profile *profile)
++{
++ struct aa_profile *next = __next_profile(profile);
++ if (next)
++ return next;
++
++ /* finished all profiles in namespace move to next namespace */
++ return __first_profile(root, __next_namespace(root, profile->ns));
++}
++
++/**
++ * p_start - start a depth first traversal of profile tree
++ * @f: seq_file to fill
++ * @pos: current position
++ *
++ * Returns: first profile under current namespace or NULL if none found
++ *
++ * acquires first ns->lock
++ */
++static void *p_start(struct seq_file *f, loff_t *pos)
++ __acquires(root->lock)
++{
++ struct aa_profile *profile = NULL;
++ struct aa_namespace *root = aa_current_profile()->ns;
++ loff_t l = *pos;
++ f->private = aa_get_namespace(root);
++
++
++ /* find the first profile */
++ read_lock(&root->lock);
++ profile = __first_profile(root, root);
++
++ /* skip to position */
++ for (; profile && l > 0; l--)
++ profile = next_profile(root, profile);
++
++ return profile;
++}
++
++/**
++ * p_next - read the next profile entry
++ * @f: seq_file to fill
++ * @p: profile previously returned
++ * @pos: current position
++ *
++ * Returns: next profile after @p or NULL if none
++ *
++ * may acquire/release locks in namespace tree as necessary
++ */
++static void *p_next(struct seq_file *f, void *p, loff_t *pos)
++{
++ struct aa_profile *profile = p;
++ struct aa_namespace *root = f->private;
++ (*pos)++;
++
++ return next_profile(root, profile);
++}
++
++/**
++ * p_stop - stop depth first traversal
++ * @f: seq_file we are filling
++ * @p: the last profile writen
++ *
++ * Release all locking done by p_start/p_next on namespace tree
++ */
++static void p_stop(struct seq_file *f, void *p)
++ __releases(root->lock)
++{
++ struct aa_profile *profile = p;
++ struct aa_namespace *root = f->private, *ns;
++
++ if (profile) {
++ for (ns = profile->ns; ns && ns != root; ns = ns->parent)
++ read_unlock(&ns->lock);
++ }
++ read_unlock(&root->lock);
++ aa_put_namespace(root);
++}
++
++/**
++ * seq_show_profile - show a profile entry
++ * @f: seq_file to file
++ * @p: current position (profile) (NOT NULL)
++ *
++ * Returns: error on failure
++ */
++static int seq_show_profile(struct seq_file *f, void *p)
++{
++ struct aa_profile *profile = (struct aa_profile *)p;
++ struct aa_namespace *root = f->private;
++
++ if (profile->ns != root)
++ seq_printf(f, ":%s://", aa_ns_name(root, profile->ns));
++ seq_printf(f, "%s (%s)\n", profile->base.hname,
++ COMPLAIN_MODE(profile) ? "complain" : "enforce");
++
++ return 0;
++}
++
++static const struct seq_operations aa_fs_profiles_op = {
++ .start = p_start,
++ .next = p_next,
++ .stop = p_stop,
++ .show = seq_show_profile,
++};
++
++static int profiles_open(struct inode *inode, struct file *file)
++{
++ return seq_open(file, &aa_fs_profiles_op);
++}
++
++static int profiles_release(struct inode *inode, struct file *file)
++{
++ return seq_release(inode, file);
++}
++
++const struct file_operations aa_fs_profiles_fops = {
++ .open = profiles_open,
++ .read = seq_read,
++ .llseek = seq_lseek,
++ .release = profiles_release,
++};
++
+ /** Base file system setup **/
+
+ static struct aa_fs_entry aa_fs_entry_file[] = {
+@@ -210,6 +436,7 @@ static struct aa_fs_entry aa_fs_entry_apparmor[] = {
+ AA_FS_FILE_FOPS(".load", 0640, &aa_fs_profile_load),
+ AA_FS_FILE_FOPS(".replace", 0640, &aa_fs_profile_replace),
+ AA_FS_FILE_FOPS(".remove", 0640, &aa_fs_profile_remove),
++ AA_FS_FILE_FOPS("profiles", 0640, &aa_fs_profiles_fops),
+ AA_FS_DIR("features", aa_fs_entry_features),
+ { }
+ };
+From: John Johansen <john.johansen at canonical.com>
+Date: Mon, 4 Oct 2010 22:03:36 +0000 (-0700)
+Subject: UBUNTU: SAUCE: AppArmor: basic networking rules
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fjj%2Flinux-apparmor.git;a=commitdiff_plain;h=423e2cb454d75d6185eecd0c1b5cf6ccc2d8482d
+
+UBUNTU: SAUCE: AppArmor: basic networking rules
+
+Base support for network mediation.
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
- include/linux/lsm_audit.h | 4 +
- security/apparmor/Makefile | 19 ++++-
- security/apparmor/include/net.h | 40 +++++++++
- security/apparmor/include/policy.h | 3 +
- security/apparmor/lsm.c | 112 +++++++++++++++++++++++
- security/apparmor/net.c | 170 ++++++++++++++++++++++++++++++++++++
- security/apparmor/policy.c | 1 +
- security/apparmor/policy_unpack.c | 48 ++++++++++-
- 8 files changed, 394 insertions(+), 3 deletions(-)
- create mode 100644 security/apparmor/include/net.h
- create mode 100644 security/apparmor/net.c
-
-diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
-index 112a550..d5f3dd7 100644
---- a/include/linux/lsm_audit.h
-+++ b/include/linux/lsm_audit.h
-@@ -123,6 +123,10 @@ struct common_audit_data {
- u32 denied;
- uid_t ouid;
- } fs;
-+ struct {
-+ int type, protocol;
-+ struct sock *sk;
-+ } net;
- };
- } apparmor_audit_data;
- #endif
+
+diff --git a/security/apparmor/.gitignore b/security/apparmor/.gitignore
+index 4d995ae..d5b291e 100644
+--- a/security/apparmor/.gitignore
++++ b/security/apparmor/.gitignore
+@@ -1,6 +1,6 @@
+ #
+ # Generated include files
+ #
+-af_names.h
++net_names.h
+ capability_names.h
+ rlim_names.h
diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
-index 2dafe50..7cefef9 100644
+index 806bd19..19daa85 100644
--- a/security/apparmor/Makefile
+++ b/security/apparmor/Makefile
@@ -4,9 +4,9 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
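Review bot: `__next_namespace` in the new apparmorfs.c code can walk out of @root and unbalance the namespace locks when it is entered with ns == root and root itself has a parent: the `while (parent)` loop first does `read_unlock(&ns->lock)` on root and then continues through root's siblings in `parent->sub_ns`, so the `profiles` file would list profiles outside the reader's namespace and `p_stop` would later `read_unlock(&root->lock)` a second time, while the `if (parent == root) return NULL;` test only fires one level too late. This is reachable through `p_start`, which seeds the walk with `__first_profile(root, root)` and `root = aa_current_profile()->ns`, whenever that namespace is not the top-level one (inferred from `ns->parent`; confirm that confined tasks can live in a child namespace). Looping on the position instead of the parent pointer fixes it: change `while (parent) {` to `while (ns != root) {` and drop the `if (parent == root)` / `return NULL;` pair, which the new loop condition subsumes. On the ns == root entry the function then returns NULL with root->lock still held, which is what the kernel-doc line `NOTE: will not unlock root->lock` promises and what `p_stop` relies on.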
@@ -46,49 +294,106 @@
+ resource.o sid.o file.o net.o
-clean-files := capability_names.h rlim_names.h
-+clean-files := capability_names.h rlim_names.h af_names.h
++clean-files := capability_names.h rlim_names.h net_names.h
# Build a lower case string table of capability names
-@@ -44,9 +44,24 @@ cmd_make-rlim = echo "static const char *rlim_names[] = {" > $@ ;\
- sed -r -n "s/^\# ?define[ \t]+(RLIMIT_[A-Z0-9_]+).*/\1,/p" $< >> $@ ;\
+@@ -20,6 +20,38 @@ cmd_make-caps = echo "static const char *const capability_names[] = {" > $@ ;\
+ -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/[\2] = "\L\1",/p';\
echo "};" >> $@
-+# Build a lower case string table of address family names.
++# Build a lower case string table of address family names
+# Transform lines from
-+# #define AF_INET 2 /* Internet IP Protocol */
++# define AF_LOCAL 1 /* POSIX name for AF_UNIX */
++# #define AF_INET 2 /* Internet IP Protocol */
+# to
-+# [2] = "inet",
++# [1] = "local",
++# [2] = "inet",
++#
++# and build the securityfs entries for the mapping.
++# Transforms lines from
++# #define AF_INET 2 /* Internet IP Protocol */
++# to
++# #define AA_FS_AF_MASK "local inet"
+quiet_cmd_make-af = GEN $@
+cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\
-+ sed $< >> $@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e \
-+ 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+).*/[\2] = "\L\1",/p';\
-+ echo "};" >> $@
-+
++ sed $< >>$@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e \
++ 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\
++ echo "};" >> $@ ;\
++ echo -n '\#define AA_FS_AF_MASK "' >> $@ ;\
++ sed -r -n 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/\L\1/p'\
++ $< | tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
+
++# Build a lower case string table of sock type names
++# Transform lines from
++# SOCK_STREAM = 1,
++# to
++# [1] = "stream",
++quiet_cmd_make-sock = GEN $@
++cmd_make-sock = echo "static const char *sock_type_names[] = {" >> $@ ;\
++ sed $^ >>$@ -r -n \
++ -e 's/^\tSOCK_([A-Z0-9_]+)[\t]+=[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\
++ echo "};" >> $@
+
+ # Build a lower case string table of rlimit names.
+ # Transforms lines from
+@@ -56,6 +88,7 @@ cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \
+ tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
+
$(obj)/capability.o : $(obj)/capability_names.h
++$(obj)/net.o : $(obj)/net_names.h
$(obj)/resource.o : $(obj)/rlim_names.h
-+$(obj)/net.o : $(obj)/af_names.h
- $(obj)/capability_names.h : $(srctree)/include/linux/capability.h
- $(call cmd,make-caps)
- $(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h
+ $(obj)/capability_names.h : $(srctree)/include/linux/capability.h \
+ $(src)/Makefile
+@@ -63,3 +96,8 @@ $(obj)/capability_names.h : $(srctree)/include/linux/capability.h \
+ $(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h \
+ $(src)/Makefile
$(call cmd,make-rlim)
-+$(obj)/af_names.h : $(srctree)/include/linux/socket.h
++$(obj)/net_names.h : $(srctree)/include/linux/socket.h \
++ $(srctree)/include/linux/net.h \
++ $(src)/Makefile
+ $(call cmd,make-af)
-\ No newline at end of file
++ $(call cmd,make-sock)
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 89bdc62..c66315d 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -427,6 +427,7 @@ static struct aa_fs_entry aa_fs_entry_domain[] = {
+ static struct aa_fs_entry aa_fs_entry_features[] = {
+ AA_FS_DIR("domain", aa_fs_entry_domain),
+ AA_FS_DIR("file", aa_fs_entry_file),
++ AA_FS_DIR("network", aa_fs_entry_network),
+ AA_FS_FILE_U64("capability", VFS_CAP_FLAGS_MASK),
+ AA_FS_DIR("rlimit", aa_fs_entry_rlimit),
+ { }
+diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
+index 3868b1e..c1ff09c 100644
+--- a/security/apparmor/include/audit.h
++++ b/security/apparmor/include/audit.h
+@@ -126,6 +126,10 @@ struct apparmor_audit_data {
+ u32 denied;
+ uid_t ouid;
+ } fs;
++ struct {
++ int type, protocol;
++ struct sock *sk;
++ } net;
+ };
+ };
+
diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
new file mode 100644
-index 0000000..3c7d599
+index 0000000..cb8a121
--- /dev/null
+++ b/security/apparmor/include/net.h
-@@ -0,0 +1,40 @@
+@@ -0,0 +1,44 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor network mediation definitions.
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
-+ * Copyright 2009-2010 Canonical Ltd.
++ * Copyright 2009-2012 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
@@ -101,6 +406,8 @@
+
+#include <net/sock.h>
+
++#include "apparmorfs.h"
++
+/* struct aa_net - network confinement data
+ * @allowed: basic network families permissions
+ * @audit_network: which network permissions to force audit
@@ -112,6 +419,8 @@
+ u16 quiet[AF_MAX];
+};
+
++extern struct aa_fs_entry aa_fs_entry_network[];
++
+extern int aa_net_perm(int op, struct aa_profile *profile, u16 family,
+ int type, int protocol, struct sock *sk);
+extern int aa_revalidate_sk(int op, struct sock *sk);
@@ -123,7 +432,7 @@
+
+#endif /* __AA_NET_H */
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
-index aeda5cf..6776929 100644
+index bda4569..eb13a73 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -27,6 +27,7 @@
@@ -133,17 +442,17 @@
+#include "net.h"
#include "resource.h"
- extern const char *profile_mode_names[];
-@@ -145,6 +146,7 @@ struct aa_namespace {
- * @size: the memory consumed by this profiles rules
+ extern const char *const profile_mode_names[];
+@@ -157,6 +158,7 @@ struct aa_policydb {
+ * @policy: general match rules governing policy
* @file: The set of rules governing basic file access and domain transitions
* @caps: capabilities for the profile
+ * @net: network controls for the profile
* @rlimits: rlimits for the profile
*
* The AppArmor profile contains the basic confinement data. Each profile
-@@ -181,6 +183,7 @@ struct aa_profile {
-
+@@ -194,6 +196,7 @@ struct aa_profile {
+ struct aa_policydb policy;
struct aa_file_rules file;
struct aa_caps caps;
+ struct aa_net net;
@@ -151,7 +460,7 @@
};
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
-index ae3a698..05c018b 100644
+index ad05d39..3cde194 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -32,6 +32,7 @@
@@ -162,7 +471,7 @@
#include "include/path.h"
#include "include/policy.h"
#include "include/procattr.h"
-@@ -610,5 +611,103 @@ static int apparmor_task_setrlimit(struct task_struct *task,
+@@ -622,6 +623,104 @@ static int apparmor_task_setrlimit(struct task_struct *task,
return error;
}
@@ -264,9 +573,10 @@
+ return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
+}
+
- static int apparmor_task_setrlimit(struct task_struct *task,
- unsigned int resource, struct rlimit *new_rlim)
-@@ -651,6 +750,19 @@ static struct security_operations apparmor_ops = {
+ static struct security_operations apparmor_ops = {
+ .name = "apparmor",
+
+@@ -653,6 +752,19 @@ static struct security_operations apparmor_ops = {
.getprocattr = apparmor_getprocattr,
.setprocattr = apparmor_setprocattr,
@@ -288,17 +598,17 @@
.cred_prepare = apparmor_cred_prepare,
diff --git a/security/apparmor/net.c b/security/apparmor/net.c
new file mode 100644
-index 0000000..1765901
+index 0000000..084232b
--- /dev/null
+++ b/security/apparmor/net.c
-@@ -0,0 +1,170 @@
+@@ -0,0 +1,162 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor network mediation
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
-+ * Copyright 2009-2010 Canonical Ltd.
++ * Copyright 2009-2012 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
@@ -312,20 +622,11 @@
+#include "include/net.h"
+#include "include/policy.h"
+
-+#include "af_names.h"
++#include "net_names.h"
+
-+static const char *sock_type_names[] = {
-+ "unknown(0)",
-+ "stream",
-+ "dgram",
-+ "raw",
-+ "rdm",
-+ "seqpacket",
-+ "dccp",
-+ "unknown(7)",
-+ "unknown(8)",
-+ "unknown(9)",
-+ "packet",
++struct aa_fs_entry aa_fs_entry_network[] = {
++ AA_FS_FILE_STRING("af_mask", AA_FS_AF_MASK),
++ { }
+};
+
+/* audit callback for net specific fields */
@@ -334,20 +635,18 @@
+ struct common_audit_data *sa = va;
+
+ audit_log_format(ab, " family=");
-+ if (address_family_names[sa->u.net.family]) {
-+ audit_log_string(ab, address_family_names[sa->u.net.family]);
++ if (address_family_names[sa->u.net->family]) {
++ audit_log_string(ab, address_family_names[sa->u.net->family]);
+ } else {
-+ audit_log_format(ab, " \"unknown(%d)\"", sa->u.net.family);
++ audit_log_format(ab, "\"unknown(%d)\"", sa->u.net->family);
+ }
-+
+ audit_log_format(ab, " sock_type=");
-+ if (sock_type_names[sa->aad.net.type]) {
-+ audit_log_string(ab, sock_type_names[sa->aad.net.type]);
<<Diff was trimmed, longer than 597 lines>>
---- CVS-web:
http://cvs.pld-linux.org/packages/kernel/kernel-apparmor.patch?r1=1.15&r2=1.16
http://cvs.pld-linux.org/packages/kernel/kernel-vserver-2.3.patch?r1=1.94&r2=1.95
http://cvs.pld-linux.org/packages/kernel/kernel.spec?r1=1.1047&r2=1.1048