[packages/kernel] - builds; imq updated; apparmor updated; zph dropped (unmaintained for few years)

arekm arekm at pld-linux.org
Fri Jul 29 12:45:50 CEST 2016


commit 0776672ee02c20aad1fc3255f8d47289c503a927
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date:   Fri Jul 29 12:45:42 2016 +0200

    - builds; imq updated; apparmor updated; zph dropped (unmaintained for few years)

 kernel-apparmor.patch | 1261 ++++++++++++++++++++++++++++++++++++++++++++-----
 kernel-imq.patch      |  543 ++++++++++-----------
 kernel.spec           |    9 +-
 3 files changed, 1413 insertions(+), 400 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 9f276a4..a210d7f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -165,9 +165,6 @@ Patch40:	kernel-layer7.patch
 
 ### End netfilter
 
-# http://zph.bratcheda.org/linux-2.6.26.3-zph.patch
-Patch49:	kernel-zph.patch
-
 # http://www.linuximq.net
 Patch50:	kernel-imq.patch
 
@@ -218,7 +215,7 @@ Patch2003:	kernel-regressions.patch
 Patch2004:	kernel-libata-ahci-pm.patch
 
 # git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
-# branch v4.2-aa2.8-out-of-tree
+# branch v4.7-aa2.8-out-of-tree
 Patch5000:	kernel-apparmor.patch
 
 # for rescuecd
@@ -669,10 +666,6 @@ cd linux-%{basever}
 ##
 # end of netfilter
 
-# zph
-# FIXME or DROPME
-%patch49 -p1
-
 %if %{with imq}
 %patch50 -p1
 %endif
diff --git a/kernel-apparmor.patch b/kernel-apparmor.patch
index d6d4585..9d10f82 100644
--- a/kernel-apparmor.patch
+++ b/kernel-apparmor.patch
@@ -1,11 +1,1064 @@
-From e37c855a09ba7a8fa69334e9e3c7f5b0f66de896 Mon Sep 17 00:00:00 2001
-From: John Johansen <john.johansen at canonical.com>
-Date: Mon, 4 Oct 2010 15:03:36 -0700
-Subject: UBUNTU: SAUCE: AppArmor: basic networking rules
+commit 5ea33f587f5f7324c40c5986286d0f38307923bb
+Author: John Johansen <john.johansen at canonical.com>
+Date:   Mon Apr 11 16:55:10 2016 -0700
 
-Base support for network mediation.
+    apparmor: fix refcount bug in profile replacement
+    
+    Signed-off-by: John Johansen <john.johansen at canonical.com>
+    Acked-by: Seth Arnold <seth.arnold at canonical.com>
 
-Signed-off-by: John Johansen <john.johansen at canonical.com>
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index 705c287..222052f 100644
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -1189,12 +1189,12 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
+ 				aa_get_profile(newest);
+ 				aa_put_profile(parent);
+ 				rcu_assign_pointer(ent->new->parent, newest);
+-			} else
+-				aa_put_profile(newest);
++			}
+ 			/* aafs interface uses replacedby */
+ 			rcu_assign_pointer(ent->new->replacedby->profile,
+ 					   aa_get_profile(ent->new));
+ 			__list_add_profile(&parent->base.profiles, ent->new);
++			aa_put_profile(newest);
+ 		} else {
+ 			/* aafs interface uses replacedby */
+ 			rcu_assign_pointer(ent->new->replacedby->profile,
+
+commit f65b1c9b72442e6166332c04f332e4b4d4797887
+Author: John Johansen <john.johansen at canonical.com>
+Date:   Mon Apr 11 16:57:19 2016 -0700
+
+    apparmor: fix replacement bug that adds new child to old parent
+    
+    When set atomic replacement is used and the parent is updated before the
+    child, and the child did not exist in the old parent so there is no
+    direct replacement then the new child is incorrectly added to the old
+    parent. This results in the new parent not having the child(ren) that
+    it should and the old parent when being destroyed asserting the
+    following error.
+    
+    AppArmor: policy_destroy: internal error, policy '<profile/name>' still
+    contains profiles
+    
+    Signed-off-by: John Johansen <john.johansen at canonical.com>
+    Acked-by: Seth Arnold <seth.arnold at canonical.com>
+
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index 222052f..c92a9f6 100644
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -1193,7 +1193,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
+ 			/* aafs interface uses replacedby */
+ 			rcu_assign_pointer(ent->new->replacedby->profile,
+ 					   aa_get_profile(ent->new));
+-			__list_add_profile(&parent->base.profiles, ent->new);
++			__list_add_profile(&newest->base.profiles, ent->new);
+ 			aa_put_profile(newest);
+ 		} else {
+ 			/* aafs interface uses replacedby */
+
+commit b6669bef20c9d934bc6498e79fffa220f6226518
+Author: John Johansen <john.johansen at canonical.com>
+Date:   Sun Jun 8 11:20:54 2014 -0700
+
+    apparmor: fix uninitialized lsm_audit member
+    
+    BugLink: http://bugs.launchpad.net/bugs/1268727
+    
+    The task field in the lsm_audit struct needs to be initialized if
+    a change_hat fails, otherwise the following oops will occur
+    
+    BUG: unable to handle kernel paging request at 0000002fbead7d08
+    IP: [<ffffffff8171153e>] _raw_spin_lock+0xe/0x50
+    PGD 1e3f35067 PUD 0
+    Oops: 0002 [#1] SMP
+    Modules linked in: pppox crc_ccitt p8023 p8022 psnap llc ax25 btrfs raid6_pq xor xfs libcrc32c dm_multipath scsi_dh kvm_amd dcdbas kvm microcode amd64_edac_mod joydev edac_core psmouse edac_mce_amd serio_raw k10temp sp5100_tco i2c_piix4 ipmi_si ipmi_msghandler acpi_power_meter mac_hid lp parport hid_generic usbhid hid pata_acpi mpt2sas ahci raid_class pata_atiixp bnx2 libahci scsi_transport_sas [last unloaded: tipc]
+    CPU: 2 PID: 699 Comm: changehat_twice Tainted: GF          O 3.13.0-7-generic #25-Ubuntu
+    Hardware name: Dell Inc. PowerEdge R415/08WNM9, BIOS 1.8.6 12/06/2011
+    task: ffff8802135c6000 ti: ffff880212986000 task.ti: ffff880212986000
+    RIP: 0010:[<ffffffff8171153e>]  [<ffffffff8171153e>] _raw_spin_lock+0xe/0x50
+    RSP: 0018:ffff880212987b68  EFLAGS: 00010006
+    RAX: 0000000000020000 RBX: 0000002fbead7500 RCX: 0000000000000000
+    RDX: 0000000000000292 RSI: ffff880212987ba8 RDI: 0000002fbead7d08
+    RBP: ffff880212987b68 R08: 0000000000000246 R09: ffff880216e572a0
+    R10: ffffffff815fd677 R11: ffffea0008469580 R12: ffffffff8130966f
+    R13: ffff880212987ba8 R14: 0000002fbead7d08 R15: ffff8800d8c6b830
+    FS:  00002b5e6c84e7c0(0000) GS:ffff880216e40000(0000) knlGS:0000000055731700
+    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+    CR2: 0000002fbead7d08 CR3: 000000021270f000 CR4: 00000000000006e0
+    Stack:
+     ffff880212987b98 ffffffff81075f17 ffffffff8130966f 0000000000000009
+     0000000000000000 0000000000000000 ffff880212987bd0 ffffffff81075f7c
+     0000000000000292 ffff880212987c08 ffff8800d8c6b800 0000000000000026
+    Call Trace:
+     [<ffffffff81075f17>] __lock_task_sighand+0x47/0x80
+     [<ffffffff8130966f>] ? apparmor_cred_prepare+0x2f/0x50
+     [<ffffffff81075f7c>] do_send_sig_info+0x2c/0x80
+     [<ffffffff81075fee>] send_sig_info+0x1e/0x30
+     [<ffffffff8130242d>] aa_audit+0x13d/0x190
+     [<ffffffff8130c1dc>] aa_audit_file+0xbc/0x130
+     [<ffffffff8130966f>] ? apparmor_cred_prepare+0x2f/0x50
+     [<ffffffff81304cc2>] aa_change_hat+0x202/0x530
+     [<ffffffff81308fc6>] aa_setprocattr_changehat+0x116/0x1d0
+     [<ffffffff8130a11d>] apparmor_setprocattr+0x25d/0x300
+     [<ffffffff812cee56>] security_setprocattr+0x16/0x20
+     [<ffffffff8121fc87>] proc_pid_attr_write+0x107/0x130
+     [<ffffffff811b7604>] vfs_write+0xb4/0x1f0
+     [<ffffffff811b8039>] SyS_write+0x49/0xa0
+     [<ffffffff8171a1bf>] tracesys+0xe1/0xe6
+    
+    Signed-off-by: John Johansen <john.johansen at canonical.com>
+    Acked-by: Seth Arnold <seth.arnold at canonical.com>
+
+diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
+index 89c7865..3a7f1da 100644
+--- a/security/apparmor/audit.c
++++ b/security/apparmor/audit.c
+@@ -200,7 +200,8 @@ int aa_audit(int type, struct aa_profile *profile, gfp_t gfp,
+ 
+ 	if (sa->aad->type == AUDIT_APPARMOR_KILL)
+ 		(void)send_sig_info(SIGKILL, NULL,
+-				    sa->u.tsk ?  sa->u.tsk : current);
++			sa->type == LSM_AUDIT_DATA_TASK && sa->u.tsk ?
++				    sa->u.tsk : current);
+ 
+ 	if (sa->aad->type == AUDIT_APPARMOR_ALLOWED)
+ 		return complain_error(sa->aad->error);
+diff --git a/security/apparmor/file.c b/security/apparmor/file.c
+index d186674..4d2af4b 100644
+--- a/security/apparmor/file.c
++++ b/security/apparmor/file.c
+@@ -110,7 +110,8 @@ int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
+ 	int type = AUDIT_APPARMOR_AUTO;
+ 	struct common_audit_data sa;
+ 	struct apparmor_audit_data aad = {0,};
+-	sa.type = LSM_AUDIT_DATA_NONE;
++	sa.type = LSM_AUDIT_DATA_TASK;
++	sa.u.tsk = NULL;
+ 	sa.aad = &aad;
+ 	aad.op = op,
+ 	aad.fs.request = request;
+
+commit aeab4cbfb86d0faeeb709e8201672e0662aa2c6f
+Author: John Johansen <john.johansen at canonical.com>
+Date:   Fri Jul 25 04:02:03 2014 -0700
+
+    apparmor: exec should not be returning ENOENT when it denies
+    
+    The current behavior is confusing as it causes exec failures to report
+    the executable is missing instead of identifying that apparmor
+    caused the failure.
+    
+    Signed-off-by: John Johansen <john.johansen at canonical.com>
+    Acked-by: Seth Arnold <seth.arnold at canonical.com>
+
+diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
+index dc0027b..67a7418 100644
+--- a/security/apparmor/domain.c
++++ b/security/apparmor/domain.c
+@@ -433,7 +433,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
+ 				new_profile = aa_get_newest_profile(ns->unconfined);
+ 				info = "ux fallback";
+ 			} else {
+-				error = -ENOENT;
++				error = -EACCES;
+ 				info = "profile not found";
+ 				/* remove MAY_EXEC to audit as failure */
+ 				perms.allow &= ~MAY_EXEC;
+
+commit 752e4263021d90cf23c262f2fd3ebfd6dbccd455
+Author: John Johansen <john.johansen at canonical.com>
+Date:   Fri Jul 25 04:01:56 2014 -0700
+
+    apparmor: fix update the mtime of the profile file on replacement
+    
+    Signed-off-by: John Johansen <john.johansen at canonical.com>
+    Acked-by: Seth Arnold <seth.arnold at canonical.com>
+
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index ad4fa49..45a6199 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -379,6 +379,8 @@ void __aa_fs_profile_migrate_dents(struct aa_profile *old,
+ 
+ 	for (i = 0; i < AAFS_PROF_SIZEOF; i++) {
+ 		new->dents[i] = old->dents[i];
++		if (new->dents[i])
++			new->dents[i]->d_inode->i_mtime = CURRENT_TIME;
+ 		old->dents[i] = NULL;
+ 	}
+ }
+
+commit 0c67233b18406dc7a8629faf8f9452feace6fb13
+Author: John Johansen <john.johansen at canonical.com>
+Date:   Fri Jul 25 04:02:08 2014 -0700
+
+    apparmor: fix disconnected bind mnts reconnection
+    
+    Bind mounts can fail to be properly reconnected when PATH_CONNECT is
+    specified. Ensure that when PATH_CONNECT is specified the path has
+    a root.
+    
+    BugLink: http://bugs.launchpad.net/bugs/1319984
+    
+    Signed-off-by: John Johansen <john.johansen at canonical.com>
+    Acked-by: Seth Arnold <seth.arnold at canonical.com>
+
+diff --git a/security/apparmor/path.c b/security/apparmor/path.c
+index edddc02..f261678 100644
+--- a/security/apparmor/path.c
++++ b/security/apparmor/path.c
+@@ -141,7 +141,10 @@ static int d_namespace_path(const struct path *path, char *buf, int buflen,
+ 			error = -EACCES;
+ 			if (*res == '/')
+ 				*name = res + 1;
+-		}
++		} else if (*res != '/')
++			/* CONNECT_PATH with missing root */
++			error = prepend(name, *name - buf, "/", 1);
++
+ 	}
+ 
+ out:
+
+commit 30c2b759b4f456e97e859ca550666c8abe84ff3c
+Author: John Johansen <john.johansen at canonical.com>
+Date:   Fri Jul 25 04:02:10 2014 -0700
+
+    apparmor: internal paths should be treated as disconnected
+    
+    Internal mounts are not mounted anywhere and as such should be treated
+    as disconnected paths.
+    
+    Signed-off-by: John Johansen <john.johansen at canonical.com>
+    Acked-by: Seth Arnold <seth.arnold at canonical.com>
+
+diff --git a/security/apparmor/path.c b/security/apparmor/path.c
+index f261678..a8fc7d0 100644
+--- a/security/apparmor/path.c
++++ b/security/apparmor/path.c
+@@ -25,7 +25,6 @@
+ #include "include/path.h"
+ #include "include/policy.h"
+ 
+-
+ /* modified from dcache.c */
+ static int prepend(char **buffer, int buflen, const char *str, int namelen)
+ {
+@@ -39,6 +38,38 @@ static int prepend(char **buffer, int buflen, const char *str, int namelen)
+ 
+ #define CHROOT_NSCONNECT (PATH_CHROOT_REL | PATH_CHROOT_NSCONNECT)
+ 
++/* If the path is not connected to the expected root,
++ * check if it is a sysctl and handle specially else remove any
++ * leading / that __d_path may have returned.
++ * Unless
++ *     specifically directed to connect the path,
++ * OR
++ *     if in a chroot and doing chroot relative paths and the path
++ *     resolves to the namespace root (would be connected outside
++ *     of chroot) and specifically directed to connect paths to
++ *     namespace root.
++ */
++static int disconnect(const struct path *path, char *buf, char **name,
++		      int flags)
++{
++	int error = 0;
++
++	if (!(flags & PATH_CONNECT_PATH) &&
++	    !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
++	      our_mnt(path->mnt))) {
++		/* disconnected path, don't return pathname starting
++		 * with '/'
++		 */
++		error = -EACCES;
++		if (**name == '/')
++			*name = *name + 1;
++	} else if (**name != '/')
++		/* CONNECT_PATH with missing root */
++		error = prepend(name, *name - buf, "/", 1);
++
++	return error;
++}
++
+ /**
+  * d_namespace_path - lookup a name associated with a given path
+  * @path: path to lookup  (NOT NULL)
+@@ -74,7 +105,8 @@ static int d_namespace_path(const struct path *path, char *buf, int buflen,
+ 			 * control instead of hard coded /proc
+ 			 */
+ 			return prepend(name, *name - buf, "/proc", 5);
+-		}
++		} else
++			return disconnect(path, buf, name, flags);
+ 		return 0;
+ 	}
+ 
+@@ -120,32 +152,8 @@ static int d_namespace_path(const struct path *path, char *buf, int buflen,
+ 			goto out;
+ 	}
+ 
+-	/* If the path is not connected to the expected root,
+-	 * check if it is a sysctl and handle specially else remove any
+-	 * leading / that __d_path may have returned.
+-	 * Unless
+-	 *     specifically directed to connect the path,
+-	 * OR
+-	 *     if in a chroot and doing chroot relative paths and the path
+-	 *     resolves to the namespace root (would be connected outside
+-	 *     of chroot) and specifically directed to connect paths to
+-	 *     namespace root.
+-	 */
+-	if (!connected) {
+-		if (!(flags & PATH_CONNECT_PATH) &&
+-			   !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
+-			     our_mnt(path->mnt))) {
+-			/* disconnected path, don't return pathname starting
+-			 * with '/'
+-			 */
+-			error = -EACCES;
+-			if (*res == '/')
+-				*name = res + 1;
+-		} else if (*res != '/')
+-			/* CONNECT_PATH with missing root */
+-			error = prepend(name, *name - buf, "/", 1);
+-
+-	}
++	if (!connected)
++		error = disconnect(path, buf, name, flags);
+ 
+ out:
+ 	return error;
+
+commit 35f89b597a40c870f93a068bc92a7ef4f9b16a66
+Author: John Johansen <john.johansen at canonical.com>
+Date:   Sat Apr 16 13:59:02 2016 -0700
+
+    apparmor: fix put() parent ref after updating the active ref
+    
+    Signed-off-by: John Johansen <john.johansen at canonical.com>
+    Acked-by: Seth Arnold <seth.arnold at canonical.com>
+
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index c92a9f6..455c9f8 100644
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -1187,8 +1187,8 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
+ 			/* parent replaced in this atomic set? */
+ 			if (newest != parent) {
+ 				aa_get_profile(newest);
+-				aa_put_profile(parent);
+ 				rcu_assign_pointer(ent->new->parent, newest);
++				aa_put_profile(parent);
+ 			}
+ 			/* aafs interface uses replacedby */
+ 			rcu_assign_pointer(ent->new->replacedby->profile,
+
+commit 7b1ec6a04ca57fabe250f1102f2803dea7fbd03b
+Author: John Johansen <john.johansen at canonical.com>
+Date:   Sat Apr 16 14:16:50 2016 -0700
+
+    apparmor: fix log failures for all profiles in a set
+    
+    currently only the profile that is causing the failure is logged. This
+    makes it more confusing than necessary about which profiles loaded
+    and which didn't. So make sure to log success and failure messages for
+    all profiles in the set being loaded.
+    
+    Signed-off-by: John Johansen <john.johansen at canonical.com>
+    Acked-by: Seth Arnold <seth.arnold at canonical.com>
+
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index 455c9f8..db31bc5 100644
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -1067,7 +1067,7 @@ static int __lookup_replace(struct aa_namespace *ns, const char *hname,
+  */
+ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
+ {
+-	const char *ns_name, *name = NULL, *info = NULL;
++	const char *ns_name, *info = NULL;
+ 	struct aa_namespace *ns = NULL;
+ 	struct aa_load_ent *ent, *tmp;
+ 	int op = OP_PROF_REPL;
+@@ -1082,18 +1082,15 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
+ 	/* released below */
+ 	ns = aa_prepare_namespace(ns_name);
+ 	if (!ns) {
+-		info = "failed to prepare namespace";
+-		error = -ENOMEM;
+-		name = ns_name;
+-		goto fail;
++		error = audit_policy(op, GFP_KERNEL, ns_name,
++				     "failed to prepare namespace", -ENOMEM);
++		goto free;
+ 	}
+ 
+ 	mutex_lock(&ns->lock);
+ 	/* setup parent and ns info */
+ 	list_for_each_entry(ent, &lh, list) {
+ 		struct aa_policy *policy;
+-
+-		name = ent->new->base.hname;
+ 		error = __lookup_replace(ns, ent->new->base.hname, noreplace,
+ 					 &ent->old, &info);
+ 		if (error)
+@@ -1121,7 +1118,6 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
+ 			if (!p) {
+ 				error = -ENOENT;
+ 				info = "parent does not exist";
+-				name = ent->new->base.hname;
+ 				goto fail_lock;
+ 			}
+ 			rcu_assign_pointer(ent->new->parent, aa_get_profile(p));
+@@ -1214,9 +1210,22 @@ out:
+ 
+ fail_lock:
+ 	mutex_unlock(&ns->lock);
+-fail:
+-	error = audit_policy(op, GFP_KERNEL, name, info, error);
+ 
++	/* audit cause of failure */
++	op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
++	audit_policy(op, GFP_KERNEL, ent->new->base.hname, info, error);
++	/* audit status that rest of profiles in the atomic set failed too */
++	info = "valid profile in failed atomic policy load";
++	list_for_each_entry(tmp, &lh, list) {
++		if (tmp == ent) {
++			info = "unchecked profile in failed atomic policy load";
++			/* skip entry that caused failure */
++			continue;
++		}
++		op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
++		audit_policy(op, GFP_KERNEL, tmp->new->base.hname, info, error);
++	}
++free:
+ 	list_for_each_entry_safe(ent, tmp, &lh, list) {
+ 		list_del_init(&ent->list);
+ 		aa_load_ent_free(ent);
+
+commit 4c475747a31b0637f0d47cb9bddaf2c6efb02854
+Author: John Johansen <john.johansen at canonical.com>
+Date:   Sat Apr 16 14:19:38 2016 -0700
+
+    apparmor: fix audit full profile hname on successful load
+    
+    Currently logging of a successful profile load only logs the basename
+    of the profile. This can result in confusion when a child profile has
+    the same name as the another profile in the set. Logging the hname
+    will ensure there is no confusion.
+    
+    Signed-off-by: John Johansen <john.johansen at canonical.com>
+    Acked-by: Seth Arnold <seth.arnold at canonical.com>
+
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index db31bc5..ca402d0 100644
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -1159,7 +1159,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
+ 		list_del_init(&ent->list);
+ 		op = (!ent->old && !ent->rename) ? OP_PROF_LOAD : OP_PROF_REPL;
+ 
+-		audit_policy(op, GFP_ATOMIC, ent->new->base.name, NULL, error);
++		audit_policy(op, GFP_ATOMIC, ent->new->base.hname, NULL, error);
+ 
+ 		if (ent->old) {
+ 			__replace_profile(ent->old, ent->new, 1);
+
+commit 430741dd766291d2e618b04e918ee6da844c230a
+Author: John Johansen <john.johansen at canonical.com>
+Date:   Wed Apr 20 14:18:18 2016 -0700
+
+    apparmor: ensure the target profile name is always audited
+    
+    The target profile name was not being correctly audited in a few
+    cases because the target variable was not being set and gotos
+    passed the code to set it at apply:
+    
+    Since it is always based on new_profile just drop the target var
+    and conditionally report based on new_profile.
+    
+    Signed-off-by: John Johansen <john.johansen at canonical.com>
+    Acked-by: Seth Arnold <seth.arnold at canonical.com>
+
+diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
+index 67a7418..fc3036b 100644
+--- a/security/apparmor/domain.c
++++ b/security/apparmor/domain.c
+@@ -346,7 +346,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
+ 		file_inode(bprm->file)->i_uid,
+ 		file_inode(bprm->file)->i_mode
+ 	};
+-	const char *name = NULL, *target = NULL, *info = NULL;
++	const char *name = NULL, *info = NULL;
+ 	int error = 0;
+ 
+ 	if (bprm->cred_prepared)
+@@ -399,6 +399,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
+ 	if (cxt->onexec) {
+ 		struct file_perms cp;
+ 		info = "change_profile onexec";
++		new_profile = aa_get_newest_profile(cxt->onexec);
+ 		if (!(perms.allow & AA_MAY_ONEXEC))
+ 			goto audit;
+ 
+@@ -413,7 +414,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
+ 
+ 		if (!(cp.allow & AA_MAY_ONEXEC))
+ 			goto audit;
+-		new_profile = aa_get_newest_profile(cxt->onexec);
+ 		goto apply;
+ 	}
+ 
+@@ -445,10 +445,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
+ 		if (!new_profile) {
+ 			error = -ENOMEM;
+ 			info = "could not create null profile";
+-		} else {
++		} else
+ 			error = -EACCES;
+-			target = new_profile->base.hname;
+-		}
+ 		perms.xindex |= AA_X_UNSAFE;
+ 	} else
+ 		/* fail exec */
+@@ -459,7 +457,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
+ 	 * fail the exec.
+ 	 */
+ 	if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) {
+-		aa_put_profile(new_profile);
+ 		error = -EPERM;
+ 		goto cleanup;
+ 	}
+@@ -474,10 +471,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
+ 
+ 	if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
+ 		error = may_change_ptraced_domain(new_profile);
+-		if (error) {
+-			aa_put_profile(new_profile);
++		if (error)
+ 			goto audit;
+-		}
+ 	}
+ 
+ 	/* Determine if secure exec is needed.
+@@ -498,7 +493,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
+ 		bprm->unsafe |= AA_SECURE_X_NEEDED;
+ 	}
+ apply:
+-	target = new_profile->base.hname;
+ 	/* when transitioning profiles clear unsafe personality bits */
+ 	bprm->per_clear |= PER_CLEAR_ON_SETID;
+ 
+@@ -506,15 +500,19 @@ x_clear:
+ 	aa_put_profile(cxt->profile);
+ 	/* transfer new profile reference will be released when cxt is freed */
+ 	cxt->profile = new_profile;
++	new_profile = NULL;
+ 
+ 	/* clear out all temporary/transitional state from the context */
+ 	aa_clear_task_cxt_trans(cxt);
+ 
+ audit:
+ 	error = aa_audit_file(profile, &perms, GFP_KERNEL, OP_EXEC, MAY_EXEC,
+-			      name, target, cond.uid, info, error);
++			      name,
++			      new_profile ? new_profile->base.hname : NULL,
++			      cond.uid, info, error);
+ 
+ cleanup:
++	aa_put_profile(new_profile);
+ 	aa_put_profile(profile);
+ 	kfree(buffer);
+ 
+
+commit 06763d057300b3d5bbe1894acfe236cf193bab78
+Author: John Johansen <john.johansen at canonical.com>
+Date:   Thu Mar 17 12:02:54 2016 -0700
+
+    apparmor: check that xindex is in trans_table bounds
+    
+    Signed-off-by: John Johansen <john.johansen at canonical.com>
+    Acked-by: Seth Arnold <seth.arnold at canonical.com>
+
+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
+index a689f10..c841b12 100644
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -676,7 +676,7 @@ static bool verify_xindex(int xindex, int table_size)
+ 	int index, xtype;
+ 	xtype = xindex & AA_X_TYPE_MASK;
+ 	index = xindex & AA_X_INDEX_MASK;
+-	if (xtype == AA_X_TABLE && index > table_size)
++	if (xtype == AA_X_TABLE && index >= table_size)
+ 		return 0;
+ 	return 1;
+ }
+
+commit 9ad29b2e7820895339f90eb71b411d0134cf1ce9
+Author: John Johansen <john.johansen at canonical.com>
+Date:   Wed Nov 18 11:41:05 2015 -0800
+
+    apparmor: fix ref count leak when profile sha1 hash is read
+    
+    Signed-off-by: John Johansen <john.johansen at canonical.com>
+    Acked-by: Seth Arnold <seth.arnold at canonical.com>
+
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 45a6199..0d8dd71 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -331,6 +331,7 @@ static int aa_fs_seq_hash_show(struct seq_file *seq, void *v)
+ 			seq_printf(seq, "%.2x", profile->hash[i]);
+ 		seq_puts(seq, "\n");
+ 	}
++	aa_put_profile(profile);
+ 
+ 	return 0;
+ }
+
+commit e13f968d154ba9d6a2c4f82f33d3312a63430b54
+Author: John Johansen <john.johansen at canonical.com>
+Date:   Wed Dec 16 18:09:10 2015 -0800
+
+    apparmor: fix refcount race when finding a child profile
+    
+    When finding a child profile via an rcu critical section, the profile
+    may be put and scheduled for deletion after the child is found but
+    before its refcount is incremented.
+    
+    Protect against this by repeating the lookup if the profiles refcount
+    is 0 and is one its way to deletion.
+    
+    Signed-off-by: John Johansen <john.johansen at canonical.com>
+    Acked-by: Seth Arnold <seth.arnold at canonical.com>
+
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index ca402d0..7807125 100644
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -766,7 +766,9 @@ struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name)
+ 	struct aa_profile *profile;
+ 
+ 	rcu_read_lock();
+-	profile = aa_get_profile(__find_child(&parent->base.profiles, name));
++	do {
++		profile = __find_child(&parent->base.profiles, name);
++	} while (profile && !aa_get_profile_not0(profile));
+ 	rcu_read_unlock();
+ 
+ 	/* refcount released by caller */
+
+commit 5833ccff1227fbc8f1bab64351f6747a6c71bdeb
+Author: Geliang Tang <geliangtang at 163.com>
+Date:   Mon Nov 16 21:46:33 2015 +0800
+
+    apparmor: use list_next_entry instead of list_entry_next
+    
+    list_next_entry has been defined in list.h, so I replace list_entry_next
+    with it.
+    
+    Signed-off-by: Geliang Tang <geliangtang at 163.com>
+    Acked-by: Serge Hallyn <serge.hallyn at canonical.com>
+    Signed-off-by: John Johansen <john.johansen at canonical.com>
+
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 0d8dd71..729e595 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -553,8 +553,6 @@ fail2:
+ }
+ 
+ 
+-#define list_entry_next(pos, member) \
+-	list_entry(pos->member.next, typeof(*pos), member)
+ #define list_entry_is_head(pos, head, member) (&pos->member == (head))
+ 
+ /**
+@@ -585,7 +583,7 @@ static struct aa_namespace *__next_namespace(struct aa_namespace *root,
+ 	parent = ns->parent;
+ 	while (ns != root) {
+ 		mutex_unlock(&ns->lock);
+-		next = list_entry_next(ns, base.list);
++		next = list_next_entry(ns, base.list);
+ 		if (!list_entry_is_head(next, &parent->sub_ns, base.list)) {
+ 			mutex_lock(&next->lock);
+ 			return next;
+@@ -639,7 +637,7 @@ static struct aa_profile *__next_profile(struct aa_profile *p)
+ 	parent = rcu_dereference_protected(p->parent,
+ 					   mutex_is_locked(&p->ns->lock));
+ 	while (parent) {
+-		p = list_entry_next(p, base.list);
++		p = list_next_entry(p, base.list);
+ 		if (!list_entry_is_head(p, &parent->base.profiles, base.list))
+ 			return p;
+ 		p = parent;
+@@ -648,7 +646,7 @@ static struct aa_profile *__next_profile(struct aa_profile *p)
+ 	}
+ 
+ 	/* is next another profile in the namespace */
+-	p = list_entry_next(p, base.list);
++	p = list_next_entry(p, base.list);
+ 	if (!list_entry_is_head(p, &ns->base.profiles, base.list))
+ 		return p;
+ 
+
+commit 645801f1ddd183109c011e5ecee23ed3fdcae244
+Author: Jeff Mahoney <jeffm at suse.com>
+Date:   Fri Nov 6 15:17:30 2015 -0500
+
+    apparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task
+    
+    While using AppArmor, SYS_CAP_RESOURCE is insufficient to call prlimit
+    on another task. The only other example of a AppArmor mediating access to
+    another, already running, task (ignoring fork+exec) is ptrace.
+    
+    The AppArmor model for ptrace is that one of the following must be true:
+    1) The tracer is unconfined
+    2) The tracer is in complain mode
+    3) The tracer and tracee are confined by the same profile
+    4) The tracer is confined but has SYS_CAP_PTRACE
+    
+    1), 2, and 3) are already true for setrlimit.
+    
+    We can match the ptrace model just by allowing CAP_SYS_RESOURCE.
+    
+    We still test the values of the rlimit since it can always be overridden
+    using a value that means unlimited for a particular resource.
+    
+    Signed-off-by: Jeff Mahoney <jeffm at suse.com>
+    Signed-off-by: John Johansen <john.johansen at canonical.com>
+
+diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c
+index 748bf0c..67a6072 100644
+--- a/security/apparmor/resource.c
++++ b/security/apparmor/resource.c
+@@ -101,9 +101,11 @@ int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *task,
+ 	/* TODO: extend resource control to handle other (non current)
+ 	 * profiles.  AppArmor rules currently have the implicit assumption
+ 	 * that the task is setting the resource of a task confined with
+-	 * the same profile.
++	 * the same profile or that the task setting the resource of another
++	 * task has CAP_SYS_RESOURCE.
+ 	 */
+-	if (profile != task_profile ||
++	if ((profile != task_profile &&
++	     aa_capable(profile, CAP_SYS_RESOURCE, 1)) ||
+ 	    (profile->rlimits.mask & (1 << resource) &&
+ 	     new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max))
+ 		error = -EACCES;
+
+commit 2be4aed1f3332d87273eb593944332054f3cffac
+Author: John Johansen <john.johansen at canonical.com>
+Date:   Thu Jun 2 02:37:02 2016 -0700
+
+    apparmor: add missing id bounds check on dfa verification
+    
+    Signed-off-by: John Johansen <john.johansen at canonical.com>
+
+diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
+index 001c43a..a1c04fe 100644
+--- a/security/apparmor/include/match.h
++++ b/security/apparmor/include/match.h
+@@ -62,6 +62,7 @@ struct table_set_header {
+ #define YYTD_ID_ACCEPT2 6
+ #define YYTD_ID_NXT	7
+ #define YYTD_ID_TSIZE	8
++#define YYTD_ID_MAX	8
+ 
+ #define YYTD_DATA8	1
+ #define YYTD_DATA16	2
+diff --git a/security/apparmor/match.c b/security/apparmor/match.c
+index 727eb42..f9f57c6 100644
+--- a/security/apparmor/match.c
++++ b/security/apparmor/match.c
+@@ -47,6 +47,8 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
+ 	 * it every time we use td_id as an index
+ 	 */
+ 	th.td_id = be16_to_cpu(*(u16 *) (blob)) - 1;
++	if (th.td_id > YYTD_ID_MAX)
++		goto out;
+ 	th.td_flags = be16_to_cpu(*(u16 *) (blob + 2));
+ 	th.td_lolen = be32_to_cpu(*(u32 *) (blob + 8));
+ 	blob += sizeof(struct table_header);
+
+commit c7f87d3c3363b1a0c4724e627e5c8e640a883c89
+Author: John Johansen <john.johansen at canonical.com>
+Date:   Wed Jun 15 09:57:55 2016 +0300
+
+    apparmor: don't check for vmalloc_addr if kvzalloc() failed
+    
+    Signed-off-by: John Johansen <john.johansen at canonical.com>
+
+diff --git a/security/apparmor/match.c b/security/apparmor/match.c
+index f9f57c6..32b72eb 100644
+--- a/security/apparmor/match.c
++++ b/security/apparmor/match.c
+@@ -75,14 +75,14 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
+ 				     u32, be32_to_cpu);
+ 		else
+ 			goto fail;
++		/* if table was vmalloced make sure the page tables are synced
++		 * before it is used, as it goes live to all cpus.
++		 */
++		if (is_vmalloc_addr(table))
++			vm_unmap_aliases();
+ 	}
+ 
+ out:
+-	/* if table was vmalloced make sure the page tables are synced
+-	 * before it is used, as it goes live to all cpus.
+-	 */
+-	if (is_vmalloc_addr(table))
+-		vm_unmap_aliases();
+ 	return table;
+ fail:
+ 	kvfree(table);
+
+commit 0f7e61013dd1e67ebb54d58eee11ab009ceb5ef3
+Author: John Johansen <john.johansen at canonical.com>
+Date:   Wed Jun 15 10:00:55 2016 +0300
+
+    apparmor: fix oops in profile_unpack() when policy_db is not present
+    
+    BugLink: http://bugs.launchpad.net/bugs/1592547
+    
+    If unpack_dfa() returns NULL due to the dfa not being present,
+    profile_unpack() is not checking if the dfa is not present (NULL).
+    
+    Signed-off-by: John Johansen <john.johansen at canonical.com>
+
+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
+index c841b12..dac2121 100644
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -583,6 +583,9 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ 			error = PTR_ERR(profile->policy.dfa);
+ 			profile->policy.dfa = NULL;
+ 			goto fail;
++		} else if (!profile->policy.dfa) {
++			error = -EPROTO;
++			goto fail;
+ 		}
+ 		if (!unpack_u32(e, &profile->policy.start[0], "start"))
+ 			/* default start state */
+
+commit de4ca46ec035283928e8fa40797897cefcf6ec3e
+Author: John Johansen <john.johansen at canonical.com>
+Date:   Wed Jun 22 18:01:08 2016 -0700
+
+    apparmor: fix module parameters can be changed after policy is locked
+    
+    the policy_lock parameter is a one way switch that prevents policy
+    from being further modified. Unfortunately some of the module parameters
+    can effectively modify policy by turning off enforcement.
+    
+    split policy_admin_capable into a view check and a full admin check,
+    and update the admin check to test the policy_lock parameter.
+    
+    Signed-off-by: John Johansen <john.johansen at canonical.com>
+
+diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
+index c28b0f2..52275f0 100644
+--- a/security/apparmor/include/policy.h
++++ b/security/apparmor/include/policy.h
+@@ -403,6 +403,8 @@ static inline int AUDIT_MODE(struct aa_profile *profile)
+ 	return profile->audit;
+ }
+ 
++bool policy_view_capable(void);
++bool policy_admin_capable(void);
+ bool aa_may_manage_policy(int op);
+ 
+ #endif /* __AA_POLICY_H */
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index 7798e16..e83eefb 100644
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -728,51 +728,49 @@ __setup("apparmor=", apparmor_enabled_setup);
+ /* set global flag turning off the ability to load policy */
+ static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
+ {
+-	if (!capable(CAP_MAC_ADMIN))
++	if (!policy_admin_capable())
+ 		return -EPERM;
+-	if (aa_g_lock_policy)
+-		return -EACCES;
+ 	return param_set_bool(val, kp);
+ }
+ 
+ static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
+ {
+-	if (!capable(CAP_MAC_ADMIN))
++	if (!policy_view_capable())
+ 		return -EPERM;
+ 	return param_get_bool(buffer, kp);
+ }
+ 
+ static int param_set_aabool(const char *val, const struct kernel_param *kp)
+ {
+-	if (!capable(CAP_MAC_ADMIN))
++	if (!policy_admin_capable())
+ 		return -EPERM;
+ 	return param_set_bool(val, kp);
+ }
+ 
+ static int param_get_aabool(char *buffer, const struct kernel_param *kp)
+ {
+-	if (!capable(CAP_MAC_ADMIN))
++	if (!policy_view_capable())
+ 		return -EPERM;
+ 	return param_get_bool(buffer, kp);
+ }
+ 
+ static int param_set_aauint(const char *val, const struct kernel_param *kp)
+ {
+-	if (!capable(CAP_MAC_ADMIN))
++	if (!policy_admin_capable())
+ 		return -EPERM;
+ 	return param_set_uint(val, kp);
+ }
+ 
+ static int param_get_aauint(char *buffer, const struct kernel_param *kp)
+ {
+-	if (!capable(CAP_MAC_ADMIN))
++	if (!policy_view_capable())
+ 		return -EPERM;
+ 	return param_get_uint(buffer, kp);
+ }
+ 
+ static int param_get_audit(char *buffer, struct kernel_param *kp)
+ {
+-	if (!capable(CAP_MAC_ADMIN))
++	if (!policy_view_capable())
+ 		return -EPERM;
+ 
+ 	if (!apparmor_enabled)
+@@ -784,7 +782,7 @@ static int param_get_audit(char *buffer, struct kernel_param *kp)
+ static int param_set_audit(const char *val, struct kernel_param *kp)
+ {
+ 	int i;
+-	if (!capable(CAP_MAC_ADMIN))
++	if (!policy_admin_capable())
+ 		return -EPERM;
+ 
+ 	if (!apparmor_enabled)
+@@ -805,7 +803,7 @@ static int param_set_audit(const char *val, struct kernel_param *kp)
+ 
+ static int param_get_mode(char *buffer, struct kernel_param *kp)
+ {
+-	if (!capable(CAP_MAC_ADMIN))
++	if (!policy_admin_capable())
+ 		return -EPERM;
+ 
+ 	if (!apparmor_enabled)
+@@ -817,7 +815,7 @@ static int param_get_mode(char *buffer, struct kernel_param *kp)
+ static int param_set_mode(const char *val, struct kernel_param *kp)
+ {
+ 	int i;
+-	if (!capable(CAP_MAC_ADMIN))
++	if (!policy_admin_capable())
+ 		return -EPERM;
+ 
+ 	if (!apparmor_enabled)
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index 7807125..179e68d 100644
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -918,6 +918,22 @@ static int audit_policy(int op, gfp_t gfp, const char *name, const char *info,
+ 			&sa, NULL);
+ }
+ 
++bool policy_view_capable(void)
++{
++	struct user_namespace *user_ns = current_user_ns();
++	bool response = false;
++
++	if (ns_capable(user_ns, CAP_MAC_ADMIN))
++		response = true;
++
++	return response;
++}
++
++bool policy_admin_capable(void)
++{
++	return policy_view_capable() && !aa_g_lock_policy;
++}
++
+ /**
+  * aa_may_manage_policy - can the current task manage policy
+  * @op: the policy manipulation operation being done
+@@ -932,7 +948,7 @@ bool aa_may_manage_policy(int op)
+ 		return 0;
+ 	}
+ 
+-	if (!capable(CAP_MAC_ADMIN)) {
++	if (!policy_admin_capable()) {
+ 		audit_policy(op, GFP_KERNEL, NULL, "not policy admin", -EACCES);
+ 		return 0;
+ 	}
+
+commit 46c339f46b83e4cf8098f599cd182e65e9d054fc
+Author: Heinrich Schuchardt <xypron.glpk at gmx.de>
+Date:   Fri Jun 10 23:34:26 2016 +0200
+
+    apparmor: do not expose kernel stack
+    
+    Do not copy uninitalized fields th.td_hilen, th.td_data.
+    
+    Signed-off-by: Heinrich Schuchardt <xypron.glpk at gmx.de>
+    Signed-off-by: John Johansen <john.johansen at canonical.com>
+
+diff --git a/security/apparmor/match.c b/security/apparmor/match.c
+index 32b72eb..3f900fc 100644
+--- a/security/apparmor/match.c
++++ b/security/apparmor/match.c
+@@ -63,7 +63,9 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
+ 
+ 	table = kvzalloc(tsize);
+ 	if (table) {
+-		*table = th;
++		table->td_id = th.td_id;
++		table->td_flags = th.td_flags;
++		table->td_lolen = th.td_lolen;
+ 		if (th.td_flags == YYTD_DATA8)
+ 			UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
+ 				     u8, byte_to_byte);
+
+commit 7e65e8142b2ea4891581173d6e92fc337b02ff8b
+Author: John Johansen <john.johansen at canonical.com>
+Date:   Sat Jul 9 23:46:33 2016 -0700
+
+    apparmor: fix arg_size computation for when setprocattr is null terminated
+    
+    Signed-off-by: John Johansen <john.johansen at canonical.com>
+
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index e83eefb..ba8207b 100644
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -529,7 +529,7 @@ static int apparmor_setprocattr(struct task_struct *task, char *name,
+ 	if (!*args)
+ 		goto out;
+ 
+-	arg_size = size - (args - (char *) value);
++	arg_size = size - (args - (largs ? largs : (char *) value));
+ 	if (strcmp(name, "current") == 0) {
+ 		if (strcmp(command, "changehat") == 0) {
+ 			error = aa_setprocattr_changehat(args, arg_size,
+
+commit b661b13237991be6b5cdf0849f137c5ec58217bf
+Author: John Johansen <john.johansen at canonical.com>
+Date:   Mon Oct 4 15:03:36 2010 -0700
+
+    UBUNTU: SAUCE: AppArmor: basic networking rules
+    
+    Base support for network mediation.
+    
+    Signed-off-by: John Johansen <john.johansen at canonical.com>
 
 diff --git a/security/apparmor/.gitignore b/security/apparmor/.gitignore
 index 9cdec70..d5b291e 100644
@@ -92,10 +1145,10 @@ index d693df8..5dbb72f 100644
 +	$(call cmd,make-af)
 +	$(call cmd,make-sock)
 diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
-index ad4fa49..6362c5a 100644
+index 729e595..181d961 100644
 --- a/security/apparmor/apparmorfs.c
 +++ b/security/apparmor/apparmorfs.c
-@@ -806,6 +806,7 @@ static struct aa_fs_entry aa_fs_entry_features[] = {
+@@ -807,6 +807,7 @@ static struct aa_fs_entry aa_fs_entry_features[] = {
  	AA_FS_DIR("policy",			aa_fs_entry_policy),
  	AA_FS_DIR("domain",			aa_fs_entry_domain),
  	AA_FS_DIR("file",			aa_fs_entry_file),
@@ -169,7 +1222,7 @@ index 0000000..cb8a121
 +
 +#endif /* __AA_NET_H */
 diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
-index c28b0f2..b524d88 100644
+index 52275f0..4fc4dac 100644
 --- a/security/apparmor/include/policy.h
 +++ b/security/apparmor/include/policy.h
 @@ -27,6 +27,7 @@
@@ -197,7 +1250,7 @@ index c28b0f2..b524d88 100644
  
  	unsigned char *hash;
 diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
-index dec607c..47fd244 100644
+index ba8207b..88d3b0a 100644
 --- a/security/apparmor/lsm.c
 +++ b/security/apparmor/lsm.c
 @@ -32,6 +32,7 @@
@@ -208,7 +1261,7 @@ index dec607c..47fd244 100644
  #include "include/path.h"
  #include "include/policy.h"
  #include "include/procattr.h"
-@@ -605,6 +606,104 @@ static int apparmor_task_setrlimit(struct task_struct *task,
+@@ -584,6 +585,104 @@ static int apparmor_task_setrlimit(struct task_struct *task,
  	return error;
  }
  
@@ -313,7 +1366,7 @@ index dec607c..47fd244 100644
  static struct security_hook_list apparmor_hooks[] = {
  	LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
  	LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
-@@ -634,6 +733,19 @@ static struct security_hook_list apparmor_hooks[] = {
+@@ -613,6 +712,19 @@ static struct security_hook_list apparmor_hooks[] = {
  	LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
  	LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
  
@@ -502,7 +1555,7 @@ index 0000000..003dd18
 +	return error;
 +}
 diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
-index 705c287..e2afe29 100644
+index 179e68d..f1a8541 100644
 --- a/security/apparmor/policy.c
 +++ b/security/apparmor/policy.c
 @@ -603,6 +603,7 @@ void aa_free_profile(struct aa_profile *profile)
@@ -514,7 +1567,7 @@ index 705c287..e2afe29 100644
  
  	kzfree(profile->dirname);
 diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
-index a689f10..1a35e6b 100644
+index dac2121..0107bc4 100644
 --- a/security/apparmor/policy_unpack.c
 +++ b/security/apparmor/policy_unpack.c
 @@ -193,6 +193,19 @@ fail:
@@ -584,26 +1637,25 @@ index a689f10..1a35e6b 100644
  	if (unpack_nameX(e, AA_STRUCT, "policydb")) {
  		/* generic policy dfa - optional and may be NULL */
  		profile->policy.dfa = unpack_dfa(e);
--- 
-cgit v0.10.2
-
-From 6b77d90baf3807b70ca17309ad6c0bd39f3297e7 Mon Sep 17 00:00:00 2001
-From: John Johansen <john.johansen at canonical.com>
-Date: Fri, 29 Jun 2012 17:34:00 -0700
-Subject: apparmor: Fix quieting of audit messages for network mediation
-
-If a profile specified a quieting of network denials for a given rule by
-either the quiet or deny rule qualifiers, the resultant quiet mask for
-denied requests was applied incorrectly, resulting in two potential bugs.
-1. The misapplied quiet mask would prevent denials from being correctly
-   tested against the kill mask/mode. Thus network access requests that
-   should have resulted in the application being killed did not.
 
-2. The actual quieting of the denied network request was not being applied.
-   This would result in network rejections always being logged even when
-   they had been specifically marked as quieted.
+commit 64c5e24470a219c79c2870c63f18f6bd55648b1b
+Author: John Johansen <john.johansen at canonical.com>
+Date:   Fri Jun 29 17:34:00 2012 -0700
 
-Signed-off-by: John Johansen <john.johansen at canonical.com>
+    apparmor: Fix quieting of audit messages for network mediation
+    
+    If a profile specified a quieting of network denials for a given rule by
+    either the quiet or deny rule qualifiers, the resultant quiet mask for
+    denied requests was applied incorrectly, resulting in two potential bugs.
+    1. The misapplied quiet mask would prevent denials from being correctly
+       tested against the kill mask/mode. Thus network access requests that
+       should have resulted in the application being killed did not.
+    
+    2. The actual quieting of the denied network request was not being applied.
+       This would result in network rejections always being logged even when
+       they had been specifically marked as quieted.
+    
+    Signed-off-by: John Johansen <john.johansen at canonical.com>
 
 diff --git a/security/apparmor/net.c b/security/apparmor/net.c
 index 003dd18..6e6e5c9 100644
@@ -618,51 +1670,50 @@ index 003dd18..6e6e5c9 100644
  
  		if (denied & kill_mask)
  			audit_type = AUDIT_APPARMOR_KILL;
--- 
-cgit v0.10.2
 
-From a71049ba973b214e88eae89f9cb0c4965d184ead Mon Sep 17 00:00:00 2001
-From: John Johansen <john.johansen at canonical.com>
-Date: Wed, 16 May 2012 10:58:05 -0700
-Subject: UBUNTU: SAUCE: apparmor: Add the ability to mediate mount
+commit f7cef61751a2382fb4ea26c18736d7552ffdb24a
+Author: John Johansen <john.johansen at canonical.com>
+Date:   Wed May 16 10:58:05 2012 -0700
 
-Add the ability for apparmor to do mediation of mount operations. Mount
-rules require an updated apparmor_parser (2.8 series) for policy compilation.
-
-The basic form of the rules are.
-
-  [audit] [deny] mount [conds]* [device] [ -> [conds] path],
-  [audit] [deny] remount [conds]* [path],
-  [audit] [deny] umount [conds]* [path],
-  [audit] [deny] pivotroot [oldroot=<value>] <path>
-
-  remount is just a short cut for mount options=remount
-
-  where [conds] can be
-    fstype=<expr>
-    options=<expr>
-
-Example mount commands
-  mount,		# allow all mounts, but not umount or pivotroot
-
-  mount fstype=procfs,  # allow mounting procfs anywhere
-
-  mount options=(bind, ro) /foo -> /bar,  # readonly bind mount
-
-  mount /dev/sda -> /mnt,
-
-  mount /dev/sd** -> /mnt/**,
-
-  mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) -> /mnt/
-
-  umount,
-
-  umount /m*,
-
-See the apparmor userspace for full documentation
-
-Signed-off-by: John Johansen <john.johansen at canonical.com>
-Acked-by: Kees Cook <kees at ubuntu.com>
+    UBUNTU: SAUCE: apparmor: Add the ability to mediate mount
+    
+    Add the ability for apparmor to do mediation of mount operations. Mount
+    rules require an updated apparmor_parser (2.8 series) for policy compilation.
+    
+    The basic form of the rules are.
+    
+      [audit] [deny] mount [conds]* [device] [ -> [conds] path],
+      [audit] [deny] remount [conds]* [path],
+      [audit] [deny] umount [conds]* [path],
+      [audit] [deny] pivotroot [oldroot=<value>] <path>
+    
+      remount is just a short cut for mount options=remount
+    
+      where [conds] can be
+        fstype=<expr>
+        options=<expr>
+    
+    Example mount commands
+      mount,                # allow all mounts, but not umount or pivotroot
+    
+      mount fstype=procfs,  # allow mounting procfs anywhere
+    
+      mount options=(bind, ro) /foo -> /bar,  # readonly bind mount
+    
+      mount /dev/sda -> /mnt,
+    
+      mount /dev/sd** -> /mnt/**,
+    
+      mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) -> /mnt/
+    
+      umount,
+    
+      umount /m*,
+    
+    See the apparmor userspace for full documentation
+    
+    Signed-off-by: John Johansen <john.johansen at canonical.com>
+    Acked-by: Kees Cook <kees at ubuntu.com>
 
 diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
 index 5dbb72f..89b3445 100644
@@ -678,10 +1729,10 @@ index 5dbb72f..89b3445 100644
  
  clean-files := capability_names.h rlim_names.h net_names.h
 diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
-index 6362c5a..4917747 100644
+index 181d961..5fb67f6 100644
 --- a/security/apparmor/apparmorfs.c
 +++ b/security/apparmor/apparmorfs.c
-@@ -799,7 +799,18 @@ static struct aa_fs_entry aa_fs_entry_domain[] = {
+@@ -800,7 +800,18 @@ static struct aa_fs_entry aa_fs_entry_domain[] = {
  
  static struct aa_fs_entry aa_fs_entry_policy[] = {
  	AA_FS_FILE_BOOLEAN("set_load",          1),
@@ -701,7 +1752,7 @@ index 6362c5a..4917747 100644
  };
  
  static struct aa_fs_entry aa_fs_entry_features[] = {
-@@ -807,6 +818,8 @@ static struct aa_fs_entry aa_fs_entry_features[] = {
+@@ -808,6 +819,8 @@ static struct aa_fs_entry aa_fs_entry_features[] = {
  	AA_FS_DIR("domain",			aa_fs_entry_domain),
  	AA_FS_DIR("file",			aa_fs_entry_file),
  	AA_FS_DIR("network",                    aa_fs_entry_network),
@@ -711,7 +1762,7 @@ index 6362c5a..4917747 100644
  	AA_FS_DIR("rlimit",			aa_fs_entry_rlimit),
  	AA_FS_DIR("caps",			aa_fs_entry_caps),
 diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
-index 89c7865..7fdb5d7 100644
+index 3a7f1da..c2a8b8a 100644
 --- a/security/apparmor/audit.c
 +++ b/security/apparmor/audit.c
 @@ -44,6 +44,10 @@ const char *const op_table[] = {
@@ -726,7 +1777,7 @@ index 89c7865..7fdb5d7 100644
  	"post_create",
  	"bind",
 diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
-index dc0027b..a2e3813 100644
+index fc3036b..f2a83b4 100644
 --- a/security/apparmor/domain.c
 +++ b/security/apparmor/domain.c
 @@ -236,7 +236,7 @@ static const char *next_name(int xtype, const char *name)
@@ -797,7 +1848,7 @@ index de04464..a3f70c5 100644
  void apparmor_bprm_committing_creds(struct linux_binprm *bprm);
 diff --git a/security/apparmor/include/mount.h b/security/apparmor/include/mount.h
 new file mode 100644
-index 0000000..bc17a53
+index 0000000..a43b1d6
 --- /dev/null
 +++ b/security/apparmor/include/mount.h
 @@ -0,0 +1,54 @@
@@ -832,31 +1883,31 @@ index 0000000..bc17a53
 +
 +#define AA_MS_IGNORE_MASK (MS_KERNMOUNT | MS_NOSEC | MS_ACTIVE | MS_BORN)
 +
-+int aa_remount(struct aa_profile *profile, struct path *path,
++int aa_remount(struct aa_profile *profile, const struct path *path,
 +	       unsigned long flags, void *data);
 +
-+int aa_bind_mount(struct aa_profile *profile, struct path *path,
++int aa_bind_mount(struct aa_profile *profile, const struct path *path,
 +		  const char *old_name, unsigned long flags);
 +
 +
-+int aa_mount_change_type(struct aa_profile *profile, struct path *path,
++int aa_mount_change_type(struct aa_profile *profile, const struct path *path,
 +			 unsigned long flags);
 +
-+int aa_move_mount(struct aa_profile *profile, struct path *path,
++int aa_move_mount(struct aa_profile *profile, const struct path *path,
 +		  const char *old_name);
 +
 +int aa_new_mount(struct aa_profile *profile, const char *dev_name,
-+		 struct path *path, const char *type, unsigned long flags,
++		 const struct path *path, const char *type, unsigned long flags,
 +		 void *data);
 +
 +int aa_umount(struct aa_profile *profile, struct vfsmount *mnt, int flags);
 +
-+int aa_pivotroot(struct aa_profile *profile, struct path *old_path,
-+		  struct path *new_path);
++int aa_pivotroot(struct aa_profile *profile, const struct path *old_path,
++		 const struct path *new_path);
 +
 +#endif /* __AA_MOUNT_H */
 diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
-index 47fd244..fb92441 100644
+index 88d3b0a..432cbd3 100644
 --- a/security/apparmor/lsm.c
 +++ b/security/apparmor/lsm.c
 @@ -36,6 +36,7 @@
@@ -867,12 +1918,12 @@ index 47fd244..fb92441 100644
  
  /* Flag indicating whether initialization completed */
  int apparmor_initialized __initdata;
-@@ -492,6 +493,60 @@ static int apparmor_file_mprotect(struct vm_area_struct *vma,
+@@ -469,6 +470,61 @@ static int apparmor_file_mprotect(struct vm_area_struct *vma,
  			   !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
  }
  
-+static int apparmor_sb_mount(const char *dev_name, struct path *path, const char *type,
-+			     unsigned long flags, void *data)
++static int apparmor_sb_mount(const char *dev_name, const struct path *path,
++			     const char *type, unsigned long flags, void *data)
 +{
 +	struct aa_profile *profile;
 +	int error = 0;
@@ -913,7 +1964,8 @@ index 47fd244..fb92441 100644
 +	return error;
 +}
 +
-+static int apparmor_sb_pivotroot(struct path *old_path, struct path *new_path)
++static int apparmor_sb_pivotroot(const struct path *old_path,
++				 const struct path *new_path)
 +{
 +	struct aa_profile *profile;
 +	int error = 0;
@@ -928,7 +1980,7 @@ index 47fd244..fb92441 100644
  static int apparmor_getprocattr(struct task_struct *task, char *name,
  				char **value)
  {
-@@ -710,6 +765,10 @@ static struct security_hook_list apparmor_hooks[] = {
+@@ -689,6 +745,10 @@ static struct security_hook_list apparmor_hooks[] = {
  	LSM_HOOK_INIT(capget, apparmor_capget),
  	LSM_HOOK_INIT(capable, apparmor_capable),
  
@@ -941,7 +1993,7 @@ index 47fd244..fb92441 100644
  	LSM_HOOK_INIT(path_symlink, apparmor_path_symlink),
 diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c
 new file mode 100644
-index 0000000..478aa4d
+index 0000000..9cf9170
 --- /dev/null
 +++ b/security/apparmor/mount.c
 @@ -0,0 +1,620 @@
@@ -1277,13 +2329,13 @@ index 0000000..478aa4d
 +	return 0;
 +}
 +
-+static int path_flags(struct aa_profile *profile, struct path *path)
++static int path_flags(struct aa_profile *profile, const struct path *path)
 +{
 +	return profile->path_flags |
 +		S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0;
 +}
 +
-+int aa_remount(struct aa_profile *profile, struct path *path,
++int aa_remount(struct aa_profile *profile, const struct path *path,
 +	       unsigned long flags, void *data)
 +{
 +	struct file_perms perms = { };
@@ -1310,7 +2362,7 @@ index 0000000..478aa4d
 +	return error;
 +}
 +
-+int aa_bind_mount(struct aa_profile *profile, struct path *path,
++int aa_bind_mount(struct aa_profile *profile, const struct path *path,
 +		  const char *dev_name, unsigned long flags)
 +{
 +	struct file_perms perms = { };
@@ -1352,7 +2404,7 @@ index 0000000..478aa4d
 +	return error;
 +}
 +
-+int aa_mount_change_type(struct aa_profile *profile, struct path *path,
++int aa_mount_change_type(struct aa_profile *profile, const struct path *path,
 +			 unsigned long flags)
 +{
 +	struct file_perms perms = { };
@@ -1381,7 +2433,7 @@ index 0000000..478aa4d
 +	return error;
 +}
 +
-+int aa_move_mount(struct aa_profile *profile, struct path *path,
++int aa_move_mount(struct aa_profile *profile, const struct path *path,
 +		  const char *orig_name)
 +{
 +	struct file_perms perms = { };
@@ -1422,7 +2474,7 @@ index 0000000..478aa4d
 +}
 +
 +int aa_new_mount(struct aa_profile *profile, const char *orig_dev_name,
-+		 struct path *path, const char *type, unsigned long flags,
++		 const struct path *path, const char *type, unsigned long flags,
 +		 void *data)
 +{
 +	struct file_perms perms = { };
@@ -1515,8 +2567,8 @@ index 0000000..478aa4d
 +	return error;
 +}
 +
-+int aa_pivotroot(struct aa_profile *profile, struct path *old_path,
-+		  struct path *new_path)
++int aa_pivotroot(struct aa_profile *profile, const struct path *old_path,
++		 const struct path *new_path)
 +{
 +	struct file_perms perms = { };
 +	struct aa_profile *target = NULL;
@@ -1565,6 +2617,3 @@ index 0000000..478aa4d
 +
 +	return error;
 +}
--- 
-cgit v0.10.2
-
diff --git a/kernel-imq.patch b/kernel-imq.patch
index 2ca0201..b28cac4 100644
--- a/kernel-imq.patch
+++ b/kernel-imq.patch
@@ -1,150 +1,6 @@
-diff --git a/drivers/net/Kconfig b/drivers/net/Kconfig
-index f184fb5..0e08522 100644
---- a/drivers/net/Kconfig
-+++ b/drivers/net/Kconfig
-@@ -234,6 +234,125 @@ config RIONET_RX_SIZE
- 	depends on RIONET
- 	default "128"
- 
-+config IMQ
-+	tristate "IMQ (intermediate queueing device) support"
-+	depends on NETDEVICES && NETFILTER
-+	---help---
-+	  The IMQ device(s) is used as placeholder for QoS queueing
-+	  disciplines. Every packet entering/leaving the IP stack can be
-+	  directed through the IMQ device where it's enqueued/dequeued to the
-+	  attached qdisc. This allows you to treat network devices as classes
-+	  and distribute bandwidth among them. Iptables is used to specify
-+	  through which IMQ device, if any, packets travel.
-+
-+	  More information at: https://github.com/imq/linuximq
-+
-+	  To compile this driver as a module, choose M here: the module
-+	  will be called imq.  If unsure, say N.
-+
-+choice
-+	prompt "IMQ behavior (PRE/POSTROUTING)"
-+	depends on IMQ
-+	default IMQ_BEHAVIOR_AB
-+	help
-+	  This setting defines how IMQ behaves in respect to its
-+	  hooking in PREROUTING and POSTROUTING.
-+
-+	  IMQ can work in any of the following ways:
-+
-+	      PREROUTING   |      POSTROUTING
-+	  -----------------|-------------------
-+	  #1  After NAT    |      After NAT
-+	  #2  After NAT    |      Before NAT
-+	  #3  Before NAT   |      After NAT
-+	  #4  Before NAT   |      Before NAT
-+
-+	  The default behavior is to hook before NAT on PREROUTING
-+	  and after NAT on POSTROUTING (#3).
-+
-+	  This settings are specially usefull when trying to use IMQ
-+	  to shape NATed clients.
-+
-+	  More information can be found at: https://github.com/imq/linuximq
-+
-+	  If not sure leave the default settings alone.
-+
-+config IMQ_BEHAVIOR_AA
-+	bool "IMQ AA"
-+	help
-+	  This setting defines how IMQ behaves in respect to its
-+	  hooking in PREROUTING and POSTROUTING.
-+
-+	  Choosing this option will make IMQ hook like this:
-+
-+	  PREROUTING:   After NAT
-+	  POSTROUTING:  After NAT
-+
-+	  More information can be found at: https://github.com/imq/linuximq
-+
-+	  If not sure leave the default settings alone.
-+
-+config IMQ_BEHAVIOR_AB
-+	bool "IMQ AB"
-+	help
-+	  This setting defines how IMQ behaves in respect to its
-+	  hooking in PREROUTING and POSTROUTING.
-+
-+	  Choosing this option will make IMQ hook like this:
-+
-+	  PREROUTING:   After NAT
-+	  POSTROUTING:  Before NAT
-+
-+	  More information can be found at: https://github.com/imq/linuximq
-+
-+	  If not sure leave the default settings alone.
-+
-+config IMQ_BEHAVIOR_BA
-+	bool "IMQ BA"
-+	help
-+	  This setting defines how IMQ behaves in respect to its
-+	  hooking in PREROUTING and POSTROUTING.
-+
-+	  Choosing this option will make IMQ hook like this:
-+
-+	  PREROUTING:   Before NAT
-+	  POSTROUTING:  After NAT
-+
-+	  More information can be found at: https://github.com/imq/linuximq
-+
-+	  If not sure leave the default settings alone.
-+
-+config IMQ_BEHAVIOR_BB
-+	bool "IMQ BB"
-+	help
-+	  This setting defines how IMQ behaves in respect to its
-+	  hooking in PREROUTING and POSTROUTING.
-+
-+	  Choosing this option will make IMQ hook like this:
-+
-+	  PREROUTING:   Before NAT
-+	  POSTROUTING:  Before NAT
-+
-+	  More information can be found at: https://github.com/imq/linuximq
-+
-+	  If not sure leave the default settings alone.
-+
-+endchoice
-+
-+config IMQ_NUM_DEVS
-+	int "Number of IMQ devices"
-+	range 2 16
-+	depends on IMQ
-+	default "16"
-+	help
-+	  This setting defines how many IMQ devices will be created.
-+
-+	  The default value is 16.
-+
-+	  More information can be found at: https://github.com/imq/linuximq
-+
-+	  If not sure leave the default settings alone.
-+
- config TUN
- 	tristate "Universal TUN/TAP device driver support"
- 	depends on INET
-diff --git a/drivers/net/Makefile b/drivers/net/Makefile
-index 900b0c5..e093402 100644
---- a/drivers/net/Makefile
-+++ b/drivers/net/Makefile
-@@ -10,6 +10,7 @@ obj-$(CONFIG_IPVLAN) += ipvlan/
- obj-$(CONFIG_DUMMY) += dummy.o
- obj-$(CONFIG_EQUALIZER) += eql.o
- obj-$(CONFIG_IFB) += ifb.o
-+obj-$(CONFIG_IMQ) += imq.o
- obj-$(CONFIG_MACSEC) += macsec.o
- obj-$(CONFIG_MACVLAN) += macvlan.o
- obj-$(CONFIG_MACVTAP) += macvtap.o
-diff --git a/drivers/net/imq.c b/drivers/net/imq.c
-new file mode 100644
-index 0000000..f80258f
---- /dev/null
-+++ b/drivers/net/imq.c
+diff -Naupr linux-4.7_orig/drivers/net/imq.c linux-4.7/drivers/net/imq.c
+--- linux-4.7_orig/drivers/net/imq.c	1970-01-01 07:00:00.000000000 +0700
++++ linux-4.7/drivers/net/imq.c	2016-07-26 20:58:55.635901659 +0700
 @@ -0,0 +1,903 @@
 +/*
 + *             Pseudo-driver for the intermediate queue device.
@@ -465,7 +321,7 @@ index 0000000..f80258f
 +	struct nf_queue_entry *entry = skb->nf_queue_entry;
 +
 +	skb->nf_queue_entry = NULL;
-+	dev->trans_start = jiffies;
++	netif_trans_update(dev);
 +
 +	dev->stats.tx_bytes += skb->len;
 +	dev->stats.tx_packets++;
@@ -1049,11 +905,149 @@ index 0000000..f80258f
 +MODULE_DESCRIPTION("Pseudo-driver for the intermediate queue device. See https://github.com/imq/linuximq/wiki for more information.");
 +MODULE_LICENSE("GPL");
 +MODULE_ALIAS_RTNL_LINK("imq");
-diff --git a/include/linux/imq.h b/include/linux/imq.h
-new file mode 100644
-index 0000000..1babb09
---- /dev/null
-+++ b/include/linux/imq.h
+diff -Naupr linux-4.7_orig/drivers/net/Kconfig linux-4.7/drivers/net/Kconfig
+--- linux-4.7_orig/drivers/net/Kconfig	2016-07-25 02:23:50.000000000 +0700
++++ linux-4.7/drivers/net/Kconfig	2016-07-26 20:58:55.635901659 +0700
+@@ -258,6 +258,125 @@ config RIONET_RX_SIZE
+ 	depends on RIONET
+ 	default "128"
+ 
++config IMQ
++	tristate "IMQ (intermediate queueing device) support"
++	depends on NETDEVICES && NETFILTER
++	---help---
++	  The IMQ device(s) is used as placeholder for QoS queueing
++	  disciplines. Every packet entering/leaving the IP stack can be
++	  directed through the IMQ device where it's enqueued/dequeued to the
++	  attached qdisc. This allows you to treat network devices as classes
++	  and distribute bandwidth among them. Iptables is used to specify
++	  through which IMQ device, if any, packets travel.
++
++	  More information at: https://github.com/imq/linuximq
++
++	  To compile this driver as a module, choose M here: the module
++	  will be called imq.  If unsure, say N.
++
++choice
++	prompt "IMQ behavior (PRE/POSTROUTING)"
++	depends on IMQ
++	default IMQ_BEHAVIOR_AB
++	help
++	  This setting defines how IMQ behaves in respect to its
++	  hooking in PREROUTING and POSTROUTING.
++
++	  IMQ can work in any of the following ways:
++
++	      PREROUTING   |      POSTROUTING
++	  -----------------|-------------------
++	  #1  After NAT    |      After NAT
++	  #2  After NAT    |      Before NAT
++	  #3  Before NAT   |      After NAT
++	  #4  Before NAT   |      Before NAT
++
++	  The default behavior is to hook before NAT on PREROUTING
++	  and after NAT on POSTROUTING (#3).
++
++	  This settings are specially usefull when trying to use IMQ
++	  to shape NATed clients.
++
++	  More information can be found at: https://github.com/imq/linuximq
++
++	  If not sure leave the default settings alone.
++
++config IMQ_BEHAVIOR_AA
++	bool "IMQ AA"
++	help
++	  This setting defines how IMQ behaves in respect to its
++	  hooking in PREROUTING and POSTROUTING.
++
++	  Choosing this option will make IMQ hook like this:
++
++	  PREROUTING:   After NAT
++	  POSTROUTING:  After NAT
++
++	  More information can be found at: https://github.com/imq/linuximq
++
++	  If not sure leave the default settings alone.
++
++config IMQ_BEHAVIOR_AB
++	bool "IMQ AB"
++	help
++	  This setting defines how IMQ behaves in respect to its
++	  hooking in PREROUTING and POSTROUTING.
++
++	  Choosing this option will make IMQ hook like this:
++
++	  PREROUTING:   After NAT
++	  POSTROUTING:  Before NAT
++
++	  More information can be found at: https://github.com/imq/linuximq
++
++	  If not sure leave the default settings alone.
++
++config IMQ_BEHAVIOR_BA
++	bool "IMQ BA"
++	help
++	  This setting defines how IMQ behaves in respect to its
++	  hooking in PREROUTING and POSTROUTING.
++
++	  Choosing this option will make IMQ hook like this:
++
++	  PREROUTING:   Before NAT
++	  POSTROUTING:  After NAT
++
++	  More information can be found at: https://github.com/imq/linuximq
++
++	  If not sure leave the default settings alone.
++
++config IMQ_BEHAVIOR_BB
++	bool "IMQ BB"
++	help
++	  This setting defines how IMQ behaves in respect to its
++	  hooking in PREROUTING and POSTROUTING.
++
++	  Choosing this option will make IMQ hook like this:
++
++	  PREROUTING:   Before NAT
++	  POSTROUTING:  Before NAT
++
++	  More information can be found at: https://github.com/imq/linuximq
++
++	  If not sure leave the default settings alone.
++
++endchoice
++
++config IMQ_NUM_DEVS
++	int "Number of IMQ devices"
++	range 2 16
++	depends on IMQ
++	default "16"
++	help
++	  This setting defines how many IMQ devices will be created.
++
++	  The default value is 16.
++
++	  More information can be found at: https://github.com/imq/linuximq
++
++	  If not sure leave the default settings alone.
++
+ config TUN
+ 	tristate "Universal TUN/TAP device driver support"
+ 	depends on INET
+diff -Naupr linux-4.7_orig/drivers/net/Makefile linux-4.7/drivers/net/Makefile
+--- linux-4.7_orig/drivers/net/Makefile	2016-07-25 02:23:50.000000000 +0700
++++ linux-4.7/drivers/net/Makefile	2016-07-26 20:58:55.635901659 +0700
+@@ -11,6 +11,7 @@ obj-$(CONFIG_DUMMY) += dummy.o
+ obj-$(CONFIG_EQUALIZER) += eql.o
+ obj-$(CONFIG_IFB) += ifb.o
+ obj-$(CONFIG_MACSEC) += macsec.o
++obj-$(CONFIG_IMQ) += imq.o
+ obj-$(CONFIG_MACVLAN) += macvlan.o
+ obj-$(CONFIG_MACVTAP) += macvtap.o
+ obj-$(CONFIG_MII) += mii.o
+diff -Naupr linux-4.7_orig/include/linux/imq.h linux-4.7/include/linux/imq.h
+--- linux-4.7_orig/include/linux/imq.h	1970-01-01 07:00:00.000000000 +0700
++++ linux-4.7/include/linux/imq.h	2016-07-26 20:58:55.639235009 +0700
 @@ -0,0 +1,13 @@
 +#ifndef _IMQ_H
 +#define _IMQ_H
@@ -1068,11 +1062,10 @@ index 0000000..1babb09
 +
 +#endif /* _IMQ_H */
 +
-diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
-index 3143c84..e213b31 100644
---- a/include/linux/netdevice.h
-+++ b/include/linux/netdevice.h
-@@ -3341,6 +3341,19 @@ static inline void netif_tx_unlock_bh(struct net_device *dev)
+diff -Naupr linux-4.7_orig/include/linux/netdevice.h linux-4.7/include/linux/netdevice.h
+--- linux-4.7_orig/include/linux/netdevice.h	2016-07-25 02:23:50.000000000 +0700
++++ linux-4.7/include/linux/netdevice.h	2016-07-26 20:58:55.639235009 +0700
+@@ -3558,6 +3558,19 @@ static inline void netif_tx_unlock_bh(st
  	}						\
  }
  
@@ -1092,11 +1085,9 @@ index 3143c84..e213b31 100644
  static inline void netif_tx_disable(struct net_device *dev)
  {
  	unsigned int i;
-diff --git a/include/linux/netfilter/xt_IMQ.h b/include/linux/netfilter/xt_IMQ.h
-new file mode 100644
-index 0000000..9b07230
---- /dev/null
-+++ b/include/linux/netfilter/xt_IMQ.h
+diff -Naupr linux-4.7_orig/include/linux/netfilter/xt_IMQ.h linux-4.7/include/linux/netfilter/xt_IMQ.h
+--- linux-4.7_orig/include/linux/netfilter/xt_IMQ.h	1970-01-01 07:00:00.000000000 +0700
++++ linux-4.7/include/linux/netfilter/xt_IMQ.h	2016-07-26 20:58:55.639235009 +0700
 @@ -0,0 +1,9 @@
 +#ifndef _XT_IMQ_H
 +#define _XT_IMQ_H
@@ -1107,11 +1098,9 @@ index 0000000..9b07230
 +
 +#endif /* _XT_IMQ_H */
 +
-diff --git a/include/linux/netfilter_ipv4/ipt_IMQ.h b/include/linux/netfilter_ipv4/ipt_IMQ.h
-new file mode 100644
-index 0000000..7af320f
---- /dev/null
-+++ b/include/linux/netfilter_ipv4/ipt_IMQ.h
+diff -Naupr linux-4.7_orig/include/linux/netfilter_ipv4/ipt_IMQ.h linux-4.7/include/linux/netfilter_ipv4/ipt_IMQ.h
+--- linux-4.7_orig/include/linux/netfilter_ipv4/ipt_IMQ.h	1970-01-01 07:00:00.000000000 +0700
++++ linux-4.7/include/linux/netfilter_ipv4/ipt_IMQ.h	2016-07-26 20:58:55.639235009 +0700
 @@ -0,0 +1,10 @@
 +#ifndef _IPT_IMQ_H
 +#define _IPT_IMQ_H
@@ -1123,11 +1112,9 @@ index 0000000..7af320f
 +
 +#endif /* _IPT_IMQ_H */
 +
-diff --git a/include/linux/netfilter_ipv6/ip6t_IMQ.h b/include/linux/netfilter_ipv6/ip6t_IMQ.h
-new file mode 100644
-index 0000000..198ac01
---- /dev/null
-+++ b/include/linux/netfilter_ipv6/ip6t_IMQ.h
+diff -Naupr linux-4.7_orig/include/linux/netfilter_ipv6/ip6t_IMQ.h linux-4.7/include/linux/netfilter_ipv6/ip6t_IMQ.h
+--- linux-4.7_orig/include/linux/netfilter_ipv6/ip6t_IMQ.h	1970-01-01 07:00:00.000000000 +0700
++++ linux-4.7/include/linux/netfilter_ipv6/ip6t_IMQ.h	2016-07-26 20:58:55.639235009 +0700
 @@ -0,0 +1,10 @@
 +#ifndef _IP6T_IMQ_H
 +#define _IP6T_IMQ_H
@@ -1139,10 +1126,9 @@ index 0000000..198ac01
 +
 +#endif /* _IP6T_IMQ_H */
 +
-diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
-index 4355129..47914c0 100644
---- a/include/linux/skbuff.h
-+++ b/include/linux/skbuff.h
+diff -Naupr linux-4.7_orig/include/linux/skbuff.h linux-4.7/include/linux/skbuff.h
+--- linux-4.7_orig/include/linux/skbuff.h	2016-07-25 02:23:50.000000000 +0700
++++ linux-4.7/include/linux/skbuff.h	2016-07-26 20:58:55.639235009 +0700
 @@ -38,6 +38,10 @@
  #include <linux/splice.h>
  #include <linux/in6.h>
@@ -1152,9 +1138,9 @@ index 4355129..47914c0 100644
 +#endif
 +
  
- /* A. Checksumming of received packets by device.
-  *
-@@ -566,6 +570,9 @@ struct sk_buff {
+ /* The interface for checksum offload between the stack and networking drivers
+  * is as follows...
+@@ -647,6 +651,9 @@ struct sk_buff {
  	 * first. This is owned by whoever has the skb queued ATM.
  	 */
  	char			cb[48] __aligned(8);
@@ -1164,7 +1150,7 @@ index 4355129..47914c0 100644
  
  	unsigned long		_skb_refdst;
  	void			(*destructor)(struct sk_buff *skb);
-@@ -575,6 +582,9 @@ struct sk_buff {
+@@ -656,6 +663,9 @@ struct sk_buff {
  #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
  	struct nf_conntrack	*nfct;
  #endif
@@ -1174,7 +1160,7 @@ index 4355129..47914c0 100644
  #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
  	struct nf_bridge_info	*nf_bridge;
  #endif
-@@ -642,6 +652,9 @@ struct sk_buff {
+@@ -723,6 +733,9 @@ struct sk_buff {
  	__u8			inner_protocol_type:1;
  	__u8			remcsum_offload:1;
  	/* 3 or 5 bit hole */
@@ -1184,7 +1170,7 @@ index 4355129..47914c0 100644
  
  #ifdef CONFIG_NET_SCHED
  	__u16			tc_index;	/* traffic control index */
-@@ -798,6 +811,12 @@ void kfree_skb_list(struct sk_buff *segs);
+@@ -879,6 +892,12 @@ void kfree_skb_list(struct sk_buff *segs
  void skb_tx_error(struct sk_buff *skb);
  void consume_skb(struct sk_buff *skb);
  void  __kfree_skb(struct sk_buff *skb);
@@ -1197,7 +1183,7 @@ index 4355129..47914c0 100644
  extern struct kmem_cache *skbuff_head_cache;
  
  void kfree_skb_partial(struct sk_buff *skb, bool head_stolen);
-@@ -3344,6 +3363,10 @@ static inline void __nf_copy(struct sk_buff *dst, const struct sk_buff *src,
+@@ -3523,6 +3542,10 @@ static inline void __nf_copy(struct sk_b
  	if (copy)
  		dst->nfctinfo = src->nfctinfo;
  #endif
@@ -1208,13 +1194,12 @@ index 4355129..47914c0 100644
  #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
  	dst->nf_bridge  = src->nf_bridge;
  	nf_bridge_get(src->nf_bridge);
-diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h
-index 9c5638a..b173aa7 100644
---- a/include/net/netfilter/nf_queue.h
-+++ b/include/net/netfilter/nf_queue.h
+diff -Naupr linux-4.7_orig/include/net/netfilter/nf_queue.h linux-4.7/include/net/netfilter/nf_queue.h
+--- linux-4.7_orig/include/net/netfilter/nf_queue.h	2016-07-25 02:23:50.000000000 +0700
++++ linux-4.7/include/net/netfilter/nf_queue.h	2016-07-26 20:58:55.642568359 +0700
 @@ -31,6 +31,12 @@ struct nf_queue_handler {
- void nf_register_queue_handler(const struct nf_queue_handler *qh);
- void nf_unregister_queue_handler(void);
+ void nf_register_queue_handler(struct net *net, const struct nf_queue_handler *qh);
+ void nf_unregister_queue_handler(struct net *net);
  void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict);
 +void nf_queue_entry_release_refs(struct nf_queue_entry *entry);
 +
@@ -1225,11 +1210,10 @@ index 9c5638a..b173aa7 100644
  
  void nf_queue_entry_get_refs(struct nf_queue_entry *entry);
  void nf_queue_entry_release_refs(struct nf_queue_entry *entry);
-diff --git a/include/net/pkt_sched.h b/include/net/pkt_sched.h
-index 401038d..4668849 100644
---- a/include/net/pkt_sched.h
-+++ b/include/net/pkt_sched.h
-@@ -104,6 +104,8 @@ int sch_direct_xmit(struct sk_buff *skb, struct Qdisc *q,
+diff -Naupr linux-4.7_orig/include/net/pkt_sched.h linux-4.7/include/net/pkt_sched.h
+--- linux-4.7_orig/include/net/pkt_sched.h	2016-07-25 02:23:50.000000000 +0700
++++ linux-4.7/include/net/pkt_sched.h	2016-07-26 20:58:55.642568359 +0700
+@@ -105,6 +105,8 @@ int sch_direct_xmit(struct sk_buff *skb,
  
  void __qdisc_run(struct Qdisc *q);
  
@@ -1238,11 +1222,10 @@ index 401038d..4668849 100644
  static inline void qdisc_run(struct Qdisc *q)
  {
  	if (qdisc_run_begin(q))
-diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
-index b2a8e63..d9feaa3 100644
---- a/include/net/sch_generic.h
-+++ b/include/net/sch_generic.h
-@@ -506,6 +506,12 @@ static inline int qdisc_enqueue(struct sk_buff *skb, struct Qdisc *sch)
+diff -Naupr linux-4.7_orig/include/net/sch_generic.h linux-4.7/include/net/sch_generic.h
+--- linux-4.7_orig/include/net/sch_generic.h	2016-07-25 02:23:50.000000000 +0700
++++ linux-4.7/include/net/sch_generic.h	2016-07-26 20:58:55.642568359 +0700
+@@ -523,6 +523,12 @@ static inline int qdisc_enqueue(struct s
  	return sch->enqueue(skb, sch);
  }
  
@@ -1255,10 +1238,9 @@ index b2a8e63..d9feaa3 100644
  static inline bool qdisc_is_percpu_stats(const struct Qdisc *q)
  {
  	return q->flags & TCQ_F_CPUSTATS;
-diff --git a/include/uapi/linux/netfilter.h b/include/uapi/linux/netfilter.h
-index d93f949..23fb6d1 100644
---- a/include/uapi/linux/netfilter.h
-+++ b/include/uapi/linux/netfilter.h
+diff -Naupr linux-4.7_orig/include/uapi/linux/netfilter.h linux-4.7/include/uapi/linux/netfilter.h
+--- linux-4.7_orig/include/uapi/linux/netfilter.h	2016-07-25 02:23:50.000000000 +0700
++++ linux-4.7/include/uapi/linux/netfilter.h	2016-07-26 20:58:55.642568359 +0700
 @@ -14,7 +14,8 @@
  #define NF_QUEUE 3
  #define NF_REPEAT 4
@@ -1269,11 +1251,10 @@ index d93f949..23fb6d1 100644
  
  /* we overload the higher bits for encoding auxiliary data such as the queue
   * number or errno values. Not nice, but better than additional function
-diff --git a/net/core/dev.c b/net/core/dev.c
-index ae00b89..1cdcd02 100644
---- a/net/core/dev.c
-+++ b/net/core/dev.c
-@@ -137,6 +137,9 @@
+diff -Naupr linux-4.7_orig/net/core/dev.c linux-4.7/net/core/dev.c
+--- linux-4.7_orig/net/core/dev.c	2016-07-25 02:23:50.000000000 +0700
++++ linux-4.7/net/core/dev.c	2016-07-26 20:58:55.642568359 +0700
+@@ -139,6 +139,9 @@
  #include <linux/hrtimer.h>
  #include <linux/netfilter_ingress.h>
  #include <linux/sctp.h>
@@ -1283,7 +1264,7 @@ index ae00b89..1cdcd02 100644
  
  #include "net-sysfs.h"
  
-@@ -2705,7 +2708,12 @@ static int xmit_one(struct sk_buff *skb, struct net_device *dev,
+@@ -2908,7 +2911,12 @@ static int xmit_one(struct sk_buff *skb,
  	unsigned int len;
  	int rc;
  
@@ -1296,7 +1277,7 @@ index ae00b89..1cdcd02 100644
  		dev_queue_xmit_nit(skb, dev);
  
  	len = skb->len;
-@@ -2743,6 +2751,7 @@ out:
+@@ -2946,6 +2954,7 @@ out:
  	*ret = rc;
  	return skb;
  }
@@ -1304,7 +1285,7 @@ index ae00b89..1cdcd02 100644
  
  static struct sk_buff *validate_xmit_vlan(struct sk_buff *skb,
  					  netdev_features_t features)
-@@ -2831,6 +2840,7 @@ struct sk_buff *validate_xmit_skb_list(struct sk_buff *skb, struct net_device *d
+@@ -3032,6 +3041,7 @@ struct sk_buff *validate_xmit_skb_list(s
  	}
  	return head;
  }
@@ -1312,11 +1293,10 @@ index ae00b89..1cdcd02 100644
  
  static void qdisc_pkt_len_init(struct sk_buff *skb)
  {
-diff --git a/net/core/skbuff.c b/net/core/skbuff.c
-index b2df375..bc3c51e 100644
---- a/net/core/skbuff.c
-+++ b/net/core/skbuff.c
-@@ -79,6 +79,87 @@
+diff -Naupr linux-4.7_orig/net/core/skbuff.c linux-4.7/net/core/skbuff.c
+--- linux-4.7_orig/net/core/skbuff.c	2016-07-25 02:23:50.000000000 +0700
++++ linux-4.7/net/core/skbuff.c	2016-07-26 20:58:55.645901708 +0700
+@@ -81,6 +81,87 @@ struct kmem_cache *skbuff_head_cache __r
  static struct kmem_cache *skbuff_fclone_cache __read_mostly;
  int sysctl_max_skb_frags __read_mostly = MAX_SKB_FRAGS;
  EXPORT_SYMBOL(sysctl_max_skb_frags);
@@ -1404,7 +1384,7 @@ index b2df375..bc3c51e 100644
  
  /**
   *	skb_panic - private function for out-of-line support
-@@ -643,6 +724,28 @@ static void skb_release_head_state(struct sk_buff *skb)
+@@ -653,6 +734,28 @@ static void skb_release_head_state(struc
  		WARN_ON(in_irq());
  		skb->destructor(skb);
  	}
@@ -1433,7 +1413,7 @@ index b2df375..bc3c51e 100644
  #if IS_ENABLED(CONFIG_NF_CONNTRACK)
  	nf_conntrack_put(skb->nfct);
  #endif
-@@ -765,6 +868,10 @@ static void __copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
+@@ -842,6 +945,10 @@ static void __copy_skb_header(struct sk_
  	new->sp			= secpath_get(old->sp);
  #endif
  	__nf_copy(new, old, false);
@@ -1444,7 +1424,7 @@ index b2df375..bc3c51e 100644
  
  	/* Note : this field could be in headers_start/headers_end section
  	 * It is not yet because we do not want to have a 16 bit hole
-@@ -3325,6 +3432,13 @@ void __init skb_init(void)
+@@ -3433,6 +3540,13 @@ void __init skb_init(void)
  						0,
  						SLAB_HWCACHE_ALIGN|SLAB_PANIC,
  						NULL);
@@ -1458,11 +1438,10 @@ index b2df375..bc3c51e 100644
  }
  
  /**
-diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
-index e6a7bd15..c81496e 100644
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -65,9 +65,6 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *
+diff -Naupr linux-4.7_orig/net/ipv6/ip6_output.c linux-4.7/net/ipv6/ip6_output.c
+--- linux-4.7_orig/net/ipv6/ip6_output.c	2016-07-25 02:23:50.000000000 +0700
++++ linux-4.7/net/ipv6/ip6_output.c	2016-07-26 20:58:55.645901708 +0700
+@@ -65,9 +65,6 @@ static int ip6_finish_output2(struct net
  	struct in6_addr *nexthop;
  	int ret;
  
@@ -1472,7 +1451,7 @@ index e6a7bd15..c81496e 100644
  	if (ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr)) {
  		struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
  
-@@ -142,6 +139,13 @@ int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
+@@ -142,6 +139,13 @@ int ip6_output(struct net *net, struct s
  		return 0;
  	}
  
@@ -1486,11 +1465,27 @@ index e6a7bd15..c81496e 100644
  	return NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING,
  			    net, sk, skb, NULL, dev,
  			    ip6_finish_output,
-diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
-index 4692782..dce47db 100644
---- a/net/netfilter/Kconfig
-+++ b/net/netfilter/Kconfig
-@@ -785,6 +785,18 @@ config NETFILTER_XT_TARGET_LOG
+diff -Naupr linux-4.7_orig/net/netfilter/core.c linux-4.7/net/netfilter/core.c
+--- linux-4.7_orig/net/netfilter/core.c	2016-07-25 02:23:50.000000000 +0700
++++ linux-4.7/net/netfilter/core.c	2016-07-26 20:58:55.645901708 +0700
+@@ -311,9 +311,11 @@ next_hook:
+ 		ret = NF_DROP_GETERR(verdict);
+ 		if (ret == 0)
+ 			ret = -EPERM;
+-	} else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
++	} else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE ||
++		(verdict & NF_VERDICT_MASK) == NF_IMQ_QUEUE) {
+ 		int err = nf_queue(skb, elem, state,
+-				   verdict >> NF_VERDICT_QBITS);
++				   verdict >> NF_VERDICT_QBITS,
++				  verdict & NF_VERDICT_MASK);
+ 		if (err < 0) {
+ 			if (err == -ESRCH &&
+ 			   (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS))
+diff -Naupr linux-4.7_orig/net/netfilter/Kconfig linux-4.7/net/netfilter/Kconfig
+--- linux-4.7_orig/net/netfilter/Kconfig	2016-07-25 02:23:50.000000000 +0700
++++ linux-4.7/net/netfilter/Kconfig	2016-07-26 20:58:55.645901708 +0700
+@@ -807,6 +807,18 @@ config NETFILTER_XT_TARGET_LOG
  
  	  To compile it as a module, choose M here.  If unsure, say N.
  
@@ -1509,11 +1504,10 @@ index 4692782..dce47db 100644
  config NETFILTER_XT_TARGET_MARK
  	tristate '"MARK" target support'
  	depends on NETFILTER_ADVANCED
-diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
-index 7638c36..614ad8a 100644
---- a/net/netfilter/Makefile
-+++ b/net/netfilter/Makefile
-@@ -108,6 +108,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_CT) += xt_CT.o
+diff -Naupr linux-4.7_orig/net/netfilter/Makefile linux-4.7/net/netfilter/Makefile
+--- linux-4.7_orig/net/netfilter/Makefile	2016-07-25 02:23:50.000000000 +0700
++++ linux-4.7/net/netfilter/Makefile	2016-07-26 20:58:55.645901708 +0700
+@@ -115,6 +115,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_CT) +=
  obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
  obj-$(CONFIG_NETFILTER_XT_TARGET_HL) += xt_HL.o
  obj-$(CONFIG_NETFILTER_XT_TARGET_HMARK) += xt_HMARK.o
@@ -1521,29 +1515,10 @@ index 7638c36..614ad8a 100644
  obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
  obj-$(CONFIG_NETFILTER_XT_TARGET_LOG) += xt_LOG.o
  obj-$(CONFIG_NETFILTER_XT_TARGET_NETMAP) += xt_NETMAP.o
-diff --git a/net/netfilter/core.c b/net/netfilter/core.c
-index f39276d..9877a27 100644
---- a/net/netfilter/core.c
-+++ b/net/netfilter/core.c
-@@ -311,9 +311,11 @@ next_hook:
- 		ret = NF_DROP_GETERR(verdict);
- 		if (ret == 0)
- 			ret = -EPERM;
--	} else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
-+	} else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE ||
-+		(verdict & NF_VERDICT_MASK) == NF_IMQ_QUEUE) {
- 		int err = nf_queue(skb, elem, state,
--				   verdict >> NF_VERDICT_QBITS);
-+				   verdict >> NF_VERDICT_QBITS,
-+				  verdict & NF_VERDICT_MASK);
- 		if (err < 0) {
- 			if (err == -ESRCH &&
- 			   (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS))
-diff --git a/net/netfilter/nf_internals.h b/net/netfilter/nf_internals.h
-index 0655225..25d4141 100644
---- a/net/netfilter/nf_internals.h
-+++ b/net/netfilter/nf_internals.h
-@@ -18,7 +18,7 @@ unsigned int nf_iterate(struct list_head *head, struct sk_buff *skb,
+diff -Naupr linux-4.7_orig/net/netfilter/nf_internals.h linux-4.7/net/netfilter/nf_internals.h
+--- linux-4.7_orig/net/netfilter/nf_internals.h	2016-07-25 02:23:50.000000000 +0700
++++ linux-4.7/net/netfilter/nf_internals.h	2016-07-26 20:58:55.645901708 +0700
+@@ -18,7 +18,7 @@ unsigned int nf_iterate(struct list_head
  
  /* nf_queue.c */
  int nf_queue(struct sk_buff *skb, struct nf_hook_ops *elem,
@@ -1552,13 +1527,12 @@ index 0655225..25d4141 100644
  void nf_queue_nf_hook_drop(struct net *net, struct nf_hook_ops *ops);
  int __init netfilter_queue_init(void);
  
-diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
-index 5baa8e2..9740e8c 100644
---- a/net/netfilter/nf_queue.c
-+++ b/net/netfilter/nf_queue.c
-@@ -28,6 +28,23 @@
+diff -Naupr linux-4.7_orig/net/netfilter/nf_queue.c linux-4.7/net/netfilter/nf_queue.c
+--- linux-4.7_orig/net/netfilter/nf_queue.c	2016-07-25 02:23:50.000000000 +0700
++++ linux-4.7/net/netfilter/nf_queue.c	2016-07-26 20:58:55.649235058 +0700
+@@ -27,6 +27,23 @@
+  * receives, no matter what.
   */
- static const struct nf_queue_handler __rcu *queue_handler __read_mostly;
  
 +#if defined(CONFIG_IMQ) || defined(CONFIG_IMQ_MODULE)
 +static const struct nf_queue_handler __rcu *queue_imq_handler __read_mostly;
@@ -1579,8 +1553,8 @@ index 5baa8e2..9740e8c 100644
 +
  /* return EBUSY when somebody else is registered, return EEXIST if the
   * same handler is registered, return 0 in case of success. */
- void nf_register_queue_handler(const struct nf_queue_handler *qh)
-@@ -116,7 +133,8 @@ void nf_queue_nf_hook_drop(struct net *net, struct nf_hook_ops *ops)
+ void nf_register_queue_handler(struct net *net, const struct nf_queue_handler *qh)
+@@ -114,7 +131,8 @@ void nf_queue_nf_hook_drop(struct net *n
  int nf_queue(struct sk_buff *skb,
  	     struct nf_hook_ops *elem,
  	     struct nf_hook_state *state,
@@ -1590,11 +1564,11 @@ index 5baa8e2..9740e8c 100644
  {
  	int status = -ENOENT;
  	struct nf_queue_entry *entry = NULL;
-@@ -124,7 +142,17 @@ int nf_queue(struct sk_buff *skb,
- 	const struct nf_queue_handler *qh;
+@@ -123,7 +141,17 @@ int nf_queue(struct sk_buff *skb,
+ 	struct net *net = state->net;
  
  	/* QUEUE == DROP if no one is waiting, to be safe. */
--	qh = rcu_dereference(queue_handler);
+-	qh = rcu_dereference(net->nf.queue_handler);
 +	if (queuetype == NF_IMQ_QUEUE) {
 +#if defined(CONFIG_IMQ) || defined(CONFIG_IMQ_MODULE)
 +		qh = rcu_dereference(queue_imq_handler);
@@ -1603,13 +1577,13 @@ index 5baa8e2..9740e8c 100644
 +		goto err_unlock;
 +#endif
 +	} else {
-+		qh = rcu_dereference(queue_handler);
++		qh = rcu_dereference(net->nf.queue_handler);
 +	}
 +
  	if (!qh) {
  		status = -ESRCH;
  		goto err;
-@@ -199,8 +227,10 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
+@@ -198,8 +226,10 @@ void nf_reinject(struct nf_queue_entry *
  		local_bh_enable();
  		break;
  	case NF_QUEUE:
@@ -1621,11 +1595,9 @@ index 5baa8e2..9740e8c 100644
  		if (err < 0) {
  			if (err == -ESRCH &&
  			   (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS))
-diff --git a/net/netfilter/xt_IMQ.c b/net/netfilter/xt_IMQ.c
-new file mode 100644
-index 0000000..86d7b84
---- /dev/null
-+++ b/net/netfilter/xt_IMQ.c
+diff -Naupr linux-4.7_orig/net/netfilter/xt_IMQ.c linux-4.7/net/netfilter/xt_IMQ.c
+--- linux-4.7_orig/net/netfilter/xt_IMQ.c	1970-01-01 07:00:00.000000000 +0700
++++ linux-4.7/net/netfilter/xt_IMQ.c	2016-07-26 20:58:55.649235058 +0700
 @@ -0,0 +1,72 @@
 +/*
 + * This target marks packets to be enqueued to an imq device
@@ -1693,17 +1665,16 @@ index 0000000..86d7b84
 +module_init(imq_init);
 +module_exit(imq_fini);
 +
-+MODULE_AUTHOR("http://https://github.com/imq/linuximq");
++MODULE_AUTHOR("https://github.com/imq/linuximq");
 +MODULE_DESCRIPTION("Pseudo-driver for the intermediate queue device. See https://github.com/imq/linuximq/wiki for more information.");
 +MODULE_LICENSE("GPL");
 +MODULE_ALIAS("ipt_IMQ");
 +MODULE_ALIAS("ip6t_IMQ");
 +
-diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
-index e82a1ad..b55331d 100644
---- a/net/sched/sch_generic.c
-+++ b/net/sched/sch_generic.c
-@@ -108,6 +108,14 @@ static struct sk_buff *dequeue_skb(struct Qdisc *q, bool *validate,
+diff -Naupr linux-4.7_orig/net/sched/sch_generic.c linux-4.7/net/sched/sch_generic.c
+--- linux-4.7_orig/net/sched/sch_generic.c	2016-07-25 02:23:50.000000000 +0700
++++ linux-4.7/net/sched/sch_generic.c	2016-07-26 20:58:55.649235058 +0700
+@@ -110,6 +110,14 @@ static struct sk_buff *dequeue_skb(struc
  	return skb;
  }
  
@@ -1715,6 +1686,6 @@ index e82a1ad..b55331d 100644
 +}
 +EXPORT_SYMBOL(qdisc_dequeue_skb);
 +
- static inline int handle_dev_cpu_collision(struct sk_buff *skb,
- 					   struct netdev_queue *dev_queue,
- 					   struct Qdisc *q)
+ /*
+  * Transmit possibly several skbs, and handle the return status as
+  * required. Holding the __QDISC___STATE_RUNNING bit guarantees that
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/kernel.git/commitdiff/0776672ee02c20aad1fc3255f8d47289c503a927



More information about the pld-cvs-commit mailing list