apparmor/kernel-patches/for-mainline/apparmor-failed-name-error.diff

---
 security/apparmor/main.c |   39 ++++++++++++++++++++++++++++-----------
 1 file changed, 28 insertions(+), 11 deletions(-)

--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
@@ -216,6 +216,12 @@ static int aa_perm_dentry(struct aa_prof
 		else {
 			sa->denied_mask = sa->request_mask;
 			sa->error_code = PTR_ERR(sa->name);
+			if (sa->error_code == -ENOENT)
+				sa->info = "Failed name resolution - object not a valid entry";
+			else if (sa->error_code == -ENAMETOOLONG)
+				sa->info = "Failed name resolution - name too long";
+			else
+				sa->info = "Failed name resolution";
 		}
 		sa->name = NULL;
 	} else
@@ -371,8 +377,11 @@ static int aa_audit_base(struct aa_profi
 	if (sa->operation)
 		audit_log_format(ab, "operation=\"%s\"", sa->operation);
 
-	if (sa->info)
+	if (sa->info) {
 		audit_log_format(ab, " info=\"%s\"", sa->info);
+		if (sa->error_code)
+			audit_log_format(ab, " error=%d", sa->error_code);
+	}
 
 	if (sa->request_mask)
 		aa_audit_file_mask(ab, "requested_mask", sa->request_mask);
@@ -918,23 +927,29 @@ int aa_register(struct linux_binprm *bpr
 
 	AA_DEBUG("%s\n", __FUNCTION__);
 
-	filename = aa_get_name(filp->f_dentry, filp->f_vfsmnt, &buffer, 0);
-	if (IS_ERR(filename)) {
-		AA_ERROR("%s: Failed to get filename", __FUNCTION__);
-		return -ENOENT;
-	}
+	profile = aa_get_profile(current);
 
 	shift = aa_inode_mode(filp->f_dentry->d_inode);
-	exec_mode = AA_EXEC_UNSAFE << shift;
-
 	memset(&sa, 0, sizeof(sa));
 	sa.operation = "exec";
 	sa.gfp_mask = GFP_KERNEL;
-	sa.name = filename;
 	sa.request_mask = MAY_EXEC << shift;
 
+	filename = aa_get_name(filp->f_dentry, filp->f_vfsmnt, &buffer, 0);
+	if (IS_ERR(filename)) {
+		if (profile) {
+			sa.info = "Failed name resolution - exec failed";
+			sa.error_code = PTR_ERR(filename);
+			aa_audit_reject(profile, &sa);
+			return sa.error_code;
+		} else
+			return 0;
+	}
+	sa.name = filename;
+
+	exec_mode = AA_EXEC_UNSAFE << shift;
+
 repeat:
-	profile = aa_get_profile(current);
 	if (profile) {
 		complain = PROFILE_COMPLAIN(profile);
 
@@ -1011,8 +1026,10 @@ repeat:
 	if (IS_ERR(old_profile)) {
 		aa_put_profile(new_profile);
 		aa_put_profile(profile);
-		if (PTR_ERR(old_profile) == -ESTALE)
+		if (PTR_ERR(old_profile) == -ESTALE) {
+			profile = aa_get_profile(current);
 			goto repeat;
+		}
 		if (PTR_ERR(old_profile) == -EPERM) {
 			sa.denied_mask = sa.request_mask;
 			sa.info = "unable to set profile due to ptrace";
M split_init.diff - fix split init so that apparmor can be enabled at the boot command line. The init was broken so that apparmor couldn't be enabled unless enabled by default. M apparmor-fix-lock-letter.diff - fix the lock letter being reported (z -> k) and update some comments A apparmor-create-append.diff - fix semanitc bug where full write perms were needed to create a new file, where only append is needed. M fix-link-subset.diff - partial fix of link subset A no-safex-link-subset.diff - more link subset fixes A audit-log-type-in-syslog.diff - fix audit type being missing when messages go to syslog. This patch is needed for apparmor to work when messages go to syslog instead of auditd. This patch can be dropped when upstream includes the patch to report audit number when reporting to syslog A audit-uid.diff - report the fsuid to the log A hat_perm.diff - setup to use hat permissions instead of just profile search for 2.3 A apparmor-failed-name-error.diff - fix a bug where on failed name resolution no error or information is output. It now reports info in the status field and includes an error_code A extend-x-mods.diff - extend the x-mods in preparation of audit ctl A apparmor-secondary-accept.diff - extend the dfa to have a second accept table used for audit ctl A apparmor-audit-flags2.diff - extend apparmor to support audit ctl of individual permissions. - finish fixing link-subset A fix-change_profile-namespace.diff - Not applied, ignore 2008-03-13 16:36:38 +00:00			`---`
			`security/apparmor/main.c \| 39 ++++++++++++++++++++++++++++-----------`
			`1 file changed, 28 insertions(+), 11 deletions(-)`

			`--- a/security/apparmor/main.c`
			`+++ b/security/apparmor/main.c`
			`@@ -216,6 +216,12 @@ static int aa_perm_dentry(struct aa_prof`
			`else {`
			`sa->denied_mask = sa->request_mask;`
			`sa->error_code = PTR_ERR(sa->name);`
			`+ if (sa->error_code == -ENOENT)`
			`+ sa->info = "Failed name resolution - object not a valid entry";`
			`+ else if (sa->error_code == -ENAMETOOLONG)`
			`+ sa->info = "Failed name resolution - name too long";`
			`+ else`
			`+ sa->info = "Failed name resolution";`
			`}`
			`sa->name = NULL;`
			`} else`
			`@@ -371,8 +377,11 @@ static int aa_audit_base(struct aa_profi`
			`if (sa->operation)`
			`audit_log_format(ab, "operation=\"%s\"", sa->operation);`

			`- if (sa->info)`
			`+ if (sa->info) {`
			`audit_log_format(ab, " info=\"%s\"", sa->info);`
			`+ if (sa->error_code)`
			`+ audit_log_format(ab, " error=%d", sa->error_code);`
			`+ }`

			`if (sa->request_mask)`
			`aa_audit_file_mask(ab, "requested_mask", sa->request_mask);`
			`@@ -918,23 +927,29 @@ int aa_register(struct linux_binprm *bpr`

			`AA_DEBUG("%s\n", __FUNCTION__);`

			`- filename = aa_get_name(filp->f_dentry, filp->f_vfsmnt, &buffer, 0);`
			`- if (IS_ERR(filename)) {`
			`- AA_ERROR("%s: Failed to get filename", __FUNCTION__);`
			`- return -ENOENT;`
			`- }`
			`+ profile = aa_get_profile(current);`

			`shift = aa_inode_mode(filp->f_dentry->d_inode);`
			`- exec_mode = AA_EXEC_UNSAFE << shift;`
			`-`
			`memset(&sa, 0, sizeof(sa));`
			`sa.operation = "exec";`
			`sa.gfp_mask = GFP_KERNEL;`
			`- sa.name = filename;`
			`sa.request_mask = MAY_EXEC << shift;`

			`+ filename = aa_get_name(filp->f_dentry, filp->f_vfsmnt, &buffer, 0);`
			`+ if (IS_ERR(filename)) {`
			`+ if (profile) {`
			`+ sa.info = "Failed name resolution - exec failed";`
			`+ sa.error_code = PTR_ERR(filename);`
			`+ aa_audit_reject(profile, &sa);`
			`+ return sa.error_code;`
			`+ } else`
			`+ return 0;`
			`+ }`
			`+ sa.name = filename;`
			`+`
			`+ exec_mode = AA_EXEC_UNSAFE << shift;`
			`+`
			`repeat:`
			`- profile = aa_get_profile(current);`
			`if (profile) {`
			`complain = PROFILE_COMPLAIN(profile);`

			`@@ -1011,8 +1026,10 @@ repeat:`
			`if (IS_ERR(old_profile)) {`
			`aa_put_profile(new_profile);`
			`aa_put_profile(profile);`
			`- if (PTR_ERR(old_profile) == -ESTALE)`
			`+ if (PTR_ERR(old_profile) == -ESTALE) {`
			`+ profile = aa_get_profile(current);`
			`goto repeat;`
			`+ }`
			`if (PTR_ERR(old_profile) == -EPERM) {`
			`sa.denied_mask = sa.request_mask;`
			`sa.info = "unable to set profile due to ptrace";`