mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 22:35:35 +00:00
Code Issues Releases Wiki Activity

Enable fix-aa_register.diff. Add no-new-namespaces.diff.

Browse Source
This commit is contained in:
Andreas Gruenbacher
2007-02-24 18:14:47 +00:00
parent bd442e3869
commit 06a239c9c8
4 changed files with 40 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
kernel-patches/for-mainline/fix-aa_register.diff
View File

@@ -2,7 +2,7 @@ Index: b/security/apparmor/main.c
=================================================================== ===================================================================
--- a/security/apparmor/main.c --- a/security/apparmor/main.c
+++ b/security/apparmor/main.c +++ b/security/apparmor/main.c
@@ -844,16 +844,16 @@ repeat: @@ -843,16 +843,16 @@ repeat:
*/ */
exec_mode = aa_match(profile->file_rules, filename); exec_mode = aa_match(profile->file_rules, filename);
@@ -23,7 +23,7 @@ Index: b/security/apparmor/main.c
AA_DEBUG("%s: UNCONSTRAINED %s\n", AA_DEBUG("%s: UNCONSTRAINED %s\n",
__FUNCTION__, __FUNCTION__,
filename); filename);
@@ -862,7 +862,7 @@ repeat: @@ -861,7 +861,7 @@ repeat:
newprofile = NULL; newprofile = NULL;
break; break;

35
kernel-patches/for-mainline/no-new-namespaces.diff Normal file
View File

@@ -0,0 +1,35 @@
Index: b/security/apparmor/lsm.c
===================================================================
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -467,6 +467,22 @@ out:
return error;
}
+static int apparmor_task_create(unsigned long clone_flags)
+{
+ struct aa_profile *profile;
+ int error = 0;
+
+ profile = aa_get_profile(current);
+ if (profile) {
+ /* Don't allow to create new namespaces. */
+ if (clone_flags & CLONE_NEWNS)
+ error = -EPERM;
+ }
+ aa_put_profile(profile);
+
+ return error;
+}
+
static int apparmor_file_alloc_security(struct file *file)
{
struct aa_profile *profile;
@@ -714,6 +730,7 @@ struct security_operations apparmor_ops
.file_mmap = apparmor_file_mmap,
.file_mprotect = apparmor_file_mprotect,
+ .task_create = apparmor_task_create,
.task_alloc_security = apparmor_task_alloc_security,
.task_free_security = apparmor_task_free_security,
.task_post_setuid = apparmor_task_post_setuid,

2
kernel-patches/for-mainline/rework-locking-2.diff
View File

@@ -107,7 +107,7 @@ Index: b/security/apparmor/main.c
+ new_profile = NULL; + new_profile = NULL;
break; break;
case AA_EXEC_PROFILE: case MAY_EXEC | AA_EXEC_PROFILE:
AA_DEBUG("%s: PROFILE %s\n", AA_DEBUG("%s: PROFILE %s\n",
__FUNCTION__, __FUNCTION__,
filename); filename);

3
kernel-patches/for-mainline/series
View File

@@ -70,7 +70,7 @@ match-changes.diff
rename-audit_context.diff rename-audit_context.diff
cleanup-aa_register.diff cleanup-aa_register.diff
cleanup-aa_register-2.diff cleanup-aa_register-2.diff
# ? fix-aa_register.diff fix-aa_register.diff
rewrite-profile-list-functions.diff rewrite-profile-list-functions.diff
make-parent-point-to-itself.diff make-parent-point-to-itself.diff
per-profile-task-contexts.diff per-profile-task-contexts.diff
@@ -84,3 +84,4 @@ tell-files-from-dirs.diff
ptrace.diff ptrace.diff
clarify-audit-status-handling.diff clarify-audit-status-handling.diff
link-subset-check.diff link-subset-check.diff
no-new-namespaces.diff