diff --git a/kernel-patches/for-mainline/apparmor-aa_-to-aa.diff b/kernel-patches/for-mainline/apparmor-aa_-to-aa.diff index 31186674f..c086f43db 100644 --- a/kernel-patches/for-mainline/apparmor-aa_-to-aa.diff +++ b/kernel-patches/for-mainline/apparmor-aa_-to-aa.diff @@ -1,7 +1,7 @@ -Index: linux-2.6/security/apparmor/apparmor.h +Index: b/security/apparmor/apparmor.h =================================================================== ---- linux-2.6.orig/security/apparmor/apparmor.h -+++ linux-2.6/security/apparmor/apparmor.h +--- a/security/apparmor/apparmor.h ++++ b/security/apparmor/apparmor.h @@ -45,14 +45,14 @@ extern int apparmor_logsyscall; * which is not related to profile accesses. */ @@ -252,10 +252,10 @@ Index: linux-2.6/security/apparmor/apparmor.h +unsigned int aamatch(struct aadfa *dfa, const char *pathname); #endif /* __APPARMOR_H */ -Index: linux-2.6/security/apparmor/apparmorfs.c +Index: b/security/apparmor/apparmorfs.c =================================================================== ---- linux-2.6.orig/security/apparmor/apparmorfs.c -+++ linux-2.6/security/apparmor/apparmorfs.c +--- a/security/apparmor/apparmorfs.c ++++ b/security/apparmor/apparmorfs.c @@ -19,56 +19,56 @@ #include "inline.h" @@ -546,10 +546,10 @@ Index: linux-2.6/security/apparmor/apparmorfs.c + if (AAFS_DENTRY) clear_apparmorfs(); } -Index: linux-2.6/security/apparmor/inline.h +Index: b/security/apparmor/inline.h =================================================================== ---- linux-2.6.orig/security/apparmor/inline.h -+++ linux-2.6/security/apparmor/inline.h +--- a/security/apparmor/inline.h ++++ b/security/apparmor/inline.h @@ -12,42 +12,42 @@ #include 
@@ -815,10 +815,10 @@ Index: linux-2.6/security/apparmor/inline.h } } return NULL; -Index: linux-2.6/security/apparmor/list.c +Index: b/security/apparmor/list.c =================================================================== ---- linux-2.6.orig/security/apparmor/list.c -+++ linux-2.6/security/apparmor/list.c +--- a/security/apparmor/list.c ++++ b/security/apparmor/list.c @@ -22,45 +22,45 @@ static LIST_HEAD(subdomain_list); static rwlock_t subdomain_lock = RW_LOCK_UNLOCKED; @@ -1045,10 +1045,10 @@ Index: linux-2.6/security/apparmor/list.c seq_printf(f, "%s (%s)\n", profile->name, PROFILE_COMPLAIN(profile) ? "complain" : "enforce"); return 0; -Index: linux-2.6/security/apparmor/main.c +Index: b/security/apparmor/main.c =================================================================== ---- linux-2.6.orig/security/apparmor/main.c -+++ linux-2.6/security/apparmor/main.c +--- a/security/apparmor/main.c ++++ b/security/apparmor/main.c @@ -28,20 +28,20 @@ * can be associated to files which keep their reference even if apparmor is * unloaded @@ -1216,14 +1216,15 @@ Index: linux-2.6/security/apparmor/main.c if (l_mode == t_mode) ret = 0; -@@ -194,25 +194,25 @@ static int aa_link_perm(struct aa_profil +@@ -194,26 +194,26 @@ static int aa_link_perm(struct aa_profil return ret; } -static int _aa_perm_vfsmount(struct aa_profile *active, struct dentry *dentry, -- struct vfsmount *mnt, struct aa_audit *sa, int mask) +- struct vfsmount *mnt, struct aa_audit *sa, +static int _aaperm_vfsmount(struct aaprofile *active, struct dentry *dentry, -+ struct vfsmount *mnt, struct aaaudit *sa, int mask) ++ struct vfsmount *mnt, struct aaaudit *sa, + int mask) { int permerror, error; @@ -1249,7 +1250,7 @@ Index: linux-2.6/security/apparmor/main.c return error; } -@@ -227,12 +227,12 @@ static int _aa_perm_vfsmount(struct aa_p +@@ -228,12 +228,12 @@ static int _aa_perm_vfsmount(struct aa_p * * Return %0 (success) or error (-%ENOMEM) */ 
@@ -1265,7 +1266,7 @@ Index: linux-2.6/security/apparmor/main.c if (!hat) goto fail; if (profile->flags.complain) -@@ -252,7 +252,7 @@ int attach_nullprofile(struct aa_profile +@@ -253,7 +253,7 @@ int attach_nullprofile(struct aa_profile fail: kfree(hatname); @@ -1274,7 +1275,7 @@ Index: linux-2.6/security/apparmor/main.c return -ENOMEM; } -@@ -265,7 +265,7 @@ fail: +@@ -266,7 +266,7 @@ fail: */ int alloc_null_complain_profile(void) { @@ -1283,7 +1284,7 @@ Index: linux-2.6/security/apparmor/main.c if (!null_complain_profile) goto fail; -@@ -282,8 +282,8 @@ int alloc_null_complain_profile(void) +@@ -283,8 +283,8 @@ int alloc_null_complain_profile(void) return 0; fail: @@ -1294,7 +1295,7 @@ Index: linux-2.6/security/apparmor/main.c null_complain_profile = NULL; return -ENOMEM; -@@ -294,24 +294,24 @@ fail: +@@ -295,24 +295,24 @@ fail: */ void free_null_complain_profile(void) { @@ -1324,7 +1325,7 @@ Index: linux-2.6/security/apparmor/main.c sa.name = fmt; va_start(sa.vaval, fmt); sa.flags = flags; -@@ -319,7 +319,7 @@ int aa_audit_message(struct aa_profile * +@@ -320,7 +320,7 @@ int aa_audit_message(struct aa_profile * sa.error_code = 0; sa.result = 0; /* fake failure: force message to be logged */ @@ -1333,7 +1334,7 @@ Index: linux-2.6/security/apparmor/main.c va_end(sa.vaval); -@@ -327,32 +327,32 @@ int aa_audit_message(struct aa_profile * +@@ -328,32 +328,32 @@ int aa_audit_message(struct aa_profile * } /** @@ -1373,7 +1374,7 @@ Index: linux-2.6/security/apparmor/main.c { struct audit_buffer *ab = NULL; struct audit_context *ctx; -@@ -366,7 +366,7 @@ int aa_audit(struct aa_profile *active, +@@ -367,7 +367,7 @@ int aa_audit(struct aa_profile *active, const gfp_t gfp_mask = sa->gfp_mask; 
@@ -1382,7 +1383,7 @@ Index: linux-2.6/security/apparmor/main.c /* * sa->result: 1 success, 0 failure -@@ -388,13 +388,13 @@ int aa_audit(struct aa_profile *active, +@@ -389,13 +389,13 @@ int aa_audit(struct aa_profile *active, audit_log(current->audit_context, gfp_mask, AUDIT_SD, "Internal error auditing event type %d (error %d)", sa->type, sa->error_code); @@ -1400,7 +1401,7 @@ Index: linux-2.6/security/apparmor/main.c */ logcls = "REJECTING"; } else { -@@ -407,23 +407,23 @@ int aa_audit(struct aa_profile *active, +@@ -408,23 +408,23 @@ int aa_audit(struct aa_profile *active, */ flags = sa->flags; if (apparmor_logsyscall) @@ -1428,7 +1429,7 @@ Index: linux-2.6/security/apparmor/main.c sa->type); if (complain) error = 0; -@@ -431,7 +431,7 @@ int aa_audit(struct aa_profile *active, +@@ -432,7 +432,7 @@ int aa_audit(struct aa_profile *active, } /* messages get special handling */ @@ -1437,7 +1438,7 @@ Index: linux-2.6/security/apparmor/main.c audit_log_vformat(ab, sa->name, sa->vaval); audit_log_end(ab); error = 0; -@@ -442,23 +442,23 @@ int aa_audit(struct aa_profile *active, +@@ -443,23 +443,23 @@ int aa_audit(struct aa_profile *active, audit_log_format(ab, "%s ", logcls); /* REJECTING/ALLOWING/etc */ @@ -1469,7 +1470,7 @@ Index: linux-2.6/security/apparmor/main.c struct iattr *iattr = (struct iattr*)sa->pval; audit_log_format(ab, -@@ -474,25 +474,25 @@ int aa_audit(struct aa_profile *active, +@@ -475,25 +475,25 @@ int aa_audit(struct aa_profile *active, iattr->ia_valid & ATTR_CTIME ? "ctime," : "", sa->name); @@ -1499,7 +1500,7 @@ Index: linux-2.6/security/apparmor/main.c audit_log_format(ab, "access to syscall '%s' ", sa->name); opspec_error = -EPERM; -@@ -517,14 +517,14 @@ out: +@@ -518,14 +518,14 @@ out: } /** 
@@ -1517,7 +1518,7 @@ Index: linux-2.6/security/apparmor/main.c { char *page, *name; -@@ -550,7 +550,7 @@ char *aa_get_name(struct dentry *dentry, +@@ -551,7 +551,7 @@ char *aa_get_name(struct dentry *dentry, size > deleted_size && strcmp(name + size - deleted_size, deleted_str) == 0) name[size - deleted_size] = '\0'; @@ -1526,7 +1527,7 @@ Index: linux-2.6/security/apparmor/main.c } out: -@@ -562,29 +562,29 @@ out: +@@ -563,29 +563,29 @@ out: ***********************************/ /** @@ -1562,7 +1563,7 @@ Index: linux-2.6/security/apparmor/main.c * @active: profile to check against * @dentry: file to check * @mnt: mount of file to check -@@ -592,26 +592,26 @@ int aa_attr(struct aa_profile *active, s +@@ -593,26 +593,26 @@ int aa_attr(struct aa_profile *active, s * @xattr_name: name of xattr to check * @mask: access mode requested */ @@ -1594,7 +1595,7 @@ Index: linux-2.6/security/apparmor/main.c * @active: profile to check against * @dentry: dentry * @mnt: mountpoint -@@ -620,27 +620,27 @@ int aa_perm_xattr(struct aa_profile *act +@@ -621,27 +621,27 @@ int aa_perm_xattr(struct aa_profile *act * Determine if access (mask) for dentry is authorized by active * profile. Result, %0 (success), -ve (error) */ @@ -1628,7 +1629,7 @@ Index: linux-2.6/security/apparmor/main.c * @active: profile to check against * @dentry: requested dentry * @mnt: mount of file to check -@@ -651,33 +651,33 @@ out: +@@ -652,33 +652,33 @@ out: * by @active profile. * Result, %0 (success), -ve (error) */ @@ -1670,7 +1671,7 @@ Index: linux-2.6/security/apparmor/main.c sa.name = NULL; sa.capability = cap; sa.flags = 0; -@@ -685,27 +685,27 @@ int aa_capability(struct aa_profile *act +@@ -686,27 +686,27 @@ int aa_capability(struct aa_profile *act sa.result = cap_raised(active->capabilities, cap); sa.gfp_mask = GFP_ATOMIC; 
@@ -1693,43 +1694,42 @@ Index: linux-2.6/security/apparmor/main.c struct dentry *link, struct vfsmount *link_mnt, struct dentry *target, struct vfsmount *target_mnt) { - int permerror = -EPERM, error; + int permerror = -EPERM, error; - struct aa_audit sa; + struct aaaudit sa; -- sa.name = aa_get_name(link, link_mnt); -- sa.pval = aa_get_name(target, target_mnt); -+ sa.name = aaget_name(link, link_mnt); -+ sa.pval = aaget_name(target, target_mnt); +- sa.name = aa_get_name(link, link_mnt); +- sa.pval = aa_get_name(target, target_mnt); ++ sa.name = aaget_name(link, link_mnt); ++ sa.pval = aaget_name(target, target_mnt); - if (IS_ERR(sa.name)) { - permerror = PTR_ERR(sa.name); -@@ -717,18 +717,18 @@ int aa_link(struct aa_profile *active, + if (IS_ERR(sa.name)) { + permerror = PTR_ERR(sa.name); +@@ -718,18 +718,18 @@ int aa_link(struct aa_profile *active, } if (sa.name && sa.pval) - permerror = aa_link_perm(active, sa.name, sa.pval); + permerror = aalink_perm(active, sa.name, sa.pval); -- aa_permerror2result(permerror, &sa); -+ aapermerror2result(permerror, &sa); +- aa_permerror2result(permerror, &sa); ++ aapermerror2result(permerror, &sa); -- sa.type = AA_AUDITTYPE_LINK; -+ sa.type = AAAUDITTYPE_LINK; + sa.type = AA_AUDITTYPE_LINK; sa.flags = 0; sa.gfp_mask = GFP_KERNEL; - error = aa_audit(active, &sa); + error = aaaudit(active, &sa); -- aa_put_name(sa.name); -- aa_put_name(sa.pval); -+ aaput_name(sa.name); -+ aaput_name(sa.pval); +- aa_put_name(sa.name); +- aa_put_name(sa.pval); ++ aaput_name(sa.name); ++ aaput_name(sa.pval); - return error; + return error; } -@@ -738,27 +738,27 @@ int aa_link(struct aa_profile *active, +@@ -739,27 +739,27 @@ int aa_link(struct aa_profile *active, *******************************/ /** 
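Review bot: In the aa_link hunk (`@@ -1693,43 +1694,42 @@`), `sa.type = AA_AUDITTYPE_LINK;` is now an unchanged context line of the inner patch, whereas the previous revision renamed it to `AAAUDITTYPE_LINK` like every other identifier around it. If this patch still renames the constant where it is defined (not visible here), main.c would reference an undefined name after this step. The series would then fail to build at this point until apparmor-cleanup-aa.diff restores the prefix, which breaks bisecting. Either restore the pair `- sa.type = AA_AUDITTYPE_LINK;` / `+ sa.type = AAAUDITTYPE_LINK;` or confirm the definition is no longer renamed. The same hunk also rewrites the leading whitespace of several aa_link lines, so check that it still applies cleanly; the start of aa_link's signature lies above the hunk.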
@@ -1763,7 +1763,7 @@ Index: linux-2.6/security/apparmor/main.c unsigned long flags; newsd = alloc_subdomain(p); -@@ -771,7 +771,7 @@ int aa_fork(struct task_struct *p) +@@ -772,7 +772,7 @@ int aa_fork(struct task_struct *p) * new reference to be consistent. */ spin_lock_irqsave(&sd_lock, flags); @@ -1772,7 +1772,7 @@ Index: linux-2.6/security/apparmor/main.c newsd->hat_magic = sd->hat_magic; spin_unlock_irqrestore(&sd_lock, flags); -@@ -786,18 +786,18 @@ int aa_fork(struct task_struct *p) +@@ -787,18 +787,18 @@ int aa_fork(struct task_struct *p) } /** @@ -1795,7 +1795,7 @@ Index: linux-2.6/security/apparmor/main.c int error = -ENOMEM, exec_mode = 0, find_profile = 0, -@@ -805,17 +805,17 @@ int aa_register(struct linux_binprm *bpr +@@ -806,17 +806,17 @@ int aa_register(struct linux_binprm *bpr complain = 0, unsafe_exec = 0; @@ -1817,7 +1817,7 @@ Index: linux-2.6/security/apparmor/main.c if (!active) { /* Unconfined task, load profile if it exists */ -@@ -828,22 +828,22 @@ int aa_register(struct linux_binprm *bpr +@@ -829,22 +829,22 @@ int aa_register(struct linux_binprm *bpr /* Confined task, determine what mode inherit, unconstrained or * mandatory to load new profile */ @@ -1848,7 +1848,7 @@ Index: linux-2.6/security/apparmor/main.c __FUNCTION__, filename); -@@ -851,8 +851,8 @@ int aa_register(struct linux_binprm *bpr +@@ -852,8 +852,8 @@ int aa_register(struct linux_binprm *bpr newprofile = &unconstrained_flag; break; @@ -1859,7 +1859,7 @@ Index: linux-2.6/security/apparmor/main.c __FUNCTION__, filename); -@@ -860,13 +860,13 @@ int aa_register(struct linux_binprm *bpr +@@ -861,13 +861,13 @@ int aa_register(struct linux_binprm *bpr find_profile_mandatory = 1; break; @@ -1876,7 +1876,7 @@ Index: linux-2.6/security/apparmor/main.c "(%s(%d) profile %s active %s\n", __FUNCTION__, filename, -@@ -876,7 +876,7 @@ int aa_register(struct linux_binprm *bpr +@@ -877,7 +877,7 @@ int aa_register(struct linux_binprm *bpr break; default: 
@@ -1885,7 +1885,7 @@ Index: linux-2.6/security/apparmor/main.c "Unknown exec qualifier %x " "(%s (pid %d) profile %s active %s)\n", __FUNCTION__, -@@ -893,10 +893,10 @@ int aa_register(struct linux_binprm *bpr +@@ -894,10 +894,10 @@ int aa_register(struct linux_binprm *bpr * describing mode to execute image in. * Drop into null-profile (disabling secure exec). */ @@ -1898,7 +1898,7 @@ Index: linux-2.6/security/apparmor/main.c "Unable to determine exec qualifier " "(%s (pid %d) profile %s active %s)\n", __FUNCTION__, -@@ -912,9 +912,9 @@ find_profile: +@@ -913,9 +913,9 @@ find_profile: goto apply_profile; /* Locate new profile */ @@ -1910,7 +1910,7 @@ Index: linux-2.6/security/apparmor/main.c __FUNCTION__, newprofile->name); } else if (find_profile_mandatory) { /* Profile (mandatory) could not be found */ -@@ -926,9 +926,9 @@ find_profile: +@@ -927,9 +927,9 @@ find_profile: current->pid, BASE_PROFILE(active)->name, active->name); @@ -1922,7 +1922,7 @@ Index: linux-2.6/security/apparmor/main.c "Profile mandatory and not found " "(%s(%d) profile %s active %s)\n", filename, -@@ -945,7 +945,7 @@ find_profile: +@@ -946,7 +946,7 @@ find_profile: WARN_ON(active); @@ -1931,7 +1931,7 @@ Index: linux-2.6/security/apparmor/main.c __FUNCTION__, filename); } /* newprofile */ -@@ -978,15 +978,15 @@ apply_profile: +@@ -979,15 +979,15 @@ apply_profile: * the transition occured before replacement. * * - If newprofile points to an actual profile (result of @@ -1950,7 +1950,7 @@ Index: linux-2.6/security/apparmor/main.c __FUNCTION__); error = -ENOMEM; goto cleanup; -@@ -995,7 +995,7 @@ apply_profile: +@@ -996,7 +996,7 @@ apply_profile: spin_lock_irqsave(&sd_lock, flags); @@ -1959,7 +1959,7 @@ Index: linux-2.6/security/apparmor/main.c if (lazy_sd) { if (sd) { /* raced by setprofile - created sd */ -@@ -1016,10 +1016,10 @@ apply_profile: +@@ -1017,10 +1017,10 @@ apply_profile: if (newprofile && unlikely(newprofile->isstale)) { WARN_ON(newprofile == null_complain_profile); 
@@ -1973,7 +1973,7 @@ Index: linux-2.6/security/apparmor/main.c if (!newprofile) { /* Race, profile was removed, not replaced. -@@ -1039,16 +1039,16 @@ apply_profile: +@@ -1040,16 +1040,16 @@ apply_profile: * Cases 2 and 3 are marked as requiring secure exec * (unless policy specified "unsafe exec") */ @@ -1994,7 +1994,7 @@ Index: linux-2.6/security/apparmor/main.c if (complain && newprofile == null_complain_profile) LOG_HINT(newprofile, GFP_ATOMIC, HINT_CHGPROF, -@@ -1059,16 +1059,16 @@ apply_profile: +@@ -1060,16 +1060,16 @@ apply_profile: } cleanup: @@ -2014,7 +2014,7 @@ Index: linux-2.6/security/apparmor/main.c * @p: task being released * * This is called after a task has exited and the parent has reaped it. -@@ -1077,17 +1077,17 @@ out: +@@ -1078,17 +1078,17 @@ out: * This is the one case where we don't need to hold the sd_lock before * removing a profile from a subdomain. Once the subdomain has been * removed from the subdomain_list, we are no longer racing other writers. @@ -2037,7 +2037,7 @@ Index: linux-2.6/security/apparmor/main.c kfree(sd); } -@@ -1106,15 +1106,15 @@ void aa_release(struct task_struct *p) +@@ -1107,15 +1107,15 @@ void aa_release(struct task_struct *p) */ static inline int do_change_hat(const char *hat_name, struct subdomain *sd) { @@ -2057,7 +2057,7 @@ Index: linux-2.6/security/apparmor/main.c } else { /* There is no such subprofile change to a NULL profile. * The NULL profile grants no file access. -@@ -1133,7 +1133,7 @@ static inline int do_change_hat(const ch +@@ -1134,7 +1134,7 @@ static inline int do_change_hat(const ch BASE_PROFILE(sd->active)->name, sd->active->name); } else { @@ -2066,7 +2066,7 @@ Index: linux-2.6/security/apparmor/main.c "Changing to NULL profile " "(%s(%d) profile %s active %s)\n", __FUNCTION__, -@@ -1143,14 +1143,14 @@ static inline int do_change_hat(const ch +@@ -1144,14 +1144,14 @@ static inline int do_change_hat(const ch sd->active->name); error = -EACCES; } 
@@ -2083,7 +2083,7 @@ Index: linux-2.6/security/apparmor/main.c * @hat_name: specifies hat to change to * @hat_magic: token to validate hat change * -@@ -1160,25 +1160,25 @@ static inline int do_change_hat(const ch +@@ -1161,25 +1161,25 @@ static inline int do_change_hat(const ch * return to original top level profile. Returns %0 on success, error * otherwise. */ @@ -2114,7 +2114,7 @@ Index: linux-2.6/security/apparmor/main.c error = -EPERM; goto out; } -@@ -1198,7 +1198,7 @@ int aa_change_hat(const char *hat_name, +@@ -1199,7 +1199,7 @@ int aa_change_hat(const char *hat_name, * parent */ if (hat_name) { @@ -2123,7 +2123,7 @@ Index: linux-2.6/security/apparmor/main.c __FUNCTION__, hat_name, hat_magic); -@@ -1232,7 +1232,7 @@ int aa_change_hat(const char *hat_name, +@@ -1233,7 +1233,7 @@ int aa_change_hat(const char *hat_name, * Got here via changehat(NULL, magic) * Return from subprofile, back to parent */ @@ -2132,7 +2132,7 @@ Index: linux-2.6/security/apparmor/main.c /* Reset hat_magic to zero. * New value will be passed on next changehat -@@ -1243,7 +1243,7 @@ int aa_change_hat(const char *hat_name, +@@ -1244,7 +1244,7 @@ int aa_change_hat(const char *hat_name, error = do_change_hat(hat_name, sd); } } else if (sd->hat_magic) { @@ -2141,7 +2141,7 @@ Index: linux-2.6/security/apparmor/main.c "Invalid change_hat() magic# 0x%x " "(hatname %s profile %s active %s)\n", current->comm, current->pid, -@@ -1255,7 +1255,7 @@ int aa_change_hat(const char *hat_name, +@@ -1256,7 +1256,7 @@ int aa_change_hat(const char *hat_name, /* terminate current process */ (void)send_sig_info(SIGKILL, NULL, current); } else { /* sd->hat_magic == NULL */ 
@@ -2150,10 +2150,10 @@ Index: linux-2.6/security/apparmor/main.c "Task was confined to current subprofile " "(profile %s active %s)\n", current->comm, current->pid, -Index: linux-2.6/security/apparmor/match.c +Index: b/security/apparmor/match.c =================================================================== ---- linux-2.6.orig/security/apparmor/match.c -+++ linux-2.6/security/apparmor/match.c +--- a/security/apparmor/match.c ++++ b/security/apparmor/match.c @@ -16,7 +16,7 @@ #include #include "match.h" @@ -2254,10 +2254,10 @@ Index: linux-2.6/security/apparmor/match.c return 0; } -Index: linux-2.6/security/apparmor/match.h +Index: b/security/apparmor/match.h =================================================================== ---- linux-2.6.orig/security/apparmor/match.h -+++ linux-2.6/security/apparmor/match.h +--- a/security/apparmor/match.h ++++ b/security/apparmor/match.h @@ -49,7 +49,7 @@ struct table_header { #define EQUIV_TABLE(DFA) ((u8 *)((DFA)->tables[YYTD_ID_EC - 1]->td_data)) #define ACCEPT_TABLE(DFA) ((u32 *)((DFA)->tables[YYTD_ID_ACCEPT - 1]->td_data)) @@ -2267,10 +2267,10 @@ Index: linux-2.6/security/apparmor/match.h struct table_header *tables[YYTD_ID_NXT]; struct table_set_header th; -Index: linux-2.6/security/apparmor/module_interface.c +Index: b/security/apparmor/module_interface.c =================================================================== ---- linux-2.6.orig/security/apparmor/module_interface.c -+++ linux-2.6/security/apparmor/module_interface.c +--- a/security/apparmor/module_interface.c ++++ b/security/apparmor/module_interface.c @@ -15,26 +15,26 @@ #include "inline.h" #include "module_interface.h" 
@@ -3066,10 +3066,10 @@ Index: linux-2.6/security/apparmor/module_interface.c kfree(profile->name); } -Index: linux-2.6/security/apparmor/module_interface.h +Index: b/security/apparmor/module_interface.h =================================================================== ---- linux-2.6.orig/security/apparmor/module_interface.h -+++ linux-2.6/security/apparmor/module_interface.h +--- a/security/apparmor/module_interface.h ++++ b/security/apparmor/module_interface.h @@ -2,33 +2,33 @@ #define __MODULEINTERFACE_H @@ -3122,10 +3122,10 @@ Index: linux-2.6/security/apparmor/module_interface.h void *start; void *end; void *pos; /* pointer to current position in the buffer */ -Index: linux-2.6/security/apparmor/procattr.c +Index: b/security/apparmor/procattr.c =================================================================== ---- linux-2.6.orig/security/apparmor/procattr.c -+++ linux-2.6/security/apparmor/procattr.c +--- a/security/apparmor/procattr.c ++++ b/security/apparmor/procattr.c @@ -15,7 +15,7 @@ #include "apparmor.h" #include "inline.h" @@ -3331,10 +3331,10 @@ Index: linux-2.6/security/apparmor/procattr.c */ sd->hat_magic = 0; } -Index: linux-2.6/security/apparmor/shared.h +Index: b/security/apparmor/shared.h =================================================================== ---- linux-2.6.orig/security/apparmor/shared.h -+++ linux-2.6/security/apparmor/shared.h +--- a/security/apparmor/shared.h ++++ b/security/apparmor/shared.h @@ -13,39 +13,39 @@ #define _SHARED_H @@ -3403,10 +3403,10 @@ Index: linux-2.6/security/apparmor/shared.h +#define AAVALID_PERM_MASK ((1 << (POS_AAFILE_MAX + 1)) - 1) #endif /* _SHARED_H */ -Index: linux-2.6/security/apparmor/lsm.c +Index: b/security/apparmor/lsm.c =================================================================== ---- linux-2.6.orig/security/apparmor/lsm.c -+++ linux-2.6/security/apparmor/lsm.c +--- a/security/apparmor/lsm.c ++++ b/security/apparmor/lsm.c 
@@ -66,15 +66,15 @@ MODULE_PARM_DESC(apparmor_logsyscall, "T static int apparmor_ptrace(struct task_struct *parent, struct task_struct *child) diff --git a/kernel-patches/for-mainline/apparmor-audit-cleanup.diff b/kernel-patches/for-mainline/apparmor-audit-cleanup.diff index 3d5f366da..54212914c 100644 --- a/kernel-patches/for-mainline/apparmor-audit-cleanup.diff +++ b/kernel-patches/for-mainline/apparmor-audit-cleanup.diff @@ -4,10 +4,10 @@ only mess up the code. Pass the name of the operation in aa_audit instead. Use a union for the remaining users of ival in aa_audit: this is more readable. -Index: linux-2.6/security/apparmor/apparmor.h +Index: b/security/apparmor/apparmor.h =================================================================== ---- linux-2.6.orig/security/apparmor/apparmor.h -+++ linux-2.6/security/apparmor/apparmor.h +--- a/security/apparmor/apparmor.h ++++ b/security/apparmor/apparmor.h @@ -145,8 +145,12 @@ struct aa_audit { gfp_t gfp_mask; int error_code; @@ -62,10 +62,10 @@ Index: linux-2.6/security/apparmor/apparmor.h extern int aa_link(struct aaprofile *active, struct dentry *link, struct vfsmount *link_mnt, struct dentry *target, struct vfsmount *target_mnt); -Index: linux-2.6/security/apparmor/main.c +Index: b/security/apparmor/main.c =================================================================== ---- linux-2.6.orig/security/apparmor/main.c -+++ linux-2.6/security/apparmor/main.c +--- a/security/apparmor/main.c ++++ b/security/apparmor/main.c @@ -443,7 +443,7 @@ int aa_audit(struct aaprofile *active, c audit_log_format(ab, "%s ", logcls); /* REJECTING/ALLOWING/etc */ 
@@ -221,10 +221,10 @@ Index: linux-2.6/security/apparmor/main.c sa.flags = 0; sa.error_code = 0; sa.result = cap_raised(active->capabilities, cap); -Index: linux-2.6/security/apparmor/lsm.c +Index: b/security/apparmor/lsm.c =================================================================== ---- linux-2.6.orig/security/apparmor/lsm.c -+++ linux-2.6/security/apparmor/lsm.c +--- a/security/apparmor/lsm.c ++++ b/security/apparmor/lsm.c @@ -244,7 +244,7 @@ static int apparmor_inode_mkdir(struct i active = get_active_aaprofile(); diff --git a/kernel-patches/for-mainline/apparmor-audit.diff b/kernel-patches/for-mainline/apparmor-audit.diff index 456180788..d4126ff53 100644 --- a/kernel-patches/for-mainline/apparmor-audit.diff +++ b/kernel-patches/for-mainline/apparmor-audit.diff @@ -12,10 +12,10 @@ Patch is not in mainline -- pending AppArmor code submission to lkml kernel/audit.c | 6 ++++-- 2 files changed, 9 insertions(+), 2 deletions(-) -Index: linux-2.6/include/linux/audit.h +Index: b/include/linux/audit.h =================================================================== ---- linux-2.6.orig/include/linux/audit.h -+++ linux-2.6/include/linux/audit.h +--- a/include/linux/audit.h ++++ b/include/linux/audit.h @@ -110,6 +110,8 @@ #define AUDIT_LAST_KERN_ANOM_MSG 1799 #define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */ @@ -35,10 +35,10 @@ Index: linux-2.6/include/linux/audit.h extern void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) __attribute__((format(printf,2,3))); -Index: linux-2.6/kernel/audit.c +Index: b/kernel/audit.c =================================================================== ---- linux-2.6.orig/kernel/audit.c -+++ linux-2.6/kernel/audit.c +--- a/kernel/audit.c ++++ b/kernel/audit.c @@ -956,8 +956,7 @@ static inline int audit_expand(struct au * will be called a second time. Currently, we assume that a printk * can't format message larger than 1024 bytes, so we don't either. 
diff --git a/kernel-patches/for-mainline/apparmor-bootdisable.diff b/kernel-patches/for-mainline/apparmor-bootdisable.diff index 6c48e68f1..253cc9b20 100644 --- a/kernel-patches/for-mainline/apparmor-bootdisable.diff +++ b/kernel-patches/for-mainline/apparmor-bootdisable.diff @@ -1,7 +1,7 @@ -Index: linux-2.6/security/apparmor/lsm.c +Index: b/security/apparmor/lsm.c =================================================================== ---- linux-2.6.orig/security/apparmor/lsm.c -+++ linux-2.6/security/apparmor/lsm.c +--- a/security/apparmor/lsm.c ++++ b/security/apparmor/lsm.c @@ -24,6 +24,15 @@ /* struct subdomain write update lock (read side is RCU). */ spinlock_t sd_lock = SPIN_LOCK_UNLOCKED; @@ -10,8 +10,8 @@ Index: linux-2.6/security/apparmor/lsm.c +int apparmor_enabled=1; +static int __init apparmor_enabled_setup(char *str) +{ -+ apparmor_enabled = simple_strtol(str, NULL, 0); -+ return 1; ++ apparmor_enabled = simple_strtol(str, NULL, 0); ++ return 1; +} +__setup("apparmor=", apparmor_enabled_setup); + diff --git a/kernel-patches/for-mainline/apparmor-builtinonly.diff b/kernel-patches/for-mainline/apparmor-builtinonly.diff index 9ad4c4e06..212f879fe 100644 --- a/kernel-patches/for-mainline/apparmor-builtinonly.diff +++ b/kernel-patches/for-mainline/apparmor-builtinonly.diff @@ -1,7 +1,7 @@ -Index: linux-2.6/security/apparmor/Kconfig +Index: b/security/apparmor/Kconfig =================================================================== ---- linux-2.6.orig/security/apparmor/Kconfig -+++ linux-2.6/security/apparmor/Kconfig +--- a/security/apparmor/Kconfig ++++ b/security/apparmor/Kconfig @@ -1,8 +1,9 @@ config SECURITY_APPARMOR - tristate "AppArmor support" 
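Review bot: In apparmor_enabled_setup (hunk `@@ -10,8 +10,8 @@`, which only re-indents the body), `apparmor_enabled = simple_strtol(str, NULL, 0);` accepts any string and yields 0 for input that is not a number. If 0 means disabled, as the name and the default of 1 suggest, a mistyped or non-numeric value such as `apparmor=on` would silently turn confinement off at boot. Parse with an end pointer and keep the default unless the whole argument is a number, for example `val = simple_strtoul(str, &end, 0);` followed by `if (end != str && !*end) apparmor_enabled = !!val;`. A comment above `int apparmor_enabled=1;` stating which values the `apparmor=` parameter accepts, and that anything else leaves AppArmor enabled, would document the fail-closed intent.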
@@ -15,10 +15,10 @@ Index: linux-2.6/security/apparmor/Kconfig Required userspace tools (if they are not included in your distribution) and further information may be found at -Index: linux-2.6/security/apparmor/lsm.c +Index: b/security/apparmor/lsm.c =================================================================== ---- linux-2.6.orig/security/apparmor/lsm.c -+++ linux-2.6/security/apparmor/lsm.c +--- a/security/apparmor/lsm.c ++++ b/security/apparmor/lsm.c @@ -54,36 +54,6 @@ int apparmor_logsyscall = 0; module_param_named(logsyscall, apparmor_logsyscall, int, S_IRUSR); MODULE_PARM_DESC(apparmor_logsyscall, "Toggle AppArmor logsyscall mode"); @@ -124,16 +124,16 @@ Index: linux-2.6/security/apparmor/lsm.c -MODULE_DESCRIPTION("AppArmor process confinement"); -MODULE_AUTHOR("Tony Jones "); -MODULE_LICENSE("GPL"); -Index: linux-2.6/security/Makefile +Index: b/security/Makefile =================================================================== ---- linux-2.6.orig/security/Makefile -+++ linux-2.6/security/Makefile +--- a/security/Makefile ++++ b/security/Makefile @@ -16,7 +16,7 @@ obj-$(CONFIG_SECURITY) += security.o d # Must precede capability.o in order to stack properly. obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o ifeq ($(CONFIG_SECURITY_APPARMOR),y) --obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/built-in.o -+obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/built-in.o commoncap.o +-obj-y += apparmor/built-in.o ++obj-y += apparmor/built-in.o commoncap.o endif obj-$(CONFIG_SECURITY_CAPABILITIES) += commoncap.o capability.o obj-$(CONFIG_SECURITY_ROOTPLUG) += commoncap.o root_plug.o diff --git a/kernel-patches/for-mainline/apparmor-cleanup-aa.diff b/kernel-patches/for-mainline/apparmor-cleanup-aa.diff index 8f484a832..e3dd4234a 100644 --- a/kernel-patches/for-mainline/apparmor-cleanup-aa.diff +++ b/kernel-patches/for-mainline/apparmor-cleanup-aa.diff 
@@ -1,7 +1,7 @@ -Index: linux-2.6/security/apparmor/apparmor.h +Index: b/security/apparmor/apparmor.h =================================================================== ---- linux-2.6.orig/security/apparmor/apparmor.h -+++ linux-2.6/security/apparmor/apparmor.h +--- a/security/apparmor/apparmor.h ++++ b/security/apparmor/apparmor.h @@ -68,7 +68,7 @@ struct flagval { #define AA_EXEC_MODIFIER_MASK(mask) ((mask) & AA_EXEC_MODIFIERS) #define AA_EXEC_MASK(mask) ((mask) & (AA_EXEC_MODIFIERS | AA_EXEC_UNSAFE)) @@ -135,10 +135,10 @@ Index: linux-2.6/security/apparmor/apparmor.h +unsigned int aa_match(struct aa_dfa *dfa, const char *pathname); #endif /* __APPARMOR_H */ -Index: linux-2.6/security/apparmor/apparmorfs.c +Index: b/security/apparmor/apparmorfs.c =================================================================== ---- linux-2.6.orig/security/apparmor/apparmorfs.c -+++ linux-2.6/security/apparmor/apparmorfs.c +--- a/security/apparmor/apparmorfs.c ++++ b/security/apparmor/apparmorfs.c @@ -19,7 +19,7 @@ #include "inline.h" @@ -198,10 +198,10 @@ Index: linux-2.6/security/apparmor/apparmorfs.c + if (AA_FS_DENTRY) clear_apparmorfs(); } -Index: linux-2.6/security/apparmor/inline.h +Index: b/security/apparmor/inline.h =================================================================== ---- linux-2.6.orig/security/apparmor/inline.h -+++ linux-2.6/security/apparmor/inline.h +--- a/security/apparmor/inline.h ++++ b/security/apparmor/inline.h @@ -44,10 +44,10 @@ static inline int aa_sub_defined(void) } @@ -350,10 +350,10 @@ Index: linux-2.6/security/apparmor/inline.h return p; } else { AA_DEBUG("%s: skipping %s\n", __FUNCTION__, p->name); -Index: linux-2.6/security/apparmor/list.c +Index: b/security/apparmor/list.c =================================================================== ---- linux-2.6.orig/security/apparmor/list.c -+++ linux-2.6/security/apparmor/list.c +--- a/security/apparmor/list.c ++++ b/security/apparmor/list.c 
@@ -28,9 +28,9 @@ static rwlock_t subdomain_lock = RW_LOCK * Search the profile list for profile @name. Return refcounted profile on * success, NULL on failure. @@ -474,10 +474,10 @@ Index: linux-2.6/security/apparmor/list.c seq_printf(f, "%s (%s)\n", profile->name, PROFILE_COMPLAIN(profile) ? "complain" : "enforce"); return 0; -Index: linux-2.6/security/apparmor/lsm.c +Index: b/security/apparmor/lsm.c =================================================================== ---- linux-2.6.orig/security/apparmor/lsm.c -+++ linux-2.6/security/apparmor/lsm.c +--- a/security/apparmor/lsm.c ++++ b/security/apparmor/lsm.c @@ -66,7 +66,7 @@ MODULE_PARM_DESC(apparmor_logsyscall, "T static int apparmor_ptrace(struct task_struct *parent, struct task_struct *child) @@ -877,10 +877,10 @@ Index: linux-2.6/security/apparmor/lsm.c } else { /* unknown operation */ AA_WARN("%s: Unknown setprocattr command '%.*s' by task %s(%d) " -Index: linux-2.6/security/apparmor/main.c +Index: b/security/apparmor/main.c =================================================================== ---- linux-2.6.orig/security/apparmor/main.c -+++ linux-2.6/security/apparmor/main.c +--- a/security/apparmor/main.c ++++ b/security/apparmor/main.c @@ -28,7 +28,7 @@ * can be associated to files which keep their reference even if apparmor is * unloaded 
@@ -935,16 +935,19 @@ Index: linux-2.6/security/apparmor/main.c const char *link, const char *target) { int l_mode, t_mode, ret = -EPERM; -@@ -194,7 +194,7 @@ static int aa_link_perm(struct aaprofile +@@ -194,8 +194,9 @@ static int aa_link_perm(struct aaprofile return ret; } -static int _aa_perm_vfsmount(struct aaprofile *active, struct dentry *dentry, +- struct vfsmount *mnt, struct aa_audit *sa, int mask) +static int _aa_perm_vfsmount(struct aa_profile *active, struct dentry *dentry, - struct vfsmount *mnt, struct aa_audit *sa, int mask) ++ struct vfsmount *mnt, struct aa_audit *sa, ++ int mask) { int permerror, error; -@@ -227,12 +227,12 @@ static int _aa_perm_vfsmount(struct aapr + +@@ -227,12 +228,12 @@ static int _aa_perm_vfsmount(struct aapr * * Return %0 (success) or error (-%ENOMEM) */ @@ -960,7 +963,7 @@ Index: linux-2.6/security/apparmor/main.c if (!hat) goto fail; if (profile->flags.complain) -@@ -252,7 +252,7 @@ int attach_nullprofile(struct aaprofile +@@ -252,7 +253,7 @@ int attach_nullprofile(struct aaprofile fail: kfree(hatname); @@ -969,7 +972,7 @@ Index: linux-2.6/security/apparmor/main.c return -ENOMEM; } -@@ -265,7 +265,7 @@ fail: +@@ -265,7 +266,7 @@ fail: */ int alloc_null_complain_profile(void) { @@ -978,7 +981,7 @@ Index: linux-2.6/security/apparmor/main.c if (!null_complain_profile) goto fail; -@@ -282,8 +282,8 @@ int alloc_null_complain_profile(void) +@@ -282,8 +283,8 @@ int alloc_null_complain_profile(void) return 0; fail: @@ -989,7 +992,7 @@ Index: linux-2.6/security/apparmor/main.c null_complain_profile = NULL; return -ENOMEM; -@@ -294,7 +294,7 @@ fail: +@@ -294,7 +295,7 @@ fail: */ void free_null_complain_profile(void) { @@ -998,7 +1001,7 @@ Index: linux-2.6/security/apparmor/main.c null_complain_profile = NULL; } -@@ -305,7 +305,7 @@ void free_null_complain_profile(void) +@@ -305,7 +306,7 @@ void free_null_complain_profile(void) * @flags: audit flags * @fmt: varargs fmt */ 
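Review bot: The re-wrap of `_aa_perm_vfsmount`'s parameter list (`int mask)` moved onto its own line) is folded into what is otherwise a pure identifier rename, so this patch can no longer be checked by regenerating it with a scripted substitution and comparing the result. The inner hunk header grows from `-194,7 +194,7` to `-194,8 +194,9`, and every later main.c hunk in this patch file has its new-side offset shifted by one (227→228 through 1114→1115). For code in a security module, keeping the rename mechanical makes it much easier to confirm that no permission check changed along the way; I would keep `struct vfsmount *mnt, struct aa_audit *sa, int mask)` as an unchanged context line here and do the re-wrap in a separate cleanup patch. The body of `_aa_perm_vfsmount` continues outside this hunk.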
@@ -1007,7 +1010,7 @@ Index: linux-2.6/security/apparmor/main.c const char *fmt, ...) { int ret; -@@ -332,7 +332,7 @@ int aa_audit_message(struct aaprofile *a +@@ -332,7 +333,7 @@ int aa_audit_message(struct aaprofile *a * @msg: string describing syscall being rejected * @gfp: memory allocation flags */ @@ -1016,7 +1019,7 @@ Index: linux-2.6/security/apparmor/main.c const char *msg) { struct aa_audit sa; -@@ -352,7 +352,7 @@ int aa_audit_syscallreject(struct aaprof +@@ -352,7 +353,7 @@ int aa_audit_syscallreject(struct aaprof * @active: profile to check against * @sa: audit event */ @@ -1025,7 +1028,7 @@ Index: linux-2.6/security/apparmor/main.c { struct audit_buffer *ab = NULL; struct audit_context *ctx; -@@ -567,7 +567,7 @@ out: +@@ -567,7 +568,7 @@ out: * @dentry: file to check * @iattr: attribute changes requested */ @@ -1034,7 +1037,7 @@ Index: linux-2.6/security/apparmor/main.c struct vfsmount *mnt, struct iattr *iattr) { int error; -@@ -592,7 +592,7 @@ int aa_attr(struct aaprofile *active, st +@@ -592,7 +593,7 @@ int aa_attr(struct aaprofile *active, st * @xattr_name: name of xattr to check * @mask: access mode requested */ @@ -1043,7 +1046,7 @@ Index: linux-2.6/security/apparmor/main.c struct vfsmount *mnt, const char *operation, const char *xattr_name, int mask) { -@@ -620,7 +620,7 @@ int aa_perm_xattr(struct aaprofile *acti +@@ -620,7 +621,7 @@ int aa_perm_xattr(struct aaprofile *acti * Determine if access (mask) for dentry is authorized by active * profile. Result, %0 (success), -ve (error) */ @@ -1052,7 +1055,7 @@ Index: linux-2.6/security/apparmor/main.c struct vfsmount *mnt, int mask) { int error = 0; -@@ -651,7 +651,7 @@ out: +@@ -651,7 +652,7 @@ out: * by @active profile. * Result, %0 (success), -ve (error) */ 
@@ -1061,7 +1064,7 @@ Index: linux-2.6/security/apparmor/main.c struct vfsmount *mnt, const char *operation, int mask) { struct aa_audit sa; -@@ -672,7 +672,7 @@ int aa_perm_dir(struct aaprofile *active +@@ -672,7 +673,7 @@ int aa_perm_dir(struct aaprofile *active * Look up capability in active profile capability set. * Return %0 (success), -%EPERM (error) */ @@ -1070,7 +1073,7 @@ Index: linux-2.6/security/apparmor/main.c { int error = 0; struct aa_audit sa; -@@ -697,7 +697,7 @@ int aa_capability(struct aaprofile *acti +@@ -697,7 +698,7 @@ int aa_capability(struct aaprofile *acti * @target: dentry for link target * @mnt: vfsmount (-EXDEV is link and target are not on same vfsmount) */ @@ -1079,7 +1082,7 @@ Index: linux-2.6/security/apparmor/main.c struct dentry *link, struct vfsmount *link_mnt, struct dentry *target, struct vfsmount *target_mnt) { -@@ -796,8 +796,8 @@ int aa_register(struct linux_binprm *bpr +@@ -796,8 +797,8 @@ int aa_register(struct linux_binprm *bpr { char *filename; struct file *filp = bprm->file; @@ -1090,7 +1093,7 @@ Index: linux-2.6/security/apparmor/main.c int error = -ENOMEM, exec_mode = 0, find_profile = 0, -@@ -815,7 +815,7 @@ int aa_register(struct linux_binprm *bpr +@@ -815,7 +816,7 @@ int aa_register(struct linux_binprm *bpr error = 0; @@ -1099,7 +1102,7 @@ Index: linux-2.6/security/apparmor/main.c if (!active) { /* Unconfined task, load profile if it exists */ -@@ -828,7 +828,7 @@ int aa_register(struct linux_binprm *bpr +@@ -828,7 +829,7 @@ int aa_register(struct linux_binprm *bpr /* Confined task, determine what mode inherit, unconstrained or * mandatory to load new profile */ @@ -1108,7 +1111,7 @@ Index: linux-2.6/security/apparmor/main.c unsafe_exec = exec_mode & AA_EXEC_UNSAFE; if (exec_mode) { -@@ -893,7 +893,7 @@ int aa_register(struct linux_binprm *bpr +@@ -893,7 +894,7 @@ int aa_register(struct linux_binprm *bpr * describing mode to execute image in. * Drop into null-profile (disabling secure exec). */ 
@@ -1117,7 +1120,7 @@ Index: linux-2.6/security/apparmor/main.c unsafe_exec = 1; } else { AA_WARN("%s: Rejecting exec(2) of image '%s'. " -@@ -926,7 +926,7 @@ find_profile: +@@ -926,7 +927,7 @@ find_profile: current->pid, BASE_PROFILE(active)->name, active->name); @@ -1126,7 +1129,7 @@ Index: linux-2.6/security/apparmor/main.c } else { AA_WARN("REJECTING exec(2) of image '%s'. " "Profile mandatory and not found " -@@ -1016,8 +1016,8 @@ apply_profile: +@@ -1016,8 +1017,8 @@ apply_profile: if (newprofile && unlikely(newprofile->isstale)) { WARN_ON(newprofile == null_complain_profile); @@ -1137,7 +1140,7 @@ Index: linux-2.6/security/apparmor/main.c newprofile = aa_profilelist_find(filename); -@@ -1048,7 +1048,7 @@ apply_profile: +@@ -1048,7 +1049,7 @@ apply_profile: } aa_switch(sd, newprofile); @@ -1146,7 +1149,7 @@ Index: linux-2.6/security/apparmor/main.c if (complain && newprofile == null_complain_profile) LOG_HINT(newprofile, GFP_ATOMIC, HINT_CHGPROF, -@@ -1061,7 +1061,7 @@ apply_profile: +@@ -1061,7 +1062,7 @@ apply_profile: cleanup: aa_put_name(filename); @@ -1155,7 +1158,7 @@ Index: linux-2.6/security/apparmor/main.c out: return error; -@@ -1106,7 +1106,7 @@ void aa_release(struct task_struct *p) +@@ -1106,7 +1107,7 @@ void aa_release(struct task_struct *p) */ static inline int do_change_hat(const char *hat_name, struct subdomain *sd) { @@ -1164,7 +1167,7 @@ Index: linux-2.6/security/apparmor/main.c int error = 0; sub = __aa_find_profile(hat_name, &BASE_PROFILE(sd->active)->sub); -@@ -1114,7 +1114,7 @@ static inline int do_change_hat(const ch +@@ -1114,7 +1115,7 @@ static inline int do_change_hat(const ch if (sub) { /* change hat */ aa_switch(sd, sub); 
@@ -1173,10 +1176,10 @@ Index: linux-2.6/security/apparmor/main.c } else { /* There is no such subprofile change to a NULL profile. * The NULL profile grants no file access. -Index: linux-2.6/security/apparmor/match.c +Index: b/security/apparmor/match.c =================================================================== ---- linux-2.6.orig/security/apparmor/match.c -+++ linux-2.6/security/apparmor/match.c +--- a/security/apparmor/match.c ++++ b/security/apparmor/match.c @@ -16,7 +16,7 @@ #include #include "match.h" @@ -1260,10 +1263,10 @@ Index: linux-2.6/security/apparmor/match.c return 0; } -Index: linux-2.6/security/apparmor/module_interface.c +Index: b/security/apparmor/module_interface.c =================================================================== ---- linux-2.6.orig/security/apparmor/module_interface.c -+++ linux-2.6/security/apparmor/module_interface.c +--- a/security/apparmor/module_interface.c ++++ b/security/apparmor/module_interface.c @@ -17,24 +17,24 @@ /* aa_code defined in module_interface.h */ @@ -1605,10 +1608,10 @@ Index: linux-2.6/security/apparmor/module_interface.c } if (profile->name) { -Index: linux-2.6/security/apparmor/procattr.c +Index: b/security/apparmor/procattr.c =================================================================== ---- linux-2.6.orig/security/apparmor/procattr.c -+++ linux-2.6/security/apparmor/procattr.c +--- a/security/apparmor/procattr.c ++++ b/security/apparmor/procattr.c @@ -15,7 +15,7 @@ #include "apparmor.h" #include "inline.h" diff --git a/kernel-patches/for-mainline/apparmor-d_namespace.diff b/kernel-patches/for-mainline/apparmor-d_namespace.diff index 1e945f9d7..c5e4d086b 100644 --- a/kernel-patches/for-mainline/apparmor-d_namespace.diff +++ b/kernel-patches/for-mainline/apparmor-d_namespace.diff 
@@ -1,7 +1,7 @@ -Index: linux-2.6/security/apparmor/main.c +Index: b/security/apparmor/main.c =================================================================== ---- linux-2.6.orig/security/apparmor/main.c -+++ linux-2.6/security/apparmor/main.c +--- a/security/apparmor/main.c ++++ b/security/apparmor/main.c @@ -12,6 +12,7 @@ #include #include diff --git a/kernel-patches/for-mainline/apparmor-dfa.diff b/kernel-patches/for-mainline/apparmor-dfa.diff index 9e62d714b..b2bf3a696 100644 --- a/kernel-patches/for-mainline/apparmor-dfa.diff +++ b/kernel-patches/for-mainline/apparmor-dfa.diff @@ -1,7 +1,7 @@ -Index: linux-2.6/security/apparmor/match/Kbuild +Index: b/security/apparmor/match/Kbuild =================================================================== ---- linux-2.6.orig/security/apparmor/match/Kbuild -+++ linux-2.6/security/apparmor/match/Kbuild +--- a/security/apparmor/match/Kbuild ++++ b/security/apparmor/match/Kbuild @@ -1,6 +1,6 @@ # Makefile for AppArmor aamatch submodule # @@ -11,10 +11,10 @@ Index: linux-2.6/security/apparmor/match/Kbuild -aamatch_pcre-y := match_pcre.o pcre_exec.o +aamatch_dfa-y := match_dfa.o -Index: linux-2.6/security/apparmor/match/match_dfa.c +Index: b/security/apparmor/match/match_dfa.c =================================================================== --- /dev/null -+++ linux-2.6/security/apparmor/match/match_dfa.c ++++ b/security/apparmor/match/match_dfa.c @@ -0,0 +1,398 @@ +/* + * Copyright (C) 2002-2005 Novell/SUSE 
@@ -414,10 +414,10 @@ Index: linux-2.6/security/apparmor/match/match_dfa.c +MODULE_DESCRIPTION("AppArmor aa_match module [dfa]"); +MODULE_AUTHOR("John Johansen "); +MODULE_LICENSE("GPL"); -Index: linux-2.6/security/apparmor/module_interface.c +Index: b/security/apparmor/module_interface.c =================================================================== ---- linux-2.6.orig/security/apparmor/module_interface.c -+++ linux-2.6/security/apparmor/module_interface.c +--- a/security/apparmor/module_interface.c ++++ b/security/apparmor/module_interface.c @@ -206,6 +206,7 @@ static void aaconvert(enum aa_code code, *(u16 *)dest = le16_to_cpu(get_unaligned((u16 *)src)); break; @@ -465,10 +465,10 @@ Index: linux-2.6/security/apparmor/module_interface.c free_aa_entry(entry); return NULL; } -Index: linux-2.6/security/apparmor/module_interface.h +Index: b/security/apparmor/module_interface.h =================================================================== ---- linux-2.6.orig/security/apparmor/module_interface.h -+++ linux-2.6/security/apparmor/module_interface.h +--- a/security/apparmor/module_interface.h ++++ b/security/apparmor/module_interface.h @@ -20,6 +20,7 @@ enum aa_code { AA_LIST, AA_LISTEND, @@ -477,10 +477,10 @@ Index: linux-2.6/security/apparmor/module_interface.h AA_BAD }; -Index: linux-2.6/security/apparmor/shared.h +Index: b/security/apparmor/shared.h =================================================================== ---- linux-2.6.orig/security/apparmor/shared.h -+++ linux-2.6/security/apparmor/shared.h +--- a/security/apparmor/shared.h ++++ b/security/apparmor/shared.h @@ -28,6 +28,9 @@ #define POS_AA_EXEC_UNSAFE (POS_AA_EXEC_MMAP + 1) #define POS_AA_FILE_MAX POS_AA_EXEC_UNSAFE diff --git a/kernel-patches/for-mainline/apparmor-intree.diff b/kernel-patches/for-mainline/apparmor-intree.diff index 2b39e23bb..10c036139 100644 --- a/kernel-patches/for-mainline/apparmor-intree.diff +++ b/kernel-patches/for-mainline/apparmor-intree.diff 
@@ -1,7 +1,7 @@ -Index: linux-2.6-apparmor/security/Kconfig +Index: b/security/Kconfig =================================================================== ---- linux-2.6-apparmor.orig/security/Kconfig -+++ linux-2.6-apparmor/security/Kconfig +--- a/security/Kconfig ++++ b/security/Kconfig @@ -94,6 +94,7 @@ config SECURITY_ROOTPLUG If you are unsure how to answer this question, answer N. @@ -10,10 +10,10 @@ Index: linux-2.6-apparmor/security/Kconfig endmenu -Index: linux-2.6-apparmor/security/Makefile +Index: b/security/Makefile =================================================================== ---- linux-2.6-apparmor.orig/security/Makefile -+++ linux-2.6-apparmor/security/Makefile +--- a/security/Makefile ++++ b/security/Makefile @@ -4,6 +4,7 @@ obj-$(CONFIG_KEYS) += keys/ diff --git a/kernel-patches/for-mainline/apparmor-match_perms.diff b/kernel-patches/for-mainline/apparmor-match_perms.diff index 4f6942ade..f351eafbf 100644 --- a/kernel-patches/for-mainline/apparmor-match_perms.diff +++ b/kernel-patches/for-mainline/apparmor-match_perms.diff @@ -1,7 +1,7 @@ -Index: linux-2.6/security/apparmor/main.c +Index: b/security/apparmor/main.c =================================================================== ---- linux-2.6.orig/security/apparmor/main.c -+++ linux-2.6/security/apparmor/main.c +--- a/security/apparmor/main.c ++++ b/security/apparmor/main.c @@ -61,7 +61,7 @@ static inline int aa_taskattr_access(con static inline int aa_file_mode(struct aaprofile *profile, const char *name) { @@ -171,10 +171,10 @@ Index: linux-2.6/security/apparmor/main.c done: return error; -Index: linux-2.6/security/apparmor/match/match.h +Index: b/security/apparmor/match/match.h =================================================================== ---- linux-2.6.orig/security/apparmor/match/match.h -+++ linux-2.6/security/apparmor/match/match.h +--- a/security/apparmor/match/match.h ++++ b/security/apparmor/match/match.h @@ -69,16 +69,11 @@ extern int aamatch_serialize(void *entry /** 
@@ -231,10 +231,10 @@ Index: linux-2.6/security/apparmor/match/match.h } #endif /* __MATCH_H */ -Index: linux-2.6/security/apparmor/match/match_default.c +Index: b/security/apparmor/match/match_default.c =================================================================== ---- linux-2.6.orig/security/apparmor/match/match_default.c -+++ linux-2.6/security/apparmor/match/match_default.c +--- a/security/apparmor/match/match_default.c ++++ b/security/apparmor/match/match_default.c @@ -36,12 +36,11 @@ int aamatch_serialize(void *entry_extrad return 0; } @@ -250,10 +250,10 @@ Index: linux-2.6/security/apparmor/match/match_default.c return ret; } -Index: linux-2.6/security/apparmor/match/match_pcre.c +Index: b/security/apparmor/match/match_pcre.c =================================================================== ---- linux-2.6.orig/security/apparmor/match/match_pcre.c -+++ linux-2.6/security/apparmor/match/match_pcre.c +--- a/security/apparmor/match/match_pcre.c ++++ b/security/apparmor/match/match_pcre.c @@ -132,27 +132,26 @@ done: return error; } @@ -271,19 +271,19 @@ Index: linux-2.6/security/apparmor/match/match_pcre.c - (struct aamatch_entry *) entry_extradata; + (struct aamatch_entry *) entry->extradata; - pcreret = pcre_exec(ed->compiled, NULL, + pcreret = pcre_exec(ed->compiled, NULL, pathname, strlen(pathname), 0, 0, NULL, 0); -- ret = (pcreret >= 0); -+ ret = (pcreret >= 0) ? entry->mode : 0; +- ret = (pcreret >= 0); ++ ret = (pcreret >= 0) ? entry->mode : 0; // XXX - this needs access to subdomain_debug, hmmm - //AA_DEBUG("%s(%d): %s %s %d\n", __FUNCTION__, + //AA_DEBUG("%s(%d): %s %s %d\n", __FUNCTION__, // ret, pathname, ed->pattern, pcreret); } else { - ret = aamatch_match_common(pathname, entry_name, entry_type); + ret = aamatch_match_common(entry, pathname); } - return ret; + return ret; diff --git a/kernel-patches/for-mainline/apparmor-minor-stuff.diff b/kernel-patches/for-mainline/apparmor-minor-stuff.diff index 03f55d9d3..b46b9742a 100644 
--- a/kernel-patches/for-mainline/apparmor-minor-stuff.diff +++ b/kernel-patches/for-mainline/apparmor-minor-stuff.diff @@ -4,10 +4,10 @@ Defining and initializing a variable at the same time is okay. Rename struct task *p to . -Index: linux-2.6/security/apparmor/lsm.c +Index: b/security/apparmor/lsm.c =================================================================== ---- linux-2.6.orig/security/apparmor/lsm.c -+++ linux-2.6/security/apparmor/lsm.c +--- a/security/apparmor/lsm.c ++++ b/security/apparmor/lsm.c @@ -66,12 +66,8 @@ MODULE_PARM_DESC(apparmor_logsyscall, "T static int apparmor_ptrace(struct task_struct *parent, struct task_struct *child) diff --git a/kernel-patches/for-mainline/apparmor-novalidfstype.diff b/kernel-patches/for-mainline/apparmor-novalidfstype.diff index bebb74bb6..0ab885dad 100644 --- a/kernel-patches/for-mainline/apparmor-novalidfstype.diff +++ b/kernel-patches/for-mainline/apparmor-novalidfstype.diff @@ -1,7 +1,7 @@ -Index: linux-2.6/security/apparmor/apparmor.h +Index: b/security/apparmor/apparmor.h =================================================================== ---- linux-2.6.orig/security/apparmor/apparmor.h -+++ linux-2.6/security/apparmor/apparmor.h +--- a/security/apparmor/apparmor.h ++++ b/security/apparmor/apparmor.h @@ -25,17 +25,6 @@ extern int apparmor_debug; extern int apparmor_audit; extern int apparmor_logsyscall; @@ -14,8 +14,8 @@ Index: linux-2.6/security/apparmor/apparmor.h -#define INOTIFYFS_MAGIC 0xBAD1DEA - -#define VALID_FSTYPE(inode) ((inode)->i_sb->s_magic != PIPEFS_MAGIC && \ -- (inode)->i_sb->s_magic != SOCKFS_MAGIC && \ -- (inode)->i_sb->s_magic != INOTIFYFS_MAGIC) +- (inode)->i_sb->s_magic != SOCKFS_MAGIC && \ +- (inode)->i_sb->s_magic != INOTIFYFS_MAGIC) - #define PROFILE_COMPLAIN(_profile) \ (apparmor_complain == 1 || ((_profile) && (_profile)->flags.complain)) 
@@ -52,10 +52,10 @@ Index: linux-2.6/security/apparmor/apparmor.h /** * struct subdomain - primary label for confined tasks * @active: the current active profile -Index: linux-2.6/security/apparmor/lsm.c +Index: b/security/apparmor/lsm.c =================================================================== ---- linux-2.6.orig/security/apparmor/lsm.c -+++ linux-2.6/security/apparmor/lsm.c +--- a/security/apparmor/lsm.c ++++ b/security/apparmor/lsm.c @@ -203,6 +203,9 @@ static int apparmor_sb_mount(char *dev_n if (active) { error = aa_audit_syscallreject(active, GFP_KERNEL, "mount"); diff --git a/kernel-patches/for-mainline/apparmor-setprocattr.diff b/kernel-patches/for-mainline/apparmor-setprocattr.diff index 10dbc726d..6863f8336 100644 --- a/kernel-patches/for-mainline/apparmor-setprocattr.diff +++ b/kernel-patches/for-mainline/apparmor-setprocattr.diff @@ -5,10 +5,10 @@ I'm not sure we need all the syslogging going on here. There are some self-explanatory comments (not only here). -Index: linux-2.6-apparmor/security/apparmor/lsm.c +Index: b/security/apparmor/lsm.c =================================================================== ---- linux-2.6-apparmor.orig/security/apparmor/lsm.c -+++ linux-2.6-apparmor/security/apparmor/lsm.c +--- a/security/apparmor/lsm.c ++++ b/security/apparmor/lsm.c @@ -594,19 +594,15 @@ static int apparmor_setprocattr(struct t const char *cmd_changehat = "changehat ", *cmd_setprofile = "setprofile "; diff --git a/kernel-patches/for-mainline/apparmor-single_module.diff b/kernel-patches/for-mainline/apparmor-single_module.diff index dde23f8f0..a8d44564b 100644 --- a/kernel-patches/for-mainline/apparmor-single_module.diff +++ b/kernel-patches/for-mainline/apparmor-single_module.diff 
@@ -1,7 +1,7 @@ -Index: linux-2.6/security/apparmor/Makefile +Index: b/security/apparmor/Makefile =================================================================== ---- linux-2.6.orig/security/apparmor/Makefile -+++ linux-2.6/security/apparmor/Makefile +--- a/security/apparmor/Makefile ++++ b/security/apparmor/Makefile @@ -1,6 +1,6 @@ # Makefile for AppArmor Linux Security Module # @@ -11,10 +11,10 @@ Index: linux-2.6/security/apparmor/Makefile apparmor-y := main.o list.o procattr.o lsm.o apparmorfs.o capabilities.o \ - module_interface.o + module_interface.o match.o -Index: linux-2.6/security/apparmor/apparmor.h +Index: b/security/apparmor/apparmor.h =================================================================== ---- linux-2.6.orig/security/apparmor/apparmor.h -+++ linux-2.6/security/apparmor/apparmor.h +--- a/security/apparmor/apparmor.h ++++ b/security/apparmor/apparmor.h @@ -17,6 +17,7 @@ #include @@ -115,10 +115,10 @@ Index: linux-2.6/security/apparmor/apparmor.h +unsigned int aamatch(struct aa_dfa *dfa, const char *pathname); + #endif /* __APPARMOR_H */ -Index: linux-2.6/security/apparmor/inline.h +Index: b/security/apparmor/inline.h =================================================================== ---- linux-2.6.orig/security/apparmor/inline.h -+++ linux-2.6/security/apparmor/inline.h +--- a/security/apparmor/inline.h ++++ b/security/apparmor/inline.h @@ -199,14 +199,8 @@ static inline struct aaprofile *alloc_aa GFP_KERNEL); AA_DEBUG("%s(%p)\n", __FUNCTION__, profile); @@ -134,10 +134,10 @@ Index: linux-2.6/security/apparmor/inline.h INIT_RCU_HEAD(&profile->rcu); kref_init(&profile->count); } -Index: linux-2.6/security/apparmor/main.c +Index: b/security/apparmor/main.c =================================================================== ---- linux-2.6.orig/security/apparmor/main.c -+++ linux-2.6/security/apparmor/main.c +--- a/security/apparmor/main.c ++++ b/security/apparmor/main.c @@ -14,7 +14,6 @@ #include 
@@ -349,9 +349,9 @@ Index: linux-2.6/security/apparmor/main.c case AA_EXEC_INHERIT: /* do nothing - setting of profile * already handed in aa_fork -Index: linux-2.6/security/apparmor/match/Kbuild +Index: b/security/apparmor/match/Kbuild =================================================================== ---- linux-2.6.orig/security/apparmor/match/Kbuild +--- a/security/apparmor/match/Kbuild +++ /dev/null @@ -1,6 +0,0 @@ -# Makefile for AppArmor aamatch submodule @@ -360,9 +360,9 @@ Index: linux-2.6/security/apparmor/match/Kbuild -obj-$(CONFIG_SECURITY_APPARMOR) += aamatch_dfa.o - -aamatch_dfa-y := match_dfa.o -Index: linux-2.6/security/apparmor/match/Makefile +Index: b/security/apparmor/match/Makefile =================================================================== ---- linux-2.6.orig/security/apparmor/match/Makefile +--- a/security/apparmor/match/Makefile +++ /dev/null @@ -1,5 +0,0 @@ -# Makefile for AppArmor aamatch submodule @@ -370,9 +370,9 @@ Index: linux-2.6/security/apparmor/match/Makefile -obj-$(CONFIG_SECURITY_APPARMOR) += aamatch_pcre.o - -aamatch_pcre-y := match_pcre.o pcre_exec.o -Index: linux-2.6/security/apparmor/match/match.h +Index: b/security/apparmor/match/match.h =================================================================== ---- linux-2.6.orig/security/apparmor/match/match.h +--- a/security/apparmor/match/match.h +++ /dev/null @@ -1,126 +0,0 @@ -/* @@ -501,9 +501,9 @@ Index: linux-2.6/security/apparmor/match/match.h -} - -#endif /* __MATCH_H */ -Index: linux-2.6/security/apparmor/match/match_default.c +Index: b/security/apparmor/match/match_default.c =================================================================== ---- linux-2.6.orig/security/apparmor/match/match_default.c +--- a/security/apparmor/match/match_default.c +++ /dev/null @@ -1,56 +0,0 @@ -/* 
@@ -562,9 +562,9 @@ Index: linux-2.6/security/apparmor/match/match_default.c -MODULE_DESCRIPTION("AppArmor match module (aamatch) [default]"); -MODULE_AUTHOR("Tony Jones "); -MODULE_LICENSE("GPL"); -Index: linux-2.6/security/apparmor/match/match_dfa.c +Index: b/security/apparmor/match/match_dfa.c =================================================================== ---- linux-2.6.orig/security/apparmor/match/match_dfa.c +--- a/security/apparmor/match/match_dfa.c +++ /dev/null @@ -1,398 +0,0 @@ -/* @@ -965,9 +965,9 @@ Index: linux-2.6/security/apparmor/match/match_dfa.c -MODULE_DESCRIPTION("AppArmor aa_match module [dfa]"); -MODULE_AUTHOR("John Johansen "); -MODULE_LICENSE("GPL"); -Index: linux-2.6/security/apparmor/match/match_pcre.c +Index: b/security/apparmor/match/match_pcre.c =================================================================== ---- linux-2.6.orig/security/apparmor/match/match_pcre.c +--- a/security/apparmor/match/match_pcre.c +++ /dev/null @@ -1,168 +0,0 @@ -/* @@ -1113,20 +1113,20 @@ Index: linux-2.6/security/apparmor/match/match_pcre.c - struct aamatch_entry *ed = - (struct aamatch_entry *) entry->extradata; - -- pcreret = pcre_exec(ed->compiled, NULL, +- pcreret = pcre_exec(ed->compiled, NULL, - pathname, strlen(pathname), - 0, 0, NULL, 0); - -- ret = (pcreret >= 0) ? entry->mode : 0; +- ret = (pcreret >= 0) ? entry->mode : 0; - - // XXX - this needs access to subdomain_debug, hmmm -- //AA_DEBUG("%s(%d): %s %s %d\n", __FUNCTION__, +- //AA_DEBUG("%s(%d): %s %s %d\n", __FUNCTION__, - // ret, pathname, ed->pattern, pcreret); - } else { - ret = aamatch_match_common(entry, pathname); - } - -- return ret; +- return ret; -} - -EXPORT_SYMBOL_GPL(aamatch_alloc); 
@@ -1138,9 +1138,9 @@ Index: linux-2.6/security/apparmor/match/match_pcre.c -MODULE_DESCRIPTION("AppArmor aa_match module [pcre]"); -MODULE_AUTHOR("Tony Jones "); -MODULE_LICENSE("GPL"); -Index: linux-2.6/security/apparmor/match/pcre_exec.c +Index: b/security/apparmor/match/pcre_exec.c =================================================================== ---- linux-2.6.orig/security/apparmor/match/pcre_exec.c +--- a/security/apparmor/match/pcre_exec.c +++ /dev/null @@ -1,1945 +0,0 @@ -/* @@ -1160,7 +1160,7 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - -Written by: Philip Hazel - -- Copyright (c) 1997-2001 University of Cambridge +- Copyright (c) 1997-2001 University of Cambridge - ------------------------------------------------------------------------------ -Permission is granted to anyone to use this software for any purpose on any @@ -1373,10 +1373,10 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - md pointer to "static" info for the match - ims current /i, /m, and /s options - eptrb pointer to chain of blocks containing eptr at start of -- brackets - for testing for empty matches +- brackets - for testing for empty matches - flags can contain -- match_condassert - this is an assertion condition -- match_isgroup - this is the start of a bracketed group +- match_condassert - this is an assertion condition +- match_isgroup - this is the start of a bracketed group - -Returns: TRUE if matched -*/ @@ -1452,11 +1452,11 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - md->offset_vector[md->offset_end - number] = eptr - md->start_subject; - - do -- { -- if (match(eptr, ecode+3, offset_top, md, ims, eptrb, match_isgroup)) -- return TRUE; -- ecode += (ecode[1] << 8) + ecode[2]; -- } +- { +- if (match(eptr, ecode+3, offset_top, md, ims, eptrb, match_isgroup)) +- return TRUE; +- ecode += (ecode[1] << 8) + ecode[2]; +- } - while (*ecode == OP_ALT); - - DPRINTF(("bracket %d failed\n", number)); 
@@ -1482,7 +1482,7 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - do - { - if (match(eptr, ecode+3, offset_top, md, ims, eptrb, match_isgroup)) -- return TRUE; +- return TRUE; - ecode += (ecode[1] << 8) + ecode[2]; - } - while (*ecode == OP_ALT); @@ -1499,9 +1499,9 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - { - int offset = (ecode[4] << 9) | (ecode[5] << 1); /* Doubled ref number */ - return match(eptr, -- ecode + ((offset < offset_top && md->offset_vector[offset] >= 0)? -- 6 : 3 + (ecode[1] << 8) + ecode[2]), -- offset_top, md, ims, eptrb, match_isgroup); +- ecode + ((offset < offset_top && md->offset_vector[offset] >= 0)? +- 6 : 3 + (ecode[1] << 8) + ecode[2]), +- offset_top, md, ims, eptrb, match_isgroup); - } - - /* The condition is an assertion. Call match() to evaluate it - setting @@ -1510,11 +1510,11 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - else - { - if (match(eptr, ecode+3, offset_top, md, ims, NULL, -- match_condassert | match_isgroup)) -- { -- ecode += 3 + (ecode[4] << 8) + ecode[5]; -- while (*ecode == OP_ALT) ecode += (ecode[1] << 8) + ecode[2]; -- } +- match_condassert | match_isgroup)) +- { +- ecode += 3 + (ecode[4] << 8) + ecode[5]; +- while (*ecode == OP_ALT) ecode += (ecode[1] << 8) + ecode[2]; +- } - else ecode += (ecode[1] << 8) + ecode[2]; - return match(eptr, ecode+3, offset_top, md, ims, eptrb, match_isgroup); - } @@ -1580,7 +1580,7 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - do - { - if (match(eptr, ecode+3, offset_top, md, ims, NULL, match_isgroup)) -- return FALSE; +- return FALSE; - ecode += (ecode[1] << 8) + ecode[2]; - } - while (*ecode == OP_ALT); 
@@ -1632,21 +1632,21 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - c = md->offset_max; - - if (c < 16) save = stacksave; else -- { -- save = (int *)(pcre_malloc)((c+1) * sizeof(int)); -- if (save == NULL) -- { -- save = stacksave; -- c = 15; -- } -- } +- { +- save = (int *)(pcre_malloc)((c+1) * sizeof(int)); +- if (save == NULL) +- { +- save = stacksave; +- c = 15; +- } +- } - - for (i = 1; i <= c; i++) -- save[i] = md->offset_vector[md->offset_end - i]; +- save[i] = md->offset_vector[md->offset_end - i]; - rc = match(eptr, md->start_pattern, offset_top, md, ims, eptrb, -- match_isgroup); +- match_isgroup); - for (i = 1; i <= c; i++) -- md->offset_vector[md->offset_end - i] = save[i]; +- md->offset_vector[md->offset_end - i] = save[i]; - if (save != stacksave) (pcre_free)(save); - if (!rc) return FALSE; - @@ -1673,11 +1673,11 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - const uschar *saved_eptr = eptr; - - do -- { -- if (match(eptr, ecode+3, offset_top, md, ims, eptrb, match_isgroup)) -- break; -- ecode += (ecode[1] << 8) + ecode[2]; -- } +- { +- if (match(eptr, ecode+3, offset_top, md, ims, eptrb, match_isgroup)) +- break; +- ecode += (ecode[1] << 8) + ecode[2]; +- } - while (*ecode == OP_ALT); - - /* If hit the end of the group (which could be repeated), fail */ @@ -1699,10 +1699,10 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - course of events. */ - - if (*ecode == OP_KET || eptr == saved_eptr) -- { -- ecode += 3; -- break; -- } +- { +- ecode += 3; +- break; +- } - - /* The repeating kets try the rest of the pattern or restart from the - preceding bracket, in the appropriate order. We need to reset any options 
@@ -1710,22 +1710,22 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - opcode. */ - - if (ecode[3] == OP_OPT) -- { -- ims = (ims & ~PCRE_IMS) | ecode[4]; -- DPRINTF(("ims set to %02lx at group repeat\n", ims)); -- } +- { +- ims = (ims & ~PCRE_IMS) | ecode[4]; +- DPRINTF(("ims set to %02lx at group repeat\n", ims)); +- } - - if (*ecode == OP_KETRMIN) -- { -- if (match(eptr, ecode+3, offset_top, md, ims, eptrb, 0) || -- match(eptr, prev, offset_top, md, ims, eptrb, match_isgroup)) -- return TRUE; -- } +- { +- if (match(eptr, ecode+3, offset_top, md, ims, eptrb, 0) || +- match(eptr, prev, offset_top, md, ims, eptrb, match_isgroup)) +- return TRUE; +- } - else /* OP_KETRMAX */ -- { -- if (match(eptr, prev, offset_top, md, ims, eptrb, match_isgroup) || -- match(eptr, ecode+3, offset_top, md, ims, eptrb, 0)) return TRUE; -- } +- { +- if (match(eptr, prev, offset_top, md, ims, eptrb, match_isgroup) || +- match(eptr, ecode+3, offset_top, md, ims, eptrb, 0)) return TRUE; +- } - } - return FALSE; - @@ -1746,7 +1746,7 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - { - const uschar *next = ecode+1; - if (match(eptr, next, offset_top, md, ims, eptrb, match_isgroup)) -- return TRUE; +- return TRUE; - do next += (next[1] << 8) + next[2]; while (*next == OP_ALT); - ecode = next + 3; - } @@ -1757,7 +1757,7 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - const uschar *next = ecode+1; - do next += (next[1] << 8) + next[2]; while (*next == OP_ALT); - if (match(eptr, next+3, offset_top, md, ims, eptrb, match_isgroup)) -- return TRUE; +- return TRUE; - ecode++; - } - break; 
@@ -1777,45 +1777,45 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - eptrb = eptrb->prev; /* Back up the stack of bracket start pointers */ - - if (*prev == OP_ASSERT || *prev == OP_ASSERT_NOT || -- *prev == OP_ASSERTBACK || *prev == OP_ASSERTBACK_NOT || -- *prev == OP_ONCE) -- { -- md->end_match_ptr = eptr; /* For ONCE */ -- md->end_offset_top = offset_top; -- return TRUE; -- } +- *prev == OP_ASSERTBACK || *prev == OP_ASSERTBACK_NOT || +- *prev == OP_ONCE) +- { +- md->end_match_ptr = eptr; /* For ONCE */ +- md->end_offset_top = offset_top; +- return TRUE; +- } - - /* In all other cases except a conditional group we have to check the - group number back at the start and if necessary complete handling an - extraction by setting the offsets and bumping the high water mark. */ - - if (*prev != OP_COND) -- { -- int offset; -- int number = *prev - OP_BRA; +- { +- int offset; +- int number = *prev - OP_BRA; - -- /* For extended extraction brackets (large number), we have to fish out -- the number from a dummy opcode at the start. */ +- /* For extended extraction brackets (large number), we have to fish out +- the number from a dummy opcode at the start. 
*/ - -- if (number > EXTRACT_BASIC_MAX) number = (prev[4] << 8) | prev[5]; -- offset = number << 1; +- if (number > EXTRACT_BASIC_MAX) number = (prev[4] << 8) | prev[5]; +- offset = number << 1; - -#ifdef DEBUG -- PCRE_PRINTF("end bracket %d", number); -- PCRE_PRINTF("\n"); +- PCRE_PRINTF("end bracket %d", number); +- PCRE_PRINTF("\n"); -#endif - -- if (number > 0) -- { -- if (offset >= md->offset_max) md->offset_overflow = TRUE; else -- { -- md->offset_vector[offset] = -- md->offset_vector[md->offset_end - number]; -- md->offset_vector[offset+1] = eptr - md->start_subject; -- if (offset_top <= offset) offset_top = offset + 2; -- } -- } -- } +- if (number > 0) +- { +- if (offset >= md->offset_max) md->offset_overflow = TRUE; else +- { +- md->offset_vector[offset] = +- md->offset_vector[md->offset_end - number]; +- md->offset_vector[offset+1] = eptr - md->start_subject; +- if (offset_top <= offset) offset_top = offset + 2; +- } +- } +- } - - /* Reset the value of the ims flags, in case they got changed during - the group. */ 
@@ -1830,25 +1830,25 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - course of events. */ - - if (*ecode == OP_KET || eptr == saved_eptr) -- { -- ecode += 3; -- break; -- } +- { +- ecode += 3; +- break; +- } - - /* The repeating kets try the rest of the pattern or restart from the - preceding bracket, in the appropriate order. */ - - if (*ecode == OP_KETRMIN) -- { -- if (match(eptr, ecode+3, offset_top, md, ims, eptrb, 0) || -- match(eptr, prev, offset_top, md, ims, eptrb, match_isgroup)) -- return TRUE; -- } +- { +- if (match(eptr, ecode+3, offset_top, md, ims, eptrb, 0) || +- match(eptr, prev, offset_top, md, ims, eptrb, match_isgroup)) +- return TRUE; +- } - else /* OP_KETRMAX */ -- { -- if (match(eptr, prev, offset_top, md, ims, eptrb, match_isgroup) || -- match(eptr, ecode+3, offset_top, md, ims, eptrb, 0)) return TRUE; -- } +- { +- if (match(eptr, prev, offset_top, md, ims, eptrb, match_isgroup) || +- match(eptr, ecode+3, offset_top, md, ims, eptrb, 0)) return TRUE; +- } - } - return FALSE; - @@ -1878,7 +1878,7 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - if ((ims & PCRE_MULTILINE) != 0) - { - if (eptr < md->end_subject) { if (*eptr != NEWLINE) return FALSE; } -- else { if (md->noteol) return FALSE; } +- else { if (md->noteol) return FALSE; } - ecode++; - break; - } @@ -1886,13 +1886,13 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - { - if (md->noteol) return FALSE; - if (!md->endonly) -- { -- if (eptr < md->end_subject - 1 || -- (eptr == md->end_subject - 1 && *eptr != NEWLINE)) return FALSE; +- { +- if (eptr < md->end_subject - 1 || +- (eptr == md->end_subject - 1 && *eptr != NEWLINE)) return FALSE; - -- ecode++; -- break; -- } +- ecode++; +- break; +- } - } - /* ... else fall through */ - 
@@ -1917,12 +1917,12 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - case OP_WORD_BOUNDARY: - { - BOOL prev_is_word = (eptr != md->start_subject) && -- ((md->ctypes[eptr[-1]] & ctype_word) != 0); +- ((md->ctypes[eptr[-1]] & ctype_word) != 0); - BOOL cur_is_word = (eptr < md->end_subject) && -- ((md->ctypes[*eptr] & ctype_word) != 0); +- ((md->ctypes[*eptr] & ctype_word) != 0); - if ((*ecode++ == OP_WORD_BOUNDARY)? -- cur_is_word == prev_is_word : cur_is_word != prev_is_word) -- return FALSE; +- cur_is_word == prev_is_word : cur_is_word != prev_is_word) +- return FALSE; - } - break; - 
@@ -2001,40 +2001,40 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - minima. */ - - length = (offset >= offset_top || md->offset_vector[offset] < 0)? -- md->end_subject - eptr + 1 : -- md->offset_vector[offset+1] - md->offset_vector[offset]; +- md->end_subject - eptr + 1 : +- md->offset_vector[offset+1] - md->offset_vector[offset]; - - /* Set up for repetition, or handle the non-repeated case */ - - switch (*ecode) -- { -- case OP_CRSTAR: -- case OP_CRMINSTAR: -- case OP_CRPLUS: -- case OP_CRMINPLUS: -- case OP_CRQUERY: -- case OP_CRMINQUERY: -- c = *ecode++ - OP_CRSTAR; -- minimize = (c & 1) != 0; -- min = rep_min[c]; /* Pick up values from tables; */ -- max = rep_max[c]; /* zero for max => infinity */ -- if (max == 0) max = INT_MAX; -- break; +- { +- case OP_CRSTAR: +- case OP_CRMINSTAR: +- case OP_CRPLUS: +- case OP_CRMINPLUS: +- case OP_CRQUERY: +- case OP_CRMINQUERY: +- c = *ecode++ - OP_CRSTAR; +- minimize = (c & 1) != 0; +- min = rep_min[c]; /* Pick up values from tables; */ +- max = rep_max[c]; /* zero for max => infinity */ +- if (max == 0) max = INT_MAX; +- break; - -- case OP_CRRANGE: -- case OP_CRMINRANGE: -- minimize = (*ecode == OP_CRMINRANGE); -- min = (ecode[1] << 8) + ecode[2]; -- max = (ecode[3] << 8) + ecode[4]; -- if (max == 0) max = INT_MAX; -- ecode += 5; -- break; +- case OP_CRRANGE: +- case OP_CRMINRANGE: +- minimize = (*ecode == OP_CRMINRANGE); +- min = (ecode[1] << 8) + ecode[2]; +- max = (ecode[3] << 8) + ecode[4]; +- if (max == 0) max = INT_MAX; +- ecode += 5; +- break; - -- default: /* No repeat follows */ -- if (!match_ref(offset, eptr, length, md, ims)) return FALSE; -- eptr += length; -- continue; /* With the main loop */ -- } +- default: /* No repeat follows */ +- if (!match_ref(offset, eptr, length, md, ims)) return FALSE; +- eptr += length; +- continue; /* With the main loop */ +- } - - /* If the length of the reference is zero, just continue with the - main loop. */ 
@@ -2046,10 +2046,10 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - address of eptr, so that eptr can be a register variable. */ - - for (i = 1; i <= min; i++) -- { -- if (!match_ref(offset, eptr, length, md, ims)) return FALSE; -- eptr += length; -- } +- { +- if (!match_ref(offset, eptr, length, md, ims)) return FALSE; +- eptr += length; +- } - - /* If min = max, continue at the same level without recursion. - They are not both allowed to be zero. */ @@ -2059,36 +2059,36 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - /* If minimizing, keep trying and advancing the pointer */ - - if (minimize) -- { -- for (i = min;; i++) -- { -- if (match(eptr, ecode, offset_top, md, ims, eptrb, 0)) -- return TRUE; -- if (i >= max || !match_ref(offset, eptr, length, md, ims)) -- return FALSE; -- eptr += length; -- } -- /* Control never gets here */ -- } +- { +- for (i = min;; i++) +- { +- if (match(eptr, ecode, offset_top, md, ims, eptrb, 0)) +- return TRUE; +- if (i >= max || !match_ref(offset, eptr, length, md, ims)) +- return FALSE; +- eptr += length; +- } +- /* Control never gets here */ +- } - - /* If maximizing, find the longest string and work backwards */ - - else -- { -- const uschar *pp = eptr; -- for (i = min; i < max; i++) -- { -- if (!match_ref(offset, eptr, length, md, ims)) break; -- eptr += length; -- } -- while (eptr >= pp) -- { -- if (match(eptr, ecode, offset_top, md, ims, eptrb, 0)) -- return TRUE; -- eptr -= length; -- } -- return FALSE; -- } +- { +- const uschar *pp = eptr; +- for (i = min; i < max; i++) +- { +- if (!match_ref(offset, eptr, length, md, ims)) break; +- eptr += length; +- } +- while (eptr >= pp) +- { +- if (match(eptr, ecode, offset_top, md, ims, eptrb, 0)) +- return TRUE; +- eptr -= length; +- } +- return FALSE; +- } - } - /* Control never gets here */ - 
@@ -2104,49 +2104,49 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - ecode += 33; /* Advance past the item */ - - switch (*ecode) -- { -- case OP_CRSTAR: -- case OP_CRMINSTAR: -- case OP_CRPLUS: -- case OP_CRMINPLUS: -- case OP_CRQUERY: -- case OP_CRMINQUERY: -- c = *ecode++ - OP_CRSTAR; -- minimize = (c & 1) != 0; -- min = rep_min[c]; /* Pick up values from tables; */ -- max = rep_max[c]; /* zero for max => infinity */ -- if (max == 0) max = INT_MAX; -- break; +- { +- case OP_CRSTAR: +- case OP_CRMINSTAR: +- case OP_CRPLUS: +- case OP_CRMINPLUS: +- case OP_CRQUERY: +- case OP_CRMINQUERY: +- c = *ecode++ - OP_CRSTAR; +- minimize = (c & 1) != 0; +- min = rep_min[c]; /* Pick up values from tables; */ +- max = rep_max[c]; /* zero for max => infinity */ +- if (max == 0) max = INT_MAX; +- break; - -- case OP_CRRANGE: -- case OP_CRMINRANGE: -- minimize = (*ecode == OP_CRMINRANGE); -- min = (ecode[1] << 8) + ecode[2]; -- max = (ecode[3] << 8) + ecode[4]; -- if (max == 0) max = INT_MAX; -- ecode += 5; -- break; +- case OP_CRRANGE: +- case OP_CRMINRANGE: +- minimize = (*ecode == OP_CRMINRANGE); +- min = (ecode[1] << 8) + ecode[2]; +- max = (ecode[3] << 8) + ecode[4]; +- if (max == 0) max = INT_MAX; +- ecode += 5; +- break; - -- default: /* No repeat follows */ -- min = max = 1; -- break; -- } +- default: /* No repeat follows */ +- min = max = 1; +- break; +- } - - /* First, ensure the minimum number of matches are present. 
*/ - - for (i = 1; i <= min; i++) -- { -- if (eptr >= md->end_subject) return FALSE; -- GETCHARINC(c, eptr) /* Get character; increment eptr */ +- { +- if (eptr >= md->end_subject) return FALSE; +- GETCHARINC(c, eptr) /* Get character; increment eptr */ - -#ifdef SUPPORT_UTF8 -- /* We do not yet support class members > 255 */ -- if (c > 255) return FALSE; +- /* We do not yet support class members > 255 */ +- if (c > 255) return FALSE; -#endif - -- if ((data[c/8] & (1 << (c&7))) != 0) continue; -- return FALSE; -- } +- if ((data[c/8] & (1 << (c&7))) != 0) continue; +- return FALSE; +- } - - /* If max == min we can continue with the main loop without the - need to recurse. */ 
@@ -2157,54 +2157,54 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - the pointer while it matches the class. */ - - if (minimize) -- { -- for (i = min;; i++) -- { -- if (match(eptr, ecode, offset_top, md, ims, eptrb, 0)) -- return TRUE; -- if (i >= max || eptr >= md->end_subject) return FALSE; -- GETCHARINC(c, eptr) /* Get character; increment eptr */ +- { +- for (i = min;; i++) +- { +- if (match(eptr, ecode, offset_top, md, ims, eptrb, 0)) +- return TRUE; +- if (i >= max || eptr >= md->end_subject) return FALSE; +- GETCHARINC(c, eptr) /* Get character; increment eptr */ - -#ifdef SUPPORT_UTF8 -- /* We do not yet support class members > 255 */ -- if (c > 255) return FALSE; +- /* We do not yet support class members > 255 */ +- if (c > 255) return FALSE; -#endif -- if ((data[c/8] & (1 << (c&7))) != 0) continue; -- return FALSE; -- } -- /* Control never gets here */ -- } +- if ((data[c/8] & (1 << (c&7))) != 0) continue; +- return FALSE; +- } +- /* Control never gets here */ +- } - - /* If maximizing, find the longest possible run, then work backwards. 
*/ - - else -- { -- const uschar *pp = eptr; -- int len = 1; -- for (i = min; i < max; i++) -- { -- if (eptr >= md->end_subject) break; -- GETCHARLEN(c, eptr, len) /* Get character, set length if UTF-8 */ +- { +- const uschar *pp = eptr; +- int len = 1; +- for (i = min; i < max; i++) +- { +- if (eptr >= md->end_subject) break; +- GETCHARLEN(c, eptr, len) /* Get character, set length if UTF-8 */ - -#ifdef SUPPORT_UTF8 -- /* We do not yet support class members > 255 */ -- if (c > 255) break; +- /* We do not yet support class members > 255 */ +- if (c > 255) break; -#endif -- if ((data[c/8] & (1 << (c&7))) == 0) break; -- eptr += len; -- } +- if ((data[c/8] & (1 << (c&7))) == 0) break; +- eptr += len; +- } - -- while (eptr >= pp) -- { -- if (match(eptr--, ecode, offset_top, md, ims, eptrb, 0)) -- return TRUE; +- while (eptr >= pp) +- { +- if (match(eptr--, ecode, offset_top, md, ims, eptrb, 0)) +- return TRUE; - -#ifdef SUPPORT_UTF8 -- BACKCHAR(eptr) +- BACKCHAR(eptr) -#endif -- } -- return FALSE; -- } +- } +- return FALSE; +- } - } - /* Control never gets here */ - 
@@ -2217,28 +2217,28 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - -#ifdef DEBUG /* Sigh. Some compilers never learn. */ - if (eptr >= md->end_subject) -- PCRE_PRINTF("matching subject against pattern "); +- PCRE_PRINTF("matching subject against pattern "); - else -- { -- PCRE_PRINTF("matching subject "); -- pchars(eptr, length, TRUE, md); -- PCRE_PRINTF(" against pattern "); -- } +- { +- PCRE_PRINTF("matching subject "); +- pchars(eptr, length, TRUE, md); +- PCRE_PRINTF(" against pattern "); +- } - pchars(ecode, length, FALSE, md); - PCRE_PRINTF("\n"); -#endif - - if (length > md->end_subject - eptr) return FALSE; - if ((ims & PCRE_CASELESS) != 0) -- { -- while (length-- > 0) -- if (md->lcc[*ecode++] != md->lcc[*eptr++]) -- return FALSE; -- } +- { +- while (length-- > 0) +- if (md->lcc[*ecode++] != md->lcc[*eptr++]) +- return FALSE; +- } - else -- { -- while (length-- > 0) if (*ecode++ != *eptr++) return FALSE; -- } +- { +- while (length-- > 0) if (*ecode++ != *eptr++) return FALSE; +- } - } - break; - 
@@ -2292,33 +2292,33 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - { - c = md->lcc[c]; - for (i = 1; i <= min; i++) -- if (c != md->lcc[*eptr++]) return FALSE; +- if (c != md->lcc[*eptr++]) return FALSE; - if (min == max) continue; - if (minimize) -- { -- for (i = min;; i++) -- { -- if (match(eptr, ecode, offset_top, md, ims, eptrb, 0)) -- return TRUE; -- if (i >= max || eptr >= md->end_subject || -- c != md->lcc[*eptr++]) -- return FALSE; -- } -- /* Control never gets here */ -- } +- { +- for (i = min;; i++) +- { +- if (match(eptr, ecode, offset_top, md, ims, eptrb, 0)) +- return TRUE; +- if (i >= max || eptr >= md->end_subject || +- c != md->lcc[*eptr++]) +- return FALSE; +- } +- /* Control never gets here */ +- } - else -- { -- const uschar *pp = eptr; -- for (i = min; i < max; i++) -- { -- if (eptr >= md->end_subject || c != md->lcc[*eptr]) break; -- eptr++; -- } -- while (eptr >= pp) -- if (match(eptr--, ecode, offset_top, md, ims, eptrb, 0)) -- return TRUE; -- return FALSE; -- } +- { +- const uschar *pp = eptr; +- for (i = min; i < max; i++) +- { +- if (eptr >= md->end_subject || c != md->lcc[*eptr]) break; +- eptr++; +- } +- while (eptr >= pp) +- if (match(eptr--, ecode, offset_top, md, ims, eptrb, 0)) +- return TRUE; +- return FALSE; +- } - /* Control never gets here */ - } - 
@@ -2329,28 +2329,28 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - for (i = 1; i <= min; i++) if (c != *eptr++) return FALSE; - if (min == max) continue; - if (minimize) -- { -- for (i = min;; i++) -- { -- if (match(eptr, ecode, offset_top, md, ims, eptrb, 0)) -- return TRUE; -- if (i >= max || eptr >= md->end_subject || c != *eptr++) return FALSE; -- } -- /* Control never gets here */ -- } +- { +- for (i = min;; i++) +- { +- if (match(eptr, ecode, offset_top, md, ims, eptrb, 0)) +- return TRUE; +- if (i >= max || eptr >= md->end_subject || c != *eptr++) return FALSE; +- } +- /* Control never gets here */ +- } - else -- { -- const uschar *pp = eptr; -- for (i = min; i < max; i++) -- { -- if (eptr >= md->end_subject || c != *eptr) break; -- eptr++; -- } -- while (eptr >= pp) -- if (match(eptr--, ecode, offset_top, md, ims, eptrb, 0)) -- return TRUE; -- return FALSE; -- } +- { +- const uschar *pp = eptr; +- for (i = min; i < max; i++) +- { +- if (eptr >= md->end_subject || c != *eptr) break; +- eptr++; +- } +- while (eptr >= pp) +- if (match(eptr--, ecode, offset_top, md, ims, eptrb, 0)) +- return TRUE; +- return FALSE; +- } - } - /* Control never gets here */ - 
@@ -2423,33 +2423,33 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - { - c = md->lcc[c]; - for (i = 1; i <= min; i++) -- if (c == md->lcc[*eptr++]) return FALSE; +- if (c == md->lcc[*eptr++]) return FALSE; - if (min == max) continue; - if (minimize) -- { -- for (i = min;; i++) -- { -- if (match(eptr, ecode, offset_top, md, ims, eptrb, 0)) -- return TRUE; -- if (i >= max || eptr >= md->end_subject || -- c == md->lcc[*eptr++]) -- return FALSE; -- } -- /* Control never gets here */ -- } +- { +- for (i = min;; i++) +- { +- if (match(eptr, ecode, offset_top, md, ims, eptrb, 0)) +- return TRUE; +- if (i >= max || eptr >= md->end_subject || +- c == md->lcc[*eptr++]) +- return FALSE; +- } +- /* Control never gets here */ +- } - else -- { -- const uschar *pp = eptr; -- for (i = min; i < max; i++) -- { -- if (eptr >= md->end_subject || c == md->lcc[*eptr]) break; -- eptr++; -- } -- while (eptr >= pp) -- if (match(eptr--, ecode, offset_top, md, ims, eptrb, 0)) -- return TRUE; -- return FALSE; -- } +- { +- const uschar *pp = eptr; +- for (i = min; i < max; i++) +- { +- if (eptr >= md->end_subject || c == md->lcc[*eptr]) break; +- eptr++; +- } +- while (eptr >= pp) +- if (match(eptr--, ecode, offset_top, md, ims, eptrb, 0)) +- return TRUE; +- return FALSE; +- } - /* Control never gets here */ - } - 
@@ -2460,28 +2460,28 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - for (i = 1; i <= min; i++) if (c == *eptr++) return FALSE; - if (min == max) continue; - if (minimize) -- { -- for (i = min;; i++) -- { -- if (match(eptr, ecode, offset_top, md, ims, eptrb, 0)) -- return TRUE; -- if (i >= max || eptr >= md->end_subject || c == *eptr++) return FALSE; -- } -- /* Control never gets here */ -- } +- { +- for (i = min;; i++) +- { +- if (match(eptr, ecode, offset_top, md, ims, eptrb, 0)) +- return TRUE; +- if (i >= max || eptr >= md->end_subject || c == *eptr++) return FALSE; +- } +- /* Control never gets here */ +- } - else -- { -- const uschar *pp = eptr; -- for (i = min; i < max; i++) -- { -- if (eptr >= md->end_subject || c == *eptr) break; -- eptr++; -- } -- while (eptr >= pp) -- if (match(eptr--, ecode, offset_top, md, ims, eptrb, 0)) -- return TRUE; -- return FALSE; -- } +- { +- const uschar *pp = eptr; +- for (i = min; i < max; i++) +- { +- if (eptr >= md->end_subject || c == *eptr) break; +- eptr++; +- } +- while (eptr >= pp) +- if (match(eptr--, ecode, offset_top, md, ims, eptrb, 0)) +- return TRUE; +- return FALSE; +- } - } - /* Control never gets here */ - 
@@ -2533,53 +2533,53 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - case OP_ANY: -#ifdef SUPPORT_UTF8 - if (md->utf8) -- { -- for (i = 1; i <= min; i++) -- { -- if (eptr >= md->end_subject || -- (*eptr++ == NEWLINE && (ims & PCRE_DOTALL) == 0)) -- return FALSE; -- while (eptr < md->end_subject && (*eptr & 0xc0) == 0x80) eptr++; -- } -- break; -- } +- { +- for (i = 1; i <= min; i++) +- { +- if (eptr >= md->end_subject || +- (*eptr++ == NEWLINE && (ims & PCRE_DOTALL) == 0)) +- return FALSE; +- while (eptr < md->end_subject && (*eptr & 0xc0) == 0x80) eptr++; +- } +- break; +- } -#endif - /* Non-UTF8 can be faster */ - if ((ims & PCRE_DOTALL) == 0) -- { for (i = 1; i <= min; i++) if (*eptr++ == NEWLINE) return FALSE; } +- { for (i = 1; i <= min; i++) if (*eptr++ == NEWLINE) return FALSE; } - else eptr += min; - break; - - case OP_NOT_DIGIT: - for (i = 1; i <= min; i++) -- if ((md->ctypes[*eptr++] & ctype_digit) != 0) return FALSE; +- if ((md->ctypes[*eptr++] & ctype_digit) != 0) return FALSE; - break; - - case OP_DIGIT: - for (i = 1; i <= min; i++) -- if ((md->ctypes[*eptr++] & ctype_digit) == 0) return FALSE; +- if ((md->ctypes[*eptr++] & ctype_digit) == 0) return FALSE; - break; - - case OP_NOT_WHITESPACE: - for (i = 1; i <= min; i++) -- if ((md->ctypes[*eptr++] & ctype_space) != 0) return FALSE; +- if ((md->ctypes[*eptr++] & ctype_space) != 0) return FALSE; - break; - - case OP_WHITESPACE: - for (i = 1; i <= min; i++) -- if ((md->ctypes[*eptr++] & ctype_space) == 0) return FALSE; +- if ((md->ctypes[*eptr++] & ctype_space) == 0) return FALSE; - break; - - case OP_NOT_WORDCHAR: - for (i = 1; i <= min; i++) -- if ((md->ctypes[*eptr++] & ctype_word) != 0) -- return FALSE; +- if ((md->ctypes[*eptr++] & ctype_word) != 0) +- return FALSE; - break; - - case OP_WORDCHAR: - for (i = 1; i <= min; i++) -- if ((md->ctypes[*eptr++] & ctype_word) == 0) -- return FALSE; +- if ((md->ctypes[*eptr++] & ctype_word) == 0) +- return FALSE; - break; - } - 
@@ -2593,46 +2593,46 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - if (minimize) - { - for (i = min;; i++) -- { -- if (match(eptr, ecode, offset_top, md, ims, eptrb, 0)) return TRUE; -- if (i >= max || eptr >= md->end_subject) return FALSE; +- { +- if (match(eptr, ecode, offset_top, md, ims, eptrb, 0)) return TRUE; +- if (i >= max || eptr >= md->end_subject) return FALSE; - -- c = *eptr++; -- switch(ctype) -- { -- case OP_ANY: -- if ((ims & PCRE_DOTALL) == 0 && c == NEWLINE) return FALSE; +- c = *eptr++; +- switch(ctype) +- { +- case OP_ANY: +- if ((ims & PCRE_DOTALL) == 0 && c == NEWLINE) return FALSE; -#ifdef SUPPORT_UTF8 -- if (md->utf8) -- while (eptr < md->end_subject && (*eptr & 0xc0) == 0x80) eptr++; +- if (md->utf8) +- while (eptr < md->end_subject && (*eptr & 0xc0) == 0x80) eptr++; -#endif -- break; +- break; - -- case OP_NOT_DIGIT: -- if ((md->ctypes[c] & ctype_digit) != 0) return FALSE; -- break; +- case OP_NOT_DIGIT: +- if ((md->ctypes[c] & ctype_digit) != 0) return FALSE; +- break; - -- case OP_DIGIT: -- if ((md->ctypes[c] & ctype_digit) == 0) return FALSE; -- break; +- case OP_DIGIT: +- if ((md->ctypes[c] & ctype_digit) == 0) return FALSE; +- break; - -- case OP_NOT_WHITESPACE: -- if ((md->ctypes[c] & ctype_space) != 0) return FALSE; -- break; +- case OP_NOT_WHITESPACE: +- if ((md->ctypes[c] & ctype_space) != 0) return FALSE; +- break; - -- case OP_WHITESPACE: -- if ((md->ctypes[c] & ctype_space) == 0) return FALSE; -- break; +- case OP_WHITESPACE: +- if ((md->ctypes[c] & ctype_space) == 0) return FALSE; +- break; - -- case OP_NOT_WORDCHAR: -- if ((md->ctypes[c] & ctype_word) != 0) return FALSE; -- break; +- case OP_NOT_WORDCHAR: +- if ((md->ctypes[c] & ctype_word) != 0) return FALSE; +- break; - -- case OP_WORDCHAR: -- if ((md->ctypes[c] & ctype_word) == 0) return FALSE; -- break; -- } -- } +- case OP_WORDCHAR: +- if ((md->ctypes[c] & ctype_word) == 0) return FALSE; +- break; +- } +- } - /* Control never gets here */ - } - 
@@ -2643,115 +2643,115 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - { - const uschar *pp = eptr; - switch(ctype) -- { -- case OP_ANY: +- { +- case OP_ANY: - -- /* Special code is required for UTF8, but when the maximum is unlimited -- we don't need it. */ +- /* Special code is required for UTF8, but when the maximum is unlimited +- we don't need it. */ - -#ifdef SUPPORT_UTF8 -- if (md->utf8 && max < INT_MAX) -- { -- if ((ims & PCRE_DOTALL) == 0) -- { -- for (i = min; i < max; i++) -- { -- if (eptr >= md->end_subject || *eptr++ == NEWLINE) break; -- while (eptr < md->end_subject && (*eptr & 0xc0) == 0x80) eptr++; -- } -- } -- else -- { -- for (i = min; i < max; i++) -- { -- eptr++; -- while (eptr < md->end_subject && (*eptr & 0xc0) == 0x80) eptr++; -- } -- } -- break; -- } +- if (md->utf8 && max < INT_MAX) +- { +- if ((ims & PCRE_DOTALL) == 0) +- { +- for (i = min; i < max; i++) +- { +- if (eptr >= md->end_subject || *eptr++ == NEWLINE) break; +- while (eptr < md->end_subject && (*eptr & 0xc0) == 0x80) eptr++; +- } +- } +- else +- { +- for (i = min; i < max; i++) +- { +- eptr++; +- while (eptr < md->end_subject && (*eptr & 0xc0) == 0x80) eptr++; +- } +- } +- break; +- } -#endif -- /* Non-UTF8 can be faster */ -- if ((ims & PCRE_DOTALL) == 0) -- { -- for (i = min; i < max; i++) -- { -- if (eptr >= md->end_subject || *eptr == NEWLINE) break; -- eptr++; -- } -- } -- else -- { -- c = max - min; -- if (c > md->end_subject - eptr) c = md->end_subject - eptr; -- eptr += c; -- } -- break; +- /* Non-UTF8 can be faster */ +- if ((ims & PCRE_DOTALL) == 0) +- { +- for (i = min; i < max; i++) +- { +- if (eptr >= md->end_subject || *eptr == NEWLINE) break; +- eptr++; +- } +- } +- else +- { +- c = max - min; +- if (c > md->end_subject - eptr) c = md->end_subject - eptr; +- eptr += c; +- } +- break; - -- case OP_NOT_DIGIT: -- for (i = min; i < max; i++) -- { -- if (eptr >= md->end_subject || (md->ctypes[*eptr] & ctype_digit) != 0) -- break; -- eptr++; -- } -- break; +- 
case OP_NOT_DIGIT: +- for (i = min; i < max; i++) +- { +- if (eptr >= md->end_subject || (md->ctypes[*eptr] & ctype_digit) != 0) +- break; +- eptr++; +- } +- break; - -- case OP_DIGIT: -- for (i = min; i < max; i++) -- { -- if (eptr >= md->end_subject || (md->ctypes[*eptr] & ctype_digit) == 0) -- break; -- eptr++; -- } -- break; +- case OP_DIGIT: +- for (i = min; i < max; i++) +- { +- if (eptr >= md->end_subject || (md->ctypes[*eptr] & ctype_digit) == 0) +- break; +- eptr++; +- } +- break; - -- case OP_NOT_WHITESPACE: -- for (i = min; i < max; i++) -- { -- if (eptr >= md->end_subject || (md->ctypes[*eptr] & ctype_space) != 0) -- break; -- eptr++; -- } -- break; +- case OP_NOT_WHITESPACE: +- for (i = min; i < max; i++) +- { +- if (eptr >= md->end_subject || (md->ctypes[*eptr] & ctype_space) != 0) +- break; +- eptr++; +- } +- break; - -- case OP_WHITESPACE: -- for (i = min; i < max; i++) -- { -- if (eptr >= md->end_subject || (md->ctypes[*eptr] & ctype_space) == 0) -- break; -- eptr++; -- } -- break; +- case OP_WHITESPACE: +- for (i = min; i < max; i++) +- { +- if (eptr >= md->end_subject || (md->ctypes[*eptr] & ctype_space) == 0) +- break; +- eptr++; +- } +- break; - -- case OP_NOT_WORDCHAR: -- for (i = min; i < max; i++) -- { -- if (eptr >= md->end_subject || (md->ctypes[*eptr] & ctype_word) != 0) -- break; -- eptr++; -- } -- break; +- case OP_NOT_WORDCHAR: +- for (i = min; i < max; i++) +- { +- if (eptr >= md->end_subject || (md->ctypes[*eptr] & ctype_word) != 0) +- break; +- eptr++; +- } +- break; - -- case OP_WORDCHAR: -- for (i = min; i < max; i++) -- { -- if (eptr >= md->end_subject || (md->ctypes[*eptr] & ctype_word) == 0) -- break; -- eptr++; -- } -- break; -- } +- case OP_WORDCHAR: +- for (i = min; i < max; i++) +- { +- if (eptr >= md->end_subject || (md->ctypes[*eptr] & ctype_word) == 0) +- break; +- eptr++; +- } +- break; +- } - - while (eptr >= pp) -- { -- if (match(eptr--, ecode, offset_top, md, ims, eptrb, 0)) -- return TRUE; +- { +- if (match(eptr--, 
ecode, offset_top, md, ims, eptrb, 0)) +- return TRUE; -#ifdef SUPPORT_UTF8 -- if (md->utf8) -- while (eptr > pp && (*eptr & 0xc0) == 0x80) eptr--; +- if (md->utf8) +- while (eptr > pp && (*eptr & 0xc0) == 0x80) eptr--; -#endif -- } +- } - return FALSE; - } - /* Control never gets here */ @@ -2792,9 +2792,9 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - offsetcount the number of elements in the vector - -Returns: > 0 => success; value is the number of elements filled in -- = 0 => success, but offsets is not big enough -- -1 => failed to match -- < -1 => some kind of unexpected problem +- = 0 => success, but offsets is not big enough +- -1 => failed to match +- < -1 => some kind of unexpected problem -*/ - -int @@ -2905,7 +2905,7 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - else - if (!startline && extra != NULL && - (extra->options & PCRE_STUDY_MAPPED) != 0) -- start_bits = extra->start_bits; +- start_bits = extra->start_bits; - } - -/* For anchored or unanchored matches, there may be a "last known required @@ -2942,11 +2942,11 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - { - if ((ims & PCRE_CASELESS) != 0) - while (start_match < end_subject && -- match_block.lcc[*start_match] != first_char) -- start_match++; +- match_block.lcc[*start_match] != first_char) +- start_match++; - else - while (start_match < end_subject && *start_match != first_char) -- start_match++; +- start_match++; - } - - /* Or to just after \n for a multiline match if possible */ @@ -2956,7 +2956,7 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - if (start_match > match_block.start_subject + start_offset) - { - while (start_match < end_subject && start_match[-1] != NEWLINE) -- start_match++; +- start_match++; - } - } - 
@@ -3000,23 +3000,23 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - /* Do a single test if no case difference is set up */ - - if (req_char == req_char2) -- { -- while (p < end_subject) -- { -- if (*p++ == req_char) { p--; break; } -- } -- } +- { +- while (p < end_subject) +- { +- if (*p++ == req_char) { p--; break; } +- } +- } - - /* Otherwise test for either case */ - - else -- { -- while (p < end_subject) -- { -- register int pp = *p++; -- if (pp == req_char || pp == req_char2) { p--; break; } -- } -- } +- { +- while (p < end_subject) +- { +- register int pp = *p++; +- if (pp == req_char || pp == req_char2) { p--; break; } +- } +- } - - /* If we can't find the required character, break the matching loop */ - @@ -3048,7 +3048,7 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c - if (offsetcount >= 4) - { - memcpy(offsets + 2, match_block.offset_vector + 2, -- (offsetcount - 2) * sizeof(int)); +- (offsetcount - 2) * sizeof(int)); - DPRINTF(("Copied offsets from temporary memory\n")); - } - if (match_block.end_offset_top > offsetcount) @@ -3088,9 +3088,9 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c -} - -/* End of pcre.c */ -Index: linux-2.6/security/apparmor/match/pcre_exec.h +Index: b/security/apparmor/match/pcre_exec.h =================================================================== ---- linux-2.6.orig/security/apparmor/match/pcre_exec.h +--- a/security/apparmor/match/pcre_exec.h +++ /dev/null @@ -1,308 +0,0 @@ -/* 
@@ -3303,11 +3303,11 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.h - OP_BRAMINZERO, /* order. */ - - OP_BRANUMBER, /* Used for extracting brackets whose number is greater -- than can fit into an opcode. */ +- than can fit into an opcode. */ - - OP_BRA /* This and greater values are used for brackets that -- extract substrings up to a basic limit. After that, -- use is made of OP_BRANUMBER. */ +- extract substrings up to a basic limit. After that, +- use is made of OP_BRANUMBER. */ -}; - -/* The highest extraction number before we have to start using additional @@ -3401,9 +3401,9 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.h - -#endif // _PCRE_H - /* End of pcre.h */ -Index: linux-2.6/security/apparmor/match/pcre_tables.h +Index: b/security/apparmor/match/pcre_tables.h =================================================================== ---- linux-2.6.orig/security/apparmor/match/pcre_tables.h +--- a/security/apparmor/match/pcre_tables.h +++ /dev/null @@ -1,184 +0,0 @@ - @@ -3590,10 +3590,10 @@ Index: linux-2.6/security/apparmor/match/pcre_tables.h - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};/* 248-255 */ - -/* End of chartables.c */ -Index: linux-2.6/security/apparmor/module_interface.c +Index: b/security/apparmor/module_interface.c =================================================================== ---- linux-2.6.orig/security/apparmor/module_interface.c -+++ linux-2.6/security/apparmor/module_interface.c +--- a/security/apparmor/module_interface.c ++++ b/security/apparmor/module_interface.c @@ -14,7 +14,6 @@ #include "apparmor.h" #include "inline.h" 
@@ -3862,10 +3862,10 @@ Index: linux-2.6/security/apparmor/module_interface.c /* use free_aaprofile instead of put_aaprofile to destroy the * null_profile, because the null_profile use the same reference -Index: linux-2.6/security/apparmor/apparmorfs.c +Index: b/security/apparmor/apparmorfs.c =================================================================== ---- linux-2.6.orig/security/apparmor/apparmorfs.c -+++ linux-2.6/security/apparmor/apparmorfs.c +--- a/security/apparmor/apparmorfs.c ++++ b/security/apparmor/apparmorfs.c @@ -17,7 +17,6 @@ #include "apparmor.h" @@ -3874,10 +3874,10 @@ Index: linux-2.6/security/apparmor/apparmorfs.c #define SECFS_AA "apparmor" static struct dentry *aafs_dentry = NULL; -Index: linux-2.6/security/apparmor/match.c +Index: b/security/apparmor/match.c =================================================================== --- /dev/null -+++ linux-2.6/security/apparmor/match.c ++++ b/security/apparmor/match.c @@ -0,0 +1,274 @@ +/* + * Copyright (C) 2002-2005 Novell/SUSE @@ -4153,10 +4153,10 @@ Index: linux-2.6/security/apparmor/match.c + + return 0; +} -Index: linux-2.6/security/apparmor/match.h +Index: b/security/apparmor/match.h =================================================================== --- /dev/null -+++ linux-2.6/security/apparmor/match.h ++++ b/security/apparmor/match.h @@ -0,0 +1,80 @@ +/* + * Copyright (C) 2002-2005 Novell/SUSE diff --git a/kernel-patches/for-mainline/apparmor-vfsmnt.diff b/kernel-patches/for-mainline/apparmor-vfsmnt.diff index 3b470ce43..89eef57bc 100644 --- a/kernel-patches/for-mainline/apparmor-vfsmnt.diff +++ b/kernel-patches/for-mainline/apparmor-vfsmnt.diff @@ -1,7 +1,7 @@ -Index: linux-2.6/security/apparmor/apparmor.h +Index: b/security/apparmor/apparmor.h =================================================================== ---- linux-2.6.orig/security/apparmor/apparmor.h -+++ linux-2.6/security/apparmor/apparmor.h +--- a/security/apparmor/apparmor.h ++++ b/security/apparmor/apparmor.h 
@@ -188,16 +188,6 @@ struct subdomain { typedef int (*aa_iter) (struct subdomain *, void *); @@ -45,10 +45,10 @@ Index: linux-2.6/security/apparmor/apparmor.h extern int aa_fork(struct task_struct *p); extern int aa_register(struct linux_binprm *bprm); extern void aa_release(struct task_struct *p); -Index: linux-2.6/security/apparmor/inline.h +Index: b/security/apparmor/inline.h =================================================================== ---- linux-2.6.orig/security/apparmor/inline.h -+++ linux-2.6/security/apparmor/inline.h +--- a/security/apparmor/inline.h ++++ b/security/apparmor/inline.h @@ -10,7 +10,7 @@ #ifndef __INLINE_H #define __INLINE_H @@ -143,10 +143,10 @@ Index: linux-2.6/security/apparmor/inline.h -} - #endif /* __INLINE_H__ */ -Index: linux-2.6/security/apparmor/lsm.c +Index: b/security/apparmor/lsm.c =================================================================== ---- linux-2.6.orig/security/apparmor/lsm.c -+++ linux-2.6/security/apparmor/lsm.c +--- a/security/apparmor/lsm.c ++++ b/security/apparmor/lsm.c @@ -15,6 +15,8 @@ #include #include @@ -477,10 +477,10 @@ Index: linux-2.6/security/apparmor/lsm.c return error; } -Index: linux-2.6/security/apparmor/main.c +Index: b/security/apparmor/main.c =================================================================== ---- linux-2.6.orig/security/apparmor/main.c -+++ linux-2.6/security/apparmor/main.c +--- a/security/apparmor/main.c ++++ b/security/apparmor/main.c @@ -35,34 +35,6 @@ struct aaprofile *null_complain_profile; **************************/ @@ -595,8 +595,6 @@ Index: linux-2.6/security/apparmor/main.c - } - } while (name); + int permerror, error; -+ -+ sa->name = aa_get_name(dentry, mnt); - if ((path_error = aa_path_end(&data)) != 0) { - dentry_xlate_error(dentry, path_error, "dentry"); 
@@ -606,6 +604,8 @@ Index: linux-2.6/security/apparmor/main.c - } else if (name) { - if (failed_name) - aa_put_name(failed_name); ++ sa->name = aa_get_name(dentry, mnt); ++ + if (IS_ERR(sa->name)) { + permerror = PTR_ERR(sa->name); + sa->name = NULL; @@ -675,12 +675,12 @@ Index: linux-2.6/security/apparmor/main.c - permerror = _aa_perm_dentry(active, dentry, mask, &sa.name); - aa_permerror2result(permerror, &sa); -- ++ error = _aa_perm_vfsmount(active, dentry, mnt, &sa, mask); + - error = aa_audit(active, &sa); - - aa_put_name(sa.name); -+ error = _aa_perm_vfsmount(active, dentry, mnt, &sa, mask); - +- -out: return error; } @@ -806,10 +806,10 @@ Index: linux-2.6/security/apparmor/main.c - aa_permerror2result(permerror, &sa); - - error = aa_audit(active, &sa); +- +- aa_put_name(sa.name); + error = _aa_perm_vfsmount(active, dentry, mnt, &sa, MAY_WRITE); -- aa_put_name(sa.name); -- -out: return error; } @@ -822,7 +822,7 @@ Index: linux-2.6/security/apparmor/main.c struct aa_audit sa; sa.type = AA_AUDITTYPE_CAP; -@@ -1030,124 +867,42 @@ int aa_capability(struct aaprofile *acti +@@ -1030,122 +867,40 @@ int aa_capability(struct aaprofile *acti * @active: profile to check against * @link: dentry for link being created * @target: dentry for link target @@ -894,7 +894,9 @@ Index: linux-2.6/security/apparmor/main.c - if ((path_error = aa_path_end(&idata)) != 0) { - dentry_xlate_error(target, path_error, - "inner dentry [link]"); -- ++ sa.name = aa_get_name(link, link_mnt); ++ sa.pval = aa_get_name(target, target_mnt); + - /* name should not be set if error */ - WARN_ON(iname); - @@ -906,9 +908,7 @@ Index: linux-2.6/security/apparmor/main.c - aa_put_name(oname); - } - } while (oname && !match); -+ sa.name = aa_get_name(link, link_mnt); -+ sa.pval = aa_get_name(target, target_mnt); - +- - if (error_code != 0) { - /* inner error */ - (void)aa_path_end(&odata); 
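Review bot: In the aa_link hunk (`@@ -894,7 +894,9 @@`), the two new assignments `sa.name = aa_get_name(link, link_mnt);` and `sa.pval = aa_get_name(target, target_mnt);` show no error check in the visible lines. `_aa_perm_vfsmount`, earlier in the same patch, tests `IS_ERR(sa->name)` and sets the pointer to NULL before going on. The later hunk for this function (`@@ -963,8 +963,5 @@`) calls `aa_put_name(sa.name);` and `aa_put_name(sa.pval);` unconditionally. The lines in between fall outside these hunks, so it is worth confirming that both pointers get the same `IS_ERR` handling before they are matched or released. A short comment above the assignments would record that, for example `/* either name may be an ERR_PTR; both are checked before use and before aa_put_name() */`. As far as the hunks show, this commit only moves these lines within the patch and does not change the resulting code.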
@@ -963,8 +963,5 @@ Index: linux-2.6/security/apparmor/main.c + aa_put_name(sa.name); + aa_put_name(sa.pval); -- return error; -+ return error; + return error; } - - /******************************* diff --git a/kernel-patches/for-mainline/apparmor.diff b/kernel-patches/for-mainline/apparmor.diff index d3fef2888..7cc00d563 100644 --- a/kernel-patches/for-mainline/apparmor.diff +++ b/kernel-patches/for-mainline/apparmor.diff @@ -1,7 +1,7 @@ -Index: linux-2.6/security/apparmor/Kconfig +Index: b/security/apparmor/Kconfig =================================================================== --- /dev/null -+++ linux-2.6/security/apparmor/Kconfig ++++ b/security/apparmor/Kconfig @@ -0,0 +1,9 @@ +config SECURITY_APPARMOR + tristate "AppArmor support" @@ -12,10 +12,10 @@ Index: linux-2.6/security/apparmor/Kconfig + distribution) and further information may be found at + + If you are unsure how to answer this question, answer N. -Index: linux-2.6/security/apparmor/Makefile +Index: b/security/apparmor/Makefile =================================================================== --- /dev/null -+++ linux-2.6/security/apparmor/Makefile ++++ b/security/apparmor/Makefile @@ -0,0 +1,6 @@ +# Makefile for AppArmor Linux Security Module +# @@ -23,10 +23,10 @@ Index: linux-2.6/security/apparmor/Makefile + +apparmor-y := main.o list.o procattr.o lsm.o apparmorfs.o capabilities.o \ + module_interface.o -Index: linux-2.6/security/apparmor/apparmor.h +Index: b/security/apparmor/apparmor.h =================================================================== --- /dev/null -+++ linux-2.6/security/apparmor/apparmor.h ++++ b/security/apparmor/apparmor.h @@ -0,0 +1,338 @@ +/* + * Copyright (C) 1998-2005 Novell/SUSE 
@@ -63,8 +63,8 @@ Index: linux-2.6/security/apparmor/apparmor.h +#define INOTIFYFS_MAGIC 0xBAD1DEA + +#define VALID_FSTYPE(inode) ((inode)->i_sb->s_magic != PIPEFS_MAGIC && \ -+ (inode)->i_sb->s_magic != SOCKFS_MAGIC && \ -+ (inode)->i_sb->s_magic != INOTIFYFS_MAGIC) ++ (inode)->i_sb->s_magic != SOCKFS_MAGIC && \ ++ (inode)->i_sb->s_magic != INOTIFYFS_MAGIC) + +#define PROFILE_COMPLAIN(_profile) \ + (apparmor_complain == 1 || ((_profile) && (_profile)->flags.complain)) @@ -366,10 +366,10 @@ Index: linux-2.6/security/apparmor/apparmor.h +extern const char *capability_to_name(unsigned int cap); + +#endif /* __APPARMOR_H */ -Index: linux-2.6/security/apparmor/apparmorfs.c +Index: b/security/apparmor/apparmorfs.c =================================================================== --- /dev/null -+++ linux-2.6/security/apparmor/apparmorfs.c ++++ b/security/apparmor/apparmorfs.c @@ -0,0 +1,432 @@ +/* + * Copyright (C) 2005 Novell/SUSE @@ -803,10 +803,10 @@ Index: linux-2.6/security/apparmor/apparmorfs.c + if (AAFS_DENTRY) + clear_apparmorfs(); +} -Index: linux-2.6/security/apparmor/capabilities.c +Index: b/security/apparmor/capabilities.c =================================================================== --- /dev/null -+++ linux-2.6/security/apparmor/capabilities.c ++++ b/security/apparmor/capabilities.c @@ -0,0 +1,54 @@ +/* + * Copyright (C) 2005 Novell/SUSE @@ -862,10 +862,10 @@ Index: linux-2.6/security/apparmor/capabilities.c + + return name; +} -Index: linux-2.6/security/apparmor/inline.h +Index: b/security/apparmor/inline.h =================================================================== --- /dev/null -+++ linux-2.6/security/apparmor/inline.h ++++ b/security/apparmor/inline.h @@ -0,0 +1,335 @@ +/* + * Copyright (C) 2005 Novell/SUSE 
@@ -1202,10 +1202,10 @@ Index: linux-2.6/security/apparmor/inline.h +} + +#endif /* __INLINE_H__ */ -Index: linux-2.6/security/apparmor/list.c +Index: b/security/apparmor/list.c =================================================================== --- /dev/null -+++ linux-2.6/security/apparmor/list.c ++++ b/security/apparmor/list.c @@ -0,0 +1,268 @@ +/* + * Copyright (C) 1998-2005 Novell/SUSE @@ -1475,10 +1475,10 @@ Index: linux-2.6/security/apparmor/list.c + .stop = p_stop, + .show = seq_show_profile, +}; -Index: linux-2.6/security/apparmor/lsm.c +Index: b/security/apparmor/lsm.c =================================================================== --- /dev/null -+++ linux-2.6/security/apparmor/lsm.c ++++ b/security/apparmor/lsm.c @@ -0,0 +1,898 @@ +/* + * Copyright (C) 2002-2005 Novell/SUSE @@ -2378,10 +2378,10 @@ Index: linux-2.6/security/apparmor/lsm.c +MODULE_DESCRIPTION("AppArmor process confinement"); +MODULE_AUTHOR("Tony Jones "); +MODULE_LICENSE("GPL"); -Index: linux-2.6/security/apparmor/main.c +Index: b/security/apparmor/main.c =================================================================== --- /dev/null -+++ linux-2.6/security/apparmor/main.c ++++ b/security/apparmor/main.c @@ -0,0 +1,1687 @@ +/* + * Copyright (C) 2002-2005 Novell/SUSE @@ -4070,10 +4070,10 @@ Index: linux-2.6/security/apparmor/main.c +out: + return error; +} -Index: linux-2.6/security/apparmor/module_interface.c +Index: b/security/apparmor/module_interface.c =================================================================== --- /dev/null -+++ linux-2.6/security/apparmor/module_interface.c ++++ b/security/apparmor/module_interface.c @@ -0,0 +1,846 @@ +/* + * Copyright (C) 1998-2005 Novell/SUSE @@ -4921,10 +4921,10 @@ Index: linux-2.6/security/apparmor/module_interface.c + + kfree(profile); +} -Index: linux-2.6/security/apparmor/module_interface.h +Index: b/security/apparmor/module_interface.h =================================================================== 
--- /dev/null -+++ linux-2.6/security/apparmor/module_interface.h ++++ b/security/apparmor/module_interface.h @@ -0,0 +1,37 @@ +#ifndef __MODULEINTERFACE_H +#define __MODULEINTERFACE_H @@ -4963,10 +4963,10 @@ Index: linux-2.6/security/apparmor/module_interface.h +}; + +#endif /* __MODULEINTERFACE_H */ -Index: linux-2.6/security/apparmor/procattr.c +Index: b/security/apparmor/procattr.c =================================================================== --- /dev/null -+++ linux-2.6/security/apparmor/procattr.c ++++ b/security/apparmor/procattr.c @@ -0,0 +1,332 @@ +/* + * Copyright (C) 2005 Novell/SUSE @@ -5300,10 +5300,10 @@ Index: linux-2.6/security/apparmor/procattr.c + + return error; +} -Index: linux-2.6/security/apparmor/shared.h +Index: b/security/apparmor/shared.h =================================================================== --- /dev/null -+++ linux-2.6/security/apparmor/shared.h ++++ b/security/apparmor/shared.h @@ -0,0 +1,46 @@ +/* + * Copyright (C) 2000, 2001, 2004, 2005 Novell/SUSE @@ -5351,10 +5351,10 @@ Index: linux-2.6/security/apparmor/shared.h + AA_EXEC_PROFILE) + +#endif /* _SHARED_H */ -Index: linux-2.6/security/apparmor/match/Kbuild +Index: b/security/apparmor/match/Kbuild =================================================================== --- /dev/null -+++ linux-2.6/security/apparmor/match/Kbuild ++++ b/security/apparmor/match/Kbuild @@ -0,0 +1,6 @@ +# Makefile for AppArmor aamatch submodule +# @@ -5362,20 +5362,20 @@ Index: linux-2.6/security/apparmor/match/Kbuild +obj-$(CONFIG_SECURITY_APPARMOR) += aamatch_pcre.o + +aamatch_pcre-y := match_pcre.o pcre_exec.o -Index: linux-2.6/security/apparmor/match/Makefile +Index: b/security/apparmor/match/Makefile =================================================================== --- /dev/null -+++ linux-2.6/security/apparmor/match/Makefile ++++ b/security/apparmor/match/Makefile 
@@ -0,0 +1,5 @@ +# Makefile for AppArmor aamatch submodule +# +obj-$(CONFIG_SECURITY_APPARMOR) += aamatch_pcre.o + +aamatch_pcre-y := match_pcre.o pcre_exec.o -Index: linux-2.6/security/apparmor/match/match.h +Index: b/security/apparmor/match/match.h =================================================================== --- /dev/null -+++ linux-2.6/security/apparmor/match/match.h ++++ b/security/apparmor/match/match.h @@ -0,0 +1,132 @@ +/* + * Copyright (C) 2002-2005 Novell/SUSE @@ -5509,10 +5509,10 @@ Index: linux-2.6/security/apparmor/match/match.h +} + +#endif /* __MATCH_H */ -Index: linux-2.6/security/apparmor/match/match_default.c +Index: b/security/apparmor/match/match_default.c =================================================================== --- /dev/null -+++ linux-2.6/security/apparmor/match/match_default.c ++++ b/security/apparmor/match/match_default.c @@ -0,0 +1,57 @@ +/* + * Copyright (C) 2002-2005 Novell/SUSE @@ -5571,10 +5571,10 @@ Index: linux-2.6/security/apparmor/match/match_default.c +MODULE_DESCRIPTION("AppArmor match module (aamatch) [default]"); +MODULE_AUTHOR("Tony Jones "); +MODULE_LICENSE("GPL"); -Index: linux-2.6/security/apparmor/match/match_pcre.c +Index: b/security/apparmor/match/match_pcre.c =================================================================== --- /dev/null -+++ linux-2.6/security/apparmor/match/match_pcre.c ++++ b/security/apparmor/match/match_pcre.c @@ -0,0 +1,169 @@ +/* + * Copyright (C) 2002-2005 Novell/SUSE 
@@ -5720,20 +5720,20 @@ Index: linux-2.6/security/apparmor/match/match_pcre.c + struct aamatch_entry *ed = + (struct aamatch_entry *) entry_extradata; + -+ pcreret = pcre_exec(ed->compiled, NULL, ++ pcreret = pcre_exec(ed->compiled, NULL, + pathname, strlen(pathname), + 0, 0, NULL, 0); + -+ ret = (pcreret >= 0); ++ ret = (pcreret >= 0); + + // XXX - this needs access to subdomain_debug, hmmm -+ //AA_DEBUG("%s(%d): %s %s %d\n", __FUNCTION__, ++ //AA_DEBUG("%s(%d): %s %s %d\n", __FUNCTION__, + // ret, pathname, ed->pattern, pcreret); + } else { + ret = aamatch_match_common(pathname, entry_name, entry_type); + } + -+ return ret; ++ return ret; +} + +EXPORT_SYMBOL_GPL(aamatch_alloc); @@ -5745,10 +5745,10 @@ Index: linux-2.6/security/apparmor/match/match_pcre.c +MODULE_DESCRIPTION("AppArmor aa_match module [pcre]"); +MODULE_AUTHOR("Tony Jones "); +MODULE_LICENSE("GPL"); -Index: linux-2.6/security/apparmor/match/pcre_exec.c +Index: b/security/apparmor/match/pcre_exec.c =================================================================== --- /dev/null -+++ linux-2.6/security/apparmor/match/pcre_exec.c ++++ b/security/apparmor/match/pcre_exec.c @@ -0,0 +1,1945 @@ +/* + * This is a modified version of pcre.c containing only the code/data @@ -5767,7 +5767,7 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c + +Written by: Philip Hazel + -+ Copyright (c) 1997-2001 University of Cambridge ++ Copyright (c) 1997-2001 University of Cambridge + +----------------------------------------------------------------------------- +Permission is granted to anyone to use this software for any purpose on any 
@@ -5980,10 +5980,10 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c + md pointer to "static" info for the match + ims current /i, /m, and /s options + eptrb pointer to chain of blocks containing eptr at start of -+ brackets - for testing for empty matches ++ brackets - for testing for empty matches + flags can contain -+ match_condassert - this is an assertion condition -+ match_isgroup - this is the start of a bracketed group ++ match_condassert - this is an assertion condition ++ match_isgroup - this is the start of a bracketed group + +Returns: TRUE if matched +*/ @@ -6059,11 +6059,11 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c + md->offset_vector[md->offset_end - number] = eptr - md->start_subject; + + do -+ { -+ if (match(eptr, ecode+3, offset_top, md, ims, eptrb, match_isgroup)) -+ return TRUE; -+ ecode += (ecode[1] << 8) + ecode[2]; -+ } ++ { ++ if (match(eptr, ecode+3, offset_top, md, ims, eptrb, match_isgroup)) ++ return TRUE; ++ ecode += (ecode[1] << 8) + ecode[2]; ++ } + while (*ecode == OP_ALT); + + DPRINTF(("bracket %d failed\n", number)); @@ -6089,7 +6089,7 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c + do + { + if (match(eptr, ecode+3, offset_top, md, ims, eptrb, match_isgroup)) -+ return TRUE; ++ return TRUE; + ecode += (ecode[1] << 8) + ecode[2]; + } + while (*ecode == OP_ALT); @@ -6106,9 +6106,9 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c + { + int offset = (ecode[4] << 9) | (ecode[5] << 1); /* Doubled ref number */ + return match(eptr, -+ ecode + ((offset < offset_top && md->offset_vector[offset] >= 0)? -+ 6 : 3 + (ecode[1] << 8) + ecode[2]), -+ offset_top, md, ims, eptrb, match_isgroup); ++ ecode + ((offset < offset_top && md->offset_vector[offset] >= 0)? ++ 6 : 3 + (ecode[1] << 8) + ecode[2]), ++ offset_top, md, ims, eptrb, match_isgroup); + } + + /* The condition is an assertion. Call match() to evaluate it - setting 
@@ -6117,11 +6117,11 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c + else + { + if (match(eptr, ecode+3, offset_top, md, ims, NULL, -+ match_condassert | match_isgroup)) -+ { -+ ecode += 3 + (ecode[4] << 8) + ecode[5]; -+ while (*ecode == OP_ALT) ecode += (ecode[1] << 8) + ecode[2]; -+ } ++ match_condassert | match_isgroup)) ++ { ++ ecode += 3 + (ecode[4] << 8) + ecode[5]; ++ while (*ecode == OP_ALT) ecode += (ecode[1] << 8) + ecode[2]; ++ } + else ecode += (ecode[1] << 8) + ecode[2]; + return match(eptr, ecode+3, offset_top, md, ims, eptrb, match_isgroup); + } @@ -6187,7 +6187,7 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c + do + { + if (match(eptr, ecode+3, offset_top, md, ims, NULL, match_isgroup)) -+ return FALSE; ++ return FALSE; + ecode += (ecode[1] << 8) + ecode[2]; + } + while (*ecode == OP_ALT); @@ -6239,21 +6239,21 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c + c = md->offset_max; + + if (c < 16) save = stacksave; else -+ { -+ save = (int *)(pcre_malloc)((c+1) * sizeof(int)); -+ if (save == NULL) -+ { -+ save = stacksave; -+ c = 15; -+ } -+ } ++ { ++ save = (int *)(pcre_malloc)((c+1) * sizeof(int)); ++ if (save == NULL) ++ { ++ save = stacksave; ++ c = 15; ++ } ++ } + + for (i = 1; i <= c; i++) -+ save[i] = md->offset_vector[md->offset_end - i]; ++ save[i] = md->offset_vector[md->offset_end - i]; + rc = match(eptr, md->start_pattern, offset_top, md, ims, eptrb, -+ match_isgroup); ++ match_isgroup); + for (i = 1; i <= c; i++) -+ md->offset_vector[md->offset_end - i] = save[i]; ++ md->offset_vector[md->offset_end - i] = save[i]; + if (save != stacksave) (pcre_free)(save); + if (!rc) return FALSE; + 
@@ -6280,11 +6280,11 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c + const uschar *saved_eptr = eptr; + + do -+ { -+ if (match(eptr, ecode+3, offset_top, md, ims, eptrb, match_isgroup)) -+ break; -+ ecode += (ecode[1] << 8) + ecode[2]; -+ } ++ { ++ if (match(eptr, ecode+3, offset_top, md, ims, eptrb, match_isgroup)) ++ break; ++ ecode += (ecode[1] << 8) + ecode[2]; ++ } + while (*ecode == OP_ALT); + + /* If hit the end of the group (which could be repeated), fail */ @@ -6306,10 +6306,10 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c + course of events. */ + + if (*ecode == OP_KET || eptr == saved_eptr) -+ { -+ ecode += 3; -+ break; -+ } ++ { ++ ecode += 3; ++ break; ++ } + + /* The repeating kets try the rest of the pattern or restart from the + preceding bracket, in the appropriate order. We need to reset any options @@ -6317,22 +6317,22 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c + opcode. */ + + if (ecode[3] == OP_OPT) -+ { -+ ims = (ims & ~PCRE_IMS) | ecode[4]; -+ DPRINTF(("ims set to %02lx at group repeat\n", ims)); -+ } ++ { ++ ims = (ims & ~PCRE_IMS) | ecode[4]; ++ DPRINTF(("ims set to %02lx at group repeat\n", ims)); ++ } + + if (*ecode == OP_KETRMIN) -+ { -+ if (match(eptr, ecode+3, offset_top, md, ims, eptrb, 0) || -+ match(eptr, prev, offset_top, md, ims, eptrb, match_isgroup)) -+ return TRUE; -+ } ++ { ++ if (match(eptr, ecode+3, offset_top, md, ims, eptrb, 0) || ++ match(eptr, prev, offset_top, md, ims, eptrb, match_isgroup)) ++ return TRUE; ++ } + else /* OP_KETRMAX */ -+ { -+ if (match(eptr, prev, offset_top, md, ims, eptrb, match_isgroup) || -+ match(eptr, ecode+3, offset_top, md, ims, eptrb, 0)) return TRUE; -+ } ++ { ++ if (match(eptr, prev, offset_top, md, ims, eptrb, match_isgroup) || ++ match(eptr, ecode+3, offset_top, md, ims, eptrb, 0)) return TRUE; ++ } + } + return FALSE; + 
@@ -6353,7 +6353,7 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c + { + const uschar *next = ecode+1; + if (match(eptr, next, offset_top, md, ims, eptrb, match_isgroup)) -+ return TRUE; ++ return TRUE; + do next += (next[1] << 8) + next[2]; while (*next == OP_ALT); + ecode = next + 3; + } @@ -6364,7 +6364,7 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c + const uschar *next = ecode+1; + do next += (next[1] << 8) + next[2]; while (*next == OP_ALT); + if (match(eptr, next+3, offset_top, md, ims, eptrb, match_isgroup)) -+ return TRUE; ++ return TRUE; + ecode++; + } + break; 
@@ -6384,45 +6384,45 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c + eptrb = eptrb->prev; /* Back up the stack of bracket start pointers */ + + if (*prev == OP_ASSERT || *prev == OP_ASSERT_NOT || -+ *prev == OP_ASSERTBACK || *prev == OP_ASSERTBACK_NOT || -+ *prev == OP_ONCE) -+ { -+ md->end_match_ptr = eptr; /* For ONCE */ -+ md->end_offset_top = offset_top; -+ return TRUE; -+ } ++ *prev == OP_ASSERTBACK || *prev == OP_ASSERTBACK_NOT || ++ *prev == OP_ONCE) ++ { ++ md->end_match_ptr = eptr; /* For ONCE */ ++ md->end_offset_top = offset_top; ++ return TRUE; ++ } + + /* In all other cases except a conditional group we have to check the + group number back at the start and if necessary complete handling an + extraction by setting the offsets and bumping the high water mark. */ + + if (*prev != OP_COND) -+ { -+ int offset; -+ int number = *prev - OP_BRA; ++ { ++ int offset; ++ int number = *prev - OP_BRA; + -+ /* For extended extraction brackets (large number), we have to fish out -+ the number from a dummy opcode at the start. */ ++ /* For extended extraction brackets (large number), we have to fish out ++ the number from a dummy opcode at the start. 
*/ + -+ if (number > EXTRACT_BASIC_MAX) number = (prev[4] << 8) | prev[5]; -+ offset = number << 1; ++ if (number > EXTRACT_BASIC_MAX) number = (prev[4] << 8) | prev[5]; ++ offset = number << 1; + +#ifdef DEBUG -+ PCRE_PRINTF("end bracket %d", number); -+ PCRE_PRINTF("\n"); ++ PCRE_PRINTF("end bracket %d", number); ++ PCRE_PRINTF("\n"); +#endif + -+ if (number > 0) -+ { -+ if (offset >= md->offset_max) md->offset_overflow = TRUE; else -+ { -+ md->offset_vector[offset] = -+ md->offset_vector[md->offset_end - number]; -+ md->offset_vector[offset+1] = eptr - md->start_subject; -+ if (offset_top <= offset) offset_top = offset + 2; -+ } -+ } -+ } ++ if (number > 0) ++ { ++ if (offset >= md->offset_max) md->offset_overflow = TRUE; else ++ { ++ md->offset_vector[offset] = ++ md->offset_vector[md->offset_end - number]; ++ md->offset_vector[offset+1] = eptr - md->start_subject; ++ if (offset_top <= offset) offset_top = offset + 2; ++ } ++ } ++ } + + /* Reset the value of the ims flags, in case they got changed during + the group. */ 
@@ -6437,25 +6437,25 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c + course of events. */ + + if (*ecode == OP_KET || eptr == saved_eptr) -+ { -+ ecode += 3; -+ break; -+ } ++ { ++ ecode += 3; ++ break; ++ } + + /* The repeating kets try the rest of the pattern or restart from the + preceding bracket, in the appropriate order. */ + + if (*ecode == OP_KETRMIN) -+ { -+ if (match(eptr, ecode+3, offset_top, md, ims, eptrb, 0) || -+ match(eptr, prev, offset_top, md, ims, eptrb, match_isgroup)) -+ return TRUE; -+ } ++ { ++ if (match(eptr, ecode+3, offset_top, md, ims, eptrb, 0) || ++ match(eptr, prev, offset_top, md, ims, eptrb, match_isgroup)) ++ return TRUE; ++ } + else /* OP_KETRMAX */ -+ { -+ if (match(eptr, prev, offset_top, md, ims, eptrb, match_isgroup) || -+ match(eptr, ecode+3, offset_top, md, ims, eptrb, 0)) return TRUE; -+ } ++ { ++ if (match(eptr, prev, offset_top, md, ims, eptrb, match_isgroup) || ++ match(eptr, ecode+3, offset_top, md, ims, eptrb, 0)) return TRUE; ++ } + } + return FALSE; + @@ -6485,7 +6485,7 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c + if ((ims & PCRE_MULTILINE) != 0) + { + if (eptr < md->end_subject) { if (*eptr != NEWLINE) return FALSE; } -+ else { if (md->noteol) return FALSE; } ++ else { if (md->noteol) return FALSE; } + ecode++; + break; + } @@ -6493,13 +6493,13 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c + { + if (md->noteol) return FALSE; + if (!md->endonly) -+ { -+ if (eptr < md->end_subject - 1 || -+ (eptr == md->end_subject - 1 && *eptr != NEWLINE)) return FALSE; ++ { ++ if (eptr < md->end_subject - 1 || ++ (eptr == md->end_subject - 1 && *eptr != NEWLINE)) return FALSE; + -+ ecode++; -+ break; -+ } ++ ecode++; ++ break; ++ } + } + /* ... else fall through */ + 
@@ -6524,12 +6524,12 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c + case OP_WORD_BOUNDARY: + { + BOOL prev_is_word = (eptr != md->start_subject) && -+ ((md->ctypes[eptr[-1]] & ctype_word) != 0); ++ ((md->ctypes[eptr[-1]] & ctype_word) != 0); + BOOL cur_is_word = (eptr < md->end_subject) && -+ ((md->ctypes[*eptr] & ctype_word) != 0); ++ ((md->ctypes[*eptr] & ctype_word) != 0); + if ((*ecode++ == OP_WORD_BOUNDARY)? -+ cur_is_word == prev_is_word : cur_is_word != prev_is_word) -+ return FALSE; ++ cur_is_word == prev_is_word : cur_is_word != prev_is_word) ++ return FALSE; + } + break; + 
@@ -6608,40 +6608,40 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c + minima. */ + + length = (offset >= offset_top || md->offset_vector[offset] < 0)? -+ md->end_subject - eptr + 1 : -+ md->offset_vector[offset+1] - md->offset_vector[offset]; ++ md->end_subject - eptr + 1 : ++ md->offset_vector[offset+1] - md->offset_vector[offset]; + + /* Set up for repetition, or handle the non-repeated case */ + + switch (*ecode) -+ { -+ case OP_CRSTAR: -+ case OP_CRMINSTAR: -+ case OP_CRPLUS: -+ case OP_CRMINPLUS: -+ case OP_CRQUERY: -+ case OP_CRMINQUERY: -+ c = *ecode++ - OP_CRSTAR; -+ minimize = (c & 1) != 0; -+ min = rep_min[c]; /* Pick up values from tables; */ -+ max = rep_max[c]; /* zero for max => infinity */ -+ if (max == 0) max = INT_MAX; -+ break; ++ { ++ case OP_CRSTAR: ++ case OP_CRMINSTAR: ++ case OP_CRPLUS: ++ case OP_CRMINPLUS: ++ case OP_CRQUERY: ++ case OP_CRMINQUERY: ++ c = *ecode++ - OP_CRSTAR; ++ minimize = (c & 1) != 0; ++ min = rep_min[c]; /* Pick up values from tables; */ ++ max = rep_max[c]; /* zero for max => infinity */ ++ if (max == 0) max = INT_MAX; ++ break; + -+ case OP_CRRANGE: -+ case OP_CRMINRANGE: -+ minimize = (*ecode == OP_CRMINRANGE); -+ min = (ecode[1] << 8) + ecode[2]; -+ max = (ecode[3] << 8) + ecode[4]; -+ if (max == 0) max = INT_MAX; -+ ecode += 5; -+ break; ++ case OP_CRRANGE: ++ case OP_CRMINRANGE: ++ minimize = (*ecode == OP_CRMINRANGE); ++ min = (ecode[1] << 8) + ecode[2]; ++ max = (ecode[3] << 8) + ecode[4]; ++ if (max == 0) max = INT_MAX; ++ ecode += 5; ++ break; + -+ default: /* No repeat follows */ -+ if (!match_ref(offset, eptr, length, md, ims)) return FALSE; -+ eptr += length; -+ continue; /* With the main loop */ -+ } ++ default: /* No repeat follows */ ++ if (!match_ref(offset, eptr, length, md, ims)) return FALSE; ++ eptr += length; ++ continue; /* With the main loop */ ++ } + + /* If the length of the reference is zero, just continue with the + main loop. */ 
@@ -6653,10 +6653,10 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c + address of eptr, so that eptr can be a register variable. */ + + for (i = 1; i <= min; i++) -+ { -+ if (!match_ref(offset, eptr, length, md, ims)) return FALSE; -+ eptr += length; -+ } ++ { ++ if (!match_ref(offset, eptr, length, md, ims)) return FALSE; ++ eptr += length; ++ } + + /* If min = max, continue at the same level without recursion. + They are not both allowed to be zero. */ @@ -6666,36 +6666,36 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c + /* If minimizing, keep trying and advancing the pointer */ + + if (minimize) -+ { -+ for (i = min;; i++) -+ { -+ if (match(eptr, ecode, offset_top, md, ims, eptrb, 0)) -+ return TRUE; -+ if (i >= max || !match_ref(offset, eptr, length, md, ims)) -+ return FALSE; -+ eptr += length; -+ } -+ /* Control never gets here */ -+ } ++ { ++ for (i = min;; i++) ++ { ++ if (match(eptr, ecode, offset_top, md, ims, eptrb, 0)) ++ return TRUE; ++ if (i >= max || !match_ref(offset, eptr, length, md, ims)) ++ return FALSE; ++ eptr += length; ++ } ++ /* Control never gets here */ ++ } + + /* If maximizing, find the longest string and work backwards */ + + else -+ { -+ const uschar *pp = eptr; -+ for (i = min; i < max; i++) -+ { -+ if (!match_ref(offset, eptr, length, md, ims)) break; -+ eptr += length; -+ } -+ while (eptr >= pp) -+ { -+ if (match(eptr, ecode, offset_top, md, ims, eptrb, 0)) -+ return TRUE; -+ eptr -= length; -+ } -+ return FALSE; -+ } ++ { ++ const uschar *pp = eptr; ++ for (i = min; i < max; i++) ++ { ++ if (!match_ref(offset, eptr, length, md, ims)) break; ++ eptr += length; ++ } ++ while (eptr >= pp) ++ { ++ if (match(eptr, ecode, offset_top, md, ims, eptrb, 0)) ++ return TRUE; ++ eptr -= length; ++ } ++ return FALSE; ++ } + } + /* Control never gets here */ + 
@@ -6711,49 +6711,49 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c + ecode += 33; /* Advance past the item */ + + switch (*ecode) -+ { -+ case OP_CRSTAR: -+ case OP_CRMINSTAR: -+ case OP_CRPLUS: -+ case OP_CRMINPLUS: -+ case OP_CRQUERY: -+ case OP_CRMINQUERY: -+ c = *ecode++ - OP_CRSTAR; -+ minimize = (c & 1) != 0; -+ min = rep_min[c]; /* Pick up values from tables; */ -+ max = rep_max[c]; /* zero for max => infinity */ -+ if (max == 0) max = INT_MAX; -+ break; ++ { ++ case OP_CRSTAR: ++ case OP_CRMINSTAR: ++ case OP_CRPLUS: ++ case OP_CRMINPLUS: ++ case OP_CRQUERY: ++ case OP_CRMINQUERY: ++ c = *ecode++ - OP_CRSTAR; ++ minimize = (c & 1) != 0; ++ min = rep_min[c]; /* Pick up values from tables; */ ++ max = rep_max[c]; /* zero for max => infinity */ ++ if (max == 0) max = INT_MAX; ++ break; + -+ case OP_CRRANGE: -+ case OP_CRMINRANGE: -+ minimize = (*ecode == OP_CRMINRANGE); -+ min = (ecode[1] << 8) + ecode[2]; -+ max = (ecode[3] << 8) + ecode[4]; -+ if (max == 0) max = INT_MAX; -+ ecode += 5; -+ break; ++ case OP_CRRANGE: ++ case OP_CRMINRANGE: ++ minimize = (*ecode == OP_CRMINRANGE); ++ min = (ecode[1] << 8) + ecode[2]; ++ max = (ecode[3] << 8) + ecode[4]; ++ if (max == 0) max = INT_MAX; ++ ecode += 5; ++ break; + -+ default: /* No repeat follows */ -+ min = max = 1; -+ break; -+ } ++ default: /* No repeat follows */ ++ min = max = 1; ++ break; ++ } + + /* First, ensure the minimum number of matches are present. 
*/ + + for (i = 1; i <= min; i++) -+ { -+ if (eptr >= md->end_subject) return FALSE; -+ GETCHARINC(c, eptr) /* Get character; increment eptr */ ++ { ++ if (eptr >= md->end_subject) return FALSE; ++ GETCHARINC(c, eptr) /* Get character; increment eptr */ + +#ifdef SUPPORT_UTF8 -+ /* We do not yet support class members > 255 */ -+ if (c > 255) return FALSE; ++ /* We do not yet support class members > 255 */ ++ if (c > 255) return FALSE; +#endif + -+ if ((data[c/8] & (1 << (c&7))) != 0) continue; -+ return FALSE; -+ } ++ if ((data[c/8] & (1 << (c&7))) != 0) continue; ++ return FALSE; ++ } + + /* If max == min we can continue with the main loop without the + need to recurse. */ 
@@ -6764,54 +6764,54 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c + the pointer while it matches the class. */ + + if (minimize) -+ { -+ for (i = min;; i++) -+ { -+ if (match(eptr, ecode, offset_top, md, ims, eptrb, 0)) -+ return TRUE; -+ if (i >= max || eptr >= md->end_subject) return FALSE; -+ GETCHARINC(c, eptr) /* Get character; increment eptr */ ++ { ++ for (i = min;; i++) ++ { ++ if (match(eptr, ecode, offset_top, md, ims, eptrb, 0)) ++ return TRUE; ++ if (i >= max || eptr >= md->end_subject) return FALSE; ++ GETCHARINC(c, eptr) /* Get character; increment eptr */ + +#ifdef SUPPORT_UTF8 -+ /* We do not yet support class members > 255 */ -+ if (c > 255) return FALSE; ++ /* We do not yet support class members > 255 */ ++ if (c > 255) return FALSE; +#endif -+ if ((data[c/8] & (1 << (c&7))) != 0) continue; -+ return FALSE; -+ } -+ /* Control never gets here */ -+ } ++ if ((data[c/8] & (1 << (c&7))) != 0) continue; ++ return FALSE; ++ } ++ /* Control never gets here */ ++ } + + /* If maximizing, find the longest possible run, then work backwards. 
*/ + + else -+ { -+ const uschar *pp = eptr; -+ int len = 1; -+ for (i = min; i < max; i++) -+ { -+ if (eptr >= md->end_subject) break; -+ GETCHARLEN(c, eptr, len) /* Get character, set length if UTF-8 */ ++ { ++ const uschar *pp = eptr; ++ int len = 1; ++ for (i = min; i < max; i++) ++ { ++ if (eptr >= md->end_subject) break; ++ GETCHARLEN(c, eptr, len) /* Get character, set length if UTF-8 */ + +#ifdef SUPPORT_UTF8 -+ /* We do not yet support class members > 255 */ -+ if (c > 255) break; ++ /* We do not yet support class members > 255 */ ++ if (c > 255) break; +#endif -+ if ((data[c/8] & (1 << (c&7))) == 0) break; -+ eptr += len; -+ } ++ if ((data[c/8] & (1 << (c&7))) == 0) break; ++ eptr += len; ++ } + -+ while (eptr >= pp) -+ { -+ if (match(eptr--, ecode, offset_top, md, ims, eptrb, 0)) -+ return TRUE; ++ while (eptr >= pp) ++ { ++ if (match(eptr--, ecode, offset_top, md, ims, eptrb, 0)) ++ return TRUE; + +#ifdef SUPPORT_UTF8 -+ BACKCHAR(eptr) ++ BACKCHAR(eptr) +#endif -+ } -+ return FALSE; -+ } ++ } ++ return FALSE; ++ } + } + /* Control never gets here */ + 
@@ -6824,28 +6824,28 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c
 +
 +#ifdef DEBUG /* Sigh. Some compilers never learn. */
 + if (eptr >= md->end_subject)
-+ PCRE_PRINTF("matching subject against pattern ");
++ PCRE_PRINTF("matching subject against pattern ");
 + else
-+ {
-+ PCRE_PRINTF("matching subject ");
-+ pchars(eptr, length, TRUE, md);
-+ PCRE_PRINTF(" against pattern ");
-+ }
++ {
++ PCRE_PRINTF("matching subject ");
++ pchars(eptr, length, TRUE, md);
++ PCRE_PRINTF(" against pattern ");
++ }
 + pchars(ecode, length, FALSE, md);
 + PCRE_PRINTF("\n");
 +#endif
 +
 + if (length > md->end_subject - eptr) return FALSE;
 + if ((ims & PCRE_CASELESS) != 0)
-+ {
-+ while (length-- > 0)
-+ if (md->lcc[*ecode++] != md->lcc[*eptr++])
-+ return FALSE;
-+ }
++ {
++ while (length-- > 0)
++ if (md->lcc[*ecode++] != md->lcc[*eptr++])
++ return FALSE;
++ }
 + else
-+ {
-+ while (length-- > 0) if (*ecode++ != *eptr++) return FALSE;
-+ }
++ {
++ while (length-- > 0) if (*ecode++ != *eptr++) return FALSE;
++ }
 + }
 + break;
 +
@@ -6899,33 +6899,33 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c
 + {
 + c = md->lcc[c];
 + for (i = 1; i <= min; i++)
-+ if (c != md->lcc[*eptr++]) return FALSE;
++ if (c != md->lcc[*eptr++]) return FALSE;
 + if (min == max) continue;
 + if (minimize)
-+ {
-+ for (i = min;; i++)
-+ {
-+ if (match(eptr, ecode, offset_top, md, ims, eptrb, 0))
-+ return TRUE;
-+ if (i >= max || eptr >= md->end_subject ||
-+ c != md->lcc[*eptr++])
-+ return FALSE;
-+ }
-+ /* Control never gets here */
-+ }
++ {
++ for (i = min;; i++)
++ {
++ if (match(eptr, ecode, offset_top, md, ims, eptrb, 0))
++ return TRUE;
++ if (i >= max || eptr >= md->end_subject ||
++ c != md->lcc[*eptr++])
++ return FALSE;
++ }
++ /* Control never gets here */
++ }
 + else
-+ {
-+ const uschar *pp = eptr;
-+ for (i = min; i < max; i++)
-+ {
-+ if (eptr >= md->end_subject || c != md->lcc[*eptr]) break;
-+ eptr++;
-+ }
-+ while (eptr >= pp)
-+ if (match(eptr--, ecode, offset_top, md, ims, eptrb, 0))
-+ return TRUE;
-+ return FALSE;
-+ }
++ {
++ const uschar *pp = eptr;
++ for (i = min; i < max; i++)
++ {
++ if (eptr >= md->end_subject || c != md->lcc[*eptr]) break;
++ eptr++;
++ }
++ while (eptr >= pp)
++ if (match(eptr--, ecode, offset_top, md, ims, eptrb, 0))
++ return TRUE;
++ return FALSE;
++ }
 + /* Control never gets here */
 + }
 +
@@ -6936,28 +6936,28 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c
 + for (i = 1; i <= min; i++) if (c != *eptr++) return FALSE;
 + if (min == max) continue;
 + if (minimize)
-+ {
-+ for (i = min;; i++)
-+ {
-+ if (match(eptr, ecode, offset_top, md, ims, eptrb, 0))
-+ return TRUE;
-+ if (i >= max || eptr >= md->end_subject || c != *eptr++) return FALSE;
-+ }
-+ /* Control never gets here */
-+ }
++ {
++ for (i = min;; i++)
++ {
++ if (match(eptr, ecode, offset_top, md, ims, eptrb, 0))
++ return TRUE;
++ if (i >= max || eptr >= md->end_subject || c != *eptr++) return FALSE;
++ }
++ /* Control never gets here */
++ }
 + else
-+ {
-+ const uschar *pp = eptr;
-+ for (i = min; i < max; i++)
-+ {
-+ if (eptr >= md->end_subject || c != *eptr) break;
-+ eptr++;
-+ }
-+ while (eptr >= pp)
-+ if (match(eptr--, ecode, offset_top, md, ims, eptrb, 0))
-+ return TRUE;
-+ return FALSE;
-+ }
++ {
++ const uschar *pp = eptr;
++ for (i = min; i < max; i++)
++ {
++ if (eptr >= md->end_subject || c != *eptr) break;
++ eptr++;
++ }
++ while (eptr >= pp)
++ if (match(eptr--, ecode, offset_top, md, ims, eptrb, 0))
++ return TRUE;
++ return FALSE;
++ }
 + }
 + /* Control never gets here */
 +
@@ -7030,33 +7030,33 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c
 + {
 + c = md->lcc[c];
 + for (i = 1; i <= min; i++)
-+ if (c == md->lcc[*eptr++]) return FALSE;
++ if (c == md->lcc[*eptr++]) return FALSE;
 + if (min == max) continue;
 + if (minimize)
-+ {
-+ for (i = min;; i++)
-+ {
-+ if (match(eptr, ecode, offset_top, md, ims, eptrb, 0))
-+ return TRUE;
-+ if (i >= max || eptr >= md->end_subject ||
-+ c == md->lcc[*eptr++])
-+ return FALSE;
-+ }
-+ /* Control never gets here */
-+ }
++ {
++ for (i = min;; i++)
++ {
++ if (match(eptr, ecode, offset_top, md, ims, eptrb, 0))
++ return TRUE;
++ if (i >= max || eptr >= md->end_subject ||
++ c == md->lcc[*eptr++])
++ return FALSE;
++ }
++ /* Control never gets here */
++ }
 + else
-+ {
-+ const uschar *pp = eptr;
-+ for (i = min; i < max; i++)
-+ {
-+ if (eptr >= md->end_subject || c == md->lcc[*eptr]) break;
-+ eptr++;
-+ }
-+ while (eptr >= pp)
-+ if (match(eptr--, ecode, offset_top, md, ims, eptrb, 0))
-+ return TRUE;
-+ return FALSE;
-+ }
++ {
++ const uschar *pp = eptr;
++ for (i = min; i < max; i++)
++ {
++ if (eptr >= md->end_subject || c == md->lcc[*eptr]) break;
++ eptr++;
++ }
++ while (eptr >= pp)
++ if (match(eptr--, ecode, offset_top, md, ims, eptrb, 0))
++ return TRUE;
++ return FALSE;
++ }
 + /* Control never gets here */
 + }
 +
@@ -7067,28 +7067,28 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c
 + for (i = 1; i <= min; i++) if (c == *eptr++) return FALSE;
 + if (min == max) continue;
 + if (minimize)
-+ {
-+ for (i = min;; i++)
-+ {
-+ if (match(eptr, ecode, offset_top, md, ims, eptrb, 0))
-+ return TRUE;
-+ if (i >= max || eptr >= md->end_subject || c == *eptr++) return FALSE;
-+ }
-+ /* Control never gets here */
-+ }
++ {
++ for (i = min;; i++)
++ {
++ if (match(eptr, ecode, offset_top, md, ims, eptrb, 0))
++ return TRUE;
++ if (i >= max || eptr >= md->end_subject || c == *eptr++) return FALSE;
++ }
++ /* Control never gets here */
++ }
 + else
-+ {
-+ const uschar *pp = eptr;
-+ for (i = min; i < max; i++)
-+ {
-+ if (eptr >= md->end_subject || c == *eptr) break;
-+ eptr++;
-+ }
-+ while (eptr >= pp)
-+ if (match(eptr--, ecode, offset_top, md, ims, eptrb, 0))
-+ return TRUE;
-+ return FALSE;
-+ }
++ {
++ const uschar *pp = eptr;
++ for (i = min; i < max; i++)
++ {
++ if (eptr >= md->end_subject || c == *eptr) break;
++ eptr++;
++ }
++ while (eptr >= pp)
++ if (match(eptr--, ecode, offset_top, md, ims, eptrb, 0))
++ return TRUE;
++ return FALSE;
++ }
 + }
 + /* Control never gets here */
 +
@@ -7140,53 +7140,53 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c
 + case OP_ANY:
 +#ifdef SUPPORT_UTF8
 + if (md->utf8)
-+ {
-+ for (i = 1; i <= min; i++)
-+ {
-+ if (eptr >= md->end_subject ||
-+ (*eptr++ == NEWLINE && (ims & PCRE_DOTALL) == 0))
-+ return FALSE;
-+ while (eptr < md->end_subject && (*eptr & 0xc0) == 0x80) eptr++;
-+ }
-+ break;
-+ }
++ {
++ for (i = 1; i <= min; i++)
++ {
++ if (eptr >= md->end_subject ||
++ (*eptr++ == NEWLINE && (ims & PCRE_DOTALL) == 0))
++ return FALSE;
++ while (eptr < md->end_subject && (*eptr & 0xc0) == 0x80) eptr++;
++ }
++ break;
++ }
 +#endif
 + /* Non-UTF8 can be faster */
 + if ((ims & PCRE_DOTALL) == 0)
-+ { for (i = 1; i <= min; i++) if (*eptr++ == NEWLINE) return FALSE; }
++ { for (i = 1; i <= min; i++) if (*eptr++ == NEWLINE) return FALSE; }
 + else eptr += min;
 + break;
 +
 + case OP_NOT_DIGIT:
 + for (i = 1; i <= min; i++)
-+ if ((md->ctypes[*eptr++] & ctype_digit) != 0) return FALSE;
++ if ((md->ctypes[*eptr++] & ctype_digit) != 0) return FALSE;
 + break;
 +
 + case OP_DIGIT:
 + for (i = 1; i <= min; i++)
-+ if ((md->ctypes[*eptr++] & ctype_digit) == 0) return FALSE;
++ if ((md->ctypes[*eptr++] & ctype_digit) == 0) return FALSE;
 + break;
 +
 + case OP_NOT_WHITESPACE:
 + for (i = 1; i <= min; i++)
-+ if ((md->ctypes[*eptr++] & ctype_space) != 0) return FALSE;
++ if ((md->ctypes[*eptr++] & ctype_space) != 0) return FALSE;
 + break;
 +
 + case OP_WHITESPACE:
 + for (i = 1; i <= min; i++)
-+ if ((md->ctypes[*eptr++] & ctype_space) == 0) return FALSE;
++ if ((md->ctypes[*eptr++] & ctype_space) == 0) return FALSE;
 + break;
 +
 + case OP_NOT_WORDCHAR:
 + for (i = 1; i <= min; i++)
-+ if ((md->ctypes[*eptr++] & ctype_word) != 0)
-+ return FALSE;
++ if ((md->ctypes[*eptr++] & ctype_word) != 0)
++ return FALSE;
 + break;
 +
 + case OP_WORDCHAR:
 + for (i = 1; i <= min; i++)
-+ if ((md->ctypes[*eptr++] & ctype_word) == 0)
-+ return FALSE;
++ if ((md->ctypes[*eptr++] & ctype_word) == 0)
++ return FALSE;
 + break;
 + }
 +
@@ -7200,46 +7200,46 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c
 + if (minimize)
 + {
 + for (i = min;; i++)
-+ {
-+ if (match(eptr, ecode, offset_top, md, ims, eptrb, 0)) return TRUE;
-+ if (i >= max || eptr >= md->end_subject) return FALSE;
++ {
++ if (match(eptr, ecode, offset_top, md, ims, eptrb, 0)) return TRUE;
++ if (i >= max || eptr >= md->end_subject) return FALSE;
 +
-+ c = *eptr++;
-+ switch(ctype)
-+ {
-+ case OP_ANY:
-+ if ((ims & PCRE_DOTALL) == 0 && c == NEWLINE) return FALSE;
++ c = *eptr++;
++ switch(ctype)
++ {
++ case OP_ANY:
++ if ((ims & PCRE_DOTALL) == 0 && c == NEWLINE) return FALSE;
 +#ifdef SUPPORT_UTF8
-+ if (md->utf8)
-+ while (eptr < md->end_subject && (*eptr & 0xc0) == 0x80) eptr++;
++ if (md->utf8)
++ while (eptr < md->end_subject && (*eptr & 0xc0) == 0x80) eptr++;
 +#endif
-+ break;
++ break;
 +
-+ case OP_NOT_DIGIT:
-+ if ((md->ctypes[c] & ctype_digit) != 0) return FALSE;
-+ break;
++ case OP_NOT_DIGIT:
++ if ((md->ctypes[c] & ctype_digit) != 0) return FALSE;
++ break;
 +
-+ case OP_DIGIT:
-+ if ((md->ctypes[c] & ctype_digit) == 0) return FALSE;
-+ break;
++ case OP_DIGIT:
++ if ((md->ctypes[c] & ctype_digit) == 0) return FALSE;
++ break;
 +
-+ case OP_NOT_WHITESPACE:
-+ if ((md->ctypes[c] & ctype_space) != 0) return FALSE;
-+ break;
++ case OP_NOT_WHITESPACE:
++ if ((md->ctypes[c] & ctype_space) != 0) return FALSE;
++ break;
 +
-+ case OP_WHITESPACE:
-+ if ((md->ctypes[c] & ctype_space) == 0) return FALSE;
-+ break;
++ case OP_WHITESPACE:
++ if ((md->ctypes[c] & ctype_space) == 0) return FALSE;
++ break;
 +
-+ case OP_NOT_WORDCHAR:
-+ if ((md->ctypes[c] & ctype_word) != 0) return FALSE;
-+ break;
++ case OP_NOT_WORDCHAR:
++ if ((md->ctypes[c] & ctype_word) != 0) return FALSE;
++ break;
 +
-+ case OP_WORDCHAR:
-+ if ((md->ctypes[c] & ctype_word) == 0) return FALSE;
-+ break;
-+ }
-+ }
++ case OP_WORDCHAR:
++ if ((md->ctypes[c] & ctype_word) == 0) return FALSE;
++ break;
++ }
++ }
 + /* Control never gets here */
 + }
 +
@@ -7250,115 +7250,115 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c
 + {
 + const uschar *pp = eptr;
 + switch(ctype)
-+ {
-+ case OP_ANY:
++ {
++ case OP_ANY:
 +
-+ /* Special code is required for UTF8, but when the maximum is unlimited
-+ we don't need it. */
++ /* Special code is required for UTF8, but when the maximum is unlimited
++ we don't need it. */
 +
 +#ifdef SUPPORT_UTF8
-+ if (md->utf8 && max < INT_MAX)
-+ {
-+ if ((ims & PCRE_DOTALL) == 0)
-+ {
-+ for (i = min; i < max; i++)
-+ {
-+ if (eptr >= md->end_subject || *eptr++ == NEWLINE) break;
-+ while (eptr < md->end_subject && (*eptr & 0xc0) == 0x80) eptr++;
-+ }
-+ }
-+ else
-+ {
-+ for (i = min; i < max; i++)
-+ {
-+ eptr++;
-+ while (eptr < md->end_subject && (*eptr & 0xc0) == 0x80) eptr++;
-+ }
-+ }
-+ break;
-+ }
++ if (md->utf8 && max < INT_MAX)
++ {
++ if ((ims & PCRE_DOTALL) == 0)
++ {
++ for (i = min; i < max; i++)
++ {
++ if (eptr >= md->end_subject || *eptr++ == NEWLINE) break;
++ while (eptr < md->end_subject && (*eptr & 0xc0) == 0x80) eptr++;
++ }
++ }
++ else
++ {
++ for (i = min; i < max; i++)
++ {
++ eptr++;
++ while (eptr < md->end_subject && (*eptr & 0xc0) == 0x80) eptr++;
++ }
++ }
++ break;
++ }
 +#endif
-+ /* Non-UTF8 can be faster */
-+ if ((ims & PCRE_DOTALL) == 0)
-+ {
-+ for (i = min; i < max; i++)
-+ {
-+ if (eptr >= md->end_subject || *eptr == NEWLINE) break;
-+ eptr++;
-+ }
-+ }
-+ else
-+ {
-+ c = max - min;
-+ if (c > md->end_subject - eptr) c = md->end_subject - eptr;
-+ eptr += c;
-+ }
-+ break;
++ /* Non-UTF8 can be faster */
++ if ((ims & PCRE_DOTALL) == 0)
++ {
++ for (i = min; i < max; i++)
++ {
++ if (eptr >= md->end_subject || *eptr == NEWLINE) break;
++ eptr++;
++ }
++ }
++ else
++ {
++ c = max - min;
++ if (c > md->end_subject - eptr) c = md->end_subject - eptr;
++ eptr += c;
++ }
++ break;
 +
-+ case OP_NOT_DIGIT:
-+ for (i = min; i < max; i++)
-+ {
-+ if (eptr >= md->end_subject || (md->ctypes[*eptr] & ctype_digit) != 0)
-+ break;
-+ eptr++;
-+ }
-+ break;
++ case OP_NOT_DIGIT:
++ for (i = min; i < max; i++)
++ {
++ if (eptr >= md->end_subject || (md->ctypes[*eptr] & ctype_digit) != 0)
++ break;
++ eptr++;
++ }
++ break;
 +
-+ case OP_DIGIT:
-+ for (i = min; i < max; i++)
-+ {
-+ if (eptr >= md->end_subject || (md->ctypes[*eptr] & ctype_digit) == 0)
-+ break;
-+ eptr++;
-+ }
-+ break;
++ case OP_DIGIT:
++ for (i = min; i < max; i++)
++ {
++ if (eptr >= md->end_subject || (md->ctypes[*eptr] & ctype_digit) == 0)
++ break;
++ eptr++;
++ }
++ break;
 +
-+ case OP_NOT_WHITESPACE:
-+ for (i = min; i < max; i++)
-+ {
-+ if (eptr >= md->end_subject || (md->ctypes[*eptr] & ctype_space) != 0)
-+ break;
-+ eptr++;
-+ }
-+ break;
++ case OP_NOT_WHITESPACE:
++ for (i = min; i < max; i++)
++ {
++ if (eptr >= md->end_subject || (md->ctypes[*eptr] & ctype_space) != 0)
++ break;
++ eptr++;
++ }
++ break;
 +
-+ case OP_WHITESPACE:
-+ for (i = min; i < max; i++)
-+ {
-+ if (eptr >= md->end_subject || (md->ctypes[*eptr] & ctype_space) == 0)
-+ break;
-+ eptr++;
-+ }
-+ break;
++ case OP_WHITESPACE:
++ for (i = min; i < max; i++)
++ {
++ if (eptr >= md->end_subject || (md->ctypes[*eptr] & ctype_space) == 0)
++ break;
++ eptr++;
++ }
++ break;
 +
-+ case OP_NOT_WORDCHAR:
-+ for (i = min; i < max; i++)
-+ {
-+ if (eptr >= md->end_subject || (md->ctypes[*eptr] & ctype_word) != 0)
-+ break;
-+ eptr++;
-+ }
-+ break;
++ case OP_NOT_WORDCHAR:
++ for (i = min; i < max; i++)
++ {
++ if (eptr >= md->end_subject || (md->ctypes[*eptr] & ctype_word) != 0)
++ break;
++ eptr++;
++ }
++ break;
 +
-+ case OP_WORDCHAR:
-+ for (i = min; i < max; i++)
-+ {
-+ if (eptr >= md->end_subject || (md->ctypes[*eptr] & ctype_word) == 0)
-+ break;
-+ eptr++;
-+ }
-+ break;
-+ }
++ case OP_WORDCHAR:
++ for (i = min; i < max; i++)
++ {
++ if (eptr >= md->end_subject || (md->ctypes[*eptr] & ctype_word) == 0)
++ break;
++ eptr++;
++ }
++ break;
++ }
 +
 + while (eptr >= pp)
-+ {
-+ if (match(eptr--, ecode, offset_top, md, ims, eptrb, 0))
-+ return TRUE;
++ {
++ if (match(eptr--, ecode, offset_top, md, ims, eptrb, 0))
++ return TRUE;
 +#ifdef SUPPORT_UTF8
-+ if (md->utf8)
-+ while (eptr > pp && (*eptr & 0xc0) == 0x80) eptr--;
++ if (md->utf8)
++ while (eptr > pp && (*eptr & 0xc0) == 0x80) eptr--;
 +#endif
-+ }
++ }
 + return FALSE;
 + }
 + /* Control never gets here */
@@ -7399,9 +7399,9 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c
 + offsetcount the number of elements in the vector
 +
 +Returns: > 0 => success; value is the number of elements filled in
-+ = 0 => success, but offsets is not big enough
-+ -1 => failed to match
-+ < -1 => some kind of unexpected problem
++ = 0 => success, but offsets is not big enough
++ -1 => failed to match
++ < -1 => some kind of unexpected problem
 +*/
 +
 +int
@@ -7512,7 +7512,7 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c
 + else
 + if (!startline && extra != NULL &&
 + (extra->options & PCRE_STUDY_MAPPED) != 0)
-+ start_bits = extra->start_bits;
++ start_bits = extra->start_bits;
 + }
 +
 +/* For anchored or unanchored matches, there may be a "last known required
@@ -7549,11 +7549,11 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c
 + {
 + if ((ims & PCRE_CASELESS) != 0)
 + while (start_match < end_subject &&
-+ match_block.lcc[*start_match] != first_char)
-+ start_match++;
++ match_block.lcc[*start_match] != first_char)
++ start_match++;
 + else
 + while (start_match < end_subject && *start_match != first_char)
-+ start_match++;
++ start_match++;
 + }
 +
 + /* Or to just after \n for a multiline match if possible */
@@ -7563,7 +7563,7 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c
 + if (start_match > match_block.start_subject + start_offset)
 + {
 + while (start_match < end_subject && start_match[-1] != NEWLINE)
-+ start_match++;
++ start_match++;
 + }
 + }
 +
@@ -7607,23 +7607,23 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c
 + /* Do a single test if no case difference is set up */
 +
 + if (req_char == req_char2)
-+ {
-+ while (p < end_subject)
-+ {
-+ if (*p++ == req_char) { p--; break; }
-+ }
-+ }
++ {
++ while (p < end_subject)
++ {
++ if (*p++ == req_char) { p--; break; }
++ }
++ }
 +
 + /* Otherwise test for either case */
 +
 + else
-+ {
-+ while (p < end_subject)
-+ {
-+ register int pp = *p++;
-+ if (pp == req_char || pp == req_char2) { p--; break; }
-+ }
-+ }
++ {
++ while (p < end_subject)
++ {
++ register int pp = *p++;
++ if (pp == req_char || pp == req_char2) { p--; break; }
++ }
++ }
 +
 + /* If we can't find the required character, break the matching loop */
 +
@@ -7655,7 +7655,7 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c
 + if (offsetcount >= 4)
 + {
 + memcpy(offsets + 2, match_block.offset_vector + 2,
-+ (offsetcount - 2) * sizeof(int));
++ (offsetcount - 2) * sizeof(int));
 + DPRINTF(("Copied offsets from temporary memory\n"));
 + }
 + if (match_block.end_offset_top > offsetcount)
@@ -7695,10 +7695,10 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.c
 +}
 +
 +/* End of pcre.c */
-Index: linux-2.6/security/apparmor/match/pcre_exec.h
+Index: b/security/apparmor/match/pcre_exec.h
 ===================================================================
 --- /dev/null
-+++ linux-2.6/security/apparmor/match/pcre_exec.h
++++ b/security/apparmor/match/pcre_exec.h
 @@ -0,0 +1,308 @@
 +/*
 + * This is a modified header file containing the definitions from
@@ -7910,11 +7910,11 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.h
 + OP_BRAMINZERO, /* order. */
 +
 + OP_BRANUMBER, /* Used for extracting brackets whose number is greater
-+ than can fit into an opcode. */
++ than can fit into an opcode. */
 +
 + OP_BRA /* This and greater values are used for brackets that
-+ extract substrings up to a basic limit. After that,
-+ use is made of OP_BRANUMBER. */
++ extract substrings up to a basic limit. After that,
++ use is made of OP_BRANUMBER. */
 +};
 +
 +/* The highest extraction number before we have to start using additional
@@ -8008,10 +8008,10 @@ Index: linux-2.6/security/apparmor/match/pcre_exec.h
 +
 +#endif // _PCRE_H
 + /* End of pcre.h */
-Index: linux-2.6/security/apparmor/match/pcre_tables.h
+Index: b/security/apparmor/match/pcre_tables.h
 ===================================================================
 --- /dev/null
-+++ linux-2.6/security/apparmor/match/pcre_tables.h
++++ b/security/apparmor/match/pcre_tables.h
 @@ -0,0 +1,184 @@
 +
 +/*************************************************