diff --git a/kernel-patches/for-mainline/cleanup-aa_register.diff b/kernel-patches/for-mainline/cleanup-aa_register.diff new file mode 100644 index 000000000..82249cfb1 --- /dev/null +++ b/kernel-patches/for-mainline/cleanup-aa_register.diff @@ -0,0 +1,62 @@ +Make it more obvious in aa_register which AA_EXEC flags we are +testing against. + +The MAY_EXEC case is dead code; MAY_EXEC is not in AA_EXEC_MODIFIERS. +Q: should we be testing for MAY_EXEC here, too? It wouldn't help + much, but... + +Index: b/security/apparmor/main.c +=================================================================== +--- a/security/apparmor/main.c ++++ b/security/apparmor/main.c +@@ -816,11 +816,12 @@ int aa_register(struct linux_binprm *bpr + /* Confined task, determine what mode inherit, unconstrained or + * mandatory to load new profile + */ +- exec_mode = AA_EXEC_MASK(aa_match(profile->file_rules, filename)); ++ exec_mode = aa_match(profile->file_rules, filename); + unsafe_exec = exec_mode & AA_EXEC_UNSAFE; ++ exec_mode &= AA_EXEC_MODIFIERS; + + if (exec_mode) { +- switch (AA_EXEC_MODIFIER_MASK(exec_mode)) { ++ switch (exec_mode) { + case AA_EXEC_INHERIT: + /* do nothing - setting of profile + * already handed in aa_fork +@@ -848,21 +849,6 @@ int aa_register(struct linux_binprm *bpr + find_profile_mandatory = 1; + break; + +- case MAY_EXEC: +- /* this should not happen, entries +- * with just EXEC only should be +- * rejected at profile load time +- */ +- AA_ERROR("%s: Rejecting exec(2) of image '%s'. " +- "MAY_EXEC without exec qualifier invalid " +- "(%s(%d) profile %s active %s\n", +- __FUNCTION__, +- filename, +- current->comm, current->pid, +- BASE_PROFILE(profile)->name, profile->name); +- error = -EPERM; +- break; +- + default: + AA_ERROR("%s: Rejecting exec(2) of image '%s'. " + "Unknown exec qualifier %x " +Index: b/security/apparmor/apparmor.h +=================================================================== +--- a/security/apparmor/apparmor.h ++++ b/security/apparmor/apparmor.h +@@ -80,9 +80,6 @@ static inline int mediated_filesystem(st + + #define AA_SECURE_EXEC_NEEDED 0x00000001 + +-#define AA_EXEC_MODIFIER_MASK(mask) ((mask) & AA_EXEC_MODIFIERS) +-#define AA_EXEC_MASK(mask) ((mask) & (AA_EXEC_MODIFIERS | AA_EXEC_UNSAFE)) +- + /* struct aa_profile - basic confinement data + * @parent: non refcounted pointer to parent profile + * @name: the profiles name diff --git a/kernel-patches/for-mainline/d_path-lazy-unmounts.diff b/kernel-patches/for-mainline/d_path-lazy-unmounts.diff index c3729d87d..cea6916fc 100644 --- a/kernel-patches/for-mainline/d_path-lazy-unmounts.diff +++ b/kernel-patches/for-mainline/d_path-lazy-unmounts.diff @@ -129,9 +129,9 @@ Index: b/fs/dcache.c - *--end = '/'; - retval = end; + buflen -= namelen + 1; -+ buffer -= namelen + 1; ++ buffer -= namelen; + memcpy(buffer, dentry->d_name.name, namelen); -+ *buffer = '/'; ++ *--buffer = '/'; dentry = parent; } + /* Get '/' right. */ diff --git a/kernel-patches/for-mainline/export-profile-list.diff b/kernel-patches/for-mainline/export-profile-list.diff new file mode 100644 index 000000000..3c0c29735 --- /dev/null +++ b/kernel-patches/for-mainline/export-profile-list.diff @@ -0,0 +1,29 @@ +Index: b/security/apparmor/apparmor.h +=================================================================== +--- a/security/apparmor/apparmor.h ++++ b/security/apparmor/apparmor.h +@@ -142,6 +142,9 @@ static inline void unlock_profile(struct + spin_unlock_irqrestore(&profile->lock, profile->interrupt_flags); + } + ++extern struct list_head profile_list; ++extern rwlock_t profile_list_lock; ++ + /** + * struct aa_task_context - primary label for confined tasks + * @profile: the current profile +Index: b/security/apparmor/list.c +=================================================================== +--- a/security/apparmor/list.c ++++ b/security/apparmor/list.c +@@ -14,8 +14,8 @@ + #include "inline.h" + + /* list of all profiles and lock */ +-static LIST_HEAD(profile_list); +-static rwlock_t profile_list_lock = RW_LOCK_UNLOCKED; ++LIST_HEAD(profile_list); ++rwlock_t profile_list_lock = RW_LOCK_UNLOCKED; + + /* list of all task_contexts and lock */ + static LIST_HEAD(task_context_list); diff --git a/kernel-patches/for-mainline/series b/kernel-patches/for-mainline/series index 98213a1d3..c08f26913 100644 --- a/kernel-patches/for-mainline/series +++ b/kernel-patches/for-mainline/series @@ -69,3 +69,9 @@ rename-profile-lock.diff match-features.diff match-changes.diff rename-audit_context.diff +cleanup-aa_register.diff +cleanup-aa_register-2.diff +aa_task_context_list_release-does-nothing-useful.diff +per-profile-task-contexts.diff +export-profile-list.diff +# rework-locking.diff