From c60fb0e392d1c8d61b397065da98759e97082c31 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Thu, 4 Jan 2007 08:30:08 +0000
Subject: [PATCH] This patch fixes some audit error messages that apparmor generates in 2.6.18.

It turns out that audit and selinux were modified to slightly change the behavior of getprocattr. The changes are:

1. when the audit subsystem calls security_getprocattr it only allows for a return code of EINVAL
2. when the audit subsystem calls security_getprocattr with the size parameter set to 0, it expects the returned size to be the size that would be put in the buffer.

This behavior is undocumented in LSM but the changes showed up in audit and selinux.

This patch fixes AA so that when 0 is passed it will return the size that would have been read. This in turn fixes the problem where the audit system spits out a ton of error in audit_log_task_context messages.

The AA getprocattr handling can still return error messages that are not EINVAL but these should not happen in the audit log context unless audit makes an error. The possible places are:

- audit passes a buffer that is too small - this shouldn't happen since audit uses the return value from a probe with parameter size == 0
- audit task context is trying to read a /proc//attr/current that is the current task's context. This shouldn't happen since the task context is for the current task.
- memory allocation fails. This one will generate the message but the audit code itself will generate the message if its allocation fails.

---
 module/lsm.c      | 5 -----
 module/procattr.c | 4 ++++
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/module/lsm.c b/module/lsm.c index 092146b5f..3bf5457da 100644 --- a/module/lsm.c +++ b/module/lsm.c
@@ -667,11 +667,6 @@ static int subdomain_getprocattr(struct task_struct *p, char *name, void *value, goto out; } - if (!size) { - error = -ERANGE; - goto out; - } - /* must be task querying itself or admin */ if (current != p && !capable(CAP_SYS_ADMIN)) { error = -EPERM; diff --git a/module/procattr.c b/module/procattr.c index 952ae0e41..4eb1d7b4a 100644 --- a/module/procattr.c +++ b/module/procattr.c @@ -52,6 +52,8 @@ size_t sd_getprocattr(struct subdomain *sd, char *str, size_t size) str += lenm; *str++ = '\n'; error = len; + } else if (size == 0) { + error = len; } else { error = -ERANGE; } @@ -63,6 +65,8 @@ size_t sd_getprocattr(struct subdomain *sd, char *str, size_t size) if (len <= size) { memcpy(str, unconstrained_str, len); error = len; + } else if (size == 0) { + error = len; } else { error = -ERANGE; }
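Review bot: In module/lsm.c, with the `if (!size)` early return removed from subdomain_getprocattr(), a size == 0 probe now falls through to the `current != p && !capable(CAP_SYS_ADMIN)` check and can still come back as -EPERM, while the commit message says audit only allows EINVAL from security_getprocattr. The message argues this cannot occur in the audit path; a short comment at this spot recording that assumption, and that size == 0 means "report the required length", would document the convention the message itself calls undocumented in LSM.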
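Review bot: In the first module/procattr.c hunk (@@ -52), sd_getprocattr() is declared to return size_t, yet the branch directly after the new `else if (size == 0)` still assigns `error = -ERANGE`, so a negative errno travels through an unsigned return type and every caller has to convert it back before testing for failure. Now that the return value also carries a probed length, consider a signed return type (ssize_t or int) so a length and an error cannot be confused.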
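Review bot: In the second module/procattr.c hunk (@@ -63), the size == 0 probe is only reached as the fallback of `if (len <= size)`, so the intent that a probe never touches str is implied by the branch order rather than stated; testing `size == 0` first would make that explicit ahead of the `memcpy(str, unconstrained_str, len)`. The same `else if (size == 0) { error = len; }` branch is also added twice in this function, and handling the probe once before the two copy paths diverge would remove the duplication.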