d_namespace & minor cleanup patches

kernel-patches/for-mainline/apparmor-audit-cleanup.diff

@@ -0,0 +1,289 @@
+The aa_diroptype and aa_xattroptype enumerations don't help a thing; they
+only mess up the code. Pass the name of the operation in aa_audit instead.
+
+Use a union for the remaining users of ival in aa_audit: this is more
+readable.
+
+Index: linux-2.6/security/apparmor/apparmor.h
+===================================================================
+--- linux-2.6.orig/security/apparmor/apparmor.h
++++ linux-2.6/security/apparmor/apparmor.h
+@@ -145,8 +145,12 @@ struct aa_audit {
+ 	gfp_t gfp_mask;
+ 	int error_code;
+ 
++	const char *operation;
+ 	const char *name;
+-	unsigned int ival;
++	union {
++		int capability;
++		int mask;
++	};
+ 	union {
+ 		const void *pval;
+ 		va_list vaval;
+@@ -180,20 +184,6 @@ struct aa_audit {
+ 			"LOGPROF-HINT " hint " " fmt, ##args);\
+ 	} while(0)
+ 
+-/* directory op type, for aa_perm_dir */
+-enum aa_diroptype {
+-	aa_dir_mkdir,
+-	aa_dir_rmdir
+-};
+-
+-/* xattr op type, for aa_xattr */
+-enum aa_xattroptype {
+-	aa_xattr_get,
+-	aa_xattr_set,
+-	aa_xattr_list,
+-	aa_xattr_remove
+-};
+-
+ #define BASE_PROFILE(p) ((p)->parent ? (p)->parent : (p))
+ #define IN_SUBPROFILE(p) ((p)->parent)
+ 
+@@ -210,14 +200,14 @@ extern char *aa_get_name(struct dentry *
+ 
+ extern int aa_attr(struct aaprofile *active, struct dentry *dentry,
+ 		   struct vfsmount *mnt, struct iattr *iattr);
+-extern int aa_xattr(struct aaprofile *active, struct dentry *dentry,
+-		    struct vfsmount *mnt,
+-		    const char *xattr, enum aa_xattroptype xattroptype);
++extern int aa_perm_xattr(struct aaprofile *active, struct dentry *dentry,
++			 struct vfsmount *mnt, const char *operation,
++			 const char *xattr_xattr, int mask);
+ extern int aa_capability(struct aaprofile *active, int cap);
+ extern int aa_perm(struct aaprofile *active, struct dentry *dentry,
+ 		   struct vfsmount *mnt, int mask);
+ extern int aa_perm_dir(struct aaprofile *active, struct dentry *dentry,
+-		       struct vfsmount *mnt, enum aa_diroptype diroptype);
++		       struct vfsmount *mnt, const char *operation, int mask);
+ extern int aa_link(struct aaprofile *active,
+ 		   struct dentry *link, struct vfsmount *link_mnt,
+ 		   struct dentry *target, struct vfsmount *target_mnt);
+Index: linux-2.6/security/apparmor/main.c
+===================================================================
+--- linux-2.6.orig/security/apparmor/main.c
++++ linux-2.6/security/apparmor/main.c
+@@ -443,7 +443,7 @@ int aa_audit(struct aaprofile *active, c
+ 	audit_log_format(ab, "%s ", logcls);	/* REJECTING/ALLOWING/etc */
+ 
+ 	if (sa->type == AA_AUDITTYPE_FILE) {
+-		int perm = audit ? sa->ival : sa->error_code;
++		int perm = audit ? sa->mask : sa->error_code;
+ 
+ 		audit_log_format(ab, "%s%s%s%s%s access to %s ",
+ 				 perm & AA_EXEC_MMAP ? "m" : "",
+@@ -456,9 +456,7 @@ int aa_audit(struct aaprofile *active, c
+ 		opspec_error = -EPERM;
+ 
+ 	} else if (sa->type == AA_AUDITTYPE_DIR) {
+-		audit_log_format(ab, "%s on %s ",
+-			sa->ival == aa_dir_mkdir ? "mkdir" : "rmdir",
+-			sa->name);
++		audit_log_format(ab, "%s on %s ", sa->operation, sa->name);
+ 
+ 	} else if (sa->type == AA_AUDITTYPE_ATTR) {
+ 		struct iattr *iattr = (struct iattr*)sa->pval;
+@@ -477,26 +475,10 @@ int aa_audit(struct aaprofile *active, c
+ 			sa->name);
+ 
+ 	} else if (sa->type == AA_AUDITTYPE_XATTR) {
+-		const char *fmt;
+-		switch (sa->ival) {
+-			case aa_xattr_get:
+-				fmt = "xattr get";
+-				break;
+-			case aa_xattr_set:
+-				fmt = "xattr set";
+-				break;
+-			case aa_xattr_list:
+-				fmt = "xattr list";
+-				break;
+-			case aa_xattr_remove:
+-				fmt = "xattr remove";
+-				break;
+-			default:
+-				fmt = "xattr <unknown>";
+-				break;
+-		}
+-
+-		audit_log_format(ab, "%s on %s ", fmt, sa->name);
++		/* FIXME: how are special characters in sa->name escaped? */
++		/* FIXME: check if this can be handled on the stack
++			  with an inline varargs function. */
++		audit_log_format(ab, "%s on %s ", sa->operation, sa->name);
+ 
+ 	} else if (sa->type == AA_AUDITTYPE_LINK) {
+ 		audit_log_format(ab,
+@@ -507,7 +489,7 @@ int aa_audit(struct aaprofile *active, c
+ 	} else if (sa->type == AA_AUDITTYPE_CAP) {
+ 		audit_log_format(ab,
+ 			"access to capability '%s' ",
+-			capability_to_name(sa->ival));
++			capability_to_name(sa->capability));
+ 
+ 		opspec_error = -EPERM;
+ 	} else if (sa->type == AA_AUDITTYPE_SYSCALL) {
+@@ -602,27 +584,24 @@ int aa_attr(struct aaprofile *active, st
+ }
+ 
+ /**
+- * aa_xattr - check whether xattr attribute change allowed
++ * aa_perm_xattr - check whether xattr attribute change allowed
+  * @active: profile to check against
+  * @dentry: file to check
+- * @xattr: xattr to check
+- * @xattroptype: type of xattr operation
++ * @mnt: mount of file to check
++ * @operation: xattr operation being done
++ * @xattr_name: name of xattr to check
++ * @mask: access mode requested
+  */
+-int aa_xattr(struct aaprofile *active, struct dentry *dentry,
+-	     struct vfsmount *mnt, const char *xattr,
+-	     enum aa_xattroptype xattroptype)
++int aa_perm_xattr(struct aaprofile *active, struct dentry *dentry,
++		  struct vfsmount *mnt, const char *operation,
++		  const char *xattr_name, int mask)
+ {
+-	int error = 0, mask = 0;
++	int error;
+ 	struct aa_audit sa;
+ 
+-	if (xattroptype == aa_xattr_get || xattroptype == aa_xattr_list)
+-		mask = MAY_READ;
+-	else if (xattroptype == aa_xattr_set || xattroptype == aa_xattr_remove)
+-		mask = MAY_WRITE;
+-
+ 	sa.type = AA_AUDITTYPE_XATTR;
+-	sa.ival = xattroptype;
+-	sa.pval = xattr;
++	sa.operation = operation;
++	sa.pval = xattr_name;
+ 	sa.flags = 0;
+ 	sa.gfp_mask = GFP_KERNEL;
+ 
+@@ -651,7 +630,7 @@ int aa_perm(struct aaprofile *active, st
+ 		goto out;
+ 
+ 	sa.type = AA_AUDITTYPE_FILE;
+-	sa.ival = mask;
++	sa.mask = mask;
+ 	sa.flags = 0;
+ 	sa.gfp_mask = GFP_KERNEL;
+ 	error = _aa_perm_vfsmount(active, dentry, mnt, &sa, mask);
+@@ -664,31 +643,25 @@ out:
+  * aa_perm_dir
+  * @active: profile to check against
+  * @dentry: requested dentry
+- * @diroptype: aa_dir_mkdir or aa_dir_rmdir
+- * @mnt: vfsmount
++ * @mnt: mount of file to check
++ * @operation: directory operation being performed
++ * @mask: access mode requested
+  *
+  * Determine if directory operation (make/remove) for dentry is authorized
+  * by @active profile.
+  * Result, %0 (success), -ve (error)
+  */
+ int aa_perm_dir(struct aaprofile *active, struct dentry *dentry,
+-		struct vfsmount *mnt, enum aa_diroptype diroptype)
++		struct vfsmount *mnt, const char *operation, int mask)
+ {
+-	int error = 0, mask;
+ 	struct aa_audit sa;
+ 
+-	WARN_ON(diroptype != aa_dir_mkdir && diroptype != aa_dir_rmdir);
+-
+-	mask = MAY_WRITE;
+-
+ 	sa.type = AA_AUDITTYPE_DIR;
+-	sa.ival = diroptype;
++	sa.operation = operation;
+ 	sa.flags = 0;
+ 	sa.gfp_mask = GFP_KERNEL;
+ 
+-	error = _aa_perm_vfsmount(active, dentry, mnt, &sa, MAY_WRITE);
+-
+-	return error;
++	return _aa_perm_vfsmount(active, dentry, mnt, &sa, mask);
+ }
+ 
+ /**
+@@ -706,7 +679,7 @@ int aa_capability(struct aaprofile *acti
+ 
+ 	sa.type = AA_AUDITTYPE_CAP;
+ 	sa.name = NULL;
+-	sa.ival = cap;
++	sa.capability = cap;
+ 	sa.flags = 0;
+ 	sa.error_code = 0;
+ 	sa.result = cap_raised(active->capabilities, cap);
+Index: linux-2.6/security/apparmor/lsm.c
+===================================================================
+--- linux-2.6.orig/security/apparmor/lsm.c
++++ linux-2.6/security/apparmor/lsm.c
+@@ -244,7 +244,7 @@ static int apparmor_inode_mkdir(struct i
+ 	active = get_active_aaprofile();
+ 
+ 	if (active)
+-		error = aa_perm_dir(active, dentry, mnt, aa_dir_mkdir);
++		error = aa_perm_dir(active, dentry, mnt, "mkdir", AA_MAY_WRITE);
+ 
+ 	put_aaprofile(active);
+ 
+@@ -264,7 +264,7 @@ static int apparmor_inode_rmdir(struct i
+ 	active = get_active_aaprofile();
+ 
+ 	if (active)
+-		error = aa_perm_dir(active, dentry, mnt, aa_dir_rmdir);
++		error = aa_perm_dir(active, dentry, mnt, "rmdir", AA_MAY_WRITE);
+ 
+ 	put_aaprofile(active);
+ 
+@@ -444,8 +444,8 @@ static int apparmor_inode_setxattr(struc
+ 
+ 	active = get_active_aaprofile();
+ 	if (active)
+-		error = aa_xattr(active, dentry, mnt, name,
+-				 aa_xattr_set);
++		error = aa_perm_xattr(active, dentry, mnt, name, "xattr set",
++				      AA_MAY_WRITE);
+ 	put_aaprofile(active);
+ 
+ out:
+@@ -464,8 +464,8 @@ static int apparmor_inode_getxattr(struc
+ 
+ 	active = get_active_aaprofile();
+ 	if (active)
+-		error = aa_xattr(active, dentry, mnt, name,
+-				 aa_xattr_get);
++		error = aa_perm_xattr(active, dentry, mnt, name, "xattr get",
++				      AA_MAY_READ);
+ 	put_aaprofile(active);
+ 
+ out:
+@@ -481,8 +481,8 @@ static int apparmor_inode_listxattr(stru
+ 
+ 	active = get_active_aaprofile();
+ 	if (active)
+-		error = aa_xattr(active, dentry, mnt, NULL,
+-				 aa_xattr_list);
++		error = aa_perm_xattr(active, dentry, mnt, NULL, "xattr list",
++				      AA_MAY_READ);
+ 	put_aaprofile(active);
+ 
+ out:
+@@ -500,8 +500,8 @@ static int apparmor_inode_removexattr(st
+ 
+ 	active = get_active_aaprofile();
+ 	if (active)
+-		error = aa_xattr(active, dentry, mnt, name,
+-				 aa_xattr_remove);
++		error = aa_perm_xattr(active, dentry, mnt, name, "xattr remove",
++				      AA_MAY_WRITE);
+ 	put_aaprofile(active);
+ 
+ out:

kernel-patches/for-mainline/apparmor-d_namespace.diff

@@ -0,0 +1,21 @@
+Index: linux-2.6/security/apparmor/main.c
+===================================================================
+--- linux-2.6.orig/security/apparmor/main.c
++++ linux-2.6/security/apparmor/main.c
+@@ -12,6 +12,7 @@
+ #include <linux/security.h>
+ #include <linux/namei.h>
+ #include <linux/audit.h>
++#include <linux/mount.h>
+ 
+ #include "apparmor.h"
+ 
+@@ -551,7 +552,7 @@ char *aa_get_name(struct dentry *dentry,
+ 		goto out;
+ 	}
+ 
+-	name = d_path(dentry, mnt, page, PAGE_SIZE);
++	name = d_namespace_path(dentry, mnt, page, PAGE_SIZE, 1);
+ 	/* check for (deleted) that d_path appends to pathnames if the dentry
+ 	 * has been removed from the cache.
+ 	 * The size > deleted_size and strcmp checks are redundant safe guards.

kernel-patches/for-mainline/apparmor-dfa.diff

@@ -1,7 +1,7 @@
-Index: linux-2.6.19.1/security/apparmor/match/Kbuild
+Index: linux-2.6/security/apparmor/match/Kbuild
 ===================================================================
---- linux-2.6.19.1.orig/security/apparmor/match/Kbuild
+--- linux-2.6.orig/security/apparmor/match/Kbuild
-+++ linux-2.6.19.1/security/apparmor/match/Kbuild
++++ linux-2.6/security/apparmor/match/Kbuild
 @@ -1,6 +1,6 @@
  # Makefile for AppArmor aamatch submodule
  #
@@ -11,10 +11,10 @@ Index: linux-2.6.19.1/security/apparmor/match/Kbuild
  
 -aamatch_pcre-y := match_pcre.o pcre_exec.o
 +aamatch_dfa-y := match_dfa.o
-Index: linux-2.6.19.1/security/apparmor/match/match_dfa.c
+Index: linux-2.6/security/apparmor/match/match_dfa.c
 ===================================================================
 --- /dev/null
-+++ linux-2.6.19.1/security/apparmor/match/match_dfa.c
++++ linux-2.6/security/apparmor/match/match_dfa.c
 @@ -0,0 +1,398 @@
 +/*
 + *	Copyright (C) 2002-2005 Novell/SUSE
@@ -414,10 +414,10 @@ Index: linux-2.6.19.1/security/apparmor/match/match_dfa.c
 +MODULE_DESCRIPTION("AppArmor aa_match module [dfa]");
 +MODULE_AUTHOR("John Johansen <jjohansen@suse.de>");
 +MODULE_LICENSE("GPL");
-Index: linux-2.6.19.1/security/apparmor/module_interface.c
+Index: linux-2.6/security/apparmor/module_interface.c
 ===================================================================
---- linux-2.6.19.1.orig/security/apparmor/module_interface.c
+--- linux-2.6.orig/security/apparmor/module_interface.c
-+++ linux-2.6.19.1/security/apparmor/module_interface.c
++++ linux-2.6/security/apparmor/module_interface.c
 @@ -206,6 +206,7 @@ static void aaconvert(enum aa_code code,
  		*(u16 *)dest = le16_to_cpu(get_unaligned((u16 *)src));
  		break;
@@ -465,10 +465,10 @@ Index: linux-2.6.19.1/security/apparmor/module_interface.c
  	free_aa_entry(entry);
  	return NULL;
  }
-Index: linux-2.6.19.1/security/apparmor/module_interface.h
+Index: linux-2.6/security/apparmor/module_interface.h
 ===================================================================
---- linux-2.6.19.1.orig/security/apparmor/module_interface.h
+--- linux-2.6.orig/security/apparmor/module_interface.h
-+++ linux-2.6.19.1/security/apparmor/module_interface.h
++++ linux-2.6/security/apparmor/module_interface.h
 @@ -20,6 +20,7 @@ enum aa_code {
  	AA_LIST,
  	AA_LISTEND,
@@ -477,10 +477,10 @@ Index: linux-2.6.19.1/security/apparmor/module_interface.h
  	AA_BAD
  };
  
-Index: linux-2.6.19.1/security/apparmor/shared.h
+Index: linux-2.6/security/apparmor/shared.h
 ===================================================================
---- linux-2.6.19.1.orig/security/apparmor/shared.h
+--- linux-2.6.orig/security/apparmor/shared.h
-+++ linux-2.6.19.1/security/apparmor/shared.h
++++ linux-2.6/security/apparmor/shared.h
 @@ -28,6 +28,9 @@
  #define POS_AA_EXEC_UNSAFE		(POS_AA_EXEC_MMAP + 1)
  #define POS_AA_FILE_MAX			POS_AA_EXEC_UNSAFE

kernel-patches/for-mainline/apparmor-minor-stuff.diff

@@ -0,0 +1,572 @@
+Don't use labels where easily avoidable.
+
+Defining and initializing a variable at the same time is okay.
+
+Rename struct task *p to <task>.
+
+Index: linux-2.6/security/apparmor/lsm.c
+===================================================================
+--- linux-2.6.orig/security/apparmor/lsm.c
++++ linux-2.6/security/apparmor/lsm.c
+@@ -66,12 +66,8 @@ MODULE_PARM_DESC(apparmor_logsyscall, "T
+ static int apparmor_ptrace(struct task_struct *parent,
+ 			    struct task_struct *child)
+ {
+-	int error;
+-	struct aaprofile *active;
+-
+-	error = cap_ptrace(parent, child);
+-
+-	active = get_task_active_aaprofile(parent);
++	struct aaprofile *active = get_task_active_aaprofile(parent);
++	int error = cap_ptrace(parent, child);
+ 
+ 	if (!error && active) {
+ 		error = aa_audit_syscallreject(active, GFP_KERNEL, "ptrace");
+@@ -116,9 +112,7 @@ static int apparmor_capable(struct task_
+ 	error = cap_capable(tsk, cap);
+ 
+ 	if (error == 0) {
+-		struct aaprofile *active;
+-
+-		active = get_task_active_aaprofile(tsk);
++		struct aaprofile *active = get_task_active_aaprofile(tsk);
+ 
+ 		if (active)
+ 			error = aa_capability(active, cap);
+@@ -132,9 +126,7 @@ static int apparmor_capable(struct task_
+ static int apparmor_sysctl(struct ctl_table *table, int op)
+ {
+ 	int error = 0;
+-	struct aaprofile *active;
+-
+-	active = get_active_aaprofile();
++	struct aaprofile *active = get_active_aaprofile();
+ 
+ 	if ((op & 002) && active && !capable(CAP_SYS_ADMIN)) {
+ 		error = aa_audit_syscallreject(active, GFP_KERNEL,
+@@ -196,9 +188,7 @@ static int apparmor_sb_mount(char *dev_n
+ 			      unsigned long flags, void *data)
+ {
+ 	int error = 0;
+-	struct aaprofile *active;
+-
+-	active = get_active_aaprofile();
++	struct aaprofile *active = get_active_aaprofile();
+ 
+ 	if (active) {
+ 		error = aa_audit_syscallreject(active, GFP_KERNEL, "mount");
+@@ -216,9 +206,7 @@ static int apparmor_sb_mount(char *dev_n
+ static int apparmor_umount(struct vfsmount *mnt, int flags)
+ {
+ 	int error = 0;
+-	struct aaprofile *active;
+-
+-	active = get_active_aaprofile();
++	struct aaprofile *active = get_active_aaprofile();
+ 
+ 	if (active) {
+ 		error = aa_audit_syscallreject(active, GFP_ATOMIC, "umount");
+@@ -235,60 +223,54 @@ static int apparmor_umount(struct vfsmou
+ static int apparmor_inode_mkdir(struct inode *dir, struct dentry *dentry,
+ 				struct vfsmount *mnt, int mask)
+ {
+-	struct aaprofile *active;
+ 	int error = 0;
+ 
+-	if (!mnt || dir->i_sb->s_security != AA_MEDIATE_FS)
+-		goto out;
+-
+-	active = get_active_aaprofile();
++	if (mnt && dir->i_sb->s_security == AA_MEDIATE_FS) {
++		struct aaprofile *active = get_active_aaprofile();
+ 
+-	if (active)
+-		error = aa_perm_dir(active, dentry, mnt, "mkdir", AA_MAY_WRITE);
++		if (active)
++			error = aa_perm_dir(active, dentry, mnt, "mkdir",
++					    AA_MAY_WRITE);
+ 
+-	put_aaprofile(active);
++		put_aaprofile(active);
++	}
+ 
+-out:
+ 	return error;
+ }
+ 
+ static int apparmor_inode_rmdir(struct inode *dir, struct dentry *dentry,
+ 				struct vfsmount *mnt)
+ {
+-	struct aaprofile *active;
+ 	int error = 0;
+ 
+-	if (!mnt || dir->i_sb->s_security != AA_MEDIATE_FS)
+-		goto out;
+-
+-	active = get_active_aaprofile();
++	if (mnt && dir->i_sb->s_security == AA_MEDIATE_FS) {
++		struct aaprofile *active = get_active_aaprofile();
+ 
+-	if (active)
+-		error = aa_perm_dir(active, dentry, mnt, "rmdir", AA_MAY_WRITE);
++		if (active)
++			error = aa_perm_dir(active, dentry, mnt, "rmdir",
++					    AA_MAY_WRITE);
+ 
+-	put_aaprofile(active);
++		put_aaprofile(active);
++	}
+ 
+-out:
+ 	return error;
+ }
+ 
+ static int apparmor_inode_create(struct inode *inode, struct dentry *dentry,
+ 				 struct vfsmount *mnt, int mask)
+ {
+-	struct aaprofile *active;
+ 	int error = 0;
+ 
+-	if (!mnt)
+-		goto out;
++	if (mnt) {
++		struct aaprofile *active = get_active_aaprofile();
+ 
+-	active = get_active_aaprofile();
++		/* At a minimum, need write perm to create */
++		if (active)
++			error = aa_perm(active, dentry, mnt, MAY_WRITE);
+ 
+-	/* At a minimum, need write perm to create */
+-	if (active)
+-		error = aa_perm(active, dentry, mnt, MAY_WRITE);
++		put_aaprofile(active);
++	}
+ 
+-	put_aaprofile(active);
+-out:
+ 	return error;
+ }
+ 
+@@ -298,20 +280,17 @@ static int apparmor_inode_link(struct de
+ 			       struct vfsmount *new_mnt)
+ {
+ 	int error = 0;
+-	struct aaprofile *active;
+ 
+-	if (!old_mnt || !new_mnt || dir->i_sb->s_security != AA_MEDIATE_FS)
+-		goto out;
++	if (old_mnt && new_mnt && dir->i_sb->s_security == AA_MEDIATE_FS) {
++		struct aaprofile *active = get_active_aaprofile();
+ 
+-	active = get_active_aaprofile();
+-
+-	if (active)
+-		error = aa_link(active, new_dentry, new_mnt,
+-				old_dentry, old_mnt);
++		if (active)
++			error = aa_link(active, new_dentry, new_mnt,
++					old_dentry, old_mnt);
+ 
+-	put_aaprofile(active);
++		put_aaprofile(active);
++	}
+ 
+-out:
+ 	return error;
+ }
+ 
+@@ -319,40 +298,34 @@ static int apparmor_inode_unlink(struct 
+ 				 struct dentry *dentry,
+ 				 struct vfsmount *mnt)
+ {
+-	struct aaprofile *active;
+ 	int error = 0;
+ 
+-	if (!mnt || dentry->d_inode->i_sb->s_security != AA_MEDIATE_FS)
+-		goto out;
++	if (mnt && dentry->d_inode->i_sb->s_security == AA_MEDIATE_FS) {
++		struct aaprofile *active = get_active_aaprofile();
+ 
+-	active = get_active_aaprofile();
+-
+-	if (active)
+-		error = aa_perm(active, dentry, mnt, MAY_WRITE);
++		if (active)
++			error = aa_perm(active, dentry, mnt, MAY_WRITE);
+ 
+-	put_aaprofile(active);
++		put_aaprofile(active);
++	}
+ 
+-out:
+ 	return error;
+ }
+ 
+ static int apparmor_inode_mknod(struct inode *dir, struct dentry *dentry,
+ 				struct vfsmount *mnt, int mode, dev_t dev)
+ {
+-	struct aaprofile *active;
+ 	int error = 0;
+ 
+-	if (!mnt || dir->i_sb->s_security != AA_MEDIATE_FS)
+-		goto out;
+-
+-	active = get_active_aaprofile();
++	if (mnt && dir->i_sb->s_security == AA_MEDIATE_FS) {
++		struct aaprofile *active = get_active_aaprofile();
+ 
+-	if (active)
+-		error = aa_perm(active, dentry, mnt, MAY_WRITE);
++		if (active)
++			error = aa_perm(active, dentry, mnt, MAY_WRITE);
+ 
+-	put_aaprofile(active);
++		put_aaprofile(active);
++	}
+ 
+-out:
+ 	return error;
+ }
+ 
+@@ -397,9 +370,8 @@ static int apparmor_inode_permission(str
+ 	 * Same as apparmor_file_permission
+ 	 */
+ 	if (nd && inode->i_sb->s_security == AA_MEDIATE_FS) {
+-		struct aaprofile *active;
++		struct aaprofile *active = get_active_aaprofile();
+ 
+-		active = get_active_aaprofile();
+ 		if (active)
+ 			error = aa_perm(active, nd->dentry, nd->mnt, mask);
+ 		put_aaprofile(active);
+@@ -412,23 +384,20 @@ static int apparmor_inode_setattr(struct
+ 				  struct iattr *iattr)
+ {
+ 	int error = 0;
+-	struct aaprofile *active;
+-
+-	if (!mnt || dentry->d_inode->i_sb->s_security != AA_MEDIATE_FS)
+-		goto out;
+ 
+-	active = get_active_aaprofile();
++	if (mnt && dentry->d_inode->i_sb->s_security == AA_MEDIATE_FS) {
++		struct aaprofile *active = get_active_aaprofile();
+ 
+-	/*
+-	 * Mediate any attempt to change attributes of a file
+-	 * (chmod, chown, chgrp, etc)
+-	 */
+-	if (active)
+-		error = aa_attr(active, dentry, mnt, iattr);
++		/*
++		 * Mediate any attempt to change attributes of a file
++		 * (chmod, chown, chgrp, etc)
++		 */
++		if (active)
++			error = aa_attr(active, dentry, mnt, iattr);
+ 
+-	put_aaprofile(active);
++		put_aaprofile(active);
++	}
+ 
+-out:
+ 	return error;
+ }
+ 
+@@ -437,18 +406,15 @@ static int apparmor_inode_setxattr(struc
+ 				   int flags)
+ {
+ 	int error = 0;
+-	struct aaprofile *active;
+-
+-	if (!mnt || dentry->d_inode->i_sb->s_security != AA_MEDIATE_FS)
+-		goto out;
+ 
+-	active = get_active_aaprofile();
+-	if (active)
+-		error = aa_perm_xattr(active, dentry, mnt, name, "xattr set",
+-				      AA_MAY_WRITE);
+-	put_aaprofile(active);
++	if (mnt && dentry->d_inode->i_sb->s_security == AA_MEDIATE_FS) {
++		struct aaprofile *active = get_active_aaprofile();
++		if (active)
++			error = aa_perm_xattr(active, dentry, mnt, name,
++					      "xattr set", AA_MAY_WRITE);
++		put_aaprofile(active);
++	}
+ 
+-out:
+ 	return error;
+ }
+ 
+@@ -456,36 +422,31 @@ static int apparmor_inode_getxattr(struc
+ 				   char *name)
+ {
+ 	int error = 0;
+-	struct aaprofile *active;
+-
+-	if (!mnt || dentry->d_inode->i_sb->s_security != AA_MEDIATE_FS)
+-		goto out;
+ 
++	if (mnt && dentry->d_inode->i_sb->s_security == AA_MEDIATE_FS) {
++		struct aaprofile *active = get_active_aaprofile();
+ 
+-	active = get_active_aaprofile();
+-	if (active)
+-		error = aa_perm_xattr(active, dentry, mnt, name, "xattr get",
+-				      AA_MAY_READ);
+-	put_aaprofile(active);
++		if (active)
++			error = aa_perm_xattr(active, dentry, mnt, name,
++					      "xattr get", AA_MAY_READ);
++		put_aaprofile(active);
++	}
+ 
+-out:
+ 	return error;
+ }
+ static int apparmor_inode_listxattr(struct dentry *dentry, struct vfsmount *mnt)
+ {
+ 	int error = 0;
+-	struct aaprofile *active;
+ 
+-	if (!mnt || dentry->d_inode->i_sb->s_security != AA_MEDIATE_FS)
+-		goto out;
++	if (mnt && dentry->d_inode->i_sb->s_security == AA_MEDIATE_FS) {
++		struct aaprofile *active = get_active_aaprofile();
+ 
+-	active = get_active_aaprofile();
+-	if (active)
+-		error = aa_perm_xattr(active, dentry, mnt, NULL, "xattr list",
+-				      AA_MAY_READ);
+-	put_aaprofile(active);
++		if (active)
++			error = aa_perm_xattr(active, dentry, mnt, NULL,
++					      "xattr list", AA_MAY_READ);
++		put_aaprofile(active);
++	}
+ 
+-out:
+ 	return error;
+ }
+ 
+@@ -493,29 +454,28 @@ static int apparmor_inode_removexattr(st
+ 				      struct vfsmount *mnt, char *name)
+ {
+ 	int error = 0;
+-	struct aaprofile *active;
+ 
+-	if (!mnt || dentry->d_inode->i_sb->s_security != AA_MEDIATE_FS)
+-		goto out;
++	if (mnt && dentry->d_inode->i_sb->s_security == AA_MEDIATE_FS) {
++		struct aaprofile *active = get_active_aaprofile();
+ 
+-	active = get_active_aaprofile();
+-	if (active)
+-		error = aa_perm_xattr(active, dentry, mnt, name, "xattr remove",
+-				      AA_MAY_WRITE);
+-	put_aaprofile(active);
++		if (active)
++			error = aa_perm_xattr(active, dentry, mnt, name,
++					      "xattr remove", AA_MAY_WRITE);
++		put_aaprofile(active);
++	}
+ 
+-out:
+ 	return error;
+ }
+ 
+ static int apparmor_file_permission(struct file *file, int mask)
+ {
+-	struct aaprofile *active;
+ 	int error = 0;
+ 
+ 	if (file->f_vfsmnt->mnt_sb->s_security == AA_MEDIATE_FS &&
+ 	    file->f_security) {
+-		active = get_active_aaprofile();
++		struct aaprofile *active = get_active_aaprofile();
++
++		/* FIXME: Q: what's going on here? */
+ 		if (active && (struct aaprofile*)file->f_security != active)
+ 			error = aa_perm(active, file->f_dentry, file->f_vfsmnt,
+ 					mask & (MAY_EXEC|MAY_WRITE|MAY_READ));
+@@ -527,9 +487,8 @@ static int apparmor_file_permission(stru
+ 
+ static int apparmor_file_alloc_security(struct file *file)
+ {
+-	struct aaprofile *active;
++	struct aaprofile *active = get_active_aaprofile();
+ 
+-	active = get_active_aaprofile();
+ 	if (active)
+ 		file->f_security = get_aaprofile(active);
+ 
+@@ -549,23 +508,23 @@ static inline int aa_mmap(struct file *f
+ 	int error = 0, mask = 0;
+ 	struct aaprofile *active;
+ 
++	if (!file || file->f_vfsmnt->mnt_sb->s_security != AA_MEDIATE_FS)
++		goto out;
+ 	active = get_active_aaprofile();
+-	if (!active || !file ||
+-	    file->f_vfsmnt->mnt_sb->s_security != AA_MEDIATE_FS)
++	if (!active)
+ 		goto out;
+ 
+ 	if (prot & PROT_READ)
+ 		mask |= MAY_READ;
+-
+-	/* Private mappings don't require write perms since they don't
+-	 * write back to the files */
+-	if (prot & PROT_WRITE && !(flags & MAP_PRIVATE))
++	/*
++	 *Private mappings don't require write perms since they don't
++	 * write back to the files.
++	 */
++	if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE))
+ 		mask |= MAY_WRITE;
+ 	if (prot & PROT_EXEC)
+ 		mask |= AA_EXEC_MMAP;
+ 
+-	AA_DEBUG("%s: 0x%x\n", __FUNCTION__, mask);
+-
+ 	if (mask)
+ 		error = aa_perm(active, file->f_dentry, file->f_vfsmnt, mask);
+ 
+@@ -588,14 +547,14 @@ static int apparmor_file_mprotect(struct
+ 		       !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
+ }
+ 
+-static int apparmor_task_alloc_security(struct task_struct *p)
++static int apparmor_task_alloc_security(struct task_struct *task)
+ {
+-	return aa_fork(p);
++	return aa_fork(task);
+ }
+ 
+-static void apparmor_task_free_security(struct task_struct *p)
++static void apparmor_task_free_security(struct task_struct *task)
+ {
+-	aa_release(p);
++	aa_release(task);
+ }
+ 
+ static int apparmor_task_post_setuid(uid_t id0, uid_t id1, uid_t id2,
+@@ -604,41 +563,33 @@ static int apparmor_task_post_setuid(uid
+ 	return cap_task_post_setuid(id0, id1, id2, flags);
+ }
+ 
+-static void apparmor_task_reparent_to_init(struct task_struct *p)
++static void apparmor_task_reparent_to_init(struct task_struct *task)
+ {
+-	cap_task_reparent_to_init(p);
++	cap_task_reparent_to_init(task);
+ 	return;
+ }
+ 
+-static int apparmor_getprocattr(struct task_struct *p, char *name, void *value,
+-				size_t size)
++static int apparmor_getprocattr(struct task_struct *task, char *name,
++				void *value, size_t size)
+ {
+ 	int error;
+-	struct aaprofile *active;
+-	char *str = value;
+ 
+ 	/* AppArmor only supports the "current" process attribute */
+-	if (strcmp(name, "current") != 0) {
+-		error = -EINVAL;
+-		goto out;
+-	}
++	if (strcmp(name, "current") != 0)
++		return -EINVAL;
+ 
+-	/* must be task querying itself or admin */
+-	if (current != p && !capable(CAP_SYS_ADMIN)) {
+-		error = -EPERM;
+-		goto out;
++	error = -EPERM;
++	if (task == current || capable(CAP_SYS_ADMIN)) {
++		struct aaprofile *active = get_task_active_aaprofile(task);
++		error = aa_getprocattr(active, (char *) value, size);
++		put_aaprofile(active);
+ 	}
+ 
+-	active = get_task_active_aaprofile(p);
+-	error = aa_getprocattr(active, str, size);
+-	put_aaprofile(active);
+-
+-out:
+ 	return error;
+ }
+ 
+-static int apparmor_setprocattr(struct task_struct *p, char *name, void *value,
+-				 size_t size)
++static int apparmor_setprocattr(struct task_struct *task, char *name,
++				void *value, size_t size)
+ {
+ 	const char *cmd_changehat = "changehat ",
+ 		   *cmd_setprofile = "setprofile ";
+@@ -664,15 +615,15 @@ static int apparmor_setprocattr(struct t
+ 		size_t infosize = size - strlen(cmd_changehat);
+ 
+ 		/* Only the current process may change it's hat */
+-		if (current != p) {
++		if (current != task) {
+ 			AA_WARN("%s: Attempt by foreign task %s(%d) "
+ 				"[user %d] to changehat of task %s(%d)\n",
+ 				__FUNCTION__,
+ 				current->comm,
+ 				current->pid,
+ 				current->uid,
+-				p->comm,
+-				p->pid);
++				task->comm,
++				task->pid);
+ 
+ 			error = -EACCES;
+ 			goto out;
+@@ -699,8 +650,8 @@ static int apparmor_setprocattr(struct t
+ 				current->comm,
+ 				current->pid,
+ 				current->uid,
+-				p->comm,
+-				p->pid);
++				task->comm,
++				task->pid);
+ 			error = -EACCES;
+ 			goto out;
+ 		}
+@@ -710,7 +661,7 @@ static int apparmor_setprocattr(struct t
+ 			char *profile = cmd + strlen(cmd_setprofile);
+ 			size_t profilesize = size - strlen(cmd_setprofile);
+ 
+-			error = aa_setprocattr_setprofile(p, profile, profilesize);
++			error = aa_setprocattr_setprofile(task, profile, profilesize);
+ 			if (error == 0)
+ 				/* success,
+ 				 * set return to #bytes in orig request
+@@ -723,8 +674,8 @@ static int apparmor_setprocattr(struct t
+ 				current->comm,
+ 				current->pid,
+ 				current->uid,
+-				p->comm,
+-				p->pid);
++				task->comm,
++				task->pid);
+ 
+ 			error = -EACCES;
+ 		}
+@@ -739,8 +690,8 @@ static int apparmor_setprocattr(struct t
+ 			current->comm,
+ 			current->pid,
+ 			current->uid,
+-			p->comm,
+-			p->pid);
++			task->comm,
++			task->pid);
+ 
+ 		error = -EINVAL;
+ 	}

kernel-patches/for-mainline/apparmor-path_resize.diff

@@ -1,7 +1,7 @@
-Index: linux-2.6.19.1/security/apparmor/apparmor.h
+Index: linux-2.6/security/apparmor/apparmor.h
 ===================================================================
---- linux-2.6.19.1.orig/security/apparmor/apparmor.h
+--- linux-2.6.orig/security/apparmor/apparmor.h
-+++ linux-2.6.19.1/security/apparmor/apparmor.h
++++ linux-2.6/security/apparmor/apparmor.h
 @@ -218,7 +218,8 @@ extern int aa_audit_message(struct aapro
  extern int aa_audit_syscallreject(struct aaprofile *active, gfp_t gfp,
  				  const char *);
@@ -12,10 +12,10 @@ Index: linux-2.6.19.1/security/apparmor/apparmor.h
  
  extern int aa_attr(struct aaprofile *active, struct dentry *dentry,
  		   struct vfsmount *mnt, struct iattr *iattr);
-Index: linux-2.6.19.1/security/apparmor/inline.h
+Index: linux-2.6/security/apparmor/inline.h
 ===================================================================
---- linux-2.6.19.1.orig/security/apparmor/inline.h
+--- linux-2.6.orig/security/apparmor/inline.h
-+++ linux-2.6.19.1/security/apparmor/inline.h
++++ linux-2.6/security/apparmor/inline.h
 @@ -214,9 +214,12 @@ static inline struct aaprofile *alloc_aa
   * Release space (free_page) allocated to hold pathname
   * name may be NULL (checked for by free_page)
@@ -31,10 +31,10 @@ Index: linux-2.6.19.1/security/apparmor/inline.h
  }
  
  /** __aa_find_profile
-Index: linux-2.6.19.1/security/apparmor/main.c
+Index: linux-2.6/security/apparmor/main.c
 ===================================================================
---- linux-2.6.19.1.orig/security/apparmor/main.c
+--- linux-2.6.orig/security/apparmor/main.c
-+++ linux-2.6.19.1/security/apparmor/main.c
++++ linux-2.6/security/apparmor/main.c
 @@ -318,8 +318,9 @@ static int _aa_perm_vfsmount(struct aapr
                        struct vfsmount *mnt, struct aa_audit *sa, int mask)
  {

kernel-patches/for-mainline/apparmor-percpu_path_cache.diff

@@ -1,7 +1,7 @@
-Index: linux-2.6.19.1/security/apparmor/apparmor.h
+Index: linux-2.6/security/apparmor/apparmor.h
 ===================================================================
---- linux-2.6.19.1.orig/security/apparmor/apparmor.h
+--- linux-2.6.orig/security/apparmor/apparmor.h
-+++ linux-2.6.19.1/security/apparmor/apparmor.h
++++ linux-2.6/security/apparmor/apparmor.h
 @@ -197,7 +197,19 @@ enum aa_xattroptype {
  #define BASE_PROFILE(p) ((p)->parent ? (p)->parent : (p))
  #define IN_SUBPROFILE(p) ((p)->parent)
@@ -22,10 +22,10 @@ Index: linux-2.6.19.1/security/apparmor/apparmor.h
  extern int alloc_null_complain_profile(void);
  extern void free_null_complain_profile(void);
  extern int attach_nullprofile(struct aaprofile *profile);
-Index: linux-2.6.19.1/security/apparmor/inline.h
+Index: linux-2.6/security/apparmor/inline.h
 ===================================================================
---- linux-2.6.19.1.orig/security/apparmor/inline.h
+--- linux-2.6.orig/security/apparmor/inline.h
-+++ linux-2.6.19.1/security/apparmor/inline.h
++++ linux-2.6/security/apparmor/inline.h
 @@ -216,7 +216,7 @@ static inline struct aaprofile *alloc_aa
   */
  static inline void aa_put_name(const char *name)
@@ -35,11 +35,11 @@ Index: linux-2.6.19.1/security/apparmor/inline.h
  }
  
  /** __aa_find_profile
-Index: linux-2.6.19.1/security/apparmor/lsm.c
+Index: linux-2.6/security/apparmor/lsm.c
 ===================================================================
---- linux-2.6.19.1.orig/security/apparmor/lsm.c
+--- linux-2.6.orig/security/apparmor/lsm.c
-+++ linux-2.6.19.1/security/apparmor/lsm.c
++++ linux-2.6/security/apparmor/lsm.c
-@@ -814,6 +814,11 @@ static int __init apparmor_init(void)
+@@ -816,6 +816,11 @@ static int __init apparmor_init(void)
  		goto alloc_out;
  	}
  
@@ -51,7 +51,7 @@ Index: linux-2.6.19.1/security/apparmor/lsm.c
  	if ((error = register_security(&apparmor_ops))) {
  		AA_ERROR("Unable to load AppArmor\n");
  		goto register_security_out;
-@@ -828,6 +833,9 @@ static int __init apparmor_init(void)
+@@ -830,6 +835,9 @@ static int __init apparmor_init(void)
  	return error;
  
  register_security_out:
@@ -61,10 +61,10 @@ Index: linux-2.6.19.1/security/apparmor/lsm.c
  	free_null_complain_profile();
  
  alloc_out:
-Index: linux-2.6.19.1/security/apparmor/main.c
+Index: linux-2.6/security/apparmor/main.c
 ===================================================================
---- linux-2.6.19.1.orig/security/apparmor/main.c
+--- linux-2.6.orig/security/apparmor/main.c
-+++ linux-2.6.19.1/security/apparmor/main.c
++++ linux-2.6/security/apparmor/main.c
 @@ -12,11 +12,132 @@
  #include <linux/security.h>
  #include <linux/namei.h>

kernel-patches/for-mainline/apparmor-setprocattr.diff

@@ -0,0 +1,44 @@
+The -EACCESS error code set at the top never survives to the bottom
+of the function.
+
+I'm not sure we need all the syslogging going on here.
+
+There are some self-explanatory comments (not only here).
+
+Index: linux-2.6-apparmor/security/apparmor/lsm.c
+===================================================================
+--- linux-2.6-apparmor.orig/security/apparmor/lsm.c
++++ linux-2.6-apparmor/security/apparmor/lsm.c
+@@ -594,19 +594,15 @@ static int apparmor_setprocattr(struct t
+ 	const char *cmd_changehat = "changehat ",
+ 		   *cmd_setprofile = "setprofile ";
+ 
+-	int error = -EACCES;	/* default to a perm denied */
++	int error;
+ 	char *cmd = (char *)value;
+ 
+-	/* only support messages to current */
+-	if (strcmp(name, "current") != 0) {
+-		error = -EINVAL;
++	error = -EINVAL;
++	if (strcmp(name, "current") != 0)
+ 		goto out;
+-	}
+-
+-	if (!size) {
+-		error = -ERANGE;
++	error = -ERANGE;
++	if (!size)
+ 		goto out;
+-	}
+ 
+ 	/* CHANGE HAT -- switch task into a subhat (subprofile) if defined */
+ 	if (size > strlen(cmd_changehat) &&
+@@ -631,7 +627,6 @@ static int apparmor_setprocattr(struct t
+ 
+ 		error = aa_setprocattr_changehat(hatinfo, infosize);
+ 		if (error == 0)
+-			/* success, set return to #bytes in orig request */
+ 			error = size;
+ 
+ 	/* SET NEW PROFILE */

kernel-patches/for-mainline/apparmor-single_module.diff

@@ -1,7 +1,7 @@
-Index: linux-2.6.19.1/security/apparmor/Makefile
+Index: linux-2.6/security/apparmor/Makefile
 ===================================================================
---- linux-2.6.19.1.orig/security/apparmor/Makefile
+--- linux-2.6.orig/security/apparmor/Makefile
-+++ linux-2.6.19.1/security/apparmor/Makefile
++++ linux-2.6/security/apparmor/Makefile
 @@ -1,6 +1,6 @@
  # Makefile for AppArmor Linux Security Module
  #
@@ -11,10 +11,10 @@ Index: linux-2.6.19.1/security/apparmor/Makefile
  apparmor-y := main.o list.o procattr.o lsm.o apparmorfs.o capabilities.o \
 -	      module_interface.o
 +	      module_interface.o match.o
-Index: linux-2.6.19.1/security/apparmor/apparmor.h
+Index: linux-2.6/security/apparmor/apparmor.h
 ===================================================================
---- linux-2.6.19.1.orig/security/apparmor/apparmor.h
+--- linux-2.6.orig/security/apparmor/apparmor.h
-+++ linux-2.6.19.1/security/apparmor/apparmor.h
++++ linux-2.6/security/apparmor/apparmor.h
 @@ -17,6 +17,7 @@
  #include <linux/rcupdate.h>
  
@@ -115,10 +115,10 @@ Index: linux-2.6.19.1/security/apparmor/apparmor.h
 +unsigned int aamatch(struct aa_dfa *dfa, const char *pathname);
 +
  #endif				/* __APPARMOR_H */
-Index: linux-2.6.19.1/security/apparmor/inline.h
+Index: linux-2.6/security/apparmor/inline.h
 ===================================================================
---- linux-2.6.19.1.orig/security/apparmor/inline.h
+--- linux-2.6.orig/security/apparmor/inline.h
-+++ linux-2.6.19.1/security/apparmor/inline.h
++++ linux-2.6/security/apparmor/inline.h
 @@ -199,14 +199,8 @@ static inline struct aaprofile *alloc_aa
  					      GFP_KERNEL);
  	AA_DEBUG("%s(%p)\n", __FUNCTION__, profile);
@@ -134,10 +134,10 @@ Index: linux-2.6.19.1/security/apparmor/inline.h
  		INIT_RCU_HEAD(&profile->rcu);
  		kref_init(&profile->count);
  	}
-Index: linux-2.6.19.1/security/apparmor/main.c
+Index: linux-2.6/security/apparmor/main.c
 ===================================================================
---- linux-2.6.19.1.orig/security/apparmor/main.c
+--- linux-2.6.orig/security/apparmor/main.c
-+++ linux-2.6.19.1/security/apparmor/main.c
++++ linux-2.6/security/apparmor/main.c
 @@ -14,7 +14,6 @@
  #include <linux/audit.h>
  
@@ -349,9 +349,9 @@ Index: linux-2.6.19.1/security/apparmor/main.c
  		case AA_EXEC_INHERIT:
  			/* do nothing - setting of profile
  			 * already handed in aa_fork
-Index: linux-2.6.19.1/security/apparmor/match/Kbuild
+Index: linux-2.6/security/apparmor/match/Kbuild
 ===================================================================
---- linux-2.6.19.1.orig/security/apparmor/match/Kbuild
+--- linux-2.6.orig/security/apparmor/match/Kbuild
 +++ /dev/null
 @@ -1,6 +0,0 @@
 -# Makefile for AppArmor aamatch submodule
@@ -360,9 +360,9 @@ Index: linux-2.6.19.1/security/apparmor/match/Kbuild
 -obj-$(CONFIG_SECURITY_APPARMOR) += aamatch_dfa.o
 -
 -aamatch_dfa-y := match_dfa.o
-Index: linux-2.6.19.1/security/apparmor/match/Makefile
+Index: linux-2.6/security/apparmor/match/Makefile
 ===================================================================
---- linux-2.6.19.1.orig/security/apparmor/match/Makefile
+--- linux-2.6.orig/security/apparmor/match/Makefile
 +++ /dev/null
 @@ -1,5 +0,0 @@
 -# Makefile for AppArmor aamatch submodule
@@ -370,9 +370,9 @@ Index: linux-2.6.19.1/security/apparmor/match/Makefile
 -obj-$(CONFIG_SECURITY_APPARMOR) += aamatch_pcre.o
 -
 -aamatch_pcre-y := match_pcre.o pcre_exec.o
-Index: linux-2.6.19.1/security/apparmor/match/match.h
+Index: linux-2.6/security/apparmor/match/match.h
 ===================================================================
---- linux-2.6.19.1.orig/security/apparmor/match/match.h
+--- linux-2.6.orig/security/apparmor/match/match.h
 +++ /dev/null
 @@ -1,126 +0,0 @@
 -/*
@@ -501,9 +501,9 @@ Index: linux-2.6.19.1/security/apparmor/match/match.h
 -}
 -
 -#endif /* __MATCH_H */
-Index: linux-2.6.19.1/security/apparmor/match/match_default.c
+Index: linux-2.6/security/apparmor/match/match_default.c
 ===================================================================
---- linux-2.6.19.1.orig/security/apparmor/match/match_default.c
+--- linux-2.6.orig/security/apparmor/match/match_default.c
 +++ /dev/null
 @@ -1,56 +0,0 @@
 -/*
@@ -562,9 +562,9 @@ Index: linux-2.6.19.1/security/apparmor/match/match_default.c
 -MODULE_DESCRIPTION("AppArmor match module (aamatch) [default]");
 -MODULE_AUTHOR("Tony Jones <tonyj@suse.de>");
 -MODULE_LICENSE("GPL");
-Index: linux-2.6.19.1/security/apparmor/match/match_dfa.c
+Index: linux-2.6/security/apparmor/match/match_dfa.c
 ===================================================================
---- linux-2.6.19.1.orig/security/apparmor/match/match_dfa.c
+--- linux-2.6.orig/security/apparmor/match/match_dfa.c
 +++ /dev/null
 @@ -1,398 +0,0 @@
 -/*
@@ -965,9 +965,9 @@ Index: linux-2.6.19.1/security/apparmor/match/match_dfa.c
 -MODULE_DESCRIPTION("AppArmor aa_match module [dfa]");
 -MODULE_AUTHOR("John Johansen <jjohansen@suse.de>");
 -MODULE_LICENSE("GPL");
-Index: linux-2.6.19.1/security/apparmor/match/match_pcre.c
+Index: linux-2.6/security/apparmor/match/match_pcre.c
 ===================================================================
---- linux-2.6.19.1.orig/security/apparmor/match/match_pcre.c
+--- linux-2.6.orig/security/apparmor/match/match_pcre.c
 +++ /dev/null
 @@ -1,168 +0,0 @@
 -/*
@@ -1138,9 +1138,9 @@ Index: linux-2.6.19.1/security/apparmor/match/match_pcre.c
 -MODULE_DESCRIPTION("AppArmor aa_match module [pcre]");
 -MODULE_AUTHOR("Tony Jones <tonyj@suse.de>");
 -MODULE_LICENSE("GPL");
-Index: linux-2.6.19.1/security/apparmor/match/pcre_exec.c
+Index: linux-2.6/security/apparmor/match/pcre_exec.c
 ===================================================================
---- linux-2.6.19.1.orig/security/apparmor/match/pcre_exec.c
+--- linux-2.6.orig/security/apparmor/match/pcre_exec.c
 +++ /dev/null
 @@ -1,1945 +0,0 @@
 -/*
@@ -3088,9 +3088,9 @@ Index: linux-2.6.19.1/security/apparmor/match/pcre_exec.c
 -}
 -
 -/* End of pcre.c */
-Index: linux-2.6.19.1/security/apparmor/match/pcre_exec.h
+Index: linux-2.6/security/apparmor/match/pcre_exec.h
 ===================================================================
---- linux-2.6.19.1.orig/security/apparmor/match/pcre_exec.h
+--- linux-2.6.orig/security/apparmor/match/pcre_exec.h
 +++ /dev/null
 @@ -1,308 +0,0 @@
 -/*
@@ -3401,9 +3401,9 @@ Index: linux-2.6.19.1/security/apparmor/match/pcre_exec.h
 -
 -#endif // _PCRE_H
 - /* End of pcre.h */
-Index: linux-2.6.19.1/security/apparmor/match/pcre_tables.h
+Index: linux-2.6/security/apparmor/match/pcre_tables.h
 ===================================================================
---- linux-2.6.19.1.orig/security/apparmor/match/pcre_tables.h
+--- linux-2.6.orig/security/apparmor/match/pcre_tables.h
 +++ /dev/null
 @@ -1,184 +0,0 @@
 -
@@ -3590,10 +3590,10 @@ Index: linux-2.6.19.1/security/apparmor/match/pcre_tables.h
 -  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};/* 248-255 */
 -
 -/* End of chartables.c */
-Index: linux-2.6.19.1/security/apparmor/module_interface.c
+Index: linux-2.6/security/apparmor/module_interface.c
 ===================================================================
---- linux-2.6.19.1.orig/security/apparmor/module_interface.c
+--- linux-2.6.orig/security/apparmor/module_interface.c
-+++ linux-2.6.19.1/security/apparmor/module_interface.c
++++ linux-2.6/security/apparmor/module_interface.c
 @@ -14,7 +14,6 @@
  #include "apparmor.h"
  #include "inline.h"
@@ -3862,10 +3862,10 @@ Index: linux-2.6.19.1/security/apparmor/module_interface.c
  
  	/* use free_aaprofile instead of put_aaprofile to destroy the
  	 * null_profile, because the null_profile use the same reference
-Index: linux-2.6.19.1/security/apparmor/apparmorfs.c
+Index: linux-2.6/security/apparmor/apparmorfs.c
 ===================================================================
---- linux-2.6.19.1.orig/security/apparmor/apparmorfs.c
+--- linux-2.6.orig/security/apparmor/apparmorfs.c
-+++ linux-2.6.19.1/security/apparmor/apparmorfs.c
++++ linux-2.6/security/apparmor/apparmorfs.c
 @@ -17,7 +17,6 @@
  
  #include "apparmor.h"
@@ -3874,10 +3874,10 @@ Index: linux-2.6.19.1/security/apparmor/apparmorfs.c
  
  #define SECFS_AA "apparmor"
  static struct dentry *aafs_dentry = NULL;
-Index: linux-2.6.19.1/security/apparmor/match.c
+Index: linux-2.6/security/apparmor/match.c
 ===================================================================
 --- /dev/null
-+++ linux-2.6.19.1/security/apparmor/match.c
++++ linux-2.6/security/apparmor/match.c
 @@ -0,0 +1,274 @@
 +/*
 + *	Copyright (C) 2002-2005 Novell/SUSE
@@ -4153,10 +4153,10 @@ Index: linux-2.6.19.1/security/apparmor/match.c
 +
 +	return 0;
 +}
-Index: linux-2.6.19.1/security/apparmor/match.h
+Index: linux-2.6/security/apparmor/match.h
 ===================================================================
 --- /dev/null
-+++ linux-2.6.19.1/security/apparmor/match.h
++++ linux-2.6/security/apparmor/match.h
 @@ -0,0 +1,80 @@
 +/*
 + *	Copyright (C) 2002-2005 Novell/SUSE

kernel-patches/for-mainline/d_namespace_path.diff

@@ -0,0 +1,72 @@
+Index: linux-2.6/include/linux/dcache.h
+===================================================================
+--- linux-2.6.orig/include/linux/dcache.h
++++ linux-2.6/include/linux/dcache.h
+@@ -293,6 +293,8 @@ extern struct dentry * d_hash_and_lookup
+ /* validate "insecure" dentry pointer */
+ extern int d_validate(struct dentry *, struct dentry *);
+ 
++extern char *__d_path(struct dentry *, struct vfsmount *, struct dentry *,
++		      struct vfsmount *, char *, int, int);
+ extern char * d_path(struct dentry *, struct vfsmount *, char *, int);
+   
+ /* Allocation counts.. */
+Index: linux-2.6/fs/dcache.c
+===================================================================
+--- linux-2.6.orig/fs/dcache.c
++++ linux-2.6/fs/dcache.c
+@@ -1747,9 +1747,9 @@ shouldnt_be_hashed:
+  *
+  * Returns the buffer or an error code.
+  */
+-static char *__d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
+-		      struct dentry *root, struct vfsmount *rootmnt,
+-		      char *buffer, int buflen, int fail_deleted)
++char *__d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
++	       struct dentry *root, struct vfsmount *rootmnt,
++	       char *buffer, int buflen, int fail_deleted)
+ {
+ 	char *end = buffer + buflen - 1;
+ 	int namelen;
+Index: linux-2.6/fs/namespace.c
+===================================================================
+--- linux-2.6.orig/fs/namespace.c
++++ linux-2.6/fs/namespace.c
+@@ -1878,3 +1878,25 @@ void __put_mnt_ns(struct mnt_namespace *
+ 	release_mounts(&umount_list);
+ 	kfree(ns);
+ }
++
++char *d_namespace_path(struct dentry *dentry, struct vfsmount *vfsmnt,
++		       char *buf, int buflen, int fail_deleted)
++{
++	char *res;
++	struct vfsmount *rootmnt, *nsrootmnt;
++	struct dentry *root;
++
++	read_lock(&current->fs->lock);
++	rootmnt = mntget(current->fs->rootmnt);
++	read_unlock(&current->fs->lock);
++	spin_lock(&vfsmount_lock);
++	nsrootmnt = mntget(rootmnt->mnt_ns->root);
++	root = dget(nsrootmnt->mnt_root);
++	spin_unlock(&vfsmount_lock);
++	mntput(rootmnt);
++	res = __d_path(dentry, vfsmnt, root, rootmnt, buf, buflen, 0);
++	dput(root);
++	mntput(nsrootmnt);
++	return res;
++}
++EXPORT_SYMBOL(d_namespace_path);
+Index: linux-2.6/include/linux/mount.h
+===================================================================
+--- linux-2.6.orig/include/linux/mount.h
++++ linux-2.6/include/linux/mount.h
+@@ -97,5 +97,7 @@ extern void shrink_submounts(struct vfsm
+ extern spinlock_t vfsmount_lock;
+ extern dev_t name_to_dev_t(char *name);
+ 
++extern char *d_namespace_path(struct dentry *, struct vfsmount *, char *, int, int);
++
+ #endif
+ #endif /* _LINUX_MOUNT_H */

kernel-patches/for-mainline/d_path-lazy-unmounts.diff

@@ -0,0 +1,206 @@
+Index: linux-2.6/fs/dcache.c
+===================================================================
+--- linux-2.6.orig/fs/dcache.c
++++ linux-2.6/fs/dcache.c
+@@ -1739,45 +1739,43 @@ shouldnt_be_hashed:
+  * @rootmnt: vfsmnt to which the root dentry belongs
+  * @buffer: buffer to return value in
+  * @buflen: buffer length
++ * @fail_deleted: what to return when hitting a deleted dentry
+  *
+- * Convert a dentry into an ASCII path name. If the entry has been deleted
+- * the string " (deleted)" is appended. Note that this is ambiguous.
++ * Convert a dentry into an ASCII path name. If the entry has been deleted,
++ * then if @fail_deleted is true, ERR_PTR(-ENOENT) is returned. Otherwise,
++ * the the string " (deleted)" is appended. Note that this is ambiguous.
+  *
+- * Returns the buffer or an error code if the path was too long.
+- *
+- * "buflen" should be positive. Caller holds the dcache_lock.
++ * Returns the buffer or an error code.
+  */
+-static char * __d_path( struct dentry *dentry, struct vfsmount *vfsmnt,
+-			struct dentry *root, struct vfsmount *rootmnt,
+-			char *buffer, int buflen)
++static char *__d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
++		      struct dentry *root, struct vfsmount *rootmnt,
++		      char *buffer, int buflen, int fail_deleted)
+ {
+-	char * end = buffer+buflen;
+-	char * retval;
++	char *end = buffer + buflen - 1;
+ 	int namelen;
+ 
+-	*--end = '\0';
++	buffer = end;
++	if (buflen < 2)
++		return ERR_PTR(-ENAMETOOLONG);
++	*end = '\0';
+ 	buflen--;
++
++	spin_lock(&dcache_lock);
+ 	if (!IS_ROOT(dentry) && d_unhashed(dentry)) {
+-		buflen -= 10;
+-		end -= 10;
+-		if (buflen < 0)
++		if (fail_deleted) {
++			buffer = ERR_PTR(-ENOENT);
++			goto out;
++		}
++		if (buflen < 10)
+ 			goto Elong;
+-		memcpy(end, " (deleted)", 10);
++		buflen -= 10;
++		buffer -= 10;
++		memcpy(buffer, " (deleted)", 10);
+ 	}
+-
+-	if (buflen < 1)
+-		goto Elong;
+-	/* Get '/' right */
+-	retval = end-1;
+-	*retval = '/';
+-
+-	for (;;) {
++	while (dentry != root || vfsmnt != rootmnt) {
+ 		struct dentry * parent;
+ 
+-		if (dentry == root && vfsmnt == rootmnt)
+-			break;
+ 		if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
+-			/* Global root? */
+ 			spin_lock(&vfsmount_lock);
+ 			if (vfsmnt->mnt_parent == vfsmnt) {
+ 				spin_unlock(&vfsmount_lock);
+@@ -1791,33 +1789,49 @@ static char * __d_path( struct dentry *d
+ 		parent = dentry->d_parent;
+ 		prefetch(parent);
+ 		namelen = dentry->d_name.len;
+-		buflen -= namelen + 1;
+-		if (buflen < 0)
++		if (buflen <= namelen)
+ 			goto Elong;
+-		end -= namelen;
+-		memcpy(end, dentry->d_name.name, namelen);
+-		*--end = '/';
+-		retval = end;
++		buflen -= namelen + 1;
++		buffer -= namelen;
++		memcpy(buffer, dentry->d_name.name, namelen);
++		*--buffer = '/';
+ 		dentry = parent;
+ 	}
++	/* Get '/' right */
++	if (buffer == end)
++		*--buffer = '/';
+ 
+-	return retval;
++out:
++	spin_unlock(&dcache_lock);
++	return buffer;
+ 
+ global_root:
++	/*
++	 * We went past the (vfsmount, dentry) we were loking for and have
++	 * either hit a root dentry, a lazily unmounted dentry, or an
++	 * unconnected dentry. Make sure we won't return a pathname rooted
++	 * in '/'.
++	 */
+ 	namelen = dentry->d_name.len;
+-	buflen -= namelen;
+-	if (buflen < 0)
+-		goto Elong;
+-	retval -= namelen-1;	/* hit the slash */
+-	memcpy(retval, dentry->d_name.name, namelen);
+-	return retval;
++	if (namelen == 1 && *dentry->d_name.name == '/') {
++		if (buffer != end)
++			buffer++;
++	} else {
++		if (buflen < namelen)
++			goto Elong;
++		buffer -= namelen;
++		memcpy(buffer, dentry->d_name.name, namelen);
++	}
++	goto out;
++
+ Elong:
+-	return ERR_PTR(-ENAMETOOLONG);
++	buffer = ERR_PTR(-ENAMETOOLONG);
++	goto out;
+ }
+ 
+ /* write full pathname into buffer and return start of pathname */
+-char * d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
+-				char *buf, int buflen)
++char *d_path(struct dentry *dentry, struct vfsmount *vfsmnt, char *buf,
++	     int buflen)
+ {
+ 	char *res;
+ 	struct vfsmount *rootmnt;
+@@ -1827,9 +1841,7 @@ char * d_path(struct dentry *dentry, str
+ 	rootmnt = mntget(current->fs->rootmnt);
+ 	root = dget(current->fs->root);
+ 	read_unlock(&current->fs->lock);
+-	spin_lock(&dcache_lock);
+-	res = __d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
+-	spin_unlock(&dcache_lock);
++	res = __d_path(dentry, vfsmnt, root, rootmnt, buf, buflen, 0);
+ 	dput(root);
+ 	mntput(rootmnt);
+ 	return res;
+@@ -1855,10 +1867,10 @@ char * d_path(struct dentry *dentry, str
+  */
+ asmlinkage long sys_getcwd(char __user *buf, unsigned long size)
+ {
+-	int error;
++	int error, len;
+ 	struct vfsmount *pwdmnt, *rootmnt;
+ 	struct dentry *pwd, *root;
+-	char *page = (char *) __get_free_page(GFP_USER);
++	char *page = (char *) __get_free_page(GFP_USER), *cwd;
+ 
+ 	if (!page)
+ 		return -ENOMEM;
+@@ -1870,29 +1882,18 @@ asmlinkage long sys_getcwd(char __user *
+ 	root = dget(current->fs->root);
+ 	read_unlock(&current->fs->lock);
+ 
+-	error = -ENOENT;
+-	/* Has the current directory has been unlinked? */
+-	spin_lock(&dcache_lock);
+-	if (pwd->d_parent == pwd || !d_unhashed(pwd)) {
+-		unsigned long len;
+-		char * cwd;
+-
+-		cwd = __d_path(pwd, pwdmnt, root, rootmnt, page, PAGE_SIZE);
+-		spin_unlock(&dcache_lock);
+-
+-		error = PTR_ERR(cwd);
+-		if (IS_ERR(cwd))
+-			goto out;
+-
+-		error = -ERANGE;
+-		len = PAGE_SIZE + page - cwd;
+-		if (len <= size) {
+-			error = len;
+-			if (copy_to_user(buf, cwd, len))
+-				error = -EFAULT;
+-		}
+-	} else
+-		spin_unlock(&dcache_lock);
++	cwd = __d_path(pwd, pwdmnt, root, rootmnt, page, PAGE_SIZE, 1);
++	error = PTR_ERR(cwd);
++	if (IS_ERR(cwd))
++		goto out;
++
++	error = -ERANGE;
++	len = PAGE_SIZE + page - cwd;
++	if (len <= size) {
++		error = len;
++		if (copy_to_user(buf, cwd, len))
++			error = -EFAULT;
++	}
+ 
+ out:
+ 	dput(pwd);

kernel-patches/for-mainline/series

@@ -26,21 +26,29 @@ vfs-listxattr.diff
 security-listxattr.diff
 vfs-removexattr.diff
 security-removexattr.diff
-d_path_flags.diff
+d_path-lazy-unmounts.diff
-d_path_namespace_root.diff
+d_namespace_path.diff
-d_path_return_flags.diff
+# d_path_flags.diff
-security_chroot.diff
+# d_path_namespace_root.diff
+# d_path_return_flags.diff
+# security_chroot.diff
 apparmor-audit.diff
 apparmor-intree.diff
 apparmor.diff
 apparmor-vfsmnt.diff
 apparmor-builtinonly.diff
 apparmor-bootdisable.diff
-# apparmor-twophaseinit.diff
 apparmor-novalidfstype.diff
 apparmor-match_perms.diff
 apparmor-dfa.diff
 apparmor-single_module.diff
-apparmor-percpu_path_cache.diff
+apparmor-d_namespace.diff
-apparmor-path_resize.diff
+apparmor-audit-cleanup.diff
-apparmor-d_path_flags.diff
+apparmor-minor-stuff.diff
+apparmor-setprocattr.diff
+apparmor-cleanup-aa.diff
+apparmor-aa_-to-aa.diff
+# apparmor-twophaseinit.diff
+# apparmor-percpu_path_cache.diff
+# apparmor-path_resize.diff
+# apparmor-d_path_flags.diff