Bump libapparmor's AA_LIB_REVISION in preparation for 2.8.1 release.

prepare for 2.8.1 release
Subject: profiles - adjust pulseaudio in abstraction
2025-08-31 14:25:52 +00:00 · 2013-01-09 16:23:51 -08:00 · 2013-01-09 15:36:12 -08:00 · 2013-01-09 15:15:59 -08:00 · 2013-01-08 12:51:07 -08:00 · 2013-01-04 15:06:47 -08:00
187 changed files with 12790 additions and 807 deletions
--- a/4
+++ b/4
@@ -7,12 +7,12 @@ include common/Make.rules
 DIRS=parser \
     profiles \
     utils \
-     changehat/libapparmor \
+     libraries/libapparmor \
     changehat/mod_apparmor \
     changehat/pam_apparmor \
     tests

-REPO_URL?=lp:apparmor
+REPO_URL?=lp:apparmor/2.8
 # alternate possibilities to export from
 #REPO_URL=.
 #REPO_URL="bzr+ssh://bazaar.launchpad.net/~sbeattie/+junk/apparmor-dev/"
--- a/14
+++ b/14
@@ -146,6 +146,20 @@ For details on structure and adding tests, see libraries/libapparmor/README.
 $ cd libraries/libapparmor
 $ make check

+Utils
+-----
+There are some simple tests available, including basic perl syntax
+checks for the perl modules and executables. There are also minimal
+checks on the python utilities and python-based tests in the test/
+subdirectory.
+$ cd utils
+$ make check
+
+The aa-decode utility to be tested can be overridden by
+setting up environment variable APPARMOR_DECODE; e.g.:
+
+$ APPARMOR_DECODE=/usr/bin/aa-decode make check
+
 Profile checks
 --------------
 A basic consistency check to ensure that the parser and aa-logprof parse
--- a/common/Make.rules
+++ b/common/Make.rules
@@ -27,6 +27,11 @@
 DISTRIBUTION=AppArmor
 VERSION=$(shell cat common/Version)

+AWK:=$(shell which awk)
+ifndef AWK
+$(error awk utility required for build but not available)
+endif
+
 # OVERRIDABLE variables
 # Set these variables before including Make.rules to change its behavior
 #   SPECFILE - for packages that have a non-standard specfile name
@@ -150,6 +155,40 @@ _clean:
 	-rm -f ${NAME}-${VERSION}-*.tar.gz
 	-rm -f ${MANPAGES} *.[0-9].gz ${HTMLMANPAGES} pod2htm*.tmp

+# =====================
+# generate list of capabilities based on
+# /usr/include/linux/capabilities.h for use in multiple locations in
+# the source tree
+# =====================
+
+# emits defined capabilities in a simple list, e.g. "CAP_NAME CAP_NAME2"
+CAPABILITIES=$(shell echo "\#include <linux/capability.h>" | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | sort)
+
+.PHONY: list_capabilities
+list_capabilities: /usr/include/linux/capability.h
+	@echo "$(CAPABILITIES)"
+
+# =====================
+# generate list of network protocols based on
+# sys/socket.h for use in multiple locations in
+# the source tree
+# =====================
+
+# These are the families that it doesn't make sense for apparmor
+# to mediate. We use PF_ here since that is what is required in
+# bits/socket.h, but we will rewrite these as AF_.
+
+FILTER_FAMILIES=PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK
+
+__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
+
+# emits the AF names in a "AF_NAME NUMBER," pattern
+AF_NAMES=$(shell echo "\#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2)
+
+.PHONY: list_af_names
+list_af_names:
+	@echo "$(AF_NAMES)"
+
 # =====================
 # manpages
 # =====================
@@ -172,29 +211,8 @@ install_manpages: $(MANPAGES)

 MAN_RELEASE="AppArmor ${VERSION}"

-%.1: %.pod
-	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=1 > $@
-
-%.2: %.pod
-	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=2 > $@
-
-%.3: %.pod
-	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=3 > $@
-
-%.4: %.pod
-	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=4 > $@
-
-%.5: %.pod
-	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=5 > $@
-
-%.6: %.pod
-	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=6 > $@
-
-%.7: %.pod
-	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=7 > $@
-
-%.8: %.pod
-	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=8 > $@
+%.1 %.2 %.3 %.4 %.5 %.6 %.7 %.8: %.pod
+	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --stderr --section=$(subst .,,$(suffix $@)) > $@

 %.1.html: %.pod
 	$(POD2HTML) --header --css apparmor.css --infile=$< --outfile=$@
--- a/common/Version
+++ b/common/Version
@@ -1 +1 @@
-2.7.99
+2.8.1
--- a/kernel-patches/3.2/0001-AppArmor-compatibility-patch-for-v5-network-controll.patch
+++ b/kernel-patches/3.2/0001-AppArmor-compatibility-patch-for-v5-network-controll.patch
@@ -0,0 +1,553 @@
+From 125fccb600288968aa3395883c0a394c47176fcd Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 10 Aug 2011 22:02:39 -0700
+Subject: [PATCH 1/3] AppArmor: compatibility patch for v5 network controll
+
+Add compatibility for v5 network rules.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ include/linux/lsm_audit.h          |    4 +
+ security/apparmor/Makefile         |   19 +++-
+ security/apparmor/include/net.h    |   40 +++++++++
+ security/apparmor/include/policy.h |    3 +
+ security/apparmor/lsm.c            |  112 ++++++++++++++++++++++++
+ security/apparmor/net.c            |  170 ++++++++++++++++++++++++++++++++++++
+ security/apparmor/policy.c         |    1 +
+ security/apparmor/policy_unpack.c  |   48 +++++++++-
+ 8 files changed, 394 insertions(+), 3 deletions(-)
+ create mode 100644 security/apparmor/include/net.h
+ create mode 100644 security/apparmor/net.c
+
+diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
+index 88e78de..c63979a 100644
+--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
+@@ -124,6 +124,10 @@ struct common_audit_data {
+ 					u32 denied;
+ 					uid_t ouid;
+ 				} fs;
+				struct {
+					int type, protocol;
+					struct sock *sk;
+				} net;
+ 			};
+ 		} apparmor_audit_data;
+ #endif
+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
+index 2dafe50..7cefef9 100644
+--- a/security/apparmor/Makefile
+++ b/security/apparmor/Makefile
+@@ -4,9 +4,9 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+ 
+ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
+-              resource.o sid.o file.o
+              resource.o sid.o file.o net.o
+ 
+-clean-files := capability_names.h rlim_names.h
+clean-files := capability_names.h rlim_names.h af_names.h
+ 
+ 
+ # Build a lower case string table of capability names
+@@ -44,9 +44,24 @@ cmd_make-rlim = echo "static const char *rlim_names[] = {" > $@ ;\
+ 	sed -r -n "s/^\# ?define[ \t]+(RLIMIT_[A-Z0-9_]+).*/\1,/p" $< >> $@ ;\
+ 	echo "};" >> $@
+ 
+# Build a lower case string table of address family names.
+# Transform lines from
+# #define AF_INET		2	/* Internet IP Protocol 	*/
+# to
+# [2] = "inet",
+quiet_cmd_make-af = GEN     $@
+cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\
+	sed $< >> $@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e \
+	  's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+).*/[\2] = "\L\1",/p';\
+	echo "};" >> $@
+
+
+ $(obj)/capability.o : $(obj)/capability_names.h
+ $(obj)/resource.o : $(obj)/rlim_names.h
+$(obj)/net.o : $(obj)/af_names.h
+ $(obj)/capability_names.h : $(srctree)/include/linux/capability.h
+ 	$(call cmd,make-caps)
+ $(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h
+ 	$(call cmd,make-rlim)
+$(obj)/af_names.h : $(srctree)/include/linux/socket.h
+	$(call cmd,make-af)
+\ No newline at end of file
+diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
+new file mode 100644
+index 0000000..3c7d599
+--- /dev/null
+++ b/security/apparmor/include/net.h
+@@ -0,0 +1,40 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor network mediation definitions.
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#ifndef __AA_NET_H
+#define __AA_NET_H
+
+#include <net/sock.h>
+
+/* struct aa_net - network confinement data
+ * @allowed: basic network families permissions
+ * @audit_network: which network permissions to force audit
+ * @quiet_network: which network permissions to quiet rejects
+ */
+struct aa_net {
+	u16 allow[AF_MAX];
+	u16 audit[AF_MAX];
+	u16 quiet[AF_MAX];
+};
+
+extern int aa_net_perm(int op, struct aa_profile *profile, u16 family,
+		       int type, int protocol, struct sock *sk);
+extern int aa_revalidate_sk(int op, struct sock *sk);
+
+static inline void aa_free_net_rules(struct aa_net *new)
+{
+	/* NOP */
+}
+
+#endif /* __AA_NET_H */
+diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
+index aeda5cf..6776929 100644
+--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
+@@ -27,6 +27,7 @@
+ #include "capability.h"
+ #include "domain.h"
+ #include "file.h"
+#include "net.h"
+ #include "resource.h"
+ 
+ extern const char *profile_mode_names[];
+@@ -145,6 +146,7 @@ struct aa_namespace {
+  * @size: the memory consumed by this profiles rules
+  * @file: The set of rules governing basic file access and domain transitions
+  * @caps: capabilities for the profile
+ * @net: network controls for the profile
+  * @rlimits: rlimits for the profile
+  *
+  * The AppArmor profile contains the basic confinement data.  Each profile
+@@ -181,6 +183,7 @@ struct aa_profile {
+ 
+ 	struct aa_file_rules file;
+ 	struct aa_caps caps;
+	struct aa_net net;
+ 	struct aa_rlimit rlimits;
+ };
+ 
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index 3783202..7459547 100644
+--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
+@@ -32,6 +32,7 @@
+ #include "include/context.h"
+ #include "include/file.h"
+ #include "include/ipc.h"
+#include "include/net.h"
+ #include "include/path.h"
+ #include "include/policy.h"
+ #include "include/procattr.h"
+@@ -621,6 +622,104 @@ static int apparmor_task_setrlimit(struct task_struct *task,
+ 	return error;
+ }
+ 
+static int apparmor_socket_create(int family, int type, int protocol, int kern)
+{
+	struct aa_profile *profile;
+	int error = 0;
+
+	if (kern)
+		return 0;
+
+	profile = __aa_current_profile();
+	if (!unconfined(profile))
+		error = aa_net_perm(OP_CREATE, profile, family, type, protocol,
+				    NULL);
+	return error;
+}
+
+static int apparmor_socket_bind(struct socket *sock,
+				struct sockaddr *address, int addrlen)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_BIND, sk);
+}
+
+static int apparmor_socket_connect(struct socket *sock,
+				   struct sockaddr *address, int addrlen)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_CONNECT, sk);
+}
+
+static int apparmor_socket_listen(struct socket *sock, int backlog)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_LISTEN, sk);
+}
+
+static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_ACCEPT, sk);
+}
+
+static int apparmor_socket_sendmsg(struct socket *sock,
+				   struct msghdr *msg, int size)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_SENDMSG, sk);
+}
+
+static int apparmor_socket_recvmsg(struct socket *sock,
+				   struct msghdr *msg, int size, int flags)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_RECVMSG, sk);
+}
+
+static int apparmor_socket_getsockname(struct socket *sock)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_GETSOCKNAME, sk);
+}
+
+static int apparmor_socket_getpeername(struct socket *sock)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_GETPEERNAME, sk);
+}
+
+static int apparmor_socket_getsockopt(struct socket *sock, int level,
+				      int optname)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_GETSOCKOPT, sk);
+}
+
+static int apparmor_socket_setsockopt(struct socket *sock, int level,
+				      int optname)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_SETSOCKOPT, sk);
+}
+
+static int apparmor_socket_shutdown(struct socket *sock, int how)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
+}
+
+ static struct security_operations apparmor_ops = {
+ 	.name =				"apparmor",
+ 
+@@ -652,6 +751,19 @@ static struct security_operations apparmor_ops = {
+ 	.getprocattr =			apparmor_getprocattr,
+ 	.setprocattr =			apparmor_setprocattr,
+ 
+	.socket_create =		apparmor_socket_create,
+	.socket_bind =			apparmor_socket_bind,
+	.socket_connect =		apparmor_socket_connect,
+	.socket_listen =		apparmor_socket_listen,
+	.socket_accept =		apparmor_socket_accept,
+	.socket_sendmsg =		apparmor_socket_sendmsg,
+	.socket_recvmsg =		apparmor_socket_recvmsg,
+	.socket_getsockname =		apparmor_socket_getsockname,
+	.socket_getpeername =		apparmor_socket_getpeername,
+	.socket_getsockopt =		apparmor_socket_getsockopt,
+	.socket_setsockopt =		apparmor_socket_setsockopt,
+	.socket_shutdown =		apparmor_socket_shutdown,
+
+ 	.cred_alloc_blank =		apparmor_cred_alloc_blank,
+ 	.cred_free =			apparmor_cred_free,
+ 	.cred_prepare =			apparmor_cred_prepare,
+diff --git a/security/apparmor/net.c b/security/apparmor/net.c
+new file mode 100644
+index 0000000..1765901
+--- /dev/null
+++ b/security/apparmor/net.c
+@@ -0,0 +1,170 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor network mediation
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#include "include/apparmor.h"
+#include "include/audit.h"
+#include "include/context.h"
+#include "include/net.h"
+#include "include/policy.h"
+
+#include "af_names.h"
+
+static const char *sock_type_names[] = {
+	"unknown(0)",
+	"stream",
+	"dgram",
+	"raw",
+	"rdm",
+	"seqpacket",
+	"dccp",
+	"unknown(7)",
+	"unknown(8)",
+	"unknown(9)",
+	"packet",
+};
+
+/* audit callback for net specific fields */
+static void audit_cb(struct audit_buffer *ab, void *va)
+{
+	struct common_audit_data *sa = va;
+
+	audit_log_format(ab, " family=");
+	if (address_family_names[sa->u.net.family]) {
+		audit_log_string(ab, address_family_names[sa->u.net.family]);
+	} else {
+		audit_log_format(ab, " \"unknown(%d)\"", sa->u.net.family);
+	}
+
+	audit_log_format(ab, " sock_type=");
+	if (sock_type_names[sa->aad.net.type]) {
+		audit_log_string(ab, sock_type_names[sa->aad.net.type]);
+	} else {
+		audit_log_format(ab, "\"unknown(%d)\"", sa->aad.net.type);
+	}
+
+	audit_log_format(ab, " protocol=%d", sa->aad.net.protocol);
+}
+
+/**
+ * audit_net - audit network access
+ * @profile: profile being enforced  (NOT NULL)
+ * @op: operation being checked
+ * @family: network family
+ * @type:   network type
+ * @protocol: network protocol
+ * @sk: socket auditing is being applied to
+ * @error: error code for failure else 0
+ *
+ * Returns: %0 or sa->error else other errorcode on failure
+ */
+static int audit_net(struct aa_profile *profile, int op, u16 family, int type,
+		     int protocol, struct sock *sk, int error)
+{
+	int audit_type = AUDIT_APPARMOR_AUTO;
+	struct common_audit_data sa;
+	if (sk) {
+		COMMON_AUDIT_DATA_INIT(&sa, NET);
+	} else {
+		COMMON_AUDIT_DATA_INIT(&sa, NONE);
+	}
+	/* todo fill in socket addr info */
+
+	sa.aad.op = op,
+	sa.u.net.family = family;
+	sa.u.net.sk = sk;
+	sa.aad.net.type = type;
+	sa.aad.net.protocol = protocol;
+	sa.aad.error = error;
+
+	if (likely(!sa.aad.error)) {
+		u16 audit_mask = profile->net.audit[sa.u.net.family];
+		if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
+			   !(1 << sa.aad.net.type & audit_mask)))
+			return 0;
+		audit_type = AUDIT_APPARMOR_AUDIT;
+	} else {
+		u16 quiet_mask = profile->net.quiet[sa.u.net.family];
+		u16 kill_mask = 0;
+		u16 denied = (1 << sa.aad.net.type) & ~quiet_mask;
+
+		if (denied & kill_mask)
+			audit_type = AUDIT_APPARMOR_KILL;
+
+		if ((denied & quiet_mask) &&
+		    AUDIT_MODE(profile) != AUDIT_NOQUIET &&
+		    AUDIT_MODE(profile) != AUDIT_ALL)
+			return COMPLAIN_MODE(profile) ? 0 : sa.aad.error;
+	}
+
+	return aa_audit(audit_type, profile, GFP_KERNEL, &sa, audit_cb);
+}
+
+/**
+ * aa_net_perm - very course network access check
+ * @op: operation being checked
+ * @profile: profile being enforced  (NOT NULL)
+ * @family: network family
+ * @type:   network type
+ * @protocol: network protocol
+ *
+ * Returns: %0 else error if permission denied
+ */
+int aa_net_perm(int op, struct aa_profile *profile, u16 family, int type,
+		int protocol, struct sock *sk)
+{
+	u16 family_mask;
+	int error;
+
+	if ((family < 0) || (family >= AF_MAX))
+		return -EINVAL;
+
+	if ((type < 0) || (type >= SOCK_MAX))
+		return -EINVAL;
+
+	/* unix domain and netlink sockets are handled by ipc */
+	if (family == AF_UNIX || family == AF_NETLINK)
+		return 0;
+
+	family_mask = profile->net.allow[family];
+
+	error = (family_mask & (1 << type)) ? 0 : -EACCES;
+
+	return audit_net(profile, op, family, type, protocol, sk, error);
+}
+
+/**
+ * aa_revalidate_sk - Revalidate access to a sock
+ * @op: operation being checked
+ * @sk: sock being revalidated  (NOT NULL)
+ *
+ * Returns: %0 else error if permission denied
+ */
+int aa_revalidate_sk(int op, struct sock *sk)
+{
+	struct aa_profile *profile;
+	int error = 0;
+
+	/* aa_revalidate_sk should not be called from interrupt context
+	 * don't mediate these calls as they are not task related
+	 */
+	if (in_interrupt())
+		return 0;
+
+	profile = __aa_current_profile();
+	if (!unconfined(profile))
+		error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type,
+				    sk->sk_protocol, sk);
+
+	return error;
+}
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index 4f0eade..4d5ce13 100644
+--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
+@@ -745,6 +745,7 @@ static void free_profile(struct aa_profile *profile)
+ 
+ 	aa_free_file_rules(&profile->file);
+ 	aa_free_cap_rules(&profile->caps);
+	aa_free_net_rules(&profile->net);
+ 	aa_free_rlimit_rules(&profile->rlimits);
+ 
+ 	aa_free_sid(profile->sid);
+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
+index 741dd13..ee8043e 100644
+--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
+@@ -190,6 +190,19 @@ fail:
+ 	return 0;
+ }
+ 
+static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name)
+{
+	if (unpack_nameX(e, AA_U16, name)) {
+		if (!inbounds(e, sizeof(u16)))
+			return 0;
+		if (data)
+			*data = le16_to_cpu(get_unaligned((u16 *) e->pos));
+		e->pos += sizeof(u16);
+		return 1;
+	}
+	return 0;
+}
+
+ static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
+ {
+ 	if (unpack_nameX(e, AA_U32, name)) {
+@@ -468,7 +481,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ {
+ 	struct aa_profile *profile = NULL;
+ 	const char *name = NULL;
+-	int error = -EPROTO;
+	size_t size = 0;
+	int i, error = -EPROTO;
+ 	kernel_cap_t tmpcap;
+ 	u32 tmp;
+ 
+@@ -559,6 +573,38 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ 	if (!unpack_rlimits(e, profile))
+ 		goto fail;
+ 
+	size = unpack_array(e, "net_allowed_af");
+	if (size) {
+
+		for (i = 0; i < size; i++) {
+			/* discard extraneous rules that this kernel will
+			 * never request
+			 */
+			if (i >= AF_MAX) {
+				u16 tmp;
+				if (!unpack_u16(e, &tmp, NULL) ||
+				    !unpack_u16(e, &tmp, NULL) ||
+				    !unpack_u16(e, &tmp, NULL))
+					goto fail;
+				continue;
+			}
+			if (!unpack_u16(e, &profile->net.allow[i], NULL))
+				goto fail;
+			if (!unpack_u16(e, &profile->net.audit[i], NULL))
+				goto fail;
+			if (!unpack_u16(e, &profile->net.quiet[i], NULL))
+				goto fail;
+		}
+		if (!unpack_nameX(e, AA_ARRAYEND, NULL))
+			goto fail;
+		/*
+		 * allow unix domain and netlink sockets they are handled
+		 * by IPC
+		 */
+	}
+	profile->net.allow[AF_UNIX] = 0xffff;
+	profile->net.allow[AF_NETLINK] = 0xffff;
+
+ 	/* get file rules */
+ 	profile->file.dfa = unpack_dfa(e);
+ 	if (IS_ERR(profile->file.dfa)) {
+-- 
+1.7.9.5
+
--- a/kernel-patches/3.2/0002-AppArmor-compatibility-patch-for-v5-interface.patch
+++ b/kernel-patches/3.2/0002-AppArmor-compatibility-patch-for-v5-interface.patch
@@ -0,0 +1,391 @@
+From 004192fb5223c7b81a949e36a080a5da56132826 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 10 Aug 2011 22:02:40 -0700
+Subject: [PATCH 2/3] AppArmor: compatibility patch for v5 interface
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ security/apparmor/Kconfig              |    9 +
+ security/apparmor/Makefile             |    1 +
+ security/apparmor/apparmorfs-24.c      |  287 ++++++++++++++++++++++++++++++++
+ security/apparmor/apparmorfs.c         |   18 +-
+ security/apparmor/include/apparmorfs.h |    6 +
+ 5 files changed, 319 insertions(+), 2 deletions(-)
+ create mode 100644 security/apparmor/apparmorfs-24.c
+
+diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
+index 9b9013b..51ebf96 100644
+--- a/security/apparmor/Kconfig
+++ b/security/apparmor/Kconfig
+@@ -29,3 +29,12 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE
+ 	  boot.
+ 
+ 	  If you are unsure how to answer this question, answer 1.
+
+config SECURITY_APPARMOR_COMPAT_24
+	bool "Enable AppArmor 2.4 compatability"
+	depends on SECURITY_APPARMOR
+	default y
+	help
+	  This option enables compatability with AppArmor 2.4.  It is
+          recommended if compatability with older versions of AppArmor
+          is desired.
+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
+index 7cefef9..0bb604b 100644
+--- a/security/apparmor/Makefile
+++ b/security/apparmor/Makefile
+@@ -5,6 +5,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
+               resource.o sid.o file.o net.o
+apparmor-$(CONFIG_SECURITY_APPARMOR_COMPAT_24) += apparmorfs-24.o
+ 
+ clean-files := capability_names.h rlim_names.h af_names.h
+ 
+diff --git a/security/apparmor/apparmorfs-24.c b/security/apparmor/apparmorfs-24.c
+new file mode 100644
+index 0000000..dc8c744
+--- /dev/null
+++ b/security/apparmor/apparmorfs-24.c
+@@ -0,0 +1,287 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor /sys/kernel/secrutiy/apparmor interface functions
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ *
+ * This file contain functions providing an interface for <= AppArmor 2.4
+ * compatibility.  It is dependent on CONFIG_SECURITY_APPARMOR_COMPAT_24
+ * being set (see Makefile).
+ */
+
+#include <linux/security.h>
+#include <linux/vmalloc.h>
+#include <linux/module.h>
+#include <linux/seq_file.h>
+#include <linux/uaccess.h>
+#include <linux/namei.h>
+
+#include "include/apparmor.h"
+#include "include/audit.h"
+#include "include/context.h"
+#include "include/policy.h"
+
+
+/* apparmor/matching */
+static ssize_t aa_matching_read(struct file *file, char __user *buf,
+				size_t size, loff_t *ppos)
+{
+	const char matching[] = "pattern=aadfa audit perms=crwxamlk/ "
+	    "user::other";
+
+	return simple_read_from_buffer(buf, size, ppos, matching,
+				       sizeof(matching) - 1);
+}
+
+const struct file_operations aa_fs_matching_fops = {
+	.read = aa_matching_read,
+};
+
+/* apparmor/features */
+static ssize_t aa_features_read(struct file *file, char __user *buf,
+				size_t size, loff_t *ppos)
+{
+	const char features[] = "file=3.1 capability=2.0 network=1.0 "
+	    "change_hat=1.5 change_profile=1.1 " "aanamespaces=1.1 rlimit=1.1";
+
+	return simple_read_from_buffer(buf, size, ppos, features,
+				       sizeof(features) - 1);
+}
+
+const struct file_operations aa_fs_features_fops = {
+	.read = aa_features_read,
+};
+
+/**
+ * __next_namespace - find the next namespace to list
+ * @root: root namespace to stop search at (NOT NULL)
+ * @ns: current ns position (NOT NULL)
+ *
+ * Find the next namespace from @ns under @root and handle all locking needed
+ * while switching current namespace.
+ *
+ * Returns: next namespace or NULL if at last namespace under @root
+ * NOTE: will not unlock root->lock
+ */
+static struct aa_namespace *__next_namespace(struct aa_namespace *root,
+					     struct aa_namespace *ns)
+{
+	struct aa_namespace *parent;
+
+	/* is next namespace a child */
+	if (!list_empty(&ns->sub_ns)) {
+		struct aa_namespace *next;
+		next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
+		read_lock(&next->lock);
+		return next;
+	}
+
+	/* check if the next ns is a sibling, parent, gp, .. */
+	parent = ns->parent;
+	while (parent) {
+		read_unlock(&ns->lock);
+		list_for_each_entry_continue(ns, &parent->sub_ns, base.list) {
+			read_lock(&ns->lock);
+			return ns;
+		}
+		if (parent == root)
+			return NULL;
+		ns = parent;
+		parent = parent->parent;
+	}
+
+	return NULL;
+}
+
+/**
+ * __first_profile - find the first profile in a namespace
+ * @root: namespace that is root of profiles being displayed (NOT NULL)
+ * @ns: namespace to start in   (NOT NULL)
+ *
+ * Returns: unrefcounted profile or NULL if no profile
+ */
+static struct aa_profile *__first_profile(struct aa_namespace *root,
+					  struct aa_namespace *ns)
+{
+	for ( ; ns; ns = __next_namespace(root, ns)) {
+		if (!list_empty(&ns->base.profiles))
+			return list_first_entry(&ns->base.profiles,
+						struct aa_profile, base.list);
+	}
+	return NULL;
+}
+
+/**
+ * __next_profile - step to the next profile in a profile tree
+ * @profile: current profile in tree (NOT NULL)
+ *
+ * Perform a depth first taversal on the profile tree in a namespace
+ *
+ * Returns: next profile or NULL if done
+ * Requires: profile->ns.lock to be held
+ */
+static struct aa_profile *__next_profile(struct aa_profile *p)
+{
+	struct aa_profile *parent;
+	struct aa_namespace *ns = p->ns;
+
+	/* is next profile a child */
+	if (!list_empty(&p->base.profiles))
+		return list_first_entry(&p->base.profiles, typeof(*p),
+					base.list);
+
+	/* is next profile a sibling, parent sibling, gp, subling, .. */
+	parent = p->parent;
+	while (parent) {
+		list_for_each_entry_continue(p, &parent->base.profiles,
+					     base.list)
+				return p;
+		p = parent;
+		parent = parent->parent;
+	}
+
+	/* is next another profile in the namespace */
+	list_for_each_entry_continue(p, &ns->base.profiles, base.list)
+		return p;
+
+	return NULL;
+}
+
+/**
+ * next_profile - step to the next profile in where ever it may be
+ * @root: root namespace  (NOT NULL)
+ * @profile: current profile  (NOT NULL)
+ *
+ * Returns: next profile or NULL if there isn't one
+ */
+static struct aa_profile *next_profile(struct aa_namespace *root,
+				       struct aa_profile *profile)
+{
+	struct aa_profile *next = __next_profile(profile);
+	if (next)
+		return next;
+
+	/* finished all profiles in namespace move to next namespace */
+	return __first_profile(root, __next_namespace(root, profile->ns));
+}
+
+/**
+ * p_start - start a depth first traversal of profile tree
+ * @f: seq_file to fill
+ * @pos: current position
+ *
+ * Returns: first profile under current namespace or NULL if none found
+ *
+ * acquires first ns->lock
+ */
+static void *p_start(struct seq_file *f, loff_t *pos)
+	__acquires(root->lock)
+{
+	struct aa_profile *profile = NULL;
+	struct aa_namespace *root = aa_current_profile()->ns;
+	loff_t l = *pos;
+	f->private = aa_get_namespace(root);
+
+
+	/* find the first profile */
+	read_lock(&root->lock);
+	profile = __first_profile(root, root);
+
+	/* skip to position */
+	for (; profile && l > 0; l--)
+		profile = next_profile(root, profile);
+
+	return profile;
+}
+
+/**
+ * p_next - read the next profile entry
+ * @f: seq_file to fill
+ * @p: profile previously returned
+ * @pos: current position
+ *
+ * Returns: next profile after @p or NULL if none
+ *
+ * may acquire/release locks in namespace tree as necessary
+ */
+static void *p_next(struct seq_file *f, void *p, loff_t *pos)
+{
+	struct aa_profile *profile = p;
+	struct aa_namespace *root = f->private;
+	(*pos)++;
+
+	return next_profile(root, profile);
+}
+
+/**
+ * p_stop - stop depth first traversal
+ * @f: seq_file we are filling
+ * @p: the last profile writen
+ *
+ * Release all locking done by p_start/p_next on namespace tree
+ */
+static void p_stop(struct seq_file *f, void *p)
+	__releases(root->lock)
+{
+	struct aa_profile *profile = p;
+	struct aa_namespace *root = f->private, *ns;
+
+	if (profile) {
+		for (ns = profile->ns; ns && ns != root; ns = ns->parent)
+			read_unlock(&ns->lock);
+	}
+	read_unlock(&root->lock);
+	aa_put_namespace(root);
+}
+
+/**
+ * seq_show_profile - show a profile entry
+ * @f: seq_file to file
+ * @p: current position (profile)    (NOT NULL)
+ *
+ * Returns: error on failure
+ */
+static int seq_show_profile(struct seq_file *f, void *p)
+{
+	struct aa_profile *profile = (struct aa_profile *)p;
+	struct aa_namespace *root = f->private;
+
+	if (profile->ns != root)
+		seq_printf(f, ":%s://", aa_ns_name(root, profile->ns));
+	seq_printf(f, "%s (%s)\n", profile->base.hname,
+		   COMPLAIN_MODE(profile) ? "complain" : "enforce");
+
+	return 0;
+}
+
+static const struct seq_operations aa_fs_profiles_op = {
+	.start = p_start,
+	.next = p_next,
+	.stop = p_stop,
+	.show = seq_show_profile,
+};
+
+static int profiles_open(struct inode *inode, struct file *file)
+{
+	return seq_open(file, &aa_fs_profiles_op);
+}
+
+static int profiles_release(struct inode *inode, struct file *file)
+{
+	return seq_release(inode, file);
+}
+
+const struct file_operations aa_fs_profiles_fops = {
+	.open = profiles_open,
+	.read = seq_read,
+	.llseek = seq_lseek,
+	.release = profiles_release,
+};
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 69ddb47..867995c 100644
+--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
+@@ -187,7 +187,11 @@ void __init aa_destroy_aafs(void)
+ 		aafs_remove(".remove");
+ 		aafs_remove(".replace");
+ 		aafs_remove(".load");
+-
+#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
+		aafs_remove("profiles");
+		aafs_remove("matching");
+		aafs_remove("features");
+#endif
+ 		securityfs_remove(aa_fs_dentry);
+ 		aa_fs_dentry = NULL;
+ 	}
+@@ -218,7 +222,17 @@ static int __init aa_create_aafs(void)
+ 		aa_fs_dentry = NULL;
+ 		goto error;
+ 	}
+-
+#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
+	error = aafs_create("matching", 0444, &aa_fs_matching_fops);
+	if (error)
+		goto error;
+	error = aafs_create("features", 0444, &aa_fs_features_fops);
+	if (error)
+		goto error;
+#endif
+	error = aafs_create("profiles", 0440, &aa_fs_profiles_fops);
+	if (error)
+		goto error;
+ 	error = aafs_create(".load", 0640, &aa_fs_profile_load);
+ 	if (error)
+ 		goto error;
+diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/include/apparmorfs.h
+index cb1e93a..14f955c 100644
+--- a/security/apparmor/include/apparmorfs.h
+++ b/security/apparmor/include/apparmorfs.h
+@@ -17,4 +17,10 @@
+ 
+ extern void __init aa_destroy_aafs(void);
+ 
+#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
+extern const struct file_operations aa_fs_matching_fops;
+extern const struct file_operations aa_fs_features_fops;
+extern const struct file_operations aa_fs_profiles_fops;
+#endif
+
+ #endif /* __AA_APPARMORFS_H */
+-- 
+1.7.9.5
+
--- a/kernel-patches/3.2/0003-AppArmor-Allow-dfa-backward-compatibility-with-broke.patch
+++ b/kernel-patches/3.2/0003-AppArmor-Allow-dfa-backward-compatibility-with-broke.patch
@@ -0,0 +1,69 @@
+From e5d90918aa31f948ecec2f3c088567dbab30c90b Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 10 Aug 2011 22:02:41 -0700
+Subject: [PATCH 3/3] AppArmor: Allow dfa backward compatibility with broken
+ userspace
+
+The apparmor_parser when compiling policy could generate invalid dfas
+that did not have sufficient padding to avoid invalid references, when
+used by the kernel.  The kernels check to verify the next/check table
+size was broken meaning invalid dfas were being created by userspace
+and not caught.
+
+To remain compatible with old tools that are not fixed, pad the loaded
+dfas next/check table.  The dfa's themselves are valid except for the
+high padding for potentially invalid transitions (high bounds error),
+which have a maximimum is 256 entries.  So just allocate an extra null filled
+256 entries for the next/check tables.  This will guarentee all bounds
+are good and invalid transitions go to the null (0) state.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ security/apparmor/match.c |   17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/security/apparmor/match.c b/security/apparmor/match.c
+index 94de6b4..081491e 100644
+--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
+@@ -57,8 +57,17 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
+ 	if (bsize < tsize)
+ 		goto out;
+ 
+	/* Pad table allocation for next/check by 256 entries to remain
+	 * backwards compatible with old (buggy) tools and remain safe without
+	 * run time checks
+	 */
+	if (th.td_id == YYTD_ID_NXT || th.td_id == YYTD_ID_CHK)
+		tsize += 256 * th.td_flags;
+
+ 	table = kvmalloc(tsize);
+ 	if (table) {
+		/* ensure the pad is clear, else there will be errors */
+		memset(table, 0, tsize);
+ 		*table = th;
+ 		if (th.td_flags == YYTD_DATA8)
+ 			UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
+@@ -134,11 +143,19 @@ static int verify_dfa(struct aa_dfa *dfa, int flags)
+ 		goto out;
+ 
+ 	if (flags & DFA_FLAG_VERIFY_STATES) {
+		int warning = 0;
+ 		for (i = 0; i < state_count; i++) {
+ 			if (DEFAULT_TABLE(dfa)[i] >= state_count)
+ 				goto out;
+ 			/* TODO: do check that DEF state recursion terminates */
+ 			if (BASE_TABLE(dfa)[i] + 255 >= trans_count) {
+				if (warning)
+					continue;
+				printk(KERN_WARNING "AppArmor DFA next/check "
+				       "upper bounds error fixed, upgrade "
+				       "user space tools \n");
+				warning = 1;
+			} else if (BASE_TABLE(dfa)[i] >= trans_count) {
+ 				printk(KERN_ERR "AppArmor DFA next/check upper "
+ 				       "bounds error\n");
+ 				goto out;
+-- 
+1.7.9.5
+
--- a/kernel-patches/3.3/0001-AppArmor-compatibility-patch-for-v5-network-controll.patch
+++ b/kernel-patches/3.3/0001-AppArmor-compatibility-patch-for-v5-network-controll.patch
@@ -0,0 +1,553 @@
+From 1023c7c2f9d9c5707147479104312c4c3d1a2c2b Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 10 Aug 2011 22:02:39 -0700
+Subject: [PATCH 1/3] AppArmor: compatibility patch for v5 network controll
+
+Add compatibility for v5 network rules.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ include/linux/lsm_audit.h          |    4 +
+ security/apparmor/Makefile         |   19 +++-
+ security/apparmor/include/net.h    |   40 +++++++++
+ security/apparmor/include/policy.h |    3 +
+ security/apparmor/lsm.c            |  112 ++++++++++++++++++++++++
+ security/apparmor/net.c            |  170 ++++++++++++++++++++++++++++++++++++
+ security/apparmor/policy.c         |    1 +
+ security/apparmor/policy_unpack.c  |   48 +++++++++-
+ 8 files changed, 394 insertions(+), 3 deletions(-)
+ create mode 100644 security/apparmor/include/net.h
+ create mode 100644 security/apparmor/net.c
+
+diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
+index 88e78de..c63979a 100644
+--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
+@@ -124,6 +124,10 @@ struct common_audit_data {
+ 					u32 denied;
+ 					uid_t ouid;
+ 				} fs;
+				struct {
+					int type, protocol;
+					struct sock *sk;
+				} net;
+ 			};
+ 		} apparmor_audit_data;
+ #endif
+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
+index 2dafe50..7cefef9 100644
+--- a/security/apparmor/Makefile
+++ b/security/apparmor/Makefile
+@@ -4,9 +4,9 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+ 
+ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
+-              resource.o sid.o file.o
+              resource.o sid.o file.o net.o
+ 
+-clean-files := capability_names.h rlim_names.h
+clean-files := capability_names.h rlim_names.h af_names.h
+ 
+ 
+ # Build a lower case string table of capability names
+@@ -44,9 +44,24 @@ cmd_make-rlim = echo "static const char *rlim_names[] = {" > $@ ;\
+ 	sed -r -n "s/^\# ?define[ \t]+(RLIMIT_[A-Z0-9_]+).*/\1,/p" $< >> $@ ;\
+ 	echo "};" >> $@
+ 
+# Build a lower case string table of address family names.
+# Transform lines from
+# #define AF_INET		2	/* Internet IP Protocol 	*/
+# to
+# [2] = "inet",
+quiet_cmd_make-af = GEN     $@
+cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\
+	sed $< >> $@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e \
+	  's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+).*/[\2] = "\L\1",/p';\
+	echo "};" >> $@
+
+
+ $(obj)/capability.o : $(obj)/capability_names.h
+ $(obj)/resource.o : $(obj)/rlim_names.h
+$(obj)/net.o : $(obj)/af_names.h
+ $(obj)/capability_names.h : $(srctree)/include/linux/capability.h
+ 	$(call cmd,make-caps)
+ $(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h
+ 	$(call cmd,make-rlim)
+$(obj)/af_names.h : $(srctree)/include/linux/socket.h
+	$(call cmd,make-af)
+\ No newline at end of file
+diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
+new file mode 100644
+index 0000000..3c7d599
+--- /dev/null
+++ b/security/apparmor/include/net.h
+@@ -0,0 +1,40 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor network mediation definitions.
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#ifndef __AA_NET_H
+#define __AA_NET_H
+
+#include <net/sock.h>
+
+/* struct aa_net - network confinement data
+ * @allowed: basic network families permissions
+ * @audit_network: which network permissions to force audit
+ * @quiet_network: which network permissions to quiet rejects
+ */
+struct aa_net {
+	u16 allow[AF_MAX];
+	u16 audit[AF_MAX];
+	u16 quiet[AF_MAX];
+};
+
+extern int aa_net_perm(int op, struct aa_profile *profile, u16 family,
+		       int type, int protocol, struct sock *sk);
+extern int aa_revalidate_sk(int op, struct sock *sk);
+
+static inline void aa_free_net_rules(struct aa_net *new)
+{
+	/* NOP */
+}
+
+#endif /* __AA_NET_H */
+diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
+index aeda5cf..6776929 100644
+--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
+@@ -27,6 +27,7 @@
+ #include "capability.h"
+ #include "domain.h"
+ #include "file.h"
+#include "net.h"
+ #include "resource.h"
+ 
+ extern const char *profile_mode_names[];
+@@ -145,6 +146,7 @@ struct aa_namespace {
+  * @size: the memory consumed by this profiles rules
+  * @file: The set of rules governing basic file access and domain transitions
+  * @caps: capabilities for the profile
+ * @net: network controls for the profile
+  * @rlimits: rlimits for the profile
+  *
+  * The AppArmor profile contains the basic confinement data.  Each profile
+@@ -181,6 +183,7 @@ struct aa_profile {
+ 
+ 	struct aa_file_rules file;
+ 	struct aa_caps caps;
+	struct aa_net net;
+ 	struct aa_rlimit rlimits;
+ };
+ 
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index 97ce8fa..a54adbc 100644
+--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
+@@ -32,6 +32,7 @@
+ #include "include/context.h"
+ #include "include/file.h"
+ #include "include/ipc.h"
+#include "include/net.h"
+ #include "include/path.h"
+ #include "include/policy.h"
+ #include "include/procattr.h"
+@@ -620,6 +621,104 @@ static int apparmor_task_setrlimit(struct task_struct *task,
+ 	return error;
+ }
+ 
+static int apparmor_socket_create(int family, int type, int protocol, int kern)
+{
+	struct aa_profile *profile;
+	int error = 0;
+
+	if (kern)
+		return 0;
+
+	profile = __aa_current_profile();
+	if (!unconfined(profile))
+		error = aa_net_perm(OP_CREATE, profile, family, type, protocol,
+				    NULL);
+	return error;
+}
+
+static int apparmor_socket_bind(struct socket *sock,
+				struct sockaddr *address, int addrlen)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_BIND, sk);
+}
+
+static int apparmor_socket_connect(struct socket *sock,
+				   struct sockaddr *address, int addrlen)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_CONNECT, sk);
+}
+
+static int apparmor_socket_listen(struct socket *sock, int backlog)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_LISTEN, sk);
+}
+
+static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_ACCEPT, sk);
+}
+
+static int apparmor_socket_sendmsg(struct socket *sock,
+				   struct msghdr *msg, int size)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_SENDMSG, sk);
+}
+
+static int apparmor_socket_recvmsg(struct socket *sock,
+				   struct msghdr *msg, int size, int flags)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_RECVMSG, sk);
+}
+
+static int apparmor_socket_getsockname(struct socket *sock)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_GETSOCKNAME, sk);
+}
+
+static int apparmor_socket_getpeername(struct socket *sock)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_GETPEERNAME, sk);
+}
+
+static int apparmor_socket_getsockopt(struct socket *sock, int level,
+				      int optname)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_GETSOCKOPT, sk);
+}
+
+static int apparmor_socket_setsockopt(struct socket *sock, int level,
+				      int optname)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_SETSOCKOPT, sk);
+}
+
+static int apparmor_socket_shutdown(struct socket *sock, int how)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
+}
+
+ static struct security_operations apparmor_ops = {
+ 	.name =				"apparmor",
+ 
+@@ -651,6 +750,19 @@ static struct security_operations apparmor_ops = {
+ 	.getprocattr =			apparmor_getprocattr,
+ 	.setprocattr =			apparmor_setprocattr,
+ 
+	.socket_create =		apparmor_socket_create,
+	.socket_bind =			apparmor_socket_bind,
+	.socket_connect =		apparmor_socket_connect,
+	.socket_listen =		apparmor_socket_listen,
+	.socket_accept =		apparmor_socket_accept,
+	.socket_sendmsg =		apparmor_socket_sendmsg,
+	.socket_recvmsg =		apparmor_socket_recvmsg,
+	.socket_getsockname =		apparmor_socket_getsockname,
+	.socket_getpeername =		apparmor_socket_getpeername,
+	.socket_getsockopt =		apparmor_socket_getsockopt,
+	.socket_setsockopt =		apparmor_socket_setsockopt,
+	.socket_shutdown =		apparmor_socket_shutdown,
+
+ 	.cred_alloc_blank =		apparmor_cred_alloc_blank,
+ 	.cred_free =			apparmor_cred_free,
+ 	.cred_prepare =			apparmor_cred_prepare,
+diff --git a/security/apparmor/net.c b/security/apparmor/net.c
+new file mode 100644
+index 0000000..1765901
+--- /dev/null
+++ b/security/apparmor/net.c
+@@ -0,0 +1,170 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor network mediation
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#include "include/apparmor.h"
+#include "include/audit.h"
+#include "include/context.h"
+#include "include/net.h"
+#include "include/policy.h"
+
+#include "af_names.h"
+
+static const char *sock_type_names[] = {
+	"unknown(0)",
+	"stream",
+	"dgram",
+	"raw",
+	"rdm",
+	"seqpacket",
+	"dccp",
+	"unknown(7)",
+	"unknown(8)",
+	"unknown(9)",
+	"packet",
+};
+
+/* audit callback for net specific fields */
+static void audit_cb(struct audit_buffer *ab, void *va)
+{
+	struct common_audit_data *sa = va;
+
+	audit_log_format(ab, " family=");
+	if (address_family_names[sa->u.net.family]) {
+		audit_log_string(ab, address_family_names[sa->u.net.family]);
+	} else {
+		audit_log_format(ab, " \"unknown(%d)\"", sa->u.net.family);
+	}
+
+	audit_log_format(ab, " sock_type=");
+	if (sock_type_names[sa->aad.net.type]) {
+		audit_log_string(ab, sock_type_names[sa->aad.net.type]);
+	} else {
+		audit_log_format(ab, "\"unknown(%d)\"", sa->aad.net.type);
+	}
+
+	audit_log_format(ab, " protocol=%d", sa->aad.net.protocol);
+}
+
+/**
+ * audit_net - audit network access
+ * @profile: profile being enforced  (NOT NULL)
+ * @op: operation being checked
+ * @family: network family
+ * @type:   network type
+ * @protocol: network protocol
+ * @sk: socket auditing is being applied to
+ * @error: error code for failure else 0
+ *
+ * Returns: %0 or sa->error else other errorcode on failure
+ */
+static int audit_net(struct aa_profile *profile, int op, u16 family, int type,
+		     int protocol, struct sock *sk, int error)
+{
+	int audit_type = AUDIT_APPARMOR_AUTO;
+	struct common_audit_data sa;
+	if (sk) {
+		COMMON_AUDIT_DATA_INIT(&sa, NET);
+	} else {
+		COMMON_AUDIT_DATA_INIT(&sa, NONE);
+	}
+	/* todo fill in socket addr info */
+
+	sa.aad.op = op,
+	sa.u.net.family = family;
+	sa.u.net.sk = sk;
+	sa.aad.net.type = type;
+	sa.aad.net.protocol = protocol;
+	sa.aad.error = error;
+
+	if (likely(!sa.aad.error)) {
+		u16 audit_mask = profile->net.audit[sa.u.net.family];
+		if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
+			   !(1 << sa.aad.net.type & audit_mask)))
+			return 0;
+		audit_type = AUDIT_APPARMOR_AUDIT;
+	} else {
+		u16 quiet_mask = profile->net.quiet[sa.u.net.family];
+		u16 kill_mask = 0;
+		u16 denied = (1 << sa.aad.net.type) & ~quiet_mask;
+
+		if (denied & kill_mask)
+			audit_type = AUDIT_APPARMOR_KILL;
+
+		if ((denied & quiet_mask) &&
+		    AUDIT_MODE(profile) != AUDIT_NOQUIET &&
+		    AUDIT_MODE(profile) != AUDIT_ALL)
+			return COMPLAIN_MODE(profile) ? 0 : sa.aad.error;
+	}
+
+	return aa_audit(audit_type, profile, GFP_KERNEL, &sa, audit_cb);
+}
+
+/**
+ * aa_net_perm - very course network access check
+ * @op: operation being checked
+ * @profile: profile being enforced  (NOT NULL)
+ * @family: network family
+ * @type:   network type
+ * @protocol: network protocol
+ *
+ * Returns: %0 else error if permission denied
+ */
+int aa_net_perm(int op, struct aa_profile *profile, u16 family, int type,
+		int protocol, struct sock *sk)
+{
+	u16 family_mask;
+	int error;
+
+	if ((family < 0) || (family >= AF_MAX))
+		return -EINVAL;
+
+	if ((type < 0) || (type >= SOCK_MAX))
+		return -EINVAL;
+
+	/* unix domain and netlink sockets are handled by ipc */
+	if (family == AF_UNIX || family == AF_NETLINK)
+		return 0;
+
+	family_mask = profile->net.allow[family];
+
+	error = (family_mask & (1 << type)) ? 0 : -EACCES;
+
+	return audit_net(profile, op, family, type, protocol, sk, error);
+}
+
+/**
+ * aa_revalidate_sk - Revalidate access to a sock
+ * @op: operation being checked
+ * @sk: sock being revalidated  (NOT NULL)
+ *
+ * Returns: %0 else error if permission denied
+ */
+int aa_revalidate_sk(int op, struct sock *sk)
+{
+	struct aa_profile *profile;
+	int error = 0;
+
+	/* aa_revalidate_sk should not be called from interrupt context
+	 * don't mediate these calls as they are not task related
+	 */
+	if (in_interrupt())
+		return 0;
+
+	profile = __aa_current_profile();
+	if (!unconfined(profile))
+		error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type,
+				    sk->sk_protocol, sk);
+
+	return error;
+}
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index 4f0eade..4d5ce13 100644
+--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
+@@ -745,6 +745,7 @@ static void free_profile(struct aa_profile *profile)
+ 
+ 	aa_free_file_rules(&profile->file);
+ 	aa_free_cap_rules(&profile->caps);
+	aa_free_net_rules(&profile->net);
+ 	aa_free_rlimit_rules(&profile->rlimits);
+ 
+ 	aa_free_sid(profile->sid);
+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
+index 741dd13..ee8043e 100644
+--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
+@@ -190,6 +190,19 @@ fail:
+ 	return 0;
+ }
+ 
+static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name)
+{
+	if (unpack_nameX(e, AA_U16, name)) {
+		if (!inbounds(e, sizeof(u16)))
+			return 0;
+		if (data)
+			*data = le16_to_cpu(get_unaligned((u16 *) e->pos));
+		e->pos += sizeof(u16);
+		return 1;
+	}
+	return 0;
+}
+
+ static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
+ {
+ 	if (unpack_nameX(e, AA_U32, name)) {
+@@ -468,7 +481,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ {
+ 	struct aa_profile *profile = NULL;
+ 	const char *name = NULL;
+-	int error = -EPROTO;
+	size_t size = 0;
+	int i, error = -EPROTO;
+ 	kernel_cap_t tmpcap;
+ 	u32 tmp;
+ 
+@@ -559,6 +573,38 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ 	if (!unpack_rlimits(e, profile))
+ 		goto fail;
+ 
+	size = unpack_array(e, "net_allowed_af");
+	if (size) {
+
+		for (i = 0; i < size; i++) {
+			/* discard extraneous rules that this kernel will
+			 * never request
+			 */
+			if (i >= AF_MAX) {
+				u16 tmp;
+				if (!unpack_u16(e, &tmp, NULL) ||
+				    !unpack_u16(e, &tmp, NULL) ||
+				    !unpack_u16(e, &tmp, NULL))
+					goto fail;
+				continue;
+			}
+			if (!unpack_u16(e, &profile->net.allow[i], NULL))
+				goto fail;
+			if (!unpack_u16(e, &profile->net.audit[i], NULL))
+				goto fail;
+			if (!unpack_u16(e, &profile->net.quiet[i], NULL))
+				goto fail;
+		}
+		if (!unpack_nameX(e, AA_ARRAYEND, NULL))
+			goto fail;
+		/*
+		 * allow unix domain and netlink sockets they are handled
+		 * by IPC
+		 */
+	}
+	profile->net.allow[AF_UNIX] = 0xffff;
+	profile->net.allow[AF_NETLINK] = 0xffff;
+
+ 	/* get file rules */
+ 	profile->file.dfa = unpack_dfa(e);
+ 	if (IS_ERR(profile->file.dfa)) {
+-- 
+1.7.9.5
+
--- a/kernel-patches/3.3/0002-AppArmor-compatibility-patch-for-v5-interface.patch
+++ b/kernel-patches/3.3/0002-AppArmor-compatibility-patch-for-v5-interface.patch
@@ -0,0 +1,391 @@
+From da1ce2265ebb70860b9c137a542e48b170e4606b Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 10 Aug 2011 22:02:40 -0700
+Subject: [PATCH 2/3] AppArmor: compatibility patch for v5 interface
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ security/apparmor/Kconfig              |    9 +
+ security/apparmor/Makefile             |    1 +
+ security/apparmor/apparmorfs-24.c      |  287 ++++++++++++++++++++++++++++++++
+ security/apparmor/apparmorfs.c         |   18 +-
+ security/apparmor/include/apparmorfs.h |    6 +
+ 5 files changed, 319 insertions(+), 2 deletions(-)
+ create mode 100644 security/apparmor/apparmorfs-24.c
+
+diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
+index 9b9013b..51ebf96 100644
+--- a/security/apparmor/Kconfig
+++ b/security/apparmor/Kconfig
+@@ -29,3 +29,12 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE
+ 	  boot.
+ 
+ 	  If you are unsure how to answer this question, answer 1.
+
+config SECURITY_APPARMOR_COMPAT_24
+	bool "Enable AppArmor 2.4 compatability"
+	depends on SECURITY_APPARMOR
+	default y
+	help
+	  This option enables compatability with AppArmor 2.4.  It is
+          recommended if compatability with older versions of AppArmor
+          is desired.
+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
+index 7cefef9..0bb604b 100644
+--- a/security/apparmor/Makefile
+++ b/security/apparmor/Makefile
+@@ -5,6 +5,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
+               resource.o sid.o file.o net.o
+apparmor-$(CONFIG_SECURITY_APPARMOR_COMPAT_24) += apparmorfs-24.o
+ 
+ clean-files := capability_names.h rlim_names.h af_names.h
+ 
+diff --git a/security/apparmor/apparmorfs-24.c b/security/apparmor/apparmorfs-24.c
+new file mode 100644
+index 0000000..dc8c744
+--- /dev/null
+++ b/security/apparmor/apparmorfs-24.c
+@@ -0,0 +1,287 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor /sys/kernel/secrutiy/apparmor interface functions
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ *
+ * This file contain functions providing an interface for <= AppArmor 2.4
+ * compatibility.  It is dependent on CONFIG_SECURITY_APPARMOR_COMPAT_24
+ * being set (see Makefile).
+ */
+
+#include <linux/security.h>
+#include <linux/vmalloc.h>
+#include <linux/module.h>
+#include <linux/seq_file.h>
+#include <linux/uaccess.h>
+#include <linux/namei.h>
+
+#include "include/apparmor.h"
+#include "include/audit.h"
+#include "include/context.h"
+#include "include/policy.h"
+
+
+/* apparmor/matching */
+static ssize_t aa_matching_read(struct file *file, char __user *buf,
+				size_t size, loff_t *ppos)
+{
+	const char matching[] = "pattern=aadfa audit perms=crwxamlk/ "
+	    "user::other";
+
+	return simple_read_from_buffer(buf, size, ppos, matching,
+				       sizeof(matching) - 1);
+}
+
+const struct file_operations aa_fs_matching_fops = {
+	.read = aa_matching_read,
+};
+
+/* apparmor/features */
+static ssize_t aa_features_read(struct file *file, char __user *buf,
+				size_t size, loff_t *ppos)
+{
+	const char features[] = "file=3.1 capability=2.0 network=1.0 "
+	    "change_hat=1.5 change_profile=1.1 " "aanamespaces=1.1 rlimit=1.1";
+
+	return simple_read_from_buffer(buf, size, ppos, features,
+				       sizeof(features) - 1);
+}
+
+const struct file_operations aa_fs_features_fops = {
+	.read = aa_features_read,
+};
+
+/**
+ * __next_namespace - find the next namespace to list
+ * @root: root namespace to stop search at (NOT NULL)
+ * @ns: current ns position (NOT NULL)
+ *
+ * Find the next namespace from @ns under @root and handle all locking needed
+ * while switching current namespace.
+ *
+ * Returns: next namespace or NULL if at last namespace under @root
+ * NOTE: will not unlock root->lock
+ */
+static struct aa_namespace *__next_namespace(struct aa_namespace *root,
+					     struct aa_namespace *ns)
+{
+	struct aa_namespace *parent;
+
+	/* is next namespace a child */
+	if (!list_empty(&ns->sub_ns)) {
+		struct aa_namespace *next;
+		next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
+		read_lock(&next->lock);
+		return next;
+	}
+
+	/* check if the next ns is a sibling, parent, gp, .. */
+	parent = ns->parent;
+	while (parent) {
+		read_unlock(&ns->lock);
+		list_for_each_entry_continue(ns, &parent->sub_ns, base.list) {
+			read_lock(&ns->lock);
+			return ns;
+		}
+		if (parent == root)
+			return NULL;
+		ns = parent;
+		parent = parent->parent;
+	}
+
+	return NULL;
+}
+
+/**
+ * __first_profile - find the first profile in a namespace
+ * @root: namespace that is root of profiles being displayed (NOT NULL)
+ * @ns: namespace to start in   (NOT NULL)
+ *
+ * Returns: unrefcounted profile or NULL if no profile
+ */
+static struct aa_profile *__first_profile(struct aa_namespace *root,
+					  struct aa_namespace *ns)
+{
+	for ( ; ns; ns = __next_namespace(root, ns)) {
+		if (!list_empty(&ns->base.profiles))
+			return list_first_entry(&ns->base.profiles,
+						struct aa_profile, base.list);
+	}
+	return NULL;
+}
+
+/**
+ * __next_profile - step to the next profile in a profile tree
+ * @profile: current profile in tree (NOT NULL)
+ *
+ * Perform a depth first taversal on the profile tree in a namespace
+ *
+ * Returns: next profile or NULL if done
+ * Requires: profile->ns.lock to be held
+ */
+static struct aa_profile *__next_profile(struct aa_profile *p)
+{
+	struct aa_profile *parent;
+	struct aa_namespace *ns = p->ns;
+
+	/* is next profile a child */
+	if (!list_empty(&p->base.profiles))
+		return list_first_entry(&p->base.profiles, typeof(*p),
+					base.list);
+
+	/* is next profile a sibling, parent sibling, gp, subling, .. */
+	parent = p->parent;
+	while (parent) {
+		list_for_each_entry_continue(p, &parent->base.profiles,
+					     base.list)
+				return p;
+		p = parent;
+		parent = parent->parent;
+	}
+
+	/* is next another profile in the namespace */
+	list_for_each_entry_continue(p, &ns->base.profiles, base.list)
+		return p;
+
+	return NULL;
+}
+
+/**
+ * next_profile - step to the next profile in where ever it may be
+ * @root: root namespace  (NOT NULL)
+ * @profile: current profile  (NOT NULL)
+ *
+ * Returns: next profile or NULL if there isn't one
+ */
+static struct aa_profile *next_profile(struct aa_namespace *root,
+				       struct aa_profile *profile)
+{
+	struct aa_profile *next = __next_profile(profile);
+	if (next)
+		return next;
+
+	/* finished all profiles in namespace move to next namespace */
+	return __first_profile(root, __next_namespace(root, profile->ns));
+}
+
+/**
+ * p_start - start a depth first traversal of profile tree
+ * @f: seq_file to fill
+ * @pos: current position
+ *
+ * Returns: first profile under current namespace or NULL if none found
+ *
+ * acquires first ns->lock
+ */
+static void *p_start(struct seq_file *f, loff_t *pos)
+	__acquires(root->lock)
+{
+	struct aa_profile *profile = NULL;
+	struct aa_namespace *root = aa_current_profile()->ns;
+	loff_t l = *pos;
+	f->private = aa_get_namespace(root);
+
+
+	/* find the first profile */
+	read_lock(&root->lock);
+	profile = __first_profile(root, root);
+
+	/* skip to position */
+	for (; profile && l > 0; l--)
+		profile = next_profile(root, profile);
+
+	return profile;
+}
+
+/**
+ * p_next - read the next profile entry
+ * @f: seq_file to fill
+ * @p: profile previously returned
+ * @pos: current position
+ *
+ * Returns: next profile after @p or NULL if none
+ *
+ * may acquire/release locks in namespace tree as necessary
+ */
+static void *p_next(struct seq_file *f, void *p, loff_t *pos)
+{
+	struct aa_profile *profile = p;
+	struct aa_namespace *root = f->private;
+	(*pos)++;
+
+	return next_profile(root, profile);
+}
+
+/**
+ * p_stop - stop depth first traversal
+ * @f: seq_file we are filling
+ * @p: the last profile writen
+ *
+ * Release all locking done by p_start/p_next on namespace tree
+ */
+static void p_stop(struct seq_file *f, void *p)
+	__releases(root->lock)
+{
+	struct aa_profile *profile = p;
+	struct aa_namespace *root = f->private, *ns;
+
+	if (profile) {
+		for (ns = profile->ns; ns && ns != root; ns = ns->parent)
+			read_unlock(&ns->lock);
+	}
+	read_unlock(&root->lock);
+	aa_put_namespace(root);
+}
+
+/**
+ * seq_show_profile - show a profile entry
+ * @f: seq_file to file
+ * @p: current position (profile)    (NOT NULL)
+ *
+ * Returns: error on failure
+ */
+static int seq_show_profile(struct seq_file *f, void *p)
+{
+	struct aa_profile *profile = (struct aa_profile *)p;
+	struct aa_namespace *root = f->private;
+
+	if (profile->ns != root)
+		seq_printf(f, ":%s://", aa_ns_name(root, profile->ns));
+	seq_printf(f, "%s (%s)\n", profile->base.hname,
+		   COMPLAIN_MODE(profile) ? "complain" : "enforce");
+
+	return 0;
+}
+
+static const struct seq_operations aa_fs_profiles_op = {
+	.start = p_start,
+	.next = p_next,
+	.stop = p_stop,
+	.show = seq_show_profile,
+};
+
+static int profiles_open(struct inode *inode, struct file *file)
+{
+	return seq_open(file, &aa_fs_profiles_op);
+}
+
+static int profiles_release(struct inode *inode, struct file *file)
+{
+	return seq_release(inode, file);
+}
+
+const struct file_operations aa_fs_profiles_fops = {
+	.open = profiles_open,
+	.read = seq_read,
+	.llseek = seq_lseek,
+	.release = profiles_release,
+};
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index e39df6d..235e9fa 100644
+--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
+@@ -187,7 +187,11 @@ void __init aa_destroy_aafs(void)
+ 		aafs_remove(".remove");
+ 		aafs_remove(".replace");
+ 		aafs_remove(".load");
+-
+#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
+		aafs_remove("profiles");
+		aafs_remove("matching");
+		aafs_remove("features");
+#endif
+ 		securityfs_remove(aa_fs_dentry);
+ 		aa_fs_dentry = NULL;
+ 	}
+@@ -218,7 +222,17 @@ static int __init aa_create_aafs(void)
+ 		aa_fs_dentry = NULL;
+ 		goto error;
+ 	}
+-
+#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
+	error = aafs_create("matching", 0444, &aa_fs_matching_fops);
+	if (error)
+		goto error;
+	error = aafs_create("features", 0444, &aa_fs_features_fops);
+	if (error)
+		goto error;
+#endif
+	error = aafs_create("profiles", 0440, &aa_fs_profiles_fops);
+	if (error)
+		goto error;
+ 	error = aafs_create(".load", 0640, &aa_fs_profile_load);
+ 	if (error)
+ 		goto error;
+diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/include/apparmorfs.h
+index cb1e93a..14f955c 100644
+--- a/security/apparmor/include/apparmorfs.h
+++ b/security/apparmor/include/apparmorfs.h
+@@ -17,4 +17,10 @@
+ 
+ extern void __init aa_destroy_aafs(void);
+ 
+#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
+extern const struct file_operations aa_fs_matching_fops;
+extern const struct file_operations aa_fs_features_fops;
+extern const struct file_operations aa_fs_profiles_fops;
+#endif
+
+ #endif /* __AA_APPARMORFS_H */
+-- 
+1.7.9.5
+
--- a/kernel-patches/3.3/0003-AppArmor-Allow-dfa-backward-compatibility-with-broke.patch
+++ b/kernel-patches/3.3/0003-AppArmor-Allow-dfa-backward-compatibility-with-broke.patch
@@ -0,0 +1,69 @@
+From 5d05f2909c12f6f03581bca9c1fa52dafa10fb0f Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 10 Aug 2011 22:02:41 -0700
+Subject: [PATCH 3/3] AppArmor: Allow dfa backward compatibility with broken
+ userspace
+
+The apparmor_parser when compiling policy could generate invalid dfas
+that did not have sufficient padding to avoid invalid references, when
+used by the kernel.  The kernels check to verify the next/check table
+size was broken meaning invalid dfas were being created by userspace
+and not caught.
+
+To remain compatible with old tools that are not fixed, pad the loaded
+dfas next/check table.  The dfa's themselves are valid except for the
+high padding for potentially invalid transitions (high bounds error),
+which have a maximimum is 256 entries.  So just allocate an extra null filled
+256 entries for the next/check tables.  This will guarentee all bounds
+are good and invalid transitions go to the null (0) state.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ security/apparmor/match.c |   17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/security/apparmor/match.c b/security/apparmor/match.c
+index 94de6b4..081491e 100644
+--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
+@@ -57,8 +57,17 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
+ 	if (bsize < tsize)
+ 		goto out;
+ 
+	/* Pad table allocation for next/check by 256 entries to remain
+	 * backwards compatible with old (buggy) tools and remain safe without
+	 * run time checks
+	 */
+	if (th.td_id == YYTD_ID_NXT || th.td_id == YYTD_ID_CHK)
+		tsize += 256 * th.td_flags;
+
+ 	table = kvmalloc(tsize);
+ 	if (table) {
+		/* ensure the pad is clear, else there will be errors */
+		memset(table, 0, tsize);
+ 		*table = th;
+ 		if (th.td_flags == YYTD_DATA8)
+ 			UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
+@@ -134,11 +143,19 @@ static int verify_dfa(struct aa_dfa *dfa, int flags)
+ 		goto out;
+ 
+ 	if (flags & DFA_FLAG_VERIFY_STATES) {
+		int warning = 0;
+ 		for (i = 0; i < state_count; i++) {
+ 			if (DEFAULT_TABLE(dfa)[i] >= state_count)
+ 				goto out;
+ 			/* TODO: do check that DEF state recursion terminates */
+ 			if (BASE_TABLE(dfa)[i] + 255 >= trans_count) {
+				if (warning)
+					continue;
+				printk(KERN_WARNING "AppArmor DFA next/check "
+				       "upper bounds error fixed, upgrade "
+				       "user space tools \n");
+				warning = 1;
+			} else if (BASE_TABLE(dfa)[i] >= trans_count) {
+ 				printk(KERN_ERR "AppArmor DFA next/check upper "
+ 				       "bounds error\n");
+ 				goto out;
+-- 
+1.7.9.5
+
--- a/kernel-patches/3.4/0001-UBUNTU-SAUCE-AppArmor-Add-profile-introspection-file.patch
+++ b/kernel-patches/3.4/0001-UBUNTU-SAUCE-AppArmor-Add-profile-introspection-file.patch
@@ -0,0 +1,264 @@
+From 8de755e4dfdbc40bfcaca848ae6b5aeaf0ede0e8 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Thu, 22 Jul 2010 02:32:02 -0700
+Subject: [PATCH 1/3] UBUNTU: SAUCE: AppArmor: Add profile introspection file
+ to interface
+
+Add the dynamic profiles file to the interace, to allow load policy
+introspection.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Acked-by: Kees Cook <kees@ubuntu.com>
+Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
+---
+ security/apparmor/apparmorfs.c |  227 ++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 227 insertions(+)
+
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 16c15ec..89bdc62 100644
+--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
+@@ -182,6 +182,232 @@ const struct file_operations aa_fs_seq_file_ops = {
+ 	.release	= single_release,
+ };
+ 
+/**
+ * __next_namespace - find the next namespace to list
+ * @root: root namespace to stop search at (NOT NULL)
+ * @ns: current ns position (NOT NULL)
+ *
+ * Find the next namespace from @ns under @root and handle all locking needed
+ * while switching current namespace.
+ *
+ * Returns: next namespace or NULL if at last namespace under @root
+ * NOTE: will not unlock root->lock
+ */
+static struct aa_namespace *__next_namespace(struct aa_namespace *root,
+					     struct aa_namespace *ns)
+{
+	struct aa_namespace *parent;
+
+	/* is next namespace a child */
+	if (!list_empty(&ns->sub_ns)) {
+		struct aa_namespace *next;
+		next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
+		read_lock(&next->lock);
+		return next;
+	}
+
+	/* check if the next ns is a sibling, parent, gp, .. */
+	parent = ns->parent;
+	while (parent) {
+		read_unlock(&ns->lock);
+		list_for_each_entry_continue(ns, &parent->sub_ns, base.list) {
+			read_lock(&ns->lock);
+			return ns;
+		}
+		if (parent == root)
+			return NULL;
+		ns = parent;
+		parent = parent->parent;
+	}
+
+	return NULL;
+}
+
+/**
+ * __first_profile - find the first profile in a namespace
+ * @root: namespace that is root of profiles being displayed (NOT NULL)
+ * @ns: namespace to start in   (NOT NULL)
+ *
+ * Returns: unrefcounted profile or NULL if no profile
+ */
+static struct aa_profile *__first_profile(struct aa_namespace *root,
+					  struct aa_namespace *ns)
+{
+	for ( ; ns; ns = __next_namespace(root, ns)) {
+		if (!list_empty(&ns->base.profiles))
+			return list_first_entry(&ns->base.profiles,
+						struct aa_profile, base.list);
+	}
+	return NULL;
+}
+
+/**
+ * __next_profile - step to the next profile in a profile tree
+ * @profile: current profile in tree (NOT NULL)
+ *
+ * Perform a depth first taversal on the profile tree in a namespace
+ *
+ * Returns: next profile or NULL if done
+ * Requires: profile->ns.lock to be held
+ */
+static struct aa_profile *__next_profile(struct aa_profile *p)
+{
+	struct aa_profile *parent;
+	struct aa_namespace *ns = p->ns;
+
+	/* is next profile a child */
+	if (!list_empty(&p->base.profiles))
+		return list_first_entry(&p->base.profiles, typeof(*p),
+					base.list);
+
+	/* is next profile a sibling, parent sibling, gp, subling, .. */
+	parent = p->parent;
+	while (parent) {
+		list_for_each_entry_continue(p, &parent->base.profiles,
+					     base.list)
+				return p;
+		p = parent;
+		parent = parent->parent;
+	}
+
+	/* is next another profile in the namespace */
+	list_for_each_entry_continue(p, &ns->base.profiles, base.list)
+		return p;
+
+	return NULL;
+}
+
+/**
+ * next_profile - step to the next profile in where ever it may be
+ * @root: root namespace  (NOT NULL)
+ * @profile: current profile  (NOT NULL)
+ *
+ * Returns: next profile or NULL if there isn't one
+ */
+static struct aa_profile *next_profile(struct aa_namespace *root,
+				       struct aa_profile *profile)
+{
+	struct aa_profile *next = __next_profile(profile);
+	if (next)
+		return next;
+
+	/* finished all profiles in namespace move to next namespace */
+	return __first_profile(root, __next_namespace(root, profile->ns));
+}
+
+/**
+ * p_start - start a depth first traversal of profile tree
+ * @f: seq_file to fill
+ * @pos: current position
+ *
+ * Returns: first profile under current namespace or NULL if none found
+ *
+ * acquires first ns->lock
+ */
+static void *p_start(struct seq_file *f, loff_t *pos)
+	__acquires(root->lock)
+{
+	struct aa_profile *profile = NULL;
+	struct aa_namespace *root = aa_current_profile()->ns;
+	loff_t l = *pos;
+	f->private = aa_get_namespace(root);
+
+
+	/* find the first profile */
+	read_lock(&root->lock);
+	profile = __first_profile(root, root);
+
+	/* skip to position */
+	for (; profile && l > 0; l--)
+		profile = next_profile(root, profile);
+
+	return profile;
+}
+
+/**
+ * p_next - read the next profile entry
+ * @f: seq_file to fill
+ * @p: profile previously returned
+ * @pos: current position
+ *
+ * Returns: next profile after @p or NULL if none
+ *
+ * may acquire/release locks in namespace tree as necessary
+ */
+static void *p_next(struct seq_file *f, void *p, loff_t *pos)
+{
+	struct aa_profile *profile = p;
+	struct aa_namespace *root = f->private;
+	(*pos)++;
+
+	return next_profile(root, profile);
+}
+
+/**
+ * p_stop - stop depth first traversal
+ * @f: seq_file we are filling
+ * @p: the last profile writen
+ *
+ * Release all locking done by p_start/p_next on namespace tree
+ */
+static void p_stop(struct seq_file *f, void *p)
+	__releases(root->lock)
+{
+	struct aa_profile *profile = p;
+	struct aa_namespace *root = f->private, *ns;
+
+	if (profile) {
+		for (ns = profile->ns; ns && ns != root; ns = ns->parent)
+			read_unlock(&ns->lock);
+	}
+	read_unlock(&root->lock);
+	aa_put_namespace(root);
+}
+
+/**
+ * seq_show_profile - show a profile entry
+ * @f: seq_file to file
+ * @p: current position (profile)    (NOT NULL)
+ *
+ * Returns: error on failure
+ */
+static int seq_show_profile(struct seq_file *f, void *p)
+{
+	struct aa_profile *profile = (struct aa_profile *)p;
+	struct aa_namespace *root = f->private;
+
+	if (profile->ns != root)
+		seq_printf(f, ":%s://", aa_ns_name(root, profile->ns));
+	seq_printf(f, "%s (%s)\n", profile->base.hname,
+		   COMPLAIN_MODE(profile) ? "complain" : "enforce");
+
+	return 0;
+}
+
+static const struct seq_operations aa_fs_profiles_op = {
+	.start = p_start,
+	.next = p_next,
+	.stop = p_stop,
+	.show = seq_show_profile,
+};
+
+static int profiles_open(struct inode *inode, struct file *file)
+{
+	return seq_open(file, &aa_fs_profiles_op);
+}
+
+static int profiles_release(struct inode *inode, struct file *file)
+{
+	return seq_release(inode, file);
+}
+
+const struct file_operations aa_fs_profiles_fops = {
+	.open = profiles_open,
+	.read = seq_read,
+	.llseek = seq_lseek,
+	.release = profiles_release,
+};
+
+ /** Base file system setup **/
+ 
+ static struct aa_fs_entry aa_fs_entry_file[] = {
+@@ -210,6 +436,7 @@ static struct aa_fs_entry aa_fs_entry_apparmor[] = {
+ 	AA_FS_FILE_FOPS(".load", 0640, &aa_fs_profile_load),
+ 	AA_FS_FILE_FOPS(".replace", 0640, &aa_fs_profile_replace),
+ 	AA_FS_FILE_FOPS(".remove", 0640, &aa_fs_profile_remove),
+	AA_FS_FILE_FOPS("profiles", 0640, &aa_fs_profiles_fops),
+ 	AA_FS_DIR("features", aa_fs_entry_features),
+ 	{ }
+ };
+-- 
+1.7.9.5
+
--- a/kernel-patches/3.4/0002-UBUNTU-SAUCE-AppArmor-basic-networking-rules.patch
+++ b/kernel-patches/3.4/0002-UBUNTU-SAUCE-AppArmor-basic-networking-rules.patch
@@ -0,0 +1,603 @@
+From 423e2cb454d75d6185eecd0c1b5cf6ccc2d8482d Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Mon, 4 Oct 2010 15:03:36 -0700
+Subject: [PATCH 2/3] UBUNTU: SAUCE: AppArmor: basic networking rules
+
+Base support for network mediation.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ security/apparmor/.gitignore       |    2 +-
+ security/apparmor/Makefile         |   42 +++++++++-
+ security/apparmor/apparmorfs.c     |    1 +
+ security/apparmor/include/audit.h  |    4 +
+ security/apparmor/include/net.h    |   44 ++++++++++
+ security/apparmor/include/policy.h |    3 +
+ security/apparmor/lsm.c            |  112 +++++++++++++++++++++++++
+ security/apparmor/net.c            |  162 ++++++++++++++++++++++++++++++++++++
+ security/apparmor/policy.c         |    1 +
+ security/apparmor/policy_unpack.c  |   46 ++++++++++
+ 10 files changed, 414 insertions(+), 3 deletions(-)
+ create mode 100644 security/apparmor/include/net.h
+ create mode 100644 security/apparmor/net.c
+
+diff --git a/security/apparmor/.gitignore b/security/apparmor/.gitignore
+index 4d995ae..d5b291e 100644
+--- a/security/apparmor/.gitignore
+++ b/security/apparmor/.gitignore
+@@ -1,6 +1,6 @@
+ #
+ # Generated include files
+ #
+-af_names.h
+net_names.h
+ capability_names.h
+ rlim_names.h
+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
+index 806bd19..19daa85 100644
+--- a/security/apparmor/Makefile
+++ b/security/apparmor/Makefile
+@@ -4,9 +4,9 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+ 
+ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
+-              resource.o sid.o file.o
+              resource.o sid.o file.o net.o
+ 
+-clean-files := capability_names.h rlim_names.h
+clean-files := capability_names.h rlim_names.h net_names.h
+ 
+ 
+ # Build a lower case string table of capability names
+@@ -20,6 +20,38 @@ cmd_make-caps = echo "static const char *const capability_names[] = {" > $@ ;\
+ 	-e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/[\2] = "\L\1",/p';\
+ 	echo "};" >> $@
+ 
+# Build a lower case string table of address family names
+# Transform lines from
+#    define AF_LOCAL	1	/* POSIX name for AF_UNIX	*/
+#    #define AF_INET		2	/* Internet IP Protocol 	*/
+# to
+#    [1] = "local",
+#    [2] = "inet",
+#
+# and build the securityfs entries for the mapping.
+# Transforms lines from
+#    #define AF_INET		2	/* Internet IP Protocol 	*/
+# to
+#    #define AA_FS_AF_MASK "local inet"
+quiet_cmd_make-af = GEN     $@
+cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\
+	sed $< >>$@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e \
+	 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\
+	echo "};" >> $@ ;\
+	echo -n '\#define AA_FS_AF_MASK "' >> $@ ;\
+	sed -r -n 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/\L\1/p'\
+	 $< | tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
+
+# Build a lower case string table of sock type names
+# Transform lines from
+#    SOCK_STREAM	= 1,
+# to
+#    [1] = "stream",
+quiet_cmd_make-sock = GEN     $@
+cmd_make-sock = echo "static const char *sock_type_names[] = {" >> $@ ;\
+	sed $^ >>$@ -r -n \
+	-e 's/^\tSOCK_([A-Z0-9_]+)[\t]+=[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\
+	echo "};" >> $@
+ 
+ # Build a lower case string table of rlimit names.
+ # Transforms lines from
+@@ -56,6 +88,7 @@ cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \
+ 	    tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
+ 
+ $(obj)/capability.o : $(obj)/capability_names.h
+$(obj)/net.o : $(obj)/net_names.h
+ $(obj)/resource.o : $(obj)/rlim_names.h
+ $(obj)/capability_names.h : $(srctree)/include/linux/capability.h \
+ 			    $(src)/Makefile
+@@ -63,3 +96,8 @@ $(obj)/capability_names.h : $(srctree)/include/linux/capability.h \
+ $(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h \
+ 		      $(src)/Makefile
+ 	$(call cmd,make-rlim)
+$(obj)/net_names.h : $(srctree)/include/linux/socket.h \
+		     $(srctree)/include/linux/net.h \
+		     $(src)/Makefile
+	$(call cmd,make-af)
+	$(call cmd,make-sock)
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 89bdc62..c66315d 100644
+--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
+@@ -427,6 +427,7 @@ static struct aa_fs_entry aa_fs_entry_domain[] = {
+ static struct aa_fs_entry aa_fs_entry_features[] = {
+ 	AA_FS_DIR("domain",			aa_fs_entry_domain),
+ 	AA_FS_DIR("file",			aa_fs_entry_file),
+	AA_FS_DIR("network",                    aa_fs_entry_network),
+ 	AA_FS_FILE_U64("capability",		VFS_CAP_FLAGS_MASK),
+ 	AA_FS_DIR("rlimit",			aa_fs_entry_rlimit),
+ 	{ }
+diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
+index 3868b1e..c1ff09c 100644
+--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
+@@ -126,6 +126,10 @@ struct apparmor_audit_data {
+ 			u32 denied;
+ 			uid_t ouid;
+ 		} fs;
+		struct {
+			int type, protocol;
+			struct sock *sk;
+		} net;
+ 	};
+ };
+ 
+diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
+new file mode 100644
+index 0000000..cb8a121
+--- /dev/null
+++ b/security/apparmor/include/net.h
+@@ -0,0 +1,44 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor network mediation definitions.
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2012 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#ifndef __AA_NET_H
+#define __AA_NET_H
+
+#include <net/sock.h>
+
+#include "apparmorfs.h"
+
+/* struct aa_net - network confinement data
+ * @allowed: basic network families permissions
+ * @audit_network: which network permissions to force audit
+ * @quiet_network: which network permissions to quiet rejects
+ */
+struct aa_net {
+	u16 allow[AF_MAX];
+	u16 audit[AF_MAX];
+	u16 quiet[AF_MAX];
+};
+
+extern struct aa_fs_entry aa_fs_entry_network[];
+
+extern int aa_net_perm(int op, struct aa_profile *profile, u16 family,
+		       int type, int protocol, struct sock *sk);
+extern int aa_revalidate_sk(int op, struct sock *sk);
+
+static inline void aa_free_net_rules(struct aa_net *new)
+{
+	/* NOP */
+}
+
+#endif /* __AA_NET_H */
+diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
+index bda4569..eb13a73 100644
+--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
+@@ -27,6 +27,7 @@
+ #include "capability.h"
+ #include "domain.h"
+ #include "file.h"
+#include "net.h"
+ #include "resource.h"
+ 
+ extern const char *const profile_mode_names[];
+@@ -157,6 +158,7 @@ struct aa_policydb {
+  * @policy: general match rules governing policy
+  * @file: The set of rules governing basic file access and domain transitions
+  * @caps: capabilities for the profile
+ * @net: network controls for the profile
+  * @rlimits: rlimits for the profile
+  *
+  * The AppArmor profile contains the basic confinement data.  Each profile
+@@ -194,6 +196,7 @@ struct aa_profile {
+ 	struct aa_policydb policy;
+ 	struct aa_file_rules file;
+ 	struct aa_caps caps;
+	struct aa_net net;
+ 	struct aa_rlimit rlimits;
+ };
+ 
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index ad05d39..3cde194 100644
+--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
+@@ -32,6 +32,7 @@
+ #include "include/context.h"
+ #include "include/file.h"
+ #include "include/ipc.h"
+#include "include/net.h"
+ #include "include/path.h"
+ #include "include/policy.h"
+ #include "include/procattr.h"
+@@ -622,6 +623,104 @@ static int apparmor_task_setrlimit(struct task_struct *task,
+ 	return error;
+ }
+ 
+static int apparmor_socket_create(int family, int type, int protocol, int kern)
+{
+	struct aa_profile *profile;
+	int error = 0;
+
+	if (kern)
+		return 0;
+
+	profile = __aa_current_profile();
+	if (!unconfined(profile))
+		error = aa_net_perm(OP_CREATE, profile, family, type, protocol,
+				    NULL);
+	return error;
+}
+
+static int apparmor_socket_bind(struct socket *sock,
+				struct sockaddr *address, int addrlen)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_BIND, sk);
+}
+
+static int apparmor_socket_connect(struct socket *sock,
+				   struct sockaddr *address, int addrlen)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_CONNECT, sk);
+}
+
+static int apparmor_socket_listen(struct socket *sock, int backlog)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_LISTEN, sk);
+}
+
+static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_ACCEPT, sk);
+}
+
+static int apparmor_socket_sendmsg(struct socket *sock,
+				   struct msghdr *msg, int size)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_SENDMSG, sk);
+}
+
+static int apparmor_socket_recvmsg(struct socket *sock,
+				   struct msghdr *msg, int size, int flags)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_RECVMSG, sk);
+}
+
+static int apparmor_socket_getsockname(struct socket *sock)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_GETSOCKNAME, sk);
+}
+
+static int apparmor_socket_getpeername(struct socket *sock)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_GETPEERNAME, sk);
+}
+
+static int apparmor_socket_getsockopt(struct socket *sock, int level,
+				      int optname)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_GETSOCKOPT, sk);
+}
+
+static int apparmor_socket_setsockopt(struct socket *sock, int level,
+				      int optname)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_SETSOCKOPT, sk);
+}
+
+static int apparmor_socket_shutdown(struct socket *sock, int how)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
+}
+
+ static struct security_operations apparmor_ops = {
+ 	.name =				"apparmor",
+ 
+@@ -653,6 +752,19 @@ static struct security_operations apparmor_ops = {
+ 	.getprocattr =			apparmor_getprocattr,
+ 	.setprocattr =			apparmor_setprocattr,
+ 
+	.socket_create =		apparmor_socket_create,
+	.socket_bind =			apparmor_socket_bind,
+	.socket_connect =		apparmor_socket_connect,
+	.socket_listen =		apparmor_socket_listen,
+	.socket_accept =		apparmor_socket_accept,
+	.socket_sendmsg =		apparmor_socket_sendmsg,
+	.socket_recvmsg =		apparmor_socket_recvmsg,
+	.socket_getsockname =		apparmor_socket_getsockname,
+	.socket_getpeername =		apparmor_socket_getpeername,
+	.socket_getsockopt =		apparmor_socket_getsockopt,
+	.socket_setsockopt =		apparmor_socket_setsockopt,
+	.socket_shutdown =		apparmor_socket_shutdown,
+
+ 	.cred_alloc_blank =		apparmor_cred_alloc_blank,
+ 	.cred_free =			apparmor_cred_free,
+ 	.cred_prepare =			apparmor_cred_prepare,
+diff --git a/security/apparmor/net.c b/security/apparmor/net.c
+new file mode 100644
+index 0000000..084232b
+--- /dev/null
+++ b/security/apparmor/net.c
+@@ -0,0 +1,162 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor network mediation
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2012 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#include "include/apparmor.h"
+#include "include/audit.h"
+#include "include/context.h"
+#include "include/net.h"
+#include "include/policy.h"
+
+#include "net_names.h"
+
+struct aa_fs_entry aa_fs_entry_network[] = {
+	AA_FS_FILE_STRING("af_mask", AA_FS_AF_MASK),
+	{ }
+};
+
+/* audit callback for net specific fields */
+static void audit_cb(struct audit_buffer *ab, void *va)
+{
+	struct common_audit_data *sa = va;
+
+	audit_log_format(ab, " family=");
+	if (address_family_names[sa->u.net->family]) {
+		audit_log_string(ab, address_family_names[sa->u.net->family]);
+	} else {
+		audit_log_format(ab, "\"unknown(%d)\"", sa->u.net->family);
+	}
+	audit_log_format(ab, " sock_type=");
+	if (sock_type_names[sa->aad->net.type]) {
+		audit_log_string(ab, sock_type_names[sa->aad->net.type]);
+	} else {
+		audit_log_format(ab, "\"unknown(%d)\"", sa->aad->net.type);
+	}
+	audit_log_format(ab, " protocol=%d", sa->aad->net.protocol);
+}
+
+/**
+ * audit_net - audit network access
+ * @profile: profile being enforced  (NOT NULL)
+ * @op: operation being checked
+ * @family: network family
+ * @type:   network type
+ * @protocol: network protocol
+ * @sk: socket auditing is being applied to
+ * @error: error code for failure else 0
+ *
+ * Returns: %0 or sa->error else other errorcode on failure
+ */
+static int audit_net(struct aa_profile *profile, int op, u16 family, int type,
+		     int protocol, struct sock *sk, int error)
+{
+	int audit_type = AUDIT_APPARMOR_AUTO;
+	struct common_audit_data sa;
+	struct apparmor_audit_data aad = { };
+	struct lsm_network_audit net = { };
+	if (sk) {
+		COMMON_AUDIT_DATA_INIT(&sa, NET);
+	} else {
+		COMMON_AUDIT_DATA_INIT(&sa, NONE);
+	}
+	/* todo fill in socket addr info */
+	sa.aad = &aad;
+	sa.u.net = &net;
+	sa.aad->op = op,
+	sa.u.net->family = family;
+	sa.u.net->sk = sk;
+	sa.aad->net.type = type;
+	sa.aad->net.protocol = protocol;
+	sa.aad->error = error;
+
+	if (likely(!sa.aad->error)) {
+		u16 audit_mask = profile->net.audit[sa.u.net->family];
+		if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
+			   !(1 << sa.aad->net.type & audit_mask)))
+			return 0;
+		audit_type = AUDIT_APPARMOR_AUDIT;
+	} else {
+		u16 quiet_mask = profile->net.quiet[sa.u.net->family];
+		u16 kill_mask = 0;
+		u16 denied = (1 << sa.aad->net.type) & ~quiet_mask;
+
+		if (denied & kill_mask)
+			audit_type = AUDIT_APPARMOR_KILL;
+
+		if ((denied & quiet_mask) &&
+		    AUDIT_MODE(profile) != AUDIT_NOQUIET &&
+		    AUDIT_MODE(profile) != AUDIT_ALL)
+			return COMPLAIN_MODE(profile) ? 0 : sa.aad->error;
+	}
+
+	return aa_audit(audit_type, profile, GFP_KERNEL, &sa, audit_cb);
+}
+
+/**
+ * aa_net_perm - very course network access check
+ * @op: operation being checked
+ * @profile: profile being enforced  (NOT NULL)
+ * @family: network family
+ * @type:   network type
+ * @protocol: network protocol
+ *
+ * Returns: %0 else error if permission denied
+ */
+int aa_net_perm(int op, struct aa_profile *profile, u16 family, int type,
+		int protocol, struct sock *sk)
+{
+	u16 family_mask;
+	int error;
+
+	if ((family < 0) || (family >= AF_MAX))
+		return -EINVAL;
+
+	if ((type < 0) || (type >= SOCK_MAX))
+		return -EINVAL;
+
+	/* unix domain and netlink sockets are handled by ipc */
+	if (family == AF_UNIX || family == AF_NETLINK)
+		return 0;
+
+	family_mask = profile->net.allow[family];
+
+	error = (family_mask & (1 << type)) ? 0 : -EACCES;
+
+	return audit_net(profile, op, family, type, protocol, sk, error);
+}
+
+/**
+ * aa_revalidate_sk - Revalidate access to a sock
+ * @op: operation being checked
+ * @sk: sock being revalidated  (NOT NULL)
+ *
+ * Returns: %0 else error if permission denied
+ */
+int aa_revalidate_sk(int op, struct sock *sk)
+{
+	struct aa_profile *profile;
+	int error = 0;
+
+	/* aa_revalidate_sk should not be called from interrupt context
+	 * don't mediate these calls as they are not task related
+	 */
+	if (in_interrupt())
+		return 0;
+
+	profile = __aa_current_profile();
+	if (!unconfined(profile))
+		error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type,
+				    sk->sk_protocol, sk);
+
+	return error;
+}
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index f1f7506..b8100a7 100644
+--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
+@@ -745,6 +745,7 @@ static void free_profile(struct aa_profile *profile)
+ 
+ 	aa_free_file_rules(&profile->file);
+ 	aa_free_cap_rules(&profile->caps);
+	aa_free_net_rules(&profile->net);
+ 	aa_free_rlimit_rules(&profile->rlimits);
+ 
+ 	aa_free_sid(profile->sid);
+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
+index deab7c7..8f8e9c1 100644
+--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
+@@ -193,6 +193,19 @@ fail:
+ 	return 0;
+ }
+ 
+static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name)
+{
+	if (unpack_nameX(e, AA_U16, name)) {
+		if (!inbounds(e, sizeof(u16)))
+			return 0;
+		if (data)
+			*data = le16_to_cpu(get_unaligned((u16 *) e->pos));
+		e->pos += sizeof(u16);
+		return 1;
+	}
+	return 0;
+}
+
+ static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
+ {
+ 	if (unpack_nameX(e, AA_U32, name)) {
+@@ -471,6 +484,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ {
+ 	struct aa_profile *profile = NULL;
+ 	const char *name = NULL;
+	size_t size = 0;
+ 	int i, error = -EPROTO;
+ 	kernel_cap_t tmpcap;
+ 	u32 tmp;
+@@ -564,6 +578,38 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ 	if (!unpack_rlimits(e, profile))
+ 		goto fail;
+ 
+	size = unpack_array(e, "net_allowed_af");
+	if (size) {
+
+		for (i = 0; i < size; i++) {
+			/* discard extraneous rules that this kernel will
+			 * never request
+			 */
+			if (i >= AF_MAX) {
+				u16 tmp;
+				if (!unpack_u16(e, &tmp, NULL) ||
+				    !unpack_u16(e, &tmp, NULL) ||
+				    !unpack_u16(e, &tmp, NULL))
+					goto fail;
+				continue;
+			}
+			if (!unpack_u16(e, &profile->net.allow[i], NULL))
+				goto fail;
+			if (!unpack_u16(e, &profile->net.audit[i], NULL))
+				goto fail;
+			if (!unpack_u16(e, &profile->net.quiet[i], NULL))
+				goto fail;
+		}
+		if (!unpack_nameX(e, AA_ARRAYEND, NULL))
+			goto fail;
+	}
+	/*
+	 * allow unix domain and netlink sockets they are handled
+	 * by IPC
+	 */
+	profile->net.allow[AF_UNIX] = 0xffff;
+	profile->net.allow[AF_NETLINK] = 0xffff;
+
+ 	if (unpack_nameX(e, AA_STRUCT, "policydb")) {
+ 		/* generic policy dfa - optional and may be NULL */
+ 		profile->policy.dfa = unpack_dfa(e);
+-- 
+1.7.9.5
+
--- a/kernel-patches/3.4/0003-UBUNTU-SAUCE-apparmor-Add-the-ability-to-mediate-mou.patch
+++ b/kernel-patches/3.4/0003-UBUNTU-SAUCE-apparmor-Add-the-ability-to-mediate-mou.patch
@@ -0,0 +1,957 @@
+From a94d5e11c0484af59e5feebf144cc48c186892ad Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 16 May 2012 10:58:05 -0700
+Subject: [PATCH 3/3] UBUNTU: SAUCE: apparmor: Add the ability to mediate
+ mount
+
+Add the ability for apparmor to do mediation of mount operations. Mount
+rules require an updated apparmor_parser (2.8 series) for policy compilation.
+
+The basic form of the rules are.
+
+  [audit] [deny] mount [conds]* [device] [ -> [conds] path],
+  [audit] [deny] remount [conds]* [path],
+  [audit] [deny] umount [conds]* [path],
+  [audit] [deny] pivotroot [oldroot=<value>] <path>
+
+  remount is just a short cut for mount options=remount
+
+  where [conds] can be
+    fstype=<expr>
+    options=<expr>
+
+Example mount commands
+  mount,		# allow all mounts, but not umount or pivotroot
+
+  mount fstype=procfs,  # allow mounting procfs anywhere
+
+  mount options=(bind, ro) /foo -> /bar,  # readonly bind mount
+
+  mount /dev/sda -> /mnt,
+
+  mount /dev/sd** -> /mnt/**,
+
+  mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) -> /mnt/
+
+  umount,
+
+  umount /m*,
+
+See the apparmor userspace for full documentation
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Acked-by: Kees Cook <kees@ubuntu.com>
+---
+ security/apparmor/Makefile           |    2 +-
+ security/apparmor/apparmorfs.c       |   13 +
+ security/apparmor/audit.c            |    4 +
+ security/apparmor/domain.c           |    2 +-
+ security/apparmor/include/apparmor.h |    3 +-
+ security/apparmor/include/audit.h    |   11 +
+ security/apparmor/include/domain.h   |    2 +
+ security/apparmor/include/mount.h    |   54 +++
+ security/apparmor/lsm.c              |   59 ++++
+ security/apparmor/mount.c            |  620 ++++++++++++++++++++++++++++++++++
+ 10 files changed, 767 insertions(+), 3 deletions(-)
+ create mode 100644 security/apparmor/include/mount.h
+ create mode 100644 security/apparmor/mount.c
+
+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
+index 19daa85..63e0a4c 100644
+--- a/security/apparmor/Makefile
+++ b/security/apparmor/Makefile
+@@ -4,7 +4,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+ 
+ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
+-              resource.o sid.o file.o net.o
+              resource.o sid.o file.o net.o mount.o
+ 
+ clean-files := capability_names.h rlim_names.h net_names.h
+ 
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index c66315d..ff19009 100644
+--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
+@@ -424,10 +424,23 @@ static struct aa_fs_entry aa_fs_entry_domain[] = {
+ 	{ }
+ };
+ 
+static struct aa_fs_entry aa_fs_entry_mount[] = {
+	AA_FS_FILE_STRING("mask", "mount umount"),
+	{ }
+};
+
+static struct aa_fs_entry aa_fs_entry_namespaces[] = {
+	AA_FS_FILE_BOOLEAN("profile",           1),
+	AA_FS_FILE_BOOLEAN("pivot_root",        1),
+	{ }
+};
+
+ static struct aa_fs_entry aa_fs_entry_features[] = {
+ 	AA_FS_DIR("domain",			aa_fs_entry_domain),
+ 	AA_FS_DIR("file",			aa_fs_entry_file),
+ 	AA_FS_DIR("network",                    aa_fs_entry_network),
+	AA_FS_DIR("mount",                      aa_fs_entry_mount),
+	AA_FS_DIR("namespaces",                 aa_fs_entry_namespaces),
+ 	AA_FS_FILE_U64("capability",		VFS_CAP_FLAGS_MASK),
+ 	AA_FS_DIR("rlimit",			aa_fs_entry_rlimit),
+ 	{ }
+diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
+index cc3520d..b9f5ee9 100644
+--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
+@@ -44,6 +44,10 @@ const char *const op_table[] = {
+ 	"file_mmap",
+ 	"file_mprotect",
+ 
+	"pivotroot",
+	"mount",
+	"umount",
+
+ 	"create",
+ 	"post_create",
+ 	"bind",
+diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
+index 6327685..dfdc47b 100644
+--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
+@@ -242,7 +242,7 @@ static const char *next_name(int xtype, const char *name)
+  *
+  * Returns: refcounted profile, or NULL on failure (MAYBE NULL)
+  */
+-static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
+struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
+ {
+ 	struct aa_profile *new_profile = NULL;
+ 	struct aa_namespace *ns = profile->ns;
+diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
+index 40aedd9..e243d96 100644
+--- a/security/apparmor/include/apparmor.h
+++ b/security/apparmor/include/apparmor.h
+@@ -29,8 +29,9 @@
+ #define AA_CLASS_NET		4
+ #define AA_CLASS_RLIMITS	5
+ #define AA_CLASS_DOMAIN		6
+#define AA_CLASS_MOUNT		7
+ 
+-#define AA_CLASS_LAST		AA_CLASS_DOMAIN
+#define AA_CLASS_LAST		AA_CLASS_MOUNT
+ 
+ /* Control parameters settable through module/boot flags */
+ extern enum audit_mode aa_g_audit;
+diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
+index c1ff09c..7b90900c 100644
+--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
+@@ -73,6 +73,10 @@ enum aa_ops {
+ 	OP_FMMAP,
+ 	OP_FMPROT,
+ 
+	OP_PIVOTROOT,
+	OP_MOUNT,
+	OP_UMOUNT,
+
+ 	OP_CREATE,
+ 	OP_POST_CREATE,
+ 	OP_BIND,
+@@ -121,6 +125,13 @@ struct apparmor_audit_data {
+ 			unsigned long max;
+ 		} rlim;
+ 		struct {
+			const char *src_name;
+			const char *type;
+			const char *trans;
+			const char *data;
+			unsigned long flags;
+		} mnt;
+		struct {
+ 			const char *target;
+ 			u32 request;
+ 			u32 denied;
+diff --git a/security/apparmor/include/domain.h b/security/apparmor/include/domain.h
+index de04464..a3f70c5 100644
+--- a/security/apparmor/include/domain.h
+++ b/security/apparmor/include/domain.h
+@@ -23,6 +23,8 @@ struct aa_domain {
+ 	char **table;
+ };
+ 
+struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex);
+
+ int apparmor_bprm_set_creds(struct linux_binprm *bprm);
+ int apparmor_bprm_secureexec(struct linux_binprm *bprm);
+ void apparmor_bprm_committing_creds(struct linux_binprm *bprm);
+diff --git a/security/apparmor/include/mount.h b/security/apparmor/include/mount.h
+new file mode 100644
+index 0000000..bc17a53
+--- /dev/null
+++ b/security/apparmor/include/mount.h
+@@ -0,0 +1,54 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor file mediation function definitions.
+ *
+ * Copyright 2012 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#ifndef __AA_MOUNT_H
+#define __AA_MOUNT_H
+
+#include <linux/fs.h>
+#include <linux/path.h>
+
+#include "domain.h"
+#include "policy.h"
+
+/* mount perms */
+#define AA_MAY_PIVOTROOT	0x01
+#define AA_MAY_MOUNT		0x02
+#define AA_MAY_UMOUNT		0x04
+#define AA_AUDIT_DATA		0x40
+#define AA_CONT_MATCH		0x40
+
+#define AA_MS_IGNORE_MASK (MS_KERNMOUNT | MS_NOSEC | MS_ACTIVE | MS_BORN)
+
+int aa_remount(struct aa_profile *profile, struct path *path,
+	       unsigned long flags, void *data);
+
+int aa_bind_mount(struct aa_profile *profile, struct path *path,
+		  const char *old_name, unsigned long flags);
+
+
+int aa_mount_change_type(struct aa_profile *profile, struct path *path,
+			 unsigned long flags);
+
+int aa_move_mount(struct aa_profile *profile, struct path *path,
+		  const char *old_name);
+
+int aa_new_mount(struct aa_profile *profile, const char *dev_name,
+		 struct path *path, const char *type, unsigned long flags,
+		 void *data);
+
+int aa_umount(struct aa_profile *profile, struct vfsmount *mnt, int flags);
+
+int aa_pivotroot(struct aa_profile *profile, struct path *old_path,
+		  struct path *new_path);
+
+#endif /* __AA_MOUNT_H */
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index 3cde194..4512cc6 100644
+--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
+@@ -36,6 +36,7 @@
+ #include "include/path.h"
+ #include "include/policy.h"
+ #include "include/procattr.h"
+#include "include/mount.h"
+ 
+ /* Flag indicating whether initialization completed */
+ int apparmor_initialized __initdata;
+@@ -512,6 +513,60 @@ static int apparmor_file_mprotect(struct vm_area_struct *vma,
+ 			   !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
+ }
+ 
+static int apparmor_sb_mount(char *dev_name, struct path *path, char *type,
+			     unsigned long flags, void *data)
+{
+	struct aa_profile *profile;
+	int error = 0;
+
+	/* Discard magic */
+	if ((flags & MS_MGC_MSK) == MS_MGC_VAL)
+		flags &= ~MS_MGC_MSK;
+
+	flags &= ~AA_MS_IGNORE_MASK;
+
+	profile = __aa_current_profile();
+	if (!unconfined(profile)) {
+		if (flags & MS_REMOUNT)
+			error = aa_remount(profile, path, flags, data);
+		else if (flags & MS_BIND)
+			error = aa_bind_mount(profile, path, dev_name, flags);
+		else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE |
+				  MS_UNBINDABLE))
+			error = aa_mount_change_type(profile, path, flags);
+		else if (flags & MS_MOVE)
+			error = aa_move_mount(profile, path, dev_name);
+		else
+			error = aa_new_mount(profile, dev_name, path, type,
+					     flags, data);
+	}
+	return error;
+}
+
+static int apparmor_sb_umount(struct vfsmount *mnt, int flags)
+{
+	struct aa_profile *profile;
+	int error = 0;
+
+	profile = __aa_current_profile();
+	if (!unconfined(profile))
+		error = aa_umount(profile, mnt, flags);
+
+	return error;
+}
+
+static int apparmor_sb_pivotroot(struct path *old_path, struct path *new_path)
+{
+	struct aa_profile *profile;
+	int error = 0;
+
+	profile = __aa_current_profile();
+	if (!unconfined(profile))
+		error = aa_pivotroot(profile, old_path, new_path);
+
+	return error;
+}
+
+ static int apparmor_getprocattr(struct task_struct *task, char *name,
+ 				char **value)
+ {
+@@ -729,6 +784,10 @@ static struct security_operations apparmor_ops = {
+ 	.capget =			apparmor_capget,
+ 	.capable =			apparmor_capable,
+ 
+	.sb_mount =			apparmor_sb_mount,
+	.sb_umount =			apparmor_sb_umount,
+	.sb_pivotroot =			apparmor_sb_pivotroot,
+
+ 	.path_link =			apparmor_path_link,
+ 	.path_unlink =			apparmor_path_unlink,
+ 	.path_symlink =			apparmor_path_symlink,
+diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c
+new file mode 100644
+index 0000000..63d8493
+--- /dev/null
+++ b/security/apparmor/mount.c
+@@ -0,0 +1,620 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor mediation of files
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2012 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#include <linux/fs.h>
+#include <linux/mount.h>
+#include <linux/namei.h>
+
+#include "include/apparmor.h"
+#include "include/audit.h"
+#include "include/context.h"
+#include "include/domain.h"
+#include "include/file.h"
+#include "include/match.h"
+#include "include/mount.h"
+#include "include/path.h"
+#include "include/policy.h"
+
+
+static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags)
+{
+	if (flags & MS_RDONLY)
+		audit_log_format(ab, "ro");
+	else
+		audit_log_format(ab, "rw");
+	if (flags & MS_NOSUID)
+		audit_log_format(ab, ", nosuid");
+	if (flags & MS_NODEV)
+		audit_log_format(ab, ", nodev");
+	if (flags & MS_NOEXEC)
+		audit_log_format(ab, ", noexec");
+	if (flags & MS_SYNCHRONOUS)
+		audit_log_format(ab, ", sync");
+	if (flags & MS_REMOUNT)
+		audit_log_format(ab, ", remount");
+	if (flags & MS_MANDLOCK)
+		audit_log_format(ab, ", mand");
+	if (flags & MS_DIRSYNC)
+		audit_log_format(ab, ", dirsync");
+	if (flags & MS_NOATIME)
+		audit_log_format(ab, ", noatime");
+	if (flags & MS_NODIRATIME)
+		audit_log_format(ab, ", nodiratime");
+	if (flags & MS_BIND)
+		audit_log_format(ab, flags & MS_REC ? ", rbind" : ", bind");
+	if (flags & MS_MOVE)
+		audit_log_format(ab, ", move");
+	if (flags & MS_SILENT)
+		audit_log_format(ab, ", silent");
+	if (flags & MS_POSIXACL)
+		audit_log_format(ab, ", acl");
+	if (flags & MS_UNBINDABLE)
+		audit_log_format(ab, flags & MS_REC ? ", runbindable" :
+				 ", unbindable");
+	if (flags & MS_PRIVATE)
+		audit_log_format(ab, flags & MS_REC ? ", rprivate" :
+				 ", private");
+	if (flags & MS_SLAVE)
+		audit_log_format(ab, flags & MS_REC ? ", rslave" :
+				 ", slave");
+	if (flags & MS_SHARED)
+		audit_log_format(ab, flags & MS_REC ? ", rshared" :
+				 ", shared");
+	if (flags & MS_RELATIME)
+		audit_log_format(ab, ", relatime");
+	if (flags & MS_I_VERSION)
+		audit_log_format(ab, ", iversion");
+	if (flags & MS_STRICTATIME)
+		audit_log_format(ab, ", strictatime");
+	if (flags & MS_NOUSER)
+		audit_log_format(ab, ", nouser");
+}
+
+/**
+ * audit_cb - call back for mount specific audit fields
+ * @ab: audit_buffer  (NOT NULL)
+ * @va: audit struct to audit values of  (NOT NULL)
+ */
+static void audit_cb(struct audit_buffer *ab, void *va)
+{
+	struct common_audit_data *sa = va;
+
+	if (sa->aad->mnt.type) {
+		audit_log_format(ab, " fstype=");
+		audit_log_untrustedstring(ab, sa->aad->mnt.type);
+	}
+	if (sa->aad->mnt.src_name) {
+		audit_log_format(ab, " srcname=");
+		audit_log_untrustedstring(ab, sa->aad->mnt.src_name);
+	}
+	if (sa->aad->mnt.trans) {
+		audit_log_format(ab, " trans=");
+		audit_log_untrustedstring(ab, sa->aad->mnt.trans);
+	}
+	if (sa->aad->mnt.flags || sa->aad->op == OP_MOUNT) {
+		audit_log_format(ab, " flags=\"");
+		audit_mnt_flags(ab, sa->aad->mnt.flags);
+		audit_log_format(ab, "\"");
+	}
+	if (sa->aad->mnt.data) {
+		audit_log_format(ab, " options=");
+		audit_log_untrustedstring(ab, sa->aad->mnt.data);
+	}
+}
+
+/**
+ * audit_mount - handle the auditing of mount operations
+ * @profile: the profile being enforced  (NOT NULL)
+ * @gfp: allocation flags
+ * @op: operation being mediated (NOT NULL)
+ * @name: name of object being mediated (MAYBE NULL)
+ * @src_name: src_name of object being mediated (MAYBE_NULL)
+ * @type: type of filesystem (MAYBE_NULL)
+ * @trans: name of trans (MAYBE NULL)
+ * @flags: filesystem idependent mount flags
+ * @data: filesystem mount flags
+ * @request: permissions requested
+ * @perms: the permissions computed for the request (NOT NULL)
+ * @info: extra information message (MAYBE NULL)
+ * @error: 0 if operation allowed else failure error code
+ *
+ * Returns: %0 or error on failure
+ */
+static int audit_mount(struct aa_profile *profile, gfp_t gfp, int op,
+		       const char *name, const char *src_name,
+		       const char *type, const char *trans,
+		       unsigned long flags, const void *data, u32 request,
+		       struct file_perms *perms, const char *info, int error)
+{
+	int audit_type = AUDIT_APPARMOR_AUTO;
+	struct common_audit_data sa;
+	struct apparmor_audit_data aad = { };
+
+	if (likely(!error)) {
+		u32 mask = perms->audit;
+
+		if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL))
+			mask = 0xffff;
+
+		/* mask off perms that are not being force audited */
+		request &= mask;
+
+		if (likely(!request))
+			return 0;
+		audit_type = AUDIT_APPARMOR_AUDIT;
+	} else {
+		/* only report permissions that were denied */
+		request = request & ~perms->allow;
+
+		if (request & perms->kill)
+			audit_type = AUDIT_APPARMOR_KILL;
+
+		/* quiet known rejects, assumes quiet and kill do not overlap */
+		if ((request & perms->quiet) &&
+		    AUDIT_MODE(profile) != AUDIT_NOQUIET &&
+		    AUDIT_MODE(profile) != AUDIT_ALL)
+			request &= ~perms->quiet;
+
+		if (!request)
+			return COMPLAIN_MODE(profile) ?
+				complain_error(error) : error;
+	}
+
+	COMMON_AUDIT_DATA_INIT(&sa, NONE);
+	sa.aad = &aad;
+	sa.aad->op = op;
+	sa.aad->name = name;
+	sa.aad->mnt.src_name = src_name;
+	sa.aad->mnt.type = type;
+	sa.aad->mnt.trans = trans;
+	sa.aad->mnt.flags = flags;
+	if (data && (perms->audit & AA_AUDIT_DATA))
+		sa.aad->mnt.data = data;
+	sa.aad->info = info;
+	sa.aad->error = error;
+
+	return aa_audit(audit_type, profile, gfp, &sa, audit_cb);
+}
+
+/**
+ * match_mnt_flags - Do an ordered match on mount flags
+ * @dfa: dfa to match against
+ * @state: state to start in
+ * @flags: mount flags to match against
+ *
+ * Mount flags are encoded as an ordered match. This is done instead of
+ * checking against a simple bitmask, to allow for logical operations
+ * on the flags.
+ *
+ * Returns: next state after flags match
+ */
+static unsigned int match_mnt_flags(struct aa_dfa *dfa, unsigned int state,
+				    unsigned long flags)
+{
+	unsigned int i;
+
+	for (i = 0; i <= 31 ; ++i) {
+		if ((1 << i) & flags)
+			state = aa_dfa_next(dfa, state, i + 1);
+	}
+
+	return state;
+}
+
+/**
+ * compute_mnt_perms - compute mount permission associated with @state
+ * @dfa: dfa to match against (NOT NULL)
+ * @state: state match finished in
+ *
+ * Returns: mount permissions
+ */
+static struct file_perms compute_mnt_perms(struct aa_dfa *dfa,
+					   unsigned int state)
+{
+	struct file_perms perms;
+
+	perms.kill = 0;
+	perms.allow = dfa_user_allow(dfa, state);
+	perms.audit = dfa_user_audit(dfa, state);
+	perms.quiet = dfa_user_quiet(dfa, state);
+	perms.xindex = dfa_user_xindex(dfa, state);
+
+	return perms;
+}
+
+static const char const *mnt_info_table[] = {
+	"match succeeded",
+	"failed mntpnt match",
+	"failed srcname match",
+	"failed type match",
+	"failed flags match",
+	"failed data match"
+};
+
+/*
+ * Returns 0 on success else element that match failed in, this is the
+ * index into the mnt_info_table above
+ */
+static int do_match_mnt(struct aa_dfa *dfa, unsigned int start,
+			const char *mntpnt, const char *devname,
+			const char *type, unsigned long flags,
+			void *data, bool binary, struct file_perms *perms)
+{
+	unsigned int state;
+
+	state = aa_dfa_match(dfa, start, mntpnt);
+	state = aa_dfa_null_transition(dfa, state);
+	if (!state)
+		return 1;
+
+	if (devname)
+		state = aa_dfa_match(dfa, state, devname);
+	state = aa_dfa_null_transition(dfa, state);
+	if (!state)
+		return 2;
+
+	if (type)
+		state = aa_dfa_match(dfa, state, type);
+	state = aa_dfa_null_transition(dfa, state);
+	if (!state)
+		return 3;
+
+	state = match_mnt_flags(dfa, state, flags);
+	if (!state)
+		return 4;
+	*perms = compute_mnt_perms(dfa, state);
+	if (perms->allow & AA_MAY_MOUNT)
+		return 0;
+
+	/* only match data if not binary and the DFA flags data is expected */
+	if (data && !binary && (perms->allow & AA_CONT_MATCH)) {
+		state = aa_dfa_null_transition(dfa, state);
+		if (!state)
+			return 4;
+
+		state = aa_dfa_match(dfa, state, data);
+		if (!state)
+			return 5;
+		*perms = compute_mnt_perms(dfa, state);
+		if (perms->allow & AA_MAY_MOUNT)
+			return 0;
+	}
+
+	/* failed at end of flags match */
+	return 4;
+}
+
+/**
+ * match_mnt - handle path matching for mount
+ * @profile: the confining profile
+ * @mntpnt: string for the mntpnt (NOT NULL)
+ * @devname: string for the devname/src_name (MAYBE NULL)
+ * @type: string for the dev type (MAYBE NULL)
+ * @flags: mount flags to match
+ * @data: fs mount data (MAYBE NULL)
+ * @binary: whether @data is binary
+ * @perms: Returns: permission found by the match
+ * @info: Returns: infomation string about the match for logging
+ *
+ * Returns: 0 on success else error
+ */
+static int match_mnt(struct aa_profile *profile, const char *mntpnt,
+		     const char *devname, const char *type,
+		     unsigned long flags, void *data, bool binary,
+		     struct file_perms *perms, const char **info)
+{
+	int pos;
+
+	if (!profile->policy.dfa)
+		return -EACCES;
+
+	pos = do_match_mnt(profile->policy.dfa,
+			   profile->policy.start[AA_CLASS_MOUNT],
+			   mntpnt, devname, type, flags, data, binary, perms);
+	if (pos) {
+		*info = mnt_info_table[pos];
+		return -EACCES;
+	}
+
+	return 0;
+}
+
+static int path_flags(struct aa_profile *profile, struct path *path)
+{
+	return profile->path_flags |
+		S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0;
+}
+
+int aa_remount(struct aa_profile *profile, struct path *path,
+	       unsigned long flags, void *data)
+{
+	struct file_perms perms = { };
+	const char *name, *info = NULL;
+	char *buffer = NULL;
+	int binary, error;
+
+	binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA;
+
+	error = aa_path_name(path, path_flags(profile, path), &buffer, &name,
+			     &info);
+	if (error)
+		goto audit;
+
+	error = match_mnt(profile, name, NULL, NULL, flags, data, binary,
+			  &perms, &info);
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name, NULL, NULL,
+			    NULL, flags, data, AA_MAY_MOUNT, &perms, info,
+			    error);
+	kfree(buffer);
+
+	return error;
+}
+
+int aa_bind_mount(struct aa_profile *profile, struct path *path,
+		  const char *dev_name, unsigned long flags)
+{
+	struct file_perms perms = { };
+	char *buffer = NULL, *old_buffer = NULL;
+	const char *name, *old_name = NULL, *info = NULL;
+	struct path old_path;
+	int error;
+
+	if (!dev_name || !*dev_name)
+		return -EINVAL;
+
+	flags &= MS_REC | MS_BIND;
+
+	error = aa_path_name(path, path_flags(profile, path), &buffer, &name,
+			     &info);
+	if (error)
+		goto audit;
+
+	error = kern_path(dev_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path);
+	if (error)
+		goto audit;
+
+	error = aa_path_name(&old_path, path_flags(profile, &old_path),
+			     &old_buffer, &old_name, &info);
+	path_put(&old_path);
+	if (error)
+		goto audit;
+
+	error = match_mnt(profile, name, old_name, NULL, flags, NULL, 0,
+			  &perms, &info);
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name, old_name,
+			    NULL, NULL, flags, NULL, AA_MAY_MOUNT, &perms,
+			    info, error);
+	kfree(buffer);
+	kfree(old_buffer);
+
+	return error;
+}
+
+int aa_mount_change_type(struct aa_profile *profile, struct path *path,
+			 unsigned long flags)
+{
+	struct file_perms perms = { };
+	char *buffer = NULL;
+	const char *name, *info = NULL;
+	int error;
+
+	/* These are the flags allowed by do_change_type() */
+	flags &= (MS_REC | MS_SILENT | MS_SHARED | MS_PRIVATE | MS_SLAVE |
+		  MS_UNBINDABLE);
+
+	error = aa_path_name(path, path_flags(profile, path), &buffer, &name,
+			     &info);
+	if (error)
+		goto audit;
+
+	error = match_mnt(profile, name, NULL, NULL, flags, NULL, 0, &perms,
+			  &info);
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name, NULL, NULL,
+			    NULL, flags, NULL, AA_MAY_MOUNT, &perms, info,
+			    error);
+	kfree(buffer);
+
+	return error;
+}
+
+int aa_move_mount(struct aa_profile *profile, struct path *path,
+		  const char *orig_name)
+{
+	struct file_perms perms = { };
+	char *buffer = NULL, *old_buffer = NULL;
+	const char *name, *old_name = NULL, *info = NULL;
+	struct path old_path;
+	int error;
+
+	if (!orig_name || !*orig_name)
+		return -EINVAL;
+
+	error = aa_path_name(path, path_flags(profile, path), &buffer, &name,
+			     &info);
+	if (error)
+		goto audit;
+
+	error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path);
+	if (error)
+		goto audit;
+
+	error = aa_path_name(&old_path, path_flags(profile, &old_path),
+			     &old_buffer, &old_name, &info);
+	path_put(&old_path);
+	if (error)
+		goto audit;
+
+	error = match_mnt(profile, name, old_name, NULL, MS_MOVE, NULL, 0,
+			  &perms, &info);
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name, old_name,
+			    NULL, NULL, MS_MOVE, NULL, AA_MAY_MOUNT, &perms,
+			    info, error);
+	kfree(buffer);
+	kfree(old_buffer);
+
+	return error;
+}
+
+int aa_new_mount(struct aa_profile *profile, const char *orig_dev_name,
+		 struct path *path, const char *type, unsigned long flags,
+		 void *data)
+{
+	struct file_perms perms = { };
+	char *buffer = NULL, *dev_buffer = NULL;
+	const char *name = NULL, *dev_name = NULL, *info = NULL;
+	int binary = 1;
+	int error;
+
+	dev_name = orig_dev_name;
+	if (type) {
+		int requires_dev;
+		struct file_system_type *fstype = get_fs_type(type);
+		if (!fstype)
+			return -ENODEV;
+
+		binary = fstype->fs_flags & FS_BINARY_MOUNTDATA;
+		requires_dev = fstype->fs_flags & FS_REQUIRES_DEV;
+		put_filesystem(fstype);
+
+		if (requires_dev) {
+			struct path dev_path;
+
+			if (!dev_name || !*dev_name) {
+				error = -ENOENT;
+				goto out;
+			}
+
+			error = kern_path(dev_name, LOOKUP_FOLLOW, &dev_path);
+			if (error)
+				goto audit;
+
+			error = aa_path_name(&dev_path,
+					     path_flags(profile, &dev_path),
+					     &dev_buffer, &dev_name, &info);
+			path_put(&dev_path);
+			if (error)
+				goto audit;
+		}
+	}
+
+	error = aa_path_name(path, path_flags(profile, path), &buffer, &name,
+			     &info);
+	if (error)
+		goto audit;
+
+	error = match_mnt(profile, name, dev_name, type, flags, data, binary,
+			  &perms, &info);
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name,  dev_name,
+			    type, NULL, flags, data, AA_MAY_MOUNT, &perms, info,
+			    error);
+	kfree(buffer);
+	kfree(dev_buffer);
+
+out:
+	return error;
+
+}
+
+int aa_umount(struct aa_profile *profile, struct vfsmount *mnt, int flags)
+{
+	struct file_perms perms = { };
+	char *buffer = NULL;
+	const char *name, *info = NULL;
+	int error;
+
+	struct path path = { mnt, mnt->mnt_root };
+	error = aa_path_name(&path, path_flags(profile, &path), &buffer, &name,
+			     &info);
+	if (error)
+		goto audit;
+
+	if (!error && profile->policy.dfa) {
+		unsigned int state;
+		state = aa_dfa_match(profile->policy.dfa,
+				     profile->policy.start[AA_CLASS_MOUNT],
+				     name);
+		perms = compute_mnt_perms(profile->policy.dfa, state);
+	}
+
+	if (AA_MAY_UMOUNT & ~perms.allow)
+		error = -EACCES;
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_UMOUNT, name, NULL, NULL,
+			    NULL, 0, NULL, AA_MAY_UMOUNT, &perms, info, error);
+	kfree(buffer);
+
+	return error;
+}
+
+int aa_pivotroot(struct aa_profile *profile, struct path *old_path,
+		  struct path *new_path)
+{
+	struct file_perms perms = { };
+	struct aa_profile *target = NULL;
+	char *old_buffer = NULL, *new_buffer = NULL;
+	const char *old_name, *new_name = NULL, *info = NULL;
+	int error;
+
+	error = aa_path_name(old_path, path_flags(profile, old_path),
+			     &old_buffer, &old_name, &info);
+	if (error)
+		goto audit;
+
+	error = aa_path_name(new_path, path_flags(profile, new_path),
+			     &new_buffer, &new_name, &info);
+	if (error)
+		goto audit;
+
+	if (profile->policy.dfa) {
+		unsigned int state;
+		state = aa_dfa_match(profile->policy.dfa,
+				     profile->policy.start[AA_CLASS_MOUNT],
+				     new_name);
+		state = aa_dfa_null_transition(profile->policy.dfa, state);
+		state = aa_dfa_match(profile->policy.dfa, state, old_name);
+		perms = compute_mnt_perms(profile->policy.dfa, state);
+	}
+
+	if (AA_MAY_PIVOTROOT & perms.allow) {
+		if ((perms.xindex & AA_X_TYPE_MASK) == AA_X_TABLE) {
+			target = x_table_lookup(profile, perms.xindex);
+			if (!target)
+				error = -ENOENT;
+			else
+				error = aa_replace_current_profile(target);
+		}
+	} else
+		error = -EACCES;
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_PIVOTROOT, new_name,
+			    old_name, NULL, target ? target->base.name : NULL,
+			    0, NULL,  AA_MAY_PIVOTROOT, &perms, info, error);
+	aa_put_profile(target);
+	kfree(old_buffer);
+	kfree(new_buffer);
+
+	return error;
+}
+-- 
+1.7.9.5
+
--- a/kernel-patches/3.5/0001-UBUNTU-SAUCE-AppArmor-Add-profile-introspection-file.patch
+++ b/kernel-patches/3.5/0001-UBUNTU-SAUCE-AppArmor-Add-profile-introspection-file.patch
@@ -0,0 +1,285 @@
+From 05bf1eb7276886a3eda0588a8e012b558b693e96 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Thu, 22 Jul 2010 02:32:02 -0700
+Subject: [PATCH 1/6] UBUNTU: SAUCE: AppArmor: Add profile introspection file
+ to interface
+
+Add the dynamic profiles file to the interace, to allow load policy
+introspection.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Acked-by: Kees Cook <kees@ubuntu.com>
+---
+ security/apparmor/Kconfig      |    9 ++
+ security/apparmor/apparmorfs.c |  231 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 240 insertions(+)
+
+diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
+index 9b9013b..51ebf96 100644
+--- a/security/apparmor/Kconfig
+++ b/security/apparmor/Kconfig
+@@ -29,3 +29,12 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE
+ 	  boot.
+ 
+ 	  If you are unsure how to answer this question, answer 1.
+
+config SECURITY_APPARMOR_COMPAT_24
+	bool "Enable AppArmor 2.4 compatability"
+	depends on SECURITY_APPARMOR
+	default y
+	help
+	  This option enables compatability with AppArmor 2.4.  It is
+          recommended if compatability with older versions of AppArmor
+          is desired.
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 16c15ec..42b7c9f 100644
+--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
+@@ -182,6 +182,234 @@ const struct file_operations aa_fs_seq_file_ops = {
+ 	.release	= single_release,
+ };
+ 
+#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
+/**
+ * __next_namespace - find the next namespace to list
+ * @root: root namespace to stop search at (NOT NULL)
+ * @ns: current ns position (NOT NULL)
+ *
+ * Find the next namespace from @ns under @root and handle all locking needed
+ * while switching current namespace.
+ *
+ * Returns: next namespace or NULL if at last namespace under @root
+ * NOTE: will not unlock root->lock
+ */
+static struct aa_namespace *__next_namespace(struct aa_namespace *root,
+					     struct aa_namespace *ns)
+{
+	struct aa_namespace *parent;
+
+	/* is next namespace a child */
+	if (!list_empty(&ns->sub_ns)) {
+		struct aa_namespace *next;
+		next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
+		read_lock(&next->lock);
+		return next;
+	}
+
+	/* check if the next ns is a sibling, parent, gp, .. */
+	parent = ns->parent;
+	while (parent) {
+		read_unlock(&ns->lock);
+		list_for_each_entry_continue(ns, &parent->sub_ns, base.list) {
+			read_lock(&ns->lock);
+			return ns;
+		}
+		if (parent == root)
+			return NULL;
+		ns = parent;
+		parent = parent->parent;
+	}
+
+	return NULL;
+}
+
+/**
+ * __first_profile - find the first profile in a namespace
+ * @root: namespace that is root of profiles being displayed (NOT NULL)
+ * @ns: namespace to start in   (NOT NULL)
+ *
+ * Returns: unrefcounted profile or NULL if no profile
+ */
+static struct aa_profile *__first_profile(struct aa_namespace *root,
+					  struct aa_namespace *ns)
+{
+	for ( ; ns; ns = __next_namespace(root, ns)) {
+		if (!list_empty(&ns->base.profiles))
+			return list_first_entry(&ns->base.profiles,
+						struct aa_profile, base.list);
+	}
+	return NULL;
+}
+
+/**
+ * __next_profile - step to the next profile in a profile tree
+ * @profile: current profile in tree (NOT NULL)
+ *
+ * Perform a depth first taversal on the profile tree in a namespace
+ *
+ * Returns: next profile or NULL if done
+ * Requires: profile->ns.lock to be held
+ */
+static struct aa_profile *__next_profile(struct aa_profile *p)
+{
+	struct aa_profile *parent;
+	struct aa_namespace *ns = p->ns;
+
+	/* is next profile a child */
+	if (!list_empty(&p->base.profiles))
+		return list_first_entry(&p->base.profiles, typeof(*p),
+					base.list);
+
+	/* is next profile a sibling, parent sibling, gp, subling, .. */
+	parent = p->parent;
+	while (parent) {
+		list_for_each_entry_continue(p, &parent->base.profiles,
+					     base.list)
+				return p;
+		p = parent;
+		parent = parent->parent;
+	}
+
+	/* is next another profile in the namespace */
+	list_for_each_entry_continue(p, &ns->base.profiles, base.list)
+		return p;
+
+	return NULL;
+}
+
+/**
+ * next_profile - step to the next profile in where ever it may be
+ * @root: root namespace  (NOT NULL)
+ * @profile: current profile  (NOT NULL)
+ *
+ * Returns: next profile or NULL if there isn't one
+ */
+static struct aa_profile *next_profile(struct aa_namespace *root,
+				       struct aa_profile *profile)
+{
+	struct aa_profile *next = __next_profile(profile);
+	if (next)
+		return next;
+
+	/* finished all profiles in namespace move to next namespace */
+	return __first_profile(root, __next_namespace(root, profile->ns));
+}
+
+/**
+ * p_start - start a depth first traversal of profile tree
+ * @f: seq_file to fill
+ * @pos: current position
+ *
+ * Returns: first profile under current namespace or NULL if none found
+ *
+ * acquires first ns->lock
+ */
+static void *p_start(struct seq_file *f, loff_t *pos)
+	__acquires(root->lock)
+{
+	struct aa_profile *profile = NULL;
+	struct aa_namespace *root = aa_current_profile()->ns;
+	loff_t l = *pos;
+	f->private = aa_get_namespace(root);
+
+
+	/* find the first profile */
+	read_lock(&root->lock);
+	profile = __first_profile(root, root);
+
+	/* skip to position */
+	for (; profile && l > 0; l--)
+		profile = next_profile(root, profile);
+
+	return profile;
+}
+
+/**
+ * p_next - read the next profile entry
+ * @f: seq_file to fill
+ * @p: profile previously returned
+ * @pos: current position
+ *
+ * Returns: next profile after @p or NULL if none
+ *
+ * may acquire/release locks in namespace tree as necessary
+ */
+static void *p_next(struct seq_file *f, void *p, loff_t *pos)
+{
+	struct aa_profile *profile = p;
+	struct aa_namespace *root = f->private;
+	(*pos)++;
+
+	return next_profile(root, profile);
+}
+
+/**
+ * p_stop - stop depth first traversal
+ * @f: seq_file we are filling
+ * @p: the last profile writen
+ *
+ * Release all locking done by p_start/p_next on namespace tree
+ */
+static void p_stop(struct seq_file *f, void *p)
+	__releases(root->lock)
+{
+	struct aa_profile *profile = p;
+	struct aa_namespace *root = f->private, *ns;
+
+	if (profile) {
+		for (ns = profile->ns; ns && ns != root; ns = ns->parent)
+			read_unlock(&ns->lock);
+	}
+	read_unlock(&root->lock);
+	aa_put_namespace(root);
+}
+
+/**
+ * seq_show_profile - show a profile entry
+ * @f: seq_file to file
+ * @p: current position (profile)    (NOT NULL)
+ *
+ * Returns: error on failure
+ */
+static int seq_show_profile(struct seq_file *f, void *p)
+{
+	struct aa_profile *profile = (struct aa_profile *)p;
+	struct aa_namespace *root = f->private;
+
+	if (profile->ns != root)
+		seq_printf(f, ":%s://", aa_ns_name(root, profile->ns));
+	seq_printf(f, "%s (%s)\n", profile->base.hname,
+		   COMPLAIN_MODE(profile) ? "complain" : "enforce");
+
+	return 0;
+}
+
+static const struct seq_operations aa_fs_profiles_op = {
+	.start = p_start,
+	.next = p_next,
+	.stop = p_stop,
+	.show = seq_show_profile,
+};
+
+static int profiles_open(struct inode *inode, struct file *file)
+{
+	return seq_open(file, &aa_fs_profiles_op);
+}
+
+static int profiles_release(struct inode *inode, struct file *file)
+{
+	return seq_release(inode, file);
+}
+
+const struct file_operations aa_fs_profiles_fops = {
+	.open = profiles_open,
+	.read = seq_read,
+	.llseek = seq_lseek,
+	.release = profiles_release,
+};
+#endif /* CONFIG_SECURITY_APPARMOR_COMPAT_24 */
+
+ /** Base file system setup **/
+ 
+ static struct aa_fs_entry aa_fs_entry_file[] = {
+@@ -210,6 +438,9 @@ static struct aa_fs_entry aa_fs_entry_apparmor[] = {
+ 	AA_FS_FILE_FOPS(".load", 0640, &aa_fs_profile_load),
+ 	AA_FS_FILE_FOPS(".replace", 0640, &aa_fs_profile_replace),
+ 	AA_FS_FILE_FOPS(".remove", 0640, &aa_fs_profile_remove),
+#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
+	AA_FS_FILE_FOPS("profiles", 0640, &aa_fs_profiles_fops),
+#endif
+ 	AA_FS_DIR("features", aa_fs_entry_features),
+ 	{ }
+ };
+-- 
+1.7.10.4
+
--- a/kernel-patches/3.5/0002-UBUNTU-SAUCE-AppArmor-basic-networking-rules.patch
+++ b/kernel-patches/3.5/0002-UBUNTU-SAUCE-AppArmor-basic-networking-rules.patch
@@ -0,0 +1,603 @@
+From 4facdf9db37c12ff655c91270d9030e2ed805ca2 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Mon, 4 Oct 2010 15:03:36 -0700
+Subject: [PATCH 2/6] UBUNTU: SAUCE: AppArmor: basic networking rules
+
+Base support for network mediation.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ security/apparmor/.gitignore       |    2 +-
+ security/apparmor/Makefile         |   42 +++++++++-
+ security/apparmor/apparmorfs.c     |    1 +
+ security/apparmor/include/audit.h  |    4 +
+ security/apparmor/include/net.h    |   44 ++++++++++
+ security/apparmor/include/policy.h |    3 +
+ security/apparmor/lsm.c            |  112 +++++++++++++++++++++++++
+ security/apparmor/net.c            |  162 ++++++++++++++++++++++++++++++++++++
+ security/apparmor/policy.c         |    1 +
+ security/apparmor/policy_unpack.c  |   46 ++++++++++
+ 10 files changed, 414 insertions(+), 3 deletions(-)
+ create mode 100644 security/apparmor/include/net.h
+ create mode 100644 security/apparmor/net.c
+
+diff --git a/security/apparmor/.gitignore b/security/apparmor/.gitignore
+index 4d995ae..d5b291e 100644
+--- a/security/apparmor/.gitignore
+++ b/security/apparmor/.gitignore
+@@ -1,6 +1,6 @@
+ #
+ # Generated include files
+ #
+-af_names.h
+net_names.h
+ capability_names.h
+ rlim_names.h
+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
+index 806bd19..19daa85 100644
+--- a/security/apparmor/Makefile
+++ b/security/apparmor/Makefile
+@@ -4,9 +4,9 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+ 
+ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
+-              resource.o sid.o file.o
+              resource.o sid.o file.o net.o
+ 
+-clean-files := capability_names.h rlim_names.h
+clean-files := capability_names.h rlim_names.h net_names.h
+ 
+ 
+ # Build a lower case string table of capability names
+@@ -20,6 +20,38 @@ cmd_make-caps = echo "static const char *const capability_names[] = {" > $@ ;\
+ 	-e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/[\2] = "\L\1",/p';\
+ 	echo "};" >> $@
+ 
+# Build a lower case string table of address family names
+# Transform lines from
+#    define AF_LOCAL	1	/* POSIX name for AF_UNIX	*/
+#    #define AF_INET		2	/* Internet IP Protocol 	*/
+# to
+#    [1] = "local",
+#    [2] = "inet",
+#
+# and build the securityfs entries for the mapping.
+# Transforms lines from
+#    #define AF_INET		2	/* Internet IP Protocol 	*/
+# to
+#    #define AA_FS_AF_MASK "local inet"
+quiet_cmd_make-af = GEN     $@
+cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\
+	sed $< >>$@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e \
+	 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\
+	echo "};" >> $@ ;\
+	echo -n '\#define AA_FS_AF_MASK "' >> $@ ;\
+	sed -r -n 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/\L\1/p'\
+	 $< | tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
+
+# Build a lower case string table of sock type names
+# Transform lines from
+#    SOCK_STREAM	= 1,
+# to
+#    [1] = "stream",
+quiet_cmd_make-sock = GEN     $@
+cmd_make-sock = echo "static const char *sock_type_names[] = {" >> $@ ;\
+	sed $^ >>$@ -r -n \
+	-e 's/^\tSOCK_([A-Z0-9_]+)[\t]+=[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\
+	echo "};" >> $@
+ 
+ # Build a lower case string table of rlimit names.
+ # Transforms lines from
+@@ -56,6 +88,7 @@ cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \
+ 	    tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
+ 
+ $(obj)/capability.o : $(obj)/capability_names.h
+$(obj)/net.o : $(obj)/net_names.h
+ $(obj)/resource.o : $(obj)/rlim_names.h
+ $(obj)/capability_names.h : $(srctree)/include/linux/capability.h \
+ 			    $(src)/Makefile
+@@ -63,3 +96,8 @@ $(obj)/capability_names.h : $(srctree)/include/linux/capability.h \
+ $(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h \
+ 		      $(src)/Makefile
+ 	$(call cmd,make-rlim)
+$(obj)/net_names.h : $(srctree)/include/linux/socket.h \
+		     $(srctree)/include/linux/net.h \
+		     $(src)/Makefile
+	$(call cmd,make-af)
+	$(call cmd,make-sock)
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 42b7c9f..114fb23 100644
+--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
+@@ -429,6 +429,7 @@ static struct aa_fs_entry aa_fs_entry_domain[] = {
+ static struct aa_fs_entry aa_fs_entry_features[] = {
+ 	AA_FS_DIR("domain",			aa_fs_entry_domain),
+ 	AA_FS_DIR("file",			aa_fs_entry_file),
+	AA_FS_DIR("network",                    aa_fs_entry_network),
+ 	AA_FS_FILE_U64("capability",		VFS_CAP_FLAGS_MASK),
+ 	AA_FS_DIR("rlimit",			aa_fs_entry_rlimit),
+ 	{ }
+diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
+index 4b7e189..17734f9 100644
+--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
+@@ -127,6 +127,10 @@ struct apparmor_audit_data {
+ 			u32 denied;
+ 			uid_t ouid;
+ 		} fs;
+		struct {
+			int type, protocol;
+			struct sock *sk;
+		} net;
+ 	};
+ };
+ 
+diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
+new file mode 100644
+index 0000000..cb8a121
+--- /dev/null
+++ b/security/apparmor/include/net.h
+@@ -0,0 +1,44 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor network mediation definitions.
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2012 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#ifndef __AA_NET_H
+#define __AA_NET_H
+
+#include <net/sock.h>
+
+#include "apparmorfs.h"
+
+/* struct aa_net - network confinement data
+ * @allowed: basic network families permissions
+ * @audit_network: which network permissions to force audit
+ * @quiet_network: which network permissions to quiet rejects
+ */
+struct aa_net {
+	u16 allow[AF_MAX];
+	u16 audit[AF_MAX];
+	u16 quiet[AF_MAX];
+};
+
+extern struct aa_fs_entry aa_fs_entry_network[];
+
+extern int aa_net_perm(int op, struct aa_profile *profile, u16 family,
+		       int type, int protocol, struct sock *sk);
+extern int aa_revalidate_sk(int op, struct sock *sk);
+
+static inline void aa_free_net_rules(struct aa_net *new)
+{
+	/* NOP */
+}
+
+#endif /* __AA_NET_H */
+diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
+index bda4569..eb13a73 100644
+--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
+@@ -27,6 +27,7 @@
+ #include "capability.h"
+ #include "domain.h"
+ #include "file.h"
+#include "net.h"
+ #include "resource.h"
+ 
+ extern const char *const profile_mode_names[];
+@@ -157,6 +158,7 @@ struct aa_policydb {
+  * @policy: general match rules governing policy
+  * @file: The set of rules governing basic file access and domain transitions
+  * @caps: capabilities for the profile
+ * @net: network controls for the profile
+  * @rlimits: rlimits for the profile
+  *
+  * The AppArmor profile contains the basic confinement data.  Each profile
+@@ -194,6 +196,7 @@ struct aa_profile {
+ 	struct aa_policydb policy;
+ 	struct aa_file_rules file;
+ 	struct aa_caps caps;
+	struct aa_net net;
+ 	struct aa_rlimit rlimits;
+ };
+ 
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index 8ea39aa..f628734 100644
+--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
+@@ -32,6 +32,7 @@
+ #include "include/context.h"
+ #include "include/file.h"
+ #include "include/ipc.h"
+#include "include/net.h"
+ #include "include/path.h"
+ #include "include/policy.h"
+ #include "include/procattr.h"
+@@ -614,6 +615,104 @@ static int apparmor_task_setrlimit(struct task_struct *task,
+ 	return error;
+ }
+ 
+static int apparmor_socket_create(int family, int type, int protocol, int kern)
+{
+	struct aa_profile *profile;
+	int error = 0;
+
+	if (kern)
+		return 0;
+
+	profile = __aa_current_profile();
+	if (!unconfined(profile))
+		error = aa_net_perm(OP_CREATE, profile, family, type, protocol,
+				    NULL);
+	return error;
+}
+
+static int apparmor_socket_bind(struct socket *sock,
+				struct sockaddr *address, int addrlen)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_BIND, sk);
+}
+
+static int apparmor_socket_connect(struct socket *sock,
+				   struct sockaddr *address, int addrlen)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_CONNECT, sk);
+}
+
+static int apparmor_socket_listen(struct socket *sock, int backlog)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_LISTEN, sk);
+}
+
+static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_ACCEPT, sk);
+}
+
+static int apparmor_socket_sendmsg(struct socket *sock,
+				   struct msghdr *msg, int size)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_SENDMSG, sk);
+}
+
+static int apparmor_socket_recvmsg(struct socket *sock,
+				   struct msghdr *msg, int size, int flags)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_RECVMSG, sk);
+}
+
+static int apparmor_socket_getsockname(struct socket *sock)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_GETSOCKNAME, sk);
+}
+
+static int apparmor_socket_getpeername(struct socket *sock)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_GETPEERNAME, sk);
+}
+
+static int apparmor_socket_getsockopt(struct socket *sock, int level,
+				      int optname)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_GETSOCKOPT, sk);
+}
+
+static int apparmor_socket_setsockopt(struct socket *sock, int level,
+				      int optname)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_SETSOCKOPT, sk);
+}
+
+static int apparmor_socket_shutdown(struct socket *sock, int how)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
+}
+
+ static struct security_operations apparmor_ops = {
+ 	.name =				"apparmor",
+ 
+@@ -646,6 +745,19 @@ static struct security_operations apparmor_ops = {
+ 	.getprocattr =			apparmor_getprocattr,
+ 	.setprocattr =			apparmor_setprocattr,
+ 
+	.socket_create =		apparmor_socket_create,
+	.socket_bind =			apparmor_socket_bind,
+	.socket_connect =		apparmor_socket_connect,
+	.socket_listen =		apparmor_socket_listen,
+	.socket_accept =		apparmor_socket_accept,
+	.socket_sendmsg =		apparmor_socket_sendmsg,
+	.socket_recvmsg =		apparmor_socket_recvmsg,
+	.socket_getsockname =		apparmor_socket_getsockname,
+	.socket_getpeername =		apparmor_socket_getpeername,
+	.socket_getsockopt =		apparmor_socket_getsockopt,
+	.socket_setsockopt =		apparmor_socket_setsockopt,
+	.socket_shutdown =		apparmor_socket_shutdown,
+
+ 	.cred_alloc_blank =		apparmor_cred_alloc_blank,
+ 	.cred_free =			apparmor_cred_free,
+ 	.cred_prepare =			apparmor_cred_prepare,
+diff --git a/security/apparmor/net.c b/security/apparmor/net.c
+new file mode 100644
+index 0000000..003dd18
+--- /dev/null
+++ b/security/apparmor/net.c
+@@ -0,0 +1,162 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor network mediation
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2012 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#include "include/apparmor.h"
+#include "include/audit.h"
+#include "include/context.h"
+#include "include/net.h"
+#include "include/policy.h"
+
+#include "net_names.h"
+
+struct aa_fs_entry aa_fs_entry_network[] = {
+	AA_FS_FILE_STRING("af_mask", AA_FS_AF_MASK),
+	{ }
+};
+
+/* audit callback for net specific fields */
+static void audit_cb(struct audit_buffer *ab, void *va)
+{
+	struct common_audit_data *sa = va;
+
+	audit_log_format(ab, " family=");
+	if (address_family_names[sa->u.net->family]) {
+		audit_log_string(ab, address_family_names[sa->u.net->family]);
+	} else {
+		audit_log_format(ab, "\"unknown(%d)\"", sa->u.net->family);
+	}
+	audit_log_format(ab, " sock_type=");
+	if (sock_type_names[sa->aad->net.type]) {
+		audit_log_string(ab, sock_type_names[sa->aad->net.type]);
+	} else {
+		audit_log_format(ab, "\"unknown(%d)\"", sa->aad->net.type);
+	}
+	audit_log_format(ab, " protocol=%d", sa->aad->net.protocol);
+}
+
+/**
+ * audit_net - audit network access
+ * @profile: profile being enforced  (NOT NULL)
+ * @op: operation being checked
+ * @family: network family
+ * @type:   network type
+ * @protocol: network protocol
+ * @sk: socket auditing is being applied to
+ * @error: error code for failure else 0
+ *
+ * Returns: %0 or sa->error else other errorcode on failure
+ */
+static int audit_net(struct aa_profile *profile, int op, u16 family, int type,
+		     int protocol, struct sock *sk, int error)
+{
+	int audit_type = AUDIT_APPARMOR_AUTO;
+	struct common_audit_data sa;
+	struct apparmor_audit_data aad = { };
+	struct lsm_network_audit net = { };
+	if (sk) {
+		sa.type = LSM_AUDIT_DATA_NET;
+	} else {
+		sa.type = LSM_AUDIT_DATA_NONE;
+	}
+	/* todo fill in socket addr info */
+	sa.aad = &aad;
+	sa.u.net = &net;
+	sa.aad->op = op,
+	sa.u.net->family = family;
+	sa.u.net->sk = sk;
+	sa.aad->net.type = type;
+	sa.aad->net.protocol = protocol;
+	sa.aad->error = error;
+
+	if (likely(!sa.aad->error)) {
+		u16 audit_mask = profile->net.audit[sa.u.net->family];
+		if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
+			   !(1 << sa.aad->net.type & audit_mask)))
+			return 0;
+		audit_type = AUDIT_APPARMOR_AUDIT;
+	} else {
+		u16 quiet_mask = profile->net.quiet[sa.u.net->family];
+		u16 kill_mask = 0;
+		u16 denied = (1 << sa.aad->net.type) & ~quiet_mask;
+
+		if (denied & kill_mask)
+			audit_type = AUDIT_APPARMOR_KILL;
+
+		if ((denied & quiet_mask) &&
+		    AUDIT_MODE(profile) != AUDIT_NOQUIET &&
+		    AUDIT_MODE(profile) != AUDIT_ALL)
+			return COMPLAIN_MODE(profile) ? 0 : sa.aad->error;
+	}
+
+	return aa_audit(audit_type, profile, GFP_KERNEL, &sa, audit_cb);
+}
+
+/**
+ * aa_net_perm - very course network access check
+ * @op: operation being checked
+ * @profile: profile being enforced  (NOT NULL)
+ * @family: network family
+ * @type:   network type
+ * @protocol: network protocol
+ *
+ * Returns: %0 else error if permission denied
+ */
+int aa_net_perm(int op, struct aa_profile *profile, u16 family, int type,
+		int protocol, struct sock *sk)
+{
+	u16 family_mask;
+	int error;
+
+	if ((family < 0) || (family >= AF_MAX))
+		return -EINVAL;
+
+	if ((type < 0) || (type >= SOCK_MAX))
+		return -EINVAL;
+
+	/* unix domain and netlink sockets are handled by ipc */
+	if (family == AF_UNIX || family == AF_NETLINK)
+		return 0;
+
+	family_mask = profile->net.allow[family];
+
+	error = (family_mask & (1 << type)) ? 0 : -EACCES;
+
+	return audit_net(profile, op, family, type, protocol, sk, error);
+}
+
+/**
+ * aa_revalidate_sk - Revalidate access to a sock
+ * @op: operation being checked
+ * @sk: sock being revalidated  (NOT NULL)
+ *
+ * Returns: %0 else error if permission denied
+ */
+int aa_revalidate_sk(int op, struct sock *sk)
+{
+	struct aa_profile *profile;
+	int error = 0;
+
+	/* aa_revalidate_sk should not be called from interrupt context
+	 * don't mediate these calls as they are not task related
+	 */
+	if (in_interrupt())
+		return 0;
+
+	profile = __aa_current_profile();
+	if (!unconfined(profile))
+		error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type,
+				    sk->sk_protocol, sk);
+
+	return error;
+}
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index cf5fd22..27c8161 100644
+--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
+@@ -745,6 +745,7 @@ static void free_profile(struct aa_profile *profile)
+ 
+ 	aa_free_file_rules(&profile->file);
+ 	aa_free_cap_rules(&profile->caps);
+	aa_free_net_rules(&profile->net);
+ 	aa_free_rlimit_rules(&profile->rlimits);
+ 
+ 	aa_free_sid(profile->sid);
+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
+index 329b1fd..1b90dfa 100644
+--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
+@@ -193,6 +193,19 @@ fail:
+ 	return 0;
+ }
+ 
+static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name)
+{
+	if (unpack_nameX(e, AA_U16, name)) {
+		if (!inbounds(e, sizeof(u16)))
+			return 0;
+		if (data)
+			*data = le16_to_cpu(get_unaligned((u16 *) e->pos));
+		e->pos += sizeof(u16);
+		return 1;
+	}
+	return 0;
+}
+
+ static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
+ {
+ 	if (unpack_nameX(e, AA_U32, name)) {
+@@ -471,6 +484,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ {
+ 	struct aa_profile *profile = NULL;
+ 	const char *name = NULL;
+	size_t size = 0;
+ 	int i, error = -EPROTO;
+ 	kernel_cap_t tmpcap;
+ 	u32 tmp;
+@@ -564,6 +578,38 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ 	if (!unpack_rlimits(e, profile))
+ 		goto fail;
+ 
+	size = unpack_array(e, "net_allowed_af");
+	if (size) {
+
+		for (i = 0; i < size; i++) {
+			/* discard extraneous rules that this kernel will
+			 * never request
+			 */
+			if (i >= AF_MAX) {
+				u16 tmp;
+				if (!unpack_u16(e, &tmp, NULL) ||
+				    !unpack_u16(e, &tmp, NULL) ||
+				    !unpack_u16(e, &tmp, NULL))
+					goto fail;
+				continue;
+			}
+			if (!unpack_u16(e, &profile->net.allow[i], NULL))
+				goto fail;
+			if (!unpack_u16(e, &profile->net.audit[i], NULL))
+				goto fail;
+			if (!unpack_u16(e, &profile->net.quiet[i], NULL))
+				goto fail;
+		}
+		if (!unpack_nameX(e, AA_ARRAYEND, NULL))
+			goto fail;
+	}
+	/*
+	 * allow unix domain and netlink sockets they are handled
+	 * by IPC
+	 */
+	profile->net.allow[AF_UNIX] = 0xffff;
+	profile->net.allow[AF_NETLINK] = 0xffff;
+
+ 	if (unpack_nameX(e, AA_STRUCT, "policydb")) {
+ 		/* generic policy dfa - optional and may be NULL */
+ 		profile->policy.dfa = unpack_dfa(e);
+-- 
+1.7.10.4
+
--- a/kernel-patches/3.5/0003-apparmor-Fix-quieting-of-audit-messages-for-network-.patch
+++ b/kernel-patches/3.5/0003-apparmor-Fix-quieting-of-audit-messages-for-network-.patch
@@ -0,0 +1,38 @@
+From 4b25e62dc1e8d81d80f778e1e57b7c38ba4fd901 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Fri, 29 Jun 2012 17:34:00 -0700
+Subject: [PATCH 3/6] apparmor: Fix quieting of audit messages for network
+ mediation
+
+If a profile specified a quieting of network denials for a given rule by
+either the quiet or deny rule qualifiers, the resultant quiet mask for
+denied requests was applied incorrectly, resulting in two potential bugs.
+1. The misapplied quiet mask would prevent denials from being correctly
+   tested against the kill mask/mode. Thus network access requests that
+   should have resulted in the application being killed did not.
+
+2. The actual quieting of the denied network request was not being applied.
+   This would result in network rejections always being logged even when
+   they had been specifically marked as quieted.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ security/apparmor/net.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/apparmor/net.c b/security/apparmor/net.c
+index 003dd18..6e6e5c9 100644
+--- a/security/apparmor/net.c
+++ b/security/apparmor/net.c
+@@ -88,7 +88,7 @@ static int audit_net(struct aa_profile *profile, int op, u16 family, int type,
+ 	} else {
+ 		u16 quiet_mask = profile->net.quiet[sa.u.net->family];
+ 		u16 kill_mask = 0;
+-		u16 denied = (1 << sa.aad->net.type) & ~quiet_mask;
+		u16 denied = (1 << sa.aad->net.type);
+ 
+ 		if (denied & kill_mask)
+ 			audit_type = AUDIT_APPARMOR_KILL;
+-- 
+1.7.10.4
+
--- a/kernel-patches/3.5/0004-apparmor-Ensure-apparmor-does-not-mediate-kernel-bas.patch
+++ b/kernel-patches/3.5/0004-apparmor-Ensure-apparmor-does-not-mediate-kernel-bas.patch
@@ -0,0 +1,98 @@
+From e2d745442133f625e715f713c0441f0f2a7ea6ad Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Fri, 29 Jun 2012 17:34:01 -0700
+Subject: [PATCH 4/6] apparmor: Ensure apparmor does not mediate kernel based
+ sockets
+
+Currently apparmor makes the assumption that kernel sockets are unmediated
+because mediation is only done against tasks that have a profile attached.
+Ensure we never get in a situation where a kernel socket is being mediated
+by tagging the sk_security field for kernel sockets.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ security/apparmor/include/net.h |    2 ++
+ security/apparmor/lsm.c         |   18 ++++++++++++++++++
+ security/apparmor/net.c         |    3 +++
+ 3 files changed, 23 insertions(+)
+
+diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
+index cb8a121..bc8198b 100644
+--- a/security/apparmor/include/net.h
+++ b/security/apparmor/include/net.h
+@@ -19,6 +19,8 @@
+ 
+ #include "apparmorfs.h"
+ 
+#define AA_SOCK_KERN 0xAA
+
+ /* struct aa_net - network confinement data
+  * @allowed: basic network families permissions
+  * @audit_network: which network permissions to force audit
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index f628734..a172d01 100644
+--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
+@@ -630,6 +630,16 @@ static int apparmor_socket_create(int family, int type, int protocol, int kern)
+ 	return error;
+ }
+ 
+static int apparmor_socket_post_create(struct socket *sock, int family,
+				       int type, int protocol, int kern)
+{
+	if (kern)
+		/* tag kernel sockets so we don't mediate them later */
+		sock->sk->sk_security = (void *) AA_SOCK_KERN;
+
+	return 0;
+}
+
+ static int apparmor_socket_bind(struct socket *sock,
+ 				struct sockaddr *address, int addrlen)
+ {
+@@ -713,6 +723,12 @@ static int apparmor_socket_shutdown(struct socket *sock, int how)
+ 	return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
+ }
+ 
+static void apparmor_sk_clone_security(const struct sock *sk,
+				       struct sock *newsk)
+{
+	newsk->sk_security = sk->sk_security;
+}
+
+ static struct security_operations apparmor_ops = {
+ 	.name =				"apparmor",
+ 
+@@ -746,6 +762,7 @@ static struct security_operations apparmor_ops = {
+ 	.setprocattr =			apparmor_setprocattr,
+ 
+ 	.socket_create =		apparmor_socket_create,
+	.socket_post_create =		apparmor_socket_post_create,
+ 	.socket_bind =			apparmor_socket_bind,
+ 	.socket_connect =		apparmor_socket_connect,
+ 	.socket_listen =		apparmor_socket_listen,
+@@ -757,6 +774,7 @@ static struct security_operations apparmor_ops = {
+ 	.socket_getsockopt =		apparmor_socket_getsockopt,
+ 	.socket_setsockopt =		apparmor_socket_setsockopt,
+ 	.socket_shutdown =		apparmor_socket_shutdown,
+	.sk_clone_security =		apparmor_sk_clone_security,
+ 
+ 	.cred_alloc_blank =		apparmor_cred_alloc_blank,
+ 	.cred_free =			apparmor_cred_free,
+diff --git a/security/apparmor/net.c b/security/apparmor/net.c
+index 6e6e5c9..baa4df1 100644
+--- a/security/apparmor/net.c
+++ b/security/apparmor/net.c
+@@ -153,6 +153,9 @@ int aa_revalidate_sk(int op, struct sock *sk)
+ 	if (in_interrupt())
+ 		return 0;
+ 
+	if (sk->sk_security == (void *) AA_SOCK_KERN)
+		return 0;
+
+ 	profile = __aa_current_profile();
+ 	if (!unconfined(profile))
+ 		error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type,
+-- 
+1.7.10.4
+
--- a/kernel-patches/3.5/0005-UBUNTU-SAUCE-apparmor-Add-the-ability-to-mediate-mou.patch
+++ b/kernel-patches/3.5/0005-UBUNTU-SAUCE-apparmor-Add-the-ability-to-mediate-mou.patch
@@ -0,0 +1,957 @@
+From 272431fc90fab50ea9593d969d3ab8d98f03627c Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 16 May 2012 10:58:05 -0700
+Subject: [PATCH 5/6] UBUNTU: SAUCE: apparmor: Add the ability to mediate
+ mount
+
+Add the ability for apparmor to do mediation of mount operations. Mount
+rules require an updated apparmor_parser (2.8 series) for policy compilation.
+
+The basic form of the rules are.
+
+  [audit] [deny] mount [conds]* [device] [ -> [conds] path],
+  [audit] [deny] remount [conds]* [path],
+  [audit] [deny] umount [conds]* [path],
+  [audit] [deny] pivotroot [oldroot=<value>] <path>
+
+  remount is just a short cut for mount options=remount
+
+  where [conds] can be
+    fstype=<expr>
+    options=<expr>
+
+Example mount commands
+  mount,		# allow all mounts, but not umount or pivotroot
+
+  mount fstype=procfs,  # allow mounting procfs anywhere
+
+  mount options=(bind, ro) /foo -> /bar,  # readonly bind mount
+
+  mount /dev/sda -> /mnt,
+
+  mount /dev/sd** -> /mnt/**,
+
+  mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) -> /mnt/
+
+  umount,
+
+  umount /m*,
+
+See the apparmor userspace for full documentation
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Acked-by: Kees Cook <kees@ubuntu.com>
+---
+ security/apparmor/Makefile           |    2 +-
+ security/apparmor/apparmorfs.c       |   13 +
+ security/apparmor/audit.c            |    4 +
+ security/apparmor/domain.c           |    2 +-
+ security/apparmor/include/apparmor.h |    3 +-
+ security/apparmor/include/audit.h    |   11 +
+ security/apparmor/include/domain.h   |    2 +
+ security/apparmor/include/mount.h    |   54 +++
+ security/apparmor/lsm.c              |   59 ++++
+ security/apparmor/mount.c            |  620 ++++++++++++++++++++++++++++++++++
+ 10 files changed, 767 insertions(+), 3 deletions(-)
+ create mode 100644 security/apparmor/include/mount.h
+ create mode 100644 security/apparmor/mount.c
+
+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
+index 19daa85..63e0a4c 100644
+--- a/security/apparmor/Makefile
+++ b/security/apparmor/Makefile
+@@ -4,7 +4,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+ 
+ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
+-              resource.o sid.o file.o net.o
+              resource.o sid.o file.o net.o mount.o
+ 
+ clean-files := capability_names.h rlim_names.h net_names.h
+ 
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 114fb23..ee77ec9 100644
+--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
+@@ -426,10 +426,23 @@ static struct aa_fs_entry aa_fs_entry_domain[] = {
+ 	{ }
+ };
+ 
+static struct aa_fs_entry aa_fs_entry_mount[] = {
+	AA_FS_FILE_STRING("mask", "mount umount"),
+	{ }
+};
+
+static struct aa_fs_entry aa_fs_entry_namespaces[] = {
+	AA_FS_FILE_BOOLEAN("profile",           1),
+	AA_FS_FILE_BOOLEAN("pivot_root",        1),
+	{ }
+};
+
+ static struct aa_fs_entry aa_fs_entry_features[] = {
+ 	AA_FS_DIR("domain",			aa_fs_entry_domain),
+ 	AA_FS_DIR("file",			aa_fs_entry_file),
+ 	AA_FS_DIR("network",                    aa_fs_entry_network),
+	AA_FS_DIR("mount",                      aa_fs_entry_mount),
+	AA_FS_DIR("namespaces",                 aa_fs_entry_namespaces),
+ 	AA_FS_FILE_U64("capability",		VFS_CAP_FLAGS_MASK),
+ 	AA_FS_DIR("rlimit",			aa_fs_entry_rlimit),
+ 	{ }
+diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
+index 3ae28db..e267963 100644
+--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
+@@ -44,6 +44,10 @@ const char *const op_table[] = {
+ 	"file_mmap",
+ 	"file_mprotect",
+ 
+	"pivotroot",
+	"mount",
+	"umount",
+
+ 	"create",
+ 	"post_create",
+ 	"bind",
+diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
+index b81ea10..afa8671 100644
+--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
+@@ -242,7 +242,7 @@ static const char *next_name(int xtype, const char *name)
+  *
+  * Returns: refcounted profile, or NULL on failure (MAYBE NULL)
+  */
+-static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
+struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
+ {
+ 	struct aa_profile *new_profile = NULL;
+ 	struct aa_namespace *ns = profile->ns;
+diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
+index 40aedd9..e243d96 100644
+--- a/security/apparmor/include/apparmor.h
+++ b/security/apparmor/include/apparmor.h
+@@ -29,8 +29,9 @@
+ #define AA_CLASS_NET		4
+ #define AA_CLASS_RLIMITS	5
+ #define AA_CLASS_DOMAIN		6
+#define AA_CLASS_MOUNT		7
+ 
+-#define AA_CLASS_LAST		AA_CLASS_DOMAIN
+#define AA_CLASS_LAST		AA_CLASS_MOUNT
+ 
+ /* Control parameters settable through module/boot flags */
+ extern enum audit_mode aa_g_audit;
+diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
+index 17734f9..66a738c 100644
+--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
+@@ -73,6 +73,10 @@ enum aa_ops {
+ 	OP_FMMAP,
+ 	OP_FMPROT,
+ 
+	OP_PIVOTROOT,
+	OP_MOUNT,
+	OP_UMOUNT,
+
+ 	OP_CREATE,
+ 	OP_POST_CREATE,
+ 	OP_BIND,
+@@ -122,6 +126,13 @@ struct apparmor_audit_data {
+ 			unsigned long max;
+ 		} rlim;
+ 		struct {
+			const char *src_name;
+			const char *type;
+			const char *trans;
+			const char *data;
+			unsigned long flags;
+		} mnt;
+		struct {
+ 			const char *target;
+ 			u32 request;
+ 			u32 denied;
+diff --git a/security/apparmor/include/domain.h b/security/apparmor/include/domain.h
+index de04464..a3f70c5 100644
+--- a/security/apparmor/include/domain.h
+++ b/security/apparmor/include/domain.h
+@@ -23,6 +23,8 @@ struct aa_domain {
+ 	char **table;
+ };
+ 
+struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex);
+
+ int apparmor_bprm_set_creds(struct linux_binprm *bprm);
+ int apparmor_bprm_secureexec(struct linux_binprm *bprm);
+ void apparmor_bprm_committing_creds(struct linux_binprm *bprm);
+diff --git a/security/apparmor/include/mount.h b/security/apparmor/include/mount.h
+new file mode 100644
+index 0000000..bc17a53
+--- /dev/null
+++ b/security/apparmor/include/mount.h
+@@ -0,0 +1,54 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor file mediation function definitions.
+ *
+ * Copyright 2012 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#ifndef __AA_MOUNT_H
+#define __AA_MOUNT_H
+
+#include <linux/fs.h>
+#include <linux/path.h>
+
+#include "domain.h"
+#include "policy.h"
+
+/* mount perms */
+#define AA_MAY_PIVOTROOT	0x01
+#define AA_MAY_MOUNT		0x02
+#define AA_MAY_UMOUNT		0x04
+#define AA_AUDIT_DATA		0x40
+#define AA_CONT_MATCH		0x40
+
+#define AA_MS_IGNORE_MASK (MS_KERNMOUNT | MS_NOSEC | MS_ACTIVE | MS_BORN)
+
+int aa_remount(struct aa_profile *profile, struct path *path,
+	       unsigned long flags, void *data);
+
+int aa_bind_mount(struct aa_profile *profile, struct path *path,
+		  const char *old_name, unsigned long flags);
+
+
+int aa_mount_change_type(struct aa_profile *profile, struct path *path,
+			 unsigned long flags);
+
+int aa_move_mount(struct aa_profile *profile, struct path *path,
+		  const char *old_name);
+
+int aa_new_mount(struct aa_profile *profile, const char *dev_name,
+		 struct path *path, const char *type, unsigned long flags,
+		 void *data);
+
+int aa_umount(struct aa_profile *profile, struct vfsmount *mnt, int flags);
+
+int aa_pivotroot(struct aa_profile *profile, struct path *old_path,
+		  struct path *new_path);
+
+#endif /* __AA_MOUNT_H */
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index a172d01..5da8af9 100644
+--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
+@@ -36,6 +36,7 @@
+ #include "include/path.h"
+ #include "include/policy.h"
+ #include "include/procattr.h"
+#include "include/mount.h"
+ 
+ /* Flag indicating whether initialization completed */
+ int apparmor_initialized __initdata;
+@@ -504,6 +505,60 @@ static int apparmor_file_mprotect(struct vm_area_struct *vma,
+ 			   !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
+ }
+ 
+static int apparmor_sb_mount(char *dev_name, struct path *path, char *type,
+			     unsigned long flags, void *data)
+{
+	struct aa_profile *profile;
+	int error = 0;
+
+	/* Discard magic */
+	if ((flags & MS_MGC_MSK) == MS_MGC_VAL)
+		flags &= ~MS_MGC_MSK;
+
+	flags &= ~AA_MS_IGNORE_MASK;
+
+	profile = __aa_current_profile();
+	if (!unconfined(profile)) {
+		if (flags & MS_REMOUNT)
+			error = aa_remount(profile, path, flags, data);
+		else if (flags & MS_BIND)
+			error = aa_bind_mount(profile, path, dev_name, flags);
+		else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE |
+				  MS_UNBINDABLE))
+			error = aa_mount_change_type(profile, path, flags);
+		else if (flags & MS_MOVE)
+			error = aa_move_mount(profile, path, dev_name);
+		else
+			error = aa_new_mount(profile, dev_name, path, type,
+					     flags, data);
+	}
+	return error;
+}
+
+static int apparmor_sb_umount(struct vfsmount *mnt, int flags)
+{
+	struct aa_profile *profile;
+	int error = 0;
+
+	profile = __aa_current_profile();
+	if (!unconfined(profile))
+		error = aa_umount(profile, mnt, flags);
+
+	return error;
+}
+
+static int apparmor_sb_pivotroot(struct path *old_path, struct path *new_path)
+{
+	struct aa_profile *profile;
+	int error = 0;
+
+	profile = __aa_current_profile();
+	if (!unconfined(profile))
+		error = aa_pivotroot(profile, old_path, new_path);
+
+	return error;
+}
+
+ static int apparmor_getprocattr(struct task_struct *task, char *name,
+ 				char **value)
+ {
+@@ -737,6 +792,10 @@ static struct security_operations apparmor_ops = {
+ 	.capget =			apparmor_capget,
+ 	.capable =			apparmor_capable,
+ 
+	.sb_mount =			apparmor_sb_mount,
+	.sb_umount =			apparmor_sb_umount,
+	.sb_pivotroot =			apparmor_sb_pivotroot,
+
+ 	.path_link =			apparmor_path_link,
+ 	.path_unlink =			apparmor_path_unlink,
+ 	.path_symlink =			apparmor_path_symlink,
+diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c
+new file mode 100644
+index 0000000..478aa4d
+--- /dev/null
+++ b/security/apparmor/mount.c
+@@ -0,0 +1,620 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor mediation of files
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2012 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#include <linux/fs.h>
+#include <linux/mount.h>
+#include <linux/namei.h>
+
+#include "include/apparmor.h"
+#include "include/audit.h"
+#include "include/context.h"
+#include "include/domain.h"
+#include "include/file.h"
+#include "include/match.h"
+#include "include/mount.h"
+#include "include/path.h"
+#include "include/policy.h"
+
+
+static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags)
+{
+	if (flags & MS_RDONLY)
+		audit_log_format(ab, "ro");
+	else
+		audit_log_format(ab, "rw");
+	if (flags & MS_NOSUID)
+		audit_log_format(ab, ", nosuid");
+	if (flags & MS_NODEV)
+		audit_log_format(ab, ", nodev");
+	if (flags & MS_NOEXEC)
+		audit_log_format(ab, ", noexec");
+	if (flags & MS_SYNCHRONOUS)
+		audit_log_format(ab, ", sync");
+	if (flags & MS_REMOUNT)
+		audit_log_format(ab, ", remount");
+	if (flags & MS_MANDLOCK)
+		audit_log_format(ab, ", mand");
+	if (flags & MS_DIRSYNC)
+		audit_log_format(ab, ", dirsync");
+	if (flags & MS_NOATIME)
+		audit_log_format(ab, ", noatime");
+	if (flags & MS_NODIRATIME)
+		audit_log_format(ab, ", nodiratime");
+	if (flags & MS_BIND)
+		audit_log_format(ab, flags & MS_REC ? ", rbind" : ", bind");
+	if (flags & MS_MOVE)
+		audit_log_format(ab, ", move");
+	if (flags & MS_SILENT)
+		audit_log_format(ab, ", silent");
+	if (flags & MS_POSIXACL)
+		audit_log_format(ab, ", acl");
+	if (flags & MS_UNBINDABLE)
+		audit_log_format(ab, flags & MS_REC ? ", runbindable" :
+				 ", unbindable");
+	if (flags & MS_PRIVATE)
+		audit_log_format(ab, flags & MS_REC ? ", rprivate" :
+				 ", private");
+	if (flags & MS_SLAVE)
+		audit_log_format(ab, flags & MS_REC ? ", rslave" :
+				 ", slave");
+	if (flags & MS_SHARED)
+		audit_log_format(ab, flags & MS_REC ? ", rshared" :
+				 ", shared");
+	if (flags & MS_RELATIME)
+		audit_log_format(ab, ", relatime");
+	if (flags & MS_I_VERSION)
+		audit_log_format(ab, ", iversion");
+	if (flags & MS_STRICTATIME)
+		audit_log_format(ab, ", strictatime");
+	if (flags & MS_NOUSER)
+		audit_log_format(ab, ", nouser");
+}
+
+/**
+ * audit_cb - call back for mount specific audit fields
+ * @ab: audit_buffer  (NOT NULL)
+ * @va: audit struct to audit values of  (NOT NULL)
+ */
+static void audit_cb(struct audit_buffer *ab, void *va)
+{
+	struct common_audit_data *sa = va;
+
+	if (sa->aad->mnt.type) {
+		audit_log_format(ab, " fstype=");
+		audit_log_untrustedstring(ab, sa->aad->mnt.type);
+	}
+	if (sa->aad->mnt.src_name) {
+		audit_log_format(ab, " srcname=");
+		audit_log_untrustedstring(ab, sa->aad->mnt.src_name);
+	}
+	if (sa->aad->mnt.trans) {
+		audit_log_format(ab, " trans=");
+		audit_log_untrustedstring(ab, sa->aad->mnt.trans);
+	}
+	if (sa->aad->mnt.flags || sa->aad->op == OP_MOUNT) {
+		audit_log_format(ab, " flags=\"");
+		audit_mnt_flags(ab, sa->aad->mnt.flags);
+		audit_log_format(ab, "\"");
+	}
+	if (sa->aad->mnt.data) {
+		audit_log_format(ab, " options=");
+		audit_log_untrustedstring(ab, sa->aad->mnt.data);
+	}
+}
+
+/**
+ * audit_mount - handle the auditing of mount operations
+ * @profile: the profile being enforced  (NOT NULL)
+ * @gfp: allocation flags
+ * @op: operation being mediated (NOT NULL)
+ * @name: name of object being mediated (MAYBE NULL)
+ * @src_name: src_name of object being mediated (MAYBE_NULL)
+ * @type: type of filesystem (MAYBE_NULL)
+ * @trans: name of trans (MAYBE NULL)
+ * @flags: filesystem idependent mount flags
+ * @data: filesystem mount flags
+ * @request: permissions requested
+ * @perms: the permissions computed for the request (NOT NULL)
+ * @info: extra information message (MAYBE NULL)
+ * @error: 0 if operation allowed else failure error code
+ *
+ * Returns: %0 or error on failure
+ */
+static int audit_mount(struct aa_profile *profile, gfp_t gfp, int op,
+		       const char *name, const char *src_name,
+		       const char *type, const char *trans,
+		       unsigned long flags, const void *data, u32 request,
+		       struct file_perms *perms, const char *info, int error)
+{
+	int audit_type = AUDIT_APPARMOR_AUTO;
+	struct common_audit_data sa = { };
+	struct apparmor_audit_data aad = { };
+
+	if (likely(!error)) {
+		u32 mask = perms->audit;
+
+		if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL))
+			mask = 0xffff;
+
+		/* mask off perms that are not being force audited */
+		request &= mask;
+
+		if (likely(!request))
+			return 0;
+		audit_type = AUDIT_APPARMOR_AUDIT;
+	} else {
+		/* only report permissions that were denied */
+		request = request & ~perms->allow;
+
+		if (request & perms->kill)
+			audit_type = AUDIT_APPARMOR_KILL;
+
+		/* quiet known rejects, assumes quiet and kill do not overlap */
+		if ((request & perms->quiet) &&
+		    AUDIT_MODE(profile) != AUDIT_NOQUIET &&
+		    AUDIT_MODE(profile) != AUDIT_ALL)
+			request &= ~perms->quiet;
+
+		if (!request)
+			return COMPLAIN_MODE(profile) ?
+				complain_error(error) : error;
+	}
+
+	sa.type = LSM_AUDIT_DATA_NONE;
+	sa.aad = &aad;
+	sa.aad->op = op;
+	sa.aad->name = name;
+	sa.aad->mnt.src_name = src_name;
+	sa.aad->mnt.type = type;
+	sa.aad->mnt.trans = trans;
+	sa.aad->mnt.flags = flags;
+	if (data && (perms->audit & AA_AUDIT_DATA))
+		sa.aad->mnt.data = data;
+	sa.aad->info = info;
+	sa.aad->error = error;
+
+	return aa_audit(audit_type, profile, gfp, &sa, audit_cb);
+}
+
+/**
+ * match_mnt_flags - Do an ordered match on mount flags
+ * @dfa: dfa to match against
+ * @state: state to start in
+ * @flags: mount flags to match against
+ *
+ * Mount flags are encoded as an ordered match. This is done instead of
+ * checking against a simple bitmask, to allow for logical operations
+ * on the flags.
+ *
+ * Returns: next state after flags match
+ */
+static unsigned int match_mnt_flags(struct aa_dfa *dfa, unsigned int state,
+				    unsigned long flags)
+{
+	unsigned int i;
+
+	for (i = 0; i <= 31 ; ++i) {
+		if ((1 << i) & flags)
+			state = aa_dfa_next(dfa, state, i + 1);
+	}
+
+	return state;
+}
+
+/**
+ * compute_mnt_perms - compute mount permission associated with @state
+ * @dfa: dfa to match against (NOT NULL)
+ * @state: state match finished in
+ *
+ * Returns: mount permissions
+ */
+static struct file_perms compute_mnt_perms(struct aa_dfa *dfa,
+					   unsigned int state)
+{
+	struct file_perms perms;
+
+	perms.kill = 0;
+	perms.allow = dfa_user_allow(dfa, state);
+	perms.audit = dfa_user_audit(dfa, state);
+	perms.quiet = dfa_user_quiet(dfa, state);
+	perms.xindex = dfa_user_xindex(dfa, state);
+
+	return perms;
+}
+
+static const char const *mnt_info_table[] = {
+	"match succeeded",
+	"failed mntpnt match",
+	"failed srcname match",
+	"failed type match",
+	"failed flags match",
+	"failed data match"
+};
+
+/*
+ * Returns 0 on success else element that match failed in, this is the
+ * index into the mnt_info_table above
+ */
+static int do_match_mnt(struct aa_dfa *dfa, unsigned int start,
+			const char *mntpnt, const char *devname,
+			const char *type, unsigned long flags,
+			void *data, bool binary, struct file_perms *perms)
+{
+	unsigned int state;
+
+	state = aa_dfa_match(dfa, start, mntpnt);
+	state = aa_dfa_null_transition(dfa, state);
+	if (!state)
+		return 1;
+
+	if (devname)
+		state = aa_dfa_match(dfa, state, devname);
+	state = aa_dfa_null_transition(dfa, state);
+	if (!state)
+		return 2;
+
+	if (type)
+		state = aa_dfa_match(dfa, state, type);
+	state = aa_dfa_null_transition(dfa, state);
+	if (!state)
+		return 3;
+
+	state = match_mnt_flags(dfa, state, flags);
+	if (!state)
+		return 4;
+	*perms = compute_mnt_perms(dfa, state);
+	if (perms->allow & AA_MAY_MOUNT)
+		return 0;
+
+	/* only match data if not binary and the DFA flags data is expected */
+	if (data && !binary && (perms->allow & AA_CONT_MATCH)) {
+		state = aa_dfa_null_transition(dfa, state);
+		if (!state)
+			return 4;
+
+		state = aa_dfa_match(dfa, state, data);
+		if (!state)
+			return 5;
+		*perms = compute_mnt_perms(dfa, state);
+		if (perms->allow & AA_MAY_MOUNT)
+			return 0;
+	}
+
+	/* failed at end of flags match */
+	return 4;
+}
+
+/**
+ * match_mnt - handle path matching for mount
+ * @profile: the confining profile
+ * @mntpnt: string for the mntpnt (NOT NULL)
+ * @devname: string for the devname/src_name (MAYBE NULL)
+ * @type: string for the dev type (MAYBE NULL)
+ * @flags: mount flags to match
+ * @data: fs mount data (MAYBE NULL)
+ * @binary: whether @data is binary
+ * @perms: Returns: permission found by the match
+ * @info: Returns: infomation string about the match for logging
+ *
+ * Returns: 0 on success else error
+ */
+static int match_mnt(struct aa_profile *profile, const char *mntpnt,
+		     const char *devname, const char *type,
+		     unsigned long flags, void *data, bool binary,
+		     struct file_perms *perms, const char **info)
+{
+	int pos;
+
+	if (!profile->policy.dfa)
+		return -EACCES;
+
+	pos = do_match_mnt(profile->policy.dfa,
+			   profile->policy.start[AA_CLASS_MOUNT],
+			   mntpnt, devname, type, flags, data, binary, perms);
+	if (pos) {
+		*info = mnt_info_table[pos];
+		return -EACCES;
+	}
+
+	return 0;
+}
+
+static int path_flags(struct aa_profile *profile, struct path *path)
+{
+	return profile->path_flags |
+		S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0;
+}
+
+int aa_remount(struct aa_profile *profile, struct path *path,
+	       unsigned long flags, void *data)
+{
+	struct file_perms perms = { };
+	const char *name, *info = NULL;
+	char *buffer = NULL;
+	int binary, error;
+
+	binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA;
+
+	error = aa_path_name(path, path_flags(profile, path), &buffer, &name,
+			     &info);
+	if (error)
+		goto audit;
+
+	error = match_mnt(profile, name, NULL, NULL, flags, data, binary,
+			  &perms, &info);
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name, NULL, NULL,
+			    NULL, flags, data, AA_MAY_MOUNT, &perms, info,
+			    error);
+	kfree(buffer);
+
+	return error;
+}
+
+int aa_bind_mount(struct aa_profile *profile, struct path *path,
+		  const char *dev_name, unsigned long flags)
+{
+	struct file_perms perms = { };
+	char *buffer = NULL, *old_buffer = NULL;
+	const char *name, *old_name = NULL, *info = NULL;
+	struct path old_path;
+	int error;
+
+	if (!dev_name || !*dev_name)
+		return -EINVAL;
+
+	flags &= MS_REC | MS_BIND;
+
+	error = aa_path_name(path, path_flags(profile, path), &buffer, &name,
+			     &info);
+	if (error)
+		goto audit;
+
+	error = kern_path(dev_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path);
+	if (error)
+		goto audit;
+
+	error = aa_path_name(&old_path, path_flags(profile, &old_path),
+			     &old_buffer, &old_name, &info);
+	path_put(&old_path);
+	if (error)
+		goto audit;
+
+	error = match_mnt(profile, name, old_name, NULL, flags, NULL, 0,
+			  &perms, &info);
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name, old_name,
+			    NULL, NULL, flags, NULL, AA_MAY_MOUNT, &perms,
+			    info, error);
+	kfree(buffer);
+	kfree(old_buffer);
+
+	return error;
+}
+
+int aa_mount_change_type(struct aa_profile *profile, struct path *path,
+			 unsigned long flags)
+{
+	struct file_perms perms = { };
+	char *buffer = NULL;
+	const char *name, *info = NULL;
+	int error;
+
+	/* These are the flags allowed by do_change_type() */
+	flags &= (MS_REC | MS_SILENT | MS_SHARED | MS_PRIVATE | MS_SLAVE |
+		  MS_UNBINDABLE);
+
+	error = aa_path_name(path, path_flags(profile, path), &buffer, &name,
+			     &info);
+	if (error)
+		goto audit;
+
+	error = match_mnt(profile, name, NULL, NULL, flags, NULL, 0, &perms,
+			  &info);
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name, NULL, NULL,
+			    NULL, flags, NULL, AA_MAY_MOUNT, &perms, info,
+			    error);
+	kfree(buffer);
+
+	return error;
+}
+
+int aa_move_mount(struct aa_profile *profile, struct path *path,
+		  const char *orig_name)
+{
+	struct file_perms perms = { };
+	char *buffer = NULL, *old_buffer = NULL;
+	const char *name, *old_name = NULL, *info = NULL;
+	struct path old_path;
+	int error;
+
+	if (!orig_name || !*orig_name)
+		return -EINVAL;
+
+	error = aa_path_name(path, path_flags(profile, path), &buffer, &name,
+			     &info);
+	if (error)
+		goto audit;
+
+	error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path);
+	if (error)
+		goto audit;
+
+	error = aa_path_name(&old_path, path_flags(profile, &old_path),
+			     &old_buffer, &old_name, &info);
+	path_put(&old_path);
+	if (error)
+		goto audit;
+
+	error = match_mnt(profile, name, old_name, NULL, MS_MOVE, NULL, 0,
+			  &perms, &info);
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name, old_name,
+			    NULL, NULL, MS_MOVE, NULL, AA_MAY_MOUNT, &perms,
+			    info, error);
+	kfree(buffer);
+	kfree(old_buffer);
+
+	return error;
+}
+
+int aa_new_mount(struct aa_profile *profile, const char *orig_dev_name,
+		 struct path *path, const char *type, unsigned long flags,
+		 void *data)
+{
+	struct file_perms perms = { };
+	char *buffer = NULL, *dev_buffer = NULL;
+	const char *name = NULL, *dev_name = NULL, *info = NULL;
+	int binary = 1;
+	int error;
+
+	dev_name = orig_dev_name;
+	if (type) {
+		int requires_dev;
+		struct file_system_type *fstype = get_fs_type(type);
+		if (!fstype)
+			return -ENODEV;
+
+		binary = fstype->fs_flags & FS_BINARY_MOUNTDATA;
+		requires_dev = fstype->fs_flags & FS_REQUIRES_DEV;
+		put_filesystem(fstype);
+
+		if (requires_dev) {
+			struct path dev_path;
+
+			if (!dev_name || !*dev_name) {
+				error = -ENOENT;
+				goto out;
+			}
+
+			error = kern_path(dev_name, LOOKUP_FOLLOW, &dev_path);
+			if (error)
+				goto audit;
+
+			error = aa_path_name(&dev_path,
+					     path_flags(profile, &dev_path),
+					     &dev_buffer, &dev_name, &info);
+			path_put(&dev_path);
+			if (error)
+				goto audit;
+		}
+	}
+
+	error = aa_path_name(path, path_flags(profile, path), &buffer, &name,
+			     &info);
+	if (error)
+		goto audit;
+
+	error = match_mnt(profile, name, dev_name, type, flags, data, binary,
+			  &perms, &info);
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name,  dev_name,
+			    type, NULL, flags, data, AA_MAY_MOUNT, &perms, info,
+			    error);
+	kfree(buffer);
+	kfree(dev_buffer);
+
+out:
+	return error;
+
+}
+
+int aa_umount(struct aa_profile *profile, struct vfsmount *mnt, int flags)
+{
+	struct file_perms perms = { };
+	char *buffer = NULL;
+	const char *name, *info = NULL;
+	int error;
+
+	struct path path = { mnt, mnt->mnt_root };
+	error = aa_path_name(&path, path_flags(profile, &path), &buffer, &name,
+			     &info);
+	if (error)
+		goto audit;
+
+	if (!error && profile->policy.dfa) {
+		unsigned int state;
+		state = aa_dfa_match(profile->policy.dfa,
+				     profile->policy.start[AA_CLASS_MOUNT],
+				     name);
+		perms = compute_mnt_perms(profile->policy.dfa, state);
+	}
+
+	if (AA_MAY_UMOUNT & ~perms.allow)
+		error = -EACCES;
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_UMOUNT, name, NULL, NULL,
+			    NULL, 0, NULL, AA_MAY_UMOUNT, &perms, info, error);
+	kfree(buffer);
+
+	return error;
+}
+
+int aa_pivotroot(struct aa_profile *profile, struct path *old_path,
+		  struct path *new_path)
+{
+	struct file_perms perms = { };
+	struct aa_profile *target = NULL;
+	char *old_buffer = NULL, *new_buffer = NULL;
+	const char *old_name, *new_name = NULL, *info = NULL;
+	int error;
+
+	error = aa_path_name(old_path, path_flags(profile, old_path),
+			     &old_buffer, &old_name, &info);
+	if (error)
+		goto audit;
+
+	error = aa_path_name(new_path, path_flags(profile, new_path),
+			     &new_buffer, &new_name, &info);
+	if (error)
+		goto audit;
+
+	if (profile->policy.dfa) {
+		unsigned int state;
+		state = aa_dfa_match(profile->policy.dfa,
+				     profile->policy.start[AA_CLASS_MOUNT],
+				     new_name);
+		state = aa_dfa_null_transition(profile->policy.dfa, state);
+		state = aa_dfa_match(profile->policy.dfa, state, old_name);
+		perms = compute_mnt_perms(profile->policy.dfa, state);
+	}
+
+	if (AA_MAY_PIVOTROOT & perms.allow) {
+		if ((perms.xindex & AA_X_TYPE_MASK) == AA_X_TABLE) {
+			target = x_table_lookup(profile, perms.xindex);
+			if (!target)
+				error = -ENOENT;
+			else
+				error = aa_replace_current_profile(target);
+		}
+	} else
+		error = -EACCES;
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_PIVOTROOT, new_name,
+			    old_name, NULL, target ? target->base.name : NULL,
+			    0, NULL,  AA_MAY_PIVOTROOT, &perms, info, error);
+	aa_put_profile(target);
+	kfree(old_buffer);
+	kfree(new_buffer);
+
+	return error;
+}
+-- 
+1.7.10.4
+
--- a/kernel-patches/3.5/0006-apparmor-fix-IRQ-stack-overflow-during-free_profile.patch
+++ b/kernel-patches/3.5/0006-apparmor-fix-IRQ-stack-overflow-during-free_profile.patch
@@ -0,0 +1,70 @@
+From f58c91bc1871d604f88d0056099dc34f8ce3ae21 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 24 Oct 2012 06:27:32 -0700
+Subject: [PATCH 6/6] apparmor: fix IRQ stack overflow during free_profile
+
+BugLink: http://bugs.launchpad.net/bugs/1056078
+
+Profile replacement can cause long chains of profiles to build up when
+the profile being replaced is pinned. When the pinned profile is finally
+freed, it puts the reference to its replacement, which may in turn nest
+another call to free_profile on the stack. Because this may happen for
+each profile in the replacedby chain this can result in a recusion that
+causes the stack to overflow.
+
+Break this nesting by directly walking the chain of replacedby profiles
+(ie. use iteration instead of recursion to free the list). This results
+in at most 2 levels of free_profile being called, while freeing a
+replacedby chain.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+---
+ security/apparmor/policy.c |   24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index 27c8161..56e5304 100644
+--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
+@@ -724,6 +724,8 @@ fail:
+  */
+ static void free_profile(struct aa_profile *profile)
+ {
+	struct aa_profile *p;
+
+ 	AA_DEBUG("%s(%p)\n", __func__, profile);
+ 
+ 	if (!profile)
+@@ -752,7 +754,27 @@ static void free_profile(struct aa_profile *profile)
+ 	aa_put_dfa(profile->xmatch);
+ 	aa_put_dfa(profile->policy.dfa);
+ 
+-	aa_put_profile(profile->replacedby);
+	/* put the profile reference for replacedby, but not via
+	 * put_profile(kref_put).
+	 * replacedby can form a long chain that can result in cascading
+	 * frees that blows the stack because kref_put makes a nested fn
+	 * call (it looks like recursion, with free_profile calling
+	 * free_profile) for each profile in the chain lp#1056078.
+	 */
+	for (p = profile->replacedby; p; ) {
+		if (atomic_dec_and_test(&p->base.count.refcount)) {
+			/* no more refs on p, grab its replacedby */
+			struct aa_profile *next = p->replacedby;
+			/* break the chain */
+			p->replacedby = NULL;
+			/* now free p, chain is broken */
+			free_profile(p);
+
+			/* follow up with next profile in the chain */
+			p = next;
+		} else
+			break;
+	}
+ 
+ 	kzfree(profile);
+ }
+-- 
+1.7.10.4
+
--- a/kernel-patches/3.6/0001-UBUNTU-SAUCE-AppArmor-Add-profile-introspection-file.patch
+++ b/kernel-patches/3.6/0001-UBUNTU-SAUCE-AppArmor-Add-profile-introspection-file.patch
@@ -0,0 +1,285 @@
+From 259cf7251194d81a4a3c4e6d76c2cf9e38d5647d Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Thu, 22 Jul 2010 02:32:02 -0700
+Subject: [PATCH 1/6] UBUNTU: SAUCE: AppArmor: Add profile introspection file
+ to interface
+
+Add the dynamic profiles file to the interace, to allow load policy
+introspection.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Acked-by: Kees Cook <kees@ubuntu.com>
+---
+ security/apparmor/Kconfig      |    9 ++
+ security/apparmor/apparmorfs.c |  231 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 240 insertions(+)
+
+diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
+index 9b9013b..51ebf96 100644
+--- a/security/apparmor/Kconfig
+++ b/security/apparmor/Kconfig
+@@ -29,3 +29,12 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE
+ 	  boot.
+ 
+ 	  If you are unsure how to answer this question, answer 1.
+
+config SECURITY_APPARMOR_COMPAT_24
+	bool "Enable AppArmor 2.4 compatability"
+	depends on SECURITY_APPARMOR
+	default y
+	help
+	  This option enables compatability with AppArmor 2.4.  It is
+          recommended if compatability with older versions of AppArmor
+          is desired.
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 16c15ec..42b7c9f 100644
+--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
+@@ -182,6 +182,234 @@ const struct file_operations aa_fs_seq_file_ops = {
+ 	.release	= single_release,
+ };
+ 
+#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
+/**
+ * __next_namespace - find the next namespace to list
+ * @root: root namespace to stop search at (NOT NULL)
+ * @ns: current ns position (NOT NULL)
+ *
+ * Find the next namespace from @ns under @root and handle all locking needed
+ * while switching current namespace.
+ *
+ * Returns: next namespace or NULL if at last namespace under @root
+ * NOTE: will not unlock root->lock
+ */
+static struct aa_namespace *__next_namespace(struct aa_namespace *root,
+					     struct aa_namespace *ns)
+{
+	struct aa_namespace *parent;
+
+	/* is next namespace a child */
+	if (!list_empty(&ns->sub_ns)) {
+		struct aa_namespace *next;
+		next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
+		read_lock(&next->lock);
+		return next;
+	}
+
+	/* check if the next ns is a sibling, parent, gp, .. */
+	parent = ns->parent;
+	while (parent) {
+		read_unlock(&ns->lock);
+		list_for_each_entry_continue(ns, &parent->sub_ns, base.list) {
+			read_lock(&ns->lock);
+			return ns;
+		}
+		if (parent == root)
+			return NULL;
+		ns = parent;
+		parent = parent->parent;
+	}
+
+	return NULL;
+}
+
+/**
+ * __first_profile - find the first profile in a namespace
+ * @root: namespace that is root of profiles being displayed (NOT NULL)
+ * @ns: namespace to start in   (NOT NULL)
+ *
+ * Returns: unrefcounted profile or NULL if no profile
+ */
+static struct aa_profile *__first_profile(struct aa_namespace *root,
+					  struct aa_namespace *ns)
+{
+	for ( ; ns; ns = __next_namespace(root, ns)) {
+		if (!list_empty(&ns->base.profiles))
+			return list_first_entry(&ns->base.profiles,
+						struct aa_profile, base.list);
+	}
+	return NULL;
+}
+
+/**
+ * __next_profile - step to the next profile in a profile tree
+ * @profile: current profile in tree (NOT NULL)
+ *
+ * Perform a depth first taversal on the profile tree in a namespace
+ *
+ * Returns: next profile or NULL if done
+ * Requires: profile->ns.lock to be held
+ */
+static struct aa_profile *__next_profile(struct aa_profile *p)
+{
+	struct aa_profile *parent;
+	struct aa_namespace *ns = p->ns;
+
+	/* is next profile a child */
+	if (!list_empty(&p->base.profiles))
+		return list_first_entry(&p->base.profiles, typeof(*p),
+					base.list);
+
+	/* is next profile a sibling, parent sibling, gp, subling, .. */
+	parent = p->parent;
+	while (parent) {
+		list_for_each_entry_continue(p, &parent->base.profiles,
+					     base.list)
+				return p;
+		p = parent;
+		parent = parent->parent;
+	}
+
+	/* is next another profile in the namespace */
+	list_for_each_entry_continue(p, &ns->base.profiles, base.list)
+		return p;
+
+	return NULL;
+}
+
+/**
+ * next_profile - step to the next profile in where ever it may be
+ * @root: root namespace  (NOT NULL)
+ * @profile: current profile  (NOT NULL)
+ *
+ * Returns: next profile or NULL if there isn't one
+ */
+static struct aa_profile *next_profile(struct aa_namespace *root,
+				       struct aa_profile *profile)
+{
+	struct aa_profile *next = __next_profile(profile);
+	if (next)
+		return next;
+
+	/* finished all profiles in namespace move to next namespace */
+	return __first_profile(root, __next_namespace(root, profile->ns));
+}
+
+/**
+ * p_start - start a depth first traversal of profile tree
+ * @f: seq_file to fill
+ * @pos: current position
+ *
+ * Returns: first profile under current namespace or NULL if none found
+ *
+ * acquires first ns->lock
+ */
+static void *p_start(struct seq_file *f, loff_t *pos)
+	__acquires(root->lock)
+{
+	struct aa_profile *profile = NULL;
+	struct aa_namespace *root = aa_current_profile()->ns;
+	loff_t l = *pos;
+	f->private = aa_get_namespace(root);
+
+
+	/* find the first profile */
+	read_lock(&root->lock);
+	profile = __first_profile(root, root);
+
+	/* skip to position */
+	for (; profile && l > 0; l--)
+		profile = next_profile(root, profile);
+
+	return profile;
+}
+
+/**
+ * p_next - read the next profile entry
+ * @f: seq_file to fill
+ * @p: profile previously returned
+ * @pos: current position
+ *
+ * Returns: next profile after @p or NULL if none
+ *
+ * may acquire/release locks in namespace tree as necessary
+ */
+static void *p_next(struct seq_file *f, void *p, loff_t *pos)
+{
+	struct aa_profile *profile = p;
+	struct aa_namespace *root = f->private;
+	(*pos)++;
+
+	return next_profile(root, profile);
+}
+
+/**
+ * p_stop - stop depth first traversal
+ * @f: seq_file we are filling
+ * @p: the last profile writen
+ *
+ * Release all locking done by p_start/p_next on namespace tree
+ */
+static void p_stop(struct seq_file *f, void *p)
+	__releases(root->lock)
+{
+	struct aa_profile *profile = p;
+	struct aa_namespace *root = f->private, *ns;
+
+	if (profile) {
+		for (ns = profile->ns; ns && ns != root; ns = ns->parent)
+			read_unlock(&ns->lock);
+	}
+	read_unlock(&root->lock);
+	aa_put_namespace(root);
+}
+
+/**
+ * seq_show_profile - show a profile entry
+ * @f: seq_file to file
+ * @p: current position (profile)    (NOT NULL)
+ *
+ * Returns: error on failure
+ */
+static int seq_show_profile(struct seq_file *f, void *p)
+{
+	struct aa_profile *profile = (struct aa_profile *)p;
+	struct aa_namespace *root = f->private;
+
+	if (profile->ns != root)
+		seq_printf(f, ":%s://", aa_ns_name(root, profile->ns));
+	seq_printf(f, "%s (%s)\n", profile->base.hname,
+		   COMPLAIN_MODE(profile) ? "complain" : "enforce");
+
+	return 0;
+}
+
+static const struct seq_operations aa_fs_profiles_op = {
+	.start = p_start,
+	.next = p_next,
+	.stop = p_stop,
+	.show = seq_show_profile,
+};
+
+static int profiles_open(struct inode *inode, struct file *file)
+{
+	return seq_open(file, &aa_fs_profiles_op);
+}
+
+static int profiles_release(struct inode *inode, struct file *file)
+{
+	return seq_release(inode, file);
+}
+
+const struct file_operations aa_fs_profiles_fops = {
+	.open = profiles_open,
+	.read = seq_read,
+	.llseek = seq_lseek,
+	.release = profiles_release,
+};
+#endif /* CONFIG_SECURITY_APPARMOR_COMPAT_24 */
+
+ /** Base file system setup **/
+ 
+ static struct aa_fs_entry aa_fs_entry_file[] = {
+@@ -210,6 +438,9 @@ static struct aa_fs_entry aa_fs_entry_apparmor[] = {
+ 	AA_FS_FILE_FOPS(".load", 0640, &aa_fs_profile_load),
+ 	AA_FS_FILE_FOPS(".replace", 0640, &aa_fs_profile_replace),
+ 	AA_FS_FILE_FOPS(".remove", 0640, &aa_fs_profile_remove),
+#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
+	AA_FS_FILE_FOPS("profiles", 0640, &aa_fs_profiles_fops),
+#endif
+ 	AA_FS_DIR("features", aa_fs_entry_features),
+ 	{ }
+ };
+-- 
+1.7.10.4
+
--- a/kernel-patches/3.6/0002-UBUNTU-SAUCE-AppArmor-basic-networking-rules.patch
+++ b/kernel-patches/3.6/0002-UBUNTU-SAUCE-AppArmor-basic-networking-rules.patch
@@ -0,0 +1,603 @@
+From 0317e6ba6aa4adc71f645b7da5318f4caa69267e Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Mon, 4 Oct 2010 15:03:36 -0700
+Subject: [PATCH 2/6] UBUNTU: SAUCE: AppArmor: basic networking rules
+
+Base support for network mediation.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ security/apparmor/.gitignore       |    2 +-
+ security/apparmor/Makefile         |   42 +++++++++-
+ security/apparmor/apparmorfs.c     |    1 +
+ security/apparmor/include/audit.h  |    4 +
+ security/apparmor/include/net.h    |   44 ++++++++++
+ security/apparmor/include/policy.h |    3 +
+ security/apparmor/lsm.c            |  112 +++++++++++++++++++++++++
+ security/apparmor/net.c            |  162 ++++++++++++++++++++++++++++++++++++
+ security/apparmor/policy.c         |    1 +
+ security/apparmor/policy_unpack.c  |   46 ++++++++++
+ 10 files changed, 414 insertions(+), 3 deletions(-)
+ create mode 100644 security/apparmor/include/net.h
+ create mode 100644 security/apparmor/net.c
+
+diff --git a/security/apparmor/.gitignore b/security/apparmor/.gitignore
+index 4d995ae..d5b291e 100644
+--- a/security/apparmor/.gitignore
+++ b/security/apparmor/.gitignore
+@@ -1,6 +1,6 @@
+ #
+ # Generated include files
+ #
+-af_names.h
+net_names.h
+ capability_names.h
+ rlim_names.h
+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
+index 806bd19..19daa85 100644
+--- a/security/apparmor/Makefile
+++ b/security/apparmor/Makefile
+@@ -4,9 +4,9 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+ 
+ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
+-              resource.o sid.o file.o
+              resource.o sid.o file.o net.o
+ 
+-clean-files := capability_names.h rlim_names.h
+clean-files := capability_names.h rlim_names.h net_names.h
+ 
+ 
+ # Build a lower case string table of capability names
+@@ -20,6 +20,38 @@ cmd_make-caps = echo "static const char *const capability_names[] = {" > $@ ;\
+ 	-e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/[\2] = "\L\1",/p';\
+ 	echo "};" >> $@
+ 
+# Build a lower case string table of address family names
+# Transform lines from
+#    define AF_LOCAL	1	/* POSIX name for AF_UNIX	*/
+#    #define AF_INET		2	/* Internet IP Protocol 	*/
+# to
+#    [1] = "local",
+#    [2] = "inet",
+#
+# and build the securityfs entries for the mapping.
+# Transforms lines from
+#    #define AF_INET		2	/* Internet IP Protocol 	*/
+# to
+#    #define AA_FS_AF_MASK "local inet"
+quiet_cmd_make-af = GEN     $@
+cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\
+	sed $< >>$@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e \
+	 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\
+	echo "};" >> $@ ;\
+	echo -n '\#define AA_FS_AF_MASK "' >> $@ ;\
+	sed -r -n 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/\L\1/p'\
+	 $< | tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
+
+# Build a lower case string table of sock type names
+# Transform lines from
+#    SOCK_STREAM	= 1,
+# to
+#    [1] = "stream",
+quiet_cmd_make-sock = GEN     $@
+cmd_make-sock = echo "static const char *sock_type_names[] = {" >> $@ ;\
+	sed $^ >>$@ -r -n \
+	-e 's/^\tSOCK_([A-Z0-9_]+)[\t]+=[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\
+	echo "};" >> $@
+ 
+ # Build a lower case string table of rlimit names.
+ # Transforms lines from
+@@ -56,6 +88,7 @@ cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \
+ 	    tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
+ 
+ $(obj)/capability.o : $(obj)/capability_names.h
+$(obj)/net.o : $(obj)/net_names.h
+ $(obj)/resource.o : $(obj)/rlim_names.h
+ $(obj)/capability_names.h : $(srctree)/include/linux/capability.h \
+ 			    $(src)/Makefile
+@@ -63,3 +96,8 @@ $(obj)/capability_names.h : $(srctree)/include/linux/capability.h \
+ $(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h \
+ 		      $(src)/Makefile
+ 	$(call cmd,make-rlim)
+$(obj)/net_names.h : $(srctree)/include/linux/socket.h \
+		     $(srctree)/include/linux/net.h \
+		     $(src)/Makefile
+	$(call cmd,make-af)
+	$(call cmd,make-sock)
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 42b7c9f..114fb23 100644
+--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
+@@ -429,6 +429,7 @@ static struct aa_fs_entry aa_fs_entry_domain[] = {
+ static struct aa_fs_entry aa_fs_entry_features[] = {
+ 	AA_FS_DIR("domain",			aa_fs_entry_domain),
+ 	AA_FS_DIR("file",			aa_fs_entry_file),
+	AA_FS_DIR("network",                    aa_fs_entry_network),
+ 	AA_FS_FILE_U64("capability",		VFS_CAP_FLAGS_MASK),
+ 	AA_FS_DIR("rlimit",			aa_fs_entry_rlimit),
+ 	{ }
+diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
+index 4b7e189..17734f9 100644
+--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
+@@ -127,6 +127,10 @@ struct apparmor_audit_data {
+ 			u32 denied;
+ 			uid_t ouid;
+ 		} fs;
+		struct {
+			int type, protocol;
+			struct sock *sk;
+		} net;
+ 	};
+ };
+ 
+diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
+new file mode 100644
+index 0000000..cb8a121
+--- /dev/null
+++ b/security/apparmor/include/net.h
+@@ -0,0 +1,44 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor network mediation definitions.
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2012 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#ifndef __AA_NET_H
+#define __AA_NET_H
+
+#include <net/sock.h>
+
+#include "apparmorfs.h"
+
+/* struct aa_net - network confinement data
+ * @allowed: basic network families permissions
+ * @audit_network: which network permissions to force audit
+ * @quiet_network: which network permissions to quiet rejects
+ */
+struct aa_net {
+	u16 allow[AF_MAX];
+	u16 audit[AF_MAX];
+	u16 quiet[AF_MAX];
+};
+
+extern struct aa_fs_entry aa_fs_entry_network[];
+
+extern int aa_net_perm(int op, struct aa_profile *profile, u16 family,
+		       int type, int protocol, struct sock *sk);
+extern int aa_revalidate_sk(int op, struct sock *sk);
+
+static inline void aa_free_net_rules(struct aa_net *new)
+{
+	/* NOP */
+}
+
+#endif /* __AA_NET_H */
+diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
+index bda4569..eb13a73 100644
+--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
+@@ -27,6 +27,7 @@
+ #include "capability.h"
+ #include "domain.h"
+ #include "file.h"
+#include "net.h"
+ #include "resource.h"
+ 
+ extern const char *const profile_mode_names[];
+@@ -157,6 +158,7 @@ struct aa_policydb {
+  * @policy: general match rules governing policy
+  * @file: The set of rules governing basic file access and domain transitions
+  * @caps: capabilities for the profile
+ * @net: network controls for the profile
+  * @rlimits: rlimits for the profile
+  *
+  * The AppArmor profile contains the basic confinement data.  Each profile
+@@ -194,6 +196,7 @@ struct aa_profile {
+ 	struct aa_policydb policy;
+ 	struct aa_file_rules file;
+ 	struct aa_caps caps;
+	struct aa_net net;
+ 	struct aa_rlimit rlimits;
+ };
+ 
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index 8ea39aa..f628734 100644
+--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
+@@ -32,6 +32,7 @@
+ #include "include/context.h"
+ #include "include/file.h"
+ #include "include/ipc.h"
+#include "include/net.h"
+ #include "include/path.h"
+ #include "include/policy.h"
+ #include "include/procattr.h"
+@@ -614,6 +615,104 @@ static int apparmor_task_setrlimit(struct task_struct *task,
+ 	return error;
+ }
+ 
+static int apparmor_socket_create(int family, int type, int protocol, int kern)
+{
+	struct aa_profile *profile;
+	int error = 0;
+
+	if (kern)
+		return 0;
+
+	profile = __aa_current_profile();
+	if (!unconfined(profile))
+		error = aa_net_perm(OP_CREATE, profile, family, type, protocol,
+				    NULL);
+	return error;
+}
+
+static int apparmor_socket_bind(struct socket *sock,
+				struct sockaddr *address, int addrlen)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_BIND, sk);
+}
+
+static int apparmor_socket_connect(struct socket *sock,
+				   struct sockaddr *address, int addrlen)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_CONNECT, sk);
+}
+
+static int apparmor_socket_listen(struct socket *sock, int backlog)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_LISTEN, sk);
+}
+
+static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_ACCEPT, sk);
+}
+
+static int apparmor_socket_sendmsg(struct socket *sock,
+				   struct msghdr *msg, int size)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_SENDMSG, sk);
+}
+
+static int apparmor_socket_recvmsg(struct socket *sock,
+				   struct msghdr *msg, int size, int flags)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_RECVMSG, sk);
+}
+
+static int apparmor_socket_getsockname(struct socket *sock)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_GETSOCKNAME, sk);
+}
+
+static int apparmor_socket_getpeername(struct socket *sock)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_GETPEERNAME, sk);
+}
+
+static int apparmor_socket_getsockopt(struct socket *sock, int level,
+				      int optname)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_GETSOCKOPT, sk);
+}
+
+static int apparmor_socket_setsockopt(struct socket *sock, int level,
+				      int optname)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_SETSOCKOPT, sk);
+}
+
+static int apparmor_socket_shutdown(struct socket *sock, int how)
+{
+	struct sock *sk = sock->sk;
+
+	return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
+}
+
+ static struct security_operations apparmor_ops = {
+ 	.name =				"apparmor",
+ 
+@@ -646,6 +745,19 @@ static struct security_operations apparmor_ops = {
+ 	.getprocattr =			apparmor_getprocattr,
+ 	.setprocattr =			apparmor_setprocattr,
+ 
+	.socket_create =		apparmor_socket_create,
+	.socket_bind =			apparmor_socket_bind,
+	.socket_connect =		apparmor_socket_connect,
+	.socket_listen =		apparmor_socket_listen,
+	.socket_accept =		apparmor_socket_accept,
+	.socket_sendmsg =		apparmor_socket_sendmsg,
+	.socket_recvmsg =		apparmor_socket_recvmsg,
+	.socket_getsockname =		apparmor_socket_getsockname,
+	.socket_getpeername =		apparmor_socket_getpeername,
+	.socket_getsockopt =		apparmor_socket_getsockopt,
+	.socket_setsockopt =		apparmor_socket_setsockopt,
+	.socket_shutdown =		apparmor_socket_shutdown,
+
+ 	.cred_alloc_blank =		apparmor_cred_alloc_blank,
+ 	.cred_free =			apparmor_cred_free,
+ 	.cred_prepare =			apparmor_cred_prepare,
+diff --git a/security/apparmor/net.c b/security/apparmor/net.c
+new file mode 100644
+index 0000000..003dd18
+--- /dev/null
+++ b/security/apparmor/net.c
+@@ -0,0 +1,162 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor network mediation
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2012 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#include "include/apparmor.h"
+#include "include/audit.h"
+#include "include/context.h"
+#include "include/net.h"
+#include "include/policy.h"
+
+#include "net_names.h"
+
+struct aa_fs_entry aa_fs_entry_network[] = {
+	AA_FS_FILE_STRING("af_mask", AA_FS_AF_MASK),
+	{ }
+};
+
+/* audit callback for net specific fields */
+static void audit_cb(struct audit_buffer *ab, void *va)
+{
+	struct common_audit_data *sa = va;
+
+	audit_log_format(ab, " family=");
+	if (address_family_names[sa->u.net->family]) {
+		audit_log_string(ab, address_family_names[sa->u.net->family]);
+	} else {
+		audit_log_format(ab, "\"unknown(%d)\"", sa->u.net->family);
+	}
+	audit_log_format(ab, " sock_type=");
+	if (sock_type_names[sa->aad->net.type]) {
+		audit_log_string(ab, sock_type_names[sa->aad->net.type]);
+	} else {
+		audit_log_format(ab, "\"unknown(%d)\"", sa->aad->net.type);
+	}
+	audit_log_format(ab, " protocol=%d", sa->aad->net.protocol);
+}
+
+/**
+ * audit_net - audit network access
+ * @profile: profile being enforced  (NOT NULL)
+ * @op: operation being checked
+ * @family: network family
+ * @type:   network type
+ * @protocol: network protocol
+ * @sk: socket auditing is being applied to
+ * @error: error code for failure else 0
+ *
+ * Returns: %0 or sa->error else other errorcode on failure
+ */
+static int audit_net(struct aa_profile *profile, int op, u16 family, int type,
+		     int protocol, struct sock *sk, int error)
+{
+	int audit_type = AUDIT_APPARMOR_AUTO;
+	struct common_audit_data sa;
+	struct apparmor_audit_data aad = { };
+	struct lsm_network_audit net = { };
+	if (sk) {
+		sa.type = LSM_AUDIT_DATA_NET;
+	} else {
+		sa.type = LSM_AUDIT_DATA_NONE;
+	}
+	/* todo fill in socket addr info */
+	sa.aad = &aad;
+	sa.u.net = &net;
+	sa.aad->op = op,
+	sa.u.net->family = family;
+	sa.u.net->sk = sk;
+	sa.aad->net.type = type;
+	sa.aad->net.protocol = protocol;
+	sa.aad->error = error;
+
+	if (likely(!sa.aad->error)) {
+		u16 audit_mask = profile->net.audit[sa.u.net->family];
+		if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
+			   !(1 << sa.aad->net.type & audit_mask)))
+			return 0;
+		audit_type = AUDIT_APPARMOR_AUDIT;
+	} else {
+		u16 quiet_mask = profile->net.quiet[sa.u.net->family];
+		u16 kill_mask = 0;
+		u16 denied = (1 << sa.aad->net.type) & ~quiet_mask;
+
+		if (denied & kill_mask)
+			audit_type = AUDIT_APPARMOR_KILL;
+
+		if ((denied & quiet_mask) &&
+		    AUDIT_MODE(profile) != AUDIT_NOQUIET &&
+		    AUDIT_MODE(profile) != AUDIT_ALL)
+			return COMPLAIN_MODE(profile) ? 0 : sa.aad->error;
+	}
+
+	return aa_audit(audit_type, profile, GFP_KERNEL, &sa, audit_cb);
+}
+
+/**
+ * aa_net_perm - very course network access check
+ * @op: operation being checked
+ * @profile: profile being enforced  (NOT NULL)
+ * @family: network family
+ * @type:   network type
+ * @protocol: network protocol
+ *
+ * Returns: %0 else error if permission denied
+ */
+int aa_net_perm(int op, struct aa_profile *profile, u16 family, int type,
+		int protocol, struct sock *sk)
+{
+	u16 family_mask;
+	int error;
+
+	if ((family < 0) || (family >= AF_MAX))
+		return -EINVAL;
+
+	if ((type < 0) || (type >= SOCK_MAX))
+		return -EINVAL;
+
+	/* unix domain and netlink sockets are handled by ipc */
+	if (family == AF_UNIX || family == AF_NETLINK)
+		return 0;
+
+	family_mask = profile->net.allow[family];
+
+	error = (family_mask & (1 << type)) ? 0 : -EACCES;
+
+	return audit_net(profile, op, family, type, protocol, sk, error);
+}
+
+/**
+ * aa_revalidate_sk - Revalidate access to a sock
+ * @op: operation being checked
+ * @sk: sock being revalidated  (NOT NULL)
+ *
+ * Returns: %0 else error if permission denied
+ */
+int aa_revalidate_sk(int op, struct sock *sk)
+{
+	struct aa_profile *profile;
+	int error = 0;
+
+	/* aa_revalidate_sk should not be called from interrupt context
+	 * don't mediate these calls as they are not task related
+	 */
+	if (in_interrupt())
+		return 0;
+
+	profile = __aa_current_profile();
+	if (!unconfined(profile))
+		error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type,
+				    sk->sk_protocol, sk);
+
+	return error;
+}
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index cf5fd22..27c8161 100644
+--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
+@@ -745,6 +745,7 @@ static void free_profile(struct aa_profile *profile)
+ 
+ 	aa_free_file_rules(&profile->file);
+ 	aa_free_cap_rules(&profile->caps);
+	aa_free_net_rules(&profile->net);
+ 	aa_free_rlimit_rules(&profile->rlimits);
+ 
+ 	aa_free_sid(profile->sid);
+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
+index 329b1fd..1b90dfa 100644
+--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
+@@ -193,6 +193,19 @@ fail:
+ 	return 0;
+ }
+ 
+static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name)
+{
+	if (unpack_nameX(e, AA_U16, name)) {
+		if (!inbounds(e, sizeof(u16)))
+			return 0;
+		if (data)
+			*data = le16_to_cpu(get_unaligned((u16 *) e->pos));
+		e->pos += sizeof(u16);
+		return 1;
+	}
+	return 0;
+}
+
+ static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
+ {
+ 	if (unpack_nameX(e, AA_U32, name)) {
+@@ -471,6 +484,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ {
+ 	struct aa_profile *profile = NULL;
+ 	const char *name = NULL;
+	size_t size = 0;
+ 	int i, error = -EPROTO;
+ 	kernel_cap_t tmpcap;
+ 	u32 tmp;
+@@ -564,6 +578,38 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ 	if (!unpack_rlimits(e, profile))
+ 		goto fail;
+ 
+	size = unpack_array(e, "net_allowed_af");
+	if (size) {
+
+		for (i = 0; i < size; i++) {
+			/* discard extraneous rules that this kernel will
+			 * never request
+			 */
+			if (i >= AF_MAX) {
+				u16 tmp;
+				if (!unpack_u16(e, &tmp, NULL) ||
+				    !unpack_u16(e, &tmp, NULL) ||
+				    !unpack_u16(e, &tmp, NULL))
+					goto fail;
+				continue;
+			}
+			if (!unpack_u16(e, &profile->net.allow[i], NULL))
+				goto fail;
+			if (!unpack_u16(e, &profile->net.audit[i], NULL))
+				goto fail;
+			if (!unpack_u16(e, &profile->net.quiet[i], NULL))
+				goto fail;
+		}
+		if (!unpack_nameX(e, AA_ARRAYEND, NULL))
+			goto fail;
+	}
+	/*
+	 * allow unix domain and netlink sockets they are handled
+	 * by IPC
+	 */
+	profile->net.allow[AF_UNIX] = 0xffff;
+	profile->net.allow[AF_NETLINK] = 0xffff;
+
+ 	if (unpack_nameX(e, AA_STRUCT, "policydb")) {
+ 		/* generic policy dfa - optional and may be NULL */
+ 		profile->policy.dfa = unpack_dfa(e);
+-- 
+1.7.10.4
+
--- a/kernel-patches/3.6/0003-apparmor-Fix-quieting-of-audit-messages-for-network-.patch
+++ b/kernel-patches/3.6/0003-apparmor-Fix-quieting-of-audit-messages-for-network-.patch
@@ -0,0 +1,38 @@
+From b1cb9d1b4f0d585c271c584da954d9eb2e347b40 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Fri, 29 Jun 2012 17:34:00 -0700
+Subject: [PATCH 3/6] apparmor: Fix quieting of audit messages for network
+ mediation
+
+If a profile specified a quieting of network denials for a given rule by
+either the quiet or deny rule qualifiers, the resultant quiet mask for
+denied requests was applied incorrectly, resulting in two potential bugs.
+1. The misapplied quiet mask would prevent denials from being correctly
+   tested against the kill mask/mode. Thus network access requests that
+   should have resulted in the application being killed did not.
+
+2. The actual quieting of the denied network request was not being applied.
+   This would result in network rejections always being logged even when
+   they had been specifically marked as quieted.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ security/apparmor/net.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/apparmor/net.c b/security/apparmor/net.c
+index 003dd18..6e6e5c9 100644
+--- a/security/apparmor/net.c
+++ b/security/apparmor/net.c
+@@ -88,7 +88,7 @@ static int audit_net(struct aa_profile *profile, int op, u16 family, int type,
+ 	} else {
+ 		u16 quiet_mask = profile->net.quiet[sa.u.net->family];
+ 		u16 kill_mask = 0;
+-		u16 denied = (1 << sa.aad->net.type) & ~quiet_mask;
+		u16 denied = (1 << sa.aad->net.type);
+ 
+ 		if (denied & kill_mask)
+ 			audit_type = AUDIT_APPARMOR_KILL;
+-- 
+1.7.10.4
+
--- a/kernel-patches/3.6/0004-apparmor-Ensure-apparmor-does-not-mediate-kernel-bas.patch
+++ b/kernel-patches/3.6/0004-apparmor-Ensure-apparmor-does-not-mediate-kernel-bas.patch
@@ -0,0 +1,98 @@
+From f284c9554341aded2d599e9355574cac36c2dd23 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Fri, 29 Jun 2012 17:34:01 -0700
+Subject: [PATCH 4/6] apparmor: Ensure apparmor does not mediate kernel based
+ sockets
+
+Currently apparmor makes the assumption that kernel sockets are unmediated
+because mediation is only done against tasks that have a profile attached.
+Ensure we never get in a situation where a kernel socket is being mediated
+by tagging the sk_security field for kernel sockets.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ security/apparmor/include/net.h |    2 ++
+ security/apparmor/lsm.c         |   18 ++++++++++++++++++
+ security/apparmor/net.c         |    3 +++
+ 3 files changed, 23 insertions(+)
+
+diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
+index cb8a121..bc8198b 100644
+--- a/security/apparmor/include/net.h
+++ b/security/apparmor/include/net.h
+@@ -19,6 +19,8 @@
+ 
+ #include "apparmorfs.h"
+ 
+#define AA_SOCK_KERN 0xAA
+
+ /* struct aa_net - network confinement data
+  * @allowed: basic network families permissions
+  * @audit_network: which network permissions to force audit
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index f628734..a172d01 100644
+--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
+@@ -630,6 +630,16 @@ static int apparmor_socket_create(int family, int type, int protocol, int kern)
+ 	return error;
+ }
+ 
+static int apparmor_socket_post_create(struct socket *sock, int family,
+				       int type, int protocol, int kern)
+{
+	if (kern)
+		/* tag kernel sockets so we don't mediate them later */
+		sock->sk->sk_security = (void *) AA_SOCK_KERN;
+
+	return 0;
+}
+
+ static int apparmor_socket_bind(struct socket *sock,
+ 				struct sockaddr *address, int addrlen)
+ {
+@@ -713,6 +723,12 @@ static int apparmor_socket_shutdown(struct socket *sock, int how)
+ 	return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
+ }
+ 
+static void apparmor_sk_clone_security(const struct sock *sk,
+				       struct sock *newsk)
+{
+	newsk->sk_security = sk->sk_security;
+}
+
+ static struct security_operations apparmor_ops = {
+ 	.name =				"apparmor",
+ 
+@@ -746,6 +762,7 @@ static struct security_operations apparmor_ops = {
+ 	.setprocattr =			apparmor_setprocattr,
+ 
+ 	.socket_create =		apparmor_socket_create,
+	.socket_post_create =		apparmor_socket_post_create,
+ 	.socket_bind =			apparmor_socket_bind,
+ 	.socket_connect =		apparmor_socket_connect,
+ 	.socket_listen =		apparmor_socket_listen,
+@@ -757,6 +774,7 @@ static struct security_operations apparmor_ops = {
+ 	.socket_getsockopt =		apparmor_socket_getsockopt,
+ 	.socket_setsockopt =		apparmor_socket_setsockopt,
+ 	.socket_shutdown =		apparmor_socket_shutdown,
+	.sk_clone_security =		apparmor_sk_clone_security,
+ 
+ 	.cred_alloc_blank =		apparmor_cred_alloc_blank,
+ 	.cred_free =			apparmor_cred_free,
+diff --git a/security/apparmor/net.c b/security/apparmor/net.c
+index 6e6e5c9..baa4df1 100644
+--- a/security/apparmor/net.c
+++ b/security/apparmor/net.c
+@@ -153,6 +153,9 @@ int aa_revalidate_sk(int op, struct sock *sk)
+ 	if (in_interrupt())
+ 		return 0;
+ 
+	if (sk->sk_security == (void *) AA_SOCK_KERN)
+		return 0;
+
+ 	profile = __aa_current_profile();
+ 	if (!unconfined(profile))
+ 		error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type,
+-- 
+1.7.10.4
+
--- a/kernel-patches/3.6/0005-UBUNTU-SAUCE-apparmor-Add-the-ability-to-mediate-mou.patch
+++ b/kernel-patches/3.6/0005-UBUNTU-SAUCE-apparmor-Add-the-ability-to-mediate-mou.patch
@@ -0,0 +1,957 @@
+From f5e962d77f98deab3461404567abd4759f5445a7 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 16 May 2012 10:58:05 -0700
+Subject: [PATCH 5/6] UBUNTU: SAUCE: apparmor: Add the ability to mediate
+ mount
+
+Add the ability for apparmor to do mediation of mount operations. Mount
+rules require an updated apparmor_parser (2.8 series) for policy compilation.
+
+The basic form of the rules are.
+
+  [audit] [deny] mount [conds]* [device] [ -> [conds] path],
+  [audit] [deny] remount [conds]* [path],
+  [audit] [deny] umount [conds]* [path],
+  [audit] [deny] pivotroot [oldroot=<value>] <path>
+
+  remount is just a short cut for mount options=remount
+
+  where [conds] can be
+    fstype=<expr>
+    options=<expr>
+
+Example mount commands
+  mount,		# allow all mounts, but not umount or pivotroot
+
+  mount fstype=procfs,  # allow mounting procfs anywhere
+
+  mount options=(bind, ro) /foo -> /bar,  # readonly bind mount
+
+  mount /dev/sda -> /mnt,
+
+  mount /dev/sd** -> /mnt/**,
+
+  mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) -> /mnt/
+
+  umount,
+
+  umount /m*,
+
+See the apparmor userspace for full documentation
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Acked-by: Kees Cook <kees@ubuntu.com>
+---
+ security/apparmor/Makefile           |    2 +-
+ security/apparmor/apparmorfs.c       |   13 +
+ security/apparmor/audit.c            |    4 +
+ security/apparmor/domain.c           |    2 +-
+ security/apparmor/include/apparmor.h |    3 +-
+ security/apparmor/include/audit.h    |   11 +
+ security/apparmor/include/domain.h   |    2 +
+ security/apparmor/include/mount.h    |   54 +++
+ security/apparmor/lsm.c              |   59 ++++
+ security/apparmor/mount.c            |  620 ++++++++++++++++++++++++++++++++++
+ 10 files changed, 767 insertions(+), 3 deletions(-)
+ create mode 100644 security/apparmor/include/mount.h
+ create mode 100644 security/apparmor/mount.c
+
+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
+index 19daa85..63e0a4c 100644
+--- a/security/apparmor/Makefile
+++ b/security/apparmor/Makefile
+@@ -4,7 +4,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+ 
+ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
+-              resource.o sid.o file.o net.o
+              resource.o sid.o file.o net.o mount.o
+ 
+ clean-files := capability_names.h rlim_names.h net_names.h
+ 
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 114fb23..ee77ec9 100644
+--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
+@@ -426,10 +426,23 @@ static struct aa_fs_entry aa_fs_entry_domain[] = {
+ 	{ }
+ };
+ 
+static struct aa_fs_entry aa_fs_entry_mount[] = {
+	AA_FS_FILE_STRING("mask", "mount umount"),
+	{ }
+};
+
+static struct aa_fs_entry aa_fs_entry_namespaces[] = {
+	AA_FS_FILE_BOOLEAN("profile",           1),
+	AA_FS_FILE_BOOLEAN("pivot_root",        1),
+	{ }
+};
+
+ static struct aa_fs_entry aa_fs_entry_features[] = {
+ 	AA_FS_DIR("domain",			aa_fs_entry_domain),
+ 	AA_FS_DIR("file",			aa_fs_entry_file),
+ 	AA_FS_DIR("network",                    aa_fs_entry_network),
+	AA_FS_DIR("mount",                      aa_fs_entry_mount),
+	AA_FS_DIR("namespaces",                 aa_fs_entry_namespaces),
+ 	AA_FS_FILE_U64("capability",		VFS_CAP_FLAGS_MASK),
+ 	AA_FS_DIR("rlimit",			aa_fs_entry_rlimit),
+ 	{ }
+diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
+index 3ae28db..e267963 100644
+--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
+@@ -44,6 +44,10 @@ const char *const op_table[] = {
+ 	"file_mmap",
+ 	"file_mprotect",
+ 
+	"pivotroot",
+	"mount",
+	"umount",
+
+ 	"create",
+ 	"post_create",
+ 	"bind",
+diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
+index b81ea10..afa8671 100644
+--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
+@@ -242,7 +242,7 @@ static const char *next_name(int xtype, const char *name)
+  *
+  * Returns: refcounted profile, or NULL on failure (MAYBE NULL)
+  */
+-static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
+struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
+ {
+ 	struct aa_profile *new_profile = NULL;
+ 	struct aa_namespace *ns = profile->ns;
+diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
+index 40aedd9..e243d96 100644
+--- a/security/apparmor/include/apparmor.h
+++ b/security/apparmor/include/apparmor.h
+@@ -29,8 +29,9 @@
+ #define AA_CLASS_NET		4
+ #define AA_CLASS_RLIMITS	5
+ #define AA_CLASS_DOMAIN		6
+#define AA_CLASS_MOUNT		7
+ 
+-#define AA_CLASS_LAST		AA_CLASS_DOMAIN
+#define AA_CLASS_LAST		AA_CLASS_MOUNT
+ 
+ /* Control parameters settable through module/boot flags */
+ extern enum audit_mode aa_g_audit;
+diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
+index 17734f9..66a738c 100644
+--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
+@@ -73,6 +73,10 @@ enum aa_ops {
+ 	OP_FMMAP,
+ 	OP_FMPROT,
+ 
+	OP_PIVOTROOT,
+	OP_MOUNT,
+	OP_UMOUNT,
+
+ 	OP_CREATE,
+ 	OP_POST_CREATE,
+ 	OP_BIND,
+@@ -122,6 +126,13 @@ struct apparmor_audit_data {
+ 			unsigned long max;
+ 		} rlim;
+ 		struct {
+			const char *src_name;
+			const char *type;
+			const char *trans;
+			const char *data;
+			unsigned long flags;
+		} mnt;
+		struct {
+ 			const char *target;
+ 			u32 request;
+ 			u32 denied;
+diff --git a/security/apparmor/include/domain.h b/security/apparmor/include/domain.h
+index de04464..a3f70c5 100644
+--- a/security/apparmor/include/domain.h
+++ b/security/apparmor/include/domain.h
+@@ -23,6 +23,8 @@ struct aa_domain {
+ 	char **table;
+ };
+ 
+struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex);
+
+ int apparmor_bprm_set_creds(struct linux_binprm *bprm);
+ int apparmor_bprm_secureexec(struct linux_binprm *bprm);
+ void apparmor_bprm_committing_creds(struct linux_binprm *bprm);
+diff --git a/security/apparmor/include/mount.h b/security/apparmor/include/mount.h
+new file mode 100644
+index 0000000..bc17a53
+--- /dev/null
+++ b/security/apparmor/include/mount.h
+@@ -0,0 +1,54 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor file mediation function definitions.
+ *
+ * Copyright 2012 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#ifndef __AA_MOUNT_H
+#define __AA_MOUNT_H
+
+#include <linux/fs.h>
+#include <linux/path.h>
+
+#include "domain.h"
+#include "policy.h"
+
+/* mount perms */
+#define AA_MAY_PIVOTROOT	0x01
+#define AA_MAY_MOUNT		0x02
+#define AA_MAY_UMOUNT		0x04
+#define AA_AUDIT_DATA		0x40
+#define AA_CONT_MATCH		0x40
+
+#define AA_MS_IGNORE_MASK (MS_KERNMOUNT | MS_NOSEC | MS_ACTIVE | MS_BORN)
+
+int aa_remount(struct aa_profile *profile, struct path *path,
+	       unsigned long flags, void *data);
+
+int aa_bind_mount(struct aa_profile *profile, struct path *path,
+		  const char *old_name, unsigned long flags);
+
+
+int aa_mount_change_type(struct aa_profile *profile, struct path *path,
+			 unsigned long flags);
+
+int aa_move_mount(struct aa_profile *profile, struct path *path,
+		  const char *old_name);
+
+int aa_new_mount(struct aa_profile *profile, const char *dev_name,
+		 struct path *path, const char *type, unsigned long flags,
+		 void *data);
+
+int aa_umount(struct aa_profile *profile, struct vfsmount *mnt, int flags);
+
+int aa_pivotroot(struct aa_profile *profile, struct path *old_path,
+		  struct path *new_path);
+
+#endif /* __AA_MOUNT_H */
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index a172d01..5da8af9 100644
+--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
+@@ -36,6 +36,7 @@
+ #include "include/path.h"
+ #include "include/policy.h"
+ #include "include/procattr.h"
+#include "include/mount.h"
+ 
+ /* Flag indicating whether initialization completed */
+ int apparmor_initialized __initdata;
+@@ -504,6 +505,60 @@ static int apparmor_file_mprotect(struct vm_area_struct *vma,
+ 			   !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
+ }
+ 
+static int apparmor_sb_mount(char *dev_name, struct path *path, char *type,
+			     unsigned long flags, void *data)
+{
+	struct aa_profile *profile;
+	int error = 0;
+
+	/* Discard magic */
+	if ((flags & MS_MGC_MSK) == MS_MGC_VAL)
+		flags &= ~MS_MGC_MSK;
+
+	flags &= ~AA_MS_IGNORE_MASK;
+
+	profile = __aa_current_profile();
+	if (!unconfined(profile)) {
+		if (flags & MS_REMOUNT)
+			error = aa_remount(profile, path, flags, data);
+		else if (flags & MS_BIND)
+			error = aa_bind_mount(profile, path, dev_name, flags);
+		else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE |
+				  MS_UNBINDABLE))
+			error = aa_mount_change_type(profile, path, flags);
+		else if (flags & MS_MOVE)
+			error = aa_move_mount(profile, path, dev_name);
+		else
+			error = aa_new_mount(profile, dev_name, path, type,
+					     flags, data);
+	}
+	return error;
+}
+
+static int apparmor_sb_umount(struct vfsmount *mnt, int flags)
+{
+	struct aa_profile *profile;
+	int error = 0;
+
+	profile = __aa_current_profile();
+	if (!unconfined(profile))
+		error = aa_umount(profile, mnt, flags);
+
+	return error;
+}
+
+static int apparmor_sb_pivotroot(struct path *old_path, struct path *new_path)
+{
+	struct aa_profile *profile;
+	int error = 0;
+
+	profile = __aa_current_profile();
+	if (!unconfined(profile))
+		error = aa_pivotroot(profile, old_path, new_path);
+
+	return error;
+}
+
+ static int apparmor_getprocattr(struct task_struct *task, char *name,
+ 				char **value)
+ {
+@@ -737,6 +792,10 @@ static struct security_operations apparmor_ops = {
+ 	.capget =			apparmor_capget,
+ 	.capable =			apparmor_capable,
+ 
+	.sb_mount =			apparmor_sb_mount,
+	.sb_umount =			apparmor_sb_umount,
+	.sb_pivotroot =			apparmor_sb_pivotroot,
+
+ 	.path_link =			apparmor_path_link,
+ 	.path_unlink =			apparmor_path_unlink,
+ 	.path_symlink =			apparmor_path_symlink,
+diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c
+new file mode 100644
+index 0000000..478aa4d
+--- /dev/null
+++ b/security/apparmor/mount.c
+@@ -0,0 +1,620 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor mediation of files
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2012 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#include <linux/fs.h>
+#include <linux/mount.h>
+#include <linux/namei.h>
+
+#include "include/apparmor.h"
+#include "include/audit.h"
+#include "include/context.h"
+#include "include/domain.h"
+#include "include/file.h"
+#include "include/match.h"
+#include "include/mount.h"
+#include "include/path.h"
+#include "include/policy.h"
+
+
+static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags)
+{
+	if (flags & MS_RDONLY)
+		audit_log_format(ab, "ro");
+	else
+		audit_log_format(ab, "rw");
+	if (flags & MS_NOSUID)
+		audit_log_format(ab, ", nosuid");
+	if (flags & MS_NODEV)
+		audit_log_format(ab, ", nodev");
+	if (flags & MS_NOEXEC)
+		audit_log_format(ab, ", noexec");
+	if (flags & MS_SYNCHRONOUS)
+		audit_log_format(ab, ", sync");
+	if (flags & MS_REMOUNT)
+		audit_log_format(ab, ", remount");
+	if (flags & MS_MANDLOCK)
+		audit_log_format(ab, ", mand");
+	if (flags & MS_DIRSYNC)
+		audit_log_format(ab, ", dirsync");
+	if (flags & MS_NOATIME)
+		audit_log_format(ab, ", noatime");
+	if (flags & MS_NODIRATIME)
+		audit_log_format(ab, ", nodiratime");
+	if (flags & MS_BIND)
+		audit_log_format(ab, flags & MS_REC ? ", rbind" : ", bind");
+	if (flags & MS_MOVE)
+		audit_log_format(ab, ", move");
+	if (flags & MS_SILENT)
+		audit_log_format(ab, ", silent");
+	if (flags & MS_POSIXACL)
+		audit_log_format(ab, ", acl");
+	if (flags & MS_UNBINDABLE)
+		audit_log_format(ab, flags & MS_REC ? ", runbindable" :
+				 ", unbindable");
+	if (flags & MS_PRIVATE)
+		audit_log_format(ab, flags & MS_REC ? ", rprivate" :
+				 ", private");
+	if (flags & MS_SLAVE)
+		audit_log_format(ab, flags & MS_REC ? ", rslave" :
+				 ", slave");
+	if (flags & MS_SHARED)
+		audit_log_format(ab, flags & MS_REC ? ", rshared" :
+				 ", shared");
+	if (flags & MS_RELATIME)
+		audit_log_format(ab, ", relatime");
+	if (flags & MS_I_VERSION)
+		audit_log_format(ab, ", iversion");
+	if (flags & MS_STRICTATIME)
+		audit_log_format(ab, ", strictatime");
+	if (flags & MS_NOUSER)
+		audit_log_format(ab, ", nouser");
+}
+
+/**
+ * audit_cb - call back for mount specific audit fields
+ * @ab: audit_buffer  (NOT NULL)
+ * @va: audit struct to audit values of  (NOT NULL)
+ */
+static void audit_cb(struct audit_buffer *ab, void *va)
+{
+	struct common_audit_data *sa = va;
+
+	if (sa->aad->mnt.type) {
+		audit_log_format(ab, " fstype=");
+		audit_log_untrustedstring(ab, sa->aad->mnt.type);
+	}
+	if (sa->aad->mnt.src_name) {
+		audit_log_format(ab, " srcname=");
+		audit_log_untrustedstring(ab, sa->aad->mnt.src_name);
+	}
+	if (sa->aad->mnt.trans) {
+		audit_log_format(ab, " trans=");
+		audit_log_untrustedstring(ab, sa->aad->mnt.trans);
+	}
+	if (sa->aad->mnt.flags || sa->aad->op == OP_MOUNT) {
+		audit_log_format(ab, " flags=\"");
+		audit_mnt_flags(ab, sa->aad->mnt.flags);
+		audit_log_format(ab, "\"");
+	}
+	if (sa->aad->mnt.data) {
+		audit_log_format(ab, " options=");
+		audit_log_untrustedstring(ab, sa->aad->mnt.data);
+	}
+}
+
+/**
+ * audit_mount - handle the auditing of mount operations
+ * @profile: the profile being enforced  (NOT NULL)
+ * @gfp: allocation flags
+ * @op: operation being mediated (NOT NULL)
+ * @name: name of object being mediated (MAYBE NULL)
+ * @src_name: src_name of object being mediated (MAYBE_NULL)
+ * @type: type of filesystem (MAYBE_NULL)
+ * @trans: name of trans (MAYBE NULL)
+ * @flags: filesystem idependent mount flags
+ * @data: filesystem mount flags
+ * @request: permissions requested
+ * @perms: the permissions computed for the request (NOT NULL)
+ * @info: extra information message (MAYBE NULL)
+ * @error: 0 if operation allowed else failure error code
+ *
+ * Returns: %0 or error on failure
+ */
+static int audit_mount(struct aa_profile *profile, gfp_t gfp, int op,
+		       const char *name, const char *src_name,
+		       const char *type, const char *trans,
+		       unsigned long flags, const void *data, u32 request,
+		       struct file_perms *perms, const char *info, int error)
+{
+	int audit_type = AUDIT_APPARMOR_AUTO;
+	struct common_audit_data sa = { };
+	struct apparmor_audit_data aad = { };
+
+	if (likely(!error)) {
+		u32 mask = perms->audit;
+
+		if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL))
+			mask = 0xffff;
+
+		/* mask off perms that are not being force audited */
+		request &= mask;
+
+		if (likely(!request))
+			return 0;
+		audit_type = AUDIT_APPARMOR_AUDIT;
+	} else {
+		/* only report permissions that were denied */
+		request = request & ~perms->allow;
+
+		if (request & perms->kill)
+			audit_type = AUDIT_APPARMOR_KILL;
+
+		/* quiet known rejects, assumes quiet and kill do not overlap */
+		if ((request & perms->quiet) &&
+		    AUDIT_MODE(profile) != AUDIT_NOQUIET &&
+		    AUDIT_MODE(profile) != AUDIT_ALL)
+			request &= ~perms->quiet;
+
+		if (!request)
+			return COMPLAIN_MODE(profile) ?
+				complain_error(error) : error;
+	}
+
+	sa.type = LSM_AUDIT_DATA_NONE;
+	sa.aad = &aad;
+	sa.aad->op = op;
+	sa.aad->name = name;
+	sa.aad->mnt.src_name = src_name;
+	sa.aad->mnt.type = type;
+	sa.aad->mnt.trans = trans;
+	sa.aad->mnt.flags = flags;
+	if (data && (perms->audit & AA_AUDIT_DATA))
+		sa.aad->mnt.data = data;
+	sa.aad->info = info;
+	sa.aad->error = error;
+
+	return aa_audit(audit_type, profile, gfp, &sa, audit_cb);
+}
+
+/**
+ * match_mnt_flags - Do an ordered match on mount flags
+ * @dfa: dfa to match against
+ * @state: state to start in
+ * @flags: mount flags to match against
+ *
+ * Mount flags are encoded as an ordered match. This is done instead of
+ * checking against a simple bitmask, to allow for logical operations
+ * on the flags.
+ *
+ * Returns: next state after flags match
+ */
+static unsigned int match_mnt_flags(struct aa_dfa *dfa, unsigned int state,
+				    unsigned long flags)
+{
+	unsigned int i;
+
+	for (i = 0; i <= 31 ; ++i) {
+		if ((1 << i) & flags)
+			state = aa_dfa_next(dfa, state, i + 1);
+	}
+
+	return state;
+}
+
+/**
+ * compute_mnt_perms - compute mount permission associated with @state
+ * @dfa: dfa to match against (NOT NULL)
+ * @state: state match finished in
+ *
+ * Returns: mount permissions
+ */
+static struct file_perms compute_mnt_perms(struct aa_dfa *dfa,
+					   unsigned int state)
+{
+	struct file_perms perms;
+
+	perms.kill = 0;
+	perms.allow = dfa_user_allow(dfa, state);
+	perms.audit = dfa_user_audit(dfa, state);
+	perms.quiet = dfa_user_quiet(dfa, state);
+	perms.xindex = dfa_user_xindex(dfa, state);
+
+	return perms;
+}
+
+static const char const *mnt_info_table[] = {
+	"match succeeded",
+	"failed mntpnt match",
+	"failed srcname match",
+	"failed type match",
+	"failed flags match",
+	"failed data match"
+};
+
+/*
+ * Returns 0 on success else element that match failed in, this is the
+ * index into the mnt_info_table above
+ */
+static int do_match_mnt(struct aa_dfa *dfa, unsigned int start,
+			const char *mntpnt, const char *devname,
+			const char *type, unsigned long flags,
+			void *data, bool binary, struct file_perms *perms)
+{
+	unsigned int state;
+
+	state = aa_dfa_match(dfa, start, mntpnt);
+	state = aa_dfa_null_transition(dfa, state);
+	if (!state)
+		return 1;
+
+	if (devname)
+		state = aa_dfa_match(dfa, state, devname);
+	state = aa_dfa_null_transition(dfa, state);
+	if (!state)
+		return 2;
+
+	if (type)
+		state = aa_dfa_match(dfa, state, type);
+	state = aa_dfa_null_transition(dfa, state);
+	if (!state)
+		return 3;
+
+	state = match_mnt_flags(dfa, state, flags);
+	if (!state)
+		return 4;
+	*perms = compute_mnt_perms(dfa, state);
+	if (perms->allow & AA_MAY_MOUNT)
+		return 0;
+
+	/* only match data if not binary and the DFA flags data is expected */
+	if (data && !binary && (perms->allow & AA_CONT_MATCH)) {
+		state = aa_dfa_null_transition(dfa, state);
+		if (!state)
+			return 4;
+
+		state = aa_dfa_match(dfa, state, data);
+		if (!state)
+			return 5;
+		*perms = compute_mnt_perms(dfa, state);
+		if (perms->allow & AA_MAY_MOUNT)
+			return 0;
+	}
+
+	/* failed at end of flags match */
+	return 4;
+}
+
+/**
+ * match_mnt - handle path matching for mount
+ * @profile: the confining profile
+ * @mntpnt: string for the mntpnt (NOT NULL)
+ * @devname: string for the devname/src_name (MAYBE NULL)
+ * @type: string for the dev type (MAYBE NULL)
+ * @flags: mount flags to match
+ * @data: fs mount data (MAYBE NULL)
+ * @binary: whether @data is binary
+ * @perms: Returns: permission found by the match
+ * @info: Returns: infomation string about the match for logging
+ *
+ * Returns: 0 on success else error
+ */
+static int match_mnt(struct aa_profile *profile, const char *mntpnt,
+		     const char *devname, const char *type,
+		     unsigned long flags, void *data, bool binary,
+		     struct file_perms *perms, const char **info)
+{
+	int pos;
+
+	if (!profile->policy.dfa)
+		return -EACCES;
+
+	pos = do_match_mnt(profile->policy.dfa,
+			   profile->policy.start[AA_CLASS_MOUNT],
+			   mntpnt, devname, type, flags, data, binary, perms);
+	if (pos) {
+		*info = mnt_info_table[pos];
+		return -EACCES;
+	}
+
+	return 0;
+}
+
+static int path_flags(struct aa_profile *profile, struct path *path)
+{
+	return profile->path_flags |
+		S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0;
+}
+
+int aa_remount(struct aa_profile *profile, struct path *path,
+	       unsigned long flags, void *data)
+{
+	struct file_perms perms = { };
+	const char *name, *info = NULL;
+	char *buffer = NULL;
+	int binary, error;
+
+	binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA;
+
+	error = aa_path_name(path, path_flags(profile, path), &buffer, &name,
+			     &info);
+	if (error)
+		goto audit;
+
+	error = match_mnt(profile, name, NULL, NULL, flags, data, binary,
+			  &perms, &info);
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name, NULL, NULL,
+			    NULL, flags, data, AA_MAY_MOUNT, &perms, info,
+			    error);
+	kfree(buffer);
+
+	return error;
+}
+
+int aa_bind_mount(struct aa_profile *profile, struct path *path,
+		  const char *dev_name, unsigned long flags)
+{
+	struct file_perms perms = { };
+	char *buffer = NULL, *old_buffer = NULL;
+	const char *name, *old_name = NULL, *info = NULL;
+	struct path old_path;
+	int error;
+
+	if (!dev_name || !*dev_name)
+		return -EINVAL;
+
+	flags &= MS_REC | MS_BIND;
+
+	error = aa_path_name(path, path_flags(profile, path), &buffer, &name,
+			     &info);
+	if (error)
+		goto audit;
+
+	error = kern_path(dev_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path);
+	if (error)
+		goto audit;
+
+	error = aa_path_name(&old_path, path_flags(profile, &old_path),
+			     &old_buffer, &old_name, &info);
+	path_put(&old_path);
+	if (error)
+		goto audit;
+
+	error = match_mnt(profile, name, old_name, NULL, flags, NULL, 0,
+			  &perms, &info);
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name, old_name,
+			    NULL, NULL, flags, NULL, AA_MAY_MOUNT, &perms,
+			    info, error);
+	kfree(buffer);
+	kfree(old_buffer);
+
+	return error;
+}
+
+int aa_mount_change_type(struct aa_profile *profile, struct path *path,
+			 unsigned long flags)
+{
+	struct file_perms perms = { };
+	char *buffer = NULL;
+	const char *name, *info = NULL;
+	int error;
+
+	/* These are the flags allowed by do_change_type() */
+	flags &= (MS_REC | MS_SILENT | MS_SHARED | MS_PRIVATE | MS_SLAVE |
+		  MS_UNBINDABLE);
+
+	error = aa_path_name(path, path_flags(profile, path), &buffer, &name,
+			     &info);
+	if (error)
+		goto audit;
+
+	error = match_mnt(profile, name, NULL, NULL, flags, NULL, 0, &perms,
+			  &info);
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name, NULL, NULL,
+			    NULL, flags, NULL, AA_MAY_MOUNT, &perms, info,
+			    error);
+	kfree(buffer);
+
+	return error;
+}
+
+int aa_move_mount(struct aa_profile *profile, struct path *path,
+		  const char *orig_name)
+{
+	struct file_perms perms = { };
+	char *buffer = NULL, *old_buffer = NULL;
+	const char *name, *old_name = NULL, *info = NULL;
+	struct path old_path;
+	int error;
+
+	if (!orig_name || !*orig_name)
+		return -EINVAL;
+
+	error = aa_path_name(path, path_flags(profile, path), &buffer, &name,
+			     &info);
+	if (error)
+		goto audit;
+
+	error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path);
+	if (error)
+		goto audit;
+
+	error = aa_path_name(&old_path, path_flags(profile, &old_path),
+			     &old_buffer, &old_name, &info);
+	path_put(&old_path);
+	if (error)
+		goto audit;
+
+	error = match_mnt(profile, name, old_name, NULL, MS_MOVE, NULL, 0,
+			  &perms, &info);
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name, old_name,
+			    NULL, NULL, MS_MOVE, NULL, AA_MAY_MOUNT, &perms,
+			    info, error);
+	kfree(buffer);
+	kfree(old_buffer);
+
+	return error;
+}
+
+int aa_new_mount(struct aa_profile *profile, const char *orig_dev_name,
+		 struct path *path, const char *type, unsigned long flags,
+		 void *data)
+{
+	struct file_perms perms = { };
+	char *buffer = NULL, *dev_buffer = NULL;
+	const char *name = NULL, *dev_name = NULL, *info = NULL;
+	int binary = 1;
+	int error;
+
+	dev_name = orig_dev_name;
+	if (type) {
+		int requires_dev;
+		struct file_system_type *fstype = get_fs_type(type);
+		if (!fstype)
+			return -ENODEV;
+
+		binary = fstype->fs_flags & FS_BINARY_MOUNTDATA;
+		requires_dev = fstype->fs_flags & FS_REQUIRES_DEV;
+		put_filesystem(fstype);
+
+		if (requires_dev) {
+			struct path dev_path;
+
+			if (!dev_name || !*dev_name) {
+				error = -ENOENT;
+				goto out;
+			}
+
+			error = kern_path(dev_name, LOOKUP_FOLLOW, &dev_path);
+			if (error)
+				goto audit;
+
+			error = aa_path_name(&dev_path,
+					     path_flags(profile, &dev_path),
+					     &dev_buffer, &dev_name, &info);
+			path_put(&dev_path);
+			if (error)
+				goto audit;
+		}
+	}
+
+	error = aa_path_name(path, path_flags(profile, path), &buffer, &name,
+			     &info);
+	if (error)
+		goto audit;
+
+	error = match_mnt(profile, name, dev_name, type, flags, data, binary,
+			  &perms, &info);
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name,  dev_name,
+			    type, NULL, flags, data, AA_MAY_MOUNT, &perms, info,
+			    error);
+	kfree(buffer);
+	kfree(dev_buffer);
+
+out:
+	return error;
+
+}
+
+int aa_umount(struct aa_profile *profile, struct vfsmount *mnt, int flags)
+{
+	struct file_perms perms = { };
+	char *buffer = NULL;
+	const char *name, *info = NULL;
+	int error;
+
+	struct path path = { mnt, mnt->mnt_root };
+	error = aa_path_name(&path, path_flags(profile, &path), &buffer, &name,
+			     &info);
+	if (error)
+		goto audit;
+
+	if (!error && profile->policy.dfa) {
+		unsigned int state;
+		state = aa_dfa_match(profile->policy.dfa,
+				     profile->policy.start[AA_CLASS_MOUNT],
+				     name);
+		perms = compute_mnt_perms(profile->policy.dfa, state);
+	}
+
+	if (AA_MAY_UMOUNT & ~perms.allow)
+		error = -EACCES;
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_UMOUNT, name, NULL, NULL,
+			    NULL, 0, NULL, AA_MAY_UMOUNT, &perms, info, error);
+	kfree(buffer);
+
+	return error;
+}
+
+int aa_pivotroot(struct aa_profile *profile, struct path *old_path,
+		  struct path *new_path)
+{
+	struct file_perms perms = { };
+	struct aa_profile *target = NULL;
+	char *old_buffer = NULL, *new_buffer = NULL;
+	const char *old_name, *new_name = NULL, *info = NULL;
+	int error;
+
+	error = aa_path_name(old_path, path_flags(profile, old_path),
+			     &old_buffer, &old_name, &info);
+	if (error)
+		goto audit;
+
+	error = aa_path_name(new_path, path_flags(profile, new_path),
+			     &new_buffer, &new_name, &info);
+	if (error)
+		goto audit;
+
+	if (profile->policy.dfa) {
+		unsigned int state;
+		state = aa_dfa_match(profile->policy.dfa,
+				     profile->policy.start[AA_CLASS_MOUNT],
+				     new_name);
+		state = aa_dfa_null_transition(profile->policy.dfa, state);
+		state = aa_dfa_match(profile->policy.dfa, state, old_name);
+		perms = compute_mnt_perms(profile->policy.dfa, state);
+	}
+
+	if (AA_MAY_PIVOTROOT & perms.allow) {
+		if ((perms.xindex & AA_X_TYPE_MASK) == AA_X_TABLE) {
+			target = x_table_lookup(profile, perms.xindex);
+			if (!target)
+				error = -ENOENT;
+			else
+				error = aa_replace_current_profile(target);
+		}
+	} else
+		error = -EACCES;
+
+audit:
+	error = audit_mount(profile, GFP_KERNEL, OP_PIVOTROOT, new_name,
+			    old_name, NULL, target ? target->base.name : NULL,
+			    0, NULL,  AA_MAY_PIVOTROOT, &perms, info, error);
+	aa_put_profile(target);
+	kfree(old_buffer);
+	kfree(new_buffer);
+
+	return error;
+}
+-- 
+1.7.10.4
+
--- a/kernel-patches/3.6/0006-apparmor-fix-IRQ-stack-overflow-during-free_profile.patch
+++ b/kernel-patches/3.6/0006-apparmor-fix-IRQ-stack-overflow-during-free_profile.patch
@@ -0,0 +1,70 @@
+From 663d5bbe6197bf990721c37ec877ea8ba5840202 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 24 Oct 2012 06:27:32 -0700
+Subject: [PATCH 6/6] apparmor: fix IRQ stack overflow during free_profile
+
+BugLink: http://bugs.launchpad.net/bugs/1056078
+
+Profile replacement can cause long chains of profiles to build up when
+the profile being replaced is pinned. When the pinned profile is finally
+freed, it puts the reference to its replacement, which may in turn nest
+another call to free_profile on the stack. Because this may happen for
+each profile in the replacedby chain this can result in a recusion that
+causes the stack to overflow.
+
+Break this nesting by directly walking the chain of replacedby profiles
+(ie. use iteration instead of recursion to free the list). This results
+in at most 2 levels of free_profile being called, while freeing a
+replacedby chain.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+---
+ security/apparmor/policy.c |   24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index 27c8161..56e5304 100644
+--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
+@@ -724,6 +724,8 @@ fail:
+  */
+ static void free_profile(struct aa_profile *profile)
+ {
+	struct aa_profile *p;
+
+ 	AA_DEBUG("%s(%p)\n", __func__, profile);
+ 
+ 	if (!profile)
+@@ -752,7 +754,27 @@ static void free_profile(struct aa_profile *profile)
+ 	aa_put_dfa(profile->xmatch);
+ 	aa_put_dfa(profile->policy.dfa);
+ 
+-	aa_put_profile(profile->replacedby);
+	/* put the profile reference for replacedby, but not via
+	 * put_profile(kref_put).
+	 * replacedby can form a long chain that can result in cascading
+	 * frees that blows the stack because kref_put makes a nested fn
+	 * call (it looks like recursion, with free_profile calling
+	 * free_profile) for each profile in the chain lp#1056078.
+	 */
+	for (p = profile->replacedby; p; ) {
+		if (atomic_dec_and_test(&p->base.count.refcount)) {
+			/* no more refs on p, grab its replacedby */
+			struct aa_profile *next = p->replacedby;
+			/* break the chain */
+			p->replacedby = NULL;
+			/* now free p, chain is broken */
+			free_profile(p);
+
+			/* follow up with next profile in the chain */
+			p = next;
+		} else
+			break;
+	}
+ 
+ 	kzfree(profile);
+ }
+-- 
+1.7.10.4
+
--- a/libraries/libapparmor/configure.in
+++ b/libraries/libapparmor/configure.in
@@ -10,6 +10,7 @@ AM_INIT_AUTOMAKE(libapparmor1, apparmor_version)
 AM_PROG_LEX
 AC_PROG_YACC
 AC_PROG_SED
+PKG_PROG_PKG_CONFIG

 AC_PATH_PROG([SWIG], [swig])

--- a/libraries/libapparmor/doc/aa_change_hat.pod
+++ b/libraries/libapparmor/doc/aa_change_hat.pod
@@ -99,16 +99,25 @@ Insufficient kernel memory was available.

 =item B<EPERM>

-The calling application is not confined by apparmor.
+The calling application is not confined by apparmor, the specified
+I<subprofile> is not a I<hat profile>, the task is being ptraced and the
+tracing task does not have permission to trace the specified I<subprofile> or the no_new_privs execution bit is
+enabled.

 =item B<ECHILD>

 The application's profile has no hats defined for it.

+=item B<ENOENT>
+
+The specified I<subprofile> does not exist in this profile but other hats
+are defined.
+
 =item B<EACCES>

-The specified I<subprofile> does not exist in this profile or the
-process tried to change another process's domain.
+The specified magic token did not match, and permissions to change to
+the specified I<subprofile> has been denied. This will in most situations
+also result in the task being killed, to prevent brute force attacks.

 =back 

--- a/libraries/libapparmor/doc/aa_change_profile.pod
+++ b/libraries/libapparmor/doc/aa_change_profile.pod
@@ -74,8 +74,9 @@ errno(3) is set appropriately.

 =item B<EINVAL>

-The apparmor kernel module is not loaded or the communication via the
-F</proc/*/attr/current> file did not conform to protocol.
+The apparmor kernel module is not loaded, neither a profile nor a namespace
+was specified, or the communication via the F</proc/*/attr/current> file did
+not conform to protocol.

 =item B<ENOMEM>

@@ -83,12 +84,18 @@ Insufficient kernel memory was available.

 =item B<EPERM>

-The calling application is not confined by apparmor.
+The calling application is not confined by apparmor, or the no_new_privs
+bit is set.

 =item B<EACCES>

 The task does not have sufficient permissions to change its domain.

+=item B<ENOENT>
+
+The specified profile does not exist, or is not visible from the current
+Namespace.
+
 =back

 =head1 EXAMPLE
--- a/libraries/libapparmor/doc/aa_getcon.pod
+++ b/libraries/libapparmor/doc/aa_getcon.pod
@@ -69,7 +69,8 @@ does not handle buffer allocation.

 =head1 RETURN VALUE

-On success zero is returned. On error, -1 is returned, and
+On success size of data placed in the buffer is returned, this includes the
+mode if present and any terminating characters. On error, -1 is returned, and
 errno(3) is set appropriately.

 =head1 ERRORS
--- a/libraries/libapparmor/m4/ac_python_devel.m4
+++ b/libraries/libapparmor/m4/ac_python_devel.m4
@@ -158,6 +158,8 @@ $ac_distutils_result])
        AC_MSG_CHECKING([consistency of all components of python development environment])
        AC_LANG_PUSH([C])
        # save current global flags
+        ac_save_LIBS="$LIBS"
+        ac_save_CPPFLAGS="$CPPFLAGS"
        LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
        CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
        AC_TRY_LINK([
--- a/libraries/libapparmor/src/Makefile.am
+++ b/libraries/libapparmor/src/Makefile.am
@@ -1,9 +1,34 @@
 INCLUDES = $(all_includes)

+# variables to set the library versions used by libtool
+# Use these rules to update the library version.
+# 1. Update the version information only immediately before a public release
+#    of your software. More frequent updates are unnecessary, and only
+#    guarantee that the current interface number gets larger faster.
+# 2. If the library source code has changed at all since the last update,
+#    then
+#    - increment AA_LIB_REVISION
+# 3. If any interfaces have been added, removed, or changed since the last
+#    update,
+#    - increment AA_LIB_CURRENT
+#    - set AA_LIB_REVISION to 0.
+# 4. If any interfaces have been added since the last public release, then
+#    - increment AA_LIB_AGE.
+# 5. If any interfaces have been removed or changed since the last public
+#    release, then
+#    - set AA_LIB_AGE to 0.
+#
+AA_LIB_CURRENT = 1
+AA_LIB_REVISION = 3
+AA_LIB_AGE = 0
+
+SUFFIXES = .pc.in .pc
+
 BUILT_SOURCES = grammar.h scanner.h af_protos.h
 AM_LFLAGS = -v
 AM_YFLAGS = -d -p aalogparse_
-AM_CFLAGS = @CFLAGS@ -D_GNU_SOURCE -Wall
+AM_CFLAGS = -Wall
+AM_CPPFLAGS = -D_GNU_SOURCE
 scanner.h: scanner.l
 	$(LEX) -v $<

@@ -22,15 +47,24 @@ lib_LTLIBRARIES = libapparmor.la libimmunix.la
 noinst_HEADERS = grammar.h parser.h scanner.h af_protos.h

 libapparmor_la_SOURCES = grammar.y libaalogparse.c kernel_interface.c scanner.c
-libapparmor_la_LDFLAGS = -version-info 1:2:0 -XCClinker -dynamic \
+libapparmor_la_LDFLAGS = -version-info $(AA_LIB_CURRENT):$(AA_LIB_REVISION):$(AA_LIB_AGE) -XCClinker -dynamic \
 	-Wl,--version-script=$(top_srcdir)/src/libapparmor.map -Wl,-soname=libapparmor.so.1

 libimmunix_la_SOURCES = kernel_interface.c libimmunix_warning.c
-libimmunix_la_LDFLAGS = -version-info 1:2:0 -Wl,--version-script=$(top_srcdir)/src/libapparmor.map -Wl,-soname=libimmunix.so.1
+libimmunix_la_LDFLAGS = -version-info $(AA_LIB_CURRENT):$(AA_LIB_REVISION):$(AA_LIB_AGE) -Wl,--version-script=$(top_srcdir)/src/libapparmor.map -Wl,-soname=libimmunix.so.1
+
+pkgconfigdir = $(libdir)/pkgconfig
+pkgconfig_DATA = libapparmor.pc
+
+CLEANFILES = libapparmor.pc
+
+%.pc: %.pc.in $(top_builddir)/config.status
+	$(AM_V_GEN)cd "$(top_builddir)" && \
+	$(SHELL) ./config.status --file="src/$@"

 tst_aalogmisc_SOURCES = tst_aalogmisc.c
 tst_aalogmisc_LDADD = .libs/libapparmor.a
 check_PROGRAMS = tst_aalogmisc
 TESTS = $(check_PROGRAMS)

-EXTRA_DIST = grammar.y scanner.l libapparmor.map
+EXTRA_DIST = grammar.y scanner.l libapparmor.map libapparmor.pc
--- a/libraries/libapparmor/src/aalogparse.h
+++ b/libraries/libapparmor/src/aalogparse.h
@@ -141,6 +141,10 @@ typedef struct
 	char *net_family;
 	char *net_protocol;
 	char *net_sock_type;
+	char *net_local_addr;
+	unsigned long net_local_port;
+	char *net_foreign_addr;
+	unsigned long net_foreign_port;
 } aa_log_record;

 /**
--- a/libraries/libapparmor/src/grammar.y
+++ b/libraries/libapparmor/src/grammar.y
@@ -81,8 +81,9 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %type <t_str> safe_string protocol
 %token <t_long> TOK_DIGITS TOK_TYPE_UNKNOWN
 %token <t_str> TOK_QUOTED_STRING TOK_ID TOK_MODE TOK_DMESG_STAMP
-%token <t_str> TOK_AUDIT_DIGITS TOK_DATE_MONTH TOK_DATE_TIME
+%token <t_str> TOK_AUDIT_DIGITS TOK_DATE_MONTH TOK_DATE TOK_TIME
 %token <t_str> TOK_HEXSTRING TOK_TYPE_OTHER TOK_MSG_REST
+%token <t_str> TOK_IP_ADDR

 %token TOK_EQUALS
 %token TOK_COLON
@@ -133,6 +134,10 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_CAPNAME
 %token TOK_KEY_OFFSET
 %token TOK_KEY_TARGET
+%token TOK_KEY_LADDR
+%token TOK_KEY_FADDR
+%token TOK_KEY_LPORT
+%token TOK_KEY_FPORT

 %token TOK_SYSLOG_KERNEL

@@ -198,7 +203,8 @@ audit_id: TOK_AUDIT TOK_OPEN_PAREN TOK_AUDIT_DIGITS TOK_PERIOD TOK_AUDIT_DIGITS
 		free($7);
 	} ;

-syslog_date: TOK_DATE_MONTH TOK_DIGITS TOK_DATE_TIME { /* do nothing? */ }
+syslog_date: TOK_DATE_MONTH TOK_DIGITS TOK_TIME { /* do nothing? */ }
+	| TOK_DATE TOK_TIME { /* do nothing */ }
 	;

 key_list: key
@@ -268,6 +274,14 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ /* target was always name2 in the past */
 	  ret_record->name2 = $3;
 	}
+	| TOK_KEY_LADDR TOK_EQUALS TOK_IP_ADDR
+	{ ret_record->net_local_addr = $3;}
+	| TOK_KEY_FADDR TOK_EQUALS TOK_IP_ADDR
+	{ ret_record->net_foreign_addr = $3;}
+	| TOK_KEY_LPORT TOK_EQUALS TOK_DIGITS
+	{ ret_record->net_local_port = $3;}
+	| TOK_KEY_FPORT TOK_EQUALS TOK_DIGITS
+	{ ret_record->net_foreign_port = $3;}
 	| TOK_MSG_REST
 	{
 		ret_record->event = AA_RECORD_INVALID;
--- a/libraries/libapparmor/src/kernel_interface.c
+++ b/libraries/libapparmor/src/kernel_interface.c
@@ -278,11 +278,12 @@ int aa_getprocattr(pid_t tid, const char *attr, char **buf, char **mode)

 	if (rc == -1) {
 		free(buffer);
-		size = -1;
+		*buf = NULL;
+		*mode = NULL;
 	} else
 		*buf = buffer;

-	return size;
+	return rc;
 }

 static int setprocattr(pid_t tid, const char *attr, const char *buf, int len)
@@ -617,6 +618,7 @@ int aa_getpeercon(int fd, char **con)

 	if (rc == -1) {
 		free(buffer);
+		*con = NULL;
 		size = -1;
 	} else
 		*con = buffer;
--- a/libraries/libapparmor/src/libapparmor.map
+++ b/libraries/libapparmor/src/libapparmor.map
@@ -1,3 +1,5 @@
+#If you update this file please update the library version in Makefile.am
+
 IMMUNIX_1.0 {
  global:
        change_hat;
--- a/libraries/libapparmor/src/libapparmor.pc.in
+++ b/libraries/libapparmor/src/libapparmor.pc.in
@@ -0,0 +1,10 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+
+Name: libapparmor
+Description: AppArmor library for for utility functions
+Version: @VERSION@
+Cflags: -I${includedir}
+Libs: -L${libdir} -lapparmor
--- a/libraries/libapparmor/src/scanner.l
+++ b/libraries/libapparmor/src/scanner.l
@@ -75,10 +75,12 @@ void string_buf_append(unsigned int length, char *text)
 ws		[ \t\r\n]

 equals		"="
-digits		[0-9]+
+digit		[[:digit:]]
+digits		{digit}+
 hex		[A-F0-9]
 colon		":"
 minus		"-"
+plus		"+"
 open_paren	"("
 close_paren	")"
 ID		[^ \t\n\(\)="'!]
@@ -133,12 +135,23 @@ key_capability		"capability"
 key_capname		"capname"
 key_offset		"offset"
 key_target		"target"
+key_laddr		"laddr"
+key_faddr		"faddr"
+key_lport		"lport"
+key_fport		"fport"
 audit			"audit"

+/* network addrs */
+ip_addr			[a-f[:digit:].:]{3,}
+
 /* syslog tokens */
 syslog_kernel		kernel{colon}
+syslog_yyyymmdd		{digit}{4}{minus}{digit}{2}{minus}{digit}{2}
+syslog_date		{syslog_yyyymmdd}
 syslog_month 		Jan(uary)?|Feb(ruary)?|Mar(ch)?|Apr(il)?|May|Jun(e)?|Jul(y)?|Aug(ust)?|Sep(tember)?|Oct(ober)?|Nov(ember)?|Dec(ember)?
-syslog_time 		{digits}{digits}{colon}{digits}{digits}{colon}{digits}{digits}
+hhmmss			{digit}{2}{colon}{digit}{2}{colon}{digit}{2}
+timezone		({plus}|{minus}){digit}{2}{colon}{digit}{2}
+syslog_time 		{hhmmss}({period}{digits})?{timezone}?
 syslog_hostname		[[:alnum:]_-]+
 dmesg_timestamp		\[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]

@@ -149,6 +162,7 @@ dmesg_timestamp		\[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]
 %x dmesg_timestamp
 %x safe_string
 %x audit_types
+%x ip_addr
 %x other_audit
 %x unknown_message

@@ -201,6 +215,12 @@ yy_flex_debug = 0;
 	.		{ /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
 	}

+<ip_addr>{
+	{ip_addr}	{ yylval->t_str = strdup(yytext); yy_pop_state(yyscanner); return(TOK_IP_ADDR); }
+	{equals}	{ return(TOK_EQUALS); }
+	.		{ /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
+	}
+
 <audit_types>{
 	{equals}	{ return(TOK_EQUALS); }
 	{digits}	{ yylval->t_long = atol(yytext); BEGIN(INITIAL); return(TOK_DIGITS); }
@@ -270,10 +290,16 @@ yy_flex_debug = 0;
 {key_capname}		{ return(TOK_KEY_CAPNAME); }
 {key_offset}		{ return(TOK_KEY_OFFSET); }
 {key_target}		{ return(TOK_KEY_TARGET); }
+{key_laddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
+{key_faddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
+{key_lport}		{ return(TOK_KEY_LPORT); }
+{key_fport}		{ return(TOK_KEY_FPORT); }

 {syslog_kernel}		{ BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
 {syslog_month}		{ yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
-{syslog_time}		{ yylval->t_str = strdup(yytext); BEGIN(hostname); return(TOK_DATE_TIME); }
+{syslog_date}		{ yylval->t_str = strdup(yytext); return(TOK_DATE); }
+{syslog_date}T/{syslog_time}	{ yylval->t_str = strndup(yytext, strlen(yytext)-1); return(TOK_DATE); }
+{syslog_time}		{ yylval->t_str = strdup(yytext); BEGIN(hostname); return(TOK_TIME); }

 {audit}			{ yy_push_state(audit_id, yyscanner); return(TOK_AUDIT); }

--- a/libraries/libapparmor/swig/perl/Makefile.PL.in
+++ b/libraries/libapparmor/swig/perl/Makefile.PL.in
@@ -10,7 +10,7 @@ WriteMakefile(
 	'FIRST_MAKEFILE' => 'Makefile.perl',
 	'ABSTRACT' => q[Perl interface to AppArmor] ,
 	'VERSION' => q[@VERSION@],
-	'INC' => q[-I@top_srcdir@/src @CFLAGS@],
+	'INC' => q[@CPPFLAGS@ -I@top_srcdir@/src @CFLAGS@],
 	'LIBS' => q[-L@top_builddir@/src/.libs/ -lapparmor @LIBS@],
 	'OBJECT' => 'libapparmor_wrap.o', # $(OBJ_EXT)
 ) ;
--- a/libraries/libapparmor/testsuite/Makefile.am
+++ b/libraries/libapparmor/testsuite/Makefile.am
@@ -10,8 +10,7 @@ AM_CFLAGS = -Wall
 noinst_PROGRAMS = test_multi.multi

 test_multi_multi_SOURCES	= test_multi.c
-test_multi_multi_CFLAGS		= $(CFLAGS) -Wall
-test_multi_multi_LDFLAGS	= $(LDFLAGS)
+test_multi_multi_CFLAGS		= -Wall
 test_multi_multi_LDADD		= -L../src/.libs -lapparmor

 clean-local:
--- a/libraries/libapparmor/testsuite/test_multi.c
+++ b/libraries/libapparmor/testsuite/test_multi.c
@@ -51,6 +51,18 @@ int main(int argc, char **argv)
 	return ret;
 }

+#define print_string(description, var) \
+	if ((var) != NULL) { \
+		printf("%s: %s\n", (description), (var)); \
+	}
+
+/* unset is the value that the library sets to the var to indicate
+   that it is unset */
+#define print_long(description, var, unset) \
+	if ((var) != (unsigned long) (unset)) { \
+		printf("%s: %ld\n", (description), (var)); \
+	}
+
 int print_results(aa_log_record *record)
 {
 		printf("Event type: ");
@@ -185,6 +197,11 @@ int print_results(aa_log_record *record)
 		{
 			printf("Protocol: %s\n", record->net_protocol);
 		}
+		print_string("Local addr", record->net_local_addr);
+		print_string("Foreign addr", record->net_foreign_addr);
+		print_long("Local port", record->net_local_port, 0);
+		print_long("Foreign port", record->net_foreign_port, 0);
+
 		printf("Epoch: %lu\n", record->epoch);
 		printf("Audit subid: %u\n", record->audit_sub_id);
 	return(0);
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_01.err
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_01.err
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_01.in
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_01.in
@@ -0,0 +1 @@
+Jan  1 15:09:04 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_01.out
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_01.out
@@ -0,0 +1,16 @@
+START
+File: test_multi/syslog_datetime_01.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1357024144.556:6368
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /usr/lib/virtualbox/VBoxSVC//null-2d
+Name: /sys/class/power_supply/
+Command: ACPI Poller
+Parent: 5390
+PID: 5457
+Epoch: 1357024144
+Audit subid: 6368
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_02.err
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_02.err
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_02.in
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_02.in
@@ -0,0 +1 @@
+Jan  1 15:09:04+08:00 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_02.out
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_02.out
@@ -0,0 +1,16 @@
+START
+File: test_multi/syslog_datetime_02.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1357024144.556:6368
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /usr/lib/virtualbox/VBoxSVC//null-2d
+Name: /sys/class/power_supply/
+Command: ACPI Poller
+Parent: 5390
+PID: 5457
+Epoch: 1357024144
+Audit subid: 6368
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_03.err
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_03.err
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_03.in
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_03.in
@@ -0,0 +1 @@
+Jan  1 15:09:04.562575 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_03.out
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_03.out
@@ -0,0 +1,16 @@
+START
+File: test_multi/syslog_datetime_03.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1357024144.556:6368
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /usr/lib/virtualbox/VBoxSVC//null-2d
+Name: /sys/class/power_supply/
+Command: ACPI Poller
+Parent: 5390
+PID: 5457
+Epoch: 1357024144
+Audit subid: 6368
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_04.err
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_04.err
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_04.in
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_04.in
@@ -0,0 +1 @@
+Jan  1 15:09:04.562575+08:00 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_04.out
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_04.out
@@ -0,0 +1,16 @@
+START
+File: test_multi/syslog_datetime_04.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1357024144.556:6368
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /usr/lib/virtualbox/VBoxSVC//null-2d
+Name: /sys/class/power_supply/
+Command: ACPI Poller
+Parent: 5390
+PID: 5457
+Epoch: 1357024144
+Audit subid: 6368
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_05.err
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_05.err
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_05.in
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_05.in
@@ -0,0 +1 @@
+Jan  1 15:09:04-08:00 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_05.out
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_05.out
@@ -0,0 +1,16 @@
+START
+File: test_multi/syslog_datetime_05.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1357024144.556:6368
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /usr/lib/virtualbox/VBoxSVC//null-2d
+Name: /sys/class/power_supply/
+Command: ACPI Poller
+Parent: 5390
+PID: 5457
+Epoch: 1357024144
+Audit subid: 6368
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_06.err
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_06.err
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_06.in
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_06.in
@@ -0,0 +1 @@
+Jan  1 15:09:04.562575-08:00 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_06.out
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_06.out
@@ -0,0 +1,16 @@
+START
+File: test_multi/syslog_datetime_06.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1357024144.556:6368
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /usr/lib/virtualbox/VBoxSVC//null-2d
+Name: /sys/class/power_supply/
+Command: ACPI Poller
+Parent: 5390
+PID: 5457
+Epoch: 1357024144
+Audit subid: 6368
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_07.err
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_07.err
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_07.in
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_07.in
@@ -0,0 +1 @@
+2013-01-01 15:09:04 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_07.out
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_07.out
@@ -0,0 +1,16 @@
+START
+File: test_multi/syslog_datetime_07.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1357024144.556:6368
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /usr/lib/virtualbox/VBoxSVC//null-2d
+Name: /sys/class/power_supply/
+Command: ACPI Poller
+Parent: 5390
+PID: 5457
+Epoch: 1357024144
+Audit subid: 6368
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_08.err
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_08.err
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_08.in
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_08.in
@@ -0,0 +1 @@
+2013-01-01 15:09:04+08:00 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_08.out
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_08.out
@@ -0,0 +1,16 @@
+START
+File: test_multi/syslog_datetime_08.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1357024144.556:6368
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /usr/lib/virtualbox/VBoxSVC//null-2d
+Name: /sys/class/power_supply/
+Command: ACPI Poller
+Parent: 5390
+PID: 5457
+Epoch: 1357024144
+Audit subid: 6368
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_09.err
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_09.err
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_09.in
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_09.in
@@ -0,0 +1 @@
+2013-01-01 15:09:04.562575 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_09.out
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_09.out
@@ -0,0 +1,16 @@
+START
+File: test_multi/syslog_datetime_09.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1357024144.556:6368
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /usr/lib/virtualbox/VBoxSVC//null-2d
+Name: /sys/class/power_supply/
+Command: ACPI Poller
+Parent: 5390
+PID: 5457
+Epoch: 1357024144
+Audit subid: 6368
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_10.err
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_10.err
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_10.in
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_10.in
@@ -0,0 +1 @@
+2013-01-01 15:09:04.562575+08:00 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_10.out
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_10.out
@@ -0,0 +1,16 @@
+START
+File: test_multi/syslog_datetime_10.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1357024144.556:6368
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /usr/lib/virtualbox/VBoxSVC//null-2d
+Name: /sys/class/power_supply/
+Command: ACPI Poller
+Parent: 5390
+PID: 5457
+Epoch: 1357024144
+Audit subid: 6368
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_11.err
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_11.err
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_11.in
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_11.in
@@ -0,0 +1 @@
+2013-01-01 15:09:04-08:00 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_11.out
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_11.out
@@ -0,0 +1,16 @@
+START
+File: test_multi/syslog_datetime_11.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1357024144.556:6368
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /usr/lib/virtualbox/VBoxSVC//null-2d
+Name: /sys/class/power_supply/
+Command: ACPI Poller
+Parent: 5390
+PID: 5457
+Epoch: 1357024144
+Audit subid: 6368
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_12.err
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_12.err
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_12.in
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_12.in
@@ -0,0 +1 @@
+2013-01-01 15:09:04.562575-08:00 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_12.out
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_12.out
@@ -0,0 +1,16 @@
+START
+File: test_multi/syslog_datetime_12.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1357024144.556:6368
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /usr/lib/virtualbox/VBoxSVC//null-2d
+Name: /sys/class/power_supply/
+Command: ACPI Poller
+Parent: 5390
+PID: 5457
+Epoch: 1357024144
+Audit subid: 6368
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_13.err
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_13.err
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_13.in
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_13.in
@@ -0,0 +1 @@
+2013-01-01T15:09:04 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_13.out
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_13.out
@@ -0,0 +1,16 @@
+START
+File: test_multi/syslog_datetime_13.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1357024144.556:6368
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /usr/lib/virtualbox/VBoxSVC//null-2d
+Name: /sys/class/power_supply/
+Command: ACPI Poller
+Parent: 5390
+PID: 5457
+Epoch: 1357024144
+Audit subid: 6368
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_14.err
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_14.err
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_14.in
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_14.in
@@ -0,0 +1 @@
+2013-01-01T15:09:04+08:00 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_14.out
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_14.out
@@ -0,0 +1,16 @@
+START
+File: test_multi/syslog_datetime_14.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1357024144.556:6368
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /usr/lib/virtualbox/VBoxSVC//null-2d
+Name: /sys/class/power_supply/
+Command: ACPI Poller
+Parent: 5390
+PID: 5457
+Epoch: 1357024144
+Audit subid: 6368
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_15.err
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_15.err
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_15.in
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_15.in
@@ -0,0 +1 @@
+2013-01-01T15:09:04.562575 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_15.out
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_15.out
@@ -0,0 +1,16 @@
+START
+File: test_multi/syslog_datetime_15.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1357024144.556:6368
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /usr/lib/virtualbox/VBoxSVC//null-2d
+Name: /sys/class/power_supply/
+Command: ACPI Poller
+Parent: 5390
+PID: 5457
+Epoch: 1357024144
+Audit subid: 6368
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_16.err
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_16.err
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_16.in
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_16.in
@@ -0,0 +1 @@
+2013-01-01T15:09:04.562575+08:00 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_16.out
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_16.out
@@ -0,0 +1,16 @@
+START
+File: test_multi/syslog_datetime_16.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1357024144.556:6368
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /usr/lib/virtualbox/VBoxSVC//null-2d
+Name: /sys/class/power_supply/
+Command: ACPI Poller
+Parent: 5390
+PID: 5457
+Epoch: 1357024144
+Audit subid: 6368
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_17.err
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_17.err
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_17.in
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_17.in
@@ -0,0 +1 @@
+2013-01-01T15:09:04-08:00 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_17.out
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_17.out
@@ -0,0 +1,16 @@
+START
+File: test_multi/syslog_datetime_17.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1357024144.556:6368
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /usr/lib/virtualbox/VBoxSVC//null-2d
+Name: /sys/class/power_supply/
+Command: ACPI Poller
+Parent: 5390
+PID: 5457
+Epoch: 1357024144
+Audit subid: 6368
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_18.err
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_18.err
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_18.in
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_18.in
@@ -0,0 +1 @@
+2013-01-01T15:09:04.562575-08:00 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
--- a/libraries/libapparmor/testsuite/test_multi/syslog_datetime_18.out
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_datetime_18.out
@@ -0,0 +1,16 @@
+START
+File: test_multi/syslog_datetime_18.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1357024144.556:6368
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /usr/lib/virtualbox/VBoxSVC//null-2d
+Name: /sys/class/power_supply/
+Command: ACPI Poller
+Parent: 5390
+PID: 5457
+Epoch: 1357024144
+Audit subid: 6368
--- a/libraries/libapparmor/testsuite/test_multi/testcase_network_01.err
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_01.err
--- a/libraries/libapparmor/testsuite/test_multi/testcase_network_01.in
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_01.in
@@ -0,0 +1 @@
+Apr  5 19:30:56 precise-amd64 kernel: [153073.826757] type=1400 audit(1308766940.698:3704): apparmor="DENIED" operation="sendmsg" parent=24737 profile="/usr/bin/evince-thumbnailer" pid=24743 comm="evince-thumbnai" laddr=192.168.66.150 lport=765 faddr=192.168.66.200 fport=2049 family="inet" sock_type="stream" protocol=6
--- a/libraries/libapparmor/testsuite/test_multi/testcase_network_01.out
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_01.out
@@ -0,0 +1,18 @@
+START
+File: test_multi/testcase_network_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1308766940.698:3704
+Operation: sendmsg
+Profile: /usr/bin/evince-thumbnailer
+Command: evince-thumbnai
+Parent: 24737
+PID: 24743
+Network family: inet
+Socket type: stream
+Protocol: tcp
+Local addr: 192.168.66.150
+Foreign addr: 192.168.66.200
+Local port: 765
+Foreign port: 2049
+Epoch: 1308766940
+Audit subid: 3704
--- a/libraries/libapparmor/testsuite/test_multi/testcase_network_02.err
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_02.err
--- a/libraries/libapparmor/testsuite/test_multi/testcase_network_02.in
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_02.in
@@ -0,0 +1 @@
+Apr  5 19:31:04 precise-amd64 kernel: [153073.826757] type=1400 audit(1308766940.698:3704): apparmor="DENIED" operation="sendmsg" parent=24737 profile="/usr/bin/evince-thumbnailer" pid=24743 comm="evince-thumbnai" lport=765 fport=2049 family="inet" sock_type="stream" protocol=6
--- a/libraries/libapparmor/testsuite/test_multi/testcase_network_02.out
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_network_02.out
@@ -0,0 +1,16 @@
+START
+File: test_multi/testcase_network_02.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1308766940.698:3704
+Operation: sendmsg
+Profile: /usr/bin/evince-thumbnailer
+Command: evince-thumbnai
+Parent: 24737
+PID: 24743
+Network family: inet
+Socket type: stream
+Protocol: tcp
+Local port: 765
+Foreign port: 2049
+Epoch: 1308766940
+Audit subid: 3704
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .7.99
 .8.1
				`@@ -0,0 +1 @@`
				`Jan 1 15:09:04 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
				`@@ -0,0 +1 @@`
				`Jan 1 15:09:04+08:00 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
				`@@ -0,0 +1 @@`
				`Jan 1 15:09:04.562575 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
				`@@ -0,0 +1 @@`
				`Jan 1 15:09:04.562575+08:00 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
				`@@ -0,0 +1 @@`
				`Jan 1 15:09:04-08:00 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
				`@@ -0,0 +1 @@`
				`Jan 1 15:09:04.562575-08:00 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
				`@@ -0,0 +1 @@`
				`2013-01-01 15:09:04 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
				`@@ -0,0 +1 @@`
				`2013-01-01 15:09:04+08:00 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
				`@@ -0,0 +1 @@`
				`2013-01-01 15:09:04.562575 localhost kernel: [ 1911.569682] type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" operation="open" parent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`