mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 14:25:52 +00:00
Code Issues Releases Wiki Activity

Compare commits

base: mir:v4.0.0-beta2
Branches Tags
mir:master mir:apparmor-4.0 mir:apparmor-4.1 mir:apparmor-3.1 mir:apparmor-3.0 mir:apparmor-2.13 mir:fix-priority2 mir:apparmor-2.12 mir:apparmor-2.11 mir:fix-dirtest mir:check-if-systemd-detect-virt-is-present mir:250-what-is-the-minimum-kernel-version-required-for-apparmor-3 mir:160-the-trash-abstraction mir:apparmor-2.10 mir:cherry-pick-d257afd3 mir:cherry-pick-d4296d21 mir:apparmor-2.9 mir:apparmor-2.8 mir:apparmor-2.7 mir:apparmor-2.6 mir:apparmor-2.5 mir:apparmor-2.3 mir:apparmor-2.1
mir:v5.0.0-alpha1 mir:v4.1.1 mir:v4.1.0 mir:v4.1.0-cherry-pick-point mir:v4.1.0-beta5 mir:v4.1.0-beta4 mir:v4.1.0-beta3 mir:v4.1.0-beta2 mir:v4.1.0-beta1 mir:v4.0.3 mir:v4.0.2 mir:v4.0.1 mir:v4.0.0 mir:v4.0.0-beta4 mir:v4.0.0-beta3 mir:v4.0.0-beta2 mir:v4.0.0-beta1 mir:v2.13.11 mir:v3.0.13 mir:v3.1.7 mir:v4.0.0-alpha4 mir:v4.0.0-alpha3 mir:v4.0.0-alpha2 mir:v4.0.0-alpha1 mir:v2.13.10 mir:v3.0.12 mir:v3.1.6 mir:v3.1.5 mir:v3.0.11 mir:v2.13.9 mir:v2.13.8 mir:v3.0.10 mir:v3.1.4 mir:v3.0.9 mir:v3.1.3 mir:v3.0.8 mir:v2.13.7 mir:v2.12.4 mir:v3.1.2 mir:v3.1.1 mir:v3.1.0 mir:v3.0.7 mir:v3.0.6 mir:v3.0.5 mir:v3.0.4 mir:v3.0.3 mir:v3.0.2 mir:v2.10.6 mir:v2.13.6 mir:v3.0.1 mir:v2.13.5 mir:v3.0.0 mir:v2.13.4 mir:v2.10.5 mir:v2.11.3 mir:v2.12.3 mir:v2.13.3 mir:v2.10.4 mir:v2.11.2 mir:v2.12.2 mir:v2.13.2 mir:v2.12.1 mir:v2.13.1 mir:v2.13 mir:v2.12 mir:git-conversion mir:v2.11.95 mir:v2.11.1 mir:v2.10.3 mir:v2.9.5 mir:v2.8.5 mir:v2.11-branchpoint mir:v2.11.0 mir:v2.10.2 mir:v2.9.4 mir:v2.10.1 mir:v2.9.3 mir:v2.10.95 mir:v2.10-branchpoint mir:v2.10 mir:v2.9.2 mir:v2.9.1 mir:v2.9.0 mir:v2.8.98 mir:v2.9-beta4 mir:v2.8.4 mir:v2.9-beta3 mir:v2.8.97 mir:v2.9-beta2 mir:v2.8.95 mir:v2.8.3 mir:v2.8.2 mir:v2.8.1 mir:v2.8.0 mir:v2.8-beta5 mir:v2.8-beta4 mir:v2.8-beta3 mir:v2.8-beta2 mir:v2.7.99 mir:v2.7.1 mir:v2.7.0 mir:v2.7.0-rc2 mir:v2.7.0-rc1 mir:v2.7.0-beta2 mir:v2.7.0-beta1 mir:v2.6.1 mir:v2.6.1-rc1 mir:v2.6-branchpoint mir:v2.5.2 mir:v2.6.0 mir:v2.6.0-rc1 mir:v2.5.2-rc1 mir:v2.5.1
...
compare: mir:apparmor-2.1
Branches Tags
mir:master mir:apparmor-4.0 mir:apparmor-4.1 mir:apparmor-3.1 mir:apparmor-3.0 mir:apparmor-2.13 mir:fix-priority2 mir:apparmor-2.12 mir:apparmor-2.11 mir:fix-dirtest mir:check-if-systemd-detect-virt-is-present mir:250-what-is-the-minimum-kernel-version-required-for-apparmor-3 mir:160-the-trash-abstraction mir:apparmor-2.10 mir:cherry-pick-d257afd3 mir:cherry-pick-d4296d21 mir:apparmor-2.9 mir:apparmor-2.8 mir:apparmor-2.7 mir:apparmor-2.6 mir:apparmor-2.5 mir:apparmor-2.3 mir:apparmor-2.1
mir:v5.0.0-alpha1 mir:v4.1.1 mir:v4.1.0 mir:v4.1.0-cherry-pick-point mir:v4.1.0-beta5 mir:v4.1.0-beta4 mir:v4.1.0-beta3 mir:v4.1.0-beta2 mir:v4.1.0-beta1 mir:v4.0.3 mir:v4.0.2 mir:v4.0.1 mir:v4.0.0 mir:v4.0.0-beta4 mir:v4.0.0-beta3 mir:v4.0.0-beta2 mir:v4.0.0-beta1 mir:v2.13.11 mir:v3.0.13 mir:v3.1.7 mir:v4.0.0-alpha4 mir:v4.0.0-alpha3 mir:v4.0.0-alpha2 mir:v4.0.0-alpha1 mir:v2.13.10 mir:v3.0.12 mir:v3.1.6 mir:v3.1.5 mir:v3.0.11 mir:v2.13.9 mir:v2.13.8 mir:v3.0.10 mir:v3.1.4 mir:v3.0.9 mir:v3.1.3 mir:v3.0.8 mir:v2.13.7 mir:v2.12.4 mir:v3.1.2 mir:v3.1.1 mir:v3.1.0 mir:v3.0.7 mir:v3.0.6 mir:v3.0.5 mir:v3.0.4 mir:v3.0.3 mir:v3.0.2 mir:v2.10.6 mir:v2.13.6 mir:v3.0.1 mir:v2.13.5 mir:v3.0.0 mir:v2.13.4 mir:v2.10.5 mir:v2.11.3 mir:v2.12.3 mir:v2.13.3 mir:v2.10.4 mir:v2.11.2 mir:v2.12.2 mir:v2.13.2 mir:v2.12.1 mir:v2.13.1 mir:v2.13 mir:v2.12 mir:git-conversion mir:v2.11.95 mir:v2.11.1 mir:v2.10.3 mir:v2.9.5 mir:v2.8.5 mir:v2.11-branchpoint mir:v2.11.0 mir:v2.10.2 mir:v2.9.4 mir:v2.10.1 mir:v2.9.3 mir:v2.10.95 mir:v2.10-branchpoint mir:v2.10 mir:v2.9.2 mir:v2.9.1 mir:v2.9.0 mir:v2.8.98 mir:v2.9-beta4 mir:v2.8.4 mir:v2.9-beta3 mir:v2.8.97 mir:v2.9-beta2 mir:v2.8.95 mir:v2.8.3 mir:v2.8.2 mir:v2.8.1 mir:v2.8.0 mir:v2.8-beta5 mir:v2.8-beta4 mir:v2.8-beta3 mir:v2.8-beta2 mir:v2.7.99 mir:v2.7.1 mir:v2.7.0 mir:v2.7.0-rc2 mir:v2.7.0-rc1 mir:v2.7.0-beta2 mir:v2.7.0-beta1 mir:v2.6.1 mir:v2.6.1-rc1 mir:v2.6-branchpoint mir:v2.5.2 mir:v2.6.0 mir:v2.6.0-rc1 mir:v2.5.2-rc1 mir:v2.5.1

31 Commits
v4.0.0-bet ... apparmor-2

Author SHA1 Message Date
John Johansen
2d31f4dbc4 merge -r 1158 - fix fatal errors so that they have an exit with an exit code 
of 127
 2008-03-28 07:19:57 +00:00
John Johansen
ee8e0b66bc merge over -r 1156 update of the ptrace regression tests 2008-03-27 17:30:09 +00:00
John Johansen
bbe9d667f7 Merge over r1117 making the longpath test a default test done 2008-03-27 01:22:28 +00:00
John Johansen
10edcd1a70 merge over r1151 - fix to exex.sh test to allow it to run on 64 bit 
platforms where there is a /lib64
 2008-03-27 01:15:20 +00:00
John Johansen
8ce5b856e4 Backport setattr fix that fixes a bug where fuse unconditionally uses 
the ia_file if present, which is a problem for special files.
 2008-03-19 15:47:34 +00:00
John Johansen
ad02836ede merge over revision 1115 - add missing sysctl files 2008-03-08 03:07:56 +00:00
John Johansen
d6c3414323 Fix bug where log parsing could not handle append (a) and lock (k) perms. 
Also rework mode parsing to include x modifier placement restrictions
 2008-02-26 04:43:55 +00:00
John Johansen
ee16add79d update base opera profile 2008-02-19 10:30:52 +00:00
John Johansen
3fbbd135a6 merge over fix from r1075 - fix init script so that it doesn't result in a regex with a null alternation ie. |apparmor 2008-02-19 10:15:30 +00:00
John Johansen
cd18ed811b merge over fix from r1074 - update init functions to work with the apparmor module being a built in to the kernel 2008-02-19 10:13:24 +00:00
John Johansen
0a41b283f2 add missing link_subset test 2008-02-18 11:20:41 +00:00
John Johansen
a01af6df93 bump release version to 2.1.2 2008-02-15 06:17:57 +00:00
John Johansen
fb27600681 add patches to support unionfs in apparmor 2.1 kernel 2008-02-15 06:14:01 +00:00
John Johansen
74dfd04db2 Update profiles for bugs that have been reported by various people 2008-02-15 05:44:35 +00:00
John Johansen
004a646010 Fix setting the apparmor enabled flag at boot. 2008-02-15 05:37:07 +00:00
John Johansen
5d90f3763e Add patch from S.Çağlar Onur, to enable apparmor_status to work when module is 
built into kernel
 2008-02-15 04:50:48 +00:00
John Johansen
6263944095 Add descriptive of append, lock and network rules to man page 2008-02-15 04:49:14 +00:00
John Johansen
ad6613c960 Add patch series for 2.6.24 kernel, remove old for-mainline series 
Patch series refreshed against 2.6.24 +
- fix-rcu-deref.diff: change way rcu cast is done
- fix-name-errorpath.diff: fix bug in failed pathname reporting
- fix-net.diff: fix bug in network mediation
- apparmor-fix-sysctl-refcount.diff - fix ref count bug in sysctl mediation
- apparmor-bootdisable.diff - allow apparmor to be disabled at boot
- apparmor-builtin-only.diff - apparmor as a builtin only
- split_init.diff - split apparmor initialization into early & apparmorfs
 2008-02-08 06:11:09 +00:00
John Johansen
7fd451d28b Make rpc-xml optional (only needed if repository is used) 2008-01-30 00:03:31 +00:00
John Johansen
81dd6df013 update .spec %changes 2008-01-25 09:35:09 +00:00
John Johansen
31c01e7af3 update parser .spec change log 2008-01-25 00:50:25 +00:00
John Johansen
108fd60aad bump revision to 2.1.1 2008-01-24 23:40:19 +00:00
John Johansen
76d1e01919 Fix parser to be able to load policy for multiple versions of AppArmor. 
2_0 AppArmor before match string (pcre)
2_0 AppArmor with match string (pcre & dfa)
2_1 AppArmor with match string (dfa)
   - includes SLES10-SP2 variant with 2_0 semantics
 2008-01-24 23:38:55 +00:00
John Johansen
c35a417dee copy updated 2_1 tests over from main branch 2007-12-23 01:19:21 +00:00
John Johansen
50d62e88a5 remove the tests from 2_1 branch as they were not properly updated for 2_1 2007-12-23 01:18:25 +00:00
John Johansen
b6eaf32985 Move deprecated code into the deprecated branch 2007-11-13 08:33:09 +00:00
Dominic Reynolds
804e4b424c (Merged from trunk -r1015) 
Added handling to correctly check the result of the profile development
run and reset the profile mode to enforce when the profile development
run exits without an error.
Addresses novell bug: https://bugzilla.novell.com/show_bug.cgi?id=328045
 2007-11-06 18:24:32 +00:00
Dominic Reynolds
5ea383712c (Merged from trunk -r1014) 
Ignore complain flags when up|down loading profiles to|from the
repository. This makes the repository agnostic to profile mode
(complain/enforce) - users must manage this locally via
aa-complain/aa-enforce.
Addresses novell bug: https://bugzilla.novell.com/show_bug.cgi?id=328033
 2007-11-06 18:23:30 +00:00
Dominic Reynolds
47bb365c0a (Merged from trunk -r 1013) 
Modified code to check the repository for new profile when:
   - processing an unknown hat/execute rejection if its not already in
     the profile
   - at the start of processing all the remain events for the profile
Addresses novell bug: https://bugzilla.novell.com/show_bug.cgi?id=328707
 2007-11-06 18:22:03 +00:00
Dominic Reynolds
bf10352fad (Merged from trunk) 
Updated regex used to detect syslog messages (from bug reported against
Ubuntu gutsy)
 2007-11-06 18:10:21 +00:00
Dominic Reynolds
03e0d482d3 Maintenance branch for AppArmor 2.1 2007-10-18 02:41:45 +00:00
333 changed files with 4288 additions and 34212 deletions
Expand all files Collapse all files

504
changehat/libapparmor-deprecated/COPYING.LGPL
View File

@@ -1,504 +0,0 @@
GNU LESSER GENERAL PUBLIC LICENSE
Version 2.1, February 1999
Copyright (C) 1991, 1999 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
[This is the first released version of the Lesser GPL. It also counts
as the successor of the GNU Library Public License, version 2, hence
the version number 2.1.]
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
Licenses are intended to guarantee your freedom to share and change
free software--to make sure the software is free for all its users.
This license, the Lesser General Public License, applies to some
specially designated software packages--typically libraries--of the
Free Software Foundation and other authors who decide to use it. You
can use it too, but we suggest you first think carefully about whether
this license or the ordinary General Public License is the better
strategy to use in any particular case, based on the explanations below.
When we speak of free software, we are referring to freedom of use,
not price. Our General Public Licenses are designed to make sure that
you have the freedom to distribute copies of free software (and charge
for this service if you wish); that you receive source code or can get
it if you want it; that you can change the software and use pieces of
it in new free programs; and that you are informed that you can do
these things.
To protect your rights, we need to make restrictions that forbid
distributors to deny you these rights or to ask you to surrender these
rights. These restrictions translate to certain responsibilities for
you if you distribute copies of the library or if you modify it.
For example, if you distribute copies of the library, whether gratis
or for a fee, you must give the recipients all the rights that we gave
you. You must make sure that they, too, receive or can get the source
code. If you link other code with the library, you must provide
complete object files to the recipients, so that they can relink them
with the library after making changes to the library and recompiling
it. And you must show them these terms so they know their rights.
We protect your rights with a two-step method: (1) we copyright the
library, and (2) we offer you this license, which gives you legal
permission to copy, distribute and/or modify the library.
To protect each distributor, we want to make it very clear that
there is no warranty for the free library. Also, if the library is
modified by someone else and passed on, the recipients should know
that what they have is not the original version, so that the original
author's reputation will not be affected by problems that might be
introduced by others.
Finally, software patents pose a constant threat to the existence of
any free program. We wish to make sure that a company cannot
effectively restrict the users of a free program by obtaining a
restrictive license from a patent holder. Therefore, we insist that
any patent license obtained for a version of the library must be
consistent with the full freedom of use specified in this license.
Most GNU software, including some libraries, is covered by the
ordinary GNU General Public License. This license, the GNU Lesser
General Public License, applies to certain designated libraries, and
is quite different from the ordinary General Public License. We use
this license for certain libraries in order to permit linking those
libraries into non-free programs.
When a program is linked with a library, whether statically or using
a shared library, the combination of the two is legally speaking a
combined work, a derivative of the original library. The ordinary
General Public License therefore permits such linking only if the
entire combination fits its criteria of freedom. The Lesser General
Public License permits more lax criteria for linking other code with
the library.
We call this license the "Lesser" General Public License because it
does Less to protect the user's freedom than the ordinary General
Public License. It also provides other free software developers Less
of an advantage over competing non-free programs. These disadvantages
are the reason we use the ordinary General Public License for many
libraries. However, the Lesser license provides advantages in certain
special circumstances.
For example, on rare occasions, there may be a special need to
encourage the widest possible use of a certain library, so that it becomes
a de-facto standard. To achieve this, non-free programs must be
allowed to use the library. A more frequent case is that a free
library does the same job as widely used non-free libraries. In this
case, there is little to gain by limiting the free library to free
software only, so we use the Lesser General Public License.
In other cases, permission to use a particular library in non-free
programs enables a greater number of people to use a large body of
free software. For example, permission to use the GNU C Library in
non-free programs enables many more people to use the whole GNU
operating system, as well as its variant, the GNU/Linux operating
system.
Although the Lesser General Public License is Less protective of the
users' freedom, it does ensure that the user of a program that is
linked with the Library has the freedom and the wherewithal to run
that program using a modified version of the Library.
The precise terms and conditions for copying, distribution and
modification follow. Pay close attention to the difference between a
"work based on the library" and a "work that uses the library". The
former contains code derived from the library, whereas the latter must
be combined with the library in order to run.
GNU LESSER GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License Agreement applies to any software library or other
program which contains a notice placed by the copyright holder or
other authorized party saying it may be distributed under the terms of
this Lesser General Public License (also called "this License").
Each licensee is addressed as "you".
A "library" means a collection of software functions and/or data
prepared so as to be conveniently linked with application programs
(which use some of those functions and data) to form executables.
The "Library", below, refers to any such software library or work
which has been distributed under these terms. A "work based on the
Library" means either the Library or any derivative work under
copyright law: that is to say, a work containing the Library or a
portion of it, either verbatim or with modifications and/or translated
straightforwardly into another language. (Hereinafter, translation is
included without limitation in the term "modification".)
"Source code" for a work means the preferred form of the work for
making modifications to it. For a library, complete source code means
all the source code for all modules it contains, plus any associated
interface definition files, plus the scripts used to control compilation
and installation of the library.
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running a program using the Library is not restricted, and output from
such a program is covered only if its contents constitute a work based
on the Library (independent of the use of the Library in a tool for
writing it). Whether that is true depends on what the Library does
and what the program that uses the Library does.
1. You may copy and distribute verbatim copies of the Library's
complete source code as you receive it, in any medium, provided that
you conspicuously and appropriately publish on each copy an
appropriate copyright notice and disclaimer of warranty; keep intact
all the notices that refer to this License and to the absence of any
warranty; and distribute a copy of this License along with the
Library.
You may charge a fee for the physical act of transferring a copy,
and you may at your option offer warranty protection in exchange for a
fee.
2. You may modify your copy or copies of the Library or any portion
of it, thus forming a work based on the Library, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) The modified work must itself be a software library.
b) You must cause the files modified to carry prominent notices
stating that you changed the files and the date of any change.
c) You must cause the whole of the work to be licensed at no
charge to all third parties under the terms of this License.
d) If a facility in the modified Library refers to a function or a
table of data to be supplied by an application program that uses
the facility, other than as an argument passed when the facility
is invoked, then you must make a good faith effort to ensure that,
in the event an application does not supply such function or
table, the facility still operates, and performs whatever part of
its purpose remains meaningful.
(For example, a function in a library to compute square roots has
a purpose that is entirely well-defined independent of the
application. Therefore, Subsection 2d requires that any
application-supplied function or table used by this function must
be optional: if the application does not supply it, the square
root function must still compute square roots.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Library,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Library, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote
it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Library.
In addition, mere aggregation of another work not based on the Library
with the Library (or with a work based on the Library) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may opt to apply the terms of the ordinary GNU General Public
License instead of this License to a given copy of the Library. To do
this, you must alter all the notices that refer to this License, so
that they refer to the ordinary GNU General Public License, version 2,
instead of to this License. (If a newer version than version 2 of the
ordinary GNU General Public License has appeared, then you can specify
that version instead if you wish.) Do not make any other change in
these notices.
Once this change is made in a given copy, it is irreversible for
that copy, so the ordinary GNU General Public License applies to all
subsequent copies and derivative works made from that copy.
This option is useful when you wish to copy part of the code of
the Library into a program that is not a library.
4. You may copy and distribute the Library (or a portion or
derivative of it, under Section 2) in object code or executable form
under the terms of Sections 1 and 2 above provided that you accompany
it with the complete corresponding machine-readable source code, which
must be distributed under the terms of Sections 1 and 2 above on a
medium customarily used for software interchange.
If distribution of object code is made by offering access to copy
from a designated place, then offering equivalent access to copy the
source code from the same place satisfies the requirement to
distribute the source code, even though third parties are not
compelled to copy the source along with the object code.
5. A program that contains no derivative of any portion of the
Library, but is designed to work with the Library by being compiled or
linked with it, is called a "work that uses the Library". Such a
work, in isolation, is not a derivative work of the Library, and
therefore falls outside the scope of this License.
However, linking a "work that uses the Library" with the Library
creates an executable that is a derivative of the Library (because it
contains portions of the Library), rather than a "work that uses the
library". The executable is therefore covered by this License.
Section 6 states terms for distribution of such executables.
When a "work that uses the Library" uses material from a header file
that is part of the Library, the object code for the work may be a
derivative work of the Library even though the source code is not.
Whether this is true is especially significant if the work can be
linked without the Library, or if the work is itself a library. The
threshold for this to be true is not precisely defined by law.
If such an object file uses only numerical parameters, data
structure layouts and accessors, and small macros and small inline
functions (ten lines or less in length), then the use of the object
file is unrestricted, regardless of whether it is legally a derivative
work. (Executables containing this object code plus portions of the
Library will still fall under Section 6.)
Otherwise, if the work is a derivative of the Library, you may
distribute the object code for the work under the terms of Section 6.
Any executables containing that work also fall under Section 6,
whether or not they are linked directly with the Library itself.
6. As an exception to the Sections above, you may also combine or
link a "work that uses the Library" with the Library to produce a
work containing portions of the Library, and distribute that work
under terms of your choice, provided that the terms permit
modification of the work for the customer's own use and reverse
engineering for debugging such modifications.
You must give prominent notice with each copy of the work that the
Library is used in it and that the Library and its use are covered by
this License. You must supply a copy of this License. If the work
during execution displays copyright notices, you must include the
copyright notice for the Library among them, as well as a reference
directing the user to the copy of this License. Also, you must do one
of these things:
a) Accompany the work with the complete corresponding
machine-readable source code for the Library including whatever
changes were used in the work (which must be distributed under
Sections 1 and 2 above); and, if the work is an executable linked
with the Library, with the complete machine-readable "work that
uses the Library", as object code and/or source code, so that the
user can modify the Library and then relink to produce a modified
executable containing the modified Library. (It is understood
that the user who changes the contents of definitions files in the
Library will not necessarily be able to recompile the application
to use the modified definitions.)
b) Use a suitable shared library mechanism for linking with the
Library. A suitable mechanism is one that (1) uses at run time a
copy of the library already present on the user's computer system,
rather than copying library functions into the executable, and (2)
will operate properly with a modified version of the library, if
the user installs one, as long as the modified version is
interface-compatible with the version that the work was made with.
c) Accompany the work with a written offer, valid for at
least three years, to give the same user the materials
specified in Subsection 6a, above, for a charge no more
than the cost of performing this distribution.
d) If distribution of the work is made by offering access to copy
from a designated place, offer equivalent access to copy the above
specified materials from the same place.
e) Verify that the user has already received a copy of these
materials or that you have already sent this user a copy.
For an executable, the required form of the "work that uses the
Library" must include any data and utility programs needed for
reproducing the executable from it. However, as a special exception,
the materials to be distributed need not include anything that is
normally distributed (in either source or binary form) with the major
components (compiler, kernel, and so on) of the operating system on
which the executable runs, unless that component itself accompanies
the executable.
It may happen that this requirement contradicts the license
restrictions of other proprietary libraries that do not normally
accompany the operating system. Such a contradiction means you cannot
use both them and the Library together in an executable that you
distribute.
7. You may place library facilities that are a work based on the
Library side-by-side in a single library together with other library
facilities not covered by this License, and distribute such a combined
library, provided that the separate distribution of the work based on
the Library and of the other library facilities is otherwise
permitted, and provided that you do these two things:
a) Accompany the combined library with a copy of the same work
based on the Library, uncombined with any other library
facilities. This must be distributed under the terms of the
Sections above.
b) Give prominent notice with the combined library of the fact
that part of it is a work based on the Library, and explaining
where to find the accompanying uncombined form of the same work.
8. You may not copy, modify, sublicense, link with, or distribute
the Library except as expressly provided under this License. Any
attempt otherwise to copy, modify, sublicense, link with, or
distribute the Library is void, and will automatically terminate your
rights under this License. However, parties who have received copies,
or rights, from you under this License will not have their licenses
terminated so long as such parties remain in full compliance.
9. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Library or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Library (or any work based on the
Library), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Library or works based on it.
10. Each time you redistribute the Library (or any work based on the
Library), the recipient automatically receives a license from the
original licensor to copy, distribute, link with or modify the Library
subject to these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties with
this License.
11. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Library at all. For example, if a patent
license would not permit royalty-free redistribution of the Library by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Library.
If any portion of this section is held invalid or unenforceable under any
particular circumstance, the balance of the section is intended to apply,
and the section as a whole is intended to apply in other circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
12. If the distribution and/or use of the Library is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Library under this License may add
an explicit geographical distribution limitation excluding those countries,
so that distribution is permitted only in or among countries not thus
excluded. In such case, this License incorporates the limitation as if
written in the body of this License.
13. The Free Software Foundation may publish revised and/or new
versions of the Lesser General Public License from time to time.
Such new versions will be similar in spirit to the present version,
but may differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the Library
specifies a version number of this License which applies to it and
"any later version", you have the option of following the terms and
conditions either of that version or of any later version published by
the Free Software Foundation. If the Library does not specify a
license version number, you may choose any version ever published by
the Free Software Foundation.
14. If you wish to incorporate parts of the Library into other free
programs whose distribution conditions are incompatible with these,
write to the author to ask for permission. For software which is
copyrighted by the Free Software Foundation, write to the Free
Software Foundation; we sometimes make exceptions for this. Our
decision will be guided by the two goals of preserving the free status
of all derivatives of our free software and of promoting the sharing
and reuse of software generally.
NO WARRANTY
15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY
KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME
THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY
AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU
FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Libraries
If you develop a new library, and you want it to be of the greatest
possible use to the public, we recommend making it free software that
everyone can redistribute and change. You can do so by permitting
redistribution under these terms (or, alternatively, under the terms of the
ordinary General Public License).
To apply these terms, attach the following notices to the library. It is
safest to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least the
"copyright" line and a pointer to where the full notice is found.
<one line to give the library's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
Also add information on how to contact you by electronic and paper mail.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the library, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the
library `Frob' (a library for tweaking knobs) written by James Random Hacker.
<signature of Ty Coon>, 1 April 1990
Ty Coon, President of Vice
That's all there is to it!

119
changehat/libapparmor-deprecated/Makefile
View File

@@ -1,119 +0,0 @@
# $Id$
# ----------------------------------------------------------------------
# Copyright (c) 2004, 2005, 2006 NOVELL (All rights reserved)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2.1 of the GNU Lesser
# General Public License published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this program; if not, contact Novell, Inc.
# ----------------------------------------------------------------------
NAME := libapparmor
all:
COMMONDIR:=$(strip $(shell if [ -d "../common/" ] ; then \
echo "../common/" ; \
elif [ -d "../../common/" ] ; then \
echo "../../common/" ; \
else \
echo "/common_dir_not_found" ; \
fi))
include common/Make.rules
COMMONDIR_EXISTS=$(strip $(shell [ -d ${COMMONDIR} ] && echo true))
ifeq ($(COMMONDIR_EXISTS), true)
common/Make.rules: $(COMMONDIR)/Make.rules
ln -sf $(COMMONDIR) .
endif
SO_VERS = 1
DESTDIR =
LIB = lib/
LIBDIR = /usr/${LIB}
MANPAGES = change_hat.2
TARGET=libapparmor
TARGETS=${TARGET}.so ${TARGET}.a
OLDTARGET=libimmunix.so.1
OBJECTS=change_hat.o
TESTS=tst-sgdh tst-cdh tst-sgkey tst-sgdh-static tst-cdh-static tst-sgkey-static
CFLAGS=-g -O2 -Wall -Wstrict-prototypes -pipe
EXTRA_CFLAGS=$(CFLAGS) -fpic -D_REENTRANT
ARFLAGS=-rcs
TEST_CFLAGS=$(CFLAGS) $(CANARY_FLAG) $(FORMATGUARD_FLAG)
TEST_LDFLAGS= -L. -limmunix
all: ${TARGETS} ${OLDTARGET} ${MANPAGES} ${HTMLMANPAGES}
%.o: %.c
$(CC) ${EXTRA_CFLAGS} -c -shared -o $@ $<
${TARGET}.so: ${OBJECTS}
${CC} ${EXTRA_CFLAGS} -o $@.$(SO_VERS) -Wl,-soname,$@.$(SO_VERS) -Wl,--version-script=${TARGET}.map -W,-z,defs -shared -dynamic $^
ln -fs $@.$(SO_VERS) $@
${OLDTARGET}: ${OBJECTS} libimmunix_warning.o
${CC} ${EXTRA_CFLAGS} -o $@ -Wl,-soname,$@ -Wl,--version-script=${TARGET}.map -W,-z,defs -shared -dynamic $^
${TARGET}.a: ${OBJECTS}
ar ${ARFLAGS} $@ $^
${POSTINSTALLBIN}: ${POSTINSTALLBIN}.c
$(CC) -static -Os -o $@ $(CANARY_FLAG) $(FORMATGUARD_FLAG) $^
# Ugh, dunno how to do an auto rule for the TESTS
tst-sgdh: tst-sgdh.c ${TARGET}.so
$(CC) ${TEST_CFLAGS} -o $@ $< ${TEST_LDFLAGS}
tst-cdh: tst-cdh.c ${TARGET}.so
$(CC) ${TEST_CFLAGS} -o $@ $< ${TEST_LDFLAGS}
tst-sgkey: tst-sgkey.c ${TARGET}.so
$(CC) ${TEST_CFLAGS} -o $@ $< ${TEST_LDFLAGS}
tst-sgdh-static: tst-sgdh.c ${TARGET}.a
$(CC) -static ${TEST_CFLAGS} -o $@ $< ${TEST_LDFLAGS}
tst-cdh-static: tst-cdh.c ${TARGET}.a
$(CC) -static ${TEST_CFLAGS} -o $@ $< ${TEST_LDFLAGS}
tst-sgkey-static: tst-sgkey.c ${TARGET}.a
$(CC) -static ${TEST_CFLAGS} -o $@ $< ${TEST_LDFLAGS}
check: $(TESTS)
-LD_LIBRARY_PATH=. ./tst-sgdh
-LD_LIBRARY_PATH=. ./tst-cdh
-LD_LIBRARY_PATH=. ./tst-sgkey
-./tst-sgdh-static
-./tst-cdh-static
-./tst-sgkey-static
.PHONY: install
install: $(SPECFILE) $(TARGETS) $(OLDTARGET)
install -d $(DESTDIR)/${LIB} $(DESTDIR)${LIBDIR}
install -d ${DESTDIR}/usr/include/sys
mv -f $(TARGET).so.$(SO_VERS) $(TARGET)-$(VERSION)-$(RELEASE).so.$(SO_VERS)
install -m 755 $(TARGET)-$(VERSION)-$(RELEASE).so.$(SO_VERS) ${DESTDIR}/${LIB}
${LDCONFIG} -n ${DESTDIR}/${LIB}
install -m 755 $(TARGET).a ${DESTDIR}${LIBDIR}
install -m 644 apparmor.h ${DESTDIR}/usr/include/sys
ln -sf /${LIB}/$(TARGET).so.$(SO_VERS) ${DESTDIR}${LIBDIR}/$(TARGET).so
# compatability with old libimmunix
install -m 755 $(OLDTARGET) ${DESTDIR}/${LIB}
ln -sf apparmor.h ${DESTDIR}/usr/include/sys/immunix.h
make install_manpages DESTDIR=${DESTDIR}
.PHONY: clean
clean: _clean
rm -f *.o $(TARGET)*.so* ${TARGETS} ${OLDTARGET} Make.rules
rm -f ${TESTS} ${SPECFILE}

23
changehat/libapparmor-deprecated/apparmor.h
View File

@@ -1,23 +0,0 @@
/* $Id$
Copyright (c) 2003, 2004, 2005, 2006 Novell, Inc. (All rights reserved)
The libapparmor library is licensed under the terms of the GNU
Lesser General Public License, version 2.1. Please see the file
COPYING.LGPL.
*/
#ifndef _SYS_APPARMOR_H_
#define _SYS_APPARMOR_H 1
__BEGIN_DECLS
/* Prototype for change_hat as defined by the AppArmor project
<http://forge.novell.com/modules/xfmod/project/?apparmor>
Please see the change_hat(2) manpage for information. */
extern int change_hat(const char *subprofile, unsigned int magic_token);
__END_DECLS
#endif /* sys/apparmor.h */

85
changehat/libapparmor-deprecated/change_hat.c
View File

@@ -1,85 +0,0 @@
/* $Id$
Copyright (c) 2003, 2004, 2005, 2006 Novell, Inc. (All rights reserved)
The libapparmor library is licensed under the terms of the GNU
Lesser General Public License, version 2.1. Please see the file
COPYING.LGPL.
*/
#define _GNU_SOURCE /* for asprintf */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <fcntl.h>
#include <errno.h>
#include <limits.h>
int change_hat(char *subprofile, unsigned int token)
{
int rc = -1;
int fd, ret, len = 0, ctlerr = 0;
char *buf = NULL;
const char *cmd = "changehat";
char *ctl = NULL;
pid_t tid = syscall(SYS_gettid);
/* both may not be null */
if (!(token || subprofile)) {
errno = EINVAL;
goto out;
}
if (subprofile && strnlen(subprofile, PATH_MAX + 1) > PATH_MAX) {
errno = EPROTO;
goto out;
}
len = asprintf(&buf, "%s %08x^%s", cmd, token,
subprofile ? subprofile : "");
if (len < 0) {
goto out;
}
ctlerr = asprintf(&ctl, "/proc/%d/attr/current", tid);
if (ctlerr < 0) {
goto out;
}
fd = open(ctl, O_WRONLY);
if (fd == -1) {
goto out;
}
ret = write(fd, buf, len);
if (ret != len) {
int saved;
if (ret != -1) {
errno = EPROTO;
}
saved = errno;
(void)close(fd);
errno = saved;
goto out;
}
rc = 0;
(void)close(fd);
out:
if (buf) {
/* clear local copy of magic token before freeing */
memset(buf, '\0', len);
free(buf);
}
if (ctl) {
free(ctl);
}
return rc;
}

233
changehat/libapparmor-deprecated/change_hat.pod
View File

@@ -1,233 +0,0 @@
# $Id$
# This publication is intellectual property of Novell Inc. Its contents
# can be duplicated, either in part or in whole, provided that a copyright
# label is visibly located on each copy.
#
# All information found in this book has been compiled with utmost
# attention to detail. However, this does not guarantee complete accuracy.
# Neither SUSE LINUX GmbH, the authors, nor the translators shall be held
# liable for possible errors or the consequences thereof.
#
# Many of the software and hardware descriptions cited in this book
# are registered trademarks. All trade names are subject to copyright
# restrictions and may be registered trade marks. SUSE LINUX GmbH
# essentially adheres to the manufacturer's spelling.
#
# Names of products and trademarks appearing in this book (with or without
# specific notation) are likewise subject to trademark and trade protection
# laws and may thus fall under copyright restrictions.
#
# Please direct suggestions and comments to apparmor-general@forge.novell.com.
=pod
=head1 NAME
change_hat - change to or from a "hat" within a AppArmor profile
=head1 SYNOPSIS
B<#include E<lt>sys/apparmor.hE<gt>>
B<int change_hat (char *subprofile, unsigned int magic_token);>
Link with B<-lapparmor> when compiling.
=head1 DESCRIPTION
An AppArmor profile applies to an executable program; if a portion of
the program needs different access permissions than other portions,
the program can "change hats" to a different role, also known as a
subprofile. To change into a new hat, it calls the change_hat() function
to do so. It passes in a pointer to the I<subprofile> which it wants to
change into, and a 32bit I<magic_token>. The I<magic_token> is used to
return out of the subprofile at a later time.
If a program wants to return out of the current subprofile to the
original profile, it calls change_hat() with a pointer to NULL as
the I<subprofile>, and the original I<magic_token> value. If the
I<magic_token> does not match the original I<magic_token> passed into the
kernel when the program entered the subprofile, the change back to the
original profile will not happen, and the current task will be killed.
If the I<magic_token> matches the original token, then the process will
change back to the original profile.
If the program wants to change to a subprofile that it can never
change back out of, the application should call change_hat() with a
I<magic_token> of I<0>.
As both read(2) and write(2) are mediated, a file must be listed in a
subprofile definition if the file is to be accessed while the process
is in a "hat".
=head1 RETURN VALUE
On success zero is returned. On error, -1 is returned, and
errno(3) is set appropriately.
=head1 ERRORS
=over 4
=item B<EINVAL>
The apparmor kernel module is not loaded or the communication via the
F</proc/*/attr/current> file did not conform to protocol.
=item B<ENOMEM>
Insufficient kernel memory was available.
=item B<EPERM>
The calling application is not confined by apparmor.
=item B<ECHILD>
The application's profile has no hats defined for it.
=item B<EACCES>
The specified I<subprofile> does not exist in this profile or the
process tried to change another process's domain.
=back
=head1 EXAMPLE
The following code examples shows simple, if contrived, uses of
change_hat(); a typical use of change_hat() will separate privileged
portions of a process from unprivileged portions of a process, such as
keeping unauthenticated network traffic handling separate from
authenticated network traffic handling in OpenSSH or executing
user-supplied CGI scripts in apache.
The use of random(3) is simply illustrative. Use of F</dev/urandom> is
recommended.
First, a simple high-level overview of change_hat() use:
void foo (void) {
int magic_token;
/* get a random magic token value
from our huge entropy pool */
magic_token = random_function();
/* change into the subprofile while
* we do stuff we don't trust */
change_hat ("stuff_we_dont_trust", magic_token);
/* Go do stuff we don't trust -- this is all
* done in *this* process space, no separate
* fork()/exec()'s are done. */
interpret_perl_stuff(stuff_from_user);
/* now change back to our original profile */
change_hat (NULL, magic_token);
}
Second, an example to show that files not listed in a subprofile
("hat") aren't accessible after a change_hat() call:
#include <stdlib.h>
#include <string.h>
#include <sys/apparmor.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
int main(int argc, char *argv[]) {
int fd;
int tok;
char buf[10];
/* random() is a poor choice */
tok = random();
/* open /etc/passwd outside of any hat */
if ((fd=open("/etc/passwd", O_RDONLY)) < 0)
perror("Failure opening /etc/passwd");
/* confirm for ourselves that we can really read /etc/passwd */
memset(&buf, 0, 10);
if (read(fd, &buf, 10) == -1) {
perror("Failure reading /etc/passwd pre-hat");
_exit(1);
}
buf[9] = '\0';
printf("/etc/passwd: %s\n", buf);
/* change hat to the "hat" subprofile, which should not have
* read access to /etc/passwd -- even though we have a valid
* file descriptor at the time of the change_hat() call. */
if (change_hat("hat", tok)) {
perror("Failure changing hat -- aborting");
_exit(1);
}
/* confirm that we cannot read /etc/passwd */
lseek(fd,0,SEEK_SET);
memset(&buf, 0, 10);
if (read(fd, &buf, 10) == -1)
perror("Failure reading /etc/passwd post-hat");
buf[9] = '\0';
printf("/etc/passwd: %s\n", buf);
return 0;
}
This code example requires the following profile to be loaded with
apparmor_parser(8):
/tmp/ch {
/etc/ld.so.cache mr,
/etc/locale/** r,
/etc/localtime r,
/usr/share/locale/** r,
/usr/share/zoneinfo/** r,
/usr/lib/locale/** mr,
/usr/lib/gconv/*.so mr,
/usr/lib/gconv/gconv-modules* mr,
/lib/ld-*.so* mrix,
/lib/libc*.so* mr,
/lib/libapparmor*.so* mr,
/dev/pts/* rw,
/tmp/ch mr,
/etc/passwd r,
^hat {
/dev/pts/* rw,
}
}
The output when run:
$ /tmp/ch
/etc/passwd: root:x:0:
Failure reading /etc/passwd post-hat: Permission denied
/etc/passwd:
$
=head1 BUGS
None known. If you find any, please report them to bugzilla at
L<http://bugzilla.novell.com>. Note that change_hat(2) provides no
memory barriers between different areas of a program; if address space
separation is required, then separate processes should be used.
=head1 SEE ALSO
apparmor(7), apparmor.d(5), apparmor_parser(8), and
L<http://forge.novell.com/modules/xfmod/project/?apparmor>.
=cut

13
changehat/libapparmor-deprecated/libapparmor.map
View File

@@ -1,13 +0,0 @@
IMMUNIX_1.0 {
global:
change_hat;
local:
*;
};
APPARMOR_1.0 {
global:
change_hat;
local:
*;
};

196
changehat/libapparmor-deprecated/libapparmor.spec.in
View File

@@ -1,196 +0,0 @@
# $Id$
# ----------------------------------------------------------------------
# Copyright (c) 2004, 2005, 2006 NOVELL (All rights reserved)
#
# This software is licensed under the terms of the GNU Lesser General
# Public License, version 2.1. Please see the file COPYING.LGPL.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this program; if not, contact Novell, Inc.
# ----------------------------------------------------------------------
#
# norootforbuild
#
# Check first to see if distro is already defined. It should be defined
# by our makefile
%if ! %{?distro:1}0
%define distro suse
%endif
# Check to see what architecture we are building on so we know where
# the lib should be installed.
# Note: alpha and ia64 are 64bit systems but they have no 32 bit userland
# so they install their libs to /lib instead of /lib64
# FIXME: will see what happens when we need to do a 64bit build on RHEL
%ifarch x86_64 mips64 ppc64 sparc64 s390x
%define build64 1
%endif
# else anything that doesn't specifically have a lib64 dir
# i386 i686 mips ppc sparc arm alpha ia64
Name: libapparmor
Summary: Library to provide key AppArmor symbols
Version: @@immunix_version@@
Release: @@repo_version@@
%if %distro == "suse"
Group: System/Libraries
%else
Group: System Environment/Libraries
%endif
Source: %{name}-%{version}-@@repo_version@@.tar.gz
License: LGPL
BuildRoot: %{?_tmppath:}%{!?_tmppath:/var/tmp}/%{name}-%{version}-build
URL: http://forge.novell.com/modules/xfmod/project/?apparmor
BuildRequires: glibc-devel
%if %{?build64:1}0
#BuildRequires: linux32
%endif
Obsoletes: libimmunix
Provides: libimmunix
%description
This package provides the libapparmor library, which contains the change_hat(2)
symbol, used for sub-process confinement by AppArmor. Applications that
wish to make use of change_hat(2) need to link against this library.
This package is part of a suite of tools that used to be named SubDomain.
%prep
%if %{?build64:1}0
%setup -q -c -n %{name}32
%setup -D -q
%else
%setup -q
%endif
%build
[ "${RPM_BUILD_ROOT}" != "/" ] && rm -rf ${RPM_BUILD_ROOT}
%if %{?build64:1}0
# build 32 bit version first
%define CFLAGS32 "-g -O2 -Wall -Wstrict-prototypes -pipe -fpic -m32"
%ifarch x86_64
%define env32 linux32
%endif
%ifarch mips64
# FIXME don't know what's supposed to be here
%define env32 mips32
%endif
%ifarch ppc64
%define env32 powerpc32
%endif
%ifarch sparc64
%define env32 sparc32
%endif
%ifarch s390x
%define env32 s390
# s390 isn't actually 32bit it an odd ball 31bit machine
%undefine CFLAGS32
%define CFLAGS32 "-g -O2 -Wall -Wstrict-prototypes -pipe -fpic -m31"
%endif
# FIXME - disabled 32bit builds on 64bit platforms
echo "FIXME - disabled 32bit builds on 64bit platforms"
#%{env32} make CFLAGS=%{CFLAGS32} -C ../%{name}32/%{name}-%{version}
%endif
make CFLAGS="${RPM_OPT_FLAGS}"
%install
[ "${RPM_BUILD_ROOT}" != "/" ] && rm -rf ${RPM_BUILD_ROOT}
%if %{?build64:1}0
# FIXME - disabled 32bit builds on 64bit platforms
echo "FIXME - disabled 32bit installs on 64bit platforms"
#make install DESTDIR=${RPM_BUILD_ROOT} LIB=lib -C ../%{name}32/%{name}-%{version}
%endif
make install DESTDIR=${RPM_BUILD_ROOT} LIB=%{_lib} VERSION=%{version} \
RELEASE=%{release} MANDIR=%{_mandir}
%clean
[ "${RPM_BUILD_ROOT}" != "/" ] && rm -rf ${RPM_BUILD_ROOT}
# don't use -p here, breaks slackware package builds
%post
/sbin/ldconfig
%postun
/sbin/ldconfig
%files
%defattr (-,root,root)
%if %{?build64:1}0
# FIXME - disabled 32bit builds on 64bit platforms
#/lib/lib*
#/usr/lib/lib*
%endif
/%{_lib}/lib*
%{_libdir}/lib*
%{_prefix}/include/sys/*.h
%doc COPYING.LGPL
%{_mandir}/man*/*
%doc *.[0-9].html
%doc common/apparmor.css
%changelog
* Tue Apr 7 2007 - sbeattie@suse.de
- Add change_hat manpage to package
* Thu Jan 18 2007 - sbeattie@suse.de
- Add a clean stage to remove buildroot to specfile
* Fri Feb 17 2006 Seth Arnold <seth.arnold@suse.de> 2.0-4.1
- use gettid() instead of /proc/self
* Fri Feb 10 2006 Steve Beattie <sbeattie@suse.de> 2.0-3.2
- Use RPM_OPT_FLAGS
- Fix installed library version to match specfile version
* Wed Feb 1 2006 Steve Beattie <sbeattie@suse.de> 2.0-3.1
- Fix prototype to match change_hat(2) manpage
* Mon Jan 23 2006 Steve Beattie <sbeattie@suse.de> 2.0-3
- Rename to libapparmor.so and apparmor.h
* Thu Jan 5 2006 Steve Beattie <sbeattie@suse.de> 2.0-2
- Add svn repo number to tarball
* Wed Dec 7 2005 Steve Beattie <sbeattie@suse.de> 2.0-1
- Reset version for inclusion is SUSE autobuild
* Wed Dec 7 2005 Steve Beattie <sbeattie@suse.de> 1.99-8
- Disable 32bit builds on 64bit platforms for now
* Mon Dec 5 2005 Steve Beattie <sbeattie@suse.de> 1.99-7
- Rename package to libapparmor
* Wed Aug 10 2005 Steve Beattie <sbeattie@suse.de> 1.99-6_imnx
- Cleanup some of the deprecated exported symbols
* Thu Aug 4 2005 John Johansen <jjohansen@novell.com> 1.99-5_imnx
- and -m31 flag for s390
* Mon Jul 11 2005 Steve Beattie <sbeattie@novell.com> 1.99-4_imnx
- get rid of libimmunix_post_upgrade
- Re-license to LGPL
- update description
* Fri May 27 2005 Steve Beattie <steve@immunix.com> 1.99-3_imnx
- Clear token buffer before freeing.
- Error handling cleanup.
* Fri Feb 18 2005 Steve Beattie <steve@immunix.com> 1.99-2_imnx
- Use the right command for the 32bit env on 64bit platforms
- Support for 64bit builds on systems with combined 32/64 support
* Fri Feb 4 2005 Seth Arnold <sarnold@immunix.com> 1.99-1_imnx
- Reversion to 1.99
* Mon Nov 8 2004 Steve Beattie <steve@immunix.com> 1.2-3_imnx
- Finish conversion to slack-capable infrastructure.
* Thu Oct 28 2004 Steve Beattie <steve@immunix.com> 1.2-2_imnx
- Added a 'make install' target for prelim slack support
* Tue Oct 12 2004 Steve Beattie <steve@immunix.com> 1.2-1_imnx
- Bump version after shass-1.1 branched off
* Thu Sep 23 2004 Steve Beattie <steve@immunix.com> 1.0-13_imnx
- Vastly simplify the string handling in change_hat().
* Thu Sep 9 2004 Steve Beattie <steve@immunix.com> 1.0-12_imnx
- Conditionalize group the package shows up in.
* Thu Sep 9 2004 Steve Beattie <steve@immunix.com> 1.0-11_imnx
- Fix so change_hat functions correctly even when the token is zero.
* Thu Sep 2 2004 Steve Beattie <steve@immunix.com> 1.0-10_imnx
- Added that it provides %{_prefix}/sbin/libimmunix_post_upgrade, this
was somehow breaking yast.
* Mon Aug 30 2004 Steve Beattie <steve@immunix.com> 1.0-9_imnx
- Copyright cleanups.
* Wed Jul 21 2004 Steve Beattie <steve@immunix.com> 1.0-8_imnx
- add basis for conditional distro support
* Thu May 28 2004 Tony Jons <tony@immunix.com> 1.0-7_imnx
- Add "changehat" command word to start of string written to /proc/pid/attr

23
changehat/libapparmor-deprecated/libimmunix_warning.c
View File

@@ -1,23 +0,0 @@
/* $Id$
Copyright (c) 2006 Novell, Inc. (All rights reserved)
The libimmunix library is licensed under the terms of the GNU
Lesser General Public License, version 2.1. Please see the file
COPYING.LGPL.
*/
#include <syslog.h>
void __libimmunix_warning(void) __attribute__ ((constructor));
void __libimmunix_warning(void)
{
extern const char *__progname; /* global from linux crt0 */
openlog (__progname, LOG_PID|LOG_PERROR, LOG_USER);
syslog(LOG_NOTICE,
"%s links against libimmunix.so, which is deprecated. "
"Please link against libapparmor instead\n",
__progname);
closelog();
}

5
changehat/libapparmor/src/scanner.l
View File

@@ -41,7 +41,8 @@ ID [^ \t\n\(\)="'!]
path "/"{ID}*
hexstring ({hex}{hex})+
period "\."
modes [RrWwXxIiLlUuPpMm]
mode_chars ([RrWwLalMmkXx])|([Pp][Xx])|([Uu][Xx])|([Ii][Xx])
modes {mode_chars}+
/* New message types */
@@ -263,7 +264,7 @@ char *string_buf_ptr = string_buf; /* assignment to quiet gcc warning */
{old_link} { return(TOK_OLD_LINK); }
{old_fork} { return(TOK_OLD_FORK); }
{old_child} { return(TOK_OLD_CHILD); }
{modes}+ { yylval->t_str = strdup(yytext); return(TOK_MODE); }
{modes} { yylval->t_str = strdup(yytext); return(TOK_MODE); }
{key_type} { BEGIN(audit_types); return(TOK_KEY_TYPE); }
{key_msg} { return(TOK_KEY_MSG); }

2
common/Make.rules
View File

@@ -25,7 +25,7 @@
# directories
DISTRIBUTION=AppArmor
VERSION=2.1
VERSION=2.1.2
# OVERRIDABLE variables
# Set these variables before including Make.rules to change its behavior

58
kernel-patches/2.6.16/patches/apparmor_audit.patch
View File

@@ -1,58 +0,0 @@
From: tonyj@suse.de
Subject: Export audit subsystem for use by modules
Patch-mainline: no
Adds necessary export symbols for audit subsystem routines.
Changes audit_log_vformat to be externally visible (analagous to vprintf)
Patch is not in mainline -- pending AppArmor code submission to lkml
Index: linux-2.6.14/include/linux/audit.h
===================================================================
--- linux-2.6.14.orig/include/linux/audit.h
+++ linux-2.6.14/include/linux/audit.h
@@ -73,6 +73,8 @@
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
#define AUDIT_AVC_PATH 1402 /* dentry, vfsmount pair from avc */
+#define AUDIT_SD 1500 /* AppArmor (SubDomain) audit */
+
#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
/* Rule flags */
@@ -265,6 +267,9 @@ extern void audit_log(struct audit_
__attribute__((format(printf,4,5)));
extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
+extern void audit_log_vformat(struct audit_buffer *ab,
+ const char *fmt, va_list args)
+ __attribute__((format(printf,2,0)));
extern void audit_log_format(struct audit_buffer *ab,
const char *fmt, ...)
__attribute__((format(printf,2,3)));
Index: linux-2.6.14/kernel/audit.c
===================================================================
--- linux-2.6.14.orig/kernel/audit.c
+++ linux-2.6.14/kernel/audit.c
@@ -733,8 +733,8 @@ static inline int audit_expand(struct au
* room in the audit buffer, more room will be allocated and vsnprint
* will be called a second time. Currently, we assume that a printk
* can't format message larger than 1024 bytes, so we don't either. */
-static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
- va_list args)
+void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
+ va_list args)
{
int len, avail;
struct sk_buff *skb;
@@ -895,3 +895,11 @@ void audit_log(struct audit_context *ctx
audit_log_end(ab);
}
}
+
+EXPORT_SYMBOL_GPL(audit_log_start);
+EXPORT_SYMBOL_GPL(audit_log_vformat);
+EXPORT_SYMBOL_GPL(audit_log_format);
+EXPORT_SYMBOL_GPL(audit_log_untrustedstring);
+EXPORT_SYMBOL_GPL(audit_log_d_path);
+EXPORT_SYMBOL_GPL(audit_log_end);
+EXPORT_SYMBOL_GPL(audit_log);

36
kernel-patches/2.6.16/patches/apparmor_namespacesem.patch
View File

@@ -1,36 +0,0 @@
From: tonyj@suse.de
Subject: Export namespace semaphore
Patch-mainline: no
Export global namespace_sem (this used to be a per namespace semaphore).
Alas, this isn't going to win _any_ points for style.
Patch is not in mainline -- pending AppArmor code submission to lkml
Index: linux-2.6.15/fs/namespace.c
===================================================================
--- linux-2.6.15.orig/fs/namespace.c
+++ linux-2.6.15/fs/namespace.c
@@ -46,7 +46,8 @@ static int event;
static struct list_head *mount_hashtable;
static int hash_mask __read_mostly, hash_bits __read_mostly;
static kmem_cache_t *mnt_cache;
-static struct rw_semaphore namespace_sem;
+struct rw_semaphore namespace_sem;
+EXPORT_SYMBOL_GPL(namespace_sem);
/* /sys/fs */
decl_subsys(fs, NULL, NULL);
Index: linux-2.6.15/include/linux/namespace.h
===================================================================
--- linux-2.6.15.orig/include/linux/namespace.h
+++ linux-2.6.15/include/linux/namespace.h
@@ -5,6 +5,9 @@
#include <linux/mount.h>
#include <linux/sched.h>
+/* exported for AppArmor (SubDomain) */
+extern struct rw_semaphore namespace_sem;
+
struct namespace {
atomic_t count;
struct vfsmount * root;

24
kernel-patches/2.6.16/patches/apparmor_security.patch
View File

@@ -1,24 +0,0 @@
Index: b/security/Makefile
===================================================================
--- a/security/Makefile
+++ b/security/Makefile
@@ -4,6 +4,7 @@
obj-$(CONFIG_KEYS) += keys/
subdir-$(CONFIG_SECURITY_SELINUX) += selinux
+obj-$(CONFIG_SECURITY_APPARMOR) += commoncap.o apparmor/
# if we don't select a security model, use the default capabilities
ifneq ($(CONFIG_SECURITY),y)
Index: b/security/Kconfig
===================================================================
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -100,6 +100,7 @@ config SECURITY_SECLVL
If you are unsure how to answer this question, answer N.
source security/selinux/Kconfig
+source security/apparmor/Kconfig
endmenu

3
kernel-patches/2.6.16/patches/series
View File

@@ -1,3 +0,0 @@
apparmor_audit.patch
apparmor_namespacesem.patch
apparmor_security.patch

1
kernel-patches/2.6.16/postapply/module-deprecated/series
View File

@@ -1 +0,0 @@
undo_netlinkrecv.patch

14
kernel-patches/2.6.16/postapply/module-deprecated/undo_netlinkrecv.patch
View File

@@ -1,14 +0,0 @@
--- linux-2.6.18.orig/security/apparmor/lsm.c
+++ linux-2.6.18/security/apparmor/lsm.c
@@ -199,9 +199,9 @@
return cap_netlink_send(sk, skb);
}
-static int subdomain_netlink_recv(struct sk_buff *skb, int cap)
+static int subdomain_netlink_recv(struct sk_buff *skb)
{
- return cap_netlink_recv(skb, cap);
+ return cap_netlink_recv(skb);
}
static void subdomain_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)

2
kernel-patches/2.6.16/postapply/module/series
View File

@@ -1,2 +0,0 @@
undo_2.6.20_mnt_namespace.patch
undo_netlinkrecv.patch

37
kernel-patches/2.6.16/postapply/module/undo_2.6.20_mnt_namespace.patch
View File

@@ -1,37 +0,0 @@
Index: linux-2.6.18.6/security/apparmor/apparmor.h
===================================================================
--- linux-2.6.18.6.orig/security/apparmor/apparmor.h
+++ linux-2.6.18.6/security/apparmor/apparmor.h
@@ -210,7 +210,7 @@ typedef int (*aa_iter) (struct subdomain
*/
struct aa_path_data {
struct dentry *root, *dentry;
- struct mnt_namespace *mnt_namespace;
+ struct namespace *namespace;
struct list_head *head, *pos;
int errno;
};
Index: linux-2.6.18.6/security/apparmor/inline.h
===================================================================
--- linux-2.6.18.6.orig/security/apparmor/inline.h
+++ linux-2.6.18.6/security/apparmor/inline.h
@@ -10,7 +10,7 @@
#ifndef __INLINE_H
#define __INLINE_H
-#include <linux/mnt_namespace.h>
+#include <linux/namespace.h>
static inline int __aa_is_confined(struct subdomain *sd)
{
@@ -323,8 +323,8 @@ static inline void __aa_path_begin(struc
{
data->dentry = dentry;
data->root = dget(rdentry->d_sb->s_root);
- data->mnt_namespace = current->nsproxy->mnt_ns;
- data->head = &data->mnt_namespace->list;
+ data->namespace = current->namespace;
+ data->head = &data->namespace->list;
data->pos = data->head->next;
prefetch(data->pos->next);
data->errno = 0;

16
kernel-patches/2.6.16/postapply/module/undo_netlinkrecv.patch
View File

@@ -1,16 +0,0 @@
Index: linux-2.6.16.29/security/apparmor/lsm.c
===================================================================
--- linux-2.6.16.29.orig/security/apparmor/lsm.c
+++ linux-2.6.16.29/security/apparmor/lsm.c
@@ -176,9 +176,9 @@ static int apparmor_netlink_send(struct
return cap_netlink_send(sk, skb);
}
-static int apparmor_netlink_recv(struct sk_buff *skb, int cap)
+static int apparmor_netlink_recv(struct sk_buff *skb)
{
- return cap_netlink_recv(skb, cap);
+ return cap_netlink_recv(skb);
}
static void apparmor_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)

58
kernel-patches/2.6.17/patches/apparmor_audit.patch
View File

@@ -1,58 +0,0 @@
From: tonyj@suse.de
Subject: Export audit subsystem for use by modules
Patch-mainline: no
Adds necessary export symbols for audit subsystem routines.
Changes audit_log_vformat to be externally visible (analagous to vprintf)
Patch is not in mainline -- pending AppArmor code submission to lkml
---
include/linux/audit.h | 5 +++++
kernel/audit.c | 6 ++++--
2 files changed, 9 insertions(+), 2 deletions(-)
Index: linux-2.6.17.9/include/linux/audit.h
===================================================================
--- linux-2.6.17.9.orig/include/linux/audit.h
+++ linux-2.6.17.9/include/linux/audit.h
@@ -96,6 +96,8 @@
#define AUDIT_LAST_KERN_ANOM_MSG 1799
#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
+#define AUDIT_SD 1500 /* AppArmor (SubDomain) audit */
+
#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
/* Rule flags */
@@ -357,6 +359,9 @@ extern void audit_log(struct audit_
__attribute__((format(printf,4,5)));
extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
+extern void audit_log_vformat(struct audit_buffer *ab,
+ const char *fmt, va_list args)
+ __attribute__((format(printf,2,0)));
extern void audit_log_format(struct audit_buffer *ab,
const char *fmt, ...)
__attribute__((format(printf,2,3)));
Index: linux-2.6.17.9/kernel/audit.c
===================================================================
--- linux-2.6.17.9.orig/kernel/audit.c
+++ linux-2.6.17.9/kernel/audit.c
@@ -893,8 +893,7 @@ static inline int audit_expand(struct au
* will be called a second time. Currently, we assume that a printk
* can't format message larger than 1024 bytes, so we don't either.
*/
-static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
- va_list args)
+void audit_log_vformat(struct audit_buffer *ab, const char *fmt, va_list args)
{
int len, avail;
struct sk_buff *skb;
@@ -1096,3 +1095,6 @@ EXPORT_SYMBOL(audit_log_start);
EXPORT_SYMBOL(audit_log_end);
EXPORT_SYMBOL(audit_log_format);
EXPORT_SYMBOL(audit_log);
+EXPORT_SYMBOL_GPL(audit_log_vformat);
+EXPORT_SYMBOL_GPL(audit_log_untrustedstring);
+EXPORT_SYMBOL_GPL(audit_log_d_path);

42
kernel-patches/2.6.17/patches/apparmor_namespacesem.patch
View File

@@ -1,42 +0,0 @@
From: tonyj@suse.de
Subject: Export namespace semaphore
Patch-mainline: no
Export global namespace_sem (this used to be a per namespace semaphore).
Alas, this isn't going to win _any_ points for style.
Patch is not in mainline -- pending AppArmor code submission to lkml
---
fs/namespace.c | 3 ++-
include/linux/namespace.h | 3 +++
2 files changed, 5 insertions(+), 1 deletion(-)
Index: linux-2.6.17.9/fs/namespace.c
===================================================================
--- linux-2.6.17.9.orig/fs/namespace.c
+++ linux-2.6.17.9/fs/namespace.c
@@ -46,7 +46,8 @@ static int event;
static struct list_head *mount_hashtable __read_mostly;
static int hash_mask __read_mostly, hash_bits __read_mostly;
static kmem_cache_t *mnt_cache __read_mostly;
-static struct rw_semaphore namespace_sem;
+struct rw_semaphore namespace_sem;
+EXPORT_SYMBOL_GPL(namespace_sem);
/* /sys/fs */
decl_subsys(fs, NULL, NULL);
Index: linux-2.6.17.9/include/linux/namespace.h
===================================================================
--- linux-2.6.17.9.orig/include/linux/namespace.h
+++ linux-2.6.17.9/include/linux/namespace.h
@@ -5,6 +5,9 @@
#include <linux/mount.h>
#include <linux/sched.h>
+/* exported for AppArmor (SubDomain) */
+extern struct rw_semaphore namespace_sem;
+
struct namespace {
atomic_t count;
struct vfsmount * root;

24
kernel-patches/2.6.17/patches/apparmor_security.patch
View File

@@ -1,24 +0,0 @@
Index: linux-2.6.17.9/security/Makefile
===================================================================
--- linux-2.6.17.9.orig/security/Makefile
+++ linux-2.6.17.9/security/Makefile
@@ -4,6 +4,7 @@
obj-$(CONFIG_KEYS) += keys/
subdir-$(CONFIG_SECURITY_SELINUX) += selinux
+obj-$(CONFIG_SECURITY_APPARMOR) += commoncap.o apparmor/
# if we don't select a security model, use the default capabilities
ifneq ($(CONFIG_SECURITY),y)
Index: linux-2.6.17.9/security/Kconfig
===================================================================
--- linux-2.6.17.9.orig/security/Kconfig
+++ linux-2.6.17.9/security/Kconfig
@@ -100,6 +100,7 @@ config SECURITY_SECLVL
If you are unsure how to answer this question, answer N.
source security/selinux/Kconfig
+source security/apparmor/Kconfig
endmenu

3
kernel-patches/2.6.17/patches/series
View File

@@ -1,3 +0,0 @@
apparmor_audit.patch
apparmor_namespacesem.patch
apparmor_security.patch

1
kernel-patches/2.6.17/postapply/module-deprecated/series
View File

@@ -1 +0,0 @@
undo_netlinkrecv.patch

14
kernel-patches/2.6.17/postapply/module-deprecated/undo_netlinkrecv.patch
View File

@@ -1,14 +0,0 @@
--- linux-2.6.18.orig/security/apparmor/lsm.c
+++ linux-2.6.18/security/apparmor/lsm.c
@@ -199,9 +199,9 @@
return cap_netlink_send(sk, skb);
}
-static int subdomain_netlink_recv(struct sk_buff *skb, int cap)
+static int subdomain_netlink_recv(struct sk_buff *skb)
{
- return cap_netlink_recv(skb, cap);
+ return cap_netlink_recv(skb);
}
static void subdomain_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)

2
kernel-patches/2.6.17/postapply/module/series
View File

@@ -1,2 +0,0 @@
undo_2.6.20_mnt_namespace.patch
undo_netlinkrecv.patch

37
kernel-patches/2.6.17/postapply/module/undo_2.6.20_mnt_namespace.patch
View File

@@ -1,37 +0,0 @@
Index: linux-2.6.18.6/security/apparmor/apparmor.h
===================================================================
--- linux-2.6.18.6.orig/security/apparmor/apparmor.h
+++ linux-2.6.18.6/security/apparmor/apparmor.h
@@ -210,7 +210,7 @@ typedef int (*aa_iter) (struct subdomain
*/
struct aa_path_data {
struct dentry *root, *dentry;
- struct mnt_namespace *mnt_namespace;
+ struct namespace *namespace;
struct list_head *head, *pos;
int errno;
};
Index: linux-2.6.18.6/security/apparmor/inline.h
===================================================================
--- linux-2.6.18.6.orig/security/apparmor/inline.h
+++ linux-2.6.18.6/security/apparmor/inline.h
@@ -10,7 +10,7 @@
#ifndef __INLINE_H
#define __INLINE_H
-#include <linux/mnt_namespace.h>
+#include <linux/namespace.h>
static inline int __aa_is_confined(struct subdomain *sd)
{
@@ -323,8 +323,8 @@ static inline void __aa_path_begin(struc
{
data->dentry = dentry;
data->root = dget(rdentry->d_sb->s_root);
- data->mnt_namespace = current->nsproxy->mnt_ns;
- data->head = &data->mnt_namespace->list;
+ data->namespace = current->namespace;
+ data->head = &data->namespace->list;
data->pos = data->head->next;
prefetch(data->pos->next);
data->errno = 0;

16
kernel-patches/2.6.17/postapply/module/undo_netlinkrecv.patch
View File

@@ -1,16 +0,0 @@
Index: linux-2.6.16.29/security/apparmor/lsm.c
===================================================================
--- linux-2.6.16.29.orig/security/apparmor/lsm.c
+++ linux-2.6.16.29/security/apparmor/lsm.c
@@ -176,9 +176,9 @@ static int apparmor_netlink_send(struct
return cap_netlink_send(sk, skb);
}
-static int apparmor_netlink_recv(struct sk_buff *skb, int cap)
+static int apparmor_netlink_recv(struct sk_buff *skb)
{
- return cap_netlink_recv(skb, cap);
+ return cap_netlink_recv(skb);
}
static void apparmor_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)

54
kernel-patches/2.6.18/patches/apparmor_audit.patch
View File

@@ -1,54 +0,0 @@
From: tonyj@suse.de
Subject: Export audit subsystem for use by modules
Patch-mainline: no
Adds necessary export symbols for audit subsystem routines.
Changes audit_log_vformat to be externally visible (analagous to vprintf)
Patch is not in mainline -- pending AppArmor code submission to lkml
---
include/linux/audit.h | 5 +++++
kernel/audit.c | 6 ++++--
2 files changed, 9 insertions(+), 2 deletions(-)
--- linux-2.6.18.orig/include/linux/audit.h
+++ linux-2.6.18/include/linux/audit.h
@@ -100,6 +100,8 @@
#define AUDIT_LAST_KERN_ANOM_MSG 1799
#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
+#define AUDIT_SD 1500 /* AppArmor (SubDomain) audit */
+
#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
/* Rule flags */
@@ -466,6 +468,9 @@ extern void audit_log(struct audit_
__attribute__((format(printf,4,5)));
extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
+extern void audit_log_vformat(struct audit_buffer *ab,
+ const char *fmt, va_list args)
+ __attribute__((format(printf,2,0)));
extern void audit_log_format(struct audit_buffer *ab,
const char *fmt, ...)
__attribute__((format(printf,2,3)));
--- linux-2.6.18.orig/kernel/audit.c
+++ linux-2.6.18/kernel/audit.c
@@ -954,8 +954,7 @@ static inline int audit_expand(struct au
* will be called a second time. Currently, we assume that a printk
* can't format message larger than 1024 bytes, so we don't either.
*/
-static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
- va_list args)
+void audit_log_vformat(struct audit_buffer *ab, const char *fmt, va_list args)
{
int len, avail;
struct sk_buff *skb;
@@ -1211,3 +1210,6 @@ EXPORT_SYMBOL(audit_log_start);
EXPORT_SYMBOL(audit_log_end);
EXPORT_SYMBOL(audit_log_format);
EXPORT_SYMBOL(audit_log);
+EXPORT_SYMBOL_GPL(audit_log_vformat);
+EXPORT_SYMBOL_GPL(audit_log_untrustedstring);
+EXPORT_SYMBOL_GPL(audit_log_d_path);

38
kernel-patches/2.6.18/patches/apparmor_namespacesem.patch
View File

@@ -1,38 +0,0 @@
From: tonyj@suse.de
Subject: Export namespace semaphore
Patch-mainline: no
Export global namespace_sem (this used to be a per namespace semaphore).
Alas, this isn't going to win _any_ points for style.
Patch is not in mainline -- pending AppArmor code submission to lkml
---
fs/namespace.c | 3 ++-
include/linux/namespace.h | 3 +++
2 files changed, 5 insertions(+), 1 deletion(-)
--- linux-2.6.18.orig/fs/namespace.c
+++ linux-2.6.18/fs/namespace.c
@@ -45,7 +45,8 @@ static int event;
static struct list_head *mount_hashtable __read_mostly;
static int hash_mask __read_mostly, hash_bits __read_mostly;
static kmem_cache_t *mnt_cache __read_mostly;
-static struct rw_semaphore namespace_sem;
+struct rw_semaphore namespace_sem;
+EXPORT_SYMBOL_GPL(namespace_sem);
/* /sys/fs */
decl_subsys(fs, NULL, NULL);
--- linux-2.6.18.orig/include/linux/namespace.h
+++ linux-2.6.18/include/linux/namespace.h
@@ -5,6 +5,9 @@
#include <linux/mount.h>
#include <linux/sched.h>
+/* exported for AppArmor (SubDomain) */
+extern struct rw_semaphore namespace_sem;
+
struct namespace {
atomic_t count;
struct vfsmount * root;

22
kernel-patches/2.6.18/patches/apparmor_security.patch
View File

@@ -1,22 +0,0 @@
Index: linux-2.6.18/security/Makefile
===================================================================
--- linux-2.6.18.orig/security/Makefile
+++ linux-2.6.18/security/Makefile
@@ -4,6 +4,7 @@
obj-$(CONFIG_KEYS) += keys/
subdir-$(CONFIG_SECURITY_SELINUX) += selinux
+obj-$(CONFIG_SECURITY_APPARMOR) += commoncap.o apparmor/
# if we don't select a security model, use the default capabilities
ifneq ($(CONFIG_SECURITY),y)
--- linux-2.6.17.orig/security/Kconfig
+++ linux-2.6.17/security/Kconfig
@@ -106,6 +106,7 @@ config SECURITY_SECLVL
If you are unsure how to answer this question, answer N.
source security/selinux/Kconfig
+source security/apparmor/Kconfig
endmenu

3
kernel-patches/2.6.18/patches/series
View File

@@ -1,3 +0,0 @@
apparmor_audit.patch
apparmor_namespacesem.patch
apparmor_security.patch

1
kernel-patches/2.6.18/postapply/module/series
View File

@@ -1 +0,0 @@
undo_2.6.20_mnt_namespace.patch

37
kernel-patches/2.6.18/postapply/module/undo_2.6.20_mnt_namespace.patch
View File

@@ -1,37 +0,0 @@
Index: linux-2.6.18.6/security/apparmor/apparmor.h
===================================================================
--- linux-2.6.18.6.orig/security/apparmor/apparmor.h
+++ linux-2.6.18.6/security/apparmor/apparmor.h
@@ -210,7 +210,7 @@ typedef int (*aa_iter) (struct subdomain
*/
struct aa_path_data {
struct dentry *root, *dentry;
- struct mnt_namespace *mnt_namespace;
+ struct namespace *namespace;
struct list_head *head, *pos;
int errno;
};
Index: linux-2.6.18.6/security/apparmor/inline.h
===================================================================
--- linux-2.6.18.6.orig/security/apparmor/inline.h
+++ linux-2.6.18.6/security/apparmor/inline.h
@@ -10,7 +10,7 @@
#ifndef __INLINE_H
#define __INLINE_H
-#include <linux/mnt_namespace.h>
+#include <linux/namespace.h>
static inline int __aa_is_confined(struct subdomain *sd)
{
@@ -323,8 +323,8 @@ static inline void __aa_path_begin(struc
{
data->dentry = dentry;
data->root = dget(rdentry->d_sb->s_root);
- data->mnt_namespace = current->nsproxy->mnt_ns;
- data->head = &data->mnt_namespace->list;
+ data->namespace = current->namespace;
+ data->head = &data->namespace->list;
data->pos = data->head->next;
prefetch(data->pos->next);
data->errno = 0;

54
kernel-patches/2.6.19/patches/apparmor_audit.patch
View File

@@ -1,54 +0,0 @@
From: tonyj@suse.de
Subject: Export audit subsystem for use by modules
Patch-mainline: no
Adds necessary export symbols for audit subsystem routines.
Changes audit_log_vformat to be externally visible (analagous to vprintf)
Patch is not in mainline -- pending AppArmor code submission to lkml
---
include/linux/audit.h | 5 +++++
kernel/audit.c | 6 ++++--
2 files changed, 9 insertions(+), 2 deletions(-)
--- linux-2.6.18.orig/include/linux/audit.h
+++ linux-2.6.18/include/linux/audit.h
@@ -100,6 +100,8 @@
#define AUDIT_LAST_KERN_ANOM_MSG 1799
#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
+#define AUDIT_SD 1500 /* AppArmor (SubDomain) audit */
+
#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
/* Rule flags */
@@ -466,6 +468,9 @@ extern void audit_log(struct audit_
__attribute__((format(printf,4,5)));
extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
+extern void audit_log_vformat(struct audit_buffer *ab,
+ const char *fmt, va_list args)
+ __attribute__((format(printf,2,0)));
extern void audit_log_format(struct audit_buffer *ab,
const char *fmt, ...)
__attribute__((format(printf,2,3)));
--- linux-2.6.18.orig/kernel/audit.c
+++ linux-2.6.18/kernel/audit.c
@@ -954,8 +954,7 @@ static inline int audit_expand(struct au
* will be called a second time. Currently, we assume that a printk
* can't format message larger than 1024 bytes, so we don't either.
*/
-static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
- va_list args)
+void audit_log_vformat(struct audit_buffer *ab, const char *fmt, va_list args)
{
int len, avail;
struct sk_buff *skb;
@@ -1211,3 +1210,6 @@ EXPORT_SYMBOL(audit_log_start);
EXPORT_SYMBOL(audit_log_end);
EXPORT_SYMBOL(audit_log_format);
EXPORT_SYMBOL(audit_log);
+EXPORT_SYMBOL_GPL(audit_log_vformat);
+EXPORT_SYMBOL_GPL(audit_log_untrustedstring);
+EXPORT_SYMBOL_GPL(audit_log_d_path);

38
kernel-patches/2.6.19/patches/apparmor_namespacesem.patch
View File

@@ -1,38 +0,0 @@
From: tonyj@suse.de
Subject: Export namespace semaphore
Patch-mainline: no
Export global namespace_sem (this used to be a per namespace semaphore).
Alas, this isn't going to win _any_ points for style.
Patch is not in mainline -- pending AppArmor code submission to lkml
---
fs/namespace.c | 3 ++-
include/linux/namespace.h | 3 +++
2 files changed, 5 insertions(+), 1 deletion(-)
--- linux-2.6.18.orig/fs/namespace.c
+++ linux-2.6.18/fs/namespace.c
@@ -45,7 +45,8 @@ static int event;
static struct list_head *mount_hashtable __read_mostly;
static int hash_mask __read_mostly, hash_bits __read_mostly;
static kmem_cache_t *mnt_cache __read_mostly;
-static struct rw_semaphore namespace_sem;
+struct rw_semaphore namespace_sem;
+EXPORT_SYMBOL_GPL(namespace_sem);
/* /sys/fs */
decl_subsys(fs, NULL, NULL);
--- linux-2.6.18.orig/include/linux/namespace.h
+++ linux-2.6.18/include/linux/namespace.h
@@ -5,6 +5,9 @@
#include <linux/mount.h>
#include <linux/sched.h>
+/* exported for AppArmor (SubDomain) */
+extern struct rw_semaphore namespace_sem;
+
struct namespace {
atomic_t count;
struct vfsmount * root;

22
kernel-patches/2.6.19/patches/apparmor_security.patch
View File

@@ -1,22 +0,0 @@
Index: linux-2.6.18/security/Makefile
===================================================================
--- linux-2.6.18.orig/security/Makefile
+++ linux-2.6.18/security/Makefile
@@ -4,6 +4,7 @@
obj-$(CONFIG_KEYS) += keys/
subdir-$(CONFIG_SECURITY_SELINUX) += selinux
+obj-$(CONFIG_SECURITY_APPARMOR) += commoncap.o apparmor/
# if we don't select a security model, use the default capabilities
ifneq ($(CONFIG_SECURITY),y)
--- linux-2.6.17.orig/security/Kconfig
+++ linux-2.6.17/security/Kconfig
@@ -106,6 +106,7 @@ config SECURITY_SECLVL
If you are unsure how to answer this question, answer N.
source security/selinux/Kconfig
+source security/apparmor/Kconfig
endmenu

3
kernel-patches/2.6.19/patches/series
View File

@@ -1,3 +0,0 @@
apparmor_audit.patch
apparmor_namespacesem.patch
apparmor_security.patch

1
kernel-patches/2.6.19/postapply/module/series
View File

@@ -1 +0,0 @@
undo_2.6.20_mnt_namespace.patch

37
kernel-patches/2.6.19/postapply/module/undo_2.6.20_mnt_namespace.patch
View File

@@ -1,37 +0,0 @@
Index: linux-2.6.18.6/security/apparmor/apparmor.h
===================================================================
--- linux-2.6.18.6.orig/security/apparmor/apparmor.h
+++ linux-2.6.18.6/security/apparmor/apparmor.h
@@ -210,7 +210,7 @@ typedef int (*aa_iter) (struct subdomain
*/
struct aa_path_data {
struct dentry *root, *dentry;
- struct mnt_namespace *mnt_namespace;
+ struct namespace *namespace;
struct list_head *head, *pos;
int errno;
};
Index: linux-2.6.18.6/security/apparmor/inline.h
===================================================================
--- linux-2.6.18.6.orig/security/apparmor/inline.h
+++ linux-2.6.18.6/security/apparmor/inline.h
@@ -10,7 +10,7 @@
#ifndef __INLINE_H
#define __INLINE_H
-#include <linux/mnt_namespace.h>
+#include <linux/namespace.h>
static inline int __aa_is_confined(struct subdomain *sd)
{
@@ -323,8 +323,8 @@ static inline void __aa_path_begin(struc
{
data->dentry = dentry;
data->root = dget(rdentry->d_sb->s_root);
- data->mnt_namespace = current->nsproxy->mnt_ns;
- data->head = &data->mnt_namespace->list;
+ data->namespace = current->namespace;
+ data->head = &data->namespace->list;
data->pos = data->head->next;
prefetch(data->pos->next);
data->errno = 0;

54
kernel-patches/2.6.20/patches/apparmor_audit.patch
View File

@@ -1,54 +0,0 @@
From: tonyj@suse.de
Subject: Export audit subsystem for use by modules
Patch-mainline: no
Adds necessary export symbols for audit subsystem routines.
Changes audit_log_vformat to be externally visible (analagous to vprintf)
Patch is not in mainline -- pending AppArmor code submission to lkml
---
include/linux/audit.h | 5 +++++
kernel/audit.c | 6 ++++--
2 files changed, 9 insertions(+), 2 deletions(-)
--- linux-2.6.18.orig/include/linux/audit.h
+++ linux-2.6.18/include/linux/audit.h
@@ -100,6 +100,8 @@
#define AUDIT_LAST_KERN_ANOM_MSG 1799
#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
+#define AUDIT_SD 1500 /* AppArmor (SubDomain) audit */
+
#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
/* Rule flags */
@@ -466,6 +468,9 @@ extern void audit_log(struct audit_
__attribute__((format(printf,4,5)));
extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
+extern void audit_log_vformat(struct audit_buffer *ab,
+ const char *fmt, va_list args)
+ __attribute__((format(printf,2,0)));
extern void audit_log_format(struct audit_buffer *ab,
const char *fmt, ...)
__attribute__((format(printf,2,3)));
--- linux-2.6.18.orig/kernel/audit.c
+++ linux-2.6.18/kernel/audit.c
@@ -954,8 +954,7 @@ static inline int audit_expand(struct au
* will be called a second time. Currently, we assume that a printk
* can't format message larger than 1024 bytes, so we don't either.
*/
-static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
- va_list args)
+void audit_log_vformat(struct audit_buffer *ab, const char *fmt, va_list args)
{
int len, avail;
struct sk_buff *skb;
@@ -1211,3 +1210,6 @@ EXPORT_SYMBOL(audit_log_start);
EXPORT_SYMBOL(audit_log_end);
EXPORT_SYMBOL(audit_log_format);
EXPORT_SYMBOL(audit_log);
+EXPORT_SYMBOL_GPL(audit_log_vformat);
+EXPORT_SYMBOL_GPL(audit_log_untrustedstring);
+EXPORT_SYMBOL_GPL(audit_log_d_path);

38
kernel-patches/2.6.20/patches/apparmor_namespacesem.patch
View File

@@ -1,38 +0,0 @@
From: tonyj@suse.de
Subject: Export namespace semaphore
Patch-mainline: no
Export global namespace_sem (this used to be a per namespace semaphore).
Alas, this isn't going to win _any_ points for style.
Patch is not in mainline -- pending AppArmor code submission to lkml
---
fs/namespace.c | 3 ++-
include/linux/mnt_namespace.h | 3 +++
2 files changed, 5 insertions(+), 1 deletion(-)
--- linux-2.6.19.orig/fs/namespace.c
+++ linux-2.6.19/fs/namespace.c
@@ -37,7 +37,8 @@ static int event;
static struct list_head *mount_hashtable __read_mostly;
static int hash_mask __read_mostly, hash_bits __read_mostly;
static struct kmem_cache *mnt_cache __read_mostly;
-static struct rw_semaphore namespace_sem;
+struct rw_semaphore namespace_sem;
+EXPORT_SYMBOL_GPL(namespace_sem);
/* /sys/fs */
decl_subsys(fs, NULL, NULL);
--- linux-2.6.19.orig/include/linux/mnt_namespace.h
+++ linux-2.6.19/include/linux/mnt_namespace.h
@@ -6,6 +6,9 @@
#include <linux/sched.h>
#include <linux/nsproxy.h>
+/* exported for AppArmor (SubDomain) */
+extern struct rw_semaphore namespace_sem;
+
struct mnt_namespace {
atomic_t count;
struct vfsmount * root;

22
kernel-patches/2.6.20/patches/apparmor_security.patch
View File

@@ -1,22 +0,0 @@
Index: linux-2.6.18/security/Makefile
===================================================================
--- linux-2.6.18.orig/security/Makefile
+++ linux-2.6.18/security/Makefile
@@ -4,6 +4,7 @@
obj-$(CONFIG_KEYS) += keys/
subdir-$(CONFIG_SECURITY_SELINUX) += selinux
+obj-$(CONFIG_SECURITY_APPARMOR) += commoncap.o apparmor/
# if we don't select a security model, use the default capabilities
ifneq ($(CONFIG_SECURITY),y)
--- linux-2.6.17.orig/security/Kconfig
+++ linux-2.6.17/security/Kconfig
@@ -106,6 +106,7 @@ config SECURITY_SECLVL
If you are unsure how to answer this question, answer N.
source security/selinux/Kconfig
+source security/apparmor/Kconfig
endmenu

3
kernel-patches/2.6.20/patches/series
View File

@@ -1,3 +0,0 @@
apparmor_audit.patch
apparmor_namespacesem.patch
apparmor_security.patch

12
kernel-patches/for-mainline/apparmor-audit.diff → kernel-patches/2.6.24/apparmor-audit.diff
View File

@@ -27,9 +27,9 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
* 1600 - 1699 kernel crypto events
* 1700 - 1799 kernel anomaly records
* 1800 - 1999 future kernel use (maybe integrity labels and related events)
@@ -109,6 +109,13 @@
#define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Add a XFRM policy */
#define AUDIT_MAC_IPSEC_DELSPD 1414 /* Delete a XFRM policy */
@@ -116,6 +116,13 @@
#define AUDIT_MAC_IPSEC_DELSPD 1414 /* Not used */
#define AUDIT_MAC_IPSEC_EVENT 1415 /* Audit an IPSec event */
+#define AUDIT_APPARMOR_AUDIT 1501 /* AppArmor audited grants */
+#define AUDIT_APPARMOR_ALLOWED 1502 /* Allowed Access for learning */
@@ -41,7 +41,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799
#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
@@ -499,6 +506,9 @@ extern void audit_log(struct audit_
@@ -513,6 +520,9 @@ extern void audit_log(struct audit_
__attribute__((format(printf,4,5)));
extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
@@ -53,7 +53,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
__attribute__((format(printf,2,3)));
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1054,8 +1054,7 @@ static inline int audit_expand(struct au
@@ -1215,8 +1215,7 @@ static inline int audit_expand(struct au
* will be called a second time. Currently, we assume that a printk
* can't format message larger than 1024 bytes, so we don't either.
*/
@@ -63,7 +63,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
int len, avail;
struct sk_buff *skb;
@@ -1311,3 +1310,6 @@ EXPORT_SYMBOL(audit_log_start);
@@ -1471,3 +1470,6 @@ EXPORT_SYMBOL(audit_log_start);
EXPORT_SYMBOL(audit_log_end);
EXPORT_SYMBOL(audit_log_format);
EXPORT_SYMBOL(audit_log);

61
kernel-patches/2.6.24/apparmor-bootdisable.diff Normal file
View File

@@ -0,0 +1,61 @@
---
security/apparmor/Kconfig | 17 +++++++++++++++++
security/apparmor/lsm.c | 16 ++++++++++++++++
2 files changed, 33 insertions(+)
--- a/security/apparmor/Kconfig
+++ b/security/apparmor/Kconfig
@@ -7,4 +7,21 @@ config SECURITY_APPARMOR
Required userspace tools (if they are not included in your
distribution) and further information may be found at
<http://forge.novell.com/modules/xfmod/project/?apparmor>
+
If you are unsure how to answer this question, answer N.
+
+config SECURITY_APPARMOR_BOOTPARAM_VALUE
+ int "AppArmor boot parameter default value"
+ depends on SECURITY_APPARMOR
+ range 0 1
+ default 1
+ help
+ This option sets the default value for the kernel parameter
+ 'apparmor', which allows AppArmor to be enabled or disabled
+ at boot. If this option is set to 0 (zero), the AppArmor
+ kernel parameter will default to 0, disabling AppArmor at
+ bootup. If this option is set to 1 (one), the AppArmor
+ kernel parameter will default to 1, enabling AppArmor at
+ bootup.
+
+ If you are unsure how to answer this question, answer 1.
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -23,6 +23,17 @@
#include "apparmor.h"
#include "inline.h"
+/* Boot time disable flag */
+int apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE;
+
+static int __init apparmor_enabled_setup(char *str)
+{
+ apparmor_enabled = simple_strtol(str, NULL, 0);
+ return 1;
+}
+__setup("apparmor=", apparmor_enabled_setup);
+
+
static int param_set_aabool(const char *val, struct kernel_param *kp);
static int param_get_aabool(char *buffer, struct kernel_param *kp);
#define param_check_aabool(name, p) __param_check(name, p, int)
@@ -883,6 +894,11 @@ static int __init apparmor_init(void)
{
int error;
+ if (!apparmor_enabled) {
+ info_message("AppArmor disabled by boottime parameter\n");
+ return 0;
+ }
+
if ((error = create_apparmorfs())) {
AA_ERROR("Unable to activate AppArmor filesystem\n");
goto createfs_out;

66
kernel-patches/2.6.24/apparmor-builtin-only.diff Normal file
View File

@@ -0,0 +1,66 @@
---
security/apparmor/Kconfig | 2 +-
security/apparmor/lsm.c | 42 ------------------------------------------
2 files changed, 1 insertion(+), 43 deletions(-)
--- a/security/apparmor/Kconfig
+++ b/security/apparmor/Kconfig
@@ -1,5 +1,5 @@
config SECURITY_APPARMOR
- tristate "AppArmor support"
+ bool "AppArmor support"
depends on SECURITY
select AUDIT
help
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -932,49 +932,7 @@ createfs_out:
}
-static void __exit apparmor_exit(void)
-{
- /* Remove and release all the profiles on the profile list. */
- mutex_lock(&aa_interface_lock);
- write_lock(&profile_list_lock);
- while (!list_empty(&profile_list)) {
- struct aa_profile *profile =
- list_entry(profile_list.next, struct aa_profile, list);
-
- /* Remove the profile from each task context it is on. */
- lock_profile(profile);
- profile->isstale = 1;
- aa_unconfine_tasks(profile);
- unlock_profile(profile);
-
- /* Release the profile itself. */
- list_del_init(&profile->list);
- aa_put_profile(profile);
- }
- write_unlock(&profile_list_lock);
-
- /* FIXME: cleanup profiles references on files */
-
- free_null_complain_profile();
-
- /*
- * Delay for an rcu cycle to make sure that all active task
- * context readers have finished, and all profiles have been
- * freed by their rcu callbacks.
- */
- synchronize_rcu();
-
- destroy_apparmorfs();
- mutex_unlock(&aa_interface_lock);
-
- if (unregister_security(&apparmor_ops))
- info_message("Unable to properly unregister AppArmor");
-
- info_message("AppArmor protection removed");
-}
-
module_init(apparmor_init);
-module_exit(apparmor_exit);
MODULE_DESCRIPTION("AppArmor process confinement");
MODULE_AUTHOR("Novell/Immunix, http://bugs.opensuse.org");

14
kernel-patches/2.6.24/apparmor-fix-sysctl-refcount.diff Normal file
View File

@@ -0,0 +1,14 @@
---
security/apparmor/lsm.c | 1 +
1 file changed, 1 insertion(+)
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -205,6 +205,7 @@ static int apparmor_sysctl(struct ctl_ta
}
out:
+ aa_put_profile(profile);
return error;
}

2
kernel-patches/for-mainline/apparmor-intree.diff → kernel-patches/2.6.24/apparmor-intree.diff
View File

@@ -12,7 +12,7 @@ Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -94,6 +94,7 @@ config SECURITY_ROOTPLUG
@@ -104,6 +104,7 @@ config SECURITY_ROOTPLUG
If you are unsure how to answer this question, answer N.
source security/selinux/Kconfig

0
kernel-patches/for-mainline/apparmor-lsm.diff → kernel-patches/2.6.24/apparmor-lsm.diff
View File

0
kernel-patches/for-mainline/apparmor-main.diff → kernel-patches/2.6.24/apparmor-main.diff
View File

0
kernel-patches/for-mainline/apparmor-misc.diff → kernel-patches/2.6.24/apparmor-misc.diff
View File

0
kernel-patches/for-mainline/apparmor-module_interface.diff → kernel-patches/2.6.24/apparmor-module_interface.diff
View File

0
kernel-patches/for-mainline/apparmor-network.diff → kernel-patches/2.6.24/apparmor-network.diff
View File

6
kernel-patches/for-mainline/d_namespace_path.diff → kernel-patches/2.6.24/d_namespace_path.diff
View File

@@ -17,7 +17,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -1784,9 +1784,9 @@ shouldnt_be_hashed:
@@ -1782,9 +1782,9 @@ shouldnt_be_hashed:
*
* Returns the buffer or an error code.
*/
@@ -32,7 +32,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1863,3 +1863,30 @@ void __put_mnt_ns(struct mnt_namespace *
@@ -1883,3 +1883,30 @@ void __put_mnt_ns(struct mnt_namespace *
release_mounts(&umount_list);
kfree(ns);
}
@@ -65,7 +65,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
+EXPORT_SYMBOL(d_namespace_path);
--- a/include/linux/dcache.h
+++ b/include/linux/dcache.h
@@ -299,6 +299,8 @@ extern int d_validate(struct dentry *, s
@@ -300,6 +300,8 @@ extern int d_validate(struct dentry *, s
*/
extern char *dynamic_dname(struct dentry *, char *, int, const char *, ...);

2
kernel-patches/for-mainline/do_path_lookup-nameidata.diff → kernel-patches/2.6.24/do_path_lookup-nameidata.diff
View File

@@ -13,7 +13,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1132,25 +1132,24 @@ static int fastcall do_path_lookup(int d
@@ -1147,25 +1147,24 @@ static int fastcall do_path_lookup(int d
nd->dentry = dget(fs->pwd);
read_unlock(&fs->lock);
} else {

130
kernel-patches/2.6.24/fgetattr.diff Normal file
View File

@@ -0,0 +1,130 @@
From: Miklos Szeredi <mszeredi@suse.cz>
Add a new file operation: f_op->fgetattr(), that is invoked by
fstat(). Fall back to i_op->getattr() if it is not defined.
We need this because fstat() semantics can in some cases be better
implemented if the filesystem has the open file available.
Let's take the following example: we have a network filesystem, with
the server implemented as an unprivileged userspace process running on
a UNIX system (this is basically what sshfs does).
We want the filesystem to follow the familiar UNIX file semantics as
closely as possible. If for example we have this sequence of events,
we still would like fstat to work correctly:
1) file X is opened on client
2) file X is renamed to Y on server
3) fstat() is performed on open file descriptor on client
This is only possible if the filesystem server acutally uses fstat()
on a file descriptor obtained when the file was opened. Which means,
the filesystem client needs a way to get this information from the
VFS.
Even if we assume, that the remote filesystem never changes, it is
difficult to implement open-unlink-fstat semantics correctly in the
client, without having this information.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: John Johansen <jjohansen@suse.de>
---
---
fs/fuse/file.c | 13 +++++++++++++
fs/stat.c | 29 ++++++++++++++++++++++++++++-
include/linux/fs.h | 1 +
3 files changed, 42 insertions(+), 1 deletion(-)
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -871,6 +871,17 @@ static int fuse_file_flock(struct file *
return err;
}
+static int fuse_file_fgetattr(struct file *file, struct kstat *stat)
+{
+ struct inode *inode = file->f_dentry->d_inode;
+ struct fuse_conn *fc = get_fuse_conn(inode);
+
+ if (!fuse_allow_task(fc, current))
+ return -EACCES;
+
+ return fuse_update_attributes(inode, stat, file, NULL);
+}
+
static sector_t fuse_bmap(struct address_space *mapping, sector_t block)
{
struct inode *inode = mapping->host;
@@ -920,6 +931,7 @@ static const struct file_operations fuse
.fsync = fuse_fsync,
.lock = fuse_file_lock,
.flock = fuse_file_flock,
+ .fgetattr = fuse_file_fgetattr,
.splice_read = generic_file_splice_read,
};
@@ -933,6 +945,7 @@ static const struct file_operations fuse
.fsync = fuse_fsync,
.lock = fuse_file_lock,
.flock = fuse_file_flock,
+ .fgetattr = fuse_file_fgetattr,
/* no mmap and splice_read */
};
--- a/fs/stat.c
+++ b/fs/stat.c
@@ -55,6 +55,33 @@ int vfs_getattr(struct vfsmount *mnt, st
EXPORT_SYMBOL(vfs_getattr);
+/*
+ * Perform getattr on an open file
+ *
+ * Fall back to i_op->getattr (or generic_fillattr) if the filesystem
+ * doesn't define an f_op->fgetattr operation.
+ */
+static int vfs_fgetattr(struct file *file, struct kstat *stat)
+{
+ struct vfsmount *mnt = file->f_path.mnt;
+ struct dentry *dentry = file->f_path.dentry;
+ struct inode *inode = dentry->d_inode;
+ int retval;
+
+ retval = security_inode_getattr(mnt, dentry);
+ if (retval)
+ return retval;
+
+ if (file->f_op && file->f_op->fgetattr) {
+ return file->f_op->fgetattr(file, stat);
+ } else if (inode->i_op->getattr) {
+ return inode->i_op->getattr(mnt, dentry, stat);
+ } else {
+ generic_fillattr(inode, stat);
+ return 0;
+ }
+}
+
int vfs_stat_fd(int dfd, char __user *name, struct kstat *stat)
{
struct nameidata nd;
@@ -101,7 +128,7 @@ int vfs_fstat(unsigned int fd, struct ks
int error = -EBADF;
if (f) {
- error = vfs_getattr(f->f_path.mnt, f->f_path.dentry, stat);
+ error = vfs_fgetattr(f, stat);
fput(f);
}
return error;
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1188,6 +1188,7 @@ struct file_operations {
ssize_t (*splice_write)(struct pipe_inode_info *, struct file *, loff_t *, size_t, unsigned int);
ssize_t (*splice_read)(struct file *, loff_t *, struct pipe_inode_info *, size_t, unsigned int);
int (*setlease)(struct file *, long, struct file_lock **);
+ int (*fgetattr)(struct file *, struct kstat *);
};
struct inode_operations {

83
kernel-patches/2.6.24/file-handle-ops.diff Normal file
View File

@@ -0,0 +1,83 @@
From: Andreas Gruenbacher <agruen@suse.de>
Subject: Enable LSM hooks to distinguish operations on file descriptors from operations on pathnames
Struct iattr already contains ia_file since commit cc4e69de from
Miklos (which is related to commit befc649c). Use this to pass
struct file down the setattr hooks. This allows LSMs to distinguish
operations on file descriptors from operations on paths.
Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
Signed-off-by: John Johansen <jjohansen@suse.de>
Cc: Miklos Szeredi <mszeredi@suse.cz>
---
fs/nfsd/vfs.c | 12 +++++++-----
fs/open.c | 4 +++-
2 files changed, 10 insertions(+), 6 deletions(-)
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -413,7 +413,7 @@ static ssize_t nfsd_getxattr(struct dent
{
ssize_t buflen;
- buflen = vfs_getxattr(dentry, mnt, key, NULL, 0);
+ buflen = vfs_getxattr(dentry, mnt, key, NULL, 0, NULL);
if (buflen <= 0)
return buflen;
@@ -421,7 +421,7 @@ static ssize_t nfsd_getxattr(struct dent
if (!*buf)
return -ENOMEM;
- return vfs_getxattr(dentry, mnt, key, *buf, buflen);
+ return vfs_getxattr(dentry, mnt, key, *buf, buflen, NULL);
}
#endif
@@ -447,7 +447,7 @@ set_nfsv4_acl_one(struct dentry *dentry,
goto out;
}
- error = vfs_setxattr(dentry, mnt, key, buf, len, 0);
+ error = vfs_setxattr(dentry, mnt, key, buf, len, 0, NULL);
out:
kfree(buf);
return error;
@@ -2051,12 +2051,14 @@ nfsd_set_posix_acl(struct svc_fh *fhp, i
mnt = fhp->fh_export->ex_mnt;
if (size)
- error = vfs_setxattr(fhp->fh_dentry, mnt, name, value, size,0);
+ error = vfs_setxattr(fhp->fh_dentry, mnt, name, value, size, 0,
+ NULL);
else {
if (!S_ISDIR(inode->i_mode) && type == ACL_TYPE_DEFAULT)
error = 0;
else {
- error = vfs_removexattr(fhp->fh_dentry, mnt, name);
+ error = vfs_removexattr(fhp->fh_dentry, mnt, name,
+ NULL);
if (error == -ENODATA)
error = 0;
}
--- a/fs/open.c
+++ b/fs/open.c
@@ -581,7 +581,7 @@ asmlinkage long sys_fchmod(unsigned int
if (mode == (mode_t) -1)
mode = inode->i_mode;
newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
- newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
+ newattrs.ia_valid = ATTR_MODE | ATTR_CTIME | ATTR_FILE;
err = fnotify_change(dentry, file->f_path.mnt, &newattrs, file);
mutex_unlock(&inode->i_mutex);
@@ -661,6 +661,8 @@ static int chown_common(struct dentry *
if (!S_ISDIR(inode->i_mode))
newattrs.ia_valid |=
ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV;
+ if (file)
+ newattrs.ia_valid |= ATTR_FILE;
mutex_lock(&inode->i_mutex);
error = fnotify_change(dentry, mnt, &newattrs, file);
mutex_unlock(&inode->i_mutex);

2
kernel-patches/for-mainline/file_permission-nameidata.diff → kernel-patches/2.6.24/file_permission-nameidata.diff
View File

@@ -14,7 +14,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -298,7 +298,13 @@ int vfs_permission(struct nameidata *nd,
@@ -313,7 +313,13 @@ int vfs_permission(struct nameidata *nd,
*/
int file_permission(struct file *file, int mask)
{

22
kernel-patches/2.6.24/fix-name-errorpath.diff Normal file
View File

@@ -0,0 +1,22 @@
fix bug where the error code and mask are not being set correctly
when pathname lookup fails.
---
security/apparmor/main.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
@@ -191,8 +191,10 @@ static int aa_perm_dentry(struct aa_prof
*/
if (PTR_ERR(sa->name) == -ENOENT && (check & AA_CHECK_FD))
sa->denied_mask = 0;
- else
- sa->denied_mask = PTR_ERR(sa->name);
+ else {
+ sa->denied_mask = sa->requested_mask;
+ sa->error_code = PTR_ERR(sa->name);
+ }
sa->name = NULL;
} else
sa->denied_mask = aa_file_denied(profile, sa->name,

38
kernel-patches/2.6.24/fix-net.diff Normal file
View File

@@ -0,0 +1,38 @@
---
security/apparmor/lsm.c | 18 ------------------
1 file changed, 18 deletions(-)
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -717,22 +717,6 @@ static int apparmor_socket_shutdown(stru
return aa_revalidate_sk(sk, "socket_shutdown");
}
-static int apparmor_socket_getpeersec_stream(struct socket *sock,
- char __user *optval, int __user *optlen, unsigned len)
-{
- struct sock *sk = sock->sk;
-
- return aa_revalidate_sk(sk, "socket_getpeersec_stream");
-}
-
-static int apparmor_socket_getpeersec_dgram(struct socket *sock,
- struct sk_buff *skb, u32 *secid)
-{
- struct sock *sk = sock->sk;
-
- return aa_revalidate_sk(sk, "socket_getpeersec_dgram");
-}
-
static int apparmor_getprocattr(struct task_struct *task, char *name,
char **value)
{
@@ -882,8 +866,6 @@ struct security_operations apparmor_ops
.socket_getsockopt = apparmor_socket_getsockopt,
.socket_setsockopt = apparmor_socket_setsockopt,
.socket_shutdown = apparmor_socket_shutdown,
- .socket_getpeersec_stream = apparmor_socket_getpeersec_stream,
- .socket_getpeersec_dgram = apparmor_socket_getpeersec_dgram,
};
static void info_message(const char *str)

18
kernel-patches/2.6.24/fix-rcu-deref.diff Normal file
View File

@@ -0,0 +1,18 @@
The old style of casting in the rcu_dereference fails to compile with
the newer rcu_dereference macro.
---
security/apparmor/inline.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/security/apparmor/inline.h
+++ b/security/apparmor/inline.h
@@ -19,7 +19,7 @@ static inline int mediated_filesystem(st
static inline struct aa_task_context *aa_task_context(struct task_struct *task)
{
- return rcu_dereference((struct aa_task_context *)task->security);
+ return (struct aa_task_context *) rcu_dereference(task->security);
}
/**

4
kernel-patches/for-mainline/fix-vfs_rmdir.diff → kernel-patches/2.6.24/fix-vfs_rmdir.diff
View File

@@ -15,7 +15,7 @@ Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2067,6 +2067,10 @@ int vfs_rmdir(struct inode *dir, struct
@@ -2097,6 +2097,10 @@ int vfs_rmdir(struct inode *dir, struct
if (!dir->i_op || !dir->i_op->rmdir)
return -EPERM;
@@ -26,7 +26,7 @@ Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
DQUOT_INIT(dir);
mutex_lock(&dentry->d_inode->i_mutex);
@@ -2074,12 +2078,9 @@ int vfs_rmdir(struct inode *dir, struct
@@ -2104,12 +2108,9 @@ int vfs_rmdir(struct inode *dir, struct
if (d_mountpoint(dentry))
error = -EBUSY;
else {

27
kernel-patches/2.6.24/fsetattr-reintro-ATTR_FILE.diff Normal file
View File

@@ -0,0 +1,27 @@
---
fs/open.c | 3 +++
include/linux/fs.h | 1 +
2 files changed, 4 insertions(+)
--- a/fs/open.c
+++ b/fs/open.c
@@ -207,6 +207,9 @@ int do_truncate(struct dentry *dentry, s
newattrs.ia_size = length;
newattrs.ia_valid = ATTR_SIZE | time_attrs;
+ if (filp)
+ newattrs.ia_valid |= ATTR_FILE;
+
/* Remove suid/sgid on truncate too */
newattrs.ia_valid |= should_remove_suid(dentry);
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -329,6 +329,7 @@ typedef void (dio_iodone_t)(struct kiocb
#define ATTR_ATTR_FLAG 1024
#define ATTR_KILL_SUID 2048
#define ATTR_KILL_SGID 4096
+#define ATTR_FILE 8192
#define ATTR_KILL_PRIV 16384
#define ATTR_OPEN 32768 /* Truncating from open(O_TRUNC) */

392
kernel-patches/2.6.24/fsetattr.diff Normal file
View File

@@ -0,0 +1,392 @@
Subject: VFS: new fsetattr() file operation
From: Miklos Szeredi <mszeredi@suse.cz>
Add a new file operation: f_op->fsetattr(), that is invoked by
ftruncate, fchmod, fchown and utimensat. Fall back to i_op->setattr()
if it is not defined.
For the reasons why we need this, see patch adding fgetattr().
ftruncate() already passed the open file to the filesystem via the
ia_file member of struct iattr. However it is cleaner to have a
separate file operation for this, so remove ia_file, ATTR_FILE and
convert existing users: fuse and AFS.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> ---
Signed-off-by: John Johansen <jjohansen@suse.de> ---
---
fs/afs/dir.c | 1 +
fs/afs/file.c | 1 +
fs/afs/inode.c | 19 +++++++++++++++----
fs/afs/internal.h | 1 +
fs/attr.c | 18 ++++++++++++++----
fs/fuse/dir.c | 20 +++++++++-----------
fs/fuse/file.c | 7 +++++++
fs/fuse/fuse_i.h | 4 ++++
fs/open.c | 20 ++++++++------------
fs/utimes.c | 2 +-
include/linux/fs.h | 10 ++--------
11 files changed, 63 insertions(+), 40 deletions(-)
--- a/fs/afs/dir.c
+++ b/fs/afs/dir.c
@@ -45,6 +45,7 @@ const struct file_operations afs_dir_fil
.release = afs_release,
.readdir = afs_readdir,
.lock = afs_lock,
+ .fsetattr = afs_fsetattr,
};
const struct inode_operations afs_dir_inode_operations = {
--- a/fs/afs/file.c
+++ b/fs/afs/file.c
@@ -36,6 +36,7 @@ const struct file_operations afs_file_op
.fsync = afs_fsync,
.lock = afs_lock,
.flock = afs_flock,
+ .fsetattr = afs_fsetattr,
};
const struct inode_operations afs_file_inode_operations = {
--- a/fs/afs/inode.c
+++ b/fs/afs/inode.c
@@ -360,7 +360,8 @@ void afs_clear_inode(struct inode *inode
/*
* set the attributes of an inode
*/
-int afs_setattr(struct dentry *dentry, struct iattr *attr)
+static int afs_do_setattr(struct dentry *dentry, struct iattr *attr,
+ struct file *file)
{
struct afs_vnode *vnode = AFS_FS_I(dentry->d_inode);
struct key *key;
@@ -382,8 +383,8 @@ int afs_setattr(struct dentry *dentry, s
afs_writeback_all(vnode);
}
- if (attr->ia_valid & ATTR_FILE) {
- key = attr->ia_file->private_data;
+ if (file) {
+ key = file->private_data;
} else {
key = afs_request_key(vnode->volume->cell);
if (IS_ERR(key)) {
@@ -393,10 +394,20 @@ int afs_setattr(struct dentry *dentry, s
}
ret = afs_vnode_setattr(vnode, key, attr);
- if (!(attr->ia_valid & ATTR_FILE))
+ if (!file)
key_put(key);
error:
_leave(" = %d", ret);
return ret;
}
+
+int afs_setattr(struct dentry *dentry, struct iattr *attr)
+{
+ return afs_do_setattr(dentry, attr, NULL);
+}
+
+int afs_fsetattr(struct file *file, struct iattr *attr)
+{
+ return afs_do_setattr(file->f_path.dentry, attr, file);
+}
--- a/fs/afs/internal.h
+++ b/fs/afs/internal.h
@@ -550,6 +550,7 @@ extern void afs_zap_data(struct afs_vnod
extern int afs_validate(struct afs_vnode *, struct key *);
extern int afs_getattr(struct vfsmount *, struct dentry *, struct kstat *);
extern int afs_setattr(struct dentry *, struct iattr *);
+extern int afs_fsetattr(struct file *, struct iattr *);
extern void afs_clear_inode(struct inode *);
/*
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -100,8 +100,8 @@ int inode_setattr(struct inode * inode,
}
EXPORT_SYMBOL(inode_setattr);
-int notify_change(struct dentry *dentry, struct vfsmount *mnt,
- struct iattr *attr)
+int fnotify_change(struct dentry *dentry, struct vfsmount *mnt,
+ struct iattr *attr, struct file *file)
{
struct inode *inode = dentry->d_inode;
mode_t mode = inode->i_mode;
@@ -160,8 +160,12 @@ int notify_change(struct dentry *dentry,
if (inode->i_op && inode->i_op->setattr) {
error = security_inode_setattr(dentry, mnt, attr);
- if (!error)
- error = inode->i_op->setattr(dentry, attr);
+ if (!error) {
+ if (file && file->f_op && file->f_op->fsetattr)
+ error = file->f_op->fsetattr(file, attr);
+ else
+ error = inode->i_op->setattr(dentry, attr);
+ }
} else {
error = inode_change_ok(inode, attr);
if (!error)
@@ -184,4 +188,10 @@ int notify_change(struct dentry *dentry,
return error;
}
+int notify_change(struct dentry *dentry, struct vfsmount *mnt,
+ struct iattr *attr)
+{
+ return fnotify_change(dentry, mnt, attr, NULL);
+}
+
EXPORT_SYMBOL(notify_change);
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1032,21 +1032,22 @@ static int fuse_dir_fsync(struct file *f
return file ? fuse_fsync_common(file, de, datasync, 1) : 0;
}
-static bool update_mtime(unsigned ivalid)
+static bool update_mtime(unsigned ivalid, bool have_file)
{
/* Always update if mtime is explicitly set */
if (ivalid & ATTR_MTIME_SET)
return true;
/* If it's an open(O_TRUNC) or an ftruncate(), don't update */
- if ((ivalid & ATTR_SIZE) && (ivalid & (ATTR_OPEN | ATTR_FILE)))
+ if ((ivalid & ATTR_SIZE) && ((ivalid & ATTR_OPEN) || have_file))
return false;
/* In all other cases update */
return true;
}
-static void iattr_to_fattr(struct iattr *iattr, struct fuse_setattr_in *arg)
+static void iattr_to_fattr(struct iattr *iattr, struct fuse_setattr_in *arg,
+ bool have_file)
{
unsigned ivalid = iattr->ia_valid;
@@ -1065,7 +1066,7 @@ static void iattr_to_fattr(struct iattr
if (!(ivalid & ATTR_ATIME_SET))
arg->valid |= FATTR_ATIME_NOW;
}
- if ((ivalid & ATTR_MTIME) && update_mtime(ivalid)) {
+ if ((ivalid & ATTR_MTIME) && update_mtime(ivalid, have_file)) {
arg->valid |= FATTR_MTIME;
arg->mtime = iattr->ia_mtime.tv_sec;
arg->mtimensec = iattr->ia_mtime.tv_nsec;
@@ -1082,8 +1083,8 @@ static void iattr_to_fattr(struct iattr
* vmtruncate() doesn't allow for this case, so do the rlimit checking
* and the actual truncation by hand.
*/
-static int fuse_do_setattr(struct dentry *entry, struct iattr *attr,
- struct file *file)
+int fuse_do_setattr(struct dentry *entry, struct iattr *attr,
+ struct file *file)
{
struct inode *inode = entry->d_inode;
struct fuse_conn *fc = get_fuse_conn(inode);
@@ -1121,7 +1122,7 @@ static int fuse_do_setattr(struct dentry
memset(&inarg, 0, sizeof(inarg));
memset(&outarg, 0, sizeof(outarg));
- iattr_to_fattr(attr, &inarg);
+ iattr_to_fattr(attr, &inarg, file != NULL);
if (file) {
struct fuse_file *ff = file->private_data;
inarg.valid |= FATTR_FH;
@@ -1163,10 +1164,7 @@ static int fuse_do_setattr(struct dentry
static int fuse_setattr(struct dentry *entry, struct iattr *attr)
{
- if (attr->ia_valid & ATTR_FILE)
- return fuse_do_setattr(entry, attr, attr->ia_file);
- else
- return fuse_do_setattr(entry, attr, NULL);
+ return fuse_do_setattr(entry, attr, NULL);
}
static int fuse_getattr(struct vfsmount *mnt, struct dentry *entry,
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -894,6 +894,11 @@ static sector_t fuse_bmap(struct address
return err ? 0 : outarg.block;
}
+static int fuse_fsetattr(struct file *file, struct iattr *attr)
+{
+ return fuse_do_setattr(file->f_path.dentry, attr, file);
+}
+
static const struct file_operations fuse_file_operations = {
.llseek = generic_file_llseek,
.read = do_sync_read,
@@ -908,6 +913,7 @@ static const struct file_operations fuse
.lock = fuse_file_lock,
.flock = fuse_file_flock,
.fgetattr = fuse_file_fgetattr,
+ .fsetattr = fuse_fsetattr,
.splice_read = generic_file_splice_read,
};
@@ -922,6 +928,7 @@ static const struct file_operations fuse
.lock = fuse_file_lock,
.flock = fuse_file_flock,
.fgetattr = fuse_file_fgetattr,
+ .fsetattr = fuse_fsetattr,
/* no mmap and splice_read */
};
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -505,6 +505,10 @@ void fuse_change_attributes(struct inode
*/
int fuse_dev_init(void);
+
+int fuse_do_setattr(struct dentry *entry, struct iattr *attr,
+ struct file *file);
+
/**
* Cleanup the client device
*/
--- a/fs/open.c
+++ b/fs/open.c
@@ -206,16 +206,12 @@ int do_truncate(struct dentry *dentry, s
newattrs.ia_size = length;
newattrs.ia_valid = ATTR_SIZE | time_attrs;
- if (filp) {
- newattrs.ia_file = filp;
- newattrs.ia_valid |= ATTR_FILE;
- }
/* Remove suid/sgid on truncate too */
newattrs.ia_valid |= should_remove_suid(dentry);
mutex_lock(&dentry->d_inode->i_mutex);
- err = notify_change(dentry, mnt, &newattrs);
+ err = fnotify_change(dentry, mnt, &newattrs, filp);
mutex_unlock(&dentry->d_inode->i_mutex);
return err;
}
@@ -583,7 +579,7 @@ asmlinkage long sys_fchmod(unsigned int
mode = inode->i_mode;
newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
- err = notify_change(dentry, file->f_path.mnt, &newattrs);
+ err = fnotify_change(dentry, file->f_path.mnt, &newattrs, file);
mutex_unlock(&inode->i_mutex);
out_putf:
@@ -633,7 +629,7 @@ asmlinkage long sys_chmod(const char __u
}
static int chown_common(struct dentry * dentry, struct vfsmount *mnt,
- uid_t user, gid_t group)
+ uid_t user, gid_t group, struct file *file)
{
struct inode * inode;
int error;
@@ -663,7 +659,7 @@ static int chown_common(struct dentry *
newattrs.ia_valid |=
ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV;
mutex_lock(&inode->i_mutex);
- error = notify_change(dentry, mnt, &newattrs);
+ error = fnotify_change(dentry, mnt, &newattrs, file);
mutex_unlock(&inode->i_mutex);
out:
return error;
@@ -677,7 +673,7 @@ asmlinkage long sys_chown(const char __u
error = user_path_walk(filename, &nd);
if (error)
goto out;
- error = chown_common(nd.dentry, nd.mnt, user, group);
+ error = chown_common(nd.dentry, nd.mnt, user, group, NULL);
path_release(&nd);
out:
return error;
@@ -697,7 +693,7 @@ asmlinkage long sys_fchownat(int dfd, co
error = __user_walk_fd(dfd, filename, follow, &nd);
if (error)
goto out;
- error = chown_common(nd.dentry, nd.mnt, user, group);
+ error = chown_common(nd.dentry, nd.mnt, user, group, NULL);
path_release(&nd);
out:
return error;
@@ -711,7 +707,7 @@ asmlinkage long sys_lchown(const char __
error = user_path_walk_link(filename, &nd);
if (error)
goto out;
- error = chown_common(nd.dentry, nd.mnt, user, group);
+ error = chown_common(nd.dentry, nd.mnt, user, group, NULL);
path_release(&nd);
out:
return error;
@@ -730,7 +726,7 @@ asmlinkage long sys_fchown(unsigned int
dentry = file->f_path.dentry;
audit_inode(NULL, dentry);
- error = chown_common(dentry, file->f_path.mnt, user, group);
+ error = chown_common(dentry, file->f_path.mnt, user, group, file);
fput(file);
out:
return error;
--- a/fs/utimes.c
+++ b/fs/utimes.c
@@ -132,7 +132,7 @@ long do_utimes(int dfd, char __user *fil
}
}
mutex_lock(&inode->i_mutex);
- error = notify_change(path.dentry, path.mnt, &newattrs);
+ error = fnotify_change(path.dentry, path.mnt, &newattrs, f);
mutex_unlock(&inode->i_mutex);
dput_and_out:
if (f)
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -329,7 +329,6 @@ typedef void (dio_iodone_t)(struct kiocb
#define ATTR_ATTR_FLAG 1024
#define ATTR_KILL_SUID 2048
#define ATTR_KILL_SGID 4096
-#define ATTR_FILE 8192
#define ATTR_KILL_PRIV 16384
#define ATTR_OPEN 32768 /* Truncating from open(O_TRUNC) */
@@ -351,13 +350,6 @@ struct iattr {
struct timespec ia_atime;
struct timespec ia_mtime;
struct timespec ia_ctime;
-
- /*
- * Not an attribute, but an auxilary info for filesystems wanting to
- * implement an ftruncate() like method. NOTE: filesystem should
- * check for (ia_valid & ATTR_FILE), and not for (ia_file != NULL).
- */
- struct file *ia_file;
};
/*
@@ -1189,6 +1181,7 @@ struct file_operations {
ssize_t (*splice_read)(struct file *, loff_t *, struct pipe_inode_info *, size_t, unsigned int);
int (*setlease)(struct file *, long, struct file_lock **);
int (*fgetattr)(struct file *, struct kstat *);
+ int (*fsetattr)(struct file *, struct iattr *);
};
struct inode_operations {
@@ -1695,6 +1688,7 @@ extern int do_remount_sb(struct super_bl
extern sector_t bmap(struct inode *, sector_t);
#endif
extern int notify_change(struct dentry *, struct vfsmount *, struct iattr *);
+extern int fnotify_change(struct dentry *, struct vfsmount *, struct iattr *, struct file *);
extern int permission(struct inode *, int, struct nameidata *);
extern int generic_permission(struct inode *, int,
int (*check_acl)(struct inode *, int));

6
kernel-patches/for-mainline/mount-consistent-__d_path.diff → kernel-patches/2.6.24/mount-consistent-__d_path.diff
View File

@@ -20,7 +20,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -1788,7 +1788,7 @@ static char *__d_path(struct dentry *den
@@ -1786,7 +1786,7 @@ static char *__d_path(struct dentry *den
struct dentry *root, struct vfsmount *rootmnt,
char *buffer, int buflen, int fail_deleted)
{
@@ -29,7 +29,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
if (buflen < 2)
return ERR_PTR(-ENAMETOOLONG);
@@ -1811,14 +1811,14 @@ static char *__d_path(struct dentry *den
@@ -1809,14 +1809,14 @@ static char *__d_path(struct dentry *den
struct dentry * parent;
if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
@@ -49,7 +49,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
continue;
}
parent = dentry->d_parent;
@@ -1837,6 +1837,8 @@ static char *__d_path(struct dentry *den
@@ -1835,6 +1835,8 @@ static char *__d_path(struct dentry *den
*--buffer = '/';
out:

6
kernel-patches/for-mainline/parent-permission.diff → kernel-patches/2.6.24/parent-permission.diff
View File

@@ -13,9 +13,9 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1442,6 +1442,10 @@ static int may_delete(struct inode *dir,
@@ -1471,6 +1471,10 @@ static int may_delete(struct inode *dir,
BUG_ON(victim->d_parent->d_inode != dir);
audit_inode_child(victim->d_name.name, victim->d_inode, dir);
audit_inode_child(victim->d_name.name, victim, dir);
+#if 0
+ if (nd)
@@ -24,7 +24,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
error = permission(dir,MAY_WRITE | MAY_EXEC, NULL);
if (error)
return error;
@@ -1479,6 +1483,8 @@ static inline int may_create(struct inod
@@ -1508,6 +1512,8 @@ static inline int may_create(struct inod
return -EEXIST;
if (IS_DEADDIR(dir))
return -ENOENT;

65
kernel-patches/for-mainline/remove_suid.diff → kernel-patches/2.6.24/remove_suid.diff
View File

@@ -9,19 +9,19 @@ Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
Signed-off-by: John Johansen <jjohansen@suse.de>
---
fs/ntfs/file.c | 2 +-
fs/reiserfs/file.c | 2 +-
fs/splice.c | 4 ++--
fs/xfs/linux-2.6/xfs_lrw.c | 2 +-
include/linux/fs.h | 4 ++--
mm/filemap.c | 12 ++++++------
mm/filemap.c | 16 ++++++++--------
mm/filemap_xip.c | 2 +-
mm/shmem.c | 2 +-
8 files changed, 15 insertions(+), 15 deletions(-)
7 files changed, 16 insertions(+), 16 deletions(-)
--- a/fs/ntfs/file.c
+++ b/fs/ntfs/file.c
@@ -2122,7 +2122,7 @@ static ssize_t ntfs_file_aio_write_noloc
@@ -2120,7 +2120,7 @@ static ssize_t ntfs_file_aio_write_noloc
goto out;
if (!count)
goto out;
@@ -30,20 +30,9 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
if (err)
goto out;
file_update_time(file);
--- a/fs/reiserfs/file.c
+++ b/fs/reiserfs/file.c
@@ -1334,7 +1334,7 @@ static ssize_t reiserfs_file_write(struc
if (count == 0)
goto out;
- res = remove_suid(file->f_path.dentry);
+ res = remove_suid(&file->f_path);
if (res)
goto out;
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -830,7 +830,7 @@ generic_file_splice_write_nolock(struct
@@ -775,7 +775,7 @@ generic_file_splice_write_nolock(struct
ssize_t ret;
int err;
@@ -52,18 +41,18 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
if (unlikely(err))
return err;
@@ -885,7 +885,7 @@ generic_file_splice_write(struct pipe_in
err = should_remove_suid(out->f_path.dentry);
if (unlikely(err)) {
mutex_lock(&inode->i_mutex);
- err = __remove_suid(out->f_path.dentry, err);
+ err = __remove_suid(&out->f_path, err);
@@ -835,7 +835,7 @@ generic_file_splice_write(struct pipe_in
if (killpriv)
err = security_inode_killpriv(out->f_path.dentry);
if (!err && killsuid)
- err = __remove_suid(out->f_path.dentry, killsuid);
+ err = __remove_suid(&out->f_path, killsuid);
mutex_unlock(&inode->i_mutex);
if (err)
return err;
--- a/fs/xfs/linux-2.6/xfs_lrw.c
+++ b/fs/xfs/linux-2.6/xfs_lrw.c
@@ -754,7 +754,7 @@ start:
@@ -727,7 +727,7 @@ start:
!capable(CAP_FSETID)) {
error = xfs_write_clear_setuid(xip);
if (likely(!error))
@@ -74,7 +63,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
}
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1634,9 +1634,9 @@ extern void __iget(struct inode * inode)
@@ -1766,9 +1766,9 @@ extern void __iget(struct inode * inode)
extern void clear_inode(struct inode *);
extern void destroy_inode(struct inode *);
extern struct inode *new_inode(struct super_block *);
@@ -88,7 +77,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
extern void remove_inode_hash(struct inode *);
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -1691,20 +1691,20 @@ int should_remove_suid(struct dentry *de
@@ -1622,26 +1622,26 @@ int should_remove_suid(struct dentry *de
}
EXPORT_SYMBOL(should_remove_suid);
@@ -105,16 +94,24 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
-int remove_suid(struct dentry *dentry)
+int remove_suid(struct path *path)
{
- int kill = should_remove_suid(dentry);
+ int kill = should_remove_suid(path->dentry);
- int killsuid = should_remove_suid(dentry);
- int killpriv = security_inode_need_killpriv(dentry);
+ int killsuid = should_remove_suid(path->dentry);
+ int killpriv = security_inode_need_killpriv(path->dentry);
int error = 0;
if (unlikely(kill))
- return __remove_suid(dentry, kill);
+ return __remove_suid(path, kill);
if (killpriv < 0)
return killpriv;
if (killpriv)
- error = security_inode_killpriv(dentry);
+ error = security_inode_killpriv(path->dentry);
if (!error && killsuid)
- error = __remove_suid(dentry, killsuid);
+ error = __remove_suid(path, killsuid);
return 0;
return error;
}
@@ -2053,7 +2053,7 @@ __generic_file_aio_write_nolock(struct k
@@ -2354,7 +2354,7 @@ __generic_file_aio_write_nolock(struct k
if (count == 0)
goto out;
@@ -125,7 +122,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
--- a/mm/filemap_xip.c
+++ b/mm/filemap_xip.c
@@ -381,7 +381,7 @@ xip_file_write(struct file *filp, const
@@ -379,7 +379,7 @@ xip_file_write(struct file *filp, const
if (count == 0)
goto out_backing;
@@ -136,7 +133,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -1488,7 +1488,7 @@ shmem_file_write(struct file *file, cons
@@ -1526,7 +1526,7 @@ shmem_file_write(struct file *file, cons
if (err || !count)
goto out;

56
kernel-patches/for-mainline/security-create.diff → kernel-patches/2.6.24/security-create.diff
View File

@@ -11,12 +11,13 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
fs/namei.c | 2 +-
include/linux/security.h | 9 ++++++---
security/dummy.c | 2 +-
security/security.c | 5 +++--
security/selinux/hooks.c | 3 ++-
4 files changed, 10 insertions(+), 6 deletions(-)
5 files changed, 13 insertions(+), 8 deletions(-)
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1554,7 +1554,7 @@ int vfs_create(struct inode *dir, struct
@@ -1583,7 +1583,7 @@ int vfs_create(struct inode *dir, struct
return -EACCES; /* shouldn't it be ENOSYS? */
mode &= S_IALLUGO;
mode |= S_IFREG;
@@ -27,7 +28,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
DQUOT_INIT(dir);
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -284,6 +284,7 @@ struct request_sock;
@@ -297,6 +297,7 @@ struct request_sock;
* Check permission to create a regular file.
* @dir contains inode structure of the parent of the new file.
* @dentry contains the dentry structure for the file to be created.
@@ -35,7 +36,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
* @mode contains the file mode of the file to be created.
* Return 0 if permission is granted.
* @inode_link:
@@ -1205,8 +1206,8 @@ struct security_operations {
@@ -1247,8 +1248,8 @@ struct security_operations {
void (*inode_free_security) (struct inode *inode);
int (*inode_init_security) (struct inode *inode, struct inode *dir,
char **name, void **value, size_t *len);
@@ -46,21 +47,17 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
int (*inode_link) (struct dentry *old_dentry,
struct inode *dir, struct dentry *new_dentry);
int (*inode_unlink) (struct inode *dir, struct dentry *dentry);
@@ -1613,11 +1614,12 @@ static inline int security_inode_init_se
static inline int security_inode_create (struct inode *dir,
struct dentry *dentry,
+ struct vfsmount *mnt,
int mode)
{
if (unlikely (IS_PRIVATE (dir)))
return 0;
- return security_ops->inode_create (dir, dentry, mode);
+ return security_ops->inode_create (dir, dentry, mnt, mode);
}
static inline int security_inode_link (struct dentry *old_dentry,
@@ -2343,6 +2345,7 @@ static inline int security_inode_init_se
@@ -1503,7 +1504,8 @@ int security_inode_alloc(struct inode *i
void security_inode_free(struct inode *inode);
int security_inode_init_security(struct inode *inode, struct inode *dir,
char **name, void **value, size_t *len);
-int security_inode_create(struct inode *dir, struct dentry *dentry, int mode);
+int security_inode_create(struct inode *dir, struct dentry *dentry,
+ struct vfsmount *mnt, int mode);
int security_inode_link(struct dentry *old_dentry, struct inode *dir,
struct dentry *new_dentry);
int security_inode_unlink(struct inode *dir, struct dentry *dentry);
@@ -1813,6 +1815,7 @@ static inline int security_inode_init_se
static inline int security_inode_create (struct inode *dir,
struct dentry *dentry,
@@ -70,7 +67,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
return 0;
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -265,7 +265,7 @@ static int dummy_inode_init_security (st
@@ -262,7 +262,7 @@ static int dummy_inode_init_security (st
}
static int dummy_inode_create (struct inode *inode, struct dentry *dentry,
@@ -79,9 +76,26 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
return 0;
}
--- a/security/security.c
+++ b/security/security.c
@@ -328,11 +328,12 @@ int security_inode_init_security(struct
}
EXPORT_SYMBOL(security_inode_init_security);
-int security_inode_create(struct inode *dir, struct dentry *dentry, int mode)
+int security_inode_create(struct inode *dir, struct dentry *dentry,
+ struct vfsmount *mnt, int mode)
{
if (unlikely(IS_PRIVATE(dir)))
return 0;
- return security_ops->inode_create(dir, dentry, mode);
+ return security_ops->inode_create(dir, dentry, mnt, mode);
}
int security_inode_link(struct dentry *old_dentry, struct inode *dir,
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2177,7 +2177,8 @@ static int selinux_inode_init_security(s
@@ -2184,7 +2184,8 @@ static int selinux_inode_init_security(s
return 0;
}

59
kernel-patches/for-mainline/security-getxattr.diff → kernel-patches/2.6.24/security-getxattr.diff
View File

@@ -9,10 +9,11 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
---
fs/xattr.c | 2 +-
include/linux/security.h | 13 ++++++++-----
include/linux/security.h | 11 +++++++----
security/dummy.c | 3 ++-
security/security.c | 5 +++--
security/selinux/hooks.c | 3 ++-
4 files changed, 13 insertions(+), 8 deletions(-)
5 files changed, 15 insertions(+), 9 deletions(-)
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -27,7 +28,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -392,7 +392,7 @@ struct request_sock;
@@ -405,7 +405,7 @@ struct request_sock;
* @value identified by @name for @dentry and @mnt.
* @inode_getxattr:
* Check permission before obtaining the extended attributes
@@ -36,7 +37,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
* Return 0 if permission is granted.
* @inode_listxattr:
* Check permission before obtaining the list of extended attribute
@@ -1249,7 +1249,8 @@ struct security_operations {
@@ -1291,7 +1291,8 @@ struct security_operations {
struct vfsmount *mnt,
char *name, void *value,
size_t size, int flags);
@@ -45,23 +46,18 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
+ char *name);
int (*inode_listxattr) (struct dentry *dentry);
int (*inode_removexattr) (struct dentry *dentry, char *name);
const char *(*inode_xattr_getsuffix) (void);
@@ -1784,11 +1785,12 @@ static inline void security_inode_post_s
security_ops->inode_post_setxattr (dentry, mnt, name, value, size, flags);
}
-static inline int security_inode_getxattr (struct dentry *dentry, char *name)
+static inline int security_inode_getxattr (struct dentry *dentry,
+ struct vfsmount *mnt, char *name)
{
if (unlikely (IS_PRIVATE (dentry->d_inode)))
return 0;
- return security_ops->inode_getxattr (dentry, name);
+ return security_ops->inode_getxattr (dentry, mnt, name);
}
static inline int security_inode_listxattr (struct dentry *dentry)
@@ -2492,7 +2494,8 @@ static inline void security_inode_post_s
int (*inode_need_killpriv) (struct dentry *dentry);
@@ -1554,7 +1555,8 @@ int security_inode_setxattr(struct dentr
void security_inode_post_setxattr(struct dentry *dentry, struct vfsmount *mnt,
char *name, void *value, size_t size,
int flags);
-int security_inode_getxattr(struct dentry *dentry, char *name);
+int security_inode_getxattr(struct dentry *dentry, struct vfsmount *mnt,
+ char *name);
int security_inode_listxattr(struct dentry *dentry);
int security_inode_removexattr(struct dentry *dentry, char *name);
int security_inode_need_killpriv(struct dentry *dentry);
@@ -1954,7 +1956,8 @@ static inline void security_inode_post_s
int flags)
{ }
@@ -73,7 +69,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
}
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -368,7 +368,8 @@ static void dummy_inode_post_setxattr (s
@@ -365,7 +365,8 @@ static void dummy_inode_post_setxattr (s
{
}
@@ -83,9 +79,26 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
return 0;
}
--- a/security/security.c
+++ b/security/security.c
@@ -458,11 +458,12 @@ void security_inode_post_setxattr(struct
security_ops->inode_post_setxattr(dentry, mnt, name, value, size, flags);
}
-int security_inode_getxattr(struct dentry *dentry, char *name)
+int security_inode_getxattr(struct dentry *dentry, struct vfsmount *mnt,
+ char *name)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_getxattr(dentry, name);
+ return security_ops->inode_getxattr(dentry, mnt, name);
}
int security_inode_listxattr(struct dentry *dentry)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2394,7 +2394,8 @@ static void selinux_inode_post_setxattr(
@@ -2409,7 +2409,8 @@ static void selinux_inode_post_setxattr(
return;
}

67
kernel-patches/for-mainline/security-link.diff → kernel-patches/2.6.24/security-link.diff
View File

@@ -9,14 +9,15 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
---
fs/namei.c | 3 ++-
include/linux/security.h | 18 +++++++++++++-----
include/linux/security.h | 16 +++++++++++-----
security/dummy.c | 6 ++++--
security/security.c | 8 +++++---
security/selinux/hooks.c | 9 +++++++--
4 files changed, 26 insertions(+), 10 deletions(-)
5 files changed, 29 insertions(+), 13 deletions(-)
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2326,7 +2326,8 @@ int vfs_link(struct dentry *old_dentry,
@@ -2356,7 +2356,8 @@ int vfs_link(struct dentry *old_dentry,
if (S_ISDIR(old_dentry->d_inode->i_mode))
return -EPERM;
@@ -28,7 +29,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -290,8 +290,10 @@ struct request_sock;
@@ -303,8 +303,10 @@ struct request_sock;
* @inode_link:
* Check permission before creating a new hard link to a file.
* @old_dentry contains the dentry structure for an existing link to the file.
@@ -39,7 +40,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
* Return 0 if permission is granted.
* @inode_unlink:
* Check the permission to remove a hard link to a file.
@@ -1213,8 +1215,9 @@ struct security_operations {
@@ -1255,8 +1257,9 @@ struct security_operations {
char **name, void **value, size_t *len);
int (*inode_create) (struct inode *dir, struct dentry *dentry,
struct vfsmount *mnt, int mode);
@@ -51,25 +52,19 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
int (*inode_unlink) (struct inode *dir, struct dentry *dentry);
int (*inode_symlink) (struct inode *dir, struct dentry *dentry,
struct vfsmount *mnt, const char *old_name);
@@ -1630,12 +1633,15 @@ static inline int security_inode_create
}
static inline int security_inode_link (struct dentry *old_dentry,
+ struct vfsmount *old_mnt,
struct inode *dir,
- struct dentry *new_dentry)
+ struct dentry *new_dentry,
+ struct vfsmount *new_mnt)
{
if (unlikely (IS_PRIVATE (old_dentry->d_inode)))
return 0;
- return security_ops->inode_link (old_dentry, dir, new_dentry);
+ return security_ops->inode_link (old_dentry, old_mnt, dir,
+ new_dentry, new_mnt);
}
static inline int security_inode_unlink (struct inode *dir,
@@ -2364,8 +2370,10 @@ static inline int security_inode_create
@@ -1513,8 +1516,9 @@ int security_inode_init_security(struct
char **name, void **value, size_t *len);
int security_inode_create(struct inode *dir, struct dentry *dentry,
struct vfsmount *mnt, int mode);
-int security_inode_link(struct dentry *old_dentry, struct inode *dir,
- struct dentry *new_dentry);
+int security_inode_link(struct dentry *old_dentry, struct vfsmount *old_mnt,
+ struct inode *dir, struct dentry *new_dentry,
+ struct vfsmount *new_mnt);
int security_inode_unlink(struct inode *dir, struct dentry *dentry);
int security_inode_symlink(struct inode *dir, struct dentry *dentry,
struct vfsmount *mnt, const char *old_name);
@@ -1832,8 +1836,10 @@ static inline int security_inode_create
}
static inline int security_inode_link (struct dentry *old_dentry,
@@ -83,7 +78,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
}
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -270,8 +270,10 @@ static int dummy_inode_create (struct in
@@ -267,8 +267,10 @@ static int dummy_inode_create (struct in
return 0;
}
@@ -96,9 +91,29 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
return 0;
}
--- a/security/security.c
+++ b/security/security.c
@@ -336,12 +336,14 @@ int security_inode_create(struct inode *
return security_ops->inode_create(dir, dentry, mnt, mode);
}
-int security_inode_link(struct dentry *old_dentry, struct inode *dir,
- struct dentry *new_dentry)
+int security_inode_link(struct dentry *old_dentry, struct vfsmount *old_mnt,
+ struct inode *dir, struct dentry *new_dentry,
+ struct vfsmount *new_mnt)
{
if (unlikely(IS_PRIVATE(old_dentry->d_inode)))
return 0;
- return security_ops->inode_link(old_dentry, dir, new_dentry);
+ return security_ops->inode_link(old_dentry, old_mnt, dir,
+ new_dentry, new_mnt);
}
int security_inode_unlink(struct inode *dir, struct dentry *dentry)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2183,11 +2183,16 @@ static int selinux_inode_create(struct i
@@ -2190,11 +2190,16 @@ static int selinux_inode_create(struct i
return may_create(dir, dentry, SECCLASS_FILE);
}

59
kernel-patches/for-mainline/security-listxattr.diff → kernel-patches/2.6.24/security-listxattr.diff
View File

@@ -9,10 +9,11 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
---
fs/xattr.c | 2 +-
include/linux/security.h | 12 +++++++-----
include/linux/security.h | 9 +++++----
security/dummy.c | 2 +-
security/security.c | 4 ++--
security/selinux/hooks.c | 2 +-
4 files changed, 10 insertions(+), 8 deletions(-)
5 files changed, 10 insertions(+), 9 deletions(-)
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -27,7 +28,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
error = -EOPNOTSUPP;
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -396,7 +396,7 @@ struct request_sock;
@@ -409,7 +409,7 @@ struct request_sock;
* Return 0 if permission is granted.
* @inode_listxattr:
* Check permission before obtaining the list of extended attribute
@@ -36,31 +37,25 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
* Return 0 if permission is granted.
* @inode_removexattr:
* Check permission before removing the extended attribute
@@ -1251,7 +1251,7 @@ struct security_operations {
@@ -1293,7 +1293,7 @@ struct security_operations {
size_t size, int flags);
int (*inode_getxattr) (struct dentry *dentry, struct vfsmount *mnt,
char *name);
- int (*inode_listxattr) (struct dentry *dentry);
+ int (*inode_listxattr) (struct dentry *dentry, struct vfsmount *mnt);
int (*inode_removexattr) (struct dentry *dentry, char *name);
const char *(*inode_xattr_getsuffix) (void);
int (*inode_getsecurity)(const struct inode *inode, const char *name, void *buffer, size_t size, int err);
@@ -1793,11 +1793,12 @@ static inline int security_inode_getxatt
return security_ops->inode_getxattr (dentry, mnt, name);
}
-static inline int security_inode_listxattr (struct dentry *dentry)
+static inline int security_inode_listxattr (struct dentry *dentry,
+ struct vfsmount *mnt)
{
if (unlikely (IS_PRIVATE (dentry->d_inode)))
return 0;
- return security_ops->inode_listxattr (dentry);
+ return security_ops->inode_listxattr (dentry, mnt);
}
static inline int security_inode_removexattr (struct dentry *dentry, char *name)
@@ -2500,7 +2501,8 @@ static inline int security_inode_getxatt
int (*inode_need_killpriv) (struct dentry *dentry);
int (*inode_killpriv) (struct dentry *dentry);
@@ -1557,7 +1557,7 @@ void security_inode_post_setxattr(struct
int flags);
int security_inode_getxattr(struct dentry *dentry, struct vfsmount *mnt,
char *name);
-int security_inode_listxattr(struct dentry *dentry);
+int security_inode_listxattr(struct dentry *dentry, struct vfsmount *mnt);
int security_inode_removexattr(struct dentry *dentry, char *name);
int security_inode_need_killpriv(struct dentry *dentry);
int security_inode_killpriv(struct dentry *dentry);
@@ -1962,7 +1962,8 @@ static inline int security_inode_getxatt
return 0;
}
@@ -72,7 +67,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
}
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -374,7 +374,7 @@ static int dummy_inode_getxattr (struct
@@ -371,7 +371,7 @@ static int dummy_inode_getxattr (struct
return 0;
}
@@ -81,9 +76,25 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
return 0;
}
--- a/security/security.c
+++ b/security/security.c
@@ -466,11 +466,11 @@ int security_inode_getxattr(struct dentr
return security_ops->inode_getxattr(dentry, mnt, name);
}
-int security_inode_listxattr(struct dentry *dentry)
+int security_inode_listxattr(struct dentry *dentry, struct vfsmount *mnt)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_listxattr(dentry);
+ return security_ops->inode_listxattr(dentry, mnt);
}
int security_inode_removexattr(struct dentry *dentry, char *name)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2400,7 +2400,7 @@ static int selinux_inode_getxattr (struc
@@ -2415,7 +2415,7 @@ static int selinux_inode_getxattr (struc
return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
}

56
kernel-patches/for-mainline/security-mkdir.diff → kernel-patches/2.6.24/security-mkdir.diff
View File

@@ -11,12 +11,13 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
fs/namei.c | 2 +-
include/linux/security.h | 8 ++++++--
security/dummy.c | 2 +-
security/security.c | 5 +++--
security/selinux/hooks.c | 3 ++-
4 files changed, 10 insertions(+), 5 deletions(-)
5 files changed, 13 insertions(+), 7 deletions(-)
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1979,7 +1979,7 @@ int vfs_mkdir(struct inode *dir, struct
@@ -2009,7 +2009,7 @@ int vfs_mkdir(struct inode *dir, struct
return -EPERM;
mode &= (S_IRWXUGO|S_ISVTX);
@@ -27,7 +28,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -309,6 +309,7 @@ struct request_sock;
@@ -322,6 +322,7 @@ struct request_sock;
* associated with inode strcture @dir.
* @dir containst the inode structure of parent of the directory to be created.
* @dentry contains the dentry structure of new directory.
@@ -35,7 +36,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
* @mode contains the mode of new directory.
* Return 0 if permission is granted.
* @inode_rmdir:
@@ -1214,7 +1215,8 @@ struct security_operations {
@@ -1256,7 +1257,8 @@ struct security_operations {
int (*inode_unlink) (struct inode *dir, struct dentry *dentry);
int (*inode_symlink) (struct inode *dir,
struct dentry *dentry, const char *old_name);
@@ -45,21 +46,17 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
int (*inode_rmdir) (struct inode *dir, struct dentry *dentry);
int (*inode_mknod) (struct inode *dir, struct dentry *dentry,
int mode, dev_t dev);
@@ -1652,11 +1654,12 @@ static inline int security_inode_symlink
static inline int security_inode_mkdir (struct inode *dir,
struct dentry *dentry,
+ struct vfsmount *mnt,
int mode)
{
if (unlikely (IS_PRIVATE (dir)))
return 0;
- return security_ops->inode_mkdir (dir, dentry, mode);
+ return security_ops->inode_mkdir (dir, dentry, mnt, mode);
}
static inline int security_inode_rmdir (struct inode *dir,
@@ -2376,6 +2379,7 @@ static inline int security_inode_symlink
@@ -1513,7 +1515,8 @@ int security_inode_link(struct dentry *o
int security_inode_unlink(struct inode *dir, struct dentry *dentry);
int security_inode_symlink(struct inode *dir, struct dentry *dentry,
const char *old_name);
-int security_inode_mkdir(struct inode *dir, struct dentry *dentry, int mode);
+int security_inode_mkdir(struct inode *dir, struct dentry *dentry,
+ struct vfsmount *mnt, int mode);
int security_inode_rmdir(struct inode *dir, struct dentry *dentry);
int security_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev);
int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
@@ -1846,6 +1849,7 @@ static inline int security_inode_symlink
static inline int security_inode_mkdir (struct inode *dir,
struct dentry *dentry,
@@ -69,7 +66,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
return 0;
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -288,7 +288,7 @@ static int dummy_inode_symlink (struct i
@@ -285,7 +285,7 @@ static int dummy_inode_symlink (struct i
}
static int dummy_inode_mkdir (struct inode *inode, struct dentry *dentry,
@@ -78,9 +75,26 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
return 0;
}
--- a/security/security.c
+++ b/security/security.c
@@ -359,11 +359,12 @@ int security_inode_symlink(struct inode
return security_ops->inode_symlink(dir, dentry, old_name);
}
-int security_inode_mkdir(struct inode *dir, struct dentry *dentry, int mode)
+int security_inode_mkdir(struct inode *dir, struct dentry *dentry,
+ struct vfsmount *mnt, int mode)
{
if (unlikely(IS_PRIVATE(dir)))
return 0;
- return security_ops->inode_mkdir(dir, dentry, mode);
+ return security_ops->inode_mkdir(dir, dentry, mnt, mode);
}
int security_inode_rmdir(struct inode *dir, struct dentry *dentry)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2208,7 +2208,8 @@ static int selinux_inode_symlink(struct
@@ -2215,7 +2215,8 @@ static int selinux_inode_symlink(struct
return may_create(dir, dentry, SECCLASS_LNK_FILE);
}

56
kernel-patches/for-mainline/security-mknod.diff → kernel-patches/2.6.24/security-mknod.diff
View File

@@ -11,12 +11,13 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
fs/namei.c | 2 +-
include/linux/security.h | 7 +++++--
security/dummy.c | 2 +-
security/security.c | 5 +++--
security/selinux/hooks.c | 5 +++--
4 files changed, 10 insertions(+), 6 deletions(-)
5 files changed, 13 insertions(+), 8 deletions(-)
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1902,7 +1902,7 @@ int vfs_mknod(struct inode *dir, struct
@@ -1932,7 +1932,7 @@ int vfs_mknod(struct inode *dir, struct
if (!dir->i_op || !dir->i_op->mknod)
return -EPERM;
@@ -27,7 +28,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -324,6 +324,7 @@ struct request_sock;
@@ -337,6 +337,7 @@ struct request_sock;
* and not this hook.
* @dir contains the inode structure of parent of the new file.
* @dentry contains the dentry structure of the new file.
@@ -35,7 +36,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
* @mode contains the mode of the new file.
* @dev contains the device number.
* Return 0 if permission is granted.
@@ -1219,7 +1220,7 @@ struct security_operations {
@@ -1261,7 +1262,7 @@ struct security_operations {
struct vfsmount *mnt, int mode);
int (*inode_rmdir) (struct inode *dir, struct dentry *dentry);
int (*inode_mknod) (struct inode *dir, struct dentry *dentry,
@@ -44,21 +45,17 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry,
struct inode *new_dir, struct dentry *new_dentry);
int (*inode_readlink) (struct dentry *dentry);
@@ -1672,11 +1673,12 @@ static inline int security_inode_rmdir (
static inline int security_inode_mknod (struct inode *dir,
struct dentry *dentry,
+ struct vfsmount *mnt,
int mode, dev_t dev)
{
if (unlikely (IS_PRIVATE (dir)))
return 0;
- return security_ops->inode_mknod (dir, dentry, mode, dev);
+ return security_ops->inode_mknod (dir, dentry, mnt, mode, dev);
}
static inline int security_inode_rename (struct inode *old_dir,
@@ -2393,6 +2395,7 @@ static inline int security_inode_rmdir (
@@ -1518,7 +1519,8 @@ int security_inode_symlink(struct inode
int security_inode_mkdir(struct inode *dir, struct dentry *dentry,
struct vfsmount *mnt, int mode);
int security_inode_rmdir(struct inode *dir, struct dentry *dentry);
-int security_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev);
+int security_inode_mknod(struct inode *dir, struct dentry *dentry,
+ struct vfsmount *mnt, int mode, dev_t dev);
int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
struct inode *new_dir, struct dentry *new_dentry);
int security_inode_readlink(struct dentry *dentry);
@@ -1863,6 +1865,7 @@ static inline int security_inode_rmdir (
static inline int security_inode_mknod (struct inode *dir,
struct dentry *dentry,
@@ -68,7 +65,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
return 0;
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -299,7 +299,7 @@ static int dummy_inode_rmdir (struct ino
@@ -296,7 +296,7 @@ static int dummy_inode_rmdir (struct ino
}
static int dummy_inode_mknod (struct inode *inode, struct dentry *dentry,
@@ -77,9 +74,26 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
return 0;
}
--- a/security/security.c
+++ b/security/security.c
@@ -374,11 +374,12 @@ int security_inode_rmdir(struct inode *d
return security_ops->inode_rmdir(dir, dentry);
}
-int security_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
+int security_inode_mknod(struct inode *dir, struct dentry *dentry,
+ struct vfsmount *mnt, int mode, dev_t dev)
{
if (unlikely(IS_PRIVATE(dir)))
return 0;
- return security_ops->inode_mknod(dir, dentry, mode, dev);
+ return security_ops->inode_mknod(dir, dentry, mnt, mode, dev);
}
int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2219,11 +2219,12 @@ static int selinux_inode_rmdir(struct in
@@ -2226,11 +2226,12 @@ static int selinux_inode_rmdir(struct in
return may_link(dir, dentry, MAY_RMDIR);
}

57
kernel-patches/for-mainline/security-readlink.diff → kernel-patches/2.6.24/security-readlink.diff
View File

@@ -9,10 +9,11 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
---
fs/stat.c | 2 +-
include/linux/security.h | 11 +++++++----
include/linux/security.h | 8 +++++---
security/dummy.c | 2 +-
security/security.c | 4 ++--
security/selinux/hooks.c | 2 +-
4 files changed, 10 insertions(+), 7 deletions(-)
5 files changed, 10 insertions(+), 8 deletions(-)
--- a/fs/stat.c
+++ b/fs/stat.c
@@ -27,7 +28,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
error = inode->i_op->readlink(nd.dentry, buf, bufsiz);
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -339,6 +339,7 @@ struct request_sock;
@@ -352,6 +352,7 @@ struct request_sock;
* @inode_readlink:
* Check the permission to read the symbolic link.
* @dentry contains the dentry structure for the file link.
@@ -35,7 +36,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
* Return 0 if permission is granted.
* @inode_follow_link:
* Check permission to follow a symbolic link when looking up a pathname.
@@ -1224,7 +1225,7 @@ struct security_operations {
@@ -1266,7 +1267,7 @@ struct security_operations {
struct vfsmount *mnt, int mode, dev_t dev);
int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry,
struct inode *new_dir, struct dentry *new_dentry);
@@ -44,34 +45,28 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd);
int (*inode_permission) (struct inode *inode, int mask, struct nameidata *nd);
int (*inode_setattr) (struct dentry *dentry, struct vfsmount *mnt,
@@ -1695,11 +1696,12 @@ static inline int security_inode_rename
new_dir, new_dentry);
}
-static inline int security_inode_readlink (struct dentry *dentry)
+static inline int security_inode_readlink (struct dentry *dentry,
+ struct vfsmount *mnt)
{
if (unlikely (IS_PRIVATE (dentry->d_inode)))
return 0;
- return security_ops->inode_readlink (dentry);
+ return security_ops->inode_readlink (dentry, mnt);
}
static inline int security_inode_follow_link (struct dentry *dentry,
@@ -2412,7 +2414,8 @@ static inline int security_inode_rename
@@ -1524,7 +1525,7 @@ int security_inode_mknod(struct inode *d
struct vfsmount *mnt, int mode, dev_t dev);
int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
struct inode *new_dir, struct dentry *new_dentry);
-int security_inode_readlink(struct dentry *dentry);
+int security_inode_readlink(struct dentry *dentry, struct vfsmount *mnt);
int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd);
int security_inode_permission(struct inode *inode, int mask, struct nameidata *nd);
int security_inode_setattr(struct dentry *dentry, struct vfsmount *mnt,
@@ -1881,7 +1882,8 @@ static inline int security_inode_rename
return 0;
}
-static inline int security_inode_readlink (struct dentry *dentry)
+static inline int security_inode_readlink (struct dentry *dentry,
+static inline int security_inode_readlink(struct dentry *dentry,
+ struct vfsmount *mnt)
{
return 0;
}
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -312,7 +312,7 @@ static int dummy_inode_rename (struct in
@@ -309,7 +309,7 @@ static int dummy_inode_rename (struct in
return 0;
}
@@ -80,9 +75,25 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
return 0;
}
--- a/security/security.c
+++ b/security/security.c
@@ -392,11 +392,11 @@ int security_inode_rename(struct inode *
new_dir, new_dentry);
}
-int security_inode_readlink(struct dentry *dentry)
+int security_inode_readlink(struct dentry *dentry, struct vfsmount *mnt)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_readlink(dentry);
+ return security_ops->inode_readlink(dentry, mnt);
}
int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2238,7 +2238,7 @@ static int selinux_inode_rename(struct i
@@ -2245,7 +2245,7 @@ static int selinux_inode_rename(struct i
return may_rename(old_inode, old_dentry, new_inode, new_dentry);
}

77
kernel-patches/for-mainline/security-removexattr.diff → kernel-patches/2.6.24/security-removexattr.diff
View File

@@ -9,11 +9,12 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
---
fs/xattr.c | 2 +-
include/linux/security.h | 15 +++++++++------
include/linux/security.h | 13 ++++++++-----
security/commoncap.c | 3 ++-
security/dummy.c | 3 ++-
security/security.c | 5 +++--
security/selinux/hooks.c | 3 ++-
5 files changed, 16 insertions(+), 10 deletions(-)
6 files changed, 18 insertions(+), 11 deletions(-)
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -28,41 +29,36 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -50,7 +50,7 @@ extern int cap_bprm_set_security (struct
@@ -57,7 +57,7 @@ extern int cap_bprm_set_security (struct
extern void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe);
extern int cap_bprm_secureexec(struct linux_binprm *bprm);
extern int cap_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt, char *name, void *value, size_t size, int flags);
-extern int cap_inode_removexattr(struct dentry *dentry, char *name);
+extern int cap_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt, char *name);
extern int cap_inode_need_killpriv(struct dentry *dentry);
extern int cap_inode_killpriv(struct dentry *dentry);
extern int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags);
extern void cap_task_reparent_to_init (struct task_struct *p);
extern int cap_syslog (int type);
@@ -1252,7 +1252,8 @@ struct security_operations {
@@ -1294,7 +1294,8 @@ struct security_operations {
int (*inode_getxattr) (struct dentry *dentry, struct vfsmount *mnt,
char *name);
int (*inode_listxattr) (struct dentry *dentry, struct vfsmount *mnt);
- int (*inode_removexattr) (struct dentry *dentry, char *name);
+ int (*inode_removexattr) (struct dentry *dentry, struct vfsmount *mnt,
+ char *name);
const char *(*inode_xattr_getsuffix) (void);
int (*inode_need_killpriv) (struct dentry *dentry);
int (*inode_killpriv) (struct dentry *dentry);
int (*inode_getsecurity)(const struct inode *inode, const char *name, void *buffer, size_t size, int err);
int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags);
@@ -1801,11 +1802,12 @@ static inline int security_inode_listxat
return security_ops->inode_listxattr (dentry, mnt);
}
-static inline int security_inode_removexattr (struct dentry *dentry, char *name)
+static inline int security_inode_removexattr (struct dentry *dentry,
+ struct vfsmount *mnt, char *name)
{
if (unlikely (IS_PRIVATE (dentry->d_inode)))
return 0;
- return security_ops->inode_removexattr (dentry, name);
+ return security_ops->inode_removexattr (dentry, mnt, name);
}
static inline const char *security_inode_xattr_getsuffix(void)
@@ -2507,9 +2509,10 @@ static inline int security_inode_listxat
@@ -1558,7 +1559,8 @@ void security_inode_post_setxattr(struct
int security_inode_getxattr(struct dentry *dentry, struct vfsmount *mnt,
char *name);
int security_inode_listxattr(struct dentry *dentry, struct vfsmount *mnt);
-int security_inode_removexattr(struct dentry *dentry, char *name);
+int security_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
+ char *name);
int security_inode_need_killpriv(struct dentry *dentry);
int security_inode_killpriv(struct dentry *dentry);
int security_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err);
@@ -1968,9 +1970,10 @@ static inline int security_inode_listxat
return 0;
}
@@ -74,10 +70,10 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
+ return cap_inode_removexattr(dentry, mnt, name);
}
static inline const char *security_inode_xattr_getsuffix (void)
static inline int security_inode_need_killpriv(struct dentry *dentry)
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -200,7 +200,8 @@ int cap_inode_setxattr(struct dentry *de
@@ -389,7 +389,8 @@ int cap_inode_setxattr(struct dentry *de
return 0;
}
@@ -85,11 +81,11 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
+int cap_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
+ char *name)
{
if (!strncmp(name, XATTR_SECURITY_PREFIX,
sizeof(XATTR_SECURITY_PREFIX) - 1) &&
if (!strcmp(name, XATTR_NAME_CAPS)) {
if (!capable(CAP_SETFCAP))
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -379,7 +379,8 @@ static int dummy_inode_listxattr (struct
@@ -376,7 +376,8 @@ static int dummy_inode_listxattr (struct
return 0;
}
@@ -99,9 +95,26 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
if (!strncmp(name, XATTR_SECURITY_PREFIX,
sizeof(XATTR_SECURITY_PREFIX) - 1) &&
--- a/security/security.c
+++ b/security/security.c
@@ -473,11 +473,12 @@ int security_inode_listxattr(struct dent
return security_ops->inode_listxattr(dentry, mnt);
}
-int security_inode_removexattr(struct dentry *dentry, char *name)
+int security_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
+ char *name)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_removexattr(dentry, name);
+ return security_ops->inode_removexattr(dentry, mnt, name);
}
int security_inode_need_killpriv(struct dentry *dentry)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2405,7 +2405,8 @@ static int selinux_inode_listxattr (stru
@@ -2420,7 +2420,8 @@ static int selinux_inode_listxattr (stru
return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
}
@@ -109,5 +122,5 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
+static int selinux_inode_removexattr (struct dentry *dentry,
+ struct vfsmount *mnt, char *name)
{
if (strcmp(name, XATTR_NAME_SELINUX)) {
if (!strncmp(name, XATTR_SECURITY_PREFIX,
if (strcmp(name, XATTR_NAME_SELINUX))
return selinux_inode_setotherxattr(dentry, name);

69
kernel-patches/for-mainline/security-rename.diff → kernel-patches/2.6.24/security-rename.diff
View File

@@ -9,14 +9,15 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
---
fs/namei.c | 6 ++++--
include/linux/security.h | 18 +++++++++++++-----
include/linux/security.h | 13 ++++++++++---
security/dummy.c | 4 +++-
security/security.c | 7 ++++---
security/selinux/hooks.c | 8 ++++++--
4 files changed, 26 insertions(+), 10 deletions(-)
5 files changed, 27 insertions(+), 11 deletions(-)
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2450,7 +2450,8 @@ static int vfs_rename_dir(struct inode *
@@ -2480,7 +2480,8 @@ static int vfs_rename_dir(struct inode *
return error;
}
@@ -26,7 +27,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
if (error)
return error;
@@ -2484,7 +2485,8 @@ static int vfs_rename_other(struct inode
@@ -2514,7 +2515,8 @@ static int vfs_rename_other(struct inode
struct inode *target;
int error;
@@ -38,7 +39,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -337,8 +337,10 @@ struct request_sock;
@@ -350,8 +350,10 @@ struct request_sock;
* Check for permission to rename a file or directory.
* @old_dir contains the inode structure for parent of the old link.
* @old_dentry contains the dentry structure of the old link.
@@ -49,7 +50,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
* Return 0 if permission is granted.
* @inode_readlink:
* Check the permission to read the symbolic link.
@@ -1231,7 +1233,9 @@ struct security_operations {
@@ -1273,7 +1275,9 @@ struct security_operations {
int (*inode_mknod) (struct inode *dir, struct dentry *dentry,
struct vfsmount *mnt, int mode, dev_t dev);
int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry,
@@ -60,27 +61,17 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
int (*inode_readlink) (struct dentry *dentry, struct vfsmount *mnt);
int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd);
int (*inode_permission) (struct inode *inode, int mask, struct nameidata *nd);
@@ -1698,14 +1702,16 @@ static inline int security_inode_mknod (
static inline int security_inode_rename (struct inode *old_dir,
struct dentry *old_dentry,
+ struct vfsmount *old_mnt,
struct inode *new_dir,
- struct dentry *new_dentry)
+ struct dentry *new_dentry,
+ struct vfsmount *new_mnt)
{
if (unlikely (IS_PRIVATE (old_dentry->d_inode) ||
(new_dentry->d_inode && IS_PRIVATE (new_dentry->d_inode))))
return 0;
- return security_ops->inode_rename (old_dir, old_dentry,
- new_dir, new_dentry);
+ return security_ops->inode_rename (old_dir, old_dentry, old_mnt,
+ new_dir, new_dentry, new_mnt);
}
static inline int security_inode_readlink (struct dentry *dentry,
@@ -2424,8 +2430,10 @@ static inline int security_inode_mknod (
@@ -1534,7 +1538,8 @@ int security_inode_rmdir(struct inode *d
int security_inode_mknod(struct inode *dir, struct dentry *dentry,
struct vfsmount *mnt, int mode, dev_t dev);
int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
- struct inode *new_dir, struct dentry *new_dentry);
+ struct vfsmount *old_mnt, struct inode *new_dir,
+ struct dentry *new_dentry, struct vfsmount *new_mnt);
int security_inode_readlink(struct dentry *dentry, struct vfsmount *mnt);
int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd);
int security_inode_permission(struct inode *inode, int mask, struct nameidata *nd);
@@ -1890,8 +1895,10 @@ static inline int security_inode_mknod (
static inline int security_inode_rename (struct inode *old_dir,
struct dentry *old_dentry,
@@ -94,7 +85,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
}
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -310,8 +310,10 @@ static int dummy_inode_mknod (struct ino
@@ -307,8 +307,10 @@ static int dummy_inode_mknod (struct ino
static int dummy_inode_rename (struct inode *old_inode,
struct dentry *old_dentry,
@@ -106,9 +97,29 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
return 0;
}
--- a/security/security.c
+++ b/security/security.c
@@ -387,13 +387,14 @@ int security_inode_mknod(struct inode *d
}
int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
- struct inode *new_dir, struct dentry *new_dentry)
+ struct vfsmount *old_mnt, struct inode *new_dir,
+ struct dentry *new_dentry, struct vfsmount *new_mnt)
{
if (unlikely(IS_PRIVATE(old_dentry->d_inode) ||
(new_dentry->d_inode && IS_PRIVATE(new_dentry->d_inode))))
return 0;
- return security_ops->inode_rename(old_dir, old_dentry,
- new_dir, new_dentry);
+ return security_ops->inode_rename(old_dir, old_dentry, old_mnt,
+ new_dir, new_dentry, new_mnt);
}
int security_inode_readlink(struct dentry *dentry, struct vfsmount *mnt)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2239,8 +2239,12 @@ static int selinux_inode_mknod(struct in
@@ -2246,8 +2246,12 @@ static int selinux_inode_mknod(struct in
return may_create(dir, dentry, inode_mode_to_security_class(mode));
}

59
kernel-patches/for-mainline/security-rmdir.diff → kernel-patches/2.6.24/security-rmdir.diff
View File

@@ -9,14 +9,15 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
---
fs/namei.c | 2 +-
include/linux/security.h | 12 ++++++++----
include/linux/security.h | 10 +++++++---
security/dummy.c | 3 ++-
security/security.c | 5 +++--
security/selinux/hooks.c | 3 ++-
4 files changed, 13 insertions(+), 7 deletions(-)
5 files changed, 15 insertions(+), 8 deletions(-)
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2074,7 +2074,7 @@ int vfs_rmdir(struct inode *dir, struct
@@ -2104,7 +2104,7 @@ int vfs_rmdir(struct inode *dir, struct
if (d_mountpoint(dentry))
error = -EBUSY;
else {
@@ -27,7 +28,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
if (!error)
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -319,6 +319,7 @@ struct request_sock;
@@ -332,6 +332,7 @@ struct request_sock;
* Check the permission to remove a directory.
* @dir contains the inode structure of parent of the directory to be removed.
* @dentry contains the dentry structure of directory to be removed.
@@ -35,7 +36,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
* Return 0 if permission is granted.
* @inode_mknod:
* Check permissions when creating a special file (or a socket or a fifo
@@ -1223,7 +1224,8 @@ struct security_operations {
@@ -1265,7 +1266,8 @@ struct security_operations {
struct vfsmount *mnt, const char *old_name);
int (*inode_mkdir) (struct inode *dir, struct dentry *dentry,
struct vfsmount *mnt, int mode);
@@ -45,22 +46,17 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
int (*inode_mknod) (struct inode *dir, struct dentry *dentry,
struct vfsmount *mnt, int mode, dev_t dev);
int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry,
@@ -1673,11 +1675,12 @@ static inline int security_inode_mkdir (
}
static inline int security_inode_rmdir (struct inode *dir,
- struct dentry *dentry)
+ struct dentry *dentry,
+ struct vfsmount *mnt)
{
if (unlikely (IS_PRIVATE (dentry->d_inode)))
return 0;
- return security_ops->inode_rmdir (dir, dentry);
+ return security_ops->inode_rmdir (dir, dentry, mnt);
}
static inline int security_inode_mknod (struct inode *dir,
@@ -2401,7 +2404,8 @@ static inline int security_inode_mkdir (
@@ -1524,7 +1526,8 @@ int security_inode_symlink(struct inode
struct vfsmount *mnt, const char *old_name);
int security_inode_mkdir(struct inode *dir, struct dentry *dentry,
struct vfsmount *mnt, int mode);
-int security_inode_rmdir(struct inode *dir, struct dentry *dentry);
+int security_inode_rmdir(struct inode *dir, struct dentry *dentry,
+ struct vfsmount *mnt);
int security_inode_mknod(struct inode *dir, struct dentry *dentry,
struct vfsmount *mnt, int mode, dev_t dev);
int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
@@ -1867,7 +1870,8 @@ static inline int security_inode_mkdir (
}
static inline int security_inode_rmdir (struct inode *dir,
@@ -72,7 +68,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
}
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -295,7 +295,8 @@ static int dummy_inode_mkdir (struct ino
@@ -292,7 +292,8 @@ static int dummy_inode_mkdir (struct ino
return 0;
}
@@ -82,9 +78,26 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
return 0;
}
--- a/security/security.c
+++ b/security/security.c
@@ -369,11 +369,12 @@ int security_inode_mkdir(struct inode *d
return security_ops->inode_mkdir(dir, dentry, mnt, mode);
}
-int security_inode_rmdir(struct inode *dir, struct dentry *dentry)
+int security_inode_rmdir(struct inode *dir, struct dentry *dentry,
+ struct vfsmount *mnt)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_rmdir(dir, dentry);
+ return security_ops->inode_rmdir(dir, dentry, mnt);
}
int security_inode_mknod(struct inode *dir, struct dentry *dentry,
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2220,7 +2220,8 @@ static int selinux_inode_mkdir(struct in
@@ -2227,7 +2227,8 @@ static int selinux_inode_mkdir(struct in
return may_create(dir, dentry, SECCLASS_DIR);
}

56
kernel-patches/for-mainline/security-setattr.diff → kernel-patches/2.6.24/security-setattr.diff
View File

@@ -11,12 +11,13 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
fs/attr.c | 4 ++--
include/linux/security.h | 8 ++++++--
security/dummy.c | 3 ++-
security/security.c | 5 +++--
security/selinux/hooks.c | 5 +++--
4 files changed, 13 insertions(+), 7 deletions(-)
5 files changed, 16 insertions(+), 9 deletions(-)
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -144,13 +144,13 @@ int notify_change(struct dentry *dentry,
@@ -159,13 +159,13 @@ int notify_change(struct dentry *dentry,
down_write(&dentry->d_inode->i_alloc_sem);
if (inode->i_op && inode->i_op->setattr) {
@@ -34,7 +35,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
(ia_valid & ATTR_GID && attr->ia_gid != inode->i_gid))
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -359,6 +359,7 @@ struct request_sock;
@@ -372,6 +372,7 @@ struct request_sock;
* file attributes change (such as when a file is truncated, chown/chmod
* operations, transferring disk quotas, etc).
* @dentry contains the dentry structure for the file.
@@ -42,7 +43,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
* @attr is the iattr structure containing the new file attributes.
* Return 0 if permission is granted.
* @inode_getattr:
@@ -1222,7 +1223,8 @@ struct security_operations {
@@ -1264,7 +1265,8 @@ struct security_operations {
int (*inode_readlink) (struct dentry *dentry);
int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd);
int (*inode_permission) (struct inode *inode, int mask, struct nameidata *nd);
@@ -52,21 +53,17 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry);
void (*inode_delete) (struct inode *inode);
int (*inode_setxattr) (struct dentry *dentry, char *name, void *value,
@@ -1710,11 +1712,12 @@ static inline int security_inode_permiss
}
static inline int security_inode_setattr (struct dentry *dentry,
+ struct vfsmount *mnt,
struct iattr *attr)
{
if (unlikely (IS_PRIVATE (dentry->d_inode)))
return 0;
- return security_ops->inode_setattr (dentry, attr);
+ return security_ops->inode_setattr (dentry, mnt, attr);
}
static inline int security_inode_getattr (struct vfsmount *mnt,
@@ -2417,6 +2420,7 @@ static inline int security_inode_permiss
@@ -1519,7 +1521,8 @@ int security_inode_rename(struct inode *
int security_inode_readlink(struct dentry *dentry);
int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd);
int security_inode_permission(struct inode *inode, int mask, struct nameidata *nd);
-int security_inode_setattr(struct dentry *dentry, struct iattr *attr);
+int security_inode_setattr(struct dentry *dentry, struct vfsmount *mnt,
+ struct iattr *attr);
int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry);
void security_inode_delete(struct inode *inode);
int security_inode_setxattr(struct dentry *dentry, char *name,
@@ -1887,6 +1890,7 @@ static inline int security_inode_permiss
}
static inline int security_inode_setattr (struct dentry *dentry,
@@ -76,7 +73,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
return 0;
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -328,7 +328,8 @@ static int dummy_inode_permission (struc
@@ -325,7 +325,8 @@ static int dummy_inode_permission (struc
return 0;
}
@@ -86,9 +83,26 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
return 0;
}
--- a/security/security.c
+++ b/security/security.c
@@ -411,11 +411,12 @@ int security_inode_permission(struct ino
return security_ops->inode_permission(inode, mask, nd);
}
-int security_inode_setattr(struct dentry *dentry, struct iattr *attr)
+int security_inode_setattr(struct dentry *dentry, struct vfsmount *mnt,
+ struct iattr *attr)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_setattr(dentry, attr);
+ return security_ops->inode_setattr(dentry, mnt, attr);
}
int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2268,11 +2268,12 @@ static int selinux_inode_permission(stru
@@ -2275,11 +2275,12 @@ static int selinux_inode_permission(stru
file_mask_to_av(inode->i_mode, mask), NULL);
}

110
kernel-patches/for-mainline/security-setxattr.diff → kernel-patches/2.6.24/security-setxattr.diff
View File

@@ -9,11 +9,12 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
---
fs/xattr.c | 4 ++--
include/linux/security.h | 40 +++++++++++++++++++++++++---------------
include/linux/security.h | 35 +++++++++++++++++++++--------------
security/commoncap.c | 4 ++--
security/dummy.c | 9 ++++++---
security/security.c | 14 ++++++++------
security/selinux/hooks.c | 8 ++++++--
5 files changed, 41 insertions(+), 24 deletions(-)
6 files changed, 45 insertions(+), 29 deletions(-)
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -37,16 +38,16 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
} else if (!strncmp(name, XATTR_SECURITY_PREFIX,
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -49,7 +49,7 @@ extern void cap_capset_set (struct task_
@@ -56,7 +56,7 @@ extern void cap_capset_set (struct task_
extern int cap_bprm_set_security (struct linux_binprm *bprm);
extern void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe);
extern int cap_bprm_secureexec(struct linux_binprm *bprm);
-extern int cap_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags);
+extern int cap_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt, char *name, void *value, size_t size, int flags);
extern int cap_inode_removexattr(struct dentry *dentry, char *name);
extern int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags);
extern void cap_task_reparent_to_init (struct task_struct *p);
@@ -385,11 +385,11 @@ struct request_sock;
extern int cap_inode_need_killpriv(struct dentry *dentry);
extern int cap_inode_killpriv(struct dentry *dentry);
@@ -398,11 +398,11 @@ struct request_sock;
* inode.
* @inode_setxattr:
* Check permission before setting the extended attributes
@@ -60,7 +61,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
* @inode_getxattr:
* Check permission before obtaining the extended attributes
* identified by @name for @dentry.
@@ -1243,9 +1243,11 @@ struct security_operations {
@@ -1285,9 +1285,11 @@ struct security_operations {
struct iattr *attr);
int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry);
void (*inode_delete) (struct inode *inode);
@@ -75,37 +76,23 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
size_t size, int flags);
int (*inode_getxattr) (struct dentry *dentry, char *name);
int (*inode_listxattr) (struct dentry *dentry);
@@ -1762,20 +1764,24 @@ static inline void security_inode_delete
security_ops->inode_delete (inode);
}
-static inline int security_inode_setxattr (struct dentry *dentry, char *name,
+static inline int security_inode_setxattr (struct dentry *dentry,
+ struct vfsmount *mnt, char *name,
void *value, size_t size, int flags)
{
if (unlikely (IS_PRIVATE (dentry->d_inode)))
return 0;
- return security_ops->inode_setxattr (dentry, name, value, size, flags);
+ return security_ops->inode_setxattr (dentry, mnt, name, value, size,
+ flags);
}
-static inline void security_inode_post_setxattr (struct dentry *dentry, char *name,
- void *value, size_t size, int flags)
+static inline void security_inode_post_setxattr (struct dentry *dentry,
+ struct vfsmount *mnt,
+ char *name, void *value,
+ size_t size, int flags)
{
if (unlikely (IS_PRIVATE (dentry->d_inode)))
return;
- security_ops->inode_post_setxattr (dentry, name, value, size, flags);
+ security_ops->inode_post_setxattr (dentry, mnt, name, value, size, flags);
}
static inline int security_inode_getxattr (struct dentry *dentry, char *name)
@@ -2472,14 +2478,18 @@ static inline int security_inode_getattr
@@ -1547,10 +1549,11 @@ int security_inode_setattr(struct dentry
struct iattr *attr);
int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry);
void security_inode_delete(struct inode *inode);
-int security_inode_setxattr(struct dentry *dentry, char *name,
- void *value, size_t size, int flags);
-void security_inode_post_setxattr(struct dentry *dentry, char *name,
- void *value, size_t size, int flags);
+int security_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
+ char *name, void *value, size_t size, int flags);
+void security_inode_post_setxattr(struct dentry *dentry, struct vfsmount *mnt,
+ char *name, void *value, size_t size,
+ int flags);
int security_inode_getxattr(struct dentry *dentry, char *name);
int security_inode_listxattr(struct dentry *dentry);
int security_inode_removexattr(struct dentry *dentry, char *name);
@@ -1937,14 +1940,18 @@ static inline int security_inode_getattr
static inline void security_inode_delete (struct inode *inode)
{ }
@@ -130,7 +117,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
static inline int security_inode_getxattr (struct dentry *dentry, char *name)
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -190,8 +190,8 @@ int cap_bprm_secureexec (struct linux_bi
@@ -375,8 +375,8 @@ int cap_bprm_secureexec (struct linux_bi
current->egid != current->gid);
}
@@ -139,11 +126,11 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
+int cap_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt, char *name,
+ void *value, size_t size, int flags)
{
if (!strncmp(name, XATTR_SECURITY_PREFIX,
sizeof(XATTR_SECURITY_PREFIX) - 1) &&
if (!strcmp(name, XATTR_NAME_CAPS)) {
if (!capable(CAP_SETFCAP))
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -350,8 +350,9 @@ static void dummy_inode_delete (struct i
@@ -347,8 +347,9 @@ static void dummy_inode_delete (struct i
return;
}
@@ -155,7 +142,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
if (!strncmp(name, XATTR_SECURITY_PREFIX,
sizeof(XATTR_SECURITY_PREFIX) - 1) &&
@@ -360,7 +361,9 @@ static int dummy_inode_setxattr (struct
@@ -357,7 +358,9 @@ static int dummy_inode_setxattr (struct
return 0;
}
@@ -166,10 +153,41 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
size_t size, int flags)
{
}
--- a/security/security.c
+++ b/security/security.c
@@ -440,20 +440,22 @@ void security_inode_delete(struct inode
security_ops->inode_delete(inode);
}
-int security_inode_setxattr(struct dentry *dentry, char *name,
- void *value, size_t size, int flags)
+int security_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
+ char *name, void *value, size_t size, int flags)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_setxattr(dentry, name, value, size, flags);
+ return security_ops->inode_setxattr(dentry, mnt, name, value, size,
+ flags);
}
-void security_inode_post_setxattr(struct dentry *dentry, char *name,
- void *value, size_t size, int flags)
+void security_inode_post_setxattr(struct dentry *dentry, struct vfsmount *mnt,
+ char *name, void *value, size_t size,
+ int flags)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return;
- security_ops->inode_post_setxattr(dentry, name, value, size, flags);
+ security_ops->inode_post_setxattr(dentry, mnt, name, value, size, flags);
}
int security_inode_getxattr(struct dentry *dentry, char *name)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2306,7 +2306,9 @@ static int selinux_inode_getattr(struct
return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
@@ -2332,7 +2332,9 @@ static int selinux_inode_setotherxattr(s
return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
}
-static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
@@ -179,7 +197,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
struct task_security_struct *tsec = current->security;
struct inode *inode = dentry->d_inode;
@@ -2366,7 +2368,9 @@ static int selinux_inode_setxattr(struct
@@ -2381,7 +2383,9 @@ static int selinux_inode_setxattr(struct
&ad);
}

56
kernel-patches/for-mainline/security-symlink.diff → kernel-patches/2.6.24/security-symlink.diff
View File

@@ -9,14 +9,15 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
---
fs/namei.c | 2 +-
include/linux/security.h | 9 ++++++---
include/linux/security.h | 8 +++++---
security/dummy.c | 2 +-
security/security.c | 4 ++--
security/selinux/hooks.c | 3 ++-
4 files changed, 10 insertions(+), 6 deletions(-)
5 files changed, 11 insertions(+), 8 deletions(-)
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2247,7 +2247,7 @@ int vfs_symlink(struct inode *dir, struc
@@ -2277,7 +2277,7 @@ int vfs_symlink(struct inode *dir, struc
if (!dir->i_op || !dir->i_op->symlink)
return -EPERM;
@@ -27,7 +28,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -302,6 +302,7 @@ struct request_sock;
@@ -315,6 +315,7 @@ struct request_sock;
* Check the permission to create a symbolic link to a file.
* @dir contains the inode structure of parent directory of the symbolic link.
* @dentry contains the dentry structure of the symbolic link.
@@ -35,7 +36,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
* @old_name contains the pathname of file.
* Return 0 if permission is granted.
* @inode_mkdir:
@@ -1214,8 +1215,8 @@ struct security_operations {
@@ -1256,8 +1257,8 @@ struct security_operations {
int (*inode_link) (struct dentry *old_dentry,
struct inode *dir, struct dentry *new_dentry);
int (*inode_unlink) (struct inode *dir, struct dentry *dentry);
@@ -46,21 +47,16 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
int (*inode_mkdir) (struct inode *dir, struct dentry *dentry,
struct vfsmount *mnt, int mode);
int (*inode_rmdir) (struct inode *dir, struct dentry *dentry);
@@ -1646,11 +1647,12 @@ static inline int security_inode_unlink
static inline int security_inode_symlink (struct inode *dir,
struct dentry *dentry,
+ struct vfsmount *mnt,
const char *old_name)
{
if (unlikely (IS_PRIVATE (dir)))
return 0;
- return security_ops->inode_symlink (dir, dentry, old_name);
+ return security_ops->inode_symlink (dir, dentry, mnt, old_name);
}
static inline int security_inode_mkdir (struct inode *dir,
@@ -2374,6 +2376,7 @@ static inline int security_inode_unlink
@@ -1515,7 +1516,7 @@ int security_inode_link(struct dentry *o
struct dentry *new_dentry);
int security_inode_unlink(struct inode *dir, struct dentry *dentry);
int security_inode_symlink(struct inode *dir, struct dentry *dentry,
- const char *old_name);
+ struct vfsmount *mnt, const char *old_name);
int security_inode_mkdir(struct inode *dir, struct dentry *dentry,
struct vfsmount *mnt, int mode);
int security_inode_rmdir(struct inode *dir, struct dentry *dentry);
@@ -1844,6 +1845,7 @@ static inline int security_inode_unlink
static inline int security_inode_symlink (struct inode *dir,
struct dentry *dentry,
@@ -70,7 +66,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
return 0;
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -282,7 +282,7 @@ static int dummy_inode_unlink (struct in
@@ -279,7 +279,7 @@ static int dummy_inode_unlink (struct in
}
static int dummy_inode_symlink (struct inode *inode, struct dentry *dentry,
@@ -79,9 +75,25 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
return 0;
}
--- a/security/security.c
+++ b/security/security.c
@@ -352,11 +352,11 @@ int security_inode_unlink(struct inode *
}
int security_inode_symlink(struct inode *dir, struct dentry *dentry,
- const char *old_name)
+ struct vfsmount *mnt, const char *old_name)
{
if (unlikely(IS_PRIVATE(dir)))
return 0;
- return security_ops->inode_symlink(dir, dentry, old_name);
+ return security_ops->inode_symlink(dir, dentry, mnt, old_name);
}
int security_inode_mkdir(struct inode *dir, struct dentry *dentry,
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2203,7 +2203,8 @@ static int selinux_inode_unlink(struct i
@@ -2210,7 +2210,8 @@ static int selinux_inode_unlink(struct i
return may_link(dir, dentry, MAY_UNLINK);
}

59
kernel-patches/for-mainline/security-unlink.diff → kernel-patches/2.6.24/security-unlink.diff
View File

@@ -9,14 +9,15 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
---
fs/namei.c | 2 +-
include/linux/security.h | 12 ++++++++----
include/linux/security.h | 10 +++++++---
security/dummy.c | 3 ++-
security/security.c | 5 +++--
security/selinux/hooks.c | 5 +++--
4 files changed, 14 insertions(+), 8 deletions(-)
5 files changed, 16 insertions(+), 9 deletions(-)
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2154,7 +2154,7 @@ int vfs_unlink(struct inode *dir, struct
@@ -2184,7 +2184,7 @@ int vfs_unlink(struct inode *dir, struct
if (d_mountpoint(dentry))
error = -EBUSY;
else {
@@ -27,7 +28,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
}
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -299,6 +299,7 @@ struct request_sock;
@@ -312,6 +312,7 @@ struct request_sock;
* Check the permission to remove a hard link to a file.
* @dir contains the inode structure of parent directory of the file.
* @dentry contains the dentry structure for file to be unlinked.
@@ -35,7 +36,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
* Return 0 if permission is granted.
* @inode_symlink:
* Check the permission to create a symbolic link to a file.
@@ -1219,7 +1220,8 @@ struct security_operations {
@@ -1261,7 +1262,8 @@ struct security_operations {
int (*inode_link) (struct dentry *old_dentry, struct vfsmount *old_mnt,
struct inode *dir, struct dentry *new_dentry,
struct vfsmount *new_mnt);
@@ -45,22 +46,17 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
int (*inode_symlink) (struct inode *dir, struct dentry *dentry,
struct vfsmount *mnt, const char *old_name);
int (*inode_mkdir) (struct inode *dir, struct dentry *dentry,
@@ -1647,11 +1649,12 @@ static inline int security_inode_link (s
}
static inline int security_inode_unlink (struct inode *dir,
- struct dentry *dentry)
+ struct dentry *dentry,
+ struct vfsmount *mnt)
{
if (unlikely (IS_PRIVATE (dentry->d_inode)))
return 0;
- return security_ops->inode_unlink (dir, dentry);
+ return security_ops->inode_unlink (dir, dentry, mnt);
}
static inline int security_inode_symlink (struct inode *dir,
@@ -2382,7 +2385,8 @@ static inline int security_inode_link (s
@@ -1521,7 +1523,8 @@ int security_inode_create(struct inode *
int security_inode_link(struct dentry *old_dentry, struct vfsmount *old_mnt,
struct inode *dir, struct dentry *new_dentry,
struct vfsmount *new_mnt);
-int security_inode_unlink(struct inode *dir, struct dentry *dentry);
+int security_inode_unlink(struct inode *dir, struct dentry *dentry,
+ struct vfsmount *mnt);
int security_inode_symlink(struct inode *dir, struct dentry *dentry,
struct vfsmount *mnt, const char *old_name);
int security_inode_mkdir(struct inode *dir, struct dentry *dentry,
@@ -1848,7 +1851,8 @@ static inline int security_inode_link (s
}
static inline int security_inode_unlink (struct inode *dir,
@@ -72,7 +68,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
}
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -278,7 +278,8 @@ static int dummy_inode_link (struct dent
@@ -275,7 +275,8 @@ static int dummy_inode_link (struct dent
return 0;
}
@@ -82,9 +78,26 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
return 0;
}
--- a/security/security.c
+++ b/security/security.c
@@ -346,11 +346,12 @@ int security_inode_link(struct dentry *o
new_dentry, new_mnt);
}
-int security_inode_unlink(struct inode *dir, struct dentry *dentry)
+int security_inode_unlink(struct inode *dir, struct dentry *dentry,
+ struct vfsmount *mnt)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_unlink(dir, dentry);
+ return security_ops->inode_unlink(dir, dentry, mnt);
}
int security_inode_symlink(struct inode *dir, struct dentry *dentry,
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2198,11 +2198,12 @@ static int selinux_inode_link(struct den
@@ -2205,11 +2205,12 @@ static int selinux_inode_link(struct den
return may_link(dir, old_dentry, MAY_LINK);
}

206
kernel-patches/for-mainline/security-xattr-file.diff → kernel-patches/2.6.24/security-xattr-file.diff
View File

@@ -10,12 +10,13 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
---
fs/xattr.c | 58 ++++++++++++++++++++++++-----------------------
include/linux/security.h | 53 +++++++++++++++++++++++++-----------------
include/linux/security.h | 40 +++++++++++++++++++-------------
include/linux/xattr.h | 8 +++---
security/commoncap.c | 4 +--
security/dummy.c | 10 ++++----
security/security.c | 21 +++++++++--------
security/selinux/hooks.c | 10 ++++----
6 files changed, 80 insertions(+), 63 deletions(-)
7 files changed, 84 insertions(+), 67 deletions(-)
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -128,7 +129,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
@@ -271,7 +272,7 @@ sys_fsetxattr(int fd, char __user *name,
return error;
dentry = f->f_path.dentry;
audit_inode(NULL, dentry->d_inode);
audit_inode(NULL, dentry);
- error = setxattr(dentry, f->f_vfsmnt, name, value, size, flags);
+ error = setxattr(dentry, f->f_vfsmnt, name, value, size, flags, f);
fput(f);
@@ -173,7 +174,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
@@ -354,7 +355,7 @@ sys_fgetxattr(int fd, char __user *name,
if (!f)
return error;
audit_inode(NULL, f->f_path.dentry->d_inode);
audit_inode(NULL, f->f_path.dentry);
- error = getxattr(f->f_path.dentry, f->f_path.mnt, name, value, size);
+ error = getxattr(f->f_path.dentry, f->f_path.mnt, name, value, size, f);
fput(f);
@@ -218,7 +219,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
@@ -428,7 +429,7 @@ sys_flistxattr(int fd, char __user *list
if (!f)
return error;
audit_inode(NULL, f->f_path.dentry->d_inode);
audit_inode(NULL, f->f_path.dentry);
- error = listxattr(f->f_path.dentry, f->f_path.mnt, list, size);
+ error = listxattr(f->f_path.dentry, f->f_path.mnt, list, size, f);
fput(f);
@@ -264,7 +265,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
@@ -491,7 +493,7 @@ sys_fremovexattr(int fd, char __user *na
return error;
dentry = f->f_path.dentry;
audit_inode(NULL, dentry->d_inode);
audit_inode(NULL, dentry);
- error = removexattr(dentry, f->f_path.mnt, name);
+ error = removexattr(dentry, f->f_path.mnt, name, f);
fput(f);
@@ -272,7 +273,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
}
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -49,8 +49,8 @@ extern void cap_capset_set (struct task_
@@ -56,8 +56,8 @@ extern void cap_capset_set (struct task_
extern int cap_bprm_set_security (struct linux_binprm *bprm);
extern void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe);
extern int cap_bprm_secureexec(struct linux_binprm *bprm);
@@ -280,10 +281,10 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
-extern int cap_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt, char *name);
+extern int cap_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt, char *name, void *value, size_t size, int flags, struct file *file);
+extern int cap_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt, char *name, struct file *file);
extern int cap_inode_need_killpriv(struct dentry *dentry);
extern int cap_inode_killpriv(struct dentry *dentry);
extern int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags);
extern void cap_task_reparent_to_init (struct task_struct *p);
extern int cap_syslog (int type);
@@ -1244,16 +1244,18 @@ struct security_operations {
@@ -1286,16 +1286,18 @@ struct security_operations {
int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry);
void (*inode_delete) (struct inode *inode);
int (*inode_setxattr) (struct dentry *dentry, struct vfsmount *mnt,
@@ -303,69 +304,32 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
int (*inode_removexattr) (struct dentry *dentry, struct vfsmount *mnt,
- char *name);
+ char *name, struct file *file);
const char *(*inode_xattr_getsuffix) (void);
int (*inode_need_killpriv) (struct dentry *dentry);
int (*inode_killpriv) (struct dentry *dentry);
int (*inode_getsecurity)(const struct inode *inode, const char *name, void *buffer, size_t size, int err);
int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags);
@@ -1768,12 +1770,13 @@ static inline void security_inode_delete
static inline int security_inode_setxattr (struct dentry *dentry,
struct vfsmount *mnt, char *name,
- void *value, size_t size, int flags)
+ void *value, size_t size, int flags,
+ struct file *file)
{
if (unlikely (IS_PRIVATE (dentry->d_inode)))
return 0;
return security_ops->inode_setxattr (dentry, mnt, name, value, size,
- flags);
+ flags, file);
}
static inline void security_inode_post_setxattr (struct dentry *dentry,
@@ -1783,31 +1786,35 @@ static inline void security_inode_post_s
{
if (unlikely (IS_PRIVATE (dentry->d_inode)))
return;
- security_ops->inode_post_setxattr (dentry, mnt, name, value, size, flags);
+ security_ops->inode_post_setxattr (dentry, mnt, name, value, size,
+ flags);
}
static inline int security_inode_getxattr (struct dentry *dentry,
- struct vfsmount *mnt, char *name)
+ struct vfsmount *mnt, char *name,
+ struct file *file)
{
if (unlikely (IS_PRIVATE (dentry->d_inode)))
return 0;
- return security_ops->inode_getxattr (dentry, mnt, name);
+ return security_ops->inode_getxattr (dentry, mnt, name, file);
}
static inline int security_inode_listxattr (struct dentry *dentry,
- struct vfsmount *mnt)
+ struct vfsmount *mnt,
+ struct file *file)
{
if (unlikely (IS_PRIVATE (dentry->d_inode)))
return 0;
- return security_ops->inode_listxattr (dentry, mnt);
+ return security_ops->inode_listxattr (dentry, mnt, file);
}
static inline int security_inode_removexattr (struct dentry *dentry,
- struct vfsmount *mnt, char *name)
+ struct vfsmount *mnt, char *name,
+ struct file *file)
{
if (unlikely (IS_PRIVATE (dentry->d_inode)))
return 0;
- return security_ops->inode_removexattr (dentry, mnt, name);
+ return security_ops->inode_removexattr (dentry, mnt, name, file);
}
static inline const char *security_inode_xattr_getsuffix(void)
@@ -2485,9 +2492,10 @@ static inline void security_inode_delete
@@ -1552,15 +1554,17 @@ int security_inode_setattr(struct dentry
int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry);
void security_inode_delete(struct inode *inode);
int security_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
- char *name, void *value, size_t size, int flags);
+ char *name, void *value, size_t size, int flags,
+ struct file *file);
void security_inode_post_setxattr(struct dentry *dentry, struct vfsmount *mnt,
char *name, void *value, size_t size,
int flags);
int security_inode_getxattr(struct dentry *dentry, struct vfsmount *mnt,
- char *name);
-int security_inode_listxattr(struct dentry *dentry, struct vfsmount *mnt);
+ char *name, struct file *file);
+int security_inode_listxattr(struct dentry *dentry, struct vfsmount *mnt,
+ struct file *file);
int security_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
- char *name);
+ char *name, struct file *file);
int security_inode_need_killpriv(struct dentry *dentry);
int security_inode_killpriv(struct dentry *dentry);
int security_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err);
@@ -1946,9 +1950,10 @@ static inline void security_inode_delete
static inline int security_inode_setxattr (struct dentry *dentry,
struct vfsmount *mnt, char *name,
@@ -378,35 +342,35 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
}
static inline void security_inode_post_setxattr (struct dentry *dentry,
@@ -2498,21 +2506,24 @@ static inline void security_inode_post_s
@@ -1959,21 +1964,24 @@ static inline void security_inode_post_s
{ }
static inline int security_inode_getxattr (struct dentry *dentry,
- struct vfsmount *mnt, char *name)
+ struct vfsmount *mnt, char *name,
+ struct file *file)
+ struct vfsmount *mnt, char *name,
+ struct file *file)
{
return 0;
}
static inline int security_inode_listxattr (struct dentry *dentry,
- struct vfsmount *mnt)
+ struct vfsmount *mnt,
+ struct file *file)
+ struct vfsmount *mnt,
+ struct file *file)
{
return 0;
}
static inline int security_inode_removexattr (struct dentry *dentry,
- struct vfsmount *mnt, char *name)
+ struct vfsmount *mnt, char *name,
+ struct file *file)
+ struct vfsmount *mnt, char *name,
+ struct file *file)
{
- return cap_inode_removexattr(dentry, mnt, name);
+ return cap_inode_removexattr(dentry, mnt, name, file);
}
static inline const char *security_inode_xattr_getsuffix (void)
static inline int security_inode_need_killpriv(struct dentry *dentry)
--- a/include/linux/xattr.h
+++ b/include/linux/xattr.h
@@ -47,12 +47,12 @@ struct xattr_handler {
@@ -428,27 +392,27 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
ssize_t generic_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size);
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -191,7 +191,7 @@ int cap_bprm_secureexec (struct linux_bi
@@ -376,7 +376,7 @@ int cap_bprm_secureexec (struct linux_bi
}
int cap_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt, char *name,
- void *value, size_t size, int flags)
+ void *value, size_t size, int flags, struct file *file)
{
if (!strncmp(name, XATTR_SECURITY_PREFIX,
sizeof(XATTR_SECURITY_PREFIX) - 1) &&
@@ -201,7 +201,7 @@ int cap_inode_setxattr(struct dentry *de
if (!strcmp(name, XATTR_NAME_CAPS)) {
if (!capable(CAP_SETFCAP))
@@ -390,7 +390,7 @@ int cap_inode_setxattr(struct dentry *de
}
int cap_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
- char *name)
+ char *name, struct file *file)
{
if (!strncmp(name, XATTR_SECURITY_PREFIX,
sizeof(XATTR_SECURITY_PREFIX) - 1) &&
if (!strcmp(name, XATTR_NAME_CAPS)) {
if (!capable(CAP_SETFCAP))
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -352,7 +352,7 @@ static void dummy_inode_delete (struct i
@@ -349,7 +349,7 @@ static void dummy_inode_delete (struct i
static int dummy_inode_setxattr (struct dentry *dentry, struct vfsmount *mnt,
char *name, void *value, size_t size,
@@ -457,7 +421,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
if (!strncmp(name, XATTR_SECURITY_PREFIX,
sizeof(XATTR_SECURITY_PREFIX) - 1) &&
@@ -369,18 +369,20 @@ static void dummy_inode_post_setxattr (s
@@ -366,18 +366,20 @@ static void dummy_inode_post_setxattr (s
}
static int dummy_inode_getxattr (struct dentry *dentry,
@@ -481,9 +445,67 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
if (!strncmp(name, XATTR_SECURITY_PREFIX,
sizeof(XATTR_SECURITY_PREFIX) - 1) &&
--- a/security/security.c
+++ b/security/security.c
@@ -441,12 +441,13 @@ void security_inode_delete(struct inode
}
int security_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
- char *name, void *value, size_t size, int flags)
+ char *name, void *value, size_t size, int flags,
+ struct file *file)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
return security_ops->inode_setxattr(dentry, mnt, name, value, size,
- flags);
+ flags, file);
}
void security_inode_post_setxattr(struct dentry *dentry, struct vfsmount *mnt,
@@ -455,30 +456,32 @@ void security_inode_post_setxattr(struct
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return;
- security_ops->inode_post_setxattr(dentry, mnt, name, value, size, flags);
+ security_ops->inode_post_setxattr(dentry, mnt, name, value, size,
+ flags);
}
int security_inode_getxattr(struct dentry *dentry, struct vfsmount *mnt,
- char *name)
+ char *name, struct file *file)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_getxattr(dentry, mnt, name);
+ return security_ops->inode_getxattr(dentry, mnt, name, file);
}
-int security_inode_listxattr(struct dentry *dentry, struct vfsmount *mnt)
+int security_inode_listxattr(struct dentry *dentry, struct vfsmount *mnt,
+ struct file *file)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_listxattr(dentry, mnt);
+ return security_ops->inode_listxattr(dentry, mnt, file);
}
int security_inode_removexattr(struct dentry *dentry, struct vfsmount *mnt,
- char *name)
+ char *name, struct file *file)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_removexattr(dentry, mnt, name);
+ return security_ops->inode_removexattr(dentry, mnt, name, file);
}
int security_inode_need_killpriv(struct dentry *dentry)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2308,7 +2308,7 @@ static int selinux_inode_getattr(struct
@@ -2334,7 +2334,7 @@ static int selinux_inode_setotherxattr(s
static int selinux_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
char *name, void *value, size_t size,
@@ -492,7 +514,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
struct task_security_struct *tsec = current->security;
struct inode *inode = dentry->d_inode;
@@ -2395,18 +2395,20 @@ static void selinux_inode_post_setxattr(
@@ -2410,18 +2410,20 @@ static void selinux_inode_post_setxattr(
}
static int selinux_inode_getxattr (struct dentry *dentry, struct vfsmount *mnt,
@@ -514,5 +536,5 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
+ struct vfsmount *mnt, char *name,
+ struct file *file)
{
if (strcmp(name, XATTR_NAME_SELINUX)) {
if (!strncmp(name, XATTR_SECURITY_PREFIX,
if (strcmp(name, XATTR_NAME_SELINUX))
return selinux_inode_setotherxattr(dentry, name);

40
kernel-patches/for-mainline/series → kernel-patches/2.6.24/series
View File

@@ -30,10 +30,16 @@ security-removexattr.diff
unambiguous-__d_path.diff
mount-consistent-__d_path.diff
d_namespace_path.diff
fgetattr.diff
fsetattr.diff
fsetattr-reintro-ATTR_FILE.diff
file-handle-ops.diff
security-xattr-file.diff
sysctl-pathname.diff
parent-permission.diff
do_path_lookup-nameidata.diff
sys_fchdir-nameidata.diff
file_permission-nameidata.diff
apparmor-audit.diff
apparmor-main.diff
apparmor-lsm.diff
@@ -41,30 +47,10 @@ apparmor-module_interface.diff
apparmor-misc.diff
apparmor-intree.diff
apparmor-network.diff
do_path_lookup-nameidata.diff
sys_fchdir-nameidata.diff
file_permission-nameidata.diff
#foobar.diff
# # NOT YET
# ecryptfs-d_revalidate.diff
# nfs-nameidata-check.diff
# # statvfs.diff
# # statvfs-2.diff
# # fix-getcwd.diff
# # proc-mounts-cleanup.diff
# # proc-mounts-check-d_path-result.diff
# # fix-d_path.diff
##split-up-nameidata.diff
##vfs_create-nameidata.diff
##xattr_permission.diff
##nfsd_permission-nameidata.diff
# vfs_create-args.diff
# vfs_mknod-args.diff
# vfs_mkdir-args.diff
# vfs_symlink-args.diff
# vfs_link-args.diff
# vfs_rename-args.diff
# may_create-args.diff
# vfs_rmdir-args.diff
# vfs_unlink-args.diff
# may_delete-args.diff
fix-rcu-deref.diff
fix-name-errorpath.diff
fix-net.diff
apparmor-fix-sysctl-refcount.diff
apparmor-bootdisable.diff
apparmor-builtin-only.diff
split_init.diff

230
kernel-patches/2.6.24/split_init.diff Normal file
View File

@@ -0,0 +1,230 @@
---
security/apparmor/Kconfig | 15 +++++
security/apparmor/apparmor.h | 5 +
security/apparmor/apparmorfs.c | 8 ++
security/apparmor/lsm.c | 110 +++++++++++++++++++++++++++++++++++------
4 files changed, 124 insertions(+), 14 deletions(-)
--- a/security/apparmor/Kconfig
+++ b/security/apparmor/Kconfig
@@ -25,3 +25,18 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE
bootup.
If you are unsure how to answer this question, answer 1.
+
+config SECURITY_APPARMOR_DISABLE
+ bool "AppArmor runtime disable"
+ depends on SECURITY_APPARMOR
+ default n
+ help
+ This option enables writing to a apparmorfs node 'disable', which
+ allows AppArmor to be disabled at runtime prior to the policy load.
+ AppArmor will then remain disabled until the next boot.
+ This option is similar to the apparmor.enabled=0 boot parameter,
+ but is to support runtime disabling of AppArmor, e.g. from
+ /sbin/init, for portability across platforms where boot
+ parameters are difficult to employ.
+
+ If you are unsure how to answer this question, answer N.
--- a/security/apparmor/apparmor.h
+++ b/security/apparmor/apparmor.h
@@ -231,6 +231,11 @@ extern int aa_net_perm(struct aa_profile
int family, int type, int protocol);
extern int aa_revalidate_sk(struct sock *sk, char *operation);
+/* lsm.c */
+extern int apparmor_initialized;
+extern void info_message(const char *str);
+extern void apparmor_disable(void);
+
/* list.c */
extern void aa_profilelist_release(void);
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -214,6 +214,9 @@ int create_apparmorfs(void)
{
int error;
+ if (!apparmor_initialized)
+ return 0;
+
if (apparmor_dentry) {
AA_ERROR("%s: AppArmor securityfs already exists\n",
__FUNCTION__);
@@ -242,11 +245,16 @@ int create_apparmorfs(void)
if (error)
goto error;
+ /* Report that AppArmor fs is enabled */
+ info_message("AppArmor Filesystem Enabled");
return 0;
error:
destroy_apparmorfs();
AA_ERROR("Error creating AppArmor securityfs\n");
+ apparmor_disable();
return error;
}
+fs_initcall(create_apparmorfs);
+
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -23,16 +23,8 @@
#include "apparmor.h"
#include "inline.h"
-/* Boot time disable flag */
-int apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE;
-
-static int __init apparmor_enabled_setup(char *str)
-{
- apparmor_enabled = simple_strtol(str, NULL, 0);
- return 1;
-}
-__setup("apparmor=", apparmor_enabled_setup);
-
+/* Flag indicating whether initialization completed */
+int apparmor_initialized = 0;
static int param_set_aabool(const char *val, struct kernel_param *kp);
static int param_get_aabool(char *buffer, struct kernel_param *kp);
@@ -75,6 +67,25 @@ unsigned int apparmor_path_max = 2 * PAT
module_param_named(path_max, apparmor_path_max, aauint, S_IRUSR | S_IWUSR);
MODULE_PARM_DESC(apparmor_path_max, "Maximum pathname length allowed");
+/* Boot time disable flag */
+#ifdef CONFIG_SECURITY_APPARMOR_DISABLE
+#define AA_ENABLED_PERMS 0600
+#else
+#define AA_ENABLED_PERMS 0400
+#endif
+static int param_set_aa_enabled(const char *val, struct kernel_param *kp);
+unsigned int apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE;
+module_param_call(enabled, param_set_aa_enabled, param_get_aauint,
+ &apparmor_enabled, AA_ENABLED_PERMS);
+MODULE_PARM_DESC(apparmor_enabled, "Enable/Disable Apparmor on boot");
+
+static int __init apparmor_enabled_setup(char *str)
+{
+ apparmor_enabled = simple_strtol(str, NULL, 0);
+ return 1;
+}
+__setup("apparmor=", apparmor_enabled_setup);
+
static int param_set_aabool(const char *val, struct kernel_param *kp)
{
if (aa_task_context(current))
@@ -103,6 +114,35 @@ static int param_get_aauint(char *buffer
return param_get_uint(buffer, kp);
}
+/* allow run time disabling of apparmor */
+static int param_set_aa_enabled(const char *val, struct kernel_param *kp)
+{
+ char *endp;
+ unsigned long l;
+
+ if (!apparmor_initialized) {
+ apparmor_enabled = 0;
+ return 0;
+ }
+
+ if (!apparmor_enabled)
+ return -EINVAL;
+
+ if (aa_task_context(current))
+ return -EPERM;
+
+ if (!val)
+ return -EINVAL;
+
+ l = simple_strtoul(val, &endp, 0);
+ if (endp == val || l != 0)
+ return -EINVAL;
+
+ apparmor_enabled = 0;
+ apparmor_disable();
+ return 0;
+}
+
static int aa_reject_syscall(struct task_struct *task, gfp_t flags,
const char *name)
{
@@ -880,14 +920,15 @@ struct security_operations apparmor_ops
.socket_shutdown = apparmor_socket_shutdown,
};
-static void info_message(const char *str)
+void info_message(const char *str)
{
struct aa_audit sa;
memset(&sa, 0, sizeof(sa));
sa.gfp_mask = GFP_KERNEL;
sa.info = str;
- printk(KERN_INFO "AppArmor: %s", str);
- aa_audit_message(NULL, &sa, AUDIT_APPARMOR_STATUS);
+ printk(KERN_INFO "AppArmor: %s\n", str);
+ if (audit_enabled)
+ aa_audit_message(NULL, &sa, AUDIT_APPARMOR_STATUS);
}
static int __init apparmor_init(void)
@@ -914,6 +955,8 @@ static int __init apparmor_init(void)
goto register_security_out;
}
+ /* Report that AppArmor successfully initialized */
+ apparmor_initialized = 1;
if (apparmor_complain)
info_message("AppArmor initialized: complainmode enabled");
else
@@ -932,7 +975,46 @@ createfs_out:
}
-module_init(apparmor_init);
+security_initcall(apparmor_init);
+
+void apparmor_disable(void)
+{
+ /* Remove and release all the profiles on the profile list. */
+ mutex_lock(&aa_interface_lock);
+ write_lock(&profile_list_lock);
+ while (!list_empty(&profile_list)) {
+ struct aa_profile *profile =
+ list_entry(profile_list.next, struct aa_profile, list);
+
+ /* Remove the profile from each task context it is on. */
+ lock_profile(profile);
+ profile->isstale = 1;
+ aa_unconfine_tasks(profile);
+ unlock_profile(profile);
+
+ /* Release the profile itself. */
+ list_del_init(&profile->list);
+ aa_put_profile(profile);
+ }
+ write_unlock(&profile_list_lock);
+
+ /* FIXME: cleanup profiles references on files */
+
+ free_null_complain_profile();
+ /*
+ * Delay for an rcu cycle to make sure that all active task
+ * context readers have finished, and all profiles have been
+ * freed by their rcu callbacks.
+ */
+ synchronize_rcu();
+
+ destroy_apparmorfs();
+ mutex_unlock(&aa_interface_lock);
+
+ apparmor_initialized = 0;
+
+ info_message("AppArmor protection removed");
+}
MODULE_DESCRIPTION("AppArmor process confinement");
MODULE_AUTHOR("Novell/Immunix, http://bugs.opensuse.org");

4
kernel-patches/for-mainline/sys_fchdir-nameidata.diff → kernel-patches/2.6.24/sys_fchdir-nameidata.diff
View File

@@ -13,7 +13,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
--- a/fs/open.c
+++ b/fs/open.c
@@ -499,10 +499,8 @@ out:
@@ -501,10 +501,8 @@ out:
asmlinkage long sys_fchdir(unsigned int fd)
{
@@ -25,7 +25,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
int error;
error = -EBADF;
@@ -510,17 +508,17 @@ asmlinkage long sys_fchdir(unsigned int
@@ -512,17 +510,17 @@ asmlinkage long sys_fchdir(unsigned int
if (!file)
goto out;

8
kernel-patches/for-mainline/sysctl-pathname.diff → kernel-patches/2.6.24/sysctl-pathname.diff
View File

@@ -15,8 +15,8 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -963,6 +963,8 @@ extern int proc_doulongvec_minmax(ctl_ta
extern int proc_doulongvec_ms_jiffies_minmax(ctl_table *table, int,
@@ -977,6 +977,8 @@ extern int proc_doulongvec_minmax(struct
extern int proc_doulongvec_ms_jiffies_minmax(struct ctl_table *table, int,
struct file *, void __user *, size_t *, loff_t *);
+extern char *sysctl_pathname(ctl_table *, char *, int);
@@ -26,7 +26,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
void __user *newval, size_t newlen);
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1297,6 +1297,33 @@ struct ctl_table_header *sysctl_head_nex
@@ -1327,6 +1327,33 @@ struct ctl_table_header *sysctl_head_nex
return NULL;
}
@@ -62,7 +62,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
void __user *newval, size_t newlen)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1427,40 +1427,15 @@ static int selinux_capable(struct task_s
@@ -1431,40 +1431,15 @@ static int selinux_capable(struct task_s
static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
{

10
kernel-patches/for-mainline/unambiguous-__d_path.diff → kernel-patches/2.6.24/unambiguous-__d_path.diff
View File

@@ -30,7 +30,7 @@ Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -1766,52 +1766,51 @@ shouldnt_be_hashed:
@@ -1764,52 +1764,51 @@ shouldnt_be_hashed:
}
/**
@@ -110,7 +110,7 @@ Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
spin_lock(&vfsmount_lock);
if (vfsmnt->mnt_parent == vfsmnt) {
spin_unlock(&vfsmount_lock);
@@ -1825,33 +1824,72 @@ static char * __d_path( struct dentry *d
@@ -1823,33 +1822,72 @@ static char * __d_path( struct dentry *d
parent = dentry->d_parent;
prefetch(parent);
namelen = dentry->d_name.len;
@@ -198,7 +198,7 @@ Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
{
char *res;
struct vfsmount *rootmnt;
@@ -1871,9 +1909,8 @@ char * d_path(struct dentry *dentry, str
@@ -1869,9 +1907,8 @@ char * d_path(struct dentry *dentry, str
rootmnt = mntget(current->fs->rootmnt);
root = dget(current->fs->root);
read_unlock(&current->fs->lock);
@@ -210,7 +210,7 @@ Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
dput(root);
mntput(rootmnt);
return res;
@@ -1920,10 +1957,10 @@ char *dynamic_dname(struct dentry *dentr
@@ -1918,10 +1955,10 @@ char *dynamic_dname(struct dentry *dentr
*/
asmlinkage long sys_getcwd(char __user *buf, unsigned long size)
{
@@ -223,7 +223,7 @@ Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
if (!page)
return -ENOMEM;
@@ -1935,29 +1972,19 @@ asmlinkage long sys_getcwd(char __user *
@@ -1933,29 +1970,19 @@ asmlinkage long sys_getcwd(char __user *
root = dget(current->fs->root);
read_unlock(&current->fs->lock);

16
kernel-patches/for-mainline/vfs-getxattr.diff → kernel-patches/2.6.24/vfs-getxattr.diff
View File

@@ -18,7 +18,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -1491,7 +1491,7 @@ nfsd4_encode_fattr(struct svc_fh *fhp, s
@@ -1496,7 +1496,7 @@ nfsd4_encode_fattr(struct svc_fh *fhp, s
}
if (bmval0 & (FATTR4_WORD0_ACL | FATTR4_WORD0_ACLSUPPORT
| FATTR4_WORD0_SUPPORTED_ATTRS)) {
@@ -29,7 +29,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
if (err == -EOPNOTSUPP)
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -395,11 +395,12 @@ out_nfserr:
@@ -408,11 +408,12 @@ out_nfserr:
#if defined(CONFIG_NFSD_V2_ACL) || \
defined(CONFIG_NFSD_V3_ACL) || \
defined(CONFIG_NFSD_V4)
@@ -44,7 +44,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
if (buflen <= 0)
return buflen;
@@ -407,7 +408,7 @@ static ssize_t nfsd_getxattr(struct dent
@@ -420,7 +421,7 @@ static ssize_t nfsd_getxattr(struct dent
if (!*buf)
return -ENOMEM;
@@ -53,7 +53,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
}
#endif
@@ -488,13 +489,13 @@ out_nfserr:
@@ -501,13 +502,13 @@ out_nfserr:
}
static struct posix_acl *
@@ -69,7 +69,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
if (!buflen)
buflen = -ENODATA;
if (buflen <= 0)
@@ -506,14 +507,15 @@ _get_posix_acl(struct dentry *dentry, ch
@@ -519,14 +520,15 @@ _get_posix_acl(struct dentry *dentry, ch
}
int
@@ -87,7 +87,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
if (IS_ERR(pacl) && PTR_ERR(pacl) == -ENODATA)
pacl = posix_acl_from_mode(inode->i_mode, GFP_KERNEL);
if (IS_ERR(pacl)) {
@@ -523,7 +525,7 @@ nfsd4_get_nfs4_acl(struct svc_rqst *rqst
@@ -536,7 +538,7 @@ nfsd4_get_nfs4_acl(struct svc_rqst *rqst
}
if (S_ISDIR(inode->i_mode)) {
@@ -96,7 +96,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
if (IS_ERR(dpacl) && PTR_ERR(dpacl) == -ENODATA)
dpacl = NULL;
else if (IS_ERR(dpacl)) {
@@ -1973,7 +1975,8 @@ nfsd_get_posix_acl(struct svc_fh *fhp, i
@@ -2001,7 +2003,8 @@ nfsd_get_posix_acl(struct svc_fh *fhp, i
return ERR_PTR(-EOPNOTSUPP);
}
@@ -158,7 +158,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
@@ -350,7 +352,7 @@ sys_fgetxattr(int fd, char __user *name,
if (!f)
return error;
audit_inode(NULL, f->f_path.dentry->d_inode);
audit_inode(NULL, f->f_path.dentry);
- error = getxattr(f->f_path.dentry, name, value, size);
+ error = getxattr(f->f_path.dentry, f->f_path.mnt, name, value, size);
fput(f);

10
kernel-patches/for-mainline/vfs-link.diff → kernel-patches/2.6.24/vfs-link.diff
View File

@@ -17,7 +17,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
--- a/fs/ecryptfs/inode.c
+++ b/fs/ecryptfs/inode.c
@@ -411,19 +411,24 @@ static int ecryptfs_link(struct dentry *
@@ -389,19 +389,24 @@ static int ecryptfs_link(struct dentry *
struct dentry *new_dentry)
{
struct dentry *lower_old_dentry;
@@ -46,7 +46,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
rc = ecryptfs_interpose(lower_new_dentry, new_dentry, dir->i_sb, 0);
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2301,7 +2301,7 @@ asmlinkage long sys_symlink(const char _
@@ -2331,7 +2331,7 @@ asmlinkage long sys_symlink(const char _
return sys_symlinkat(oldname, AT_FDCWD, newname);
}
@@ -55,7 +55,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
struct inode *inode = old_dentry->d_inode;
int error;
@@ -2379,7 +2379,8 @@ asmlinkage long sys_linkat(int olddfd, c
@@ -2409,7 +2409,8 @@ asmlinkage long sys_linkat(int olddfd, c
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
goto out_unlock;
@@ -67,7 +67,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
mutex_unlock(&nd.dentry->d_inode->i_mutex);
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -1561,7 +1561,8 @@ nfsd_link(struct svc_rqst *rqstp, struct
@@ -1589,7 +1589,8 @@ nfsd_link(struct svc_rqst *rqstp, struct
dold = tfhp->fh_dentry;
dest = dold->d_inode;
@@ -79,7 +79,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
err = nfserrno(nfsd_sync_dir(ddir));
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1013,7 +1013,7 @@ extern int vfs_create(struct inode *, st
@@ -1071,7 +1071,7 @@ extern int vfs_create(struct inode *, st
extern int vfs_mkdir(struct inode *, struct dentry *, struct vfsmount *, int);
extern int vfs_mknod(struct inode *, struct dentry *, struct vfsmount *, int, dev_t);
extern int vfs_symlink(struct inode *, struct dentry *, struct vfsmount *, const char *, int);

2
kernel-patches/for-mainline/vfs-listxattr.diff → kernel-patches/2.6.24/vfs-listxattr.diff
View File

@@ -82,7 +82,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
@@ -425,7 +428,7 @@ sys_flistxattr(int fd, char __user *list
if (!f)
return error;
audit_inode(NULL, f->f_path.dentry->d_inode);
audit_inode(NULL, f->f_path.dentry);
- error = listxattr(f->f_path.dentry, list, size);
+ error = listxattr(f->f_path.dentry, f->f_path.mnt, list, size);
fput(f);

34
kernel-patches/for-mainline/vfs-mkdir.diff → kernel-patches/2.6.24/vfs-mkdir.diff
View File

@@ -14,11 +14,12 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
fs/nfsd/nfs4recover.c | 3 ++-
fs/nfsd/vfs.c | 8 +++++---
include/linux/fs.h | 2 +-
5 files changed, 15 insertions(+), 8 deletions(-)
kernel/cgroup.c | 2 +-
6 files changed, 16 insertions(+), 9 deletions(-)
--- a/fs/ecryptfs/inode.c
+++ b/fs/ecryptfs/inode.c
@@ -509,11 +509,14 @@ static int ecryptfs_mkdir(struct inode *
@@ -488,11 +488,14 @@ static int ecryptfs_mkdir(struct inode *
{
int rc;
struct dentry *lower_dentry;
@@ -36,7 +37,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
rc = ecryptfs_interpose(lower_dentry, dentry, dir->i_sb, 0);
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1967,7 +1967,8 @@ asmlinkage long sys_mknod(const char __u
@@ -1997,7 +1997,8 @@ asmlinkage long sys_mknod(const char __u
return sys_mknodat(AT_FDCWD, filename, mode, dev);
}
@@ -46,7 +47,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
int error = may_create(dir, dentry, NULL);
@@ -2011,7 +2012,7 @@ asmlinkage long sys_mkdirat(int dfd, con
@@ -2041,7 +2042,7 @@ asmlinkage long sys_mkdirat(int dfd, con
if (!IS_POSIXACL(nd.dentry->d_inode))
mode &= ~current->fs->umask;
@@ -57,7 +58,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
mutex_unlock(&nd.dentry->d_inode->i_mutex);
--- a/fs/nfsd/nfs4recover.c
+++ b/fs/nfsd/nfs4recover.c
@@ -156,7 +156,8 @@ nfsd4_create_clid_dir(struct nfs4_client
@@ -154,7 +154,8 @@ nfsd4_create_clid_dir(struct nfs4_client
dprintk("NFSD: nfsd4_create_clid_dir: DIRECTORY EXISTS\n");
goto out_put;
}
@@ -69,7 +70,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
out_unlock:
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -1140,6 +1140,7 @@ nfsd_create(struct svc_rqst *rqstp, stru
@@ -1165,6 +1165,7 @@ nfsd_create(struct svc_rqst *rqstp, stru
int type, dev_t rdev, struct svc_fh *resfhp)
{
struct dentry *dentry, *dchild = NULL;
@@ -77,7 +78,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
struct inode *dirp;
__be32 err;
int host_err;
@@ -1156,6 +1157,7 @@ nfsd_create(struct svc_rqst *rqstp, stru
@@ -1181,6 +1182,7 @@ nfsd_create(struct svc_rqst *rqstp, stru
goto out;
dentry = fhp->fh_dentry;
@@ -85,7 +86,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
dirp = dentry->d_inode;
err = nfserr_notdir;
@@ -1172,7 +1174,7 @@ nfsd_create(struct svc_rqst *rqstp, stru
@@ -1197,7 +1199,7 @@ nfsd_create(struct svc_rqst *rqstp, stru
host_err = PTR_ERR(dchild);
if (IS_ERR(dchild))
goto out_nfserr;
@@ -94,7 +95,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
if (err)
goto out;
} else {
@@ -1211,7 +1213,7 @@ nfsd_create(struct svc_rqst *rqstp, stru
@@ -1236,7 +1238,7 @@ nfsd_create(struct svc_rqst *rqstp, stru
host_err = vfs_create(dirp, dchild, iap->ia_mode, NULL);
break;
case S_IFDIR:
@@ -103,7 +104,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
break;
case S_IFCHR:
case S_IFBLK:
@@ -1226,7 +1228,7 @@ nfsd_create(struct svc_rqst *rqstp, stru
@@ -1251,7 +1253,7 @@ nfsd_create(struct svc_rqst *rqstp, stru
if (host_err < 0)
goto out_nfserr;
@@ -114,7 +115,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
}
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1010,7 +1010,7 @@ extern void unlock_super(struct super_bl
@@ -1068,7 +1068,7 @@ extern void unlock_super(struct super_bl
*/
extern int vfs_permission(struct nameidata *, int);
extern int vfs_create(struct inode *, struct dentry *, int, struct nameidata *);
@@ -123,3 +124,14 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
extern int vfs_mknod(struct inode *, struct dentry *, int, dev_t);
extern int vfs_symlink(struct inode *, struct dentry *, const char *, int);
extern int vfs_link(struct dentry *, struct inode *, struct dentry *);
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -2611,7 +2611,7 @@ int cgroup_clone(struct task_struct *tsk
}
/* Create the cgroup directory, which also creates the cgroup */
- ret = vfs_mkdir(inode, dentry, S_IFDIR | 0755);
+ ret = vfs_mkdir(inode, dentry, NULL, S_IFDIR | 0755);
child = __d_cgrp(dentry);
dput(dentry);
if (ret) {

12
kernel-patches/for-mainline/vfs-mknod.diff → kernel-patches/2.6.24/vfs-mknod.diff
View File

@@ -18,7 +18,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
--- a/fs/ecryptfs/inode.c
+++ b/fs/ecryptfs/inode.c
@@ -560,11 +560,14 @@ ecryptfs_mknod(struct inode *dir, struct
@@ -539,11 +539,14 @@ ecryptfs_mknod(struct inode *dir, struct
{
int rc;
struct dentry *lower_dentry;
@@ -36,7 +36,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
rc = ecryptfs_interpose(lower_dentry, dentry, dir->i_sb, 0);
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1888,7 +1888,8 @@ fail:
@@ -1918,7 +1918,8 @@ fail:
}
EXPORT_SYMBOL_GPL(lookup_create);
@@ -46,7 +46,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
int error = may_create(dir, dentry, NULL);
@@ -1940,11 +1941,12 @@ asmlinkage long sys_mknodat(int dfd, con
@@ -1970,11 +1971,12 @@ asmlinkage long sys_mknodat(int dfd, con
error = vfs_create(nd.dentry->d_inode,dentry,mode,&nd);
break;
case S_IFCHR: case S_IFBLK:
@@ -64,7 +64,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
error = -EPERM;
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -1219,7 +1219,8 @@ nfsd_create(struct svc_rqst *rqstp, stru
@@ -1244,7 +1244,8 @@ nfsd_create(struct svc_rqst *rqstp, stru
case S_IFBLK:
case S_IFIFO:
case S_IFSOCK:
@@ -76,7 +76,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
printk("nfsd: bad file type %o in nfsd_create\n", type);
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1011,7 +1011,7 @@ extern void unlock_super(struct super_bl
@@ -1069,7 +1069,7 @@ extern void unlock_super(struct super_bl
extern int vfs_permission(struct nameidata *, int);
extern int vfs_create(struct inode *, struct dentry *, int, struct nameidata *);
extern int vfs_mkdir(struct inode *, struct dentry *, struct vfsmount *, int);
@@ -87,7 +87,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
extern int vfs_rmdir(struct inode *, struct dentry *);
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -808,7 +808,7 @@ static int unix_bind(struct socket *sock
@@ -839,7 +839,7 @@ static int unix_bind(struct socket *sock
*/
mode = S_IFSOCK |
(SOCK_INODE(sock)->i_mode & ~current->fs->umask);

107
kernel-patches/for-mainline/vfs-notify_change.diff → kernel-patches/2.6.24/vfs-notify_change.diff
View File

@@ -15,7 +15,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
fs/exec.c | 3 ++-
fs/fat/file.c | 2 +-
fs/hpfs/namei.c | 2 +-
fs/namei.c | 3 ++-
fs/namei.c | 2 +-
fs/nfsd/vfs.c | 8 ++++----
fs/open.c | 28 +++++++++++++++-------------
fs/reiserfs/xattr.c | 6 +++---
@@ -24,7 +24,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
include/linux/fs.h | 6 +++---
mm/filemap.c | 2 +-
mm/tiny-shmem.c | 2 +-
14 files changed, 45 insertions(+), 37 deletions(-)
14 files changed, 44 insertions(+), 37 deletions(-)
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -37,10 +37,10 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
+ struct iattr *attr)
{
struct inode *inode = dentry->d_inode;
mode_t mode;
mode_t mode = inode->i_mode;
--- a/fs/ecryptfs/inode.c
+++ b/fs/ecryptfs/inode.c
@@ -889,6 +889,7 @@ static int ecryptfs_setattr(struct dentr
@@ -850,6 +850,7 @@ static int ecryptfs_setattr(struct dentr
{
int rc = 0;
struct dentry *lower_dentry;
@@ -48,7 +48,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
struct inode *inode;
struct inode *lower_inode;
struct ecryptfs_crypt_stat *crypt_stat;
@@ -899,6 +900,7 @@ static int ecryptfs_setattr(struct dentr
@@ -860,6 +861,7 @@ static int ecryptfs_setattr(struct dentr
inode = dentry->d_inode;
lower_inode = ecryptfs_inode_to_lower(inode);
lower_dentry = ecryptfs_dentry_to_lower(dentry);
@@ -56,10 +56,10 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
mutex_lock(&crypt_stat->cs_mutex);
if (S_ISDIR(dentry->d_inode->i_mode))
crypt_stat->flags &= ~(ECRYPTFS_ENCRYPTED);
@@ -955,7 +957,7 @@ static int ecryptfs_setattr(struct dentr
if (rc < 0)
goto out;
}
@@ -910,7 +912,7 @@ static int ecryptfs_setattr(struct dentr
if (ia->ia_valid & (ATTR_KILL_SUID | ATTR_KILL_SGID))
ia->ia_valid &= ~ATTR_MODE;
- rc = notify_change(lower_dentry, ia);
+ rc = notify_change(lower_dentry, lower_mnt, ia);
out:
@@ -67,7 +67,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
return rc;
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1796,7 +1796,8 @@ int do_coredump(long signr, int exit_cod
@@ -1790,7 +1790,8 @@ int do_coredump(long signr, int exit_cod
goto close_fail;
if (!file->f_op->write)
goto close_fail;
@@ -76,7 +76,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
+ do_truncate(file->f_path.dentry, file->f_path.mnt, 0, 0, file) != 0)
goto close_fail;
retval = binfmt->core_dump(signr, regs, file);
retval = binfmt->core_dump(signr, regs, file, core_limit);
--- a/fs/fat/file.c
+++ b/fs/fat/file.c
@@ -92,7 +92,7 @@ int fat_generic_ioctl(struct inode *inod
@@ -101,19 +101,18 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
goto again;
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1631,7 +1631,8 @@ int may_open(struct nameidata *nd, int a
@@ -1660,7 +1660,7 @@ int may_open(struct nameidata *nd, int a
if (!error) {
DQUOT_INIT(inode);
- error = do_truncate(dentry, 0, ATTR_MTIME|ATTR_CTIME, NULL);
- error = do_truncate(dentry, 0,
+ error = do_truncate(dentry, nd->mnt, 0,
+ ATTR_MTIME|ATTR_CTIME, NULL);
ATTR_MTIME|ATTR_CTIME|ATTR_OPEN,
NULL);
}
put_write_access(inode);
if (error)
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -375,7 +375,7 @@ nfsd_setattr(struct svc_rqst *rqstp, str
@@ -388,7 +388,7 @@ nfsd_setattr(struct svc_rqst *rqstp, str
err = nfserr_notsync;
if (!check_guard || guardtime == inode->i_ctime.tv_sec) {
fh_lock(fhp);
@@ -122,7 +121,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
err = nfserrno(host_err);
fh_unlock(fhp);
}
@@ -918,13 +918,13 @@ out:
@@ -943,13 +943,13 @@ out:
return err;
}
@@ -130,7 +129,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
+static void kill_suid(struct dentry *dentry, struct vfsmount *mnt)
{
struct iattr ia;
ia.ia_valid = ATTR_KILL_SUID | ATTR_KILL_SGID;
ia.ia_valid = ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV;
mutex_lock(&dentry->d_inode->i_mutex);
- notify_change(dentry, &ia);
@@ -138,7 +137,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
mutex_unlock(&dentry->d_inode->i_mutex);
}
@@ -983,7 +983,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
@@ -1008,7 +1008,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
/* clear setuid/setgid flag after write */
if (host_err >= 0 && (inode->i_mode & (S_ISUID | S_ISGID)))
@@ -169,16 +168,16 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
mutex_unlock(&dentry->d_inode->i_mutex);
return err;
}
@@ -270,7 +270,7 @@ static long do_sys_truncate(const char _
@@ -271,7 +271,7 @@ static long do_sys_truncate(const char _
error = locks_verify_truncate(inode, NULL, length);
if (!error) {
DQUOT_INIT(inode);
- error = do_truncate(nd.dentry, length, 0, NULL);
+ error = do_truncate(nd.dentry, nd.mnt, length, 0, NULL);
}
put_write_access(inode);
@@ -322,7 +322,8 @@ static long do_sys_ftruncate(unsigned in
put_write_and_out:
@@ -324,7 +324,8 @@ static long do_sys_ftruncate(unsigned in
error = locks_verify_truncate(inode, file, length);
if (!error)
@@ -188,7 +187,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
out_putf:
fput(file);
out:
@@ -580,7 +581,7 @@ asmlinkage long sys_fchmod(unsigned int
@@ -582,7 +583,7 @@ asmlinkage long sys_fchmod(unsigned int
mode = inode->i_mode;
newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
@@ -197,7 +196,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
mutex_unlock(&inode->i_mutex);
out_putf:
@@ -615,7 +616,7 @@ asmlinkage long sys_fchmodat(int dfd, co
@@ -617,7 +618,7 @@ asmlinkage long sys_fchmodat(int dfd, co
mode = inode->i_mode;
newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
@@ -206,7 +205,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
mutex_unlock(&inode->i_mutex);
dput_and_out:
@@ -629,7 +630,8 @@ asmlinkage long sys_chmod(const char __u
@@ -631,7 +632,8 @@ asmlinkage long sys_chmod(const char __u
return sys_fchmodat(AT_FDCWD, filename, mode);
}
@@ -216,16 +215,16 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
struct inode * inode;
int error;
@@ -658,7 +660,7 @@ static int chown_common(struct dentry *
if (!S_ISDIR(inode->i_mode))
newattrs.ia_valid |= ATTR_KILL_SUID|ATTR_KILL_SGID;
@@ -661,7 +663,7 @@ static int chown_common(struct dentry *
newattrs.ia_valid |=
ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV;
mutex_lock(&inode->i_mutex);
- error = notify_change(dentry, &newattrs);
+ error = notify_change(dentry, mnt, &newattrs);
mutex_unlock(&inode->i_mutex);
out:
return error;
@@ -672,7 +674,7 @@ asmlinkage long sys_chown(const char __u
@@ -675,7 +677,7 @@ asmlinkage long sys_chown(const char __u
error = user_path_walk(filename, &nd);
if (error)
goto out;
@@ -234,7 +233,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
path_release(&nd);
out:
return error;
@@ -692,7 +694,7 @@ asmlinkage long sys_fchownat(int dfd, co
@@ -695,7 +697,7 @@ asmlinkage long sys_fchownat(int dfd, co
error = __user_walk_fd(dfd, filename, follow, &nd);
if (error)
goto out;
@@ -243,7 +242,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
path_release(&nd);
out:
return error;
@@ -706,7 +708,7 @@ asmlinkage long sys_lchown(const char __
@@ -709,7 +711,7 @@ asmlinkage long sys_lchown(const char __
error = user_path_walk_link(filename, &nd);
if (error)
goto out;
@@ -252,10 +251,10 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
path_release(&nd);
out:
return error;
@@ -725,7 +727,7 @@ asmlinkage long sys_fchown(unsigned int
@@ -728,7 +730,7 @@ asmlinkage long sys_fchown(unsigned int
dentry = file->f_path.dentry;
audit_inode(NULL, dentry->d_inode);
audit_inode(NULL, dentry);
- error = chown_common(dentry, user, group);
+ error = chown_common(dentry, file->f_path.mnt, user, group);
fput(file);
@@ -263,25 +262,25 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
return error;
--- a/fs/reiserfs/xattr.c
+++ b/fs/reiserfs/xattr.c
@@ -479,7 +479,7 @@ reiserfs_xattr_set(struct inode *inode,
@@ -485,7 +485,7 @@ reiserfs_xattr_set(struct inode *inode,
newattrs.ia_size = buffer_size;
newattrs.ia_valid = ATTR_SIZE | ATTR_CTIME;
mutex_lock(&xinode->i_mutex);
mutex_lock_nested(&xinode->i_mutex, I_MUTEX_XATTR);
- err = notify_change(fp->f_path.dentry, &newattrs);
+ err = notify_change(fp->f_path.dentry, NULL, &newattrs);
if (err)
goto out_filp;
@@ -819,7 +819,7 @@ reiserfs_chown_xattrs_filler(void *buf,
@@ -825,7 +825,7 @@ reiserfs_chown_xattrs_filler(void *buf,
}
if (!S_ISDIR(xafile->d_inode->i_mode))
- err = notify_change(xafile, attrs);
+ err = notify_change(xafile, NULL, attrs);
+ err = notify_change(xafile, NULL, attrs);
dput(xafile);
return err;
@@ -871,7 +871,7 @@ int reiserfs_chown_xattrs(struct inode *
@@ -877,7 +877,7 @@ int reiserfs_chown_xattrs(struct inode *
goto out_dir;
}
@@ -292,18 +291,18 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
out_dir:
--- a/fs/sysfs/file.c
+++ b/fs/sysfs/file.c
@@ -524,7 +524,7 @@ int sysfs_chmod_file(struct kobject *kob
mutex_lock(&inode->i_mutex);
@@ -614,7 +614,7 @@ int sysfs_chmod_file(struct kobject *kob
newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
- rc = notify_change(victim, &newattrs);
+ rc = notify_change(victim, NULL, &newattrs);
mutex_unlock(&inode->i_mutex);
out:
dput(victim);
if (rc == 0) {
mutex_lock(&sysfs_mutex);
--- a/fs/utimes.c
+++ b/fs/utimes.c
@@ -46,7 +46,7 @@ long do_utimes(int dfd, char __user *fil
@@ -54,7 +54,7 @@ long do_utimes(int dfd, char __user *fil
{
int error;
struct nameidata nd;
@@ -312,7 +311,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
struct inode *inode;
struct iattr newattrs;
struct file *f = NULL;
@@ -64,16 +64,17 @@ long do_utimes(int dfd, char __user *fil
@@ -77,16 +77,17 @@ long do_utimes(int dfd, char __user *fil
f = fget(dfd);
if (!f)
goto out;
@@ -333,7 +332,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
error = -EROFS;
if (IS_RDONLY(inode))
@@ -118,7 +119,7 @@ long do_utimes(int dfd, char __user *fil
@@ -131,7 +132,7 @@ long do_utimes(int dfd, char __user *fil
}
}
mutex_lock(&inode->i_mutex);
@@ -344,7 +343,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
if (f)
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1404,8 +1404,8 @@ static inline int break_lease(struct ino
@@ -1536,8 +1536,8 @@ static inline int break_lease(struct ino
/* fs/open.c */
@@ -352,10 +351,10 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
- struct file *filp);
+extern int do_truncate(struct dentry *, struct vfsmount *, loff_t start,
+ unsigned int time_attrs, struct file *filp);
extern long do_sys_open(int fdf, const char __user *filename, int flags,
extern long do_sys_open(int dfd, const char __user *filename, int flags,
int mode);
extern struct file *filp_open(const char *, int, int);
@@ -1561,7 +1561,7 @@ extern int do_remount_sb(struct super_bl
@@ -1693,7 +1693,7 @@ extern int do_remount_sb(struct super_bl
#ifdef CONFIG_BLOCK
extern sector_t bmap(struct inode *, sector_t);
#endif
@@ -366,7 +365,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
int (*check_acl)(struct inode *, int));
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -1696,7 +1696,7 @@ int __remove_suid(struct path *path, int
@@ -1627,7 +1627,7 @@ int __remove_suid(struct path *path, int
struct iattr newattrs;
newattrs.ia_valid = ATTR_FORCE | kill;
@@ -377,8 +376,8 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
int remove_suid(struct path *path)
--- a/mm/tiny-shmem.c
+++ b/mm/tiny-shmem.c
@@ -86,7 +86,7 @@ struct file *shmem_file_setup(char *name
file->f_mode = FMODE_WRITE | FMODE_READ;
@@ -81,7 +81,7 @@ struct file *shmem_file_setup(char *name
inode->i_nlink = 0; /* It is unlinked */
/* notify everyone as to the change of file size */
- error = do_truncate(dentry, size, 0, file);

6
kernel-patches/for-mainline/vfs-removexattr.diff → kernel-patches/2.6.24/vfs-removexattr.diff
View File

@@ -16,7 +16,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -1988,6 +1988,7 @@ nfsd_get_posix_acl(struct svc_fh *fhp, i
@@ -2016,6 +2016,7 @@ nfsd_get_posix_acl(struct svc_fh *fhp, i
int
nfsd_set_posix_acl(struct svc_fh *fhp, int type, struct posix_acl *acl)
{
@@ -24,7 +24,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
struct inode *inode = fhp->fh_dentry->d_inode;
char *name;
void *value = NULL;
@@ -2020,14 +2021,14 @@ nfsd_set_posix_acl(struct svc_fh *fhp, i
@@ -2048,14 +2049,14 @@ nfsd_set_posix_acl(struct svc_fh *fhp, i
} else
size = 0;
@@ -92,7 +92,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
@@ -491,7 +491,7 @@ sys_fremovexattr(int fd, char __user *na
return error;
dentry = f->f_path.dentry;
audit_inode(NULL, dentry->d_inode);
audit_inode(NULL, dentry);
- error = removexattr(dentry, name);
+ error = removexattr(dentry, f->f_path.mnt, name);
fput(f);

16
kernel-patches/for-mainline/vfs-rename.diff → kernel-patches/2.6.24/vfs-rename.diff
View File

@@ -17,7 +17,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
--- a/fs/ecryptfs/inode.c
+++ b/fs/ecryptfs/inode.c
@@ -598,19 +598,24 @@ ecryptfs_rename(struct inode *old_dir, s
@@ -577,19 +577,24 @@ ecryptfs_rename(struct inode *old_dir, s
{
int rc;
struct dentry *lower_old_dentry;
@@ -45,7 +45,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
fsstack_copy_attr_all(new_dir, lower_new_dir_dentry->d_inode, NULL);
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2434,7 +2434,8 @@ asmlinkage long sys_link(const char __us
@@ -2464,7 +2464,8 @@ asmlinkage long sys_link(const char __us
* locking].
*/
static int vfs_rename_dir(struct inode *old_dir, struct dentry *old_dentry,
@@ -55,7 +55,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
int error = 0;
struct inode *target;
@@ -2477,7 +2478,8 @@ static int vfs_rename_dir(struct inode *
@@ -2507,7 +2508,8 @@ static int vfs_rename_dir(struct inode *
}
static int vfs_rename_other(struct inode *old_dir, struct dentry *old_dentry,
@@ -65,7 +65,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
struct inode *target;
int error;
@@ -2505,7 +2507,8 @@ static int vfs_rename_other(struct inode
@@ -2535,7 +2537,8 @@ static int vfs_rename_other(struct inode
}
int vfs_rename(struct inode *old_dir, struct dentry *old_dentry,
@@ -75,7 +75,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
int error;
int is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
@@ -2534,9 +2537,11 @@ int vfs_rename(struct inode *old_dir, st
@@ -2564,9 +2567,11 @@ int vfs_rename(struct inode *old_dir, st
old_name = fsnotify_oldname_init(old_dentry->d_name.name);
if (is_dir)
@@ -89,7 +89,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
if (!error) {
const char *new_name = old_dentry->d_name.name;
fsnotify_move(old_dir, new_dir, old_name, new_name, is_dir,
@@ -2608,8 +2613,8 @@ static int do_rename(int olddfd, const c
@@ -2638,8 +2643,8 @@ static int do_rename(int olddfd, const c
if (new_dentry == trap)
goto exit5;
@@ -102,7 +102,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
exit4:
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -1655,7 +1655,8 @@ nfsd_rename(struct svc_rqst *rqstp, stru
@@ -1683,7 +1683,8 @@ nfsd_rename(struct svc_rqst *rqstp, stru
host_err = -EPERM;
} else
#endif
@@ -114,7 +114,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
if (!host_err)
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1016,7 +1016,7 @@ extern int vfs_symlink(struct inode *, s
@@ -1074,7 +1074,7 @@ extern int vfs_symlink(struct inode *, s
extern int vfs_link(struct dentry *, struct vfsmount *, struct inode *, struct dentry *, struct vfsmount *);
extern int vfs_rmdir(struct inode *, struct dentry *, struct vfsmount *);
extern int vfs_unlink(struct inode *, struct dentry *, struct vfsmount *);

18
kernel-patches/for-mainline/vfs-rmdir.diff → kernel-patches/2.6.24/vfs-rmdir.diff
View File

@@ -19,7 +19,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
--- a/fs/ecryptfs/inode.c
+++ b/fs/ecryptfs/inode.c
@@ -542,14 +542,16 @@ out:
@@ -521,14 +521,16 @@ out:
static int ecryptfs_rmdir(struct inode *dir, struct dentry *dentry)
{
struct dentry *lower_dentry;
@@ -39,7 +39,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
d_delete(lower_dentry);
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2057,7 +2057,7 @@ void dentry_unhash(struct dentry *dentry
@@ -2087,7 +2087,7 @@ void dentry_unhash(struct dentry *dentry
spin_unlock(&dcache_lock);
}
@@ -48,7 +48,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
int error = may_delete(dir, dentry, 1);
@@ -2121,7 +2121,7 @@ static long do_rmdir(int dfd, const char
@@ -2151,7 +2151,7 @@ static long do_rmdir(int dfd, const char
error = PTR_ERR(dentry);
if (IS_ERR(dentry))
goto exit2;
@@ -59,7 +59,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
mutex_unlock(&nd.dentry->d_inode->i_mutex);
--- a/fs/nfsd/nfs4recover.c
+++ b/fs/nfsd/nfs4recover.c
@@ -276,7 +276,7 @@ nfsd4_clear_clid_dir(struct dentry *dir,
@@ -274,7 +274,7 @@ nfsd4_clear_clid_dir(struct dentry *dir,
* a kernel from the future.... */
nfsd4_list_rec_dir(dentry, nfsd4_remove_clid_file);
mutex_lock_nested(&dir->d_inode->i_mutex, I_MUTEX_PARENT);
@@ -70,7 +70,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
}
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -1691,6 +1691,7 @@ nfsd_unlink(struct svc_rqst *rqstp, stru
@@ -1719,6 +1719,7 @@ nfsd_unlink(struct svc_rqst *rqstp, stru
char *fname, int flen)
{
struct dentry *dentry, *rdentry;
@@ -78,7 +78,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
struct inode *dirp;
__be32 err;
int host_err;
@@ -1705,6 +1706,7 @@ nfsd_unlink(struct svc_rqst *rqstp, stru
@@ -1733,6 +1734,7 @@ nfsd_unlink(struct svc_rqst *rqstp, stru
fh_lock_nested(fhp, I_MUTEX_PARENT);
dentry = fhp->fh_dentry;
dirp = dentry->d_inode;
@@ -86,7 +86,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
rdentry = lookup_one_len(fname, dentry, flen);
host_err = PTR_ERR(rdentry);
@@ -1722,21 +1724,21 @@ nfsd_unlink(struct svc_rqst *rqstp, stru
@@ -1750,21 +1752,21 @@ nfsd_unlink(struct svc_rqst *rqstp, stru
if (type != S_IFDIR) { /* It's UNLINK */
#ifdef MSNFS
@@ -113,7 +113,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
out_nfserr:
--- a/fs/reiserfs/xattr.c
+++ b/fs/reiserfs/xattr.c
@@ -775,7 +775,7 @@ int reiserfs_delete_xattrs(struct inode
@@ -781,7 +781,7 @@ int reiserfs_delete_xattrs(struct inode
if (dir->d_inode->i_nlink <= 2) {
root = get_xa_root(inode->i_sb, XATTR_REPLACE);
reiserfs_write_lock_xattrs(inode->i_sb);
@@ -124,7 +124,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
} else {
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1014,7 +1014,7 @@ extern int vfs_mkdir(struct inode *, str
@@ -1072,7 +1072,7 @@ extern int vfs_mkdir(struct inode *, str
extern int vfs_mknod(struct inode *, struct dentry *, struct vfsmount *, int, dev_t);
extern int vfs_symlink(struct inode *, struct dentry *, struct vfsmount *, const char *, int);
extern int vfs_link(struct dentry *, struct vfsmount *, struct inode *, struct dentry *, struct vfsmount *);

14
kernel-patches/for-mainline/vfs-setxattr.diff → kernel-patches/2.6.24/vfs-setxattr.diff
View File

@@ -16,7 +16,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -413,7 +413,8 @@ static ssize_t nfsd_getxattr(struct dent
@@ -426,7 +426,8 @@ static ssize_t nfsd_getxattr(struct dent
#if defined(CONFIG_NFSD_V4)
static int
@@ -26,7 +26,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
int len;
size_t buflen;
@@ -432,7 +433,7 @@ set_nfsv4_acl_one(struct dentry *dentry,
@@ -445,7 +446,7 @@ set_nfsv4_acl_one(struct dentry *dentry,
goto out;
}
@@ -35,7 +35,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
out:
kfree(buf);
return error;
@@ -445,6 +446,7 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqst
@@ -458,6 +459,7 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqst
__be32 error;
int host_error;
struct dentry *dentry;
@@ -43,7 +43,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
struct inode *inode;
struct posix_acl *pacl = NULL, *dpacl = NULL;
unsigned int flags = 0;
@@ -455,6 +457,7 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqst
@@ -468,6 +470,7 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqst
return error;
dentry = fhp->fh_dentry;
@@ -51,7 +51,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
inode = dentry->d_inode;
if (S_ISDIR(inode->i_mode))
flags = NFS4_ACL_DIR;
@@ -465,12 +468,14 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqst
@@ -478,12 +481,14 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqst
} else if (host_error < 0)
goto out_nfserr;
@@ -68,7 +68,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
out_release:
posix_acl_release(pacl);
@@ -2013,7 +2018,8 @@ nfsd_set_posix_acl(struct svc_fh *fhp, i
@@ -2041,7 +2046,8 @@ nfsd_set_posix_acl(struct svc_fh *fhp, i
size = 0;
if (size)
@@ -132,7 +132,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
@@ -268,7 +268,7 @@ sys_fsetxattr(int fd, char __user *name,
return error;
dentry = f->f_path.dentry;
audit_inode(NULL, dentry->d_inode);
audit_inode(NULL, dentry);
- error = setxattr(dentry, name, value, size, flags);
+ error = setxattr(dentry, f->f_vfsmnt, name, value, size, flags);
fput(f);

18
kernel-patches/for-mainline/vfs-symlink.diff → kernel-patches/2.6.24/vfs-symlink.diff
View File

@@ -17,7 +17,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
--- a/fs/ecryptfs/inode.c
+++ b/fs/ecryptfs/inode.c
@@ -470,6 +470,7 @@ static int ecryptfs_symlink(struct inode
@@ -449,6 +449,7 @@ static int ecryptfs_symlink(struct inode
{
int rc;
struct dentry *lower_dentry;
@@ -25,7 +25,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
struct dentry *lower_dir_dentry;
umode_t mode;
char *encoded_symname;
@@ -478,6 +479,7 @@ static int ecryptfs_symlink(struct inode
@@ -457,6 +458,7 @@ static int ecryptfs_symlink(struct inode
lower_dentry = ecryptfs_dentry_to_lower(dentry);
dget(lower_dentry);
@@ -33,7 +33,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
lower_dir_dentry = lock_parent(lower_dentry);
mode = S_IALLUGO;
encoded_symlen = ecryptfs_encode_filename(crypt_stat, symname,
@@ -487,7 +489,7 @@ static int ecryptfs_symlink(struct inode
@@ -466,7 +468,7 @@ static int ecryptfs_symlink(struct inode
rc = encoded_symlen;
goto out_lock;
}
@@ -44,7 +44,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
if (rc || !lower_dentry->d_inode)
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2236,7 +2236,8 @@ asmlinkage long sys_unlink(const char __
@@ -2266,7 +2266,8 @@ asmlinkage long sys_unlink(const char __
return do_unlinkat(AT_FDCWD, pathname);
}
@@ -54,7 +54,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
int error = may_create(dir, dentry, NULL);
@@ -2282,7 +2283,8 @@ asmlinkage long sys_symlinkat(const char
@@ -2312,7 +2313,8 @@ asmlinkage long sys_symlinkat(const char
if (IS_ERR(dentry))
goto out_unlock;
@@ -66,7 +66,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
mutex_unlock(&nd.dentry->d_inode->i_mutex);
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -1461,6 +1461,7 @@ nfsd_symlink(struct svc_rqst *rqstp, str
@@ -1489,6 +1489,7 @@ nfsd_symlink(struct svc_rqst *rqstp, str
struct iattr *iap)
{
struct dentry *dentry, *dnew;
@@ -74,7 +74,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
__be32 err, cerr;
int host_err;
umode_t mode;
@@ -1487,6 +1488,7 @@ nfsd_symlink(struct svc_rqst *rqstp, str
@@ -1515,6 +1516,7 @@ nfsd_symlink(struct svc_rqst *rqstp, str
if (iap && (iap->ia_valid & ATTR_MODE))
mode = iap->ia_mode & S_IALLUGO;
@@ -82,7 +82,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
if (unlikely(path[plen] != 0)) {
char *path_alloced = kmalloc(plen+1, GFP_KERNEL);
if (path_alloced == NULL)
@@ -1494,20 +1496,22 @@ nfsd_symlink(struct svc_rqst *rqstp, str
@@ -1522,20 +1524,22 @@ nfsd_symlink(struct svc_rqst *rqstp, str
else {
strncpy(path_alloced, path, plen);
path_alloced[plen] = 0;
@@ -111,7 +111,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
out:
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1012,7 +1012,7 @@ extern int vfs_permission(struct nameida
@@ -1070,7 +1070,7 @@ extern int vfs_permission(struct nameida
extern int vfs_create(struct inode *, struct dentry *, int, struct nameidata *);
extern int vfs_mkdir(struct inode *, struct dentry *, struct vfsmount *, int);
extern int vfs_mknod(struct inode *, struct dentry *, struct vfsmount *, int, dev_t);

14
kernel-patches/for-mainline/vfs-unlink.diff → kernel-patches/2.6.24/vfs-unlink.diff
View File

@@ -19,7 +19,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
--- a/fs/ecryptfs/inode.c
+++ b/fs/ecryptfs/inode.c
@@ -453,10 +453,11 @@ static int ecryptfs_unlink(struct inode
@@ -431,10 +431,11 @@ static int ecryptfs_unlink(struct inode
{
int rc = 0;
struct dentry *lower_dentry = ecryptfs_dentry_to_lower(dentry);
@@ -34,7 +34,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
goto out_unlock;
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2138,7 +2138,7 @@ asmlinkage long sys_rmdir(const char __u
@@ -2168,7 +2168,7 @@ asmlinkage long sys_rmdir(const char __u
return do_rmdir(AT_FDCWD, pathname);
}
@@ -43,7 +43,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
{
int error = may_delete(dir, dentry, 0);
@@ -2202,7 +2202,7 @@ static long do_unlinkat(int dfd, const c
@@ -2232,7 +2232,7 @@ static long do_unlinkat(int dfd, const c
inode = dentry->d_inode;
if (inode)
atomic_inc(&inode->i_count);
@@ -54,7 +54,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
}
--- a/fs/nfsd/nfs4recover.c
+++ b/fs/nfsd/nfs4recover.c
@@ -261,7 +261,7 @@ nfsd4_remove_clid_file(struct dentry *di
@@ -259,7 +259,7 @@ nfsd4_remove_clid_file(struct dentry *di
return -EINVAL;
}
mutex_lock_nested(&dir->d_inode->i_mutex, I_MUTEX_PARENT);
@@ -65,7 +65,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
}
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -1729,7 +1729,7 @@ nfsd_unlink(struct svc_rqst *rqstp, stru
@@ -1757,7 +1757,7 @@ nfsd_unlink(struct svc_rqst *rqstp, stru
host_err = -EPERM;
} else
#endif
@@ -76,7 +76,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
}
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1015,7 +1015,7 @@ extern int vfs_mknod(struct inode *, str
@@ -1073,7 +1073,7 @@ extern int vfs_mknod(struct inode *, str
extern int vfs_symlink(struct inode *, struct dentry *, struct vfsmount *, const char *, int);
extern int vfs_link(struct dentry *, struct vfsmount *, struct inode *, struct dentry *, struct vfsmount *);
extern int vfs_rmdir(struct inode *, struct dentry *, struct vfsmount *);
@@ -87,7 +87,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
/*
--- a/ipc/mqueue.c
+++ b/ipc/mqueue.c
@@ -748,7 +748,7 @@ asmlinkage long sys_mq_unlink(const char
@@ -744,7 +744,7 @@ asmlinkage long sys_mq_unlink(const char
if (inode)
atomic_inc(&inode->i_count);

Some files were not shown because too many files have changed in this diff Show More