Enable fix-aa_register.diff. Add no-new-namespaces.diff.

2025-03-04 08:24:42 +01:00 · 2007-02-24 18:14:47 +00:00 · 2007-02-24 18:14:47 +00:00 · 06a239c9c8
commit 06a239c9c8
parent bd442e3869
4 changed files with 40 additions and 4 deletions
--- a/kernel-patches/for-mainline/fix-aa_register.diff
+++ b/kernel-patches/for-mainline/fix-aa_register.diff
@ -2,7 +2,7 @@ Index: b/security/apparmor/main.c
 ===================================================================
 --- a/security/apparmor/main.c
 +++ b/security/apparmor/main.c
-@@ -844,16 +844,16 @@ repeat:
+@@ -843,16 +843,16 @@ repeat:
 		 */
 		exec_mode = aa_match(profile->file_rules, filename);
 
@ -23,7 +23,7 @@ Index: b/security/apparmor/main.c
 				AA_DEBUG("%s: UNCONSTRAINED %s\n",
 					 __FUNCTION__,
 					 filename);
-@@ -862,7 +862,7 @@ repeat:
+@@ -861,7 +861,7 @@ repeat:
 				newprofile = NULL;
 				break;
 
--- a/kernel-patches/for-mainline/no-new-namespaces.diff
+++ b/kernel-patches/for-mainline/no-new-namespaces.diff
@ -0,0 +1,35 @@
+Index: b/security/apparmor/lsm.c
+===================================================================
+--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
+@@ -467,6 +467,22 @@ out:
+ 	return error;
+ }
+ 
+static int apparmor_task_create(unsigned long clone_flags)
+{
+	struct aa_profile *profile;
+	int error = 0;
+
+	profile = aa_get_profile(current);
+	if (profile) {
+		/* Don't allow to create new namespaces. */
+		if (clone_flags & CLONE_NEWNS)
+			error = -EPERM;
+	}
+	aa_put_profile(profile);
+
+	return error;
+}
+
+ static int apparmor_file_alloc_security(struct file *file)
+ {
+ 	struct aa_profile *profile;
+@@ -714,6 +730,7 @@ struct security_operations apparmor_ops 
+ 	.file_mmap =			apparmor_file_mmap,
+ 	.file_mprotect =		apparmor_file_mprotect,
+ 
+	.task_create =			apparmor_task_create,
+ 	.task_alloc_security =		apparmor_task_alloc_security,
+ 	.task_free_security =		apparmor_task_free_security,
+ 	.task_post_setuid =		apparmor_task_post_setuid,
--- a/kernel-patches/for-mainline/rework-locking-2.diff
+++ b/kernel-patches/for-mainline/rework-locking-2.diff
@ -107,7 +107,7 @@ Index: b/security/apparmor/main.c
 +				new_profile = NULL;
 				break;
 
- 			case AA_EXEC_PROFILE:
+ 			case MAY_EXEC | AA_EXEC_PROFILE:
 				AA_DEBUG("%s: PROFILE %s\n",
 					 __FUNCTION__,
 					 filename);
--- a/kernel-patches/for-mainline/series
+++ b/kernel-patches/for-mainline/series
@ -70,7 +70,7 @@ match-changes.diff
 rename-audit_context.diff
 cleanup-aa_register.diff
 cleanup-aa_register-2.diff
-# ? fix-aa_register.diff
+fix-aa_register.diff
 rewrite-profile-list-functions.diff
 make-parent-point-to-itself.diff
 per-profile-task-contexts.diff
@ -84,3 +84,4 @@ tell-files-from-dirs.diff
 ptrace.diff
 clarify-audit-status-handling.diff
 link-subset-check.diff
+no-new-namespaces.diff