diff --git a/kernel-patches/for-mainline/apparmor-audit-flags2.diff b/kernel-patches/for-mainline/apparmor-audit-flags2.diff index a7f2888df..b53298e6d 100644 --- a/kernel-patches/for-mainline/apparmor-audit-flags2.diff +++ b/kernel-patches/for-mainline/apparmor-audit-flags2.diff @@ -1,15 +1,15 @@ --- - security/apparmor/apparmor.h | 16 - + security/apparmor/apparmor.h | 14 - security/apparmor/apparmorfs.c | 2 - security/apparmor/inline.h | 14 - security/apparmor/main.c | 502 +++++++++++++++++++---------------- + security/apparmor/inline.h | 14 - + security/apparmor/main.c | 490 +++++++++++++++++++---------------- security/apparmor/match.c | 9 security/apparmor/module_interface.c | 10 - 6 files changed, 322 insertions(+), 231 deletions(-) + 6 files changed, 309 insertions(+), 230 deletions(-) --- a/security/apparmor/apparmor.h +++ b/security/apparmor/apparmor.h -@@ -46,8 +46,7 @@ +@@ -44,8 +44,7 @@ AA_EXEC_MOD_2 | AA_EXEC_MOD_3 | \ AA_EXEC_MOD_4) @@ -19,7 +19,7 @@ #define AA_EXEC_UNCONFINED AA_EXEC_MOD_0 #define AA_EXEC_INHERIT AA_EXEC_MOD_1 -@@ -87,6 +86,10 @@ +@@ -85,6 +84,10 @@ AA_AUDIT_FIELD) #define AA_VALID_PERM_MASK (AA_FILE_PERMS | AA_SHARED_PERMS) @@ -30,7 +30,7 @@ #define AA_VALID_PERM2_MASK 0x0fffffff #define AA_SECURE_EXEC_NEEDED 1 -@@ -181,11 +184,16 @@ struct aa_profile { +@@ -179,6 +182,9 @@ struct aa_profile { int isstale; kernel_cap_t capabilities; @@ -40,14 +40,7 @@ struct kref count; struct list_head task_contexts; spinlock_t lock; - unsigned long int_flags; - u16 network_families[AF_MAX]; -+ u16 audit_network[AF_MAX]; -+ u16 quiet_network[AF_MAX]; - }; - - extern struct list_head profile_ns_list; -@@ -229,7 +237,7 @@ struct aa_audit { +@@ -226,7 +232,7 @@ struct aa_audit { const char *name; const char *name2; const char *name3; 
@@ -55,8 +48,8 @@ + int request_mask, denied_mask, audit_mask; struct iattr *iattr; pid_t task, parent; - int family, type, protocol; -@@ -338,7 +346,7 @@ extern struct aa_dfa *aa_match_alloc(voi + int error_code; +@@ -331,7 +337,7 @@ extern struct aa_dfa *aa_match_alloc(voi extern void aa_match_free(struct aa_dfa *dfa); extern int unpack_dfa(struct aa_dfa *dfa, void *blob, size_t size); extern int verify_dfa(struct aa_dfa *dfa); @@ -102,7 +95,7 @@ #endif /* __INLINE_H__ */ --- a/security/apparmor/main.c +++ b/security/apparmor/main.c -@@ -39,204 +39,6 @@ static int aa_inode_mode(struct inode *i +@@ -36,204 +36,6 @@ static int aa_inode_mode(struct inode *i return AA_OTHER_SHIFT; } @@ -307,7 +300,7 @@ int alloc_default_namespace(void) { struct aa_namespace *ns; -@@ -510,20 +312,259 @@ int aa_audit(struct aa_profile *profile, +@@ -471,20 +273,259 @@ int aa_audit(struct aa_profile *profile, int type = AUDIT_APPARMOR_DENIED; struct audit_context *audit_cxt; @@ -575,7 +568,7 @@ /** * aa_attr - check if attribute change is allowed * @profile: profile to check against -@@ -660,10 +701,11 @@ int aa_perm_path(struct aa_profile *prof +@@ -621,10 +662,11 @@ int aa_perm_path(struct aa_profile *prof else sa.request_mask = mask << AA_OTHER_SHIFT; @@ -589,7 +582,7 @@ } /** -@@ -699,7 +741,7 @@ int aa_capability(struct aa_task_context +@@ -660,7 +702,7 @@ int aa_capability(struct aa_task_context sa.name = capability_names[cap]; sa.error_code = error; @@ -598,7 +591,7 @@ return error; } -@@ -748,11 +790,12 @@ int aa_link(struct aa_profile *profile, +@@ -709,11 +751,12 @@ int aa_link(struct aa_profile *profile, if (sa.name && sa.name2) { sa.denied_mask = aa_link_denied(profile, sa.name, sa.name2, aa_inode_mode(target->d_inode), 
@@ -613,40 +606,7 @@ aa_put_name_buffer(buffer); aa_put_name_buffer(buffer2); -@@ -765,7 +808,7 @@ int aa_net_perm(struct aa_profile *profi - { - struct aa_audit sa; - int error = 0; -- u16 family_mask; -+ u16 family_mask, audit_mask, quiet_mask; - - if ((family < 0) || (family >= AF_MAX)) - return -EINVAL; -@@ -778,6 +821,8 @@ int aa_net_perm(struct aa_profile *profi - return 0; - - family_mask = profile->network_families[family]; -+ audit_mask = profile->audit_network[family]; -+ quiet_mask = profile->quiet_network[family]; - - error = (family_mask & (1 << type)) ? 0 : -EACCES; - -@@ -789,6 +834,14 @@ int aa_net_perm(struct aa_profile *profi - sa.protocol = protocol; - sa.error_code = error; - -+ if (likely(!error)) { -+ if (!PROFILE_AUDIT(profile) && !(family_mask & audit_mask)) -+ return 0; -+ } else if (!((1 << type) & ~quiet_mask)) { -+//printk("Quieting network %d family 0x%x audit 0x%x quiet 0x%x\n", family, family_mask, audit_mask, quiet_mask); -+ return error; -+ } -+//printk("auditing network\n"); - error = aa_audit(profile, &sa); - - return error; -@@ -898,8 +951,8 @@ aa_register_find(struct aa_profile *prof +@@ -802,8 +845,8 @@ aa_register_find(struct aa_profile *prof new_profile = aa_dup_profile(profile->ns->null_complain_profile); } else { @@ -657,7 +617,7 @@ } } else { /* Only way we can get into this code is if task -@@ -959,7 +1012,8 @@ repeat: +@@ -863,7 +906,8 @@ repeat: /* Confined task, determine what mode inherit, unconfined or * mandatory to load new profile */ @@ -667,7 +627,7 @@ if (exec_mode & sa.request_mask) { switch ((exec_mode >> shift) & AA_EXEC_MODIFIERS) { -@@ -1002,6 +1056,9 @@ repeat: +@@ -906,6 +950,9 @@ repeat: break; } @@ -677,7 +637,7 @@ } else if (complain) { /* There was no entry in calling profile * describing mode to execute image in. -@@ -1012,8 +1069,8 @@ repeat: +@@ -916,8 +963,8 @@ repeat: exec_mode |= AA_EXEC_UNSAFE << shift; } else { sa.denied_mask = sa.request_mask; 
@@ -688,7 +648,7 @@ } } else { /* Unconfined task, load profile if it exists */ -@@ -1069,6 +1126,7 @@ repeat: +@@ -973,6 +1020,7 @@ repeat: sa.info = "set profile"; aa_audit_hint(new_profile, &sa); } @@ -696,7 +656,7 @@ cleanup: aa_put_name_buffer(buffer); if (IS_ERR(new_profile)) -@@ -1245,7 +1303,7 @@ repeat: +@@ -1149,7 +1197,7 @@ repeat: if (PROFILE_COMPLAIN(profile) || (ns == profile->ns && @@ -705,7 +665,7 @@ error = do_change_profile(profile, ns, name, 0, 0, &sa); else { /* check for a rule with a namespace prepended */ -@@ -1452,9 +1510,11 @@ void aa_change_task_context(struct task_ +@@ -1356,9 +1404,11 @@ void aa_change_task_context(struct task_ call_rcu(&old_cxt->rcu, free_aa_task_context_rcu_callback); } if (new_cxt) { @@ -752,7 +712,7 @@ /** --- a/security/apparmor/module_interface.c +++ b/security/apparmor/module_interface.c -@@ -312,6 +312,10 @@ static struct aa_profile *aa_unpack_prof +@@ -310,6 +310,10 @@ static struct aa_profile *aa_unpack_prof if (!aa_is_u32(e, &(profile->capabilities), NULL)) goto fail; @@ -761,20 +721,20 @@ + if (!aa_is_u32(e, &(profile->quiet_caps), NULL)) + goto fail; - size = aa_is_array(e, "net_allowed_af"); - if (size) { -@@ -321,6 +325,10 @@ static struct aa_profile *aa_unpack_prof - for (i = 0; i < size; i++) { - if (!aa_is_u16(e, &profile->network_families[i], NULL)) - goto fail; + /* get file rules */ + profile->file_rules = aa_unpack_dfa(e); +@@ -317,6 +321,10 @@ static struct aa_profile *aa_unpack_prof + error = PTR_ERR(profile->file_rules); + profile->file_rules = NULL; + goto fail; + if (!aa_is_u16(e, &profile->audit_network[i], NULL)) + goto fail; + if (!aa_is_u16(e, &profile->quiet_network[i], NULL)) + goto fail; - } - if (!aa_is_nameX(e, AA_ARRAYEND, NULL)) - goto fail; -@@ -380,7 +388,7 @@ static int aa_verify_header(struct aa_ex + } + + if (!aa_is_nameX(e, AA_STRUCTEND, NULL)) +@@ -360,7 +368,7 @@ static int aa_verify_header(struct aa_ex } /* check that the interface version is currently supported */ 
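Review bot: In the refreshed module_interface.c hunk of apparmor-audit-flags2.diff, the two added checks `aa_is_u16(e, &profile->audit_network[i], NULL)` and `aa_is_u16(e, &profile->quiet_network[i], NULL)` now sit directly after the unconditional `goto fail;` of the file_rules error path, so they can never run. They also use `i` and the `audit_network`/`quiet_network` fields, which this commit moves into apparmor-network.diff, and the series file now applies that patch after this one, so this patch probably no longer builds on its own. The four lines should be dropped here and the unpack placed in the `net_allowed_af` loop of apparmor-network.diff, next to the `network_families[i]` read. As far as the visible hunks show, that loop is not updated, which would leave both masks zero and the audit/quiet branches in aa_net_perm without effect. aa_unpack_profile starts and ends outside the hunk.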
diff --git a/kernel-patches/for-mainline/apparmor-intree.diff b/kernel-patches/for-mainline/apparmor-intree.diff index 88a6357cf..2a5edc013 100644 --- a/kernel-patches/for-mainline/apparmor-intree.diff +++ b/kernel-patches/for-mainline/apparmor-intree.diff @@ -5,10 +5,9 @@ Signed-off-by: John Johansen Signed-off-by: Andreas Gruenbacher --- - security/Kconfig | 1 + - security/Makefile | 1 + - security/apparmor/Kconfig | 3 ++- - 3 files changed, 4 insertions(+), 1 deletion(-) + security/Kconfig | 1 + + security/Makefile | 1 + + 2 files changed, 2 insertions(+) --- a/security/Kconfig +++ b/security/Kconfig @@ -29,14 +28,3 @@ Signed-off-by: Andreas Gruenbacher +obj-$(CONFIG_SECURITY_APPARMOR) += commoncap.o apparmor/ obj-$(CONFIG_SECURITY_CAPABILITIES) += commoncap.o capability.o obj-$(CONFIG_SECURITY_ROOTPLUG) += commoncap.o root_plug.o ---- a/security/apparmor/Kconfig -+++ b/security/apparmor/Kconfig -@@ -1,6 +1,7 @@ - config SECURITY_APPARMOR - tristate "AppArmor support" -- depends on SECURITY!=n -+ depends on SECURITY -+ select AUDIT - help - This enables the AppArmor security module. - Required userspace tools (if they are not included in your diff --git a/kernel-patches/for-mainline/apparmor-misc.diff b/kernel-patches/for-mainline/apparmor-misc.diff index a5280dc60..4b6c42675 100644 --- a/kernel-patches/for-mainline/apparmor-misc.diff +++ b/kernel-patches/for-mainline/apparmor-misc.diff @@ -11,7 +11,7 @@ Signed-off-by: John Johansen Signed-off-by: Andreas Gruenbacher --- - security/apparmor/Kconfig | 9 + + security/apparmor/Kconfig | 10 + security/apparmor/Makefile | 13 ++ security/apparmor/apparmor.h | 257 +++++++++++++++++++++++++++++++++++++++++ security/apparmor/apparmorfs.c | 252 ++++++++++++++++++++++++++++++++++++++++ @@ -19,14 +19,15 @@ 
Signed-off-by: Andreas Gruenbacher security/apparmor/list.c | 94 ++++++++++++++ security/apparmor/locking.txt | 68 ++++++++++ security/apparmor/procattr.c | 155 ++++++++++++++++++++++++ - 8 files changed, 1059 insertions(+) + 8 files changed, 1060 insertions(+) --- /dev/null +++ b/security/apparmor/Kconfig -@@ -0,0 +1,9 @@ +@@ -0,0 +1,10 @@ +config SECURITY_APPARMOR + tristate "AppArmor support" -+ depends on SECURITY!=n ++ depends on SECURITY ++ select AUDIT + help + This enables the AppArmor security module. + Required userspace tools (if they are not included in your diff --git a/kernel-patches/for-mainline/apparmor-network.diff b/kernel-patches/for-mainline/apparmor-network.diff index b15eb6b54..96f8e4761 100644 --- a/kernel-patches/for-mainline/apparmor-network.diff +++ b/kernel-patches/for-mainline/apparmor-network.diff @@ -1,10 +1,10 @@ --- security/apparmor/Makefile | 7 + - security/apparmor/apparmor.h | 7 + + security/apparmor/apparmor.h | 9 ++ security/apparmor/lsm.c | 147 ++++++++++++++++++++++++++++++++++- - security/apparmor/main.c | 96 ++++++++++++++++++++++ + security/apparmor/main.c | 106 +++++++++++++++++++++++++ security/apparmor/module_interface.c | 20 ++++ - 5 files changed, 273 insertions(+), 4 deletions(-) + 5 files changed, 285 insertions(+), 4 deletions(-) --- a/security/apparmor/Makefile +++ b/security/apparmor/Makefile 
@@ -32,23 +32,25 @@ /* * We use MAY_READ, MAY_WRITE, MAY_EXEC, MAY_APPEND and the following flags -@@ -114,6 +116,7 @@ struct aa_profile { +@@ -199,6 +201,9 @@ struct aa_profile { struct list_head task_contexts; spinlock_t lock; unsigned long int_flags; + u16 network_families[AF_MAX]; ++ u16 audit_network[AF_MAX]; ++ u16 quiet_network[AF_MAX]; }; - extern struct list_head profile_list; -@@ -159,6 +162,7 @@ struct aa_audit { - int requested_mask, denied_mask; + extern struct list_head profile_ns_list; +@@ -245,6 +250,7 @@ struct aa_audit { + int request_mask, denied_mask, audit_mask; struct iattr *iattr; pid_t task, parent; + int family, type, protocol; int error_code; }; -@@ -223,6 +227,9 @@ extern void aa_change_task_context(struc +@@ -306,6 +312,9 @@ extern void aa_change_task_context(struc struct aa_profile *previous_profile); extern int aa_may_ptrace(struct aa_task_context *cxt, struct aa_profile *tracee); @@ -56,8 +58,8 @@ + int family, int type, int protocol); +extern int aa_revalidate_sk(struct sock *sk, char *operation); - /* list.c */ - extern void aa_profilelist_release(void); + /* lsm.c */ + extern int apparmor_initialized; --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -18,6 +18,7 @@ @@ -68,7 +70,7 @@ #include "apparmor.h" #include "inline.h" -@@ -605,6 +606,133 @@ static void apparmor_task_free_security( +@@ -653,6 +654,133 @@ static void apparmor_task_free_security( aa_release(task); } @@ -202,7 +204,7 @@ static int apparmor_getprocattr(struct task_struct *task, char *name, char **value) { -@@ -705,9 +833,6 @@ struct security_operations apparmor_ops +@@ -753,9 +881,6 @@ struct security_operations apparmor_ops .capable = apparmor_capable, .syslog = cap_syslog, 
@@ -212,7 +214,7 @@ .bprm_apply_creds = cap_bprm_apply_creds, .bprm_set_security = apparmor_bprm_set_security, .bprm_secureexec = apparmor_bprm_secureexec, -@@ -743,6 +868,22 @@ struct security_operations apparmor_ops +@@ -791,6 +916,22 @@ struct security_operations apparmor_ops .getprocattr = apparmor_getprocattr, .setprocattr = apparmor_setprocattr, @@ -234,7 +236,7 @@ + .socket_getpeersec_dgram = apparmor_socket_getpeersec_dgram, }; - static void info_message(const char *str) + void info_message(const char *str) --- a/security/apparmor/main.c +++ b/security/apparmor/main.c @@ -14,6 +14,9 @@ @@ -247,8 +249,8 @@ #include "apparmor.h" -@@ -283,6 +286,24 @@ static void aa_audit_file_mask(struct au - audit_log_format(ab, " %s=\"%s\"", name, mask_str); +@@ -133,6 +136,24 @@ static void aa_audit_file_mask(struct au + audit_log_format(ab, " %s=\"%s::%s\"", name, user, other); } +static const char *address_families[] = { @@ -272,7 +274,7 @@ /** * aa_audit - Log an audit event to the audit subsystem * @profile: profile to check against -@@ -348,6 +369,24 @@ static int aa_audit_base(struct aa_profi +@@ -204,6 +225,25 @@ static int aa_audit_base(struct aa_profi audit_log_untrustedstring(ab, sa->name2); } @@ -294,10 +296,11 @@ + audit_log_format(ab, " protocol=%d", sa->protocol); + } + ++ audit_log_format(ab, " pid=%d", current->pid); audit_log_format(ab, " pid=%d", current->pid); if (profile) { -@@ -660,6 +699,63 @@ int aa_link(struct aa_profile *profile, +@@ -766,6 +806,72 @@ int aa_link(struct aa_profile *profile, return error; } @@ -306,7 +309,7 @@ +{ + struct aa_audit sa; + int error = 0; -+ u16 family_mask; ++ u16 family_mask, audit_mask, quiet_mask; + + if ((family < 0) || (family >= AF_MAX)) + return -EINVAL; @@ -319,6 +322,8 @@ + return 0; + + family_mask = profile->network_families[family]; ++ audit_mask = profile->audit_network[family]; ++ quiet_mask = profile->quiet_network[family]; + + error = (family_mask & (1 << type)) ? 0 : -EACCES; + 
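Review bot: The refreshed aa_audit_base hunk in apparmor-network.diff adds `audit_log_format(ab, " pid=%d", current->pid);` immediately before the identical context line, so every record would carry `pid=` twice. Duplicate keys make audit records ambiguous for log parsers and detection rules, which may take the first or the last match. The added line looks like a refresh artifact and should be removed, so that the network block ends at the blank line before the existing pid output. aa_audit_base continues outside the hunk.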
@@ -330,6 +335,13 @@ + sa.protocol = protocol; + sa.error_code = error; + ++ if (likely(!error)) { ++ if (!PROFILE_AUDIT(profile) && !(family_mask & audit_mask)) ++ return 0; ++ } else if (!((1 << type) & ~quiet_mask)) { ++ return error; ++ } ++ + error = aa_audit(profile, &sa); + + return error; @@ -363,7 +375,7 @@ *******************************/ --- a/security/apparmor/module_interface.c +++ b/security/apparmor/module_interface.c -@@ -282,6 +282,8 @@ static struct aa_profile *aa_unpack_prof +@@ -283,6 +283,8 @@ static struct aa_profile *aa_unpack_prof { struct aa_profile *profile = NULL; struct aa_audit sa; @@ -372,8 +384,8 @@ int error = -EPROTO; -@@ -310,6 +312,24 @@ static struct aa_profile *aa_unpack_prof - if (!aa_is_u32(e, &(profile->capabilities), NULL)) +@@ -317,6 +319,24 @@ static struct aa_profile *aa_unpack_prof + if (!aa_is_u32(e, &(profile->set_caps), NULL)) goto fail; + size = aa_is_array(e, "net_allowed_af"); diff --git a/kernel-patches/for-mainline/rlimits.diff b/kernel-patches/for-mainline/rlimits.diff index f38af0dc7..60d54c8ce 100644 --- a/kernel-patches/for-mainline/rlimits.diff +++ b/kernel-patches/for-mainline/rlimits.diff @@ -1,9 +1,10 @@ --- security/apparmor/apparmor.h | 23 ++++++ + security/apparmor/apparmorfs.c | 2 security/apparmor/lsm.c | 16 ++++ security/apparmor/main.c | 132 +++++++++++++++++++++++++++++++---- security/apparmor/module_interface.c | 56 ++++++++++++++ - 4 files changed, 214 insertions(+), 13 deletions(-) + 5 files changed, 215 insertions(+), 14 deletions(-) --- a/security/apparmor/apparmor.h +++ b/security/apparmor/apparmor.h 
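Review bot: In aa_net_perm the allowed path tests `!(family_mask & audit_mask)`, which is true for any audited type in the family, while the denied path tests the requested type with `(1 << type) & ~quiet_mask`. If auditing is meant per socket type, the condition should read `if (!PROFILE_AUDIT(profile) && !((1 << type) & audit_mask))`; otherwise one audited type makes every allowed type in that family log. Separately, `1 << type` is compared against u16 masks and no bound on `type` is visible in these hunks. If none exists elsewhere, a value of 16 or more is always denied and never quieted, and a negative or 32-and-above value is undefined, so a range check beside the existing `family` check would help. The function body continues outside the hunk.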
@@ -72,6 +73,17 @@ /* lsm.c */ extern int apparmor_initialized; +--- a/security/apparmor/apparmorfs.c ++++ b/security/apparmor/apparmorfs.c +@@ -105,7 +105,7 @@ static ssize_t aa_features_read(struct f + { + const char *features = "file=3.0 capability=2.0 network=1.0 " + "change_hat=1.4 change_profile=1.0 " +- "aanamespaces=1.0"; ++ "aanamespaces=1.0 rlimit=1.0"; + + return simple_read_from_buffer(buf, size, ppos, features, + strlen(features)); --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -856,6 +856,21 @@ static int apparmor_setprocattr(struct t @@ -106,7 +118,7 @@ .setprocattr = apparmor_setprocattr, --- a/security/apparmor/main.c +++ b/security/apparmor/main.c -@@ -196,6 +196,9 @@ static int aa_audit_base(struct aa_profi +@@ -176,6 +176,9 @@ static int aa_audit_base(struct aa_profi if (sa->request_mask) audit_log_format(ab, " fsuid=%d", current->fsuid); @@ -116,7 +128,7 @@ if (sa->iattr) { struct iattr *iattr = sa->iattr; -@@ -873,6 +876,79 @@ int aa_revalidate_sk(struct sock *sk, ch +@@ -871,6 +874,79 @@ int aa_revalidate_sk(struct sock *sk, ch return error; } @@ -196,7 +208,7 @@ /******************************* * Global task related functions -@@ -886,6 +962,7 @@ int aa_revalidate_sk(struct sock *sk, ch +@@ -884,6 +960,7 @@ int aa_revalidate_sk(struct sock *sk, ch */ int aa_clone(struct task_struct *child) { @@ -204,7 +216,7 @@ struct aa_task_context *cxt, *child_cxt; struct aa_profile *profile; -@@ -895,6 +972,11 @@ int aa_clone(struct task_struct *child) +@@ -893,6 +970,11 @@ int aa_clone(struct task_struct *child) if (!child_cxt) return -ENOMEM; @@ -216,7 +228,7 @@ repeat: profile = aa_get_profile(current); if (profile) { -@@ -911,18 +993,22 @@ repeat: +@@ -909,18 +991,22 @@ repeat: goto repeat; } @@ -244,7 +256,7 @@ aa_audit_hint(profile, &sa); } aa_put_profile(profile); -@@ -1100,6 +1186,10 @@ repeat: +@@ -1098,6 +1184,10 @@ repeat: sa.task = current->parent->pid; aa_audit_reject(profile, &sa); } 
@@ -255,7 +267,7 @@ new_profile = old_profile; goto cleanup; } -@@ -1239,6 +1329,12 @@ static int do_change_profile(struct aa_p +@@ -1237,6 +1327,12 @@ static int do_change_profile(struct aa_p goto out; } @@ -268,7 +280,7 @@ if (new_profile == ns->null_complain_profile) aa_audit_hint(cxt->profile, sa); -@@ -1427,17 +1523,18 @@ struct aa_profile *__aa_replace_profile( +@@ -1425,17 +1521,18 @@ struct aa_profile *__aa_replace_profile( cxt = lock_task_and_profiles(task, profile); if (unlikely(profile && profile->isstale)) { @@ -295,7 +307,7 @@ } if (cxt) -@@ -1445,8 +1542,15 @@ struct aa_profile *__aa_replace_profile( +@@ -1443,8 +1540,15 @@ struct aa_profile *__aa_replace_profile( aa_change_task_context(task, new_cxt, profile, 0, NULL); task_unlock(task); @@ -311,7 +323,7 @@ } /** -@@ -1511,6 +1615,7 @@ void aa_change_task_context(struct task_ +@@ -1509,6 +1613,7 @@ void aa_change_task_context(struct task_ if (old_cxt) { list_del_init(&old_cxt->list); @@ -319,7 +331,7 @@ call_rcu(&old_cxt->rcu, free_aa_task_context_rcu_callback); } if (new_cxt) { -@@ -1522,6 +1627,7 @@ void aa_change_task_context(struct task_ +@@ -1520,6 +1625,7 @@ void aa_change_task_context(struct task_ new_cxt->cookie = cookie; new_cxt->task = task; new_cxt->profile = aa_dup_profile(profile); diff --git a/kernel-patches/for-mainline/series b/kernel-patches/for-mainline/series index 2c7fe80bf..51ce9e5c6 100644 --- a/kernel-patches/for-mainline/series +++ b/kernel-patches/for-mainline/series @@ -49,10 +49,9 @@ apparmor-lsm.diff apparmor-module_interface.diff apparmor-misc.diff apparmor-intree.diff -apparmor-network.diff + fix-rcu-deref.diff fix-name-errorpath.diff -fix-net.diff change-profile-kernel-v2.diff expand-dfa.diff #slash-null-dfa.diff 
@@ -67,6 +66,17 @@ split_init.diff apparmor-fix-sysctl-refcount.diff apparmor-fix-lock-letter.diff fix-link-subset.diff +hat_perm.diff +extend-x-mods.diff +no-safex-link-subset.diff +apparmor-create-append.diff +apparmor-failed-name-error.diff +audit-uid.diff +apparmor-secondary-accept.diff +apparmor-audit-flags2.diff +fix-profile-namespaces.diff +fix-dfa.diff +cap-set.diff #foobar.diff # # NOT YET # ecryptfs-d_revalidate.diff @@ -92,21 +102,13 @@ fix-link-subset.diff # vfs_unlink-args.diff # may_delete-args.diff #fix-change_profile-namespace.diff -hat_perm.diff -extend-x-mods.diff -no-safex-link-subset.diff -apparmor-create-append.diff -apparmor-failed-name-error.diff -audit-uid.diff -apparmor-secondary-accept.diff -apparmor-audit-flags2.diff -audit-log-type-in-syslog.diff + #audit_denied.diff #apparmor-audit-flags.diff #FS2.2.2_fix-unionfs-with-AppArmor.patch #FS2.1.3_fix-unionfs-with-AppArmor.patch -fix-profile-namespaces.diff -fix-dfa.diff -cap-set.diff +apparmor-network.diff +fix-net.diff rlimits.diff +audit-log-type-in-syslog.diff