M vfs-mkdir.diff

- pass vfsmnt param for cgroups

A    fix-user-audit.diff
- nothing

A    fix-link-subset.diff
- fix reporting of failed link subsets

A    apparmor-fix-lock-letter.diff
- fix the reported lock letter in apparmorfs/matching
- reverted audit request_mask back to requested_mask

A    apparmor-fix-sysctl-refcount.diff
- fix a refcount leak in sysctl audit

kernel-patches/for-mainline/apparmor-fix-lock-letter.diff

@@ -0,0 +1,36 @@
+---
+ security/apparmor/apparmorfs.c |    2 +-
+ security/apparmor/main.c       |    4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -89,7 +89,7 @@ static struct file_operations apparmorfs
+ static ssize_t aa_matching_read(struct file *file, char __user *buf,
+ 			       size_t size, loff_t *ppos)
+ {
+-	const char *matching = "pattern=aadfa perms=rwxamlz user:other";
++	const char *matching = "pattern=aadfa perms=rwxamlk/ user:other";
+ 
+ 	return simple_read_from_buffer(buf, size, ppos, matching,
+ 				       strlen(matching));
+--- a/security/apparmor/main.c
++++ b/security/apparmor/main.c
+@@ -99,7 +99,7 @@ static int aa_link_denied(struct aa_prof
+ 	/* Link always requires 'l' on the link for both parts of the pair.
+ 	 * If a subset test is required a permission subset test of the
+ 	 * perms for the link are done against the user:group:other of the
+-	 * target's 'r', 'w', 'x', 'a', 'z', and 'm' permissions.
++	 * target's 'r', 'w', 'x', 'a', 'k', and 'm' permissions.
+ 	 *
+ 	 * If the link has 'x', an exact match of all the execute flags
+ 	 * ('i', 'u', 'p').  safe exec is treated as a subset of unsafe exec
+@@ -388,7 +388,7 @@ static int aa_audit_base(struct aa_profi
+ 		audit_log_format(ab, " info=\"%s\"", sa->info);
+ 
+ 	if (sa->request_mask)
+-		aa_audit_file_mask(ab, "request_mask", sa->request_mask);
++		aa_audit_file_mask(ab, "requested_mask", sa->request_mask);
+ 
+ 	if (sa->denied_mask)
+ 		aa_audit_file_mask(ab, "denied_mask", sa->denied_mask);

kernel-patches/for-mainline/apparmor-fix-sysctl-refcount.diff

@@ -0,0 +1,14 @@
+---
+ security/apparmor/lsm.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -249,6 +249,7 @@ static int apparmor_sysctl(struct ctl_ta
+ 	}
+ 
+ out:
++	aa_put_profile(profile);
+ 	return error;
+ }
+ 

kernel-patches/for-mainline/fix-link-subset.diff

@@ -0,0 +1,73 @@
+---
+ security/apparmor/main.c |   35 +++++++++++++++++++----------------
+ 1 file changed, 19 insertions(+), 16 deletions(-)
+
+--- a/security/apparmor/main.c
++++ b/security/apparmor/main.c
+@@ -68,7 +68,7 @@ static int aa_link_denied(struct aa_prof
+ 			  int *request_mask)
+ {
+ 	unsigned int state;
+-	int l_mode, t_mode, denied_mask = 0;
++	int l_mode, t_mode, l_subset, denied_mask = 0;
+ 	int link_mask = AA_MAY_LINK << target_mode;
+ 
+ 	*request_mask = link_mask;
+@@ -83,31 +83,35 @@ static int aa_link_denied(struct aa_prof
+ 
+ 		if (!(mode & link_mask))
+ 			denied_mask |= link_mask;
++		/* return if link subset test is not required */
+ 		if (!(mode & (AA_LINK_SUBSET_TEST << target_mode)))
+ 			return denied_mask;
+ 	}
+ 
+-	/* do link perm subset test */
+-	t_mode = aa_match(profile->file_rules, target);
+-
+-	/* Ignore valid-profile-transition flags. */
+-	l_mode &= ~AA_SHARED_PERMS;
+-	t_mode &= ~AA_SHARED_PERMS;
+-
+-	*request_mask = l_mode | link_mask;
+-
+-	/* Link always requires 'l' on the link for both parts of the pair.
++	/* Do link perm subset test
+ 	 * If a subset test is required a permission subset test of the
+ 	 * perms for the link are done against the user:group:other of the
+ 	 * target's 'r', 'w', 'x', 'a', 'k', and 'm' permissions.
+ 	 *
+ 	 * If the link has 'x', an exact match of all the execute flags
+-	 * ('i', 'u', 'p').  safe exec is treated as a subset of unsafe exec
++	 * must match.
+  	 */
+-#define SUBSET_PERMS (AA_FILE_PERMS & ~AA_LINK_BITS)
+ 	denied_mask |= ~l_mode & link_mask;
+-	if (l_mode & SUBSET_PERMS) {
+-		denied_mask |= (l_mode & SUBSET_PERMS) & ~t_mode;
++
++	t_mode = aa_match(profile->file_rules, target);
++
++
++	/* For actual subset test ignore valid-profile-transition flags,
++	 * and link bits
++	 */
++	l_mode &= ~(AA_SHARED_PERMS & AA_LINK_BITS);
++	t_mode &= ~(AA_SHARED_PERMS & AA_LINK_BITS);
++	l_subset = l_mode & AA_FILE_PERMS;
++
++	*request_mask = l_mode | link_mask;
++
++	if (l_subset) {
++		denied_mask |= (l_subset) & ~t_mode;
+ 		if (denied_mask & AA_EXEC_BITS)
+ 			denied_mask |= l_mode & AA_ALL_EXEC_MODS;
+ 		else if (l_mode & AA_EXEC_BITS) {
+@@ -128,7 +132,6 @@ static int aa_link_denied(struct aa_prof
+ 		}
+ 	} else
+ 		denied_mask |= t_mode | link_mask;
+-#undef SUBSET_PERMS
+ 
+ 	return denied_mask;
+ }

kernel-patches/for-mainline/fix-user-audit.diff

@@ -0,0 +1,15 @@
+---
+ security/apparmor/main.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/apparmor/main.c
++++ b/security/apparmor/main.c
+@@ -338,7 +338,7 @@ static void aa_audit_file_mask(struct au
+ 	aa_audit_file_sub_mask(ab, other,
+ 			       (mask & AA_OTHER_PERMS) >> AA_OTHER_SHIFT);
+ 
+-	audit_log_format(ab, " %s=\"%s::%s\"", name, user, other);
++	audit_log_format(ab, " %s=\"%s:%s\"", name, user, other);
+ }
+ 
+ static const char *address_families[] = {

kernel-patches/for-mainline/series

@@ -1,3 +1,5 @@
+#unionfs-2.2.2_for_2.6.24-rc7.diff
+#unionfs-2.1.11_for_2.6.24-rc4.diff
 security-create.diff
 remove_suid.diff
 vfs-notify_change.diff
@@ -60,6 +62,11 @@ apparmor-link-pairs.diff
 apparmor-bootdisable.diff
 apparmor-builtin-only.diff
 apparmor-security-goal.diff
+apparmor-features.diff
+split_init.diff
+apparmor-fix-sysctl-refcount.diff
+apparmor-fix-lock-letter.diff
+fix-link-subset.diff
 #foobar.diff
 # # NOT YET
 # ecryptfs-d_revalidate.diff
@@ -84,5 +91,6 @@ apparmor-security-goal.diff
 # vfs_rmdir-args.diff
 # vfs_unlink-args.diff
 # may_delete-args.diff
-apparmor-features.diff
-split_init.diff
+FS2.2.2_fix-unionfs-with-AppArmor.patch
+#FS2.1.3_fix-unionfs-with-AppArmor.patch
+

kernel-patches/for-mainline/vfs-mkdir.diff

@@ -14,11 +14,12 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
  fs/nfsd/nfs4recover.c |    3 ++-
  fs/nfsd/vfs.c         |    8 +++++---
  include/linux/fs.h    |    2 +-
- 5 files changed, 15 insertions(+), 8 deletions(-)
+ kernel/cgroup.c       |    2 +-
+ 6 files changed, 16 insertions(+), 9 deletions(-)
 
 --- a/fs/ecryptfs/inode.c
 +++ b/fs/ecryptfs/inode.c
-@@ -500,11 +500,14 @@ static int ecryptfs_mkdir(struct inode *
+@@ -488,11 +488,14 @@ static int ecryptfs_mkdir(struct inode *
  {
  	int rc;
  	struct dentry *lower_dentry;
@@ -36,7 +37,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
  	rc = ecryptfs_interpose(lower_dentry, dentry, dir->i_sb, 0);
 --- a/fs/namei.c
 +++ b/fs/namei.c
-@@ -1997,7 +1997,8 @@ asmlinkage long sys_mknod(const char __u
+@@ -1998,7 +1998,8 @@ asmlinkage long sys_mknod(const char __u
  	return sys_mknodat(AT_FDCWD, filename, mode, dev);
  }
  
@@ -46,7 +47,7 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
  {
  	int error = may_create(dir, dentry, NULL);
  
-@@ -2041,7 +2042,7 @@ asmlinkage long sys_mkdirat(int dfd, con
+@@ -2042,7 +2043,7 @@ asmlinkage long sys_mkdirat(int dfd, con
  
  	if (!IS_POSIXACL(nd.dentry->d_inode))
  		mode &= ~current->fs->umask;
@@ -123,3 +124,14 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
  extern int vfs_mknod(struct inode *, struct dentry *, int, dev_t);
  extern int vfs_symlink(struct inode *, struct dentry *, const char *, int);
  extern int vfs_link(struct dentry *, struct inode *, struct dentry *);
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -2611,7 +2611,7 @@ int cgroup_clone(struct task_struct *tsk
+ 	}
+ 
+ 	/* Create the cgroup directory, which also creates the cgroup */
+-	ret = vfs_mkdir(inode, dentry, S_IFDIR | 0755);
++	ret = vfs_mkdir(inode, dentry, NULL, S_IFDIR | 0755);
+ 	child = __d_cgrp(dentry);
+ 	dput(dentry);
+ 	if (ret) {