patch to convert complain mode to learning mode

kernel-patches/for-mainline/complain-to-learn.diff

@@ -0,0 +1,459 @@
+Index: b/security/apparmor/apparmor.h
+===================================================================
+--- a/security/apparmor/apparmor.h
++++ b/security/apparmor/apparmor.h
+@@ -37,7 +37,7 @@
+ 
+ /* Control parameters (0 or 1), settable thru module/boot flags or
+  * via /sys/kernel/security/apparmor/control */
+-extern int apparmor_complain;
++extern int apparmor_learning;
+ extern int apparmor_debug;
+ extern int apparmor_audit;
+ extern int apparmor_logsyscall;
+@@ -48,12 +48,12 @@ static inline int mediated_filesystem(st
+ 	return !(inode->i_sb->s_flags & MS_NOUSER);
+ }
+ 
+-#define PROFILE_COMPLAIN(_profile) \
+-	(apparmor_complain == 1 || ((_profile) && (_profile)->flags.complain))
++#define PROFILE_LEARNING(_profile) \
++	(apparmor_learning == 1 || ((_profile) && (_profile)->flags.learning))
+ 
+-#define APPARMOR_COMPLAIN(_cxt) \
+-	(apparmor_complain == 1 || \
+-	 ((_cxt) && (_cxt)->profile && (_cxt)->profile->flags.complain))
++#define APPARMOR_LEARNING(_cxt) \
++	(apparmor_learning == 1 || \
++	 ((_cxt) && (_cxt)->profile && (_cxt)->profile->flags.learning))
+ 
+ #define PROFILE_AUDIT(_profile) \
+ 	(apparmor_audit == 1 || ((_profile) && (_profile)->flags.audit))
+@@ -116,7 +116,7 @@ struct aa_profile {
+ 	struct list_head list;
+ 	struct list_head sub;
+ 	struct {
+-		int complain;
++		int learning;
+ 		int audit;
+ 	} flags;
+ 	struct aa_profile *null_profile;
+@@ -158,7 +158,7 @@ static inline struct aa_task_context *aa
+ 	return rcu_dereference((struct aa_task_context *)task->security);
+ }
+ 
+-extern struct aa_profile *null_complain_profile;
++extern struct aa_profile *null_learning_profile;
+ 
+ /* aa_audit - AppArmor auditing structure
+  * Structure is populated by access control code and passed to aa_audit which
+@@ -217,8 +217,8 @@ struct aa_audit {
+ 
+ /* main.c */
+ extern void free_aa_task_context_rcu_callback(struct rcu_head *head);
+-extern int alloc_null_complain_profile(void);
+-extern void free_null_complain_profile(void);
++extern int alloc_null_learning_profile(void);
++extern void free_null_learning_profile(void);
+ extern int attach_nullprofile(struct aa_profile *profile);
+ extern int aa_audit_message(struct aa_profile *profile, gfp_t gfp, int,
+ 			    const char *, ...);
+Index: b/security/apparmor/apparmorfs.c
+===================================================================
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -106,8 +106,8 @@ static struct root_entry {
+ 
+ 	/* interface for setting binary config values */
+ 	{"control",  	S_IFDIR, 0550},
+-	{"complain", 	S_IFREG, 0640, &apparmorfs_control_fops,
+-				       &apparmor_complain},
++	{"learning", 	S_IFREG, 0640, &apparmorfs_control_fops,
++				       &apparmor_learning},
+ 	{"audit",    	S_IFREG, 0640, &apparmorfs_control_fops,
+ 				       &apparmor_audit},
+ 	{"debug",    	S_IFREG, 0640, &apparmorfs_control_fops,
+Index: b/security/apparmor/list.c
+===================================================================
+--- a/security/apparmor/list.c
++++ b/security/apparmor/list.c
+@@ -84,7 +84,7 @@ static int seq_show_profile(struct seq_f
+ {
+ 	struct aa_profile *profile = (struct aa_profile *)v;
+ 	seq_printf(f, "%s (%s)\n", profile->name,
+-		   PROFILE_COMPLAIN(profile) ? "complain" : "enforce");
++		   PROFILE_LEARNING(profile) ? "learning" : "enforce");
+ 	return 0;
+ }
+ 
+Index: b/security/apparmor/lsm.c
+===================================================================
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -26,15 +26,15 @@
+  * /sys/modules/parameters, as we want to do additional mediation and
+  * don't want to add special path code. */
+ 
+-/* Complain mode -- in complain mode access failures result in auditing only
++/* Learning mode -- in learning mode access failures result in auditing only
+  * and task is allowed access.  audit events are processed by userspace to
+  * generate policy.  Default is 'enforce' (0).
+  * Value is also togglable per profile and referenced when global value is
+  * enforce.
+  */
+-int apparmor_complain = 0;
+-module_param_named(complain, apparmor_complain, int, S_IRUSR);
+-MODULE_PARM_DESC(apparmor_complain, "Toggle AppArmor complain mode");
++int apparmor_learning = 0;
++module_param_named(learning, apparmor_learning, int, S_IRUSR);
++MODULE_PARM_DESC(apparmor_learning, "Toggle AppArmor learning mode");
+ 
+ /* Debug mode */
+ int apparmor_debug = 0;
+@@ -767,15 +767,15 @@ struct security_operations apparmor_ops 
+ static int __init apparmor_init(void)
+ {
+ 	int error;
+-	const char *complainmsg = ": complainmode enabled";
++	const char *learningmsg = ": learningmode enabled";
+ 
+ 	if ((error = create_apparmorfs())) {
+ 		AA_ERROR("Unable to activate AppArmor filesystem\n");
+ 		goto createfs_out;
+ 	}
+ 
+-	if ((error = alloc_null_complain_profile())){
+-		AA_ERROR("Unable to allocate null complain profile\n");
++	if ((error = alloc_null_learning_profile())){
++		AA_ERROR("Unable to allocate null learning profile\n");
+ 		goto alloc_out;
+ 	}
+ 
+@@ -785,15 +785,15 @@ static int __init apparmor_init(void)
+ 	}
+ 
+ 	AA_INFO(GFP_KERNEL, "AppArmor initialized%s\n",
+-		apparmor_complain ? complainmsg : "");
++		apparmor_learning ? learningmsg : "");
+ 	aa_audit_message(NULL, GFP_KERNEL, 0,
+ 		"AppArmor initialized%s\n",
+-		apparmor_complain ? complainmsg : "");
++		apparmor_learning ? learningmsg : "");
+ 
+ 	return error;
+ 
+ register_security_out:
+-	free_null_complain_profile();
++	free_null_learning_profile();
+ 
+ alloc_out:
+ 	(void)destroy_apparmorfs();
+@@ -825,7 +825,7 @@ static void __exit apparmor_exit(void)
+ 
+ 	/* FIXME: cleanup profiles references on files */
+ 
+-	free_null_complain_profile();
++	free_null_learning_profile();
+ 
+ 	/**
+ 	 * Delay for an rcu cycle to make sure that all active task
+Index: b/security/apparmor/main.c
+===================================================================
+--- a/security/apparmor/main.c
++++ b/security/apparmor/main.c
+@@ -25,17 +25,17 @@ static const char *capability_names[] = 
+ #include "capability_names.h"
+ };
+ 
+-/* NULL complain profile
++/* NULL learning profile
+  *
+- * Used when in complain mode, to emit Permitting messages for non-existant
++ * Used when in learning mode, to emit Permitting messages for non-existant
+  * profiles and hats.  This is necessary because of selective mode, in which
+- * case we need a complain null_profile and enforce null_profile
++ * case we need a learning null_profile and enforce null_profile
+  *
+- * The null_complain_profile cannot be statically allocated, because it
++ * The null_learning_profile cannot be statically allocated, because it
+  * can be associated to files which keep their reference even if apparmor is
+  * unloaded
+  */
+-struct aa_profile *null_complain_profile;
++struct aa_profile *null_learning_profile;
+ 
+ /***************************
+  * Private utility functions
+@@ -237,14 +237,14 @@ int attach_nullprofile(struct aa_profile
+ 	hat = alloc_aa_profile();
+ 	if (!hat)
+ 		goto fail;
+-	if (profile->flags.complain)
+-		hatname = kstrdup("null-complain-profile", GFP_KERNEL);
++	if (profile->flags.learning)
++		hatname = kstrdup("null-learning-profile", GFP_KERNEL);
+ 	else
+ 		hatname = kstrdup("null-profile", GFP_KERNEL);
+ 	if (!hatname)
+ 		goto fail;
+ 
+-	hat->flags.complain = profile->flags.complain;
++	hat->flags.learning = profile->flags.learning;
+ 	hat->name = hatname;
+ 	hat->parent = profile;
+ 
+@@ -261,43 +261,43 @@ fail:
+ 
+ 
+ /**
+- * alloc_null_complain_profile - Allocate the global null_complain_profile.
++ * alloc_null_learning_profile - Allocate the global null_learning_profile.
+  *
+  * Return %0 (success) or error (-%ENOMEM)
+  */
+-int alloc_null_complain_profile(void)
++int alloc_null_learning_profile(void)
+ {
+-	null_complain_profile = alloc_aa_profile();
+-	if (!null_complain_profile)
++	null_learning_profile = alloc_aa_profile();
++	if (!null_learning_profile)
+ 		goto fail;
+ 
+-	null_complain_profile->name =
+-		kstrdup("null-complain-profile", GFP_KERNEL);
++	null_learning_profile->name =
++		kstrdup("null-learning-profile", GFP_KERNEL);
+ 
+-	if (!null_complain_profile->name)
++	if (!null_learning_profile->name)
+ 		goto fail;
+ 
+-	null_complain_profile->flags.complain = 1;
+-	if (attach_nullprofile(null_complain_profile))
++	null_learning_profile->flags.learning = 1;
++	if (attach_nullprofile(null_learning_profile))
+ 		goto fail;
+ 
+ 	return 0;
+ 
+ fail:
+ 	/* free_aa_profile is safe for freeing partially constructed objects */
+-	free_aa_profile(null_complain_profile);
+-	null_complain_profile = NULL;
++	free_aa_profile(null_learning_profile);
++	null_learning_profile = NULL;
+ 
+ 	return -ENOMEM;
+ }
+ 
+ /**
+- * free_null_complain_profile - Free null profiles
++ * free_null_learning_profile - Free null profiles
+  */
+-void free_null_complain_profile(void)
++void free_null_learning_profile(void)
+ {
+-	aa_put_profile(null_complain_profile);
+-	null_complain_profile = NULL;
++	aa_put_profile(null_learning_profile);
++	null_learning_profile = NULL;
+ }
+ 
+ /**
+@@ -362,7 +362,7 @@ int aa_audit(struct aa_profile *profile,
+ 	const char *logcls;
+ 	unsigned int flags;
+ 	int audit = 0,
+-	    complain = 0,
++	    learning = 0,
+ 	    error = -EINVAL,
+ 	    opspec_error = -EACCES;
+ 
+@@ -400,8 +400,8 @@ int aa_audit(struct aa_profile *profile,
+ 		 */
+ 		logcls = "REJECTING";
+ 	} else {
+-		complain = PROFILE_COMPLAIN(profile);
+-		logcls = complain ? "PERMITTING" : "REJECTING";
++		learning = PROFILE_LEARNING(profile);
++		logcls = learning ? "PERMITTING" : "REJECTING";
+ 	}
+ 
+ 	/* In future extend w/ per-profile flags
+@@ -427,7 +427,7 @@ int aa_audit(struct aa_profile *profile,
+ 	if (!ab) {
+ 		AA_ERROR("Unable to log event (%d) to audit subsys\n",
+ 			sa->type);
+-		if (complain)
++		if (learning)
+ 			error = 0;
+ 		goto out;
+ 	}
+@@ -509,7 +509,7 @@ int aa_audit(struct aa_profile *profile,
+ 
+ 	audit_log_end(ab);
+ 
+-	if (complain)
++	if (learning)
+ 		error = 0;
+ 	else
+ 		error = sa->result ? 0 : opspec_error;
+@@ -664,7 +664,7 @@ int aa_capability(struct aa_task_context
+ 
+ 	/* test if cap has alread been logged */
+ 	if (cap_raised(cxt->caps_logged, cap)) {
+-		if (PROFILE_COMPLAIN(cxt->profile))
++		if (PROFILE_LEARNING(cxt->profile))
+ 			error = 0;
+ 		return error;
+ 	} else
+@@ -773,8 +773,8 @@ repeat:
+ 				       cxt->hat_magic);
+ 		unlock_profile(profile);
+ 
+-		if (APPARMOR_COMPLAIN(child_cxt) &&
+-		    profile == null_complain_profile) {
++		if (APPARMOR_LEARNING(child_cxt) &&
++		    profile == null_learning_profile) {
+ 			LOG_HINT(profile, GFP_KERNEL, HINT_FORK,
+ 				 "pid=%d child=%d\n",
+ 				 current->pid, child->pid);
+@@ -788,7 +788,7 @@ repeat:
+ 
+ static struct aa_profile *
+ aa_register_find(struct aa_profile *profile, const char *name, int mandatory,
+-		 int complain)
++		 int learning)
+ {
+ 	struct aa_profile *new_profile;
+ 
+@@ -798,14 +798,14 @@ aa_register_find(struct aa_profile *prof
+ 		AA_DEBUG("%s: setting profile %s\n",
+ 			 __FUNCTION__, new_profile->name);
+ 	} else if (mandatory && profile) {
+-		if (complain) {
++		if (learning) {
+ 			LOG_HINT(profile, GFP_KERNEL, HINT_MANDPROF,
+ 				"image=%s pid=%d profile=%s active=%s\n",
+ 				name,
+ 				current->pid,
+ 				profile->parent->name, profile->name);
+ 
+-			profile = aa_dup_profile(null_complain_profile);
++			profile = aa_dup_profile(null_learning_profile);
+ 		} else {
+ 			AA_WARN(GFP_KERNEL, "REJECTING exec(2) of image '%s'. "
+ 				"Profile mandatory and not found "
+@@ -838,7 +838,7 @@ int aa_register(struct linux_binprm *bpr
+ 	char *filename, *buffer = NULL;
+ 	struct file *filp = bprm->file;
+ 	struct aa_profile *profile, *old_profile, *new_profile = NULL;
+-	int exec_mode = AA_EXEC_UNSAFE, complain = 0;
++	int exec_mode = AA_EXEC_UNSAFE, learning = 0;
+ 
+ 	AA_DEBUG("%s\n", __FUNCTION__);
+ 
+@@ -852,7 +852,7 @@ int aa_register(struct linux_binprm *bpr
+ repeat:
+ 	profile = aa_get_profile(current);
+ 	if (profile) {
+-		complain = PROFILE_COMPLAIN(profile);
++		learning = PROFILE_LEARNING(profile);
+ 
+ 		/* Confined task, determine what mode inherit, unconfined or
+ 		 * mandatory to load new profile
+@@ -883,7 +883,7 @@ repeat:
+ 					 filename);
+ 				new_profile = aa_register_find(profile,
+ 							       filename, 1,
+-							       complain);
++							       learning);
+ 				break;
+ 
+ 			default:
+@@ -900,12 +900,12 @@ repeat:
+ 				break;
+ 			}
+ 
+-		} else if (complain) {
++		} else if (learning) {
+ 			/* There was no entry in calling profile
+ 			 * describing mode to execute image in.
+ 			 * Drop into null-profile (disabling secure exec).
+ 			 */
+-			new_profile = aa_dup_profile(null_complain_profile);
++			new_profile = aa_dup_profile(null_learning_profile);
+ 			exec_mode |= AA_EXEC_UNSAFE;
+ 		} else {
+ 			AA_WARN(GFP_KERNEL,
+@@ -957,7 +957,7 @@ repeat:
+ 			((unsigned long)bprm->security | bprm_flags);
+ 	}
+ 
+-	if (complain && new_profile == null_complain_profile) {
++	if (learning && new_profile == null_learning_profile) {
+ 		LOG_HINT(new_profile, GFP_ATOMIC, HINT_CHGPROF,
+ 			"pid=%d\n",
+ 			current->pid);
+@@ -1044,7 +1044,7 @@ static inline int do_change_hat(const ch
+ 	} else {
+ 		struct aa_profile *profile = cxt->profile;
+ 
+-		if (APPARMOR_COMPLAIN(cxt)) {
++		if (APPARMOR_LEARNING(cxt)) {
+ 			LOG_HINT(profile, GFP_ATOMIC, HINT_UNKNOWN_HAT,
+  				"%s pid=%d "
+ 				"profile=%s active=%s\n",
+@@ -1116,7 +1116,7 @@ int aa_change_hat(const char *hat_name, 
+ 	profile = cxt->profile;
+ 
+ 	/* check to see if the confined process has any hats. */
+-	if (list_empty(&profile->parent->sub) && !PROFILE_COMPLAIN(profile)) {
++	if (list_empty(&profile->parent->sub) && !PROFILE_LEARNING(profile)) {
+ 		error = -ECHILD;
+ 		goto out;
+ 	}
+Index: b/security/apparmor/module_interface.c
+===================================================================
+--- a/security/apparmor/module_interface.c
++++ b/security/apparmor/module_interface.c
+@@ -245,12 +245,12 @@ static struct aa_profile *aa_unpack_prof
+ 	if (!aa_is_dynstring(e, &profile->name, NULL))
+ 		goto fail;
+ 
+-	/* per profile debug flags (complain, audit) */
++	/* per profile debug flags (learning, audit) */
+ 	if (!aa_is_nameX(e, AA_STRUCT, "flags"))
+ 		goto fail;
+ 	if (!aa_is_u32(e, NULL, NULL))
+ 		goto fail;
+-	if (!aa_is_u32(e, &(profile->flags.complain), NULL))
++	if (!aa_is_u32(e, &(profile->flags.learning), NULL))
+ 		goto fail;
+ 	if (!aa_is_u32(e, &(profile->flags.audit), NULL))
+ 		goto fail;
+@@ -308,7 +308,7 @@ static struct aa_profile *aa_unpack_prof
+ {
+ 	struct aa_profile *profile = aa_unpack_profile(e);
+ 	if (!IS_ERR(profile) &&
+-	    (!list_empty(&profile->sub) || profile->flags.complain)) {
++	    (!list_empty(&profile->sub) || profile->flags.learning)) {
+ 		int error;
+ 		if ((error = attach_nullprofile(profile))) {
+ 			aa_put_profile(profile);
+Index: b/security/apparmor/procattr.c
+===================================================================
+--- a/security/apparmor/procattr.c
++++ b/security/apparmor/procattr.c
+@@ -19,8 +19,8 @@ int aa_getprocattr(struct aa_profile *pr
+ 	char *str;
+ 
+ 	if (profile) {
+-		const char *mode_str = PROFILE_COMPLAIN(profile) ?
+-			" (complain)" : " (enforce)";
++		const char *mode_str = PROFILE_LEARNING(profile) ?
++			" (learning)" : " (enforce)";
+ 
+ 		*len = ((profile != profile->parent) ?
+ 		           strlen(profile->parent->name) + 1 : 0) +

kernel-patches/for-mainline/rename-activate-unpack.diff

@@ -95,3 +95,12 @@ Index: b/security/apparmor/module_interface.c
  	if (IS_ERR(new_profile))
  		return PTR_ERR(new_profile);
  
+@@ -489,7 +489,7 @@ ssize_t aa_file_prof_replace(void *udata
+ 		if (new_profile->isstale) {
+ 			struct aa_profile *profile;
+ 			if (IS_ERR(new_profile->isstale)) {
+-				/* new_profile was removed so become removal */
++				/* new_profile was removed so do removal */
+ 				remove_tasks_on_context_list(old_profile);
+ 				unlock_both_profiles(old_profile, new_profile);
+ 				break;

kernel-patches/for-mainline/series

@@ -124,3 +124,4 @@ rename-activate-unpack.diff
 #rcu-task-context-5.diff 
 misc-typos.diff
 warn-info-messages.diff
+complain-to-learn.diff