Add auditing of x modifiers and split mask into requested and denied masks

kernel-patches/for-mainline/audit-defines.diff

@@ -9,8 +9,8 @@
  #define AUDIT_MAC_IPSEC_DELSPD	1414	/* Delete a XFRM policy */
  
 +#define AUDIT_APPARMOR_AUDIT	1501	/* AppArmor audited grants */
-+#define AUDIT_APPARMOR_COMPLAIN	1502	/* Allowed Access for learning */
-+#define AUDIT_APPARMOR_REJECT	1503	/* Denied Access */
++#define AUDIT_APPARMOR_ALLOWED	1502	/* Allowed Access for learning */
++#define AUDIT_APPARMOR_DENIED	1503	/* Denied Access */
 +#define AUDIT_APPARMOR_HINT	1504	/* Process Tracking information */
 +#define AUDIT_APPARMOR_STATUS	1505	/* Changes in config */
 +#define AUDIT_APPARMOR_ERROR	1506	/* Internal AppArmor Errors */

kernel-patches/for-mainline/audit-link-perms.diff

@@ -61,7 +61,7 @@
  }
  
  /**
-@@ -639,21 +645,18 @@ int aa_link(struct aa_profile *profile,
+@@ -649,21 +655,18 @@ int aa_link(struct aa_profile *profile,
  	sa.name2 = aa_get_name(target, target_mnt, &sa.buffer2, check);
  
  	if (IS_ERR(sa.name)) {

kernel-patches/for-mainline/audit-pairs-3.diff

@@ -0,0 +1,65 @@
+---
+ security/apparmor/main.c |   38 ++++++++++++++++++++++++--------------
+ 1 file changed, 24 insertions(+), 14 deletions(-)
+
+--- a/security/apparmor/main.c
++++ b/security/apparmor/main.c
+@@ -274,6 +274,22 @@ void free_null_complain_profile(void)
+ 	null_complain_profile = NULL;
+ }
+ 
++static void aa_audit_file_mask(struct audit_buffer *ab, const char *name,
++			       int mask)
++{
++	audit_log_format(ab, " %s=\"%s%s%s%s%s%s%s%s%s\"",
++			 name,
++			 mask & AA_EXEC_UNSAFE ? "unsafe " : "",
++			 mask & AA_EXEC_MMAP ? "m" : "",
++			 mask & MAY_READ  ? "r" : "",
++			 mask & MAY_WRITE ? "w" : "",
++			 mask & AA_EXEC_INHEIT ? "i" : "",
++			 mask & AA_EXEC_UNCONFINED ? "u" : "",
++			 mask & AA_EXEC_PROFILE ? "p" : "",
++			 mask & MAY_EXEC  ? "x" : "",
++			 mask & AA_MAY_LINK  ? "l" : "");
++}
++
+ /**
+  * aa_audit - Log an audit event to the audit subsystem
+  * @profile: profile to check against
+@@ -291,9 +307,9 @@ static int aa_audit_base(struct aa_profi
+ 	if (!ab) {
+ 		AA_ERROR("Unable to log event (%d) to audit subsys\n",
+ 			 type);
+-		/* FIXME: do we want to keep old behavior - as below
+-		 * don't fail operations in complain mode even if logging
+-		 * fails */
++		/* don't fail operations in complain mode even when
++		 * logging fails
++		 */
+ 		return type == AUDIT_APPARMOR_COMPLAIN ? 0 : -ENOMEM;
+ 	}
+ 
+@@ -303,17 +319,11 @@ static int aa_audit_base(struct aa_profi
+ 	if (sa->info)
+ 		audit_log_format(ab, " info=\"%s\"", sa->info);
+ 
+-	if (sa->requested_mask | sa->denied_mask) {
+-		int mask = sa->denied_mask ? sa->denied_mask :
+-			sa->requested_mask;
+-
+-		audit_log_format(ab, " mask=\"%s%s%s%s%s\"",
+-				 mask & AA_EXEC_MMAP ? "m" : "",
+-				 mask & MAY_READ  ? "r" : "",
+-				 mask & MAY_WRITE ? "w" : "",
+-				 mask & MAY_EXEC  ? "x" : "",
+-				 mask & AA_MAY_LINK  ? "l" : "");
+-	}
++	if (sa->requested_mask)
++		aa_audit_file_mask(ab, "requested_mask", sa->requested_mask);
++
++	if (sa->denied_mask)
++		aa_audit_file_mask(an, "denied_mask", sa->denied_mask);
+ 
+ 	if (sa->iattr) {
+ 		struct iattr *iattr = sa->iattr;

kernel-patches/for-mainline/audit-remove-buffer.diff

@@ -38,7 +38,7 @@
  
  	return error;
  }
-@@ -635,14 +635,13 @@ int aa_link(struct aa_profile *profile,
+@@ -645,14 +645,13 @@ int aa_link(struct aa_profile *profile,
  {
  	int error, check = 0;
  	struct aa_audit sa;
@@ -56,7 +56,7 @@
  
  	if (IS_ERR(sa.name)) {
  		sa.error_code = PTR_ERR(sa.name);
-@@ -662,8 +661,8 @@ int aa_link(struct aa_profile *profile,
+@@ -672,8 +671,8 @@ int aa_link(struct aa_profile *profile,
  
  	error = aa_audit(profile, &sa);
  

kernel-patches/for-mainline/series

@@ -55,8 +55,13 @@ fix-link-name2.diff
 audit-remove-mangle.diff
 audit-pairs.diff
 audit-pairs-2.diff
+audit-pairs-3.diff
 audit-link-perms.diff
 audit-remove-buffer.diff
+#multi-profile-load.diff
+#flatten-hats.diff
+#change_profile.diff
+#change_hat-to-change_profile.diff
 do_path_lookup-nameidata.diff
 sys_fchdir-nameidata.diff
 file_permission-nameidata.diff