Fold apparmor-sysctl-pathname.diff into the other patches.

2025-03-04 08:24:42 +01:00 · 2007-04-27 19:02:03 +00:00 · 2007-04-27 19:02:03 +00:00 · 769179ccf4
commit 769179ccf4
parent 7ee57d5e7a
6 changed files with 65 additions and 113 deletions
--- a/kernel-patches/for-mainline/apparmor-lsm.diff
+++ b/kernel-patches/for-mainline/apparmor-lsm.diff
@ -7,12 +7,12 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
 Signed-off-by: Andreas Gruenbacher <agruen@suse.de>

 ---
- security/apparmor/lsm.c |  762 ++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 762 insertions(+)
+ security/apparmor/lsm.c |  784 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 784 insertions(+)

 --- /dev/null
 +++ b/security/apparmor/lsm.c
-@@ -0,0 +1,762 @@
+@@ -0,0 +1,784 @@
 +/*
 + *	Copyright (C) 1998-2007 Novell/SUSE
 + *
@ -31,6 +31,7 @@ Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
 +#include <linux/mount.h>
 +#include <linux/namei.h>
 +#include <linux/ctype.h>
+#include <linux/sysctl.h>
 +
 +#include "apparmor.h"
 +#include "inline.h"
@ -179,12 +180,33 @@ Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
 +
 +static int apparmor_sysctl(struct ctl_table *table, int op)
 +{
+	struct aa_profile *profile = aa_get_profile(current);
 +	int error = 0;
 +
-+	if ((op & 002) && !capable(CAP_SYS_ADMIN))
-+		error = aa_reject_syscall(current, GFP_KERNEL,
-+					  "sysctl (write)");
+	if (profile) {
+		char *buffer, *name;
+		int mask;
 +
+		mask = 0;
+		if (op & 4)
+			mask |= MAY_READ;
+		if (op & 2)
+			mask |= MAY_WRITE;
+
+		error = -ENOMEM;
+		buffer = (char*)__get_free_page(GFP_KERNEL);
+		if (!buffer)
+			goto out;
+		name = sysctl_pathname(table, buffer, PAGE_SIZE);
+		if (name && name - buffer >= 5) {
+			name -= 5;
+			memcpy(name, "/proc", 5);
+			error = aa_perm_path(profile, name, mask);
+		}
+		free_page((unsigned long)buffer);
+	}
+
+out:
 +	return error;
 +}
 +
--- a/kernel-patches/for-mainline/apparmor-main.diff
+++ b/kernel-patches/for-mainline/apparmor-main.diff
@ -7,12 +7,12 @@ Signed-off-by: John Johansen <jjohansen@suse.de>
 Signed-off-by: Andreas Gruenbacher <agruen@suse.de>

 ---
- security/apparmor/main.c | 1340 +++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 1340 insertions(+)
+ security/apparmor/main.c | 1357 +++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 1357 insertions(+)

 --- /dev/null
 +++ b/security/apparmor/main.c
-@@ -0,0 +1,1340 @@
+@@ -0,0 +1,1357 @@
 +/*
 + *	Copyright (C) 2002-2007 Novell/SUSE
 + *
@ -697,6 +697,23 @@ Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
 +			      AA_CHECK_DIR | AA_CHECK_LEAF);
 +}
 +
+int aa_perm_path(struct aa_profile *profile, const char *name, int mask)
+{
+	struct aa_audit sa;
+	int denied_mask;
+
+	sa.type = AA_AUDITTYPE_FILE;
+	sa.mask = mask;
+	sa.flags = 0;
+	sa.gfp_mask = GFP_KERNEL;
+	sa.name = name;
+
+	denied_mask = aa_file_denied(profile, name, mask);
+	aa_permerror2result(denied_mask, &sa);
+
+	return aa_audit(profile, &sa);
+}
+
 +/**
 + * aa_capability - test permission to use capability
 + * @cxt: aa_task_context with profile to check against
--- a/kernel-patches/for-mainline/apparmor-misc.diff
+++ b/kernel-patches/for-mainline/apparmor-misc.diff
@ -13,13 +13,13 @@ Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
 ---
 security/apparmor/Kconfig      |    9 +
 security/apparmor/Makefile     |   13 +
- security/apparmor/apparmor.h   |  279 +++++++++++++++++++++++++++++++++++++++++
+ security/apparmor/apparmor.h   |  280 +++++++++++++++++++++++++++++++++++++++++
 security/apparmor/apparmorfs.c |  248 ++++++++++++++++++++++++++++++++++++
 security/apparmor/inline.h     |  219 ++++++++++++++++++++++++++++++++
 security/apparmor/list.c       |   94 +++++++++++++
 security/apparmor/locking.txt  |   59 ++++++++
- security/apparmor/procattr.c   |  143 +++++++++++++++++++++
- 8 files changed, 1064 insertions(+)
+ security/apparmor/procattr.c   |  143 ++++++++++++++++++++
+ 8 files changed, 1065 insertions(+)

 --- /dev/null
 +++ b/security/apparmor/Kconfig
@ -51,7 +51,7 @@ Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
 +	$(call cmd,make-caps)
 --- /dev/null
 +++ b/security/apparmor/apparmor.h
-@@ -0,0 +1,279 @@
+@@ -0,0 +1,280 @@
 +/*
 + *	Copyright (C) 1998-2007 Novell/SUSE
 + *
@ -281,6 +281,7 @@ Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
 +		   struct vfsmount *mnt, int mask, int check);
 +extern int aa_perm_dir(struct aa_profile *profile, struct dentry *dentry,
 +		       struct vfsmount *mnt, const char *operation, int mask);
+extern int aa_perm_path(struct aa_profile *, const char *, int);
 +extern int aa_link(struct aa_profile *profile,
 +		   struct dentry *link, struct vfsmount *link_mnt,
 +		   struct dentry *target, struct vfsmount *target_mnt);
--- a/kernel-patches/for-mainline/apparmor-sysctl-pathname.diff
+++ b/kernel-patches/for-mainline/apparmor-sysctl-pathname.diff
@ -1,89 +0,0 @@
---
- security/apparmor/apparmor.h |    1 +
- security/apparmor/lsm.c      |   28 +++++++++++++++++++++++++---
- security/apparmor/main.c     |   17 +++++++++++++++++
- 3 files changed, 43 insertions(+), 3 deletions(-)
-
--- a/security/apparmor/apparmor.h
-+++ b/security/apparmor/apparmor.h
-@@ -227,6 +227,7 @@ extern int aa_perm(struct aa_profile *pr
- 		   struct vfsmount *mnt, int mask, int check);
- extern int aa_perm_dir(struct aa_profile *profile, struct dentry *dentry,
- 		       struct vfsmount *mnt, const char *operation, int mask);
-+extern int aa_perm_path(struct aa_profile *, const char *, int);
- extern int aa_link(struct aa_profile *profile,
- 		   struct dentry *link, struct vfsmount *link_mnt,
- 		   struct dentry *target, struct vfsmount *target_mnt);
--- a/security/apparmor/lsm.c
-+++ b/security/apparmor/lsm.c
-@@ -16,6 +16,7 @@
- #include <linux/mount.h>
- #include <linux/namei.h>
- #include <linux/ctype.h>
-+#include <linux/sysctl.h>
- 
- #include "apparmor.h"
- #include "inline.h"
-@@ -164,12 +165,33 @@ static int apparmor_capable(struct task_
- 
- static int apparmor_sysctl(struct ctl_table *table, int op)
- {
-+	struct aa_profile *profile = aa_get_profile(current);
- 	int error = 0;
- 
-	if ((op & 002) && !capable(CAP_SYS_ADMIN))
-		error = aa_reject_syscall(current, GFP_KERNEL,
-					  "sysctl (write)");
-+	if (profile) {
-+		char *buffer, *name;
-+		int mask;
- 
-+		mask = 0;
-+		if (op & 4)
-+			mask |= MAY_READ;
-+		if (op & 2)
-+			mask |= MAY_WRITE;
-+
-+		error = -ENOMEM;
-+		buffer = (char*)__get_free_page(GFP_KERNEL);
-+		if (!buffer)
-+			goto out;
-+		name = sysctl_pathname(table, buffer, PAGE_SIZE);
-+		if (name && name - buffer >= 5) {
-+			name -= 5;
-+			memcpy(name, "/proc", 5);
-+			error = aa_perm_path(profile, name, mask);
-+		}
-+		free_page((unsigned long)buffer);
-+	}
-+
-+out:
- 	return error;
- }
- 
--- a/security/apparmor/main.c
-+++ b/security/apparmor/main.c
-@@ -682,6 +682,23 @@ int aa_perm_dir(struct aa_profile *profi
- 			      AA_CHECK_DIR | AA_CHECK_LEAF);
- }
- 
-+int aa_perm_path(struct aa_profile *profile, const char *name, int mask)
-+{
-+	struct aa_audit sa;
-+	int denied_mask;
-+
-+	sa.type = AA_AUDITTYPE_FILE;
-+	sa.mask = mask;
-+	sa.flags = 0;
-+	sa.gfp_mask = GFP_KERNEL;
-+	sa.name = name;
-+
-+	denied_mask = aa_file_denied(profile, name, mask);
-+	aa_permerror2result(denied_mask, &sa);
-+
-+	return aa_audit(profile, &sa);
-+}
-+
- /**
-  * aa_capability - test permission to use capability
-  * @cxt: aa_task_context with profile to check against
--- a/kernel-patches/for-mainline/ecryptfs-d_revalidate.diff
+++ b/kernel-patches/for-mainline/ecryptfs-d_revalidate.diff
@ -3,10 +3,12 @@ Subject: Check for NULL nameidata in ecryptfs_d_revalidate

 Some filesystems like nfsd and ecryptfs use lookup_one_len() on other
 filesystems. This causes d_revalidate() calls with nd == NULL through
-__lookup_hash() and cached_lookup(). Because of that, all filesystems
-must cope with NULL nameidata.
+__lookup_hash() and cached_lookup(), so we need to check for NULL
+nameidata.

 Signed-off-by: Andreas Gruenbacher <agruen@use.de>
+Cc: Mike Halcrow <mhalcrow@us.ibm.com>
+Cc: Phillip Hellewell <phillip@hellewell.homeip.net>

 ---
 fs/ecryptfs/dentry.c |   16 ++++++++++------
--- a/kernel-patches/for-mainline/series
+++ b/kernel-patches/for-mainline/series
@ -1,5 +1,3 @@
-# statvfs.diff
-# statvfs-2.diff
 security-create.diff
 proc_setattr.diff 
 proc_sys_setattr.diff
@ -33,10 +31,6 @@ security-removexattr.diff
 unambiguous-__d_path.diff
 mount-consistent-__d_path.diff
 d_namespace_path.diff
-# fix-getcwd.diff
-proc-mounts-cleanup.diff
-# proc-mounts-check-d_path-result.diff
-# fix-d_path.diff
 file-handle-ops.diff
 security-xattr-file.diff
 sysctl-pathname.diff
@ -47,15 +41,20 @@ apparmor-lsm.diff
 apparmor-module_interface.diff
 apparmor-misc.diff
 apparmor-intree.diff
-ecryptfs-d_revalidate.diff
-apparmor-sysctl-pathname.diff
-vfs_create-nameidata.diff
 do_path_lookup-nameidata.diff
 sys_fchdir-nameidata.diff
 nfsd_permission-nameidata.diff
 file_permission-nameidata.diff
 # NOT YET
+ecryptfs-d_revalidate.diff
+# statvfs.diff
+# statvfs-2.diff
+# fix-getcwd.diff
+# proc-mounts-cleanup.diff
+# proc-mounts-check-d_path-result.diff
+# fix-d_path.diff
 nfs-nameidata-check.diff
+vfs_create-nameidata.diff
 split-up-nameidata.diff
 # xattr_permission.diff
 # vfs_create-args.diff