A fix_apparmor_getprocattr.diff

fix getprocattr so that it returns the start of the profile name string instead of the end of it. A rcu-locking-docs.txt Change the locking docs to reflect the locking changes for rcu aa_task_contexts A fix-rename-file-type.diff Use the dentry->inode to determine if the medieated dentry is a directory. The use of the inode that is pasted in is incorrect because it is often the parent inode of the dentry being mediated. A misc-typos.diff Fix a few miscellaneous typos A rcu-stale-forward-ptr.diff A rcu-caps-cache-comment.diff Add a comment as to why resetting the caps cache instead of propogating it is the right thing to do. A warn-info-messages.diff Convert AA_WARN to us aa_audit_message, most of these messages while not necessary for learning mode should be present in the logs with the other apparmor messages. A rename-activate-unpack.diff rename the interface routines to use unpack instead of activate, its simpler and more standard. j
2025-03-04 08:24:42 +01:00 · 2007-03-26 10:18:14 +00:00 · 2007-03-26 10:18:14 +00:00 · 7d43226fbd
commit 7d43226fbd
parent f5a8698fdf
9 changed files with 679 additions and 1 deletions
--- a/kernel-patches/for-mainline/fix-rename-file-type.diff
+++ b/kernel-patches/for-mainline/fix-rename-file-type.diff
@ -0,0 +1,14 @@
+Index: b/security/apparmor/lsm.c
+===================================================================
+--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
+@@ -260,7 +260,8 @@ static int aa_permission(struct inode *i
+ 
+ 		profile = aa_get_profile(current);
+ 		if (profile) {
+-			if (inode && S_ISDIR(inode->i_mode))
+			struct inode *d_inode = dentry->d_inode;
+			if (d_inode && S_ISDIR(d_inode->i_mode))
+ 				check |= AA_CHECK_DIR;
+ 			error = aa_perm(profile, dentry, mnt, mask, check);
+ 		}
--- a/kernel-patches/for-mainline/fix_apparmor_getprocattr.diff
+++ b/kernel-patches/for-mainline/fix_apparmor_getprocattr.diff
@ -0,0 +1,12 @@
+Index: b/security/apparmor/procattr.c
+===================================================================
+--- a/security/apparmor/procattr.c
+++ b/security/apparmor/procattr.c
+@@ -40,6 +40,7 @@ int aa_getprocattr(struct aa_profile *pr
+ 		memcpy(str, mode_str, strlen(mode_str));
+ 		str += strlen(mode_str);
+ 		*str++ = '\n';
+		str -= *len;
+ 	} else {
+ 		const char *unconfined_str = "unconfined\n";
+ 
--- a/kernel-patches/for-mainline/misc-typos.diff
+++ b/kernel-patches/for-mainline/misc-typos.diff
@ -0,0 +1,39 @@
+Index: b/security/apparmor/apparmorfs.c
+===================================================================
+--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
+@@ -235,7 +235,7 @@ static ssize_t aa_profile_remove(struct 
+ 	ssize_t error;
+ 
+ 	/* aa_file_prof_remove needs a null terminated string so 1 extra
+-	 * byte is allocated and null the copied data is then null terminated
+	 * byte is allocated and the copied data is then null terminated
+ 	 */
+ 	data = aa_simple_write_to_buffer(buf, size+1, size, pos, "removal");
+ 
+Index: b/security/apparmor/lsm.c
+===================================================================
+--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
+@@ -819,6 +819,8 @@ static void __exit apparmor_exit(void)
+ 	}
+ 	write_unlock(&profile_list_lock);
+ 
+	/* FIXME: cleanup profiles references on files */
+
+ 	free_null_complain_profile();
+ 
+ 	/**
+Index: b/security/apparmor/main.c
+===================================================================
+--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
+@@ -671,7 +671,7 @@ int aa_capability(struct aa_task_context
+ 		/* don't worry about rcu replacement of the cxt here.
+ 		 * caps_logged is a cache to reduce the occurance of
+ 		 * duplicate messages in the log.  The worst that can
+-		 * happen is duplicate capability messages show up in
+		 * happen is duplicate capability messages shows up in
+ 		 * the audit log
+ 		 */
+ 		cap_raise(cxt->caps_logged, cap);
--- a/kernel-patches/for-mainline/rcu-caps-cache-comment.diff
+++ b/kernel-patches/for-mainline/rcu-caps-cache-comment.diff
@ -0,0 +1,13 @@
+Index: b/security/apparmor/main.c
+===================================================================
+--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
+@@ -1281,6 +1281,8 @@ void aa_change_task_context(struct task_
+ 		call_rcu(&old_cxt->rcu, free_aa_task_context_rcu_callback);
+ 	}
+ 	if (new_cxt) {
+		/* clear the caps_logged cache, so that new profile/hat has
+		 * chance to emit its own set of cap messages */
+ 		new_cxt->caps_logged = CAP_EMPTY_SET;
+ 		new_cxt->hat_magic = hat_magic;
+ 		new_cxt->task = task;
--- a/kernel-patches/for-mainline/rcu-locking-docs.txt
+++ b/kernel-patches/for-mainline/rcu-locking-docs.txt
@ -0,0 +1,37 @@
+Index: b/security/apparmor/locking.txt
+===================================================================
+--- a/security/apparmor/locking.txt
+++ b/security/apparmor/locking.txt
+@@ -15,15 +15,11 @@ Which lock protects what?
+ 	>-----------------------+-------------------------------<
+ 	| profile_list,		| profile_list_lock		|
+ 	+-----------------------+-------------------------------+
+	| aa_profile		| reference count		|
+	+-----------------------+-------------------------------+
+ 	| aa_profile->		| aa_profile->lock		|
+ 	|   isstale,		|				|
+ 	|   task_contexts	|				|
+-	| aa_profile->count	| RCU				|
+-	+-----------------------+-------------------------------+
+-	| aa_task_context->	|				|
+-	|   profile		| read: RCU			|
+-	|			| write: aa_profile->lock +	|
+-	|			|	 task_lock()		|
+ 	+-----------------------+-------------------------------+
+ 	| task_struct->security	| read: RCU			|
+ 	|			| write: task_lock()		|
+@@ -39,8 +35,9 @@ When moving a task context from one prof
+ profile locks with lock_both_profiles(). This ensures that both locks
+ are always taken in the same order, and so we won't deadlock.
+ 
+-Since aa_task_struct->profile is RCU protected, it can change under a
+-reader at any time. Therefore, we should grab the pointer and use the
+-cached result, but we can only do this after all blocking operations (or
+-else the pointer could just change again). The ->profile pointer may
+-change or become NULL at any time; we must be careful about this.
+Since task_struct->security is RCU protected the aa_task_struct it
+references is only guarenteed to exist for the rcu cycle.  Where
+aa_task_context->profile is needed in blocking operations the
+profile's reference count is incremented and the profile reference
+is used.
+
--- a/kernel-patches/for-mainline/rcu-stale-forward-ptr.diff
+++ b/kernel-patches/for-mainline/rcu-stale-forward-ptr.diff
@ -0,0 +1,219 @@
+Index: b/security/apparmor/apparmor.h
+===================================================================
+--- a/security/apparmor/apparmor.h
+++ b/security/apparmor/apparmor.h
+@@ -88,7 +88,7 @@ static inline int mediated_filesystem(st
+  * @sub: profiles list of subprofiles (HATS)
+  * @flags: flags controlling profile behavior
+  * @null_profile: if needed per profile learning and null confinement profile
+- * @isstale: flag to indicate the profile is stale
+ * @isstale: flag indicating profile is stale by pointing to its replacement
+  * @capabilities: capabilities granted by the process
+  * @count: reference count of the profile
+  *
+@@ -114,7 +114,7 @@ struct aa_profile {
+ 		int audit;
+ 	} flags;
+ 	struct aa_profile *null_profile;
+-	int isstale;
+	struct aa_profile *isstale;
+ 
+ 	kernel_cap_t capabilities;
+ 	struct kref count;
+Index: b/security/apparmor/lsm.c
+===================================================================
+--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
+@@ -809,16 +809,8 @@ static void __exit apparmor_exit(void)
+ 
+ 		/* Remove the profile from each task context it is on. */
+ 		lock_profile(profile);
+-		profile->isstale = 1;
+-		while (!list_empty(&profile->task_contexts)) {
+-			struct task_struct *task =
+-				list_entry(profile->task_contexts.next,
+-					   struct aa_task_context, list)->task;
+-
+-			task_lock(task);
+-			aa_change_task_context(task, NULL, NULL, 0);
+-			task_unlock(task);
+-		}
+		profile->isstale = ERR_PTR(-ENOENT);
+		remove_tasks_on_context_list(profile);
+ 		unlock_profile(profile);
+ 
+ 		/* Release the profile itself. */
+Index: b/security/apparmor/module_interface.c
+===================================================================
+--- a/security/apparmor/module_interface.c
+++ b/security/apparmor/module_interface.c
+@@ -14,8 +14,6 @@
+ #include "apparmor.h"
+ #include "inline.h"
+ 
+-static DEFINE_MUTEX(aa_interface_lock);
+-
+ /* The AppArmor interface treats data as a type byte followed by the
+  * actual data.  The interface has the notion of a a named entry
+  * which has a name (AA_NAME typecode followed by name string) followed by
+@@ -364,18 +362,15 @@ ssize_t aa_file_prof_add(void *data, siz
+ 	if (IS_ERR(profile))
+ 		return PTR_ERR(profile);
+ 
+-	mutex_lock(&aa_interface_lock);
+ 	write_lock(&profile_list_lock);
+ 	if (__aa_find_profile(profile->name, &profile_list)) {
+ 		/* A profile with this name exists already. */
+ 		write_unlock(&profile_list_lock);
+-		mutex_unlock(&aa_interface_lock);
+ 		aa_put_profile(profile);
+ 		return -EEXIST;
+ 	}
+ 	list_add(&profile->list, &profile_list);
+ 	write_unlock(&profile_list_lock);
+-	mutex_unlock(&aa_interface_lock);
+ 
+ 	return size;
+ }
+@@ -446,13 +441,13 @@ ssize_t aa_file_prof_replace(void *udata
+ 	if (IS_ERR(new_profile))
+ 		return PTR_ERR(new_profile);
+ 
+-	mutex_lock(&aa_interface_lock);
+ 	write_lock(&profile_list_lock);
+ 	old_profile = __aa_find_profile(new_profile->name, &profile_list);
+ 	if (old_profile) {
+-		old_profile->isstale = 1;
+		old_profile->isstale = aa_dup_profile(new_profile);
+ 		list_del_init(&old_profile->list);
+ 	}
+	aa_dup_profile(new_profile);
+ 	list_add(&new_profile->list, &profile_list);
+ 	write_unlock(&profile_list_lock);
+ 
+@@ -460,9 +455,18 @@ ssize_t aa_file_prof_replace(void *udata
+ 		goto out;
+ 
+ 	/*
+-	 * FIXME: this loop is confusing. Can't we simply allocate the new
+-	 * task context under the profile locks after checking that we
+-	 * actually need it?
+	 * Replacement needs to allocate a new aa_task_context for each
+	 * task confined by old_profile.  To do this the profile locks
+	 * are only held when the actual switch is done per task.  While
+	 * looping to allocate a new aa_task_context the old_task list
+	 * may get shorter if tasks exist/change their profile but will
+	 * not get longer as new task will not use old_profile detecting
+	 * that is stale.
+	 * The new_profile could be removed/replaced becoming stale itself.
+	 * In this case replacement switches to using new_profile->isstale
+	 * forwarding pointer for replacement of any remaining tasks.
+	 * The replacement that made new_profile stale will take care of
+	 * replacing any tasks that were already moved to new_profile.
+ 	 */
+ 	do {
+ 		new_cxt = aa_alloc_task_context();
+@@ -480,7 +484,22 @@ ssize_t aa_file_prof_replace(void *udata
+ 		 * profile (updating the list) and replacement updating
+ 		 * the list
+ 		 */
+	repeat:
+ 		lock_both_profiles(old_profile, new_profile);
+		if (new_profile->isstale) {
+			struct aa_profile *profile;
+			if (IS_ERR(new_profile->isstale)) {
+				/* new_profile was removed so become removal */
+				remove_tasks_on_context_list(old_profile);
+				unlock_both_profiles(old_profile, new_profile);
+				break;
+			}
+			profile = aa_dup_profile(new_profile->isstale);
+			unlock_both_profiles(old_profile, new_profile);
+			aa_put_profile(new_profile);
+			new_profile = profile;
+			goto repeat;
+		}
+ 		if (!list_empty(&old_profile->task_contexts)) {
+ 			struct task_struct *task =
+ 				list_entry(old_profile->task_contexts.next,
+@@ -494,9 +513,8 @@ ssize_t aa_file_prof_replace(void *udata
+ 	} while (!new_cxt);
+ 	aa_free_task_context(new_cxt);
+ 	aa_put_profile(old_profile);
+-
+	aa_put_profile(new_profile);
+ out:
+-	mutex_unlock(&aa_interface_lock);
+ 
+ 	return size;
+ }
+@@ -513,29 +531,19 @@ ssize_t aa_file_prof_remove(const char *
+ {
+ 	struct aa_profile *profile;
+ 
+-	mutex_lock(&aa_interface_lock);
+ 	write_lock(&profile_list_lock);
+ 	profile = __aa_find_profile(name, &profile_list);
+ 	if (!profile) {
+ 		write_unlock(&profile_list_lock);
+-		mutex_unlock(&aa_interface_lock);
+ 		return -ENOENT;
+ 	}
+-	profile->isstale = 1;
+	profile->isstale = ERR_PTR(-ENOENT);
+ 	list_del_init(&profile->list);
+ 	write_unlock(&profile_list_lock);
+ 
+ 	lock_profile(profile);
+-	while (!list_empty(&profile->task_contexts)) {
+-		struct task_struct *task =
+-			list_entry(profile->task_contexts.next,
+-				   struct aa_task_context, list)->task;
+-		task_lock(task);
+-		aa_change_task_context(task, NULL, NULL, 0);
+-		task_unlock(task);
+-	}
+	remove_tasks_on_context_list(profile);
+ 	unlock_profile(profile);
+-	mutex_unlock(&aa_interface_lock);
+ 	aa_put_profile(profile);
+ 
+ 	return size;
+@@ -579,6 +587,8 @@ void free_aa_profile(struct aa_profile *
+ 		BUG();
+ 	}
+ 
+	if (!IS_ERR(profile->isstale))
+		aa_put_profile(profile->isstale);
+ 	aa_match_free(profile->file_rules);
+ 
+ 	/* use free_aa_profile instead of aa_put_profile to destroy the
+Index: b/security/apparmor/inline.h
+===================================================================
+--- a/security/apparmor/inline.h
+++ b/security/apparmor/inline.h
+@@ -104,6 +104,24 @@ static inline struct aa_profile *alloc_a
+ }
+ 
+ /**
+ * remove_tasks_on_context_list - remove tasks on @profiles task_contexts list
+ * @profile: profile to remove associated tasks
+ *
+ * Assumes that @profile lock is held
+ */
+static inline void remove_tasks_on_context_list(struct aa_profile *profile)
+{
+	while (!list_empty(&profile->task_contexts)) {
+		struct task_struct *task =
+			list_entry(profile->task_contexts.next,
+				   struct aa_task_context, list)->task;
+		task_lock(task);
+		aa_change_task_context(task, NULL, NULL, 0);
+		task_unlock(task);
+	}
+}
+
+/**
+  * lock_profile - lock a profile
+  * @profile: the profile to lock
+  *
--- a/kernel-patches/for-mainline/rename-activate-unpack.diff
+++ b/kernel-patches/for-mainline/rename-activate-unpack.diff
@ -0,0 +1,97 @@
+Index: b/security/apparmor/module_interface.c
+===================================================================
+--- a/security/apparmor/module_interface.c
+++ b/security/apparmor/module_interface.c
+@@ -38,7 +38,7 @@ enum aa_code {
+ 
+ /* aa_ext is the read of the buffer containing the serialized profile.  The
+  * data is copied into a kernel buffer in apparmorfs and then handed off to
+- * the activate routines.
+ * the unpack routines.
+  */
+ struct aa_ext {
+ 	void *start;
+@@ -188,12 +188,12 @@ fail:
+ }
+ 
+ /**
+- * aa_activate_dfa - unpack a file rule dfa
+ * aa_unpack_dfa - unpack a file rule dfa
+  * @e: serialized data extent information
+  *
+  * returns dfa or ERR_PTR
+  */
+-struct aa_dfa *aa_activate_dfa(struct aa_ext *e)
+struct aa_dfa *aa_unpack_dfa(struct aa_ext *e)
+ {
+ 	char *blob = NULL;
+ 	size_t size, error = 0;
+@@ -225,11 +225,11 @@ struct aa_dfa *aa_activate_dfa(struct aa
+ }
+ 
+ /**
+- * aa_activate_profile - unpack a serialized profile
+ * aa_unpack_profile - unpack a serialized profile
+  * @e: serialized data extent information
+  * @error: error code returned if unpacking fails
+  */
+-static struct aa_profile *aa_activate_profile(struct aa_ext *e)
+static struct aa_profile *aa_unpack_profile(struct aa_ext *e)
+ {
+ 	struct aa_profile *profile = NULL;
+ 
+@@ -261,7 +261,7 @@ static struct aa_profile *aa_activate_pr
+ 		goto fail;
+ 
+ 	/* get file rules */
+-	profile->file_rules = aa_activate_dfa(e);
+	profile->file_rules = aa_unpack_dfa(e);
+ 	if (IS_ERR(profile->file_rules)) {
+ 		error = PTR_ERR(profile->file_rules);
+ 		profile->file_rules = NULL;
+@@ -272,7 +272,7 @@ static struct aa_profile *aa_activate_pr
+ 	if (aa_is_nameX(e, AA_LIST, "hats")) {
+ 		while (!aa_is_nameX(e, AA_LISTEND, NULL)) {
+ 			struct aa_profile *subprofile;
+-			subprofile = aa_activate_profile(e);
+			subprofile = aa_unpack_profile(e);
+ 			if (IS_ERR(subprofile)) {
+ 				error = PTR_ERR(subprofile);
+ 				goto fail;
+@@ -298,15 +298,15 @@ fail:
+ }
+ 
+ /**
+- * aa_activate_profile_wrapper - unpack a serialized base profile
+ * aa_unpack_profile_wrapper - unpack a serialized base profile
+  * @e: serialized data extent information
+  *
+  * check interface version unpack a profile and all its hats and patch
+  * in any extra information that the profile needs.
+  */
+-static struct aa_profile *aa_activate_profile_wrapper(struct aa_ext *e)
+static struct aa_profile *aa_unpack_profile_wrapper(struct aa_ext *e)
+ {
+-	struct aa_profile *profile = aa_activate_profile(e);
+	struct aa_profile *profile = aa_unpack_profile(e);
+ 	if (!IS_ERR(profile) &&
+ 	    (!list_empty(&profile->sub) || profile->flags.complain)) {
+ 		int error;
+@@ -358,7 +358,7 @@ ssize_t aa_file_prof_add(void *data, siz
+ 	if (error)
+ 		return error;
+ 
+-	profile = aa_activate_profile_wrapper(&e);
+	profile = aa_unpack_profile_wrapper(&e);
+ 	if (IS_ERR(profile))
+ 		return PTR_ERR(profile);
+ 
+@@ -437,7 +437,7 @@ ssize_t aa_file_prof_replace(void *udata
+ 	if (error)
+ 		return error;
+ 
+-	new_profile = aa_activate_profile_wrapper(&e);
+	new_profile = aa_unpack_profile_wrapper(&e);
+ 	if (IS_ERR(new_profile))
+ 		return PTR_ERR(new_profile);
+ 
--- a/kernel-patches/for-mainline/series
+++ b/kernel-patches/for-mainline/series
@ -102,15 +102,25 @@ file-handle-ops-2.diff
 # unlink.diff
 coding-style.diff
 dir-leaf-nodes.diff
+#rename-file-type-aa_permission.diff
 rename-file-type.diff
+fix-rename-file-type.diff
 fix-vfs_rmdir.diff
 fix-change_hat-replacement.diff
 64bit-changehat.diff
 dfa-table-order.diff
 apparmor_getprocattr.diff
+fix_apparmor_getprocattr.diff
 rcu-task-context.diff
 rcu-task-context-2.diff
+rcu-fix-lock_both_profiles.diff
 no-inline-aa_change_task_context.diff
 rcu-task-context-3.diff 
 rcu-task-context-4.diff 
-rcu-task-context-5.diff 
+rcu-caps-cache-comment.diff
+rcu-stale-forward-ptr.diff
+rcu-locking-docs.txt
+rename-activate-unpack.diff
+#rcu-task-context-5.diff 
+misc-typos.diff
+warn-info-messages.diff
--- a/kernel-patches/for-mainline/warn-info-messages.diff
+++ b/kernel-patches/for-mainline/warn-info-messages.diff
@ -0,0 +1,237 @@
+Index: b/security/apparmor/apparmor.h
+===================================================================
+--- a/security/apparmor/apparmor.h
+++ b/security/apparmor/apparmor.h
+@@ -72,8 +72,14 @@ static inline int mediated_filesystem(st
+ 		if (apparmor_debug)					\
+ 			printk(KERN_DEBUG "AppArmor: " fmt, ##args);	\
+ 	} while (0)
+-#define AA_INFO(fmt, args...)	printk(KERN_INFO "AppArmor: " fmt, ##args)
+-#define AA_WARN(fmt, args...)	printk(KERN_WARNING "AppArmor: " fmt, ##args)
+#define AA_INFO(gfp, fmt, args...) \
+	do { \
+		printk(KERN_INFO "AppArmor: " fmt, ##args); \
+		aa_audit_message(NULL, gfp, 0, fmt, ##args); \
+	} while (0)
+#define AA_WARN(gfp, fmt, args...) \
+	aa_audit_message(NULL, gfp, 0, fmt, ##args);
+
+ #define AA_ERROR(fmt, args...)	printk(KERN_ERR "AppArmor: " fmt, ##args)
+ 
+ /* basic AppArmor data structures */
+Index: b/security/apparmor/apparmorfs.c
+===================================================================
+--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
+@@ -166,7 +166,7 @@ static char *aa_simple_write_to_buffer(c
+ 	 */
+ 	profile = aa_get_profile(current);
+ 	if (profile) {
+-		AA_WARN("REJECTING access to profile %s (%s(%d) "
+		AA_WARN(GFP_KERNEL, "REJECTING access to profile %s (%s(%d) "
+ 			"profile %s active %s)\n",
+ 			msg, current->comm, current->pid,
+ 			profile->parent->name, profile->name);
+Index: b/security/apparmor/lsm.c
+===================================================================
+--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
+@@ -628,7 +628,8 @@ static int apparmor_setprocattr(struct t
+ 
+ 		/* Only the current process may change it's hat */
+ 		if (current != task) {
+-			AA_WARN("%s: Attempt by foreign task %s(%d) "
+			AA_WARN(GFP_KERNEL,
+				"%s: Attempt by foreign task %s(%d) "
+ 				"[user %d] to changehat of task %s(%d)\n",
+ 				__FUNCTION__,
+ 				current->comm,
+@@ -655,7 +656,8 @@ static int apparmor_setprocattr(struct t
+ 		 */
+ 
+ 		if (!capable(CAP_SYS_ADMIN)) {
+-			AA_WARN("%s: Unprivileged attempt by task %s(%d) "
+			AA_WARN(GFP_KERNEL,
+				"%s: Unprivileged attempt by task %s(%d) "
+ 				"[user %d] to assign profile to task %s(%d)\n",
+ 				__FUNCTION__,
+ 				current->comm,
+@@ -679,7 +681,8 @@ static int apparmor_setprocattr(struct t
+ 				 */
+ 				error = size;
+ 		} else {
+-			AA_WARN("%s: Attempt by confined task %s(%d) "
+			AA_WARN(GFP_KERNEL,
+				"%s: Attempt by confined task %s(%d) "
+ 				"[user %d] to assign profile to task %s(%d)\n",
+ 				__FUNCTION__,
+ 				current->comm,
+@@ -693,8 +696,9 @@ static int apparmor_setprocattr(struct t
+ 		aa_put_profile(profile);
+ 	} else {
+ 		/* unknown operation */
+-		AA_WARN("%s: Unknown setprocattr command '%.*s' by task %s(%d) "
+-			"[user %d] for task %s(%d)\n",
+		AA_WARN(GFP_KERNEL,
+			"%s: Unknown setprocattr command '%.*s' by task %s(%d)"
+			" [user %d] for task %s(%d)\n",
+ 			__FUNCTION__,
+ 			size < 16 ? (int)size : 16,
+ 			cmd,
+@@ -780,7 +784,7 @@ static int __init apparmor_init(void)
+ 		goto register_security_out;
+ 	}
+ 
+-	AA_INFO("AppArmor initialized%s\n",
+	AA_INFO(GFP_KERNEL, "AppArmor initialized%s\n",
+ 		apparmor_complain ? complainmsg : "");
+ 	aa_audit_message(NULL, GFP_KERNEL, 0,
+ 		"AppArmor initialized%s\n",
+@@ -833,9 +837,10 @@ static void __exit apparmor_exit(void)
+ 	destroy_apparmorfs();
+ 
+ 	if (unregister_security(&apparmor_ops))
+-		AA_WARN("Unable to properly unregister AppArmor\n");
+		AA_INFO(GFP_KERNEL, "Unable to properly unregister "
+			"AppArmor\n");
+ 
+-	AA_INFO("AppArmor protection removed\n");
+	AA_INFO(GFP_KERNEL, "AppArmor protection removed\n");
+ 	aa_audit_message(NULL, GFP_KERNEL, 0,
+ 		"AppArmor protection removed\n");
+ }
+Index: b/security/apparmor/main.c
+===================================================================
+--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
+@@ -807,7 +807,7 @@ aa_register_find(struct aa_profile *prof
+ 
+ 			profile = aa_dup_profile(null_complain_profile);
+ 		} else {
+-			AA_WARN("REJECTING exec(2) of image '%s'. "
+			AA_WARN(GFP_KERNEL, "REJECTING exec(2) of image '%s'. "
+ 				"Profile mandatory and not found "
+ 				"(%s(%d) profile %s active %s)\n",
+ 				name,
+@@ -844,7 +844,8 @@ int aa_register(struct linux_binprm *bpr
+ 
+ 	filename = aa_get_name(filp->f_dentry, filp->f_vfsmnt, &buffer, 0);
+ 	if (IS_ERR(filename)) {
+-		AA_WARN("%s: Failed to get filename\n", __FUNCTION__);
+		AA_WARN(GFP_KERNEL, "%s: Failed to get filename\n",
+			__FUNCTION__);
+ 		return -ENOENT;
+ 	}
+ 
+@@ -907,7 +908,8 @@ repeat:
+ 			new_profile = aa_dup_profile(null_complain_profile);
+ 			exec_mode |= AA_EXEC_UNSAFE;
+ 		} else {
+-			AA_WARN("%s: Rejecting exec(2) of image '%s'. "
+			AA_WARN(GFP_KERNEL,
+				"%s: Rejecting exec(2) of image '%s'. "
+ 				"Unable to determine exec qualifier "
+ 				"(%s (pid %d) profile %s active %s)\n",
+ 				__FUNCTION__,
+@@ -1094,7 +1096,7 @@ int aa_change_hat(const char *hat_name, 
+ 
+ 	/* Dump out above debugging in WARN mode if we are in AUDIT mode */
+ 	if (APPARMOR_AUDIT(aa_task_context(current))) {
+-		AA_WARN("%s: %s, 0x%llx (pid %d)\n",
+		AA_WARN(GFP_KERNEL, "%s: %s, 0x%llx (pid %d)\n",
+ 			__FUNCTION__, hat_name ? hat_name : "NULL",
+ 			hat_magic, current->pid);
+ 	}
+Index: b/security/apparmor/module_interface.c
+===================================================================
+--- a/security/apparmor/module_interface.c
+++ b/security/apparmor/module_interface.c
+@@ -288,7 +288,7 @@ static struct aa_profile *aa_unpack_prof
+ 	return profile;
+ 
+ fail:
+-	AA_WARN("Invalid profile %s\n",
+	AA_WARN(GFP_KERNEL, "Invalid profile %s\n",
+ 		profile && profile->name ? profile->name : "unknown");
+ 
+ 	if (profile)
+@@ -329,13 +329,14 @@ static int aa_verify_header(struct aa_ex
+ {
+ 	/* get the interface version */
+ 	if (!aa_is_u32(e, &e->version, "version")) {
+-		AA_WARN("Interface version missing\n");
+		AA_WARN(GFP_KERNEL, "Interface version missing\n");
+ 		return -EPROTONOSUPPORT;
+ 	}
+ 
+ 	/* check that the interface version is currently supported */
+ 	if (e->version != 3) {
+-		AA_WARN("Unsupported interface version (%d)\n", e->version);
+		AA_WARN(GFP_KERNEL,
+			"Unsupported interface version (%d)\n", e->version);
+ 		return -EPROTONOSUPPORT;
+ 	}
+ 	return 0;
+Index: b/security/apparmor/procattr.c
+===================================================================
+--- a/security/apparmor/procattr.c
+++ b/security/apparmor/procattr.c
+@@ -86,7 +86,8 @@ int aa_setprocattr_changehat(char *hatin
+ 
+ 	magic = simple_strtoull(token, &hat, 16);
+ 	if (hat == token || *hat != '^') {
+-		AA_WARN("%s: Invalid input '%s'\n", __FUNCTION__, token);
+		AA_WARN(GFP_KERNEL, "%s: Invalid input '%s'\n",
+			__FUNCTION__, token);
+ 		goto out;
+ 	}
+ 
+@@ -97,7 +98,8 @@ int aa_setprocattr_changehat(char *hatin
+ 		hat = NULL;
+ 
+ 	if (!hat && !magic) {
+-		AA_WARN("%s: Invalid input, NULL hat and NULL magic\n",
+		AA_WARN(GFP_KERNEL,
+			"%s: Invalid input, NULL hat and NULL magic\n",
+ 			__FUNCTION__);
+ 		goto out;
+ 	}
+@@ -145,7 +147,8 @@ repeat:
+ 	if (strcmp(name_copy, "unconfined") != 0) {
+ 		new_profile = aa_find_profile(name_copy);
+ 		if (!new_profile) {
+-			AA_WARN("%s: Unable to switch task %s(%d) to profile"
+			AA_WARN(GFP_KERNEL,
+				"%s: Unable to switch task %s(%d) to profile"
+ 				"'%s'. No such profile.\n",
+ 				__FUNCTION__,
+ 				task->comm, task->pid,
+@@ -167,7 +170,8 @@ repeat:
+ 	}
+ 
+ 	if (new_profile) {
+-		AA_WARN("%s: Switching task %s(%d) "
+		AA_WARN(GFP_KERNEL,
+			"%s: Switching task %s(%d) "
+ 			"profile %s active %s to new profile %s\n",
+ 			__FUNCTION__,
+ 			task->comm, task->pid,
+@@ -177,14 +181,16 @@ repeat:
+ 			name_copy);
+ 	} else {
+ 		if (old_profile) {
+-			AA_WARN("%s: Unconfining task %s(%d) "
+			AA_WARN(GFP_KERNEL,
+				"%s: Unconfining task %s(%d) "
+ 				"profile %s active %s\n",
+ 				__FUNCTION__,
+ 				task->comm, task->pid,
+ 				old_profile->parent->name,
+ 				old_profile->name);
+ 		} else {
+-			AA_WARN("%s: task %s(%d) "
+			AA_WARN(GFP_KERNEL,
+				"%s: task %s(%d) "
+ 				"is already unconfined\n",
+ 				__FUNCTION__, task->comm, task->pid);
+ 		}