patches
0001-0022 are backports of fixes from the 4.8 pull-request
0023-0025 are the out of tree feature patches
Signed-off-by: John Johansen <john.johansen@canonical.com>
- fix-complain.diff
Fixes deny rules in complain mode so that they don't reject events
- mount-capability.diff
Allow confined applications to mount and unmount as long as they
have capability sys_admin
- fix-config.diff
Add the missing SECURITY_NETWORK dependency
- fix-security-param.diff
Make apparmor respect the security= parameter
- securit_default.diff
Add a new kernel config option to allow setting the default LSM.
When multiple LSMs are compiled into the kernel this is often
more desirable than taking the first LSM to register
- fork-tracking.diff
Newer kernels have changed the allocation of child pid until after
the security_clone hook. This breaks AppArmor's fork tracking
for processes that enter the null-complain-profile.
To fix this the parent pid is output with every message. A corresponding
update in the tools also must be done.
- fix-d_namespace_path.diff
It is possible that the root.mnt->mnt_ns has been unmounted, resulting
in an oops. In this case just test for it, and if it happens the
ns_root.mnt passed to __d_path will be NULL resulting in a disconnected
path.
- AppArmor-misc-cleanups.diff
Some miscellaneous cleanups from Miklos Szeredi, covering some
kernel coding style and defaults cleanups
- AppArmor-checkpatch.diff
patch from Miklos Szeredi, to clean up sparse warnings, and other misc
coding style errors.
of rlimits supported by the kernel.
- remove hat rules
- add hat flag for each profile
- fix apparmorfs profile listing code. Used to only return the first
80 or so profiles, and then refuse to output more
- rework how null transitions are done.
M fix-profile-namespaces.diff
- fix namespaces to use the :namespace: syntax
A cap-set.diff
- allow a profile to set a task's capabilities similar to fscap
A rlimits.diff
- allow control of a task's rlimits
- fix split init so that apparmor can be enabled at the boot command line.
The init was broken so that apparmor couldn't be enabled unless enabled
by default.
M apparmor-fix-lock-letter.diff
- fix the lock letter being reported (z -> k) and update some comments
A apparmor-create-append.diff
- fix semantic bug where full write perms were needed to create a new file,
where only append is needed.
M fix-link-subset.diff
- partial fix of link subset
A no-safex-link-subset.diff
- more link subset fixes
A audit-log-type-in-syslog.diff
- fix audit type being missing when messages go to syslog. This patch
is needed for apparmor to work when messages go to syslog instead of
auditd. This patch can be dropped when upstream includes the
patch to report audit number when reporting to syslog
A audit-uid.diff
- report the fsuid to the log
A hat_perm.diff
- setup to use hat permissions instead of just profile search for
2.3
A apparmor-failed-name-error.diff
- fix a bug where on failed name resolution no error or information is
output. It now reports info in the status field and includes an
error_code
A extend-x-mods.diff
- extend the x-mods in preparation of audit ctl
A apparmor-secondary-accept.diff
- extend the dfa to have a second accept table used for audit ctl
A apparmor-audit-flags2.diff
- extend apparmor to support audit ctl of individual permissions.
- finish fixing link-subset
A fix-change_profile-namespace.diff
- Not applied, ignore
- pass vfsmnt param for cgroups
A fix-user-audit.diff
- nothing
A fix-link-subset.diff
- fix reporting of failed link subsets
A apparmor-fix-lock-letter.diff
- fix the reported lock letter in apparmorfs/matching
- reverted audit request_mask back to requested_mask
A apparmor-fix-sysctl-refcount.diff
- fix a refcount leak in sysctl audit