Add kernel patches that will NEVER be sent upstream. These provide abi
compatibility with the v2.x network and af_unix rules.
The 4.17 network mediation pull request deliberately broke abi
compatibility with the v2.x rules, and these are provided so that
distros who shipped the v2.x compatible patches can provide new
kernels on older releases that require v2.x network support.
Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor: fix regression in network mediation when using feature pinning
When the 4.14-rc6 and earlier kernels are used with an upstream 4.13
or earlier pinned feature set, there is a regression in network
mediation where policy is not being correctly enforced, because the
compilation is completely dropping the af mediation table as expected
by pre 4.14 kernels but the 4.14 kernel is not accounting for this.
Resulting in network denials that can not be fixed by policy.
Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor: fix regression in network mediation when using feature pinning
When the 4.14-rc6 and earlier kernels are used with an upstream 4.13
or earlier pinned feature set, there is a regression in network
mediation where policy is not being correctly enforced, because the
compilation is completely dropping the af mediation table as expected
by pre 4.14 kernels but the 4.14 kernel is not accounting for this.
Resulting in network denials that can not be fixed by policy.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The old out of tree patchseries has been completely dropped. v4.13
has most of the newer apparmor 3.x code in it. v4.14 has the rest except
the af_unix mediation which is included as the last patch
patches
0001-0022 are backports of fixes from the 4.8 pull-request
0023-0025 are the out of tree feature patches
Signed-off-by: John Johansen <john.johansen@canonical.com>
- fix-complain.diff
Fixes deny rules in complain mode so that they don't reject events
- mount-capability.diff
Allow confined applications to mount and unmount as long as they
have capability sys_admin
- fix-config.diff
Add the missing SECURITY_NETWORK dependency
- fix-security-param.diff
Make apparmor respect the security= parameter
- securit_default.diff
Add a new kernel config option to allow setting the default LSM,
When multiple LSMs are compiled into the kernel this is often
more desirable than taking the first LSM to register
- fork-tracking.diff
Newer kernels have changed the allocation of child pid until after
the security_clone hook. This breaks AppArmor's fork tracking
for processes that enter the null-complain-profile.
To fix this the parent pid is output with every message. A corresponding
update in the tools also must be done.
- fix-d_namespace_path.diff
It is possible that the root.mnt->mnt_ns has been unmounted, resulting
in an oops. In this case just test for it, and if it happens the
ns_root.mnt passed to __d_path will be NULL resulting in a disconnected
path.
- AppArmor-misc-cleanups.diff
Some miscelleanous cleanups from Miklos Szeredi, covering some
kernel coding style and defaults cleanups
- AppArmor-checkpatch.diff
patch from Miklos Szeredi, to cleanup sparse warnings, and other misc
coding style errors.
of rlimits supported by the kernel.
- remove hat rules
- add hat flag for each profile
- fix apparmorfs profile listing code. Used to only return the first
80 or so profiles, and then refuse to output more
- rework how null transitions are done.
M fix-profile-namespaces.diff
- fix namespaces to use the :namespace: syntax
A cap-set.diff
- allow a profile to set a tasks capabilities similar to fscap
A rlimits.diff
- allow control of a tasks rlimits
