security/apparmor/Kconfig | 1 +
security/apparmor/apparmor.h | 7 +++----
security/apparmor/inline.h | 4 ++--
security/apparmor/list.c | 2 ++
security/apparmor/lsm.c | 22 ++++++----------------
security/apparmor/main.c | 5 +++--
security/apparmor/match.c | 5 +++--
security/apparmor/module_interface.c | 13 ++++++-------
8 files changed, 26 insertions(+), 33 deletions(-)
--- a/security/apparmor/Kconfig
+++ b/security/apparmor/Kconfig
@@ -3,6 +3,7 @@ config SECURITY_APPARMOR
 depends on SECURITY
 depends on SECURITY_NETWORK
 select AUDIT
+ default n
 help
 This enables the AppArmor security module.
 Required userspace tools (if they are not included in your
--- a/security/apparmor/apparmor.h
+++ b/security/apparmor/apparmor.h
@@ -214,9 +214,9 @@ struct aa_profile {
 char **exec_table;
 struct aa_dfa *file_rules;
 struct {
- int hat;
- int complain;
- int audit;
+ u32 hat;
+ u32 complain;
+ u32 audit;
 } flags;
 
 int isstale;
@@ -310,7 +310,6 @@ void aa_audit_status(struct aa_profile *
 int aa_audit_reject(struct aa_profile *profile, struct aa_audit *sa);
 extern int aa_audit_syscallreject(struct aa_profile *profile, gfp_t gfp,
 const char *);
-extern int aa_audit(struct aa_profile *profile, struct aa_audit *);
 extern int aa_attr(struct aa_profile *profile, struct dentry *dentry,
 struct vfsmount *mnt, struct iattr *iattr);
 
--- a/security/apparmor/inline.h
+++ b/security/apparmor/inline.h
@@ -21,7 +21,7 @@ static inline int mediated_filesystem(st
 static inline struct aa_task_context *aa_task_context(struct task_struct *task)
 {
- return (struct aa_task_context *) rcu_dereference(task->security);
+ return rcu_dereference(task->security);
 }
 
 static inline struct aa_namespace *aa_get_namespace(struct aa_namespace *ns)
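Review bot: `default n` is redundant for the SECURITY_APPARMOR entry: a Kconfig bool or tristate with no `default` line already defaults to n, and kernel Kconfig style omits an explicit n default. The symbol's type line sits above the hunk, so this assumes it is bool or tristate as a security-module switch normally is; if so, the added line can simply be dropped with no change in behaviour.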
@@ -91,7 +91,7 @@ static inline struct aa_profile *aa_get_
 static inline struct aa_profile *aa_find_profile(struct aa_namespace *ns,
 const char *name)
 {
- struct aa_profile *profile = NULL;
+ struct aa_profile *profile;
 
 read_lock(&ns->lock);
 profile = aa_dup_profile(__aa_find_profile(name, &ns->profiles));
--- a/security/apparmor/list.c
+++ b/security/apparmor/list.c
@@ -112,6 +112,7 @@ static struct aa_profile *next_profile(s
 }
 
 static void *p_start(struct seq_file *f, loff_t *pos)
+ __acquires(profile_ns_list_lock)
 {
 struct aa_namespace *ns;
 loff_t l = *pos;
@@ -144,6 +145,7 @@ static void *p_next(struct seq_file *f,
 }
 
 static void p_stop(struct seq_file *f, void *p)
+ __releases(profile_ns_list_lock)
 {
 struct aa_profile *profile = (struct aa_profile *) p;
 
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -10,7 +10,7 @@
 */
 
 #include
-#include
+#include
 #include
 #include
 #include
@@ -59,27 +59,21 @@ static int param_get_aauint(char *buffer
 */
 int apparmor_complain;
 module_param_named(complain, apparmor_complain, aabool, S_IRUSR | S_IWUSR);
-MODULE_PARM_DESC(apparmor_complain, "Toggle AppArmor complain mode");
 
 /* Debug mode */
 int apparmor_debug;
 module_param_named(debug, apparmor_debug, aabool, S_IRUSR | S_IWUSR);
-MODULE_PARM_DESC(apparmor_debug, "Toggle AppArmor debug mode");
 
 /* Audit mode */
 int apparmor_audit;
 module_param_named(audit, apparmor_audit, aabool, S_IRUSR | S_IWUSR);
-MODULE_PARM_DESC(apparmor_audit, "Toggle AppArmor audit mode");
-
 /* Syscall logging mode */
 int apparmor_logsyscall;
 module_param_named(logsyscall, apparmor_logsyscall, aabool, S_IRUSR | S_IWUSR);
-MODULE_PARM_DESC(apparmor_logsyscall, "Toggle AppArmor logsyscall mode");
 
 /* Maximum pathname length before accesses will start getting rejected */
 unsigned int apparmor_path_max = 2 * PATH_MAX;
 module_param_named(path_max, apparmor_path_max, aauint, S_IRUSR | S_IWUSR);
-MODULE_PARM_DESC(apparmor_path_max, "Maximum pathname length allowed");
 
 /* Boot time disable flag */
 #ifdef CONFIG_SECURITY_APPARMOR_DISABLE
@@ -88,10 +82,9 @@ MODULE_PARM_DESC(apparmor_path_max, "Max
 #define AA_ENABLED_PERMS 0400
 #endif
 static int param_set_aa_enabled(const char *val, struct kernel_param *kp);
-unsigned int apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE;
+static unsigned int apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE;
 module_param_call(enabled, param_set_aa_enabled, param_get_aauint,
 &apparmor_enabled, AA_ENABLED_PERMS);
-MODULE_PARM_DESC(apparmor_enabled, "Enable/Disable Apparmor on boot");
 
 static int __init apparmor_enabled_setup(char *str)
 {
@@ -578,7 +571,7 @@ static int apparmor_file_permission(stru
 aa_mask_permissions(mask));
 }
 
-static inline int apparmor_file_lock(struct file *file, unsigned int cmd)
+static int apparmor_file_lock(struct file *file, unsigned int cmd)
 {
 int mask = AA_MAY_LOCK;
 if (cmd == F_WRLCK)
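Review bot: The blank line removed after `module_param_named(audit, ...)` leaves `/* Syscall logging mode */` glued to the previous parameter block, while the complain, debug, logsyscall and path_max blocks all keep one empty line between them; keep that line as context so the five blocks stay uniformly separated. The MODULE_PARM_DESC removals themselves only drop .modinfo strings that a modular build would emit, so the sysfs parameters and their S_IRUSR | S_IWUSR permissions are unchanged by this hunk.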
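Review bot: `static unsigned int apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE;` runs past 80 columns; wrap the initializer, e.g. `static unsigned int apparmor_enabled =` followed by `CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE;` on a continuation line. Making the variable static is only safe if no other translation unit reads it — the apparmor.h hunk on this page removes no `extern` declaration for it, so either none existed or it was missed; worth a grep of the other AppArmor sources before merging.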
@@ -604,8 +597,8 @@ static void apparmor_file_free_security(
 aa_put_profile(file_profile);
 }
 
-static inline int aa_mmap(struct file *file, const char *operation,
- unsigned long prot, unsigned long flags)
+static int aa_mmap(struct file *file, const char *operation,
+ unsigned long prot, unsigned long flags)
 {
 struct dentry *dentry;
 int mask = 0;
@@ -936,7 +929,7 @@ int apparmor_unregister_subsecurity(cons
 return error;
 }
 
-struct security_operations apparmor_ops = {
+static struct security_operations apparmor_ops = {
 .name = "apparmor",
 .ptrace = apparmor_ptrace,
 .capget = cap_capget,
@@ -1083,6 +1076,3 @@ void apparmor_disable(void)
 info_message("AppArmor protection removed", NULL);
 }
 
-MODULE_DESCRIPTION("AppArmor process confinement");
-MODULE_AUTHOR("Novell/Immunix, http://bugs.opensuse.org");
-MODULE_LICENSE("GPL");
--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
@@ -299,7 +299,7 @@ int aa_audit_reject(struct aa_profile *p
 * @profile: profile to check against
 * @sa: audit event
 */
-int aa_audit(struct aa_profile *profile, struct aa_audit *sa)
+static int aa_audit(struct aa_profile *profile, struct aa_audit *sa)
 {
 int type = AUDIT_APPARMOR_DENIED;
 struct audit_context *audit_cxt;
@@ -520,7 +520,8 @@ static char *new_compound_name(const cha
 sprintf(name, "%s//%s", n1, n2);
 return name;
 }
-static inline void aa_put_name_buffer(char *buffer)
+
+static void aa_put_name_buffer(char *buffer)
 {
 kfree(buffer);
 }
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -226,8 +226,9 @@ void aa_match_free(struct aa_dfa *dfa)
 * but that would require traversing the string twice and be slightly
 * slower.
 */
-unsigned int aa_dfa_next_state_len(struct aa_dfa *dfa, unsigned int start,
- const char *str, int len)
+static unsigned int aa_dfa_next_state_len(struct aa_dfa *dfa,
+ unsigned int start,
+ const char *str, int len)
 {
 u16 *def = DEFAULT_TABLE(dfa);
 u32 *base = BASE_TABLE(dfa);
--- a/security/apparmor/module_interface.c
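Review bot: Dropping `MODULE_LICENSE("GPL")` together with the other MODULE_* macros at the end of lsm.c is only correct if SECURITY_APPARMOR can no longer be built as a module; the Kconfig hunk on this page does not show the symbol's type. If a tristate build remains possible, a module without MODULE_LICENSE taints the kernel and loses access to EXPORT_SYMBOL_GPL exports, so either keep `MODULE_LICENSE("GPL");` or confirm the symbol is bool-only. The start of apparmor_disable is outside the hunk.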
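Review bot: With `aa_audit` now static in main.c and its `extern` prototype deleted from apparmor.h in this series, any function earlier in main.c that calls it — the hunk header shows aa_audit_reject is defined immediately above — is left with no prior declaration, which is an implicit-declaration warning or error depending on the build flags. If such a caller exists, add `static int aa_audit(struct aa_profile *profile, struct aa_audit *sa);` near the top of main.c. The match.c hunk at -226 has the same shape for aa_dfa_next_state_len, and there the old non-static prototype, if one lives in a header, is not removed anywhere on this page.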
+++ b/security/apparmor/module_interface.c
@@ -61,7 +61,7 @@ struct aa_ext {
 char *ns_name;
 };
 
-static inline int aa_inbounds(struct aa_ext *e, size_t size)
+static int aa_inbounds(struct aa_ext *e, size_t size)
 {
 return (size <= e->end - e->pos);
 }
@@ -94,7 +94,7 @@ fail:
 return 0;
 }
 
-static inline int aa_is_X(struct aa_ext *e, enum aa_code code)
+static int aa_is_X(struct aa_ext *e, enum aa_code code)
 {
 if (!aa_inbounds(e, 1))
 return 0;
@@ -369,7 +369,7 @@ fail:
 static struct aa_profile *aa_unpack_profile(struct aa_ext *e,
 struct aa_audit *sa)
 {
- struct aa_profile *profile = NULL;
+ struct aa_profile *profile;
 size_t size = 0;
 int i, error = -EPROTO;
 
@@ -465,8 +465,7 @@ fail:
 sa->info = "failed to unpack profile";
 aa_audit_status(NULL, sa);
 
- if (profile)
- free_aa_profile(profile);
+ free_aa_profile(profile);
 return ERR_PTR(error);
 }
 
@@ -508,7 +507,7 @@ static int aa_verify_header(struct aa_ex
 */
 ssize_t aa_add_profile(void *data, size_t size)
 {
- struct aa_profile *profile = NULL;
+ struct aa_profile *profile;
 struct aa_namespace *ns = NULL;
 struct aa_ext e = {
 .start = data,
@@ -585,7 +584,7 @@ ssize_t aa_add_profile(void *data, size_
 * @new_cxt: new aa_task_context to do replacement with
 * @new_profile: new profile
 */
-static inline void task_replace(struct task_struct *task,
+static void task_replace(struct task_struct *task,
 struct aa_task_context *new_cxt,
 struct aa_profile *new_profile)
 {
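Review bot: `return (size <= e->end - e->pos);` in aa_inbounds is only a sound bounds check while `e->pos <= e->end` holds: `e->pos` and `e->end` look like pointers (aa_ext is initialised with `.start = data` in the -508 hunk), so a pos that has already overrun end gives a negative difference that the comparison against size_t converts to a huge unsigned value, after which every check passes. Since this is the gate each read of the userspace-supplied profile blob goes through (aa_is_X calls it in the next hunk), either document the invariant above the function, e.g. `/* callers must never advance pos past end; the unsigned compare relies on it */`, or make it explicit with `return e->pos <= e->end && size <= (size_t)(e->end - e->pos);`. The field types themselves are declared above the hunk, so confirm before relying on the pointer reading.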
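Review bot: Removing `= NULL` from `profile` in aa_unpack_profile while the -465 hunk turns the fail-path cleanup into an unconditional `free_aa_profile(profile);` means any `goto fail` taken before `profile` is allocated frees an uninitialised pointer; the body between these two hunks is not on the page, so such a path cannot be ruled out from here. That is a kernel crash reachable from a malformed profile load, so keep `struct aa_profile *profile = NULL;` unless every early `goto fail` has been audited, in which case say so in a comment at the `fail:` label (the change also presumes free_aa_profile accepts NULL, which the old `if (profile)` guard did not rely on). The -508 hunk removes the same initialiser from aa_add_profile, and the same question applies to its error path, which is likewise outside the page.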