
- fix-complain.diff Fixes deny rules in complain mode so that they don't reject events - mount-capability.diff Allow confined applications to mount and unmount as long as they have capability sys_admin - fix-config.diff Add the missing SECURITY_NETWORK dependency - fix-security-param.diff Make apparmor respect the security= parameter - securit_default.diff Add a new kernel config option to allow setting the default LSM, When multiple LSMs are compiled into the kernel this is often more desirable than taking the first LSM to register - fork-tracking.diff Newer kernels have changed the allocation of child pid until after the security_clone hook. This breaks AppArmor's fork tracking for processes that enter the null-complain-profile. To fix this the parent pid is output with every message. A corresponding update in the tools also must be done. - fix-d_namespace_path.diff It is possible that the root.mnt->mnt_ns has been unmounted, resulting in an oops. In this case just test for it, and if it happens the ns_root.mnt passed to __d_path will be NULL resulting in a disconnected path. - AppArmor-misc-cleanups.diff Some miscellaneous cleanups from Miklos Szeredi, covering some kernel coding style and defaults cleanups - AppArmor-checkpatch.diff patch from Miklos Szeredi, to cleanup sparse warnings, and other misc coding style errors.
From: John Johansen <jjohansen@suse.de>
Subject: fix log messages to enable tools profile learning
Patch-mainline: no
References: bnc#447564
The allocation of the child pid is done after the LSM clone hook, which
breaks the AppArmor tools' fork tracking for profile learning. Output
the parent pid with each log message to enable the tools to handle fork
tracking.
Signed-off-by: John Johansen <jjohansen@suse.de>
---
security/apparmor/main.c | 10 +++++-----
security/apparmor/module_interface.c | 2 +-
2 files changed, 6 insertions(+), 6 deletions(-)
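--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
@@ -229,9 +229,13 @@ static int aa_audit_base(struct aa_profi
 audit_log_format(ab, " protocol=%d", sa->protocol);
 }
 
-audit_log_format(ab, " pid=%d", current->pid);
+audit_log_format(ab, " pid=%d", current->pid);
 
 if (profile) {
+if (!sa->parent)
+audit_log_format(ab, " parent=%d",
+current->real_parent->pid);
+
 audit_log_format(ab, " profile=");
 audit_log_untrustedstring(ab, profile->name);
 
@@ -1007,10 +1011,6 @@ repeat:
 
 unlock_profile(profile);
 
-if (APPARMOR_COMPLAIN(child_cxt) &&
-profile == profile->ns->null_complain_profile) {
-aa_audit_hint(profile, &sa);
-}
 aa_put_profile(profile);
 } else
 aa_free_task_context(child_cxt);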
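Review bot: The added `current->real_parent->pid` in aa_audit_base reads real_parent with no rcu_read_lock() or tasklist_lock visible in the hunk; the parent can be reparented concurrently, so the read should be protected, e.g. `rcu_read_lock(); ppid = rcu_dereference(current->real_parent)->pid; rcu_read_unlock();` before the audit_log_format call (exact form depends on the kernel version this targets). The commit message says every message now carries the parent pid, but the emission is inside `if (profile)` and further gated by `!sa->parent`, so messages logged without a profile, or with sa->parent set, carry none; if that is intended, a comment such as `/* parent= is only needed by the tools for profiled tasks; sa->parent overrides it */` would record the contract the userspace tools rely on. Both pid fields are the raw `->pid` values rather than namespace-relative ones, which is worth a note if this kernel has pid namespaces enabled. aa_audit_base starts and ends outside the hunk.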
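--- a/security/apparmor/module_interface.c
+++ b/security/apparmor/module_interface.c
@@ -126,7 +126,7 @@ static int aa_is_nameX(struct aa_ext *e,
 * AA_NAME tag value is a u16.
 */
 if (aa_is_X(e, AA_NAME)) {
-char *tag;
+char *tag = NULL;
 size_t size = aa_is_u16_chunk(e, &tag);
 /* if a name is specified it must match. otherwise skip tag */
 if (name && (!size || strcmp(name, tag)))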
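Review bot: `char *tag = NULL;` only makes the failure path of aa_is_u16_chunk well-defined; the `strcmp(name, tag)` on the following line still assumes the chunk returned from the policy blob is NUL-terminated inside the buffer, which nothing in this hunk establishes. If aa_is_u16_chunk does not enforce termination, a length-bounded comparison that also checks `size` against the expected name length would make the match independent of the blob contents; otherwise a comment on the `size_t size` line stating that guarantee (`/* aa_is_u16_chunk guarantees tag is NUL-terminated within the blob */`, if true) would let the next reader stop worrying. aa_is_nameX starts and ends outside the hunk.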