Index: linux-2.6.19/security/apparmor/Kconfig
===================================================================
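--- linux-2.6.19.orig/security/apparmor/Kconfig
+++ linux-2.6.19/security/apparmor/Kconfig
@@ -1,8 +1,9 @@
 config SECURITY_APPARMOR
- tristate "AppArmor support"
- depends on SECURITY!=n
+ bool "AppArmor support"
+ depends on SECURITY && AUDIT
+ default n
 help
- This enables the AppArmor security module.
+ This enables the AppArmor security module (built-in only).
 Required userspace tools (if they are not included in your
 distribution) and further information may be found at
 <http://forge.novell.com/modules/xfmod/project/?apparmor>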
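Review bot: The help text under `config SECURITY_APPARMOR` does not explain what the two new constraints mean for the person configuring the kernel. With `depends on SECURITY && AUDIT` the option is no longer offered at all when CONFIG_AUDIT is off, and with `bool` there is no module left to unload. I would extend the help with a sentence such as `Requires CONFIG_AUDIT. AppArmor can only be built in and cannot be unloaded at run time.` The added `default n` is also redundant, since a bool symbol without a default is already n, and could be dropped.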
Index: linux-2.6.19/security/apparmor/lsm.c
===================================================================
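--- linux-2.6.19.orig/security/apparmor/lsm.c
+++ linux-2.6.19/security/apparmor/lsm.c
@@ -53,36 +53,6 @@ int apparmor_logsyscall = 0;
 module_param_named(logsyscall, apparmor_logsyscall, int, S_IRUSR);
 MODULE_PARM_DESC(apparmor_logsyscall, "Toggle AppArmor logsyscall mode");
 
-#ifndef MODULE
-static int __init aa_getopt_complain(char *str)
-{
- get_option(&str, &apparmor_complain);
- return 1;
-}
-__setup("apparmor_complain=", aa_getopt_complain);
-
-static int __init aa_getopt_debug(char *str)
-{
- get_option(&str, &apparmor_debug);
- return 1;
-}
-__setup("apparmor_debug=", aa_getopt_debug);
-
-static int __init aa_getopt_audit(char *str)
-{
- get_option(&str, &apparmor_audit);
- return 1;
-}
-__setup("apparmor_audit=", aa_getopt_audit);
-
-static int __init aa_getopt_logsyscall(char *str)
-{
- get_option(&str, &apparmor_logsyscall);
- return 1;
-}
-__setup("apparmor_logsyscall=", aa_getopt_logsyscall);
-#endif
-
 static int apparmor_ptrace(struct task_struct *parent,
 struct task_struct *child)
 {
@@ -891,67 +861,4 @@ createfs_out:
 
 }
 
-static int apparmor_exit_removeall_iter(struct subdomain *sd, void *cookie)
-{
- /* spin_lock(&sd_lock) held here */
-
- if (__aa_is_confined(sd)) {
- AA_DEBUG("%s: Dropping profiles %s(%d) "
- "profile %s(%p) active %s(%p)\n",
- __FUNCTION__,
- sd->task->comm, sd->task->pid,
- BASE_PROFILE(sd->active)->name,
- BASE_PROFILE(sd->active),
- sd->active->name, sd->active);
- aa_switch_unconfined(sd);
- }
-
- return 0;
-}
-
-static void __exit apparmor_exit(void)
-{
- unsigned long flags;
-
- /* Remove profiles from the global profile list.
- * This is just for tidyness as there is no way to reference this
- * list once the AppArmor lsm hooks are detached (below)
- */
- aa_profilelist_release();
-
- /* Remove profiles from active tasks
- * If this is not done, if module is reloaded after being removed,
- * old profiles (still refcounted in memory) will become 'magically'
- * reattached
- */
-
- spin_lock_irqsave(&sd_lock, flags);
- aa_subdomainlist_iterate(apparmor_exit_removeall_iter, NULL);
- spin_unlock_irqrestore(&sd_lock, flags);
-
- /* Free up list of active subdomain */
- aa_subdomainlist_release();
-
- free_null_complain_profile();
-
- destroy_apparmorfs();
-
- if (unregister_security(&apparmor_ops))
- AA_WARN("Unable to properly unregister AppArmor\n");
-
- /* delay for an rcu cycle to make ensure that profiles pending
- * destruction in the rcu callback are freed.
- */
- synchronize_rcu();
-
- AA_INFO("AppArmor protection removed\n");
- aa_audit_message(NULL, GFP_KERNEL, 0,
- "AppArmor protection removed\n");
-}
-
 module_init(apparmor_init);
-module_exit(apparmor_exit);
-
-MODULE_DESCRIPTION("AppArmor process confinement");
-MODULE_AUTHOR("Tony Jones <tonyj@suse.de>");
-MODULE_LICENSE("GPL");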
Index: linux-2.6.19/security/Makefile
===================================================================
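--- linux-2.6.19.orig/security/Makefile
+++ linux-2.6.19/security/Makefile
@@ -16,7 +16,7 @@ obj-$(CONFIG_SECURITY) += security.o d
 # Must precede capability.o in order to stack properly.
 obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
 ifeq ($(CONFIG_SECURITY_APPARMOR),y)
-obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/built-in.o
+obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/built-in.o commoncap.o
 endif
 obj-$(CONFIG_SECURITY_CAPABILITIES) += commoncap.o capability.o
 obj-$(CONFIG_SECURITY_ROOTPLUG) += commoncap.o root_plug.o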
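Review bot: The new `commoncap.o` on the AppArmor line has no comment saying why it is linked. Presumably lsm.c calls the common capability helpers and must link even when CONFIG_SECURITY_CAPABILITIES is off, which should be confirmed against the hook table. A one-line comment above the rule would record this, for example `# AppArmor falls back to the commoncap helpers, so link commoncap.o with it`. The surrounding `ifeq ($(CONFIG_SECURITY_APPARMOR),y)` / `endif` pair is now redundant as well: the Kconfig change in this patch makes the symbol a bool, so `obj-$(CONFIG_SECURITY_APPARMOR)` can no longer expand to `obj-m`.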