4.4-stable patches

added patches:
	apparmor-fix-security_apparmor_hash_default-parameter-handling.patch

diff --git a/queue-4.4/apparmor-fix-security_apparmor_hash_default-parameter-handling.patch b/queue-4.4/apparmor-fix-security_apparmor_hash_default-parameter-handling.patch
new file mode 100644 (file)
index 0000000..549c843
--- /dev/null
+++ b/queue-4.4/apparmor-fix-security_apparmor_hash_default-parameter-handling.patch
@@ -0,0 +1,63 @@
+From 7616ac70d1bb4f2e9d25c1a82d283f3368a7b632 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 25 Jul 2016 10:59:07 -0700
+Subject: apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT parameter handling
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 7616ac70d1bb4f2e9d25c1a82d283f3368a7b632 upstream.
+
+The newly added Kconfig option could never work and just causes a build error
+when disabled:
+
+security/apparmor/lsm.c:675:25: error: 'CONFIG_SECURITY_APPARMOR_HASH_DEFAULT' undeclared here (not in a function)
+ bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT;
+
+The problem is that the macro undefined in this case, and we need to use the IS_ENABLED()
+helper to turn it into a boolean constant.
+
+Another minor problem with the original patch is that the option is even offered
+in sysfs when SECURITY_APPARMOR_HASH is not enabled, so this also hides the option
+in that case.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Fixes: 6059f71f1e94 ("apparmor: add parameter to control whether policy hashing is used")
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+[backported to 4.4 by Loic]
+Cc: Loic <hackurx@opensec.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+---
+ security/apparmor/crypto.c |    3 +++
+ security/apparmor/lsm.c    |    6 ++++++
+ 2 files changed, 9 insertions(+)
+
+--- a/security/apparmor/crypto.c
++++ b/security/apparmor/crypto.c
+@@ -39,6 +39,9 @@ int aa_calc_profile_hash(struct aa_profi
+       int error = -ENOMEM;
+       u32 le32_version = cpu_to_le32(version);
+ 
++      if (!aa_g_hash_policy)
++              return 0;
++
+       if (!apparmor_tfm)
+               return 0;
+ 
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -692,6 +692,12 @@ enum profile_mode aa_g_profile_mode = AP
+ module_param_call(mode, param_set_mode, param_get_mode,
+                 &aa_g_profile_mode, S_IRUSR | S_IWUSR);
+ 
++#ifdef CONFIG_SECURITY_APPARMOR_HASH
++/* whether policy verification hashing is enabled */
++bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT);
++module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
++#endif
++
+ /* Debug mode */
+ bool aa_g_debug;
+ module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);

diff --git a/queue-4.4/series b/queue-4.4/series
index 6888714437c14f284bc35da259b1918711e9a897..17d56cdcbd9a66104ce55800ab80155d2db7273e 100644 (file)
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -54,3 +54,4 @@ mtd-ubi-wl-fix-error-return-code-in-ubi_wl_init.patch
 autofs-fix-autofs_sbi-does-not-check-super-block-type.patch
 x86-speculation-l1tf-increase-l1tf-memory-limit-for-nehalem.patch
 mm-get-rid-of-vmacache_flush_all-entirely.patch
+apparmor-fix-security_apparmor_hash_default-parameter-handling.patch