[people/pmueller/ipfire-2.x.git] / src / patches / suse-2.6.27.31 / patches.apparmor / fork-tracking.diff

From: John Johansen <jjohansen@suse.de>
Subject: fix log messages to enable tools profile learning
Patch-mainline: no
References: bnc#447564  

The allocation of the child pid is done after the LSM clone hook, which
breaks the AppArmor tools fork tracking, for profiles learning.  Output
the parent pid with each log message to enable the tools to handle fork
tracking.

Signed-off-by: John Johansen <jjohansen@suse.de>

---
 security/apparmor/lsm.c              |   28 ----------------------------
 security/apparmor/main.c             |   10 +++++-----
 security/apparmor/module_interface.c |    2 +-
 3 files changed, 6 insertions(+), 34 deletions(-)

--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -143,20 +143,6 @@ static int param_set_aa_enabled(const ch
 	return 0;
 }
 
-static int aa_reject_syscall(struct task_struct *task, gfp_t flags,
-			     const char *name)
-{
-	struct aa_profile *profile = aa_get_profile(task);
-	int error = 0;
-
-	if (profile) {
-		error = aa_audit_syscallreject(profile, flags, name);
-		aa_put_profile(profile);
-	}
-
-	return error;
-}
-
 static int apparmor_ptrace(struct task_struct *parent,
 			   struct task_struct *child)
 {
@@ -292,17 +278,6 @@ static int apparmor_bprm_secureexec(stru
 	return ret;
 }
 
-static int apparmor_sb_mount(char *dev_name, struct path *path, char *type,
-			      unsigned long flags, void *data)
-{
-	return aa_reject_syscall(current, GFP_KERNEL, "mount");
-}
-
-static int apparmor_umount(struct vfsmount *mnt, int flags)
-{
-	return aa_reject_syscall(current, GFP_KERNEL, "umount");
-}
-
 static int apparmor_inode_mkdir(struct inode *dir, struct dentry *dentry,
 				struct vfsmount *mnt, int mask)
 {
@@ -925,9 +900,6 @@ struct security_operations apparmor_ops
 	.bprm_set_security =		apparmor_bprm_set_security,
 	.bprm_secureexec =		apparmor_bprm_secureexec,
 
-	.sb_mount =			apparmor_sb_mount,
-	.sb_umount =			apparmor_umount,
-
 	.inode_mkdir =			apparmor_inode_mkdir,
 	.inode_rmdir =			apparmor_inode_rmdir,
 	.inode_create =			apparmor_inode_create,
--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
@@ -229,9 +229,13 @@ static int aa_audit_base(struct aa_profi
 		audit_log_format(ab, " protocol=%d", sa->protocol);
 	}
 
-        audit_log_format(ab, " pid=%d", current->pid);
+	audit_log_format(ab, " pid=%d", current->pid);
 
 	if (profile) {
+		if (!sa->parent)
+			audit_log_format(ab, " parent=%d",
+					 current->real_parent->pid);
+
 		audit_log_format(ab, " profile=");
 		audit_log_untrustedstring(ab, profile->name);
 
@@ -1006,10 +1010,6 @@ repeat:
 
 		unlock_profile(profile);
 
-		if (APPARMOR_COMPLAIN(child_cxt) &&
-		    profile == profile->ns->null_complain_profile) {
-			aa_audit_hint(profile, &sa);
-		}
 		aa_put_profile(profile);
 	} else
 		aa_free_task_context(child_cxt);
--- a/security/apparmor/module_interface.c
+++ b/security/apparmor/module_interface.c
@@ -126,7 +126,7 @@ static int aa_is_nameX(struct aa_ext *e,
 	 * AA_NAME tag value is a u16.
 	 */
 	if (aa_is_X(e, AA_NAME)) {
-		char *tag;
+		char *tag = NULL;
 		size_t size = aa_is_u16_chunk(e, &tag);
 		/* if a name is specified it must match. otherwise skip tag */
 		if (name && (!size || strcmp(name, tag)))
Commit	Line	Data
6a930a95 BS	1	From: John Johansen <jjohansen@suse.de>
	2	Subject: fix log messages to enable tools profile learning
	3	Patch-mainline: no
	4	References: bnc#447564
	5
	6	The allocation of the child pid is done after the LSM clone hook, which
	7	breaks the AppArmor tools fork tracking, for profiles learning. Output
	8	the parent pid with each log message to enable the tools to handle fork
	9	tracking.
	10
	11	Signed-off-by: John Johansen <jjohansen@suse.de>
	12
	13	---
	14	security/apparmor/lsm.c \| 28 ----------------------------
	15	security/apparmor/main.c \| 10 +++++-----
	16	security/apparmor/module_interface.c \| 2 +-
	17	3 files changed, 6 insertions(+), 34 deletions(-)
	18
	19	--- a/security/apparmor/lsm.c
	20	+++ b/security/apparmor/lsm.c
	21	@@ -143,20 +143,6 @@ static int param_set_aa_enabled(const ch
	22	return 0;
	23	}
	24
	25	-static int aa_reject_syscall(struct task_struct *task, gfp_t flags,
	26	- const char *name)
	27	-{
	28	- struct aa_profile *profile = aa_get_profile(task);
	29	- int error = 0;
	30	-
	31	- if (profile) {
	32	- error = aa_audit_syscallreject(profile, flags, name);
	33	- aa_put_profile(profile);
	34	- }
	35	-
	36	- return error;
	37	-}
	38	-
	39	static int apparmor_ptrace(struct task_struct *parent,
	40	struct task_struct *child)
	41	{
	42	@@ -292,17 +278,6 @@ static int apparmor_bprm_secureexec(stru
	43	return ret;
	44	}
	45
	46	-static int apparmor_sb_mount(char dev_name, struct path path, char *type,
	47	- unsigned long flags, void *data)
	48	-{
	49	- return aa_reject_syscall(current, GFP_KERNEL, "mount");
	50	-}
	51	-
	52	-static int apparmor_umount(struct vfsmount *mnt, int flags)
	53	-{
	54	- return aa_reject_syscall(current, GFP_KERNEL, "umount");
	55	-}
	56	-
	57	static int apparmor_inode_mkdir(struct inode dir, struct dentry dentry,
	58	struct vfsmount *mnt, int mask)
	59	{
	60	@@ -925,9 +900,6 @@ struct security_operations apparmor_ops
	61	.bprm_set_security = apparmor_bprm_set_security,
	62	.bprm_secureexec = apparmor_bprm_secureexec,
	63
	64	- .sb_mount = apparmor_sb_mount,
65	- .sb_umount = apparmor_umount,
66	-
67	.inode_mkdir = apparmor_inode_mkdir,
68	.inode_rmdir = apparmor_inode_rmdir,
69	.inode_create = apparmor_inode_create,
70	--- a/security/apparmor/main.c
71	+++ b/security/apparmor/main.c
72	@@ -229,9 +229,13 @@ static int aa_audit_base(struct aa_profi
73	audit_log_format(ab, " protocol=%d", sa->protocol);
74	}
75
76	- audit_log_format(ab, " pid=%d", current->pid);
77	+ audit_log_format(ab, " pid=%d", current->pid);
78
79	if (profile) {
80	+ if (!sa->parent)
81	+ audit_log_format(ab, " parent=%d",
82	+ current->real_parent->pid);
83	+
84	audit_log_format(ab, " profile=");
85	audit_log_untrustedstring(ab, profile->name);
86
87	@@ -1006,10 +1010,6 @@ repeat:
88
89	unlock_profile(profile);
90
91	- if (APPARMOR_COMPLAIN(child_cxt) &&
92	- profile == profile->ns->null_complain_profile) {
93	- aa_audit_hint(profile, &sa);
94	- }
95	aa_put_profile(profile);
96	} else
97	aa_free_task_context(child_cxt);
98	--- a/security/apparmor/module_interface.c
99	+++ b/security/apparmor/module_interface.c
100	@@ -126,7 +126,7 @@ static int aa_is_nameX(struct aa_ext *e,
101	* AA_NAME tag value is a u16.
102	*/
103	if (aa_is_X(e, AA_NAME)) {
104	- char *tag;
105	+ char *tag = NULL;
106	size_t size = aa_is_u16_chunk(e, &tag);
107	/* if a name is specified it must match. otherwise skip tag */
108	if (name && (!size \|\| strcmp(name, tag)))