1 From: John Johansen <jjohansen@suse.de>
2 Subject: fix log messages to enable tools profile learning
6 The allocation of the child pid is done after the LSM clone hook, which
7 breaks the AppArmor tools' fork tracking for profile learning. Output
8 the parent pid with each log message to enable the tools to handle fork
11 Signed-off-by: John Johansen <jjohansen@suse.de>
14 security/apparmor/lsm.c | 28 ----------------------------
15 security/apparmor/main.c | 10 +++++-----
16 security/apparmor/module_interface.c | 2 +-
17 3 files changed, 6 insertions(+), 34 deletions(-)
19 --- a/security/apparmor/lsm.c
20 +++ b/security/apparmor/lsm.c
21 @@ -143,20 +143,6 @@ static int param_set_aa_enabled(const ch
25 -static int aa_reject_syscall(struct task_struct *task, gfp_t flags,
28 - struct aa_profile *profile = aa_get_profile(task);
32 - error = aa_audit_syscallreject(profile, flags, name);
33 - aa_put_profile(profile);
39 static int apparmor_ptrace(struct task_struct *parent,
40 struct task_struct *child)
42 @@ -292,17 +278,6 @@ static int apparmor_bprm_secureexec(stru
46 -static int apparmor_sb_mount(char *dev_name, struct path *path, char *type,
47 - unsigned long flags, void *data)
49 - return aa_reject_syscall(current, GFP_KERNEL, "mount");
52 -static int apparmor_umount(struct vfsmount *mnt, int flags)
54 - return aa_reject_syscall(current, GFP_KERNEL, "umount");
57 static int apparmor_inode_mkdir(struct inode *dir, struct dentry *dentry,
58 struct vfsmount *mnt, int mask)
60 @@ -925,9 +900,6 @@ struct security_operations apparmor_ops
61 .bprm_set_security = apparmor_bprm_set_security,
62 .bprm_secureexec = apparmor_bprm_secureexec,
64 - .sb_mount = apparmor_sb_mount,
65 - .sb_umount = apparmor_umount,
67 .inode_mkdir = apparmor_inode_mkdir,
68 .inode_rmdir = apparmor_inode_rmdir,
69 .inode_create = apparmor_inode_create,
70 --- a/security/apparmor/main.c
71 +++ b/security/apparmor/main.c
72 @@ -229,9 +229,13 @@ static int aa_audit_base(struct aa_profi
73 audit_log_format(ab, " protocol=%d", sa->protocol);
76 - audit_log_format(ab, " pid=%d", current->pid);
77 + audit_log_format(ab, " pid=%d", current->pid);
81 + audit_log_format(ab, " parent=%d",
82 + current->real_parent->pid);
84 audit_log_format(ab, " profile=");
85 audit_log_untrustedstring(ab, profile->name);
87 @@ -1006,10 +1010,6 @@ repeat:
89 unlock_profile(profile);
91 - if (APPARMOR_COMPLAIN(child_cxt) &&
92 - profile == profile->ns->null_complain_profile) {
93 - aa_audit_hint(profile, &sa);
95 aa_put_profile(profile);
97 aa_free_task_context(child_cxt);
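Review bot: The new `current->real_parent->pid` in aa_audit_base dereferences a pointer that the kernel rewrites when the parent exits and the task is reparented, so the read should be done under rcu_read_lock() (or tasklist_lock) unless the audit path already holds it, which this hunk does not show. A minimal form is `rcu_read_lock();` / `audit_log_format(ab, " parent=%d", rcu_dereference(current->real_parent)->pid);` / `rcu_read_unlock();`. A short comment above the line, such as `/* parent pid lets the tools pair fork events with the child's later messages */`, would tie the new field to the reason given in the description. aa_audit_base begins before this hunk, so whether a lock is already held there cannot be confirmed from the visible lines.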
98 --- a/security/apparmor/module_interface.c
99 +++ b/security/apparmor/module_interface.c
100 @@ -126,7 +126,7 @@ static int aa_is_nameX(struct aa_ext *e,
101 * AA_NAME tag value is a u16.
103 if (aa_is_X(e, AA_NAME)) {
106 size_t size = aa_is_u16_chunk(e, &tag);
107 /* if a name is specified it must match. otherwise skip tag */
108 if (name && (!size || strcmp(name, tag)))