1 From: John Johansen <jjohansen@suse.de>
2 Subject: fix log messages to enable tools profile learning
3 Patch-mainline: no
4 References: bnc#447564
5
6 The allocation of the child pid is done after the LSM clone hook, which
7 breaks the AppArmor tools' fork tracking used for profile learning. Output
8 the parent pid with each log message to enable the tools to handle fork
9 tracking.
10
11 Signed-off-by: John Johansen <jjohansen@suse.de>
12
13 ---
14 security/apparmor/lsm.c | 28 ----------------------------
15 security/apparmor/main.c | 10 +++++-----
16 security/apparmor/module_interface.c | 2 +-
17 3 files changed, 6 insertions(+), 34 deletions(-)
18
19 --- a/security/apparmor/lsm.c
20 +++ b/security/apparmor/lsm.c
21 @@ -143,20 +143,6 @@ static int param_set_aa_enabled(const ch
22 return 0;
23 }
24
25 -static int aa_reject_syscall(struct task_struct *task, gfp_t flags,
26 - const char *name)
27 -{
28 - struct aa_profile *profile = aa_get_profile(task);
29 - int error = 0;
30 -
31 - if (profile) {
32 - error = aa_audit_syscallreject(profile, flags, name);
33 - aa_put_profile(profile);
34 - }
35 -
36 - return error;
37 -}
38 -
39 static int apparmor_ptrace(struct task_struct *parent,
40 struct task_struct *child)
41 {
42 @@ -292,17 +278,6 @@ static int apparmor_bprm_secureexec(stru
43 return ret;
44 }
45
46 -static int apparmor_sb_mount(char *dev_name, struct path *path, char *type,
47 - unsigned long flags, void *data)
48 -{
49 - return aa_reject_syscall(current, GFP_KERNEL, "mount");
50 -}
51 -
52 -static int apparmor_umount(struct vfsmount *mnt, int flags)
53 -{
54 - return aa_reject_syscall(current, GFP_KERNEL, "umount");
55 -}
56 -
57 static int apparmor_inode_mkdir(struct inode *dir, struct dentry *dentry,
58 struct vfsmount *mnt, int mask)
59 {
60 @@ -925,9 +900,6 @@ struct security_operations apparmor_ops
61 .bprm_set_security = apparmor_bprm_set_security,
62 .bprm_secureexec = apparmor_bprm_secureexec,
63
64 - .sb_mount = apparmor_sb_mount,
65 - .sb_umount = apparmor_umount,
66 -
67 .inode_mkdir = apparmor_inode_mkdir,
68 .inode_rmdir = apparmor_inode_rmdir,
69 .inode_create = apparmor_inode_create,
70 --- a/security/apparmor/main.c
71 +++ b/security/apparmor/main.c
72 @@ -229,9 +229,13 @@ static int aa_audit_base(struct aa_profi
73 audit_log_format(ab, " protocol=%d", sa->protocol);
74 }
75
76 - audit_log_format(ab, " pid=%d", current->pid);
77 + audit_log_format(ab, " pid=%d", current->pid);
78
79 if (profile) {
80 + if (!sa->parent)
81 + audit_log_format(ab, " parent=%d",
82 + current->real_parent->pid);
83 +
84 audit_log_format(ab, " profile=");
85 audit_log_untrustedstring(ab, profile->name);
86
87 @@ -1006,10 +1010,6 @@ repeat:
88
89 unlock_profile(profile);
90
91 - if (APPARMOR_COMPLAIN(child_cxt) &&
92 - profile == profile->ns->null_complain_profile) {
93 - aa_audit_hint(profile, &sa);
94 - }
95 aa_put_profile(profile);
96 } else
97 aa_free_task_context(child_cxt);
98 --- a/security/apparmor/module_interface.c
99 +++ b/security/apparmor/module_interface.c
100 @@ -126,7 +126,7 @@ static int aa_is_nameX(struct aa_ext *e,
101 * AA_NAME tag value is a u16.
102 */
103 if (aa_is_X(e, AA_NAME)) {
104 - char *tag;
105 + char *tag = NULL;
106 size_t size = aa_is_u16_chunk(e, &tag);
107 /* if a name is specified it must match. otherwise skip tag */
108 if (name && (!size || strcmp(name, tag)))
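Review bot: Initializing `tag` to NULL only quiets a maybe-uninitialized warning; the `!size ||` short-circuit already prevents `strcmp` from reading `tag` when the chunk is empty, so correctness still rests on aa_is_u16_chunk setting `tag` whenever it returns a non-zero size and on that chunk being NUL-terminated, neither of which is visible in this hunk. If the chunk is taken straight from the loaded profile blob without a terminator check, `strcmp(name, tag)` can read past the chunk; `if (name && (!size || tag[size - 1] != '\0' || strncmp(name, tag, size)))` would bound the comparison to the declared length. A comment such as `/* tag is only dereferenced when size != 0; NULL just silences -Wmaybe-uninitialized */` would make the intent of the initializer clear. aa_is_nameX starts before this hunk and continues past it.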