Initial patches commit
This commit is contained in:
commit
a902c236c9
@ -0,0 +1,553 @@
|
||||
From dc13dec93dbd04bfa7a9ba67df1b8ed3431d8d48 Mon Sep 17 00:00:00 2001
|
||||
From: John Johansen <john.johansen@canonical.com>
|
||||
Date: Wed, 10 Aug 2011 22:02:39 -0700
|
||||
Subject: [PATCH 1/3] AppArmor: compatibility patch for v5 network controll
|
||||
|
||||
Add compatibility for v5 network rules.
|
||||
|
||||
Signed-off-by: John Johansen <john.johansen@canonical.com>
|
||||
---
|
||||
include/linux/lsm_audit.h | 4 +
|
||||
security/apparmor/Makefile | 19 ++++-
|
||||
security/apparmor/include/net.h | 40 +++++++++
|
||||
security/apparmor/include/policy.h | 3 +
|
||||
security/apparmor/lsm.c | 112 +++++++++++++++++++++++
|
||||
security/apparmor/net.c | 170 ++++++++++++++++++++++++++++++++++++
|
||||
security/apparmor/policy.c | 1 +
|
||||
security/apparmor/policy_unpack.c | 48 ++++++++++-
|
||||
8 files changed, 394 insertions(+), 3 deletions(-)
|
||||
create mode 100644 security/apparmor/include/net.h
|
||||
create mode 100644 security/apparmor/net.c
|
||||
|
||||
diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
|
||||
index 88e78de..c63979a 100644
|
||||
--- a/include/linux/lsm_audit.h
|
||||
+++ b/include/linux/lsm_audit.h
|
||||
@@ -124,6 +124,10 @@ struct common_audit_data {
|
||||
u32 denied;
|
||||
uid_t ouid;
|
||||
} fs;
|
||||
+ struct {
|
||||
+ int type, protocol;
|
||||
+ struct sock *sk;
|
||||
+ } net;
|
||||
};
|
||||
} apparmor_audit_data;
|
||||
#endif
|
||||
diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
|
||||
index 2dafe50..7cefef9 100644
|
||||
--- a/security/apparmor/Makefile
|
||||
+++ b/security/apparmor/Makefile
|
||||
@@ -4,9 +4,9 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
|
||||
|
||||
apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
|
||||
path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
|
||||
- resource.o sid.o file.o
|
||||
+ resource.o sid.o file.o net.o
|
||||
|
||||
-clean-files := capability_names.h rlim_names.h
|
||||
+clean-files := capability_names.h rlim_names.h af_names.h
|
||||
|
||||
|
||||
# Build a lower case string table of capability names
|
||||
@@ -44,9 +44,24 @@ cmd_make-rlim = echo "static const char *rlim_names[] = {" > $@ ;\
|
||||
sed -r -n "s/^\# ?define[ \t]+(RLIMIT_[A-Z0-9_]+).*/\1,/p" $< >> $@ ;\
|
||||
echo "};" >> $@
|
||||
|
||||
+# Build a lower case string table of address family names.
|
||||
+# Transform lines from
|
||||
+# #define AF_INET 2 /* Internet IP Protocol */
|
||||
+# to
|
||||
+# [2] = "inet",
|
||||
+quiet_cmd_make-af = GEN $@
|
||||
+cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\
|
||||
+ sed $< >> $@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e \
|
||||
+ 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+).*/[\2] = "\L\1",/p';\
|
||||
+ echo "};" >> $@
|
||||
+
|
||||
+
|
||||
$(obj)/capability.o : $(obj)/capability_names.h
|
||||
$(obj)/resource.o : $(obj)/rlim_names.h
|
||||
+$(obj)/net.o : $(obj)/af_names.h
|
||||
$(obj)/capability_names.h : $(srctree)/include/linux/capability.h
|
||||
$(call cmd,make-caps)
|
||||
$(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h
|
||||
$(call cmd,make-rlim)
|
||||
+$(obj)/af_names.h : $(srctree)/include/linux/socket.h
|
||||
+ $(call cmd,make-af)
|
||||
\ No newline at end of file
|
||||
diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
|
||||
new file mode 100644
|
||||
index 0000000..3c7d599
|
||||
--- /dev/null
|
||||
+++ b/security/apparmor/include/net.h
|
||||
@@ -0,0 +1,40 @@
|
||||
+/*
|
||||
+ * AppArmor security module
|
||||
+ *
|
||||
+ * This file contains AppArmor network mediation definitions.
|
||||
+ *
|
||||
+ * Copyright (C) 1998-2008 Novell/SUSE
|
||||
+ * Copyright 2009-2010 Canonical Ltd.
|
||||
+ *
|
||||
+ * This program is free software; you can redistribute it and/or
|
||||
+ * modify it under the terms of the GNU General Public License as
|
||||
+ * published by the Free Software Foundation, version 2 of the
|
||||
+ * License.
|
||||
+ */
|
||||
+
|
||||
+#ifndef __AA_NET_H
|
||||
+#define __AA_NET_H
|
||||
+
|
||||
+#include <net/sock.h>
|
||||
+
|
||||
+/* struct aa_net - network confinement data
|
||||
+ * @allowed: basic network families permissions
|
||||
+ * @audit_network: which network permissions to force audit
|
||||
+ * @quiet_network: which network permissions to quiet rejects
|
||||
+ */
|
||||
+struct aa_net {
|
||||
+ u16 allow[AF_MAX];
|
||||
+ u16 audit[AF_MAX];
|
||||
+ u16 quiet[AF_MAX];
|
||||
+};
|
||||
+
|
||||
+extern int aa_net_perm(int op, struct aa_profile *profile, u16 family,
|
||||
+ int type, int protocol, struct sock *sk);
|
||||
+extern int aa_revalidate_sk(int op, struct sock *sk);
|
||||
+
|
||||
+static inline void aa_free_net_rules(struct aa_net *new)
|
||||
+{
|
||||
+ /* NOP */
|
||||
+}
|
||||
+
|
||||
+#endif /* __AA_NET_H */
|
||||
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
|
||||
index aeda5cf..6776929 100644
|
||||
--- a/security/apparmor/include/policy.h
|
||||
+++ b/security/apparmor/include/policy.h
|
||||
@@ -27,6 +27,7 @@
|
||||
#include "capability.h"
|
||||
#include "domain.h"
|
||||
#include "file.h"
|
||||
+#include "net.h"
|
||||
#include "resource.h"
|
||||
|
||||
extern const char *profile_mode_names[];
|
||||
@@ -145,6 +146,7 @@ struct aa_namespace {
|
||||
* @size: the memory consumed by this profiles rules
|
||||
* @file: The set of rules governing basic file access and domain transitions
|
||||
* @caps: capabilities for the profile
|
||||
+ * @net: network controls for the profile
|
||||
* @rlimits: rlimits for the profile
|
||||
*
|
||||
* The AppArmor profile contains the basic confinement data. Each profile
|
||||
@@ -181,6 +183,7 @@ struct aa_profile {
|
||||
|
||||
struct aa_file_rules file;
|
||||
struct aa_caps caps;
|
||||
+ struct aa_net net;
|
||||
struct aa_rlimit rlimits;
|
||||
};
|
||||
|
||||
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
|
||||
index 3d2fd14..aa293ae 100644
|
||||
--- a/security/apparmor/lsm.c
|
||||
+++ b/security/apparmor/lsm.c
|
||||
@@ -32,6 +32,7 @@
|
||||
#include "include/context.h"
|
||||
#include "include/file.h"
|
||||
#include "include/ipc.h"
|
||||
+#include "include/net.h"
|
||||
#include "include/path.h"
|
||||
#include "include/policy.h"
|
||||
#include "include/procattr.h"
|
||||
@@ -621,6 +622,104 @@ static int apparmor_task_setrlimit(struct task_struct *task,
|
||||
return error;
|
||||
}
|
||||
|
||||
+static int apparmor_socket_create(int family, int type, int protocol, int kern)
|
||||
+{
|
||||
+ struct aa_profile *profile;
|
||||
+ int error = 0;
|
||||
+
|
||||
+ if (kern)
|
||||
+ return 0;
|
||||
+
|
||||
+ profile = __aa_current_profile();
|
||||
+ if (!unconfined(profile))
|
||||
+ error = aa_net_perm(OP_CREATE, profile, family, type, protocol,
|
||||
+ NULL);
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+static int apparmor_socket_bind(struct socket *sock,
|
||||
+ struct sockaddr *address, int addrlen)
|
||||
+{
|
||||
+ struct sock *sk = sock->sk;
|
||||
+
|
||||
+ return aa_revalidate_sk(OP_BIND, sk);
|
||||
+}
|
||||
+
|
||||
+static int apparmor_socket_connect(struct socket *sock,
|
||||
+ struct sockaddr *address, int addrlen)
|
||||
+{
|
||||
+ struct sock *sk = sock->sk;
|
||||
+
|
||||
+ return aa_revalidate_sk(OP_CONNECT, sk);
|
||||
+}
|
||||
+
|
||||
+static int apparmor_socket_listen(struct socket *sock, int backlog)
|
||||
+{
|
||||
+ struct sock *sk = sock->sk;
|
||||
+
|
||||
+ return aa_revalidate_sk(OP_LISTEN, sk);
|
||||
+}
|
||||
+
|
||||
+static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
|
||||
+{
|
||||
+ struct sock *sk = sock->sk;
|
||||
+
|
||||
+ return aa_revalidate_sk(OP_ACCEPT, sk);
|
||||
+}
|
||||
+
|
||||
+static int apparmor_socket_sendmsg(struct socket *sock,
|
||||
+ struct msghdr *msg, int size)
|
||||
+{
|
||||
+ struct sock *sk = sock->sk;
|
||||
+
|
||||
+ return aa_revalidate_sk(OP_SENDMSG, sk);
|
||||
+}
|
||||
+
|
||||
+static int apparmor_socket_recvmsg(struct socket *sock,
|
||||
+ struct msghdr *msg, int size, int flags)
|
||||
+{
|
||||
+ struct sock *sk = sock->sk;
|
||||
+
|
||||
+ return aa_revalidate_sk(OP_RECVMSG, sk);
|
||||
+}
|
||||
+
|
||||
+static int apparmor_socket_getsockname(struct socket *sock)
|
||||
+{
|
||||
+ struct sock *sk = sock->sk;
|
||||
+
|
||||
+ return aa_revalidate_sk(OP_GETSOCKNAME, sk);
|
||||
+}
|
||||
+
|
||||
+static int apparmor_socket_getpeername(struct socket *sock)
|
||||
+{
|
||||
+ struct sock *sk = sock->sk;
|
||||
+
|
||||
+ return aa_revalidate_sk(OP_GETPEERNAME, sk);
|
||||
+}
|
||||
+
|
||||
+static int apparmor_socket_getsockopt(struct socket *sock, int level,
|
||||
+ int optname)
|
||||
+{
|
||||
+ struct sock *sk = sock->sk;
|
||||
+
|
||||
+ return aa_revalidate_sk(OP_GETSOCKOPT, sk);
|
||||
+}
|
||||
+
|
||||
+static int apparmor_socket_setsockopt(struct socket *sock, int level,
|
||||
+ int optname)
|
||||
+{
|
||||
+ struct sock *sk = sock->sk;
|
||||
+
|
||||
+ return aa_revalidate_sk(OP_SETSOCKOPT, sk);
|
||||
+}
|
||||
+
|
||||
+static int apparmor_socket_shutdown(struct socket *sock, int how)
|
||||
+{
|
||||
+ struct sock *sk = sock->sk;
|
||||
+
|
||||
+ return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
|
||||
+}
|
||||
+
|
||||
static struct security_operations apparmor_ops = {
|
||||
.name = "apparmor",
|
||||
|
||||
@@ -652,6 +751,19 @@ static struct security_operations apparmor_ops = {
|
||||
.getprocattr = apparmor_getprocattr,
|
||||
.setprocattr = apparmor_setprocattr,
|
||||
|
||||
+ .socket_create = apparmor_socket_create,
|
||||
+ .socket_bind = apparmor_socket_bind,
|
||||
+ .socket_connect = apparmor_socket_connect,
|
||||
+ .socket_listen = apparmor_socket_listen,
|
||||
+ .socket_accept = apparmor_socket_accept,
|
||||
+ .socket_sendmsg = apparmor_socket_sendmsg,
|
||||
+ .socket_recvmsg = apparmor_socket_recvmsg,
|
||||
+ .socket_getsockname = apparmor_socket_getsockname,
|
||||
+ .socket_getpeername = apparmor_socket_getpeername,
|
||||
+ .socket_getsockopt = apparmor_socket_getsockopt,
|
||||
+ .socket_setsockopt = apparmor_socket_setsockopt,
|
||||
+ .socket_shutdown = apparmor_socket_shutdown,
|
||||
+
|
||||
.cred_alloc_blank = apparmor_cred_alloc_blank,
|
||||
.cred_free = apparmor_cred_free,
|
||||
.cred_prepare = apparmor_cred_prepare,
|
||||
diff --git a/security/apparmor/net.c b/security/apparmor/net.c
|
||||
new file mode 100644
|
||||
index 0000000..1765901
|
||||
--- /dev/null
|
||||
+++ b/security/apparmor/net.c
|
||||
@@ -0,0 +1,170 @@
|
||||
+/*
|
||||
+ * AppArmor security module
|
||||
+ *
|
||||
+ * This file contains AppArmor network mediation
|
||||
+ *
|
||||
+ * Copyright (C) 1998-2008 Novell/SUSE
|
||||
+ * Copyright 2009-2010 Canonical Ltd.
|
||||
+ *
|
||||
+ * This program is free software; you can redistribute it and/or
|
||||
+ * modify it under the terms of the GNU General Public License as
|
||||
+ * published by the Free Software Foundation, version 2 of the
|
||||
+ * License.
|
||||
+ */
|
||||
+
|
||||
+#include "include/apparmor.h"
|
||||
+#include "include/audit.h"
|
||||
+#include "include/context.h"
|
||||
+#include "include/net.h"
|
||||
+#include "include/policy.h"
|
||||
+
|
||||
+#include "af_names.h"
|
||||
+
|
||||
+static const char *sock_type_names[] = {
|
||||
+ "unknown(0)",
|
||||
+ "stream",
|
||||
+ "dgram",
|
||||
+ "raw",
|
||||
+ "rdm",
|
||||
+ "seqpacket",
|
||||
+ "dccp",
|
||||
+ "unknown(7)",
|
||||
+ "unknown(8)",
|
||||
+ "unknown(9)",
|
||||
+ "packet",
|
||||
+};
|
||||
+
|
||||
+/* audit callback for net specific fields */
|
||||
+static void audit_cb(struct audit_buffer *ab, void *va)
|
||||
+{
|
||||
+ struct common_audit_data *sa = va;
|
||||
+
|
||||
+ audit_log_format(ab, " family=");
|
||||
+ if (address_family_names[sa->u.net.family]) {
|
||||
+ audit_log_string(ab, address_family_names[sa->u.net.family]);
|
||||
+ } else {
|
||||
+ audit_log_format(ab, " \"unknown(%d)\"", sa->u.net.family);
|
||||
+ }
|
||||
+
|
||||
+ audit_log_format(ab, " sock_type=");
|
||||
+ if (sock_type_names[sa->aad.net.type]) {
|
||||
+ audit_log_string(ab, sock_type_names[sa->aad.net.type]);
|
||||
+ } else {
|
||||
+ audit_log_format(ab, "\"unknown(%d)\"", sa->aad.net.type);
|
||||
+ }
|
||||
+
|
||||
+ audit_log_format(ab, " protocol=%d", sa->aad.net.protocol);
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * audit_net - audit network access
|
||||
+ * @profile: profile being enforced (NOT NULL)
|
||||
+ * @op: operation being checked
|
||||
+ * @family: network family
|
||||
+ * @type: network type
|
||||
+ * @protocol: network protocol
|
||||
+ * @sk: socket auditing is being applied to
|
||||
+ * @error: error code for failure else 0
|
||||
+ *
|
||||
+ * Returns: %0 or sa->error else other errorcode on failure
|
||||
+ */
|
||||
+static int audit_net(struct aa_profile *profile, int op, u16 family, int type,
|
||||
+ int protocol, struct sock *sk, int error)
|
||||
+{
|
||||
+ int audit_type = AUDIT_APPARMOR_AUTO;
|
||||
+ struct common_audit_data sa;
|
||||
+ if (sk) {
|
||||
+ COMMON_AUDIT_DATA_INIT(&sa, NET);
|
||||
+ } else {
|
||||
+ COMMON_AUDIT_DATA_INIT(&sa, NONE);
|
||||
+ }
|
||||
+ /* todo fill in socket addr info */
|
||||
+
|
||||
+ sa.aad.op = op,
|
||||
+ sa.u.net.family = family;
|
||||
+ sa.u.net.sk = sk;
|
||||
+ sa.aad.net.type = type;
|
||||
+ sa.aad.net.protocol = protocol;
|
||||
+ sa.aad.error = error;
|
||||
+
|
||||
+ if (likely(!sa.aad.error)) {
|
||||
+ u16 audit_mask = profile->net.audit[sa.u.net.family];
|
||||
+ if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
|
||||
+ !(1 << sa.aad.net.type & audit_mask)))
|
||||
+ return 0;
|
||||
+ audit_type = AUDIT_APPARMOR_AUDIT;
|
||||
+ } else {
|
||||
+ u16 quiet_mask = profile->net.quiet[sa.u.net.family];
|
||||
+ u16 kill_mask = 0;
|
||||
+ u16 denied = (1 << sa.aad.net.type) & ~quiet_mask;
|
||||
+
|
||||
+ if (denied & kill_mask)
|
||||
+ audit_type = AUDIT_APPARMOR_KILL;
|
||||
+
|
||||
+ if ((denied & quiet_mask) &&
|
||||
+ AUDIT_MODE(profile) != AUDIT_NOQUIET &&
|
||||
+ AUDIT_MODE(profile) != AUDIT_ALL)
|
||||
+ return COMPLAIN_MODE(profile) ? 0 : sa.aad.error;
|
||||
+ }
|
||||
+
|
||||
+ return aa_audit(audit_type, profile, GFP_KERNEL, &sa, audit_cb);
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * aa_net_perm - very course network access check
|
||||
+ * @op: operation being checked
|
||||
+ * @profile: profile being enforced (NOT NULL)
|
||||
+ * @family: network family
|
||||
+ * @type: network type
|
||||
+ * @protocol: network protocol
|
||||
+ *
|
||||
+ * Returns: %0 else error if permission denied
|
||||
+ */
|
||||
+int aa_net_perm(int op, struct aa_profile *profile, u16 family, int type,
|
||||
+ int protocol, struct sock *sk)
|
||||
+{
|
||||
+ u16 family_mask;
|
||||
+ int error;
|
||||
+
|
||||
+ if ((family < 0) || (family >= AF_MAX))
|
||||
+ return -EINVAL;
|
||||
+
|
||||
+ if ((type < 0) || (type >= SOCK_MAX))
|
||||
+ return -EINVAL;
|
||||
+
|
||||
+ /* unix domain and netlink sockets are handled by ipc */
|
||||
+ if (family == AF_UNIX || family == AF_NETLINK)
|
||||
+ return 0;
|
||||
+
|
||||
+ family_mask = profile->net.allow[family];
|
||||
+
|
||||
+ error = (family_mask & (1 << type)) ? 0 : -EACCES;
|
||||
+
|
||||
+ return audit_net(profile, op, family, type, protocol, sk, error);
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * aa_revalidate_sk - Revalidate access to a sock
|
||||
+ * @op: operation being checked
|
||||
+ * @sk: sock being revalidated (NOT NULL)
|
||||
+ *
|
||||
+ * Returns: %0 else error if permission denied
|
||||
+ */
|
||||
+int aa_revalidate_sk(int op, struct sock *sk)
|
||||
+{
|
||||
+ struct aa_profile *profile;
|
||||
+ int error = 0;
|
||||
+
|
||||
+ /* aa_revalidate_sk should not be called from interrupt context
|
||||
+ * don't mediate these calls as they are not task related
|
||||
+ */
|
||||
+ if (in_interrupt())
|
||||
+ return 0;
|
||||
+
|
||||
+ profile = __aa_current_profile();
|
||||
+ if (!unconfined(profile))
|
||||
+ error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type,
|
||||
+ sk->sk_protocol, sk);
|
||||
+
|
||||
+ return error;
|
||||
+}
|
||||
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
|
||||
index 4f0eade..4d5ce13 100644
|
||||
--- a/security/apparmor/policy.c
|
||||
+++ b/security/apparmor/policy.c
|
||||
@@ -745,6 +745,7 @@ static void free_profile(struct aa_profile *profile)
|
||||
|
||||
aa_free_file_rules(&profile->file);
|
||||
aa_free_cap_rules(&profile->caps);
|
||||
+ aa_free_net_rules(&profile->net);
|
||||
aa_free_rlimit_rules(&profile->rlimits);
|
||||
|
||||
aa_free_sid(profile->sid);
|
||||
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
|
||||
index d6d9a57..f4874c4 100644
|
||||
--- a/security/apparmor/policy_unpack.c
|
||||
+++ b/security/apparmor/policy_unpack.c
|
||||
@@ -190,6 +190,19 @@ fail:
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name)
|
||||
+{
|
||||
+ if (unpack_nameX(e, AA_U16, name)) {
|
||||
+ if (!inbounds(e, sizeof(u16)))
|
||||
+ return 0;
|
||||
+ if (data)
|
||||
+ *data = le16_to_cpu(get_unaligned((u16 *) e->pos));
|
||||
+ e->pos += sizeof(u16);
|
||||
+ return 1;
|
||||
+ }
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
|
||||
{
|
||||
if (unpack_nameX(e, AA_U32, name)) {
|
||||
@@ -468,7 +481,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
|
||||
{
|
||||
struct aa_profile *profile = NULL;
|
||||
const char *name = NULL;
|
||||
- int error = -EPROTO;
|
||||
+ size_t size = 0;
|
||||
+ int i, error = -EPROTO;
|
||||
kernel_cap_t tmpcap;
|
||||
u32 tmp;
|
||||
|
||||
@@ -559,6 +573,38 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
|
||||
if (!unpack_rlimits(e, profile))
|
||||
goto fail;
|
||||
|
||||
+ size = unpack_array(e, "net_allowed_af");
|
||||
+ if (size) {
|
||||
+
|
||||
+ for (i = 0; i < size; i++) {
|
||||
+ /* discard extraneous rules that this kernel will
|
||||
+ * never request
|
||||
+ */
|
||||
+ if (i >= AF_MAX) {
|
||||
+ u16 tmp;
|
||||
+ if (!unpack_u16(e, &tmp, NULL) ||
|
||||
+ !unpack_u16(e, &tmp, NULL) ||
|
||||
+ !unpack_u16(e, &tmp, NULL))
|
||||
+ goto fail;
|
||||
+ continue;
|
||||
+ }
|
||||
+ if (!unpack_u16(e, &profile->net.allow[i], NULL))
|
||||
+ goto fail;
|
||||
+ if (!unpack_u16(e, &profile->net.audit[i], NULL))
|
||||
+ goto fail;
|
||||
+ if (!unpack_u16(e, &profile->net.quiet[i], NULL))
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ if (!unpack_nameX(e, AA_ARRAYEND, NULL))
|
||||
+ goto fail;
|
||||
+ /*
|
||||
+ * allow unix domain and netlink sockets they are handled
|
||||
+ * by IPC
|
||||
+ */
|
||||
+ }
|
||||
+ profile->net.allow[AF_UNIX] = 0xffff;
|
||||
+ profile->net.allow[AF_NETLINK] = 0xffff;
|
||||
+
|
||||
/* get file rules */
|
||||
profile->file.dfa = unpack_dfa(e);
|
||||
if (IS_ERR(profile->file.dfa)) {
|
||||
--
|
||||
1.7.5.4
|
||||
|
@ -0,0 +1,299 @@
|
||||
From f9072731bedac6f6373dd75798b5a801ce614c02 Mon Sep 17 00:00:00 2001
|
||||
From: Arianna Avanzini <avanzini.arianna@gmail.com>
|
||||
Date: Mon, 19 Dec 2011 16:33:41 +0100
|
||||
Subject: [PATCH 1/3] block: prepare I/O context code for BFQ-v5 for 3.2
|
||||
|
||||
BFQ uses struct cfq_io_context to store its per-process per-device data,
|
||||
reusing the same code for cic handling of CFQ. The code is not shared
|
||||
ATM to minimize the impact of these patches.
|
||||
|
||||
This patch introduces a new hlist to each io_context to store all the
|
||||
cic's allocated by BFQ to allow calling the right destructor on module
|
||||
unload; the radix tree used for cic lookup needs to be duplicated
|
||||
because it can contain dead keys inserted by a scheduler and later
|
||||
retrieved by the other one.
|
||||
|
||||
Update the io_context exit and free paths to take care also of
|
||||
the BFQ cic's.
|
||||
|
||||
Change the type of cfqq inside struct cfq_io_context to void *
|
||||
to use it also for BFQ per-queue data.
|
||||
|
||||
A new bfq-specific ioprio_changed field is necessary, too, to avoid
|
||||
clobbering cfq's one, so switch ioprio_changed to a bitmap, with one
|
||||
element per scheduler.
|
||||
|
||||
Signed-off-by: Fabio Checconi <fabio@gandalf.sssup.it>
|
||||
Signed-off-by: Paolo Valente <paolo.valente@unimore.it>
|
||||
Signed-off-by: Arianna Avanzini <avanzini.arianna@gmail.com>
|
||||
---
|
||||
block/Kconfig.iosched | 26 ++++++++++++++++++++++++++
|
||||
block/blk-ioc.c | 30 +++++++++++++++++-------------
|
||||
block/cfq-iosched.c | 10 +++++++---
|
||||
fs/ioprio.c | 9 +++++++--
|
||||
include/linux/iocontext.h | 18 +++++++++++++++---
|
||||
5 files changed, 72 insertions(+), 21 deletions(-)
|
||||
|
||||
diff --git a/block/Kconfig.iosched b/block/Kconfig.iosched
|
||||
index 3199b76..5905452 100644
|
||||
--- a/block/Kconfig.iosched
|
||||
+++ b/block/Kconfig.iosched
|
||||
@@ -43,6 +43,28 @@ config CFQ_GROUP_IOSCHED
|
||||
---help---
|
||||
Enable group IO scheduling in CFQ.
|
||||
|
||||
+config IOSCHED_BFQ
|
||||
+ tristate "BFQ I/O scheduler"
|
||||
+ depends on EXPERIMENTAL
|
||||
+ default n
|
||||
+ ---help---
|
||||
+ The BFQ I/O scheduler tries to distribute bandwidth among
|
||||
+ all processes according to their weights.
|
||||
+ It aims at distributing the bandwidth as desired, independently of
|
||||
+ the disk parameters and with any workload. It also tries to
|
||||
+ guarantee low latency to interactive and soft real-time
|
||||
+ applications. If compiled built-in (saying Y here), BFQ can
|
||||
+ be configured to support hierarchical scheduling.
|
||||
+
|
||||
+config CGROUP_BFQIO
|
||||
+ bool "BFQ hierarchical scheduling support"
|
||||
+ depends on CGROUPS && IOSCHED_BFQ=y
|
||||
+ default n
|
||||
+ ---help---
|
||||
+ Enable hierarchical scheduling in BFQ, using the cgroups
|
||||
+ filesystem interface. The name of the subsystem will be
|
||||
+ bfqio.
|
||||
+
|
||||
choice
|
||||
prompt "Default I/O scheduler"
|
||||
default DEFAULT_CFQ
|
||||
@@ -56,6 +78,9 @@ choice
|
||||
config DEFAULT_CFQ
|
||||
bool "CFQ" if IOSCHED_CFQ=y
|
||||
|
||||
+ config DEFAULT_BFQ
|
||||
+ bool "BFQ" if IOSCHED_BFQ=y
|
||||
+
|
||||
config DEFAULT_NOOP
|
||||
bool "No-op"
|
||||
|
||||
@@ -65,6 +90,7 @@ config DEFAULT_IOSCHED
|
||||
string
|
||||
default "deadline" if DEFAULT_DEADLINE
|
||||
default "cfq" if DEFAULT_CFQ
|
||||
+ default "bfq" if DEFAULT_BFQ
|
||||
default "noop" if DEFAULT_NOOP
|
||||
|
||||
endmenu
|
||||
diff --git a/block/blk-ioc.c b/block/blk-ioc.c
|
||||
index 6f9bbd9..d0d16d4 100644
|
||||
--- a/block/blk-ioc.c
|
||||
+++ b/block/blk-ioc.c
|
||||
@@ -5,6 +5,7 @@
|
||||
#include <linux/module.h>
|
||||
#include <linux/init.h>
|
||||
#include <linux/bio.h>
|
||||
+#include <linux/bitmap.h>
|
||||
#include <linux/blkdev.h>
|
||||
#include <linux/bootmem.h> /* for max_pfn/max_low_pfn */
|
||||
#include <linux/slab.h>
|
||||
@@ -16,13 +17,12 @@
|
||||
*/
|
||||
static struct kmem_cache *iocontext_cachep;
|
||||
|
||||
-static void cfq_dtor(struct io_context *ioc)
|
||||
+static void hlist_sched_dtor(struct io_context *ioc, struct hlist_head *list)
|
||||
{
|
||||
- if (!hlist_empty(&ioc->cic_list)) {
|
||||
+ if (!hlist_empty(list)) {
|
||||
struct cfq_io_context *cic;
|
||||
|
||||
- cic = hlist_entry(ioc->cic_list.first, struct cfq_io_context,
|
||||
- cic_list);
|
||||
+ cic = hlist_entry(list->first, struct cfq_io_context, cic_list);
|
||||
cic->dtor(ioc);
|
||||
}
|
||||
}
|
||||
@@ -40,7 +40,9 @@ int put_io_context(struct io_context *ioc)
|
||||
|
||||
if (atomic_long_dec_and_test(&ioc->refcount)) {
|
||||
rcu_read_lock();
|
||||
- cfq_dtor(ioc);
|
||||
+
|
||||
+ hlist_sched_dtor(ioc, &ioc->cic_list);
|
||||
+ hlist_sched_dtor(ioc, &ioc->bfq_cic_list);
|
||||
rcu_read_unlock();
|
||||
|
||||
kmem_cache_free(iocontext_cachep, ioc);
|
||||
@@ -50,15 +52,14 @@ int put_io_context(struct io_context *ioc)
|
||||
}
|
||||
EXPORT_SYMBOL(put_io_context);
|
||||
|
||||
-static void cfq_exit(struct io_context *ioc)
|
||||
+static void hlist_sched_exit(struct io_context *ioc, struct hlist_head *list)
|
||||
{
|
||||
rcu_read_lock();
|
||||
|
||||
- if (!hlist_empty(&ioc->cic_list)) {
|
||||
+ if (!hlist_empty(list)) {
|
||||
struct cfq_io_context *cic;
|
||||
|
||||
- cic = hlist_entry(ioc->cic_list.first, struct cfq_io_context,
|
||||
- cic_list);
|
||||
+ cic = hlist_entry(list->first, struct cfq_io_context, cic_list);
|
||||
cic->exit(ioc);
|
||||
}
|
||||
rcu_read_unlock();
|
||||
@@ -74,9 +75,10 @@ void exit_io_context(struct task_struct *task)
|
||||
task->io_context = NULL;
|
||||
task_unlock(task);
|
||||
|
||||
- if (atomic_dec_and_test(&ioc->nr_tasks))
|
||||
- cfq_exit(ioc);
|
||||
-
|
||||
+ if (atomic_dec_and_test(&ioc->nr_tasks)) {
|
||||
+ hlist_sched_exit(ioc, &ioc->cic_list);
|
||||
+ hlist_sched_exit(ioc, &ioc->bfq_cic_list);
|
||||
+ }
|
||||
put_io_context(ioc);
|
||||
}
|
||||
|
||||
@@ -89,12 +91,14 @@ struct io_context *alloc_io_context(gfp_t gfp_flags, int node)
|
||||
atomic_long_set(&ioc->refcount, 1);
|
||||
atomic_set(&ioc->nr_tasks, 1);
|
||||
spin_lock_init(&ioc->lock);
|
||||
- ioc->ioprio_changed = 0;
|
||||
+ bitmap_zero(ioc->ioprio_changed, IOC_IOPRIO_CHANGED_BITS);
|
||||
ioc->ioprio = 0;
|
||||
ioc->last_waited = 0; /* doesn't matter... */
|
||||
ioc->nr_batch_requests = 0; /* because this is 0 */
|
||||
INIT_RADIX_TREE(&ioc->radix_root, GFP_ATOMIC | __GFP_HIGH);
|
||||
INIT_HLIST_HEAD(&ioc->cic_list);
|
||||
+ INIT_RADIX_TREE(&ioc->bfq_radix_root, GFP_ATOMIC | __GFP_HIGH);
|
||||
+ INIT_HLIST_HEAD(&ioc->bfq_cic_list);
|
||||
ioc->ioc_data = NULL;
|
||||
#if defined(CONFIG_BLK_CGROUP) || defined(CONFIG_BLK_CGROUP_MODULE)
|
||||
ioc->cgroup_changed = 0;
|
||||
diff --git a/block/cfq-iosched.c b/block/cfq-iosched.c
|
||||
index 3548705..a120a31 100644
|
||||
--- a/block/cfq-iosched.c
|
||||
+++ b/block/cfq-iosched.c
|
||||
@@ -2946,7 +2946,6 @@ static void changed_ioprio(struct io_context *ioc, struct cfq_io_context *cic)
|
||||
static void cfq_ioc_set_ioprio(struct io_context *ioc)
|
||||
{
|
||||
call_for_each_cic(ioc, changed_ioprio);
|
||||
- ioc->ioprio_changed = 0;
|
||||
}
|
||||
|
||||
static void cfq_init_cfqq(struct cfq_data *cfqd, struct cfq_queue *cfqq,
|
||||
@@ -3238,8 +3237,13 @@ retry:
|
||||
goto err_free;
|
||||
|
||||
out:
|
||||
- smp_read_barrier_depends();
|
||||
- if (unlikely(ioc->ioprio_changed))
|
||||
+ /*
|
||||
+ * test_and_clear_bit() implies a memory barrier, paired with
|
||||
+ * the wmb() in fs/ioprio.c, so the value seen for ioprio is the
|
||||
+ * new one.
|
||||
+ */
|
||||
+ if (unlikely(test_and_clear_bit(IOC_CFQ_IOPRIO_CHANGED,
|
||||
+ ioc->ioprio_changed)))
|
||||
cfq_ioc_set_ioprio(ioc);
|
||||
|
||||
#ifdef CONFIG_CFQ_GROUP_IOSCHED
|
||||
diff --git a/fs/ioprio.c b/fs/ioprio.c
|
||||
index f79dab8..6b0cb885 100644
|
||||
--- a/fs/ioprio.c
|
||||
+++ b/fs/ioprio.c
|
||||
@@ -31,7 +31,7 @@
|
||||
|
||||
int set_task_ioprio(struct task_struct *task, int ioprio)
|
||||
{
|
||||
- int err;
|
||||
+ int err, i;
|
||||
struct io_context *ioc;
|
||||
const struct cred *cred = current_cred(), *tcred;
|
||||
|
||||
@@ -61,12 +61,17 @@ int set_task_ioprio(struct task_struct *task, int ioprio)
|
||||
err = -ENOMEM;
|
||||
break;
|
||||
}
|
||||
+ /* let other ioc users see the new values */
|
||||
+ smp_wmb();
|
||||
task->io_context = ioc;
|
||||
} while (1);
|
||||
|
||||
if (!err) {
|
||||
ioc->ioprio = ioprio;
|
||||
- ioc->ioprio_changed = 1;
|
||||
+ /* make sure schedulers see the new ioprio value */
|
||||
+ wmb();
|
||||
+ for (i = 0; i < IOC_IOPRIO_CHANGED_BITS; i++)
|
||||
+ set_bit(i, ioc->ioprio_changed);
|
||||
}
|
||||
|
||||
task_unlock(task);
|
||||
diff --git a/include/linux/iocontext.h b/include/linux/iocontext.h
|
||||
index 5037a0a..69fdd58 100644
|
||||
--- a/include/linux/iocontext.h
|
||||
+++ b/include/linux/iocontext.h
|
||||
@@ -1,10 +1,10 @@
|
||||
#ifndef IOCONTEXT_H
|
||||
#define IOCONTEXT_H
|
||||
|
||||
+#include <linux/bitmap.h>
|
||||
#include <linux/radix-tree.h>
|
||||
#include <linux/rcupdate.h>
|
||||
|
||||
-struct cfq_queue;
|
||||
struct cfq_ttime {
|
||||
unsigned long last_end_request;
|
||||
|
||||
@@ -16,7 +16,7 @@ struct cfq_ttime {
|
||||
struct cfq_io_context {
|
||||
void *key;
|
||||
|
||||
- struct cfq_queue *cfqq[2];
|
||||
+ void *cfqq[2];
|
||||
|
||||
struct io_context *ioc;
|
||||
|
||||
@@ -32,6 +32,16 @@ struct cfq_io_context {
|
||||
};
|
||||
|
||||
/*
|
||||
+ * Indexes into the ioprio_changed bitmap. A bit set indicates that
|
||||
+ * the corresponding I/O scheduler needs to see a ioprio update.
|
||||
+ */
|
||||
+enum {
|
||||
+ IOC_CFQ_IOPRIO_CHANGED,
|
||||
+ IOC_BFQ_IOPRIO_CHANGED,
|
||||
+ IOC_IOPRIO_CHANGED_BITS
|
||||
+};
|
||||
+
|
||||
+/*
|
||||
* I/O subsystem state of the associated processes. It is refcounted
|
||||
* and kmalloc'ed. These could be shared between processes.
|
||||
*/
|
||||
@@ -43,7 +53,7 @@ struct io_context {
|
||||
spinlock_t lock;
|
||||
|
||||
unsigned short ioprio;
|
||||
- unsigned short ioprio_changed;
|
||||
+ DECLARE_BITMAP(ioprio_changed, IOC_IOPRIO_CHANGED_BITS);
|
||||
|
||||
#if defined(CONFIG_BLK_CGROUP) || defined(CONFIG_BLK_CGROUP_MODULE)
|
||||
unsigned short cgroup_changed;
|
||||
@@ -57,6 +67,8 @@ struct io_context {
|
||||
|
||||
struct radix_tree_root radix_root;
|
||||
struct hlist_head cic_list;
|
||||
+ struct radix_tree_root bfq_radix_root;
|
||||
+ struct hlist_head bfq_cic_list;
|
||||
void __rcu *ioc_data;
|
||||
};
|
||||
|
||||
--
|
||||
1.7.10.4
|
||||
|
391
3.2.34/0002-AppArmor-compatibility-patch-for-v5-interface.patch
Normal file
391
3.2.34/0002-AppArmor-compatibility-patch-for-v5-interface.patch
Normal file
@ -0,0 +1,391 @@
|
||||
From a2515f25ad5a7833ddc5a032d34eee6a5ddee3a2 Mon Sep 17 00:00:00 2001
|
||||
From: John Johansen <john.johansen@canonical.com>
|
||||
Date: Wed, 10 Aug 2011 22:02:40 -0700
|
||||
Subject: [PATCH 2/3] AppArmor: compatibility patch for v5 interface
|
||||
|
||||
Signed-off-by: John Johansen <john.johansen@canonical.com>
|
||||
---
|
||||
security/apparmor/Kconfig | 9 +
|
||||
security/apparmor/Makefile | 1 +
|
||||
security/apparmor/apparmorfs-24.c | 287 ++++++++++++++++++++++++++++++++
|
||||
security/apparmor/apparmorfs.c | 18 ++-
|
||||
security/apparmor/include/apparmorfs.h | 6 +
|
||||
5 files changed, 319 insertions(+), 2 deletions(-)
|
||||
create mode 100644 security/apparmor/apparmorfs-24.c
|
||||
|
||||
diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
|
||||
index 9b9013b..51ebf96 100644
|
||||
--- a/security/apparmor/Kconfig
|
||||
+++ b/security/apparmor/Kconfig
|
||||
@@ -29,3 +29,12 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE
|
||||
boot.
|
||||
|
||||
If you are unsure how to answer this question, answer 1.
|
||||
+
|
||||
+config SECURITY_APPARMOR_COMPAT_24
|
||||
+ bool "Enable AppArmor 2.4 compatability"
|
||||
+ depends on SECURITY_APPARMOR
|
||||
+ default y
|
||||
+ help
|
||||
+ This option enables compatability with AppArmor 2.4. It is
|
||||
+ recommended if compatability with older versions of AppArmor
|
||||
+ is desired.
|
||||
diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
|
||||
index 7cefef9..0bb604b 100644
|
||||
--- a/security/apparmor/Makefile
|
||||
+++ b/security/apparmor/Makefile
|
||||
@@ -5,6 +5,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
|
||||
apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
|
||||
path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
|
||||
resource.o sid.o file.o net.o
|
||||
+apparmor-$(CONFIG_SECURITY_APPARMOR_COMPAT_24) += apparmorfs-24.o
|
||||
|
||||
clean-files := capability_names.h rlim_names.h af_names.h
|
||||
|
||||
diff --git a/security/apparmor/apparmorfs-24.c b/security/apparmor/apparmorfs-24.c
|
||||
new file mode 100644
|
||||
index 0000000..dc8c744
|
||||
--- /dev/null
|
||||
+++ b/security/apparmor/apparmorfs-24.c
|
||||
@@ -0,0 +1,287 @@
|
||||
+/*
|
||||
+ * AppArmor security module
|
||||
+ *
|
||||
+ * This file contains AppArmor /sys/kernel/secrutiy/apparmor interface functions
|
||||
+ *
|
||||
+ * Copyright (C) 1998-2008 Novell/SUSE
|
||||
+ * Copyright 2009-2010 Canonical Ltd.
|
||||
+ *
|
||||
+ * This program is free software; you can redistribute it and/or
|
||||
+ * modify it under the terms of the GNU General Public License as
|
||||
+ * published by the Free Software Foundation, version 2 of the
|
||||
+ * License.
|
||||
+ *
|
||||
+ *
|
||||
+ * This file contain functions providing an interface for <= AppArmor 2.4
|
||||
+ * compatibility. It is dependent on CONFIG_SECURITY_APPARMOR_COMPAT_24
|
||||
+ * being set (see Makefile).
|
||||
+ */
|
||||
+
|
||||
+#include <linux/security.h>
|
||||
+#include <linux/vmalloc.h>
|
||||
+#include <linux/module.h>
|
||||
+#include <linux/seq_file.h>
|
||||
+#include <linux/uaccess.h>
|
||||
+#include <linux/namei.h>
|
||||
+
|
||||
+#include "include/apparmor.h"
|
||||
+#include "include/audit.h"
|
||||
+#include "include/context.h"
|
||||
+#include "include/policy.h"
|
||||
+
|
||||
+
|
||||
+/* apparmor/matching */
|
||||
+static ssize_t aa_matching_read(struct file *file, char __user *buf,
|
||||
+ size_t size, loff_t *ppos)
|
||||
+{
|
||||
+ const char matching[] = "pattern=aadfa audit perms=crwxamlk/ "
|
||||
+ "user::other";
|
||||
+
|
||||
+ return simple_read_from_buffer(buf, size, ppos, matching,
|
||||
+ sizeof(matching) - 1);
|
||||
+}
|
||||
+
|
||||
+const struct file_operations aa_fs_matching_fops = {
|
||||
+ .read = aa_matching_read,
|
||||
+};
|
||||
+
|
||||
+/* apparmor/features */
|
||||
+static ssize_t aa_features_read(struct file *file, char __user *buf,
|
||||
+ size_t size, loff_t *ppos)
|
||||
+{
|
||||
+ const char features[] = "file=3.1 capability=2.0 network=1.0 "
|
||||
+ "change_hat=1.5 change_profile=1.1 " "aanamespaces=1.1 rlimit=1.1";
|
||||
+
|
||||
+ return simple_read_from_buffer(buf, size, ppos, features,
|
||||
+ sizeof(features) - 1);
|
||||
+}
|
||||
+
|
||||
+const struct file_operations aa_fs_features_fops = {
|
||||
+ .read = aa_features_read,
|
||||
+};
|
||||
+
|
||||
+/**
|
||||
+ * __next_namespace - find the next namespace to list
|
||||
+ * @root: root namespace to stop search at (NOT NULL)
|
||||
+ * @ns: current ns position (NOT NULL)
|
||||
+ *
|
||||
+ * Find the next namespace from @ns under @root and handle all locking needed
|
||||
+ * while switching current namespace.
|
||||
+ *
|
||||
+ * Returns: next namespace or NULL if at last namespace under @root
|
||||
+ * NOTE: will not unlock root->lock
|
||||
+ */
|
||||
+static struct aa_namespace *__next_namespace(struct aa_namespace *root,
|
||||
+ struct aa_namespace *ns)
|
||||
+{
|
||||
+ struct aa_namespace *parent;
|
||||
+
|
||||
+ /* is next namespace a child */
|
||||
+ if (!list_empty(&ns->sub_ns)) {
|
||||
+ struct aa_namespace *next;
|
||||
+ next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
|
||||
+ read_lock(&next->lock);
|
||||
+ return next;
|
||||
+ }
|
||||
+
|
||||
+ /* check if the next ns is a sibling, parent, gp, .. */
|
||||
+ parent = ns->parent;
|
||||
+ while (parent) {
|
||||
+ read_unlock(&ns->lock);
|
||||
+ list_for_each_entry_continue(ns, &parent->sub_ns, base.list) {
|
||||
+ read_lock(&ns->lock);
|
||||
+ return ns;
|
||||
+ }
|
||||
+ if (parent == root)
|
||||
+ return NULL;
|
||||
+ ns = parent;
|
||||
+ parent = parent->parent;
|
||||
+ }
|
||||
+
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * __first_profile - find the first profile in a namespace
|
||||
+ * @root: namespace that is root of profiles being displayed (NOT NULL)
|
||||
+ * @ns: namespace to start in (NOT NULL)
|
||||
+ *
|
||||
+ * Returns: unrefcounted profile or NULL if no profile
|
||||
+ */
|
||||
+static struct aa_profile *__first_profile(struct aa_namespace *root,
|
||||
+ struct aa_namespace *ns)
|
||||
+{
|
||||
+ for ( ; ns; ns = __next_namespace(root, ns)) {
|
||||
+ if (!list_empty(&ns->base.profiles))
|
||||
+ return list_first_entry(&ns->base.profiles,
|
||||
+ struct aa_profile, base.list);
|
||||
+ }
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * __next_profile - step to the next profile in a profile tree
|
||||
+ * @profile: current profile in tree (NOT NULL)
|
||||
+ *
|
||||
+ * Perform a depth first taversal on the profile tree in a namespace
|
||||
+ *
|
||||
+ * Returns: next profile or NULL if done
|
||||
+ * Requires: profile->ns.lock to be held
|
||||
+ */
|
||||
+static struct aa_profile *__next_profile(struct aa_profile *p)
|
||||
+{
|
||||
+ struct aa_profile *parent;
|
||||
+ struct aa_namespace *ns = p->ns;
|
||||
+
|
||||
+ /* is next profile a child */
|
||||
+ if (!list_empty(&p->base.profiles))
|
||||
+ return list_first_entry(&p->base.profiles, typeof(*p),
|
||||
+ base.list);
|
||||
+
|
||||
+ /* is next profile a sibling, parent sibling, gp, subling, .. */
|
||||
+ parent = p->parent;
|
||||
+ while (parent) {
|
||||
+ list_for_each_entry_continue(p, &parent->base.profiles,
|
||||
+ base.list)
|
||||
+ return p;
|
||||
+ p = parent;
|
||||
+ parent = parent->parent;
|
||||
+ }
|
||||
+
|
||||
+ /* is next another profile in the namespace */
|
||||
+ list_for_each_entry_continue(p, &ns->base.profiles, base.list)
|
||||
+ return p;
|
||||
+
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * next_profile - step to the next profile in where ever it may be
|
||||
+ * @root: root namespace (NOT NULL)
|
||||
+ * @profile: current profile (NOT NULL)
|
||||
+ *
|
||||
+ * Returns: next profile or NULL if there isn't one
|
||||
+ */
|
||||
+static struct aa_profile *next_profile(struct aa_namespace *root,
|
||||
+ struct aa_profile *profile)
|
||||
+{
|
||||
+ struct aa_profile *next = __next_profile(profile);
|
||||
+ if (next)
|
||||
+ return next;
|
||||
+
|
||||
+ /* finished all profiles in namespace move to next namespace */
|
||||
+ return __first_profile(root, __next_namespace(root, profile->ns));
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * p_start - start a depth first traversal of profile tree
|
||||
+ * @f: seq_file to fill
|
||||
+ * @pos: current position
|
||||
+ *
|
||||
+ * Returns: first profile under current namespace or NULL if none found
|
||||
+ *
|
||||
+ * acquires first ns->lock
|
||||
+ */
|
||||
+static void *p_start(struct seq_file *f, loff_t *pos)
|
||||
+ __acquires(root->lock)
|
||||
+{
|
||||
+ struct aa_profile *profile = NULL;
|
||||
+ struct aa_namespace *root = aa_current_profile()->ns;
|
||||
+ loff_t l = *pos;
|
||||
+ f->private = aa_get_namespace(root);
|
||||
+
|
||||
+
|
||||
+ /* find the first profile */
|
||||
+ read_lock(&root->lock);
|
||||
+ profile = __first_profile(root, root);
|
||||
+
|
||||
+ /* skip to position */
|
||||
+ for (; profile && l > 0; l--)
|
||||
+ profile = next_profile(root, profile);
|
||||
+
|
||||
+ return profile;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * p_next - read the next profile entry
|
||||
+ * @f: seq_file to fill
|
||||
+ * @p: profile previously returned
|
||||
+ * @pos: current position
|
||||
+ *
|
||||
+ * Returns: next profile after @p or NULL if none
|
||||
+ *
|
||||
+ * may acquire/release locks in namespace tree as necessary
|
||||
+ */
|
||||
+static void *p_next(struct seq_file *f, void *p, loff_t *pos)
|
||||
+{
|
||||
+ struct aa_profile *profile = p;
|
||||
+ struct aa_namespace *root = f->private;
|
||||
+ (*pos)++;
|
||||
+
|
||||
+ return next_profile(root, profile);
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * p_stop - stop depth first traversal
|
||||
+ * @f: seq_file we are filling
|
||||
+ * @p: the last profile writen
|
||||
+ *
|
||||
+ * Release all locking done by p_start/p_next on namespace tree
|
||||
+ */
|
||||
+static void p_stop(struct seq_file *f, void *p)
|
||||
+ __releases(root->lock)
|
||||
+{
|
||||
+ struct aa_profile *profile = p;
|
||||
+ struct aa_namespace *root = f->private, *ns;
|
||||
+
|
||||
+ if (profile) {
|
||||
+ for (ns = profile->ns; ns && ns != root; ns = ns->parent)
|
||||
+ read_unlock(&ns->lock);
|
||||
+ }
|
||||
+ read_unlock(&root->lock);
|
||||
+ aa_put_namespace(root);
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * seq_show_profile - show a profile entry
|
||||
+ * @f: seq_file to file
|
||||
+ * @p: current position (profile) (NOT NULL)
|
||||
+ *
|
||||
+ * Returns: error on failure
|
||||
+ */
|
||||
+static int seq_show_profile(struct seq_file *f, void *p)
|
||||
+{
|
||||
+ struct aa_profile *profile = (struct aa_profile *)p;
|
||||
+ struct aa_namespace *root = f->private;
|
||||
+
|
||||
+ if (profile->ns != root)
|
||||
+ seq_printf(f, ":%s://", aa_ns_name(root, profile->ns));
|
||||
+ seq_printf(f, "%s (%s)\n", profile->base.hname,
|
||||
+ COMPLAIN_MODE(profile) ? "complain" : "enforce");
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static const struct seq_operations aa_fs_profiles_op = {
|
||||
+ .start = p_start,
|
||||
+ .next = p_next,
|
||||
+ .stop = p_stop,
|
||||
+ .show = seq_show_profile,
|
||||
+};
|
||||
+
|
||||
+static int profiles_open(struct inode *inode, struct file *file)
|
||||
+{
|
||||
+ return seq_open(file, &aa_fs_profiles_op);
|
||||
+}
|
||||
+
|
||||
+static int profiles_release(struct inode *inode, struct file *file)
|
||||
+{
|
||||
+ return seq_release(inode, file);
|
||||
+}
|
||||
+
|
||||
+const struct file_operations aa_fs_profiles_fops = {
|
||||
+ .open = profiles_open,
|
||||
+ .read = seq_read,
|
||||
+ .llseek = seq_lseek,
|
||||
+ .release = profiles_release,
|
||||
+};
|
||||
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
|
||||
index 0848292..28c52ac 100644
|
||||
--- a/security/apparmor/apparmorfs.c
|
||||
+++ b/security/apparmor/apparmorfs.c
|
||||
@@ -187,7 +187,11 @@ void __init aa_destroy_aafs(void)
|
||||
aafs_remove(".remove");
|
||||
aafs_remove(".replace");
|
||||
aafs_remove(".load");
|
||||
-
|
||||
+#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
|
||||
+ aafs_remove("profiles");
|
||||
+ aafs_remove("matching");
|
||||
+ aafs_remove("features");
|
||||
+#endif
|
||||
securityfs_remove(aa_fs_dentry);
|
||||
aa_fs_dentry = NULL;
|
||||
}
|
||||
@@ -218,7 +222,17 @@ int __init aa_create_aafs(void)
|
||||
aa_fs_dentry = NULL;
|
||||
goto error;
|
||||
}
|
||||
-
|
||||
+#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
|
||||
+ error = aafs_create("matching", 0444, &aa_fs_matching_fops);
|
||||
+ if (error)
|
||||
+ goto error;
|
||||
+ error = aafs_create("features", 0444, &aa_fs_features_fops);
|
||||
+ if (error)
|
||||
+ goto error;
|
||||
+#endif
|
||||
+ error = aafs_create("profiles", 0440, &aa_fs_profiles_fops);
|
||||
+ if (error)
|
||||
+ goto error;
|
||||
error = aafs_create(".load", 0640, &aa_fs_profile_load);
|
||||
if (error)
|
||||
goto error;
|
||||
diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/include/apparmorfs.h
|
||||
index cb1e93a..14f955c 100644
|
||||
--- a/security/apparmor/include/apparmorfs.h
|
||||
+++ b/security/apparmor/include/apparmorfs.h
|
||||
@@ -17,4 +17,10 @@
|
||||
|
||||
extern void __init aa_destroy_aafs(void);
|
||||
|
||||
+#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
|
||||
+extern const struct file_operations aa_fs_matching_fops;
|
||||
+extern const struct file_operations aa_fs_features_fops;
|
||||
+extern const struct file_operations aa_fs_profiles_fops;
|
||||
+#endif
|
||||
+
|
||||
#endif /* __AA_APPARMORFS_H */
|
||||
--
|
||||
1.7.5.4
|
||||
|
@ -0,0 +1,46 @@
|
||||
From 9396d61706a827dfc4dcdfdc8f687e0e9e24f53d Mon Sep 17 00:00:00 2001
|
||||
From: Arianna Avanzini <avanzini.arianna@gmail.com>
|
||||
Date: Mon, 19 Dec 2011 16:34:01 +0100
|
||||
Subject: [PATCH 2/3] block: cgroups, kconfig, build bits for BFQ-v5-3.2
|
||||
|
||||
Add a Kconfig option and do the related Makefile changes to compile
|
||||
the BFQ I/O scheduler. Also let the cgroups subsystem know about the
|
||||
BFQ I/O controller.
|
||||
|
||||
Signed-off-by: Fabio Checconi <fabio@gandalf.sssup.it>
|
||||
Signed-off-by: Paolo Valente <paolo.valente@unimore.it>
|
||||
Signed-off-by: Arianna Avanzini <avanzini.arianna@gmail.com>
|
||||
---
|
||||
block/Makefile | 1 +
|
||||
include/linux/cgroup_subsys.h | 6 ++++++
|
||||
2 files changed, 7 insertions(+)
|
||||
|
||||
diff --git a/block/Makefile b/block/Makefile
|
||||
index 514c6e4..653d27b 100644
|
||||
--- a/block/Makefile
|
||||
+++ b/block/Makefile
|
||||
@@ -14,6 +14,7 @@ obj-$(CONFIG_BLK_DEV_THROTTLING) += blk-throttle.o
|
||||
obj-$(CONFIG_IOSCHED_NOOP) += noop-iosched.o
|
||||
obj-$(CONFIG_IOSCHED_DEADLINE) += deadline-iosched.o
|
||||
obj-$(CONFIG_IOSCHED_CFQ) += cfq-iosched.o
|
||||
+obj-$(CONFIG_IOSCHED_BFQ) += bfq-iosched.o
|
||||
|
||||
obj-$(CONFIG_BLOCK_COMPAT) += compat_ioctl.o
|
||||
obj-$(CONFIG_BLK_DEV_INTEGRITY) += blk-integrity.o
|
||||
diff --git a/include/linux/cgroup_subsys.h b/include/linux/cgroup_subsys.h
|
||||
index ac663c1..c966638 100644
|
||||
--- a/include/linux/cgroup_subsys.h
|
||||
+++ b/include/linux/cgroup_subsys.h
|
||||
@@ -64,3 +64,9 @@ SUBSYS(perf)
|
||||
#endif
|
||||
|
||||
/* */
|
||||
+
|
||||
+#ifdef CONFIG_CGROUP_BFQIO
|
||||
+SUBSYS(bfqio)
|
||||
+#endif
|
||||
+
|
||||
+/* */
|
||||
--
|
||||
1.7.10.4
|
||||
|
@ -0,0 +1,69 @@
|
||||
From 7a10d093f9779f42cb8d6affcb6a4436d3ebd6d3 Mon Sep 17 00:00:00 2001
|
||||
From: John Johansen <john.johansen@canonical.com>
|
||||
Date: Wed, 10 Aug 2011 22:02:41 -0700
|
||||
Subject: [PATCH 3/3] AppArmor: Allow dfa backward compatibility with broken
|
||||
userspace
|
||||
|
||||
The apparmor_parser when compiling policy could generate invalid dfas
|
||||
that did not have sufficient padding to avoid invalid references, when
|
||||
used by the kernel. The kernels check to verify the next/check table
|
||||
size was broken meaning invalid dfas were being created by userspace
|
||||
and not caught.
|
||||
|
||||
To remain compatible with old tools that are not fixed, pad the loaded
|
||||
dfas next/check table. The dfa's themselves are valid except for the
|
||||
high padding for potentially invalid transitions (high bounds error),
|
||||
which have a maximimum is 256 entries. So just allocate an extra null filled
|
||||
256 entries for the next/check tables. This will guarentee all bounds
|
||||
are good and invalid transitions go to the null (0) state.
|
||||
|
||||
Signed-off-by: John Johansen <john.johansen@canonical.com>
|
||||
---
|
||||
security/apparmor/match.c | 17 +++++++++++++++++
|
||||
1 files changed, 17 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git a/security/apparmor/match.c b/security/apparmor/match.c
|
||||
index 94de6b4..081491e 100644
|
||||
--- a/security/apparmor/match.c
|
||||
+++ b/security/apparmor/match.c
|
||||
@@ -57,8 +57,17 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
|
||||
if (bsize < tsize)
|
||||
goto out;
|
||||
|
||||
+ /* Pad table allocation for next/check by 256 entries to remain
|
||||
+ * backwards compatible with old (buggy) tools and remain safe without
|
||||
+ * run time checks
|
||||
+ */
|
||||
+ if (th.td_id == YYTD_ID_NXT || th.td_id == YYTD_ID_CHK)
|
||||
+ tsize += 256 * th.td_flags;
|
||||
+
|
||||
table = kvmalloc(tsize);
|
||||
if (table) {
|
||||
+ /* ensure the pad is clear, else there will be errors */
|
||||
+ memset(table, 0, tsize);
|
||||
*table = th;
|
||||
if (th.td_flags == YYTD_DATA8)
|
||||
UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
|
||||
@@ -134,11 +143,19 @@ static int verify_dfa(struct aa_dfa *dfa, int flags)
|
||||
goto out;
|
||||
|
||||
if (flags & DFA_FLAG_VERIFY_STATES) {
|
||||
+ int warning = 0;
|
||||
for (i = 0; i < state_count; i++) {
|
||||
if (DEFAULT_TABLE(dfa)[i] >= state_count)
|
||||
goto out;
|
||||
/* TODO: do check that DEF state recursion terminates */
|
||||
if (BASE_TABLE(dfa)[i] + 255 >= trans_count) {
|
||||
+ if (warning)
|
||||
+ continue;
|
||||
+ printk(KERN_WARNING "AppArmor DFA next/check "
|
||||
+ "upper bounds error fixed, upgrade "
|
||||
+ "user space tools \n");
|
||||
+ warning = 1;
|
||||
+ } else if (BASE_TABLE(dfa)[i] >= trans_count) {
|
||||
printk(KERN_ERR "AppArmor DFA next/check upper "
|
||||
"bounds error\n");
|
||||
goto out;
|
||||
--
|
||||
1.7.5.4
|
||||
|
5986
3.2.34/0003-block-introduce-the-BFQ-v5-I-O-sched-for-3.2.patch
Normal file
5986
3.2.34/0003-block-introduce-the-BFQ-v5-I-O-sched-for-3.2.patch
Normal file
File diff suppressed because it is too large
Load Diff
174
3.2.34/01patch-2.6.33_atopcnt.patch
Normal file
174
3.2.34/01patch-2.6.33_atopcnt.patch
Normal file
@ -0,0 +1,174 @@
|
||||
diff --git a/block/blk-core.c b/block/blk-core.c
|
||||
index d1a9a0a..8b54acb 100644
|
||||
--- a/block/blk-core.c
|
||||
+++ b/block/blk-core.c
|
||||
@@ -73,6 +73,17 @@ static void drive_stat_acct(struct request *rq, int new_io)
|
||||
part_inc_in_flight(part, rw);
|
||||
}
|
||||
|
||||
+ switch (rw) { /* ATOP */
|
||||
+ case READ: /* ATOP */
|
||||
+ current->group_leader->stat.dsk_rio += new_io; /* ATOP */
|
||||
+ current->group_leader->stat.dsk_rsz += blk_rq_sectors(rq); /* ATOP */
|
||||
+ break; /* ATOP */
|
||||
+ case WRITE: /* ATOP */
|
||||
+ current->group_leader->stat.dsk_wio += new_io; /* ATOP */
|
||||
+ current->group_leader->stat.dsk_wsz += blk_rq_sectors(rq); /* ATOP */
|
||||
+ break; /* ATOP */
|
||||
+ } /* ATOP */
|
||||
+
|
||||
part_stat_unlock();
|
||||
}
|
||||
|
||||
diff --git a/fs/proc/array.c b/fs/proc/array.c
|
||||
index 13b5d07..cac522e 100644
|
||||
--- a/fs/proc/array.c
|
||||
+++ b/fs/proc/array.c
|
||||
@@ -515,6 +515,25 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
|
||||
(unsigned long long)delayacct_blkio_ticks(task),
|
||||
cputime_to_clock_t(gtime),
|
||||
cputime_to_clock_t(cgtime));
|
||||
+
|
||||
+ seq_printf(m, /* ATOP */
|
||||
+ "%lu %llu %lu %llu %lu %llu %lu " /* ATOP */
|
||||
+ "%llu %lu %llu %lu %llu %lu %lu\n", /* ATOP */
|
||||
+ task->stat.dsk_rio, /* ATOP */
|
||||
+ task->stat.dsk_rsz, /* ATOP */
|
||||
+ task->stat.dsk_wio, /* ATOP */
|
||||
+ task->stat.dsk_wsz, /* ATOP */
|
||||
+ task->stat.tcp_snd, /* ATOP */
|
||||
+ task->stat.tcp_ssz, /* ATOP */
|
||||
+ task->stat.tcp_rcv, /* ATOP */
|
||||
+ task->stat.tcp_rsz, /* ATOP */
|
||||
+ task->stat.udp_snd, /* ATOP */
|
||||
+ task->stat.udp_ssz, /* ATOP */
|
||||
+ task->stat.udp_rcv, /* ATOP */
|
||||
+ task->stat.udp_rsz, /* ATOP */
|
||||
+ task->stat.raw_snd, /* ATOP */
|
||||
+ task->stat.raw_rcv); /* ATOP */
|
||||
+
|
||||
if (mm)
|
||||
mmput(mm);
|
||||
return 0;
|
||||
diff --git a/include/linux/sched.h b/include/linux/sched.h
|
||||
index 78efe7c..22391bf 100644
|
||||
--- a/include/linux/sched.h
|
||||
+++ b/include/linux/sched.h
|
||||
@@ -1512,6 +1512,17 @@ struct task_struct {
|
||||
#endif
|
||||
atomic_t fs_excl; /* holding fs exclusive resources */
|
||||
struct rcu_head rcu;
|
||||
+
|
||||
+ struct { /* ATOP */
|
||||
+ unsigned long dsk_rio, dsk_wio; /* ATOP */
|
||||
+ unsigned long long dsk_rsz, dsk_wsz; /* ATOP */
|
||||
+ unsigned long tcp_snd, tcp_rcv; /* ATOP */
|
||||
+ unsigned long long tcp_ssz, tcp_rsz; /* ATOP */
|
||||
+ unsigned long udp_snd, udp_rcv; /* ATOP */
|
||||
+ unsigned long long udp_ssz, udp_rsz; /* ATOP */
|
||||
+ unsigned long raw_snd, raw_rcv; /* ATOP */
|
||||
+ } stat; /* ATOP */
|
||||
+
|
||||
|
||||
/*
|
||||
* cache last used pipe for splice
|
||||
diff --git a/kernel/acct.c b/kernel/acct.c
|
||||
index a6605ca..d5df53a 100644
|
||||
--- a/kernel/acct.c
|
||||
+++ b/kernel/acct.c
|
||||
@@ -565,7 +565,7 @@ static void do_acct_process(struct bsd_acct_struct *acct,
|
||||
ac.ac_exitcode = pacct->ac_exitcode;
|
||||
spin_unlock_irq(¤t->sighand->siglock);
|
||||
ac.ac_io = encode_comp_t(0 /* current->io_usage */); /* %% */
|
||||
- ac.ac_rw = encode_comp_t(ac.ac_io / 1024);
|
||||
+ ac.ac_rw = encode_comp_t(current->stat.dsk_rio + current->stat.dsk_wio); /* ATOP */
|
||||
ac.ac_swaps = encode_comp_t(0);
|
||||
|
||||
/*
|
||||
diff --git a/kernel/fork.c b/kernel/fork.c
|
||||
index f88bd98..bab2085 100644
|
||||
--- a/kernel/fork.c
|
||||
+++ b/kernel/fork.c
|
||||
@@ -683,6 +683,14 @@ static int copy_mm(unsigned long clone_flags, struct task_struct * tsk)
|
||||
|
||||
tsk->min_flt = tsk->maj_flt = 0;
|
||||
tsk->nvcsw = tsk->nivcsw = 0;
|
||||
+ tsk->stat.dsk_rio = tsk->stat.dsk_wio = 0; /* ATOP */
|
||||
+ tsk->stat.dsk_rsz = tsk->stat.dsk_wsz = 0; /* ATOP */
|
||||
+ tsk->stat.tcp_snd = tsk->stat.tcp_rcv = 0; /* ATOP */
|
||||
+ tsk->stat.tcp_ssz = tsk->stat.tcp_rsz = 0; /* ATOP */
|
||||
+ tsk->stat.udp_snd = tsk->stat.udp_rcv = 0; /* ATOP */
|
||||
+ tsk->stat.udp_ssz = tsk->stat.udp_rsz = 0; /* ATOP */
|
||||
+ tsk->stat.raw_snd = tsk->stat.raw_rcv = 0; /* ATOP */
|
||||
+
|
||||
#ifdef CONFIG_DETECT_HUNG_TASK
|
||||
tsk->last_switch_count = tsk->nvcsw + tsk->nivcsw;
|
||||
#endif
|
||||
diff --git a/net/socket.c b/net/socket.c
|
||||
index 769c386..3ba19f6 100644
|
||||
--- a/net/socket.c
|
||||
+++ b/net/socket.c
|
||||
@@ -547,10 +547,28 @@ static inline int __sock_sendmsg(struct kiocb *iocb, struct socket *sock,
|
||||
si->size = size;
|
||||
|
||||
err = security_socket_sendmsg(sock, msg, size);
|
||||
- if (err)
|
||||
- return err;
|
||||
-
|
||||
- return sock->ops->sendmsg(iocb, sock, msg, size);
|
||||
+ if (!err)
|
||||
+ err = sock->ops->sendmsg(iocb, sock, msg, size);
|
||||
+
|
||||
+ if (err >= 0 && sock->sk) { /* ATOP */
|
||||
+ switch (sock->sk->sk_family) { /* ATOP */
|
||||
+ case PF_INET: /* ATOP */
|
||||
+ case PF_INET6: /* ATOP */
|
||||
+ switch (sock->sk->sk_type) { /* ATOP */
|
||||
+ case SOCK_STREAM: /* ATOP */
|
||||
+ current->group_leader->stat.tcp_snd++; /* ATOP */
|
||||
+ current->group_leader->stat.tcp_ssz+=size;/* ATOP */
|
||||
+ break; /* ATOP */
|
||||
+ case SOCK_DGRAM: /* ATOP */
|
||||
+ current->group_leader->stat.udp_snd++; /* ATOP */
|
||||
+ current->group_leader->stat.udp_ssz+=size;/* ATOP */
|
||||
+ break; /* ATOP */
|
||||
+ case SOCK_RAW: /* ATOP */
|
||||
+ current->group_leader->stat.raw_snd++; /* ATOP */
|
||||
+ } /* ATOP */
|
||||
+ } /* ATOP */
|
||||
+ } /* ATOP */
|
||||
+ return err;
|
||||
}
|
||||
|
||||
int sock_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
|
||||
@@ -682,7 +700,29 @@ static inline int __sock_recvmsg(struct kiocb *iocb, struct socket *sock,
|
||||
{
|
||||
int err = security_socket_recvmsg(sock, msg, size, flags);
|
||||
|
||||
- return err ?: __sock_recvmsg_nosec(iocb, sock, msg, size, flags);
|
||||
+ if (!err)
|
||||
+ err = __sock_recvmsg_nosec(iocb, sock, msg, size, flags);
|
||||
+
|
||||
+ if (err >= 0 && sock->sk) { /* ATOP */
|
||||
+ switch (sock->sk->sk_family) { /* ATOP */
|
||||
+ case PF_INET: /* ATOP */
|
||||
+ case PF_INET6: /* ATOP */
|
||||
+ switch (sock->sk->sk_type) { /* ATOP */
|
||||
+ case SOCK_STREAM: /* ATOP */
|
||||
+ current->group_leader->stat.tcp_rcv++; /* ATOP */
|
||||
+ current->group_leader->stat.tcp_rsz+=err; /* ATOP */
|
||||
+ break; /* ATOP */
|
||||
+ case SOCK_DGRAM: /* ATOP */
|
||||
+ current->group_leader->stat.udp_rcv++; /* ATOP */
|
||||
+ current->group_leader->stat.udp_rsz+=err; /* ATOP */
|
||||
+ break; /* ATOP */
|
||||
+ case SOCK_RAW: /* ATOP */
|
||||
+ current->group_leader->stat.raw_rcv++; /* ATOP */
|
||||
+ break; /* ATOP */
|
||||
+ } /* ATOP */
|
||||
+ } /* ATOP */
|
||||
+ } /* ATOP */
|
||||
+ return err;
|
||||
}
|
||||
|
||||
int sock_recvmsg(struct socket *sock, struct msghdr *msg,
|
125
3.2.34/02patch-2.6.33_atopacct.patch
Normal file
125
3.2.34/02patch-2.6.33_atopacct.patch
Normal file
@ -0,0 +1,125 @@
|
||||
Index: linux-2.6.28/include/linux/acct.h
|
||||
===================================================================
|
||||
--- linux-2.6.28.orig/include/linux/acct.h 2009-01-14 13:02:24.000000000 +0100
|
||||
+++ linux-2.6.28/include/linux/acct.h 2009-01-14 13:03:33.000000000 +0100
|
||||
@@ -97,6 +97,54 @@
|
||||
char ac_comm[ACCT_COMM]; /* Command Name */
|
||||
};
|
||||
|
||||
+struct acct_atop
|
||||
+{
|
||||
+ char ac_flag; /* Flags */
|
||||
+ char ac_version; /* Always set to ACCT_VERSION */
|
||||
+ __u32 ac_pid; /* Process ID */
|
||||
+ __u32 ac_ppid; /* Parent Process ID */
|
||||
+ __u16 ac_uid16; /* LSB of Real User ID */
|
||||
+ __u16 ac_gid16; /* LSB of Real Group ID */
|
||||
+ __u16 ac_tty; /* Control Terminal */
|
||||
+ __u32 ac_btime; /* Process Creation Time */
|
||||
+ comp_t ac_utime; /* User Time */
|
||||
+ comp_t ac_stime; /* System Time */
|
||||
+ comp_t ac_etime; /* Elapsed Time */
|
||||
+ comp_t ac_mem; /* Virtual Memory */
|
||||
+ comp_t ac_rss; /* Resident Memory */
|
||||
+ comp_t ac_io; /* Chars Transferred */
|
||||
+ comp_t ac_rw; /* Blocks Read or Written */
|
||||
+ comp_t ac_bread; /* Blocks Read */
|
||||
+ comp_t ac_bwrite; /* Blocks Written */
|
||||
+ comp2_t ac_dskrsz; /* Cum. blocks read */
|
||||
+ comp2_t ac_dskwsz; /* Cum. blocks written */
|
||||
+ comp_t ac_tcpsnd; /* TCP send requests */
|
||||
+ comp_t ac_tcprcv; /* TCP recv requests */
|
||||
+ comp2_t ac_tcpssz; /* TCP cum. length */
|
||||
+ comp2_t ac_tcprsz; /* TCP cum. length */
|
||||
+ comp_t ac_udpsnd; /* UDP send requests */
|
||||
+ comp_t ac_udprcv; /* UDP recv requests */
|
||||
+ comp2_t ac_udpssz; /* UDP cum. length */
|
||||
+ comp2_t ac_udprsz; /* UDP cum. length */
|
||||
+ comp_t ac_rawsnd; /* RAW send requests */
|
||||
+ comp_t ac_rawrcv; /* RAW recv requests */
|
||||
+ comp_t ac_minflt; /* Minor Pagefaults */
|
||||
+ comp_t ac_majflt; /* Major Pagefaults */
|
||||
+ comp_t ac_swaps; /* Number of Swaps */
|
||||
+/* m68k had no padding here. */
|
||||
+#if !defined(CONFIG_M68K) || !defined(__KERNEL__)
|
||||
+ __u16 ac_ahz; /* AHZ */
|
||||
+#endif
|
||||
+ __u32 ac_exitcode; /* Exitcode */
|
||||
+ char ac_comm[ACCT_COMM + 1]; /* Command Name */
|
||||
+ __u8 ac_etime_hi; /* Elapsed Time MSB */
|
||||
+ __u16 ac_etime_lo; /* Elapsed Time LSB */
|
||||
+ __u32 ac_uid; /* Real User ID */
|
||||
+ __u32 ac_gid; /* Real Group ID */
|
||||
+};
|
||||
+
|
||||
+
|
||||
+
|
||||
/*
|
||||
* accounting flags
|
||||
*/
|
||||
@@ -146,7 +194,13 @@
|
||||
* 5: new binary incompatible format (128 bytes, second half)
|
||||
*
|
||||
*/
|
||||
+#define CONFIG_PROCESS_ACCT_ATOP
|
||||
|
||||
+#ifdef CONFIG_PROCESS_ACCT_ATOP
|
||||
+#define ACCT_VERSION 6
|
||||
+#define AHZ (USER_HZ)
|
||||
+typedef struct acct_atop acct_t;
|
||||
+#else
|
||||
#ifdef CONFIG_BSD_PROCESS_ACCT_V3
|
||||
#define ACCT_VERSION 3
|
||||
#define AHZ 100
|
||||
@@ -160,6 +214,7 @@
|
||||
#define AHZ (USER_HZ)
|
||||
typedef struct acct acct_t;
|
||||
#endif
|
||||
+#endif
|
||||
|
||||
#else
|
||||
#define ACCT_VERSION 2
|
||||
Index: linux-2.6.28/kernel/acct.c
|
||||
===================================================================
|
||||
--- linux-2.6.28.orig/kernel/acct.c 2009-01-14 13:03:31.000000000 +0100
|
||||
+++ linux-2.6.28/kernel/acct.c 2009-01-14 13:03:33.000000000 +0100
|
||||
@@ -405,7 +405,7 @@
|
||||
return exp;
|
||||
}
|
||||
|
||||
-#if ACCT_VERSION==1 || ACCT_VERSION==2
|
||||
+#if ACCT_VERSION==1 || ACCT_VERSION==2 || ACCT_VERSION==6
|
||||
/*
|
||||
* encode an u64 into a comp2_t (24 bits)
|
||||
*
|
||||
@@ -552,6 +552,30 @@
|
||||
ac.ac_ppid = task_tgid_nr_ns(rcu_dereference(current->real_parent), ns);
|
||||
rcu_read_unlock();
|
||||
#endif
|
||||
+#if ACCT_VERSION==6 /* ATOP */
|
||||
+ ac.ac_pid = current->pid;
|
||||
+ ac.ac_ppid = current->parent->pid;
|
||||
+ ac.ac_uid16 = ac.ac_uid;
|
||||
+ ac.ac_gid16 = ac.ac_gid;
|
||||
+ ac.ac_ahz = AHZ;
|
||||
+ ac.ac_bread = encode_comp_t(current->stat.dsk_rio);
|
||||
+ ac.ac_bwrite = encode_comp_t(current->stat.dsk_wio);
|
||||
+ ac.ac_dskrsz = encode_comp2_t(current->stat.dsk_rsz);
|
||||
+ ac.ac_dskwsz = encode_comp2_t(current->stat.dsk_wsz);
|
||||
+ ac.ac_tcpsnd = encode_comp_t(current->stat.tcp_snd);
|
||||
+ ac.ac_tcprcv = encode_comp_t(current->stat.tcp_rcv);
|
||||
+ ac.ac_tcpssz = encode_comp2_t(current->stat.tcp_ssz);
|
||||
+ ac.ac_tcprsz = encode_comp2_t(current->stat.tcp_rsz);
|
||||
+ ac.ac_udpsnd = encode_comp_t(current->stat.udp_snd);
|
||||
+ ac.ac_udprcv = encode_comp_t(current->stat.udp_rcv);
|
||||
+ ac.ac_udpssz = encode_comp2_t(current->stat.udp_ssz);
|
||||
+ ac.ac_udprsz = encode_comp2_t(current->stat.udp_rsz);
|
||||
+ ac.ac_rawsnd = encode_comp_t(current->stat.raw_snd);
|
||||
+ ac.ac_rawrcv = encode_comp_t(current->stat.raw_rcv);
|
||||
+ ac.ac_rss = current->mm ?
|
||||
+ encode_comp_t(get_mm_rss(current->mm)<<(PAGE_SHIFT-10)) :
|
||||
+ encode_comp_t(0);
|
||||
+#endif
|
||||
|
||||
spin_lock_irq(¤t->sighand->siglock);
|
||||
tty = current->signal->tty; /* Safe as we hold the siglock */
|
9093
3.2.34/3.2.0-ck1.patch
Normal file
9093
3.2.34/3.2.0-ck1.patch
Normal file
File diff suppressed because it is too large
Load Diff
181
3.2.34/3rd-3rdparty-1.0-tree.patch
Normal file
181
3.2.34/3rd-3rdparty-1.0-tree.patch
Normal file
@ -0,0 +1,181 @@
|
||||
|
||||
3rdparty/mkbuild.pl | 92 +++++++++++++++++++++++++++++++++++++++++++++
|
||||
Documentation/3rdparty.txt | 76 +++++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 168 insertions(+)
|
||||
|
||||
diff -Nurp linux-2.6.37/3rdparty/mkbuild.pl 3rdparty/mkbuild.pl
|
||||
--- linux-2.6.37/3rdparty/mkbuild.pl 1970-01-01 02:00:00.000000000 +0200
|
||||
+++ 3rdparty/mkbuild.pl 2004-04-23 14:59:03.000000000 +0300
|
||||
@@ -0,0 +1,92 @@
|
||||
+#!/usr/bin/perl -w
|
||||
+#
|
||||
+# Version 1.0
|
||||
+#
|
||||
+# Copyright 2001 Jeff Garzik <jgarzik@mandrakesoft.com>
|
||||
+# Copyright 2002 Juan Quintela <quintela@mandrakesoft.com>
|
||||
+# Copyright 2003 Nicolas Planel <nplanel@mandrakesoft.com>
|
||||
+#
|
||||
+# This software may be used and distributed according to the terms
|
||||
+# of the GNU General Public License, incorporated herein by reference.
|
||||
+#
|
||||
+#
|
||||
+# Run "mkbuild.pl"
|
||||
+#
|
||||
+# This program generates the following files
|
||||
+# Makefile
|
||||
+# Makefile.drivers
|
||||
+# Config.in
|
||||
+# using the information in the subdirs of this directory.
|
||||
+#
|
||||
+# subdirs need to have:
|
||||
+# a Config.in file
|
||||
+# a Makefile with a O_TARGET/L_TARGET targets
|
||||
+# The config.in should set a CONFIG_<module_dir_name> to m/y.
|
||||
+
|
||||
+use strict;
|
||||
+
|
||||
+opendir(THISDIR, ".");
|
||||
+# get dirs without . and .. garbage
|
||||
+my (@modules) = grep(!/\.\.?$/,grep(-d, readdir(THISDIR)));
|
||||
+closedir(THISDIR);
|
||||
+
|
||||
+generate_kconfig(@modules);
|
||||
+generate_makefile(@modules);
|
||||
+exit(0);
|
||||
+
|
||||
+##########################################################################
|
||||
+
|
||||
+sub generate_makefile {
|
||||
+ my (@modules) = @_;
|
||||
+
|
||||
+ local *F;
|
||||
+ open F, "> Makefile" or die "Cannot create new Makefile: $!\n";
|
||||
+ print F <<'EOM';
|
||||
+#
|
||||
+# THIS IS AN AUTOMATICALLY GENERATED FILE. DO NOT EDIT.
|
||||
+#
|
||||
+
|
||||
+EOM
|
||||
+ printf F "obj- := 3rdparty.o # Dummy rule to force built-in.o to be made\n";
|
||||
+ printf F "obj-\$(%s) += %s\n", to_CONFIG($_), $_ . '/' foreach @modules;
|
||||
+}
|
||||
+
|
||||
+sub generate_kconfig {
|
||||
+ my (@modules) = @_;
|
||||
+
|
||||
+ local *F;
|
||||
+ open F, "> Kconfig" or die "Cannot create Kconfig: $!\n";
|
||||
+ print F <<"EOM";
|
||||
+#
|
||||
+# THIS IS AN AUTOMATICALLY GENERATED FILE. DO NOT EDIT.
|
||||
+#
|
||||
+
|
||||
+menu "Unofficial 3rd party kernel additions"
|
||||
+
|
||||
+EOM
|
||||
+
|
||||