Drop old apparmor ebuilds
This commit is contained in:
parent
d56c9affd4
commit
f184ff9ef7
@ -1,8 +0,0 @@
|
||||
DIST apparmor-docs-2.0-6269.tar.gz 2697657 RMD160 474048d988d72cbf9bf21d50e8aef37d06d9b000 SHA1 792f4339d86d02d179b786de87a47394abfdadae SHA256 9c2d63bfe42cc4582e24d1248a7560dd19cee718db513c7dedb12d45fe168221
|
||||
EBUILD apparmor-docs-2.0_p6269.ebuild 955 RMD160 7d0ef9d6bc1a7742684c3c3ced41fd846647a659 SHA1 1f46784c84ea199daa365a19e5d2ff500b84540b SHA256 0db0811764e7dee4543a7d8435f998a76d01ac54335d1b6603295a7a7d929c12
|
||||
MD5 38dd72e1548593a135e9e3554d583b3a apparmor-docs-2.0_p6269.ebuild 955
|
||||
RMD160 7d0ef9d6bc1a7742684c3c3ced41fd846647a659 apparmor-docs-2.0_p6269.ebuild 955
|
||||
SHA256 0db0811764e7dee4543a7d8435f998a76d01ac54335d1b6603295a7a7d929c12 apparmor-docs-2.0_p6269.ebuild 955
|
||||
MD5 2729ec9e31f63d936db2d7745ef9be57 files/digest-apparmor-docs-2.0_p6269 271
|
||||
RMD160 1c537c1e781a06a7bac39b2cfb7170ba281bb875 files/digest-apparmor-docs-2.0_p6269 271
|
||||
SHA256 1a62f3ad2e11540f9e65c1c623357a588f44ecd1244c2559c6436f426aa210ba files/digest-apparmor-docs-2.0_p6269 271
|
@ -1,42 +0,0 @@
|
||||
# Copyright 1999-2006 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Header: $
|
||||
|
||||
inherit eutils perl-module toolchain-funcs
|
||||
|
||||
MY_PV="${PV/_p/-}"
|
||||
MY_P="${PN}-${MY_PV}"
|
||||
MY_S="${WORKDIR}/${PN}-${PV/_p*/}"
|
||||
MONTH="April"
|
||||
|
||||
DESCRIPTION="Documentation for AppArmor."
|
||||
HOMEPAGE="http://forge.novell.com/modules/xfmod/project/?apparmor"
|
||||
SRC_URI="http://forgeftp.novell.com/apparmor/Development%20-%20${MONTH}%20Snapshot/${MY_P}.tar.gz"
|
||||
|
||||
LICENSE="GPL-2"
|
||||
SLOT="0"
|
||||
KEYWORDS="~x86 ~amd64"
|
||||
IUSE="doc"
|
||||
|
||||
DEPEND=""
|
||||
RDEPEND="${DEPEND}"
|
||||
|
||||
src_unpack() {
|
||||
unpack ${A}
|
||||
|
||||
cd ${MY_S}
|
||||
sed -i "s:NOVELL/SUSE:Gentoo:g" Makefile
|
||||
}
|
||||
|
||||
src_compile() {
|
||||
cd ${MY_S}
|
||||
emake CC="$(tc-getCC)" CFLAGS="${CFLAGS}" || die
|
||||
}
|
||||
|
||||
src_install() {
|
||||
cd ${MY_S}
|
||||
make DESTDIR=${D} install_manpages || die
|
||||
# Some files are missing from the doc distribution, so no '|| die'
|
||||
# bug submitted upstream
|
||||
make DESTDIR=${D} DOCDIR=/usr/share/doc/${P} install_documents
|
||||
}
|
@ -1,3 +0,0 @@
|
||||
MD5 a5130a30a6a9e7cac316fe7658af031a apparmor-docs-2.0-6269.tar.gz 2697657
|
||||
RMD160 474048d988d72cbf9bf21d50e8aef37d06d9b000 apparmor-docs-2.0-6269.tar.gz 2697657
|
||||
SHA256 9c2d63bfe42cc4582e24d1248a7560dd19cee718db513c7dedb12d45fe168221 apparmor-docs-2.0-6269.tar.gz 2697657
|
@ -1,8 +0,0 @@
|
||||
DIST apparmor-syntax-200609.tar.bz2 1944 RMD160 ffffda77d691edfdbdc2044f6b7aa6f33f7bb223 SHA1 602a63663b4c82183cdee568fffee6eea53b3ee1 SHA256 db5aa288aa500f6b7d3bbe3a51949d3a427ee015b385c5353ada8d78846dfe0a
|
||||
EBUILD apparmor-syntax-200609.ebuild 424 RMD160 7791f7d04affb46b767f0d329a888c7be42d984e SHA1 420618adeb7b0ed315cdb1a8e29e0fa8bddc3995 SHA256 60ec62ca7820c57ca4caa25a913c476cf6ea5a060d6befab151a5335fb3303f1
|
||||
MD5 780f8eead7c9f97774e2fb98d66a12c0 apparmor-syntax-200609.ebuild 424
|
||||
RMD160 7791f7d04affb46b767f0d329a888c7be42d984e apparmor-syntax-200609.ebuild 424
|
||||
SHA256 60ec62ca7820c57ca4caa25a913c476cf6ea5a060d6befab151a5335fb3303f1 apparmor-syntax-200609.ebuild 424
|
||||
MD5 c72538221b6d11278c4aa3364e2818bb files/digest-apparmor-syntax-200609 265
|
||||
RMD160 feff8dcf95a810e9ee6eba1e03a135379d2434ef files/digest-apparmor-syntax-200609 265
|
||||
SHA256 e7cfd2f74c1811198bee4763f1f5f8400d8780bd9d3c49eeed2a977540d2e6f5 files/digest-apparmor-syntax-200609 265
|
@ -1,14 +0,0 @@
|
||||
# Copyright 1999-2005 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Header: $
|
||||
|
||||
inherit vim-plugin
|
||||
|
||||
DESCRIPTION="vim plugin: AppArmor policy syntax"
|
||||
HOMEPAGE="http://forge.novell.com/modules/xfmod/project/?apparmor"
|
||||
LICENSE="vim"
|
||||
KEYWORDS="alpha amd64 ia64 mips ~ppc ppc64 sparc x86"
|
||||
IUSE=""
|
||||
|
||||
VIM_PLUGIN_HELPTEXT="This plugin provides syntax highlighting for Apparmor
|
||||
policy files."
|
@ -1,3 +0,0 @@
|
||||
MD5 c44d7356708377424d641aa0c66a72a8 apparmor-syntax-200609.tar.bz2 1944
|
||||
RMD160 ffffda77d691edfdbdc2044f6b7aa6f33f7bb223 apparmor-syntax-200609.tar.bz2 1944
|
||||
SHA256 db5aa288aa500f6b7d3bbe3a51949d3a427ee015b385c5353ada8d78846dfe0a apparmor-syntax-200609.tar.bz2 1944
|
@ -1,37 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE catmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
|
||||
<catmetadata>
|
||||
<longdescription lang="en">
|
||||
The app-vim category contains plugins, syntax file and spelling
|
||||
packages for the Vim text editor.
|
||||
</longdescription>
|
||||
<longdescription lang="de">
|
||||
Die Kategorie app-vim enthält Plugins und
|
||||
Syntax-Pakete für den Vim Texteditor.
|
||||
</longdescription>
|
||||
<longdescription lang="es">
|
||||
La categoría app-vim contiene extensiones y paquetes
|
||||
de syntaxis para el editor de texto Vim.
|
||||
</longdescription>
|
||||
<longdescription lang="nl">
|
||||
De app-vim categorie bevat plugins en syntax-bestanden
|
||||
voor de vim text editor.
|
||||
</longdescription>
|
||||
<longdescription lang="vi">
|
||||
Nhóm app-vim chứa các plugin và các gói syntax cho
|
||||
trình soạn thảo văn bản Vim.
|
||||
</longdescription>
|
||||
<longdescription lang="it">
|
||||
La categoria app-vim contiene estensioni e pacchetti di sintassi
|
||||
per l'editor di testo Vim.
|
||||
</longdescription>
|
||||
<longdescription lang="pt">
|
||||
A categoria app-vim contém plugins e pacotes de sintaxe e grafia
|
||||
para o editor de texto Vim.
|
||||
</longdescription>
|
||||
<longdescription lang="pl">
|
||||
Kategoria app-vim zawiera rozszerzenia, schematy podświetlania składni
|
||||
oraz dodatki służące do sprawdzania pisowni dla edytora tekstu Vim.
|
||||
</longdescription>
|
||||
</catmetadata>
|
||||
|
Binary file not shown.
@ -1,10 +0,0 @@
|
||||
# ChangeLog for sec-policy/apparmor-profiles
|
||||
# Copyright 1999-2006 Gentoo Foundation; Distributed under the GPL v2
|
||||
# $Header: $
|
||||
|
||||
13 Aug 2006; Mario Fetka <mario-fetka@gmx.at>
|
||||
+apparmor-profiles-2.0_p6376.ebuild:
|
||||
Initial Import of
|
||||
Matthew Snelham <zeypher@sigalrm.com>
|
||||
Apparmor ebuilds
|
||||
|
@ -1,24 +0,0 @@
|
||||
DIST apparmor-profiles-2.0-119.tar.gz 38442 RMD160 41960baad897408ef9fed48829975b7d7ad5381a SHA1 ced8c4e1a8837b9c243fba9146454cf284e357f6 SHA256 747be3c170cd9bb599e6c5a6b1c19a1ec8e8f614b469ef52d7e6640830698efd
|
||||
DIST apparmor-profiles-2.0-6376.tar.gz 33651 RMD160 cd64269b9c12fd60256f624b7b81aa1bddbb74c3 SHA1 151a18c3bc05355f24188cd1bc4b77cbae7e15dd SHA256 55103b0ce98616b6860fb43eff23587ad0faf5e38ab828bdd025d87a55b0f073
|
||||
EBUILD apparmor-profiles-2.0_p119.ebuild 1770 RMD160 685fb1f50b304a0e926a4cfe5f83f56668e66089 SHA1 2f99943e2dd586f370a44930a2fe77bf4c5d5d24 SHA256 e45329f2b1d6ee704507ca81af87b910b24390cb215de7ef198029661c720433
|
||||
MD5 237f7fa6f27dbff8548383c39213645d apparmor-profiles-2.0_p119.ebuild 1770
|
||||
RMD160 685fb1f50b304a0e926a4cfe5f83f56668e66089 apparmor-profiles-2.0_p119.ebuild 1770
|
||||
SHA256 e45329f2b1d6ee704507ca81af87b910b24390cb215de7ef198029661c720433 apparmor-profiles-2.0_p119.ebuild 1770
|
||||
EBUILD apparmor-profiles-2.0_p6376.ebuild 1761 RMD160 c71682fbb885b3be54813c691258d4c6a3d6de59 SHA1 778fa06e704b167e03946a0a26f2b6e5f282f37f SHA256 350943388432d8280888d86ea36e3fb92af128c64553ef99f3421c07b2274d04
|
||||
MD5 84869f70eb14cb24d0d296fa2f764cef apparmor-profiles-2.0_p6376.ebuild 1761
|
||||
RMD160 c71682fbb885b3be54813c691258d4c6a3d6de59 apparmor-profiles-2.0_p6376.ebuild 1761
|
||||
SHA256 350943388432d8280888d86ea36e3fb92af128c64553ef99f3421c07b2274d04 apparmor-profiles-2.0_p6376.ebuild 1761
|
||||
MISC ChangeLog 298 RMD160 b9b60d4693e022c3a3b51d7a125fcfb8a81accff SHA1 f5cace28303705a7765c4b80748f2d17918bdad8 SHA256 d0ed57cfaa564a15c378fd4ed2417338c1f228a7facf33f2dc7e2679ccc514c1
|
||||
MD5 754dcad22d0341872441dba94bca8272 ChangeLog 298
|
||||
RMD160 b9b60d4693e022c3a3b51d7a125fcfb8a81accff ChangeLog 298
|
||||
SHA256 d0ed57cfaa564a15c378fd4ed2417338c1f228a7facf33f2dc7e2679ccc514c1 ChangeLog 298
|
||||
MISC metadata.xml 409 RMD160 968882ff27e0b0a3f97af92b6f537b8b00a646ff SHA1 3fcb95fd59a93e7aa310e0a41474df97187da15a SHA256 3043f699fbff382064ac346e6be45c4bdfa03ab4e0a92f8cdaea0737f9edce0f
|
||||
MD5 042c5aa592b5d0dbb5fce79de0cd78d8 metadata.xml 409
|
||||
RMD160 968882ff27e0b0a3f97af92b6f537b8b00a646ff metadata.xml 409
|
||||
SHA256 3043f699fbff382064ac346e6be45c4bdfa03ab4e0a92f8cdaea0737f9edce0f metadata.xml 409
|
||||
MD5 009b398f5b231e38fc3422558483629e files/digest-apparmor-profiles-2.0_p119 274
|
||||
RMD160 d85cd1212273237347788ba31a1b757e9aec6635 files/digest-apparmor-profiles-2.0_p119 274
|
||||
SHA256 a51796af9a3ecb31ff8752d4f3d3d19a6c3f613e8da9e32d02b7a79101996232 files/digest-apparmor-profiles-2.0_p119 274
|
||||
MD5 45e145b77a88f384033973676b4cf1c0 files/digest-apparmor-profiles-2.0_p6376 277
|
||||
RMD160 75b6c9ba5340bafa72a8410339ceeeda13a71d00 files/digest-apparmor-profiles-2.0_p6376 277
|
||||
SHA256 b4229927d9665b3c60a9ba4d956d942083d5d7c59b8f3ced3c36d8741efad10d files/digest-apparmor-profiles-2.0_p6376 277
|
@ -1,60 +0,0 @@
|
||||
# Copyright 1999-2006 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Header: $
|
||||
|
||||
inherit eutils toolchain-funcs
|
||||
|
||||
MY_P="${P/_p/-}"
|
||||
MY_S="${WORKDIR}/${P/_p*/}"
|
||||
MONTH="October"
|
||||
|
||||
DESCRIPTION="AppArmor pre-built application encapsulation profiles."
|
||||
HOMEPAGE="http://forge.novell.com/modules/xfmod/project/?apparmor"
|
||||
SRC_URI="http://forgeftp.novell.com/apparmor/Development%20-%20${MONTH}%20Snapshot/${MY_P}.tar.gz"
|
||||
|
||||
LICENSE="GPL-2"
|
||||
SLOT="0"
|
||||
KEYWORDS="~x86 ~amd64"
|
||||
IUSE=""
|
||||
|
||||
DEPEND=""
|
||||
RDEPEND="sys-apps/apparmor"
|
||||
|
||||
pkg_postinst() {
|
||||
ewarn
|
||||
ewarn "DO NOT EXPECT THESE PROFILES TO WORK ON YOUR SYSTEM!!!"
|
||||
ewarn " Expect that ENABLING THEM WILL BREAK things"
|
||||
ewarn " "
|
||||
ewarn "These profiles were built to work with a SuSE base install, and "
|
||||
ewarn "make many assumptions about file placement and system facilities "
|
||||
ewarn "that are quite possibly untrue on any Gentoo system ever emerged."
|
||||
ewarn " "
|
||||
ewarn "They are provided for reference purposes only, until profiles can "
|
||||
ewarn "be created and verified for Gentoo. If you are interested in using "
|
||||
ewarn "AppArmor, and modifiying these base profiles for a Gentoo package, "
|
||||
ewarn "please feel free to do so, and contact the AppArmor package "
|
||||
ewarn "maintainer with your working profiles!"
|
||||
ewarn
|
||||
epause
|
||||
}
|
||||
|
||||
src_unpack() {
|
||||
unpack ${A}
|
||||
|
||||
cd ${MY_S}
|
||||
# Move profiles to a different dir so that none of
|
||||
# them are sourced by default on startup.
|
||||
sed -i 's:apparmor.d$:apparmor.d/suse-defaults:g' Makefile
|
||||
}
|
||||
|
||||
src_compile() {
|
||||
cd ${MY_S}
|
||||
emake CC="$(tc-getCC)" CFLAGS="${CFLAGS}" || die
|
||||
}
|
||||
|
||||
src_install() {
|
||||
cd ${MY_S}
|
||||
# Place profiles in /usr/share, instead of /usr/src/Immunix
|
||||
MY_SHAREDIR="/usr/share/${PN}"
|
||||
make DESTDIR=${D} EXTRASDIR=${D}/${MY_SHAREDIR} install || die
|
||||
}
|
@ -1,58 +0,0 @@
|
||||
# Copyright 1999-2006 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Header: $
|
||||
|
||||
inherit eutils
|
||||
|
||||
MY_P="${P/_p/-}"
|
||||
MY_S="${WORKDIR}/${P/_p*//}"
|
||||
DESCRIPTION="AppArmor pre-built application encapsulation profiles."
|
||||
HOMEPAGE="http://forge.novell.com/modules/xfmod/project/?apparmor"
|
||||
SRC_URI="http://forge.novell.com/modules/xfcontent/private.php/apparmor/Development%20-%20April%20Snapshot/${MY_P}.tar.gz"
|
||||
|
||||
LICENSE="GPL-2"
|
||||
SLOT="0"
|
||||
KEYWORDS="~x86"
|
||||
IUSE=""
|
||||
|
||||
DEPEND=""
|
||||
RDEPEND=">=sys-apps/apparmor-2.0"
|
||||
|
||||
pkg_postinst() {
|
||||
ewarn
|
||||
ewarn "DO NOT EXPECT THESE PROFILES TO WORK ON YOUR SYSTEM!!!"
|
||||
ewarn " Expect that ENABLING THEM WILL BREAK things"
|
||||
ewarn " "
|
||||
ewarn "These profiles were built to work with a SuSE base install, and "
|
||||
ewarn "make many assumptions about file placement and system facilities "
|
||||
ewarn "that are quite possibly untrue on any Gentoo system ever emerged."
|
||||
ewarn " "
|
||||
ewarn "They are provided for reference purposes only, until profiles can "
|
||||
ewarn "be created and verified for Gentoo. If you are interested in using "
|
||||
ewarn "AppArmor, and modifiying these base profiles for a Gentoo package, "
|
||||
ewarn "please feel free to do so, and contact the AppArmor package "
|
||||
ewarn "maintainer with your working profiles!"
|
||||
ewarn
|
||||
epause
|
||||
}
|
||||
|
||||
src_unpack() {
|
||||
unpack ${A}
|
||||
|
||||
cd ${MY_S}
|
||||
# Move profiles to a different dir so that none of
|
||||
# them are sourced by default on startup.
|
||||
sed -i 's:apparmor.d$:apparmor.d/suse-defaults:g' Makefile
|
||||
}
|
||||
|
||||
src_compile() {
|
||||
cd ${MY_S}
|
||||
emake CC="$(tc-getCC)" CFLAGS="${CFLAGS}" || die
|
||||
}
|
||||
|
||||
src_install() {
|
||||
cd ${MY_S}
|
||||
# Place profiles in /usr/share, instead of /usr/src/Immunix
|
||||
MY_SHAREDIR="/usr/share/${PN}"
|
||||
make DESTDIR=${D} EXTRASDIR=${D}/${MY_SHAREDIR} install || die
|
||||
}
|
@ -1,3 +0,0 @@
|
||||
MD5 93e3dbee491b4dc5c12ea6b4ccf7309a apparmor-profiles-2.0-119.tar.gz 38442
|
||||
RMD160 41960baad897408ef9fed48829975b7d7ad5381a apparmor-profiles-2.0-119.tar.gz 38442
|
||||
SHA256 747be3c170cd9bb599e6c5a6b1c19a1ec8e8f614b469ef52d7e6640830698efd apparmor-profiles-2.0-119.tar.gz 38442
|
@ -1,3 +0,0 @@
|
||||
MD5 526e971c18cc6588271e9ad1787adf2a apparmor-profiles-2.0-6376.tar.gz 33651
|
||||
RMD160 cd64269b9c12fd60256f624b7b81aa1bddbb74c3 apparmor-profiles-2.0-6376.tar.gz 33651
|
||||
SHA256 55103b0ce98616b6860fb43eff23587ad0faf5e38ab828bdd025d87a55b0f073 apparmor-profiles-2.0-6376.tar.gz 33651
|
@ -1,11 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
|
||||
<pkgmetadata>
|
||||
<herd>apparmor</herd>
|
||||
<maintainer>
|
||||
<email>zepher@sigalrm.com</email>
|
||||
<name>Matthew Snelham</name>
|
||||
<description>Primary Maintainer</description>
|
||||
</maintainer>
|
||||
<longdescription lang="en">Default Apparmor profiles from the official Novell releases.</longdescription>
|
||||
</pkgmetadata>
|
@ -1,41 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE catmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
|
||||
<catmetadata>
|
||||
<longdescription lang="en">
|
||||
The sec-policy category contains security policies for
|
||||
access control systems such as SELinux.
|
||||
</longdescription>
|
||||
<longdescription lang="es">
|
||||
La categoría sec-policy contiene políticas de seguridad para sistemas de
|
||||
control de acceso como SELinux.
|
||||
</longdescription>
|
||||
<longdescription lang="de">
|
||||
Die Kategorie sec-policy enthält Sicherheitsrichtlinien für
|
||||
Zugriffskontrollsysteme wie SELinux.
|
||||
</longdescription>
|
||||
<longdescription lang="ja">
|
||||
sec-policyカテゴリーにはSELinuxのようなアクセス・コントロール・システムの
|
||||
ためのセキュリティポリシー(修正をが加えられたパッケージ)が含まれています。
|
||||
</longdescription>
|
||||
<longdescription lang="nl">
|
||||
De sec-policy categorie bevat beveilingsrichtlijnen voor toegangscontrole-
|
||||
systemen als SELinux.
|
||||
</longdescription>
|
||||
<longdescription lang="vi">
|
||||
Nhóm sec-policy chứa các chính sách an ninh cho các hệ thống
|
||||
điều khiển quyền truy cập như SELinux.
|
||||
</longdescription>
|
||||
<longdescription lang="it">
|
||||
La categoria sec-policy contiene le politiche di sicurezza per i sistemi di controllo
|
||||
di accesso come SELinux.
|
||||
</longdescription>
|
||||
<longdescription lang="pt">
|
||||
A categoria sec-policy contém políticas de segurança para
|
||||
sistemas de controle de acesso como SELinux.
|
||||
</longdescription>
|
||||
<longdescription lang="pl">
|
||||
Kategoria sec-policy zawiera polityki bezpieczeństwa i programy kontroli
|
||||
dostępu takie jak np. SELinux.
|
||||
</longdescription>
|
||||
</catmetadata>
|
||||
|
@ -1,16 +0,0 @@
|
||||
AUX apparmor-modules-2.0_2.6.17.9_symbol_export.patch 2976 RMD160 b9232cb4b78bfccd7154f27af554aedc0a01b53f SHA1 19ac2f051379f6733f7760eee2c37dde670bb746 SHA256 f364111249e598379886880d427435474609898dd77df8770112b3594305bd80
|
||||
MD5 fb0f6966a5fafacc3ca5cd453973e3f9 files/apparmor-modules-2.0_2.6.17.9_symbol_export.patch 2976
|
||||
RMD160 b9232cb4b78bfccd7154f27af554aedc0a01b53f files/apparmor-modules-2.0_2.6.17.9_symbol_export.patch 2976
|
||||
SHA256 f364111249e598379886880d427435474609898dd77df8770112b3594305bd80 files/apparmor-modules-2.0_2.6.17.9_symbol_export.patch 2976
|
||||
DIST apparmor-external-module.tar.gz 112408 RMD160 b333459588b0ccaaf36c6247555ff560daa3f95c SHA1 fbef407f3611c8c38ca66ce977fc5271e4140eec SHA256 70d66089a46f87f7fbaf504a3e40e4511e21c4a03345f0142315743bb9278d2f
|
||||
EBUILD apparmor-modules-2.0_p20061013.ebuild 2247 RMD160 2d24031783f504a6b14c851ad6b17c71321734c6 SHA1 654ad904b3fc212aac414ac1f5d5232481521dbd SHA256 6bb6ab77b7031d06f15ca6e7d184106bdac67cb5fb1140a4fb5e7c49c4ae878e
|
||||
MD5 28986c695d0e89060b84df4f2ba26ef0 apparmor-modules-2.0_p20061013.ebuild 2247
|
||||
RMD160 2d24031783f504a6b14c851ad6b17c71321734c6 apparmor-modules-2.0_p20061013.ebuild 2247
|
||||
SHA256 6bb6ab77b7031d06f15ca6e7d184106bdac67cb5fb1140a4fb5e7c49c4ae878e apparmor-modules-2.0_p20061013.ebuild 2247
|
||||
MISC metadata.xml 380 RMD160 95812084d1fe1893b607bec7b448d2bd7920600a SHA1 766cf3cabd61149d9041b84aee4953f4f4e89b86 SHA256 5decb87b114447cecedd46af9b0ee264093dd4b0b1550aa6414c2fdf44ef26ee
|
||||
MD5 cf1a96cd124b5fc5b8646794bbc6b3cc metadata.xml 380
|
||||
RMD160 95812084d1fe1893b607bec7b448d2bd7920600a metadata.xml 380
|
||||
SHA256 5decb87b114447cecedd46af9b0ee264093dd4b0b1550aa6414c2fdf44ef26ee metadata.xml 380
|
||||
MD5 ada15501d8ce59813443b9fb8b7359ef files/digest-apparmor-modules-2.0_p20061013 274
|
||||
RMD160 76b75c7fd71ca82c198ecb095af6723f6314188e files/digest-apparmor-modules-2.0_p20061013 274
|
||||
SHA256 f382eb61c05a9f0e47d7b5e336bb296846875f76e2fe59261eaab4cf9d42d93c files/digest-apparmor-modules-2.0_p20061013 274
|
@ -1,85 +0,0 @@
|
||||
# Copyright 1999-2006 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Header: $
|
||||
|
||||
inherit linux-mod
|
||||
|
||||
MY_S="${WORKDIR}/apparmor_modules/module"
|
||||
MONTH="October"
|
||||
|
||||
DESCRIPTION="Kernel modules for AppArmor"
|
||||
HOMEPAGE="ihttp://forge.novell.com/modules/xfmod/project/?apparmor"
|
||||
SRC_URI="http://forgeftp.novell.com/apparmor/Development%20-%20${MONTH}%20Snapshot/apparmor-external-module.tar.gz"
|
||||
|
||||
LICENSE="LGPL-2.1"
|
||||
SLOT="0"
|
||||
KEYWORDS="~x86 ~amd64"
|
||||
IUSE=""
|
||||
|
||||
DEPEND="virtual/libc"
|
||||
RDEPEND="${DEPEND}
|
||||
sys-apps/apparmor-parser"
|
||||
|
||||
pkg_setup() {
|
||||
linux-info_pkg_setup
|
||||
|
||||
if kernel_is lt 2 6 16 ; then
|
||||
eerror "You must have at least a 2.6.16 kernel to use this package."
|
||||
die "Insufficent kernel version"
|
||||
fi
|
||||
|
||||
#if kernel_is eq 2 6 18 ; then
|
||||
# eerror "Support for 2.6.18 and forward kernels is not yet availible"
|
||||
# die "Unsupported kernel version"
|
||||
#fi
|
||||
|
||||
if linux_chkconfig_present CONFIG_SECURITY ; then
|
||||
eerror "CONFIG_SECURITY must be enabled in your kernel to build ${PN}"
|
||||
die "Bad kernel config"
|
||||
fi
|
||||
|
||||
if (grep 'namespace_sem' ${KV_DIR}/include/linux/namespace.h >/dev/null 2>&1 && grep 'AUDIT_SD' ${KV_DIR}/include/linux/audit.h >/dev/null 2>&1 )
|
||||
then
|
||||
einfo "Required Symbol patch seems to have been applied; continuing."
|
||||
else
|
||||
eerror "Required symbols do not appear to be exported."
|
||||
ewarn
|
||||
ewarn "AppArmor modules requires a patch be applied against the"
|
||||
ewarn "kernel source to export several symbols."
|
||||
ewarn
|
||||
ewarn "Current patches can currently be found in: "
|
||||
ewarn " ${FILESDIR}"
|
||||
ewarn "where the clostest matching KERNEL_VER patch:"
|
||||
ewarn " ${P/_p*/}_[KERNEL_VER]_symbol_export.patch"
|
||||
ewarn "should apply cleanly."
|
||||
ewarn
|
||||
ewarn "After applying this patch and re-compiling,"
|
||||
ewarn "re-emerge this package"
|
||||
ewarn
|
||||
die "Missing apparmor symbol export patch"
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
src_unpack() {
|
||||
unpack ${A}
|
||||
cd "${MY_S}"
|
||||
|
||||
sed -i 's/^all:/modules:/g' Makefile
|
||||
sed -i 's/mv/#mv/g' Makefile
|
||||
}
|
||||
|
||||
src_compile() {
|
||||
cd "${MY_S}"
|
||||
unset ARCH
|
||||
CONFIG_SECURITY_APPARMOR=m make
|
||||
}
|
||||
|
||||
src_install() {
|
||||
cd "${MY_S}"
|
||||
|
||||
insinto /lib/modules/${KV_FULL}/kernel/security/apparmor
|
||||
doins apparmor.ko
|
||||
insinto /lib/modules/${KV_FULL}/kernel/security/apparmor/aamatch
|
||||
doins aamatch/aamatch_pcre.ko
|
||||
}
|
@ -1,83 +0,0 @@
|
||||
From: tonyj@suse.de
|
||||
Subject: Export namespace semaphore
|
||||
Patch-mainline: no
|
||||
|
||||
Export global namespace_sem (this used to be a per namespace semaphore).
|
||||
Alas, this isn't going to win _any_ points for style.
|
||||
Patch is not in mainline -- pending AppArmor code submission to lkml
|
||||
|
||||
---
|
||||
--- linux-2.6.17.9.orig/fs/namespace.c
|
||||
+++ linux-2.6.17.9/fs/namespace.c
|
||||
@@ -46,7 +46,8 @@ static int event;
|
||||
static struct list_head *mount_hashtable __read_mostly;
|
||||
static int hash_mask __read_mostly, hash_bits __read_mostly;
|
||||
static kmem_cache_t *mnt_cache __read_mostly;
|
||||
-static struct rw_semaphore namespace_sem;
|
||||
+struct rw_semaphore namespace_sem;
|
||||
+EXPORT_SYMBOL_GPL(namespace_sem);
|
||||
|
||||
/* /sys/fs */
|
||||
decl_subsys(fs, NULL, NULL);
|
||||
--- linux-2.6.17.9.orig/include/linux/namespace.h
|
||||
+++ linux-2.6.17.9/include/linux/namespace.h
|
||||
@@ -5,6 +5,9 @@
|
||||
#include <linux/mount.h>
|
||||
#include <linux/sched.h>
|
||||
|
||||
+/* exported for AppArmor (SubDomain) */
|
||||
+extern struct rw_semaphore namespace_sem;
|
||||
+
|
||||
struct namespace {
|
||||
atomic_t count;
|
||||
struct vfsmount * root;
|
||||
|
||||
|
||||
From: tonyj@suse.de
|
||||
Subject: Export audit subsystem for use by modules
|
||||
Patch-mainline: no
|
||||
|
||||
Adds necessary export symbols for audit subsystem routines.
|
||||
Changes audit_log_vformat to be externally visible (analagous to vprintf)
|
||||
Patch is not in mainline -- pending AppArmor code submission to lkml
|
||||
|
||||
--- linux-2.6.17.9.orig/include/linux/audit.h
|
||||
+++ linux-2.6.17.9/include/linux/audit.h
|
||||
@@ -96,6 +96,8 @@
|
||||
#define AUDIT_LAST_KERN_ANOM_MSG 1799
|
||||
#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
|
||||
|
||||
+#define AUDIT_SD 1500 /* AppArmor (SubDomain) audit */
|
||||
+
|
||||
#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
|
||||
|
||||
/* Rule flags */
|
||||
@@ -357,6 +359,9 @@ extern void audit_log(struct audit_
|
||||
__attribute__((format(printf,4,5)));
|
||||
|
||||
extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
|
||||
+extern void audit_log_vformat(struct audit_buffer *ab,
|
||||
+ const char *fmt, va_list args)
|
||||
+ __attribute__((format(printf,2,0)));
|
||||
extern void audit_log_format(struct audit_buffer *ab,
|
||||
const char *fmt, ...)
|
||||
__attribute__((format(printf,2,3)));
|
||||
--- linux-2.6.17.9.orig/kernel/audit.c
|
||||
+++ linux-2.6.17.9/kernel/audit.c
|
||||
@@ -893,8 +893,7 @@ static inline int audit_expand(struct au
|
||||
* will be called a second time. Currently, we assume that a printk
|
||||
* can't format message larger than 1024 bytes, so we don't either.
|
||||
*/
|
||||
-static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
|
||||
- va_list args)
|
||||
+void audit_log_vformat(struct audit_buffer *ab, const char *fmt, va_list args)
|
||||
{
|
||||
int len, avail;
|
||||
struct sk_buff *skb;
|
||||
@@ -1096,3 +1095,6 @@ EXPORT_SYMBOL(audit_log_start);
|
||||
EXPORT_SYMBOL(audit_log_end);
|
||||
EXPORT_SYMBOL(audit_log_format);
|
||||
EXPORT_SYMBOL(audit_log);
|
||||
+EXPORT_SYMBOL_GPL(audit_log_vformat);
|
||||
+EXPORT_SYMBOL_GPL(audit_log_untrustedstring);
|
||||
+EXPORT_SYMBOL_GPL(audit_log_d_path);
|
@ -1,3 +0,0 @@
|
||||
MD5 919d64ba6c357a24a3c8e78ea0f94058 apparmor-external-module.tar.gz 112408
|
||||
RMD160 b333459588b0ccaaf36c6247555ff560daa3f95c apparmor-external-module.tar.gz 112408
|
||||
SHA256 70d66089a46f87f7fbaf504a3e40e4511e21c4a03345f0142315743bb9278d2f apparmor-external-module.tar.gz 112408
|
@ -1,11 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
|
||||
<pkgmetadata>
|
||||
<herd>apparmor-modules</herd>
|
||||
<maintainer>
|
||||
<email>zepher@sigalrm.com</email>
|
||||
<name>Matthew Snelham</name>
|
||||
<description>Primary Maintainer</description>
|
||||
</maintainer>
|
||||
<longdescription lang="en">Apparmor kernel modules</longdescription>
|
||||
</pkgmetadata>
|
@ -1,28 +0,0 @@
|
||||
AUX aaeventd 824 RMD160 032cce20f81b7b0e1f6f38cb6e1c392d70407ad5 SHA1 8adaa5e21867cab21c5fa907c974fb94cb280f70 SHA256 dbaa7fd1197388146c7a1a9b59553815fdcd0498510f7b7bf752af88f8eb1780
|
||||
MD5 379ee71ea946bd90c98e94e362bf9f2c files/aaeventd 824
|
||||
RMD160 032cce20f81b7b0e1f6f38cb6e1c392d70407ad5 files/aaeventd 824
|
||||
SHA256 dbaa7fd1197388146c7a1a9b59553815fdcd0498510f7b7bf752af88f8eb1780 files/aaeventd 824
|
||||
AUX apparmor 1090 RMD160 8d9781974318232731ef26881d7d57fc5991044c SHA1 2acee7585d1329bcb92cb8902ec36e1d0b94f5d6 SHA256 5c7b251473e7bf6a876e0d59d89cff3707bf5a6fcda0d9e95d50a463c8eddc8f
|
||||
MD5 7771cab70810b82185f0ed211f131018 files/apparmor 1090
|
||||
RMD160 8d9781974318232731ef26881d7d57fc5991044c files/apparmor 1090
|
||||
SHA256 5c7b251473e7bf6a876e0d59d89cff3707bf5a6fcda0d9e95d50a463c8eddc8f files/apparmor 1090
|
||||
AUX rc.apparmor.functions 11898 RMD160 12453790ffd14deed48b062f27d12bf2b2910ee4 SHA1 ec936b69474750dfd0205f451472e7d81b66f41a SHA256 d9cdb82c10bb5aa40c39d0f93c418a11020abc2d6df7154a831a71c816345618
|
||||
MD5 2adf748409596598872530ec06ef8717 files/rc.apparmor.functions 11898
|
||||
RMD160 12453790ffd14deed48b062f27d12bf2b2910ee4 files/rc.apparmor.functions 11898
|
||||
SHA256 d9cdb82c10bb5aa40c39d0f93c418a11020abc2d6df7154a831a71c816345618 files/rc.apparmor.functions 11898
|
||||
AUX rc.helper.functions 690 RMD160 d0b3b06a45645be5bc9d30b8ef19d518ac59940a SHA1 a58ba3ca5d59e099a3570ee21a62f5b4a6eb25fa SHA256 d065ac76a66d856716d77dd06b64478ed90c3b487d414cf8e33fc46ea77a723d
|
||||
MD5 5d9c000b99bd66788b988cb6d14b9b3d files/rc.helper.functions 690
|
||||
RMD160 d0b3b06a45645be5bc9d30b8ef19d518ac59940a files/rc.helper.functions 690
|
||||
SHA256 d065ac76a66d856716d77dd06b64478ed90c3b487d414cf8e33fc46ea77a723d files/rc.helper.functions 690
|
||||
DIST apparmor-parser-2.0-150.tar.gz 189171 RMD160 cf3299716fdf042cf326cf884d93fdcb5089dba6 SHA1 099ae08655ee2fc1d206166a7a4f8622637c02fc SHA256 678027c88cf69b42f8c7a36adfbe917489eb80800bc9eefe3b3f043bf01e6ee6
|
||||
EBUILD apparmor-parser-2.0_p150.ebuild 1534 RMD160 652650ef546dc3c89047c57ad786d26b7dc01a9e SHA1 88f2bc8bc7edf9e78191de27da30d657d1de8f58 SHA256 57b280dbe289c33afc5bee01eccaf6656db9a3d6836b2c1a00d5a307207e19cf
|
||||
MD5 cca56bab055f29313b607265af189cb4 apparmor-parser-2.0_p150.ebuild 1534
|
||||
RMD160 652650ef546dc3c89047c57ad786d26b7dc01a9e apparmor-parser-2.0_p150.ebuild 1534
|
||||
SHA256 57b280dbe289c33afc5bee01eccaf6656db9a3d6836b2c1a00d5a307207e19cf apparmor-parser-2.0_p150.ebuild 1534
|
||||
MISC metadata.xml 436 RMD160 e15033b9b3e6c069ebf4fc0e0470c5792e33030a SHA1 a441df5f7fca5964bd09ff8f81af063aada1d157 SHA256 5781a6c617edd46a5bb4976d24b07d8df048a7e03b2cf36ea9edcee4fc9e3cfc
|
||||
MD5 832848da3df614d8f1bcb956856bb75e metadata.xml 436
|
||||
RMD160 e15033b9b3e6c069ebf4fc0e0470c5792e33030a metadata.xml 436
|
||||
SHA256 5781a6c617edd46a5bb4976d24b07d8df048a7e03b2cf36ea9edcee4fc9e3cfc metadata.xml 436
|
||||
MD5 f8b11c14f5b9a1945c17a5f94b338d2b files/digest-apparmor-parser-2.0_p150 271
|
||||
RMD160 a70e60c1977d77b9b90bca4617758a60e1449115 files/digest-apparmor-parser-2.0_p150 271
|
||||
SHA256 0d5798506f6e78b3f6f8bff3f1d8d98d43d040576e2edbe3c893ac8fa164847a files/digest-apparmor-parser-2.0_p150 271
|
@ -1,62 +0,0 @@
|
||||
# Copyright 1999-2006 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Header: $
|
||||
|
||||
inherit eutils perl-module toolchain-funcs
|
||||
|
||||
MY_PV="${PV/_p/-}"
|
||||
MY_P="${PN}-${MY_PV}"
|
||||
MY_S="${WORKDIR}/${PN}-${PV/_p*/}"
|
||||
MONTH="October"
|
||||
|
||||
DESCRIPTION="The userspace tools and init scripts to load security profiles into the apparmor kernel security module."
|
||||
HOMEPAGE="http://forge.novell.com/modules/xfmod/project/?apparmor"
|
||||
SRC_URI="http://forgeftp.novell.com/apparmor/Development%20-%20${MONTH}%20Snapshot/${MY_P}.tar.gz"
|
||||
|
||||
|
||||
LICENSE="GPL-2"
|
||||
SLOT="0"
|
||||
KEYWORDS="~x86 ~amd64"
|
||||
IUSE=""
|
||||
|
||||
DEPEND="sys-libs/libapparmor
|
||||
sys-libs/libcap
|
||||
dev-libs/libpcre
|
||||
sys-devel/bison
|
||||
sys-devel/flex"
|
||||
|
||||
RDEPEND="(sys-kernel/apparmor-sources || sys-apps/apparmor-modules)"
|
||||
|
||||
src_unpack() {
|
||||
unpack ${A}
|
||||
|
||||
## apparmor-parser
|
||||
cd ${MY_S}
|
||||
# the Make.rules isn't needed for Gentoo
|
||||
sed -i "s/^include Make.rules//g" Makefile
|
||||
# Un-needed historical artifact, AND ugly non-LSB path
|
||||
# This is mounted at /sys/kernel/security/subdomain, not /subdomain
|
||||
sed -i 's/^.*\/subdomain//g' Makefile
|
||||
}
|
||||
|
||||
src_compile() {
|
||||
cd ${MY_S}
|
||||
emake CC="$(tc-getCC)" CFLAGS="${CFLAGS}" || die
|
||||
}
|
||||
|
||||
src_install() {
|
||||
|
||||
## apparmor-parser
|
||||
cd ${MY_S}
|
||||
make DESTDIR=${D} install || die
|
||||
|
||||
## Init script and addtional files
|
||||
doinitd ${FILESDIR}/apparmor
|
||||
doinitd ${FILESDIR}/aaeventd
|
||||
insopts -m0644
|
||||
insinto /lib/apparmor
|
||||
doins ${FILESDIR}/rc.helper.functions
|
||||
doins ${FILESDIR}/rc.apparmor.functions
|
||||
|
||||
dodir /etc/apparmor.d/abstractions
|
||||
}
|
@ -1,40 +0,0 @@
|
||||
#!/sbin/runscript
|
||||
# Copyright 1999-2006 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Header: $
|
||||
|
||||
APPARMOR_FUNCTIONS=/lib/apparmor/rc.apparmor.functions
|
||||
APPARMOR_HELPERS=/lib/apparmor/rc.helper.functions
|
||||
if [ -f "${APPARMOR_HELPERS}" -a -f "${APPARMOR_FUNCTIONS}" ]; then
|
||||
source ${APPARMOR_HELPERS}
|
||||
source ${APPARMOR_FUNCTIONS}
|
||||
else
|
||||
eend 1 "Unable to find AppArmor initscript functions"
|
||||
fi
|
||||
|
||||
depend() {
|
||||
need apparmor
|
||||
use logger dns
|
||||
}
|
||||
|
||||
start() {
|
||||
ebegin "Starting aaeventd (AppArmor Event Daemon)"
|
||||
|
||||
if [ "${APPARMOR_ENABLE_AAEVENTD}" = "no" ]; then
|
||||
eend 1 " aaeventd disabled in ${APPARMOR_CONF}."
|
||||
fi
|
||||
|
||||
start_sd_event
|
||||
eend $waserror
|
||||
}
|
||||
|
||||
stop() {
|
||||
ebegin "Stopping aaeventd (AppArmor Event Daemon)"
|
||||
stop_sd_event
|
||||
eend $waserror
|
||||
}
|
||||
|
||||
restart() {
|
||||
srv_stop
|
||||
srv_start
|
||||
}
|
@ -1,55 +0,0 @@
|
||||
#!/sbin/runscript
|
||||
# Copyright 1999-2006 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Header: $
|
||||
#
|
||||
# rc.apparmor.gentoo: contribuited by Matthew Snelham
|
||||
# /etc/init.d/apparmor
|
||||
|
||||
APPARMOR_FUNCTIONS=/lib/apparmor/rc.apparmor.functions
|
||||
APPARMOR_HELPERS=/lib/apparmor/rc.helper.functions
|
||||
if [ -f "${APPARMOR_HELPERS}" -a -f "${APPARMOR_FUNCTIONS}" ]; then
|
||||
source ${APPARMOR_HELPERS}
|
||||
source ${APPARMOR_FUNCTIONS}
|
||||
else
|
||||
eend 1 "Unable to find AppArmor initscript functions"
|
||||
fi
|
||||
|
||||
opts="${opts} reload status"
|
||||
|
||||
depend() {
|
||||
need localmount
|
||||
## AppArmor needs to be loaded before any other
|
||||
## (potentially protected) user-space services come up.
|
||||
#before *
|
||||
}
|
||||
|
||||
start() {
|
||||
ebegin "Starting AppArmor"
|
||||
subdomain_start
|
||||
einfo "...AppArmor Start"
|
||||
eend $waserror
|
||||
}
|
||||
|
||||
stop() {
|
||||
ebegin "Stopping AppArmor"
|
||||
subdomain_stop
|
||||
einfo "...AppArmor Stop"
|
||||
eend $waserror
|
||||
}
|
||||
|
||||
restart() {
|
||||
svc_stop; svc_start
|
||||
}
|
||||
|
||||
reload() {
|
||||
ebegin "Restarting AppArmor"
|
||||
subdomain_restart
|
||||
eend $?
|
||||
}
|
||||
|
||||
status() {
|
||||
ebegin "Checking AppArmor Status"
|
||||
subdomain_status
|
||||
eend $?
|
||||
}
|
@ -1,3 +0,0 @@
|
||||
MD5 cbb25435e4353b10b5fdd96f80c854b9 apparmor-parser-2.0-150.tar.gz 189171
|
||||
RMD160 cf3299716fdf042cf326cf884d93fdcb5089dba6 apparmor-parser-2.0-150.tar.gz 189171
|
||||
SHA256 678027c88cf69b42f8c7a36adfbe917489eb80800bc9eefe3b3f043bf01e6ee6 apparmor-parser-2.0-150.tar.gz 189171
|
@ -1,443 +0,0 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# ----------------------------------------------------------------------
|
||||
# Copyright (c) 1999, 2000, 20001, 2004, 2005, NOVELL (All rights reserved)
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, contact Novell, Inc.
|
||||
# ----------------------------------------------------------------------
|
||||
# rc.subdomain.functions by Steve Beattie
|
||||
# Modified for Gentoo Linux, by Matthew Snelham
|
||||
#
|
||||
# Modifications Copyright 1999-2006 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Header: $
|
||||
|
||||
|
||||
# NOTE: rc.subdomain initscripts that source this file need to implement
|
||||
# the following set of functions:
|
||||
# sd_action
|
||||
# sd_log_info_msg
|
||||
# sd_log_success_msg
|
||||
# sd_log_warning_msg
|
||||
# sd_log_failure_msg
|
||||
|
||||
|
||||
CONFIG_DIR=/etc/apparmor
|
||||
MODULE=apparmor
|
||||
OLD_MODULE=subdomain
|
||||
if [ -f "${CONFIG_DIR}/${MODULE}.conf" ] ; then
|
||||
APPARMOR_CONF="${CONFIG_DIR}/${MODULE}.conf"
|
||||
elif [ -f "${CONFIG_DIR}/${OLD_MODULE}.conf" ] ; then
|
||||
APPARMOR_CONF="${CONFIG_DIR}/${OLD_MODULE}.conf"
|
||||
else
|
||||
sd_log_warning_msg "Unable to find config file in ${CONFIG_DIR}, installation problem?"
|
||||
fi
|
||||
|
||||
# Read configuration options from ${APPARMOR_CONF}, default is to
|
||||
# warn if subdomain won't load.
|
||||
APPARMOR_MODULE_PANIC="warn"
|
||||
SUBDOMAIN_ENABLE_OWLSM="no"
|
||||
APPARMOR_ENABLE_AAEVENTD="no"
|
||||
|
||||
if [ -f "${APPARMOR_CONF}" ] ; then
|
||||
source "${APPARMOR_CONF}"
|
||||
fi
|
||||
|
||||
if [ -f /sbin/apparmor_parser ] ; then
|
||||
PARSER=/sbin/apparmor_parser
|
||||
else
|
||||
sd_log_failure_msg "Unable to find apparmor_parser, installation problem?"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# APPARMOR_DIR might be redefined in ${APPARMOR_CONF}
|
||||
if [ -d "${APPAMROR_DIR}" ] ; then
|
||||
PROFILE_DIR=${APPARMOR_DIR}
|
||||
elif [ -d /etc/apparmor.d ] ; then
|
||||
PROFILE_DIR=/etc/apparmor.d
|
||||
fi
|
||||
ABSTRACTIONS="-I${PROFILE_DIR}"
|
||||
AA_EV_BIN=/usr/sbin/aa-eventd
|
||||
AA_EV_PIDFILE=/var/run/aa-eventd.pid
|
||||
AA_STATUS=/usr/sbin/apparmor_status
|
||||
SD_EV_BIN=/usr/sbin/sd-event-dispatch.pl
|
||||
SD_EV_PIDFILE=/var/run/sd-event-dispatch.init.pid
|
||||
SD_STATUS=/usr/sbin/subdomain_status
|
||||
if grep -q securityfs /proc/filesystems ; then
|
||||
SECURITYFS=/sys/kernel/security
|
||||
fi
|
||||
|
||||
SUBDOMAINFS_MOUNTPOINT=$(grep subdomainfs /etc/fstab | \
|
||||
sed -e 's|^[[:space:]]*[^[:space:]]\+[[:space:]]\+\(/[^[:space:]]*\)[[:space:]]\+subdomainfs.*$|\1|' 2> /dev/null)
|
||||
|
||||
if [ -d "/var/lib/${MODULE}" ] ; then
|
||||
APPARMOR_TMPDIR="/var/lib/${MODULE}"
|
||||
else
|
||||
APPARMOR_TMPDIR="/tmp"
|
||||
fi
|
||||
|
||||
|
||||
function parse_profiles() {
|
||||
# get parser arg
|
||||
case "$1" in
|
||||
load)
|
||||
PARSER_ARGS="--add"
|
||||
PARSER_MSG="Loading AppArmor profiles "
|
||||
;;
|
||||
reload)
|
||||
PARSER_ARGS="--replace"
|
||||
PARSER_MSG="Reloading AppArmor profiles "
|
||||
;;
|
||||
*)
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
sd_log_info_msg "$PARSER_MSG"
|
||||
|
||||
# run the parser on all of the apparmor profiles
|
||||
if [ ! -f "$PARSER" ]; then
|
||||
sd_log_failure_msg "$PARSER_MSG - AppArmor parser not found"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -d "$PROFILE_DIR" ]; then
|
||||
sd_log_failure_msg "$PARSER_MSG - Profile directory not found"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "X" == "X$(ls $PROFILE_DIR/)" ]; then
|
||||
sd_log_warning_msg "$PARSER_MSG - No profiles found"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
for profile in $PROFILE_DIR/*; do
|
||||
if [ "${profile%.rpmnew}" != "${profile}" -o \
|
||||
"${profile%.rpmsave}" != "${profile}" -o \
|
||||
"${profile%\~}" != "${profile}" ]
|
||||
then
|
||||
sd_log_warning_msg "Skipping profile $profile"
|
||||
elif [ -f "${profile}" ] ; then
|
||||
sd_action " Adding profile: `basename ${profile}`" $PARSER $ABSTRACTIONS $PARSER_ARGS ${profile}
|
||||
if [ $? -ne 0 ]; then
|
||||
waserror=1
|
||||
fi
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
function profiles_names_list() {
|
||||
# run the parser on all of the apparmor profiles
|
||||
TMPFILE=$1
|
||||
if [ ! -f "$PARSER" ]; then
|
||||
sd_log_failure_msg "AppArmor parser ($PARSER) not found"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -d "$PROFILE_DIR" ]; then
|
||||
sd_log_failure_msg "Profile directory ($PROFILE_DIR) not found"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
for profile in $PROFILE_DIR/*; do
|
||||
if [ "${profile%.rpmnew}" != "${profile}" -o \
|
||||
"${profile%.rpmsave}" != "${profile}" -o \
|
||||
"${profile%\~}" != "${profile}" ]
|
||||
then
|
||||
echo "nop" >/dev/null
|
||||
elif [ -f "${profile}" ] ; then
|
||||
LIST_ADD=$($PARSER $ABSTRACTIONS -N "$profile" | grep -v '\^')
|
||||
if [ $? -eq 0 ]; then
|
||||
echo "$LIST_ADD" >>$TMPFILE
|
||||
fi
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
function is_securityfs_mounted() {
|
||||
if grep -q securityfs /proc/filesystems && grep -q securityfs /proc/mounts ; then
|
||||
if [ -f "${SECURITYFS}/${MODULE}/profiles" ]; then
|
||||
SFS_MOUNTPOINT="${SECURITYFS}/${MODULE}"
|
||||
return 0
|
||||
fi
|
||||
fi
|
||||
return 1
|
||||
}
|
||||
|
||||
function mount_securityfs() {
|
||||
if [ "X" != "X${SECURITYFS}" ]; then
|
||||
if ! grep -q securityfs /proc/mounts ; then
|
||||
sd_action "Mounting securityfs on ${SECURITYFS}" \
|
||||
mount -t securityfs securityfs "${SECURITYFS}"
|
||||
rc=$?
|
||||
if [ -f "${SECURITYFS}/${MODULE}/profiles" ]; then
|
||||
SFS_MOUNTPOINT="${SECURITYFS}/${MODULE}"
|
||||
else
|
||||
SFS_MOUNTPOINT="${SECURITYFS}/${MODULE}"
|
||||
fi
|
||||
return $rc
|
||||
fi
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
function unmount_securityfs() {
|
||||
SUBDOMAINFS=$(grep subdomainfs /proc/mounts | cut -d" " -f2 2> /dev/null)
|
||||
if [ "X" != "X${SUBDOMAINFS}" ]; then
|
||||
sd_action "Unmounting securityfs" umount ${SUBDOMAINFS}
|
||||
fi
|
||||
}
|
||||
|
||||
function failstop_system() {
|
||||
level=$(runlevel | cut -d" " -f2)
|
||||
if [ $level -ne "1" ] ; then
|
||||
sd_log_failure_msg "Could not start AppArmor. Changing to runlevel 1"
|
||||
telinit 1;
|
||||
return -1;
|
||||
fi
|
||||
sd_log_failure_msg "Could not start AppArmor."
|
||||
return -1
|
||||
}
|
||||
|
||||
function module_panic() {
|
||||
# the module failed to load, determine what action should be taken
|
||||
|
||||
case "$APPARMOR_MODULE_PANIC" in
|
||||
"warn"|"WARN") sd_log_failure_msg "Could not start AppArmor"
|
||||
return -1 ;;
|
||||
"panic"|"PANIC") failstop_system
|
||||
rc=$?
|
||||
return $rc ;;
|
||||
*) sd_log_failure_msg "Invalid AppArmor module fail option"
|
||||
return -1 ;;
|
||||
esac
|
||||
}
|
||||
|
||||
function load_module() {
|
||||
if modinfo -F filename apparmor > /dev/null 2>&1 ; then
|
||||
MODULE=apparmor
|
||||
elif modinfo -F filename subdomain > /dev/null 2>&1 ; then
|
||||
MODULE=subdomain
|
||||
fi
|
||||
if ! grep -qE "^(subdomain|apparmor)[[:space:]]" /proc/modules ; then
|
||||
sd_action "Loading AppArmor module" /sbin/modprobe $MODULE $1
|
||||
rc=$?
|
||||
if [ $rc -ne 0 ] ; then
|
||||
# we couldn't find the module
|
||||
module_panic
|
||||
rc=$?
|
||||
if [ $rc -ne 0 ] ; then
|
||||
exit $rc
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
function start_sd_event() {
|
||||
if [ -x "$AA_EV_BIN" -a "${APPARMOR_ENABLE_AAEVENTD}" = "yes" ] ; then
|
||||
sd_action "Starting AppArmor Event daemon" startproc -f -p $AA_EV_PIDFILE $AA_EV_BIN -p $AA_EV_PIDFILE
|
||||
elif [ -x "$SD_EV_BIN" -a "${APPARMOR_ENABLE_AAEVENTD}" = "yes" ] ; then
|
||||
sd_action "Starting AppArmor Event daemon" startproc -f -p $SD_EV_PIDFILE $SD_EV_BIN -p $SD_EV_PIDFILE
|
||||
fi
|
||||
}
|
||||
|
||||
function stop_sd_event() {
|
||||
if [ -x "$AA_EV_BIN" -a -f "$AA_EV_PIDFILE" ] ; then
|
||||
sd_action "Shutting down AppArmor Event daemon" killproc -G -p $AA_EV_PIDFILE -INT $AA_EV_BIN
|
||||
fi
|
||||
if [ -f "$SD_EV_PIDFILE" ] ; then
|
||||
sd_action "Shutting down AppArmor Event daemon" killproc -G -p $SD_EV_PIDFILE -INT $SD_EV_BIN
|
||||
fi
|
||||
}
|
||||
|
||||
function subdomain_start() {
|
||||
if ! grep -qE "^(subdomain|apparmor)[[:space:]]" /proc/modules ; then
|
||||
load_module
|
||||
rc=$?
|
||||
if [ $rc -ne 0 ] ; then
|
||||
return $rc
|
||||
fi
|
||||
fi
|
||||
|
||||
if ! is_securityfs_mounted ; then
|
||||
mount_securityfs
|
||||
rc=$?
|
||||
if [ $rc -ne 0 ] ; then
|
||||
return $rc
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ ! -w "$SFS_MOUNTPOINT/.load" ] ; then
|
||||
sd_log_failure_msg "Loading AppArmor profiles - failed, Do you have the correct privileges?"
|
||||
return 1
|
||||
fi
|
||||
|
||||
configure_owlsm
|
||||
|
||||
if [ $(wc -l "$SFS_MOUNTPOINT/profiles" | awk '{print $1}') -eq 0 ] ; then
|
||||
parse_profiles load
|
||||
else
|
||||
sd_log_warning_msg "Loading AppArmor profiles - AppArmor already loaded with profiles."
|
||||
fi
|
||||
}
|
||||
|
||||
function remove_profiles() {
|
||||
# removing profiles as we directly read from subdomainfs
|
||||
# doesn't work, since we are removing entries which screws up
|
||||
# our position. Lets hope there are never enough profiles to
|
||||
# overflow the variable
|
||||
if ! is_securityfs_mounted ; then
|
||||
sd_log_failure_msg "failed: is securityfs loaded?"
|
||||
return 1
|
||||
fi
|
||||
|
||||
if [ ! -w "$SFS_MOUNTPOINT/.remove" ] ; then
|
||||
sd_log_failure_msg "failed: Do you have the correct privileges?"
|
||||
return 1
|
||||
fi
|
||||
|
||||
if [ ! -x "${PARSER}" ] ; then
|
||||
sd_log_failure_msg "failed: unable to execute subdomain parser"
|
||||
return 1
|
||||
fi
|
||||
|
||||
retval=0
|
||||
IFS=$'\n'
|
||||
enforced_profiles=$(sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles")
|
||||
for profile in $enforced_profiles ; do
|
||||
sd_action " Removing profile: ${profile}" sh -c "echo \"$profile { }\" | $PARSER -R"
|
||||
rc=$?
|
||||
if [ ${rc} -ne 0 ] ; then
|
||||
retval=${rc}
|
||||
fi
|
||||
done
|
||||
if [ ${retval} -ne 0 ] ; then
|
||||
waserror=1
|
||||
fi
|
||||
}
|
||||
|
||||
function subdomain_stop() {
|
||||
stop_sd_event
|
||||
sd_log_info_msg "Unloading AppArmor profiles"
|
||||
remove_profiles
|
||||
}
|
||||
|
||||
function subdomain_kill() {
|
||||
stop_sd_event
|
||||
unmount_securityfs
|
||||
if grep -qE "^apparmor[[:space:]]" /proc/modules ; then
|
||||
MODULE=apparmor
|
||||
elif grep -qE "^subdomain[[:space:]]" /proc/modules ; then
|
||||
MODULE=subdomain
|
||||
else
|
||||
MODULE=apparmor
|
||||
fi
|
||||
sd_action "Unloading AppArmor modules" /sbin/modprobe -r $MODULE
|
||||
}
|
||||
|
||||
function __subdomain_restart() {
|
||||
if [ ! -w "$SFS_MOUNTPOINT/.load" ] ; then
|
||||
sd_log_failure_msg "Loading AppArmor profiles - failed, Do you have the correct privileges?"
|
||||
return 4
|
||||
fi
|
||||
|
||||
configure_owlsm
|
||||
parse_profiles reload
|
||||
PNAMES_LIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
|
||||
profiles_names_list ${PNAMES_LIST}
|
||||
MODULE_PLIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
|
||||
sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | sort >"$MODULE_PLIST"
|
||||
#profiles=$(cat $PNAMES_LIST | sort | comm -2 -3 "$MODULE_PLIST" -)
|
||||
#for profile in $profiles ; do
|
||||
IFS=$'\n' && for profile in $(cat $PNAMES_LIST | sort | comm -2 -3 "$MODULE_PLIST" -) ; do
|
||||
echo "\"$profile\" {}" | $PARSER -R >/dev/null
|
||||
done
|
||||
rm "$MODULE_PLIST"
|
||||
rm "$PNAMES_LIST"
|
||||
return 0
|
||||
}
|
||||
|
||||
function subdomain_restart() {
|
||||
if ! grep -qE "^(subdomain|apparmor)[[:space:]]" /proc/modules ; then
|
||||
subdomain_start
|
||||
rc=$?
|
||||
return $rc
|
||||
fi
|
||||
|
||||
if ! is_securityfs_mounted ; then
|
||||
mount_securityfs
|
||||
rc=$?
|
||||
if [ $rc -ne 0 ] ; then
|
||||
return $rc
|
||||
fi
|
||||
fi
|
||||
|
||||
__subdomain_restart
|
||||
rc=$?
|
||||
return $rc
|
||||
}
|
||||
|
||||
function subdomain_try_restart() {
|
||||
if ! grep -qE "^(subdomain|apparmor)[[:space:]]" /proc/modules ; then
|
||||
return 1
|
||||
fi
|
||||
|
||||
if ! is_securityfs_mounted ; then
|
||||
return 1
|
||||
fi
|
||||
|
||||
__subdomain_restart
|
||||
rc=$?
|
||||
return $rc
|
||||
}
|
||||
|
||||
function subdomain_debug() {
|
||||
subdomain_kill
|
||||
load_module "subdomain_debug=1"
|
||||
mount_securityfs
|
||||
configure_owlsm
|
||||
parse_profiles load
|
||||
}
|
||||
|
||||
function configure_owlsm () {
|
||||
if [ "${SUBDOMAIN_ENABLE_OWLSM}" = "yes" -a -f ${SFS_MOUNTPOINT}/control/owlsm ] ; then
|
||||
# Sigh, the "sh -c" is necessary for the SuSE sd_action
|
||||
# and it can't be abstracted out as a seperate function, as
|
||||
# that breaks under RedHat's action, which needs a
|
||||
# binary to invoke.
|
||||
sd_action "Enabling OWLSM extension" sh -c "echo -n \"1\" > \"${SFS_MOUNTPOINT}/control/owlsm\""
|
||||
elif [ -f "${SFS_MOUNTPOINT}/control/owlsm" ] ; then
|
||||
sd_action "Disabling OWLSM extension" sh -c "echo -n \"0\" > \"${SFS_MOUNTPOINT}/control/owlsm\""
|
||||
fi
|
||||
}
|
||||
|
||||
function subdomain_status () {
|
||||
if test -x ${AA_STATUS} ; then
|
||||
${AA_STATUS} --verbose
|
||||
return $?
|
||||
fi
|
||||
if test -x ${SD_STATUS} ; then
|
||||
${SD_STATUS} --verbose
|
||||
return $?
|
||||
fi
|
||||
if ! grep -qE "^(subdomain|apparmor)[[:space:]]" /proc/modules ; then
|
||||
sd_log_failure_msg "AppArmor not loaded."
|
||||
rc=1
|
||||
else
|
||||
sd_log_success_msg "AppArmor module enabled."
|
||||
rc=0
|
||||
fi
|
||||
sd_log_warning_msg "Install the apparmor-utils package to receive more detailed"
|
||||
sd_log_warning_msg "status information here (or examine ${SFS_MOUNTPOINT} directly)."
|
||||
|
||||
return $rc
|
||||
}
|
@ -1,47 +0,0 @@
|
||||
# Copyright 1999-2006 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Header: $
|
||||
|
||||
waserror=0
|
||||
|
||||
function sd_action() {
|
||||
MSG=$1
|
||||
shift
|
||||
#echo "ACTION: $*"
|
||||
$* > /dev/null
|
||||
rc=$?
|
||||
if [ $rc -ne 0 ] ; then
|
||||
sd_log_failure_msg $"$MSG"
|
||||
else
|
||||
sd_log_success_msg $"$MSG"
|
||||
fi
|
||||
return $rc
|
||||
}
|
||||
|
||||
function sd_log_info_msg() {
|
||||
einfo " $*"
|
||||
}
|
||||
|
||||
function sd_log_warning_msg() {
|
||||
ewarn " $*"
|
||||
}
|
||||
|
||||
function sd_log_success_msg() {
|
||||
einfo " $*"
|
||||
eend 0
|
||||
}
|
||||
|
||||
function sd_log_failure_msg() {
|
||||
waserror=1
|
||||
einfo " $*"
|
||||
eend 1
|
||||
}
|
||||
|
||||
function startproc() {
|
||||
/sbin/start-stop-daemon --start -p $3 --exec $4 -- -p $3
|
||||
}
|
||||
|
||||
function killproc() {
|
||||
/sbin/start-stop-daemon --stop -p $3
|
||||
}
|
||||
|
@ -1,11 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
|
||||
<pkgmetadata>
|
||||
<herd>apparmor</herd>
|
||||
<maintainer>
|
||||
<email>zepher@sigalrm.com</email>
|
||||
<name>Matthew Snelham</name>
|
||||
<description>Primary Maintainer</description>
|
||||
</maintainer>
|
||||
<longdescription lang="en">Core Apparmor package containing userspace policy parser, utilities, and documentation.</longdescription>
|
||||
</pkgmetadata>
|
@ -1,12 +0,0 @@
|
||||
DIST apparmor-utils-2.0-142.tar.gz 87393 RMD160 306371feded05fd6fc0daeb418aa85ed0a07f95b SHA1 7686dbc1e5a1df0f7fba9fff95d6d692372e3360 SHA256 27e1d9716bcfa82ebb12163e59734b1ce3a8598b9af3031b04498142e872c6b8
|
||||
EBUILD apparmor-utils-2.0_p142.ebuild 1179 RMD160 876ccf1fab163dcc310280f8d489efc9e7079a17 SHA1 795fa5c5558185638062cf011b26a78547e213a3 SHA256 9fd1410245fbca6c76de0f67f8a10e430e50d154d9facc82ceb840cd806bfd21
|
||||
MD5 a05a89d6ce564e3215e08ef3e7ecd20f apparmor-utils-2.0_p142.ebuild 1179
|
||||
RMD160 876ccf1fab163dcc310280f8d489efc9e7079a17 apparmor-utils-2.0_p142.ebuild 1179
|
||||
SHA256 9fd1410245fbca6c76de0f67f8a10e430e50d154d9facc82ceb840cd806bfd21 apparmor-utils-2.0_p142.ebuild 1179
|
||||
MISC metadata.xml 412 RMD160 7e37f8a3e1009597bbd430fd280b15009e3b01d8 SHA1 681094f0550454d2931d0e08f50ab9829b61c625 SHA256 658f844f1a47f69962d42d4fd00961327f7a42bdfee2737bfe22605c4a23d8ec
|
||||
MD5 f3a4b4e95726969c96d8930966395051 metadata.xml 412
|
||||
RMD160 7e37f8a3e1009597bbd430fd280b15009e3b01d8 metadata.xml 412
|
||||
SHA256 658f844f1a47f69962d42d4fd00961327f7a42bdfee2737bfe22605c4a23d8ec metadata.xml 412
|
||||
MD5 fa93f53f0da00233ecf5f96ca3205461 files/digest-apparmor-utils-2.0_p142 265
|
||||
RMD160 fb95c24dd19ede19556c35a65085736241a5a868 files/digest-apparmor-utils-2.0_p142 265
|
||||
SHA256 9e4f3666c0beaa61748c798a3937b529cc8110901f5405bdc498f4668c8d6eb9 files/digest-apparmor-utils-2.0_p142 265
|
@ -1,54 +0,0 @@
|
||||
# Copyright 1999-2006 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Header: $
|
||||
|
||||
inherit eutils perl-module toolchain-funcs
|
||||
|
||||
#MY_PN="apparmor-utils"
|
||||
MY_PV="${PV/_p/-}"
|
||||
MY_P="${PN}-${MY_PV}"
|
||||
MY_S="${WORKDIR}/${PN}-${PV/_p*/}"
|
||||
MONTH="October"
|
||||
|
||||
DESCRIPTION="AppArmor utilities for profile creation and management."
|
||||
HOMEPAGE="http://forge.novell.com/modules/xfmod/project/?apparmor"
|
||||
SRC_URI="http://forgeftp.novell.com/apparmor/Development%20-%20${MONTH}%20Snapshot/${MY_P}.tar.gz"
|
||||
|
||||
LICENSE="GPL-2"
|
||||
SLOT="0"
|
||||
KEYWORDS="~x86 ~amd64"
|
||||
IUSE=""
|
||||
|
||||
DEPEND="sys-libs/libapparmor
|
||||
sys-apps/aparmor-parser
|
||||
sys-libs/libcap
|
||||
dev-libs/libpcre
|
||||
dev-lang/perl
|
||||
perl-core/Test-Harness
|
||||
perl-core/Getopt-Long
|
||||
dev-perl/DBI
|
||||
dev-perl/DBD-SQLite
|
||||
dev-perl/TimeDate
|
||||
dev-perl/File-Tail
|
||||
dev-perl/Locale-gettext"
|
||||
RDEPEND="${DEPEND}"
|
||||
|
||||
|
||||
src_unpack() {
|
||||
unpack ${A}
|
||||
cd ${MY_S}
|
||||
|
||||
# Correct path for logger
|
||||
sed -i "s/\/bin\/logger/\/usr\/bin\/logger/g" genprof
|
||||
}
|
||||
|
||||
src_compile() {
|
||||
cd ${MY_S}
|
||||
emake CC="$(tc-getCC)" CFLAGS="${CFLAGS}" || die
|
||||
}
|
||||
|
||||
src_install() {
|
||||
cd ${MY_S}
|
||||
perlinfo
|
||||
make DESTDIR=${D} PERLDIR="${D}/${VENDOR_LIB}/Immunix" install || die
|
||||
}
|
@ -1,3 +0,0 @@
|
||||
MD5 b2447c84edc2df843b7bc4baa8a1eb2c apparmor-utils-2.0-142.tar.gz 87393
|
||||
RMD160 306371feded05fd6fc0daeb418aa85ed0a07f95b apparmor-utils-2.0-142.tar.gz 87393
|
||||
SHA256 27e1d9716bcfa82ebb12163e59734b1ce3a8598b9af3031b04498142e872c6b8 apparmor-utils-2.0-142.tar.gz 87393
|
@ -1,11 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
|
||||
<pkgmetadata>
|
||||
<herd>apparmor</herd>
|
||||
<maintainer>
|
||||
<email>zepher@sigalrm.com</email>
|
||||
<name>Matthew Snelham</name>
|
||||
<description>Primary Maintainer</description>
|
||||
</maintainer>
|
||||
<longdescription lang="en">Apparmor utilities allowing for profile creation and mangement.</longdescription>
|
||||
</pkgmetadata>
|
@ -1,45 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE catmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
|
||||
<catmetadata>
|
||||
<longdescription lang="en">
|
||||
The sys-apps category contains various core system applications, and
|
||||
some non-core system applications which have not yet been moved out into
|
||||
other sys- categories.
|
||||
</longdescription>
|
||||
<longdescription lang="es">
|
||||
La categoría sys-apps contiene varios paquetes esenciales del sistema, y
|
||||
algunos paquetes no esenciales que aún no han sido movidos a otras
|
||||
categorías sys-.
|
||||
</longdescription>
|
||||
<longdescription lang="de">
|
||||
Die Kategorie sys-apps enthält sowohl Programme die Bestandteil des Basissystems sind,
|
||||
als auch Applikationen die noch nicht in eine der anderen sys- Kategorien eingeordnet
|
||||
wurden.
|
||||
</longdescription>
|
||||
<longdescription lang="ja">
|
||||
sys-appsカテゴリには様々なコアシステムアプリケーションの他、まだ他のsys-カテゴリに
|
||||
移動されていないシステムアプリケーションが含まれています。
|
||||
</longdescription>
|
||||
<longdescription lang="nl">
|
||||
De sys-apps categorie bevat kerenbestanddelen van het systeem, en bepaalde
|
||||
niet-kern toepassingen die nog niet in andere categorien zijn geplaatst.
|
||||
</longdescription>
|
||||
<longdescription lang="vi">
|
||||
Nhóm sys-apps chứa các phần mềm hệ thống cốt lõi, và vài phần mềm
|
||||
hệ thống không phải cốt lõi mà chưa được chuyển sang các nhóm sys- khác.
|
||||
</longdescription>
|
||||
<longdescription lang="it">
|
||||
La categoria sys-apps contiene vari pacchetti essenziali per il sistema, e alcuni pacchetti
|
||||
non essenziali che non sono ancora stati spostati in altre categorie sys-.
|
||||
</longdescription>
|
||||
<longdescription lang="pt">
|
||||
A categoria sys-apps contém vários pacotes essenciais do sistema, e
|
||||
algumas aplicações não-centrais que ainda não foram colocadas em
|
||||
outras categorias sys-.
|
||||
</longdescription>
|
||||
<longdescription lang="pl">
|
||||
Kategoria sys-apps zawiera programy systemowe oraz inne dodatkowe
|
||||
programy, których jeszcze nie przeniesiono do kategorii sys-.
|
||||
</longdescription>
|
||||
</catmetadata>
|
||||
|
@ -1,23 +0,0 @@
|
||||
# ChangeLog for sys-kernel/apparmor-sources
|
||||
# Copyright 1999-2006 Gentoo Foundation; Distributed under the GPL v2
|
||||
# $Header: $
|
||||
|
||||
13 Aug 2006; Mario Fetka <mario-fetka@gmx.at>
|
||||
+files/5000_apparmor-integrate.patch,
|
||||
+files/5001_apparmor-core-header.patch,
|
||||
+files/5002_apparmor-lsm-interface.patch,
|
||||
+files/5004_apparmor-filesystem.patch, +apparmor-sources-2.6.17.ebuild,
|
||||
+files/5003_apparmor-core-access-controls.patch,
|
||||
+files/5006_apparmor-misc.patch, +files/5008_apparmor-audit-changes.patch,
|
||||
+apparmor-sources-2.6.17-r1.ebuild,
|
||||
+files/apparmor-sources-2.6.17-r1-apparmor_main.patch,
|
||||
+files/5007_apparmor-pathname-matching-submodule.patch,
|
||||
+files/5010_apparmor-export-namespace-semaphor.patch,
|
||||
+files/apparmor-sources-2.6.17-r1-apparmor_audit.patch,
|
||||
+files/apparmor-sources-2.6.17-r1-apparmor_namespacesem.patch,
|
||||
+files/5005_apparmor-userspace-interface.patch,
|
||||
+files/5009_apparmor-add-flags.patch:
|
||||
Initial Import of
|
||||
Matthew Snelham <zeypher@sigalrm.com>
|
||||
Apparmor ebuilds
|
||||
|
@ -1,93 +0,0 @@
|
||||
AUX 5000_apparmor-integrate.patch 2398 RMD160 4f3100e01a64531217137303b151d4b8f57cb5ea SHA1 c61a433e8449cd2e173eaf4526de807cd074d12b SHA256 558a025803b209d2502562553e7ec1a42dde706c6a3de4d1a442f4a4a17e8b89
|
||||
MD5 d98fc30c0c02d3b6e1fdb5a56973ed67 files/5000_apparmor-integrate.patch 2398
|
||||
RMD160 4f3100e01a64531217137303b151d4b8f57cb5ea files/5000_apparmor-integrate.patch 2398
|
||||
SHA256 558a025803b209d2502562553e7ec1a42dde706c6a3de4d1a442f4a4a17e8b89 files/5000_apparmor-integrate.patch 2398
|
||||
AUX 5001_apparmor-core-header.patch 21692 RMD160 d991a62378cf9394ed785ce170567c5a1636ed3a SHA1 6646b0ab9603356241ca09ac26093649b264e6f5 SHA256 104c8a90f300b967937d2930bfdb46fccc14d1c33e0eeeaccc2539795b02c9f7
|
||||
MD5 589ca3ad54269790ce4ff0ac86bf1e22 files/5001_apparmor-core-header.patch 21692
|
||||
RMD160 d991a62378cf9394ed785ce170567c5a1636ed3a files/5001_apparmor-core-header.patch 21692
|
||||
SHA256 104c8a90f300b967937d2930bfdb46fccc14d1c33e0eeeaccc2539795b02c9f7 files/5001_apparmor-core-header.patch 21692
|
||||
AUX 5002_apparmor-lsm-interface.patch 21459 RMD160 b61ddaab908a7a790472d7de3c0ee03dfe576489 SHA1 464d3806b9db782adfba98e37884f538f4f02fdd SHA256 8f22edd4509598b9188ef05b47028a745905af4402482f1698bf123f66d3b407
|
||||
MD5 2ef63832bbbef8442cbf8a08d0279425 files/5002_apparmor-lsm-interface.patch 21459
|
||||
RMD160 b61ddaab908a7a790472d7de3c0ee03dfe576489 files/5002_apparmor-lsm-interface.patch 21459
|
||||
SHA256 8f22edd4509598b9188ef05b47028a745905af4402482f1698bf123f66d3b407 files/5002_apparmor-lsm-interface.patch 21459
|
||||
AUX 5003_apparmor-core-access-controls.patch 42703 RMD160 fa685b1526b69cc5e436707b0e94513c963cf7e5 SHA1 756e4adac0c15e216b21c4b86bd390d2318f2092 SHA256 585f135ce0b07bc325503cccd5da07afa559ca75c9c3c0aeef3b1309f59aacb5
|
||||
MD5 282fc71ae3ba0b0f37b10e856cb0bbb7 files/5003_apparmor-core-access-controls.patch 42703
|
||||
RMD160 fa685b1526b69cc5e436707b0e94513c963cf7e5 files/5003_apparmor-core-access-controls.patch 42703
|
||||
SHA256 585f135ce0b07bc325503cccd5da07afa559ca75c9c3c0aeef3b1309f59aacb5 files/5003_apparmor-core-access-controls.patch 42703
|
||||
AUX 5004_apparmor-filesystem.patch 11823 RMD160 c356279b0a7aa3c86b7e61fa4fd19fcae01e4e28 SHA1 7bac3503d5d3c1c89c3c83824ce4db5fb4b76d4d SHA256 8ff511068c44f09fa9e9b0892323876373a0dd20cbdafab1847439fb7293228a
|
||||
MD5 9b00001fd17410a6c5c8d93e1d791a4f files/5004_apparmor-filesystem.patch 11823
|
||||
RMD160 c356279b0a7aa3c86b7e61fa4fd19fcae01e4e28 files/5004_apparmor-filesystem.patch 11823
|
||||
SHA256 8ff511068c44f09fa9e9b0892323876373a0dd20cbdafab1847439fb7293228a files/5004_apparmor-filesystem.patch 11823
|
||||
AUX 5005_apparmor-userspace-interface.patch 25246 RMD160 1aa62cbead83275308c9b2e5bf3658261d1a9381 SHA1 93a99de540ffbec0946192851832b823956cb3a6 SHA256 970934bf9e9d9a4e98e4d78eb4540d1b8d5409f5c97bbbd266ae473b7263d92f
|
||||
MD5 f9ca3674c76ad58917df78d9ca55a461 files/5005_apparmor-userspace-interface.patch 25246
|
||||
RMD160 1aa62cbead83275308c9b2e5bf3658261d1a9381 files/5005_apparmor-userspace-interface.patch 25246
|
||||
SHA256 970934bf9e9d9a4e98e4d78eb4540d1b8d5409f5c97bbbd266ae473b7263d92f files/5005_apparmor-userspace-interface.patch 25246
|
||||
AUX 5006_apparmor-misc.patch 16419 RMD160 7be689597785f339dd8d8d41fc46c48283acd329 SHA1 728e32285aeb1e8e7ef28c2d8aa8a775ad4b1ab2 SHA256 c44468fd5a698d11095cccb439541feac587388f348bec5f8105449294e1b8f6
|
||||
MD5 eda12351340ca5e03ce2df5be7ab1396 files/5006_apparmor-misc.patch 16419
|
||||
RMD160 7be689597785f339dd8d8d41fc46c48283acd329 files/5006_apparmor-misc.patch 16419
|
||||
SHA256 c44468fd5a698d11095cccb439541feac587388f348bec5f8105449294e1b8f6 files/5006_apparmor-misc.patch 16419
|
||||
AUX 5007_apparmor-pathname-matching-submodule.patch 7130 RMD160 53203c04619a1d1491f32af7b67d645cab2b42fd SHA1 f6e08796e9de778de5614f7dc0b3226ec3e0c886 SHA256 08f8cef053a986ac38130743cba28a584c0539f1e7d370cdff3e829e4cd48567
|
||||
MD5 2d77b49c08b0f975660174c410f57cfe files/5007_apparmor-pathname-matching-submodule.patch 7130
|
||||
RMD160 53203c04619a1d1491f32af7b67d645cab2b42fd files/5007_apparmor-pathname-matching-submodule.patch 7130
|
||||
SHA256 08f8cef053a986ac38130743cba28a584c0539f1e7d370cdff3e829e4cd48567 files/5007_apparmor-pathname-matching-submodule.patch 7130
|
||||
AUX 5008_apparmor-audit-changes.patch 2107 RMD160 d333371405ac7c595763bc35f312784cc811d366 SHA1 8801e85d409017c6693656b9e41973703170cad8 SHA256 adfed39273b71c470f8eebddf43f0eef2146b3114e517eb574f033005f5a95e5
|
||||
MD5 2a4a92e7b58dafaee09f69fa05ebd89a files/5008_apparmor-audit-changes.patch 2107
|
||||
RMD160 d333371405ac7c595763bc35f312784cc811d366 files/5008_apparmor-audit-changes.patch 2107
|
||||
SHA256 adfed39273b71c470f8eebddf43f0eef2146b3114e517eb574f033005f5a95e5 files/5008_apparmor-audit-changes.patch 2107
|
||||
AUX 5009_apparmor-add-flags.patch 5477 RMD160 fc48784cb74cba9cdbdf61c2f561e8951152344e SHA1 f70cad7a35362ff584991c70c1b481127e4b3799 SHA256 adae3a61e66d527586d8118b94843b3021b4c99224d2d8888e37f7dbed5ef783
|
||||
MD5 29efc91d396797479864537b9f1e1b6f files/5009_apparmor-add-flags.patch 5477
|
||||
RMD160 fc48784cb74cba9cdbdf61c2f561e8951152344e files/5009_apparmor-add-flags.patch 5477
|
||||
SHA256 adae3a61e66d527586d8118b94843b3021b4c99224d2d8888e37f7dbed5ef783 files/5009_apparmor-add-flags.patch 5477
|
||||
AUX 5010_apparmor-export-namespace-semaphor.patch 2052 RMD160 70bae68ca3aef38c9aea0b4add916fc759efb420 SHA1 4f553490593ebaddec1a8695e6da471466e4cc70 SHA256 42fd27dc8e65a450b6369638495ebcd1d615a23881f4ff7c4a8a334ac6e1e00a
|
||||
MD5 5d38d075644b24d5018152b2b4a29514 files/5010_apparmor-export-namespace-semaphor.patch 2052
|
||||
RMD160 70bae68ca3aef38c9aea0b4add916fc759efb420 files/5010_apparmor-export-namespace-semaphor.patch 2052
|
||||
SHA256 42fd27dc8e65a450b6369638495ebcd1d615a23881f4ff7c4a8a334ac6e1e00a files/5010_apparmor-export-namespace-semaphor.patch 2052
|
||||
AUX apparmor-sources-2.6.17-r1-apparmor_audit.patch 2247 RMD160 d6c5937273d30de4a83a42ad9256416bf2931a03 SHA1 113abbb7664e6cf205606c78c39086c4aea5883d SHA256 27b8c610ec1dd4b6b8474194061a6616359aa942f3dddf3ae197cadeea8e411c
|
||||
MD5 aa55bffe2d0bf05ef6b6281dfb4c459c files/apparmor-sources-2.6.17-r1-apparmor_audit.patch 2247
|
||||
RMD160 d6c5937273d30de4a83a42ad9256416bf2931a03 files/apparmor-sources-2.6.17-r1-apparmor_audit.patch 2247
|
||||
SHA256 27b8c610ec1dd4b6b8474194061a6616359aa942f3dddf3ae197cadeea8e411c files/apparmor-sources-2.6.17-r1-apparmor_audit.patch 2247
|
||||
AUX apparmor-sources-2.6.17-r1-apparmor_main.patch 219968 RMD160 8ac7a4ee65da4180684634b82bd468e2ff0ff790 SHA1 610451e2eb4c7b03ed4a37d527543dea8a0f6743 SHA256 f799f9f570dd1de355aad61a3583a6e06aba6138f4b7c064274ad524d4c6ab18
|
||||
MD5 665706462da47fc5dde62b016bb6af49 files/apparmor-sources-2.6.17-r1-apparmor_main.patch 219968
|
||||
RMD160 8ac7a4ee65da4180684634b82bd468e2ff0ff790 files/apparmor-sources-2.6.17-r1-apparmor_main.patch 219968
|
||||
SHA256 f799f9f570dd1de355aad61a3583a6e06aba6138f4b7c064274ad524d4c6ab18 files/apparmor-sources-2.6.17-r1-apparmor_main.patch 219968
|
||||
AUX apparmor-sources-2.6.17-r1-apparmor_namespacesem.patch 1197 RMD160 99acdb25d6384f650edb2914fb05205abe2a4f48 SHA1 21ee82c1bc2089f8af1985fcc57049422f5e02ba SHA256 1c6c97d3ef47c3b21e335246fabc4dbdb446e5fd638250a928ed62c8277ac015
|
||||
MD5 ebc4034d4b5410191a67a3d5f2e7d82b files/apparmor-sources-2.6.17-r1-apparmor_namespacesem.patch 1197
|
||||
RMD160 99acdb25d6384f650edb2914fb05205abe2a4f48 files/apparmor-sources-2.6.17-r1-apparmor_namespacesem.patch 1197
|
||||
SHA256 1c6c97d3ef47c3b21e335246fabc4dbdb446e5fd638250a928ed62c8277ac015 files/apparmor-sources-2.6.17-r1-apparmor_namespacesem.patch 1197
|
||||
DIST apparmor-kernel-patches-2.6.17.9.tar.gz 231231 RMD160 762d4b59aa508cfd82ebbeba4822ffb0551f5888 SHA1 bb754f57340ce90e25bb18be7030776ee4b9e823 SHA256 0884cd7bfdff4505fd5271ca68b72f74b352d209321ef60dc81620b0539f0ec7
|
||||
DIST apparmor-kernel-patches-2.6.18.tar.gz 231072 RMD160 f734125d986dcb3aec371f0e24126a5473d5637f SHA1 e6136d224d58ad90fd174d3c03290942644e5c45 SHA256 91224ff1f45de306c0720a5680a8f883888b52f296b0de24c63ec02668782b63
|
||||
DIST genpatches-2.6.17-1.base.tar.bz2 3337 RMD160 f9b5621fed8fcfee7da697d89097842287b41b24 SHA1 308e3daec11899f03103b5dcd2bfcff7e116c52c SHA256 2208b72729dce6daef7dc5700192aec0ae17327c794681621d2123f0c483ae21
|
||||
DIST genpatches-2.6.17-1.extras.tar.bz2 138704 RMD160 14b17e02b7893e6b023bee9e1b40f4bc85a30f05 SHA1 e671dbc29239116e627aea3d87ff7aefd8b5ca00 SHA256 fa10ec7d3d74c8bf57fb3bd01c33f83dcca3c1e4cd4601937cc2ef904cce1dfe
|
||||
DIST genpatches-2.6.18-1.base.tar.bz2 2397 RMD160 1b02d9e5adba7a9a17f85691f312ee2c870c9a48 SHA1 790186d9d44c358d05489cdff417beab03124708 SHA256 e87db440591d48f74b8d50f47bde55a1652c969626befa94aba48cee57aa5da8
|
||||
DIST genpatches-2.6.18-1.extras.tar.bz2 147040 RMD160 f62b371d522fa8978cee4e809baea364ed8e804a SHA1 e98309b0203bf2f41e8efe1cd396dcfd5aec483a SHA256 080b19f98ffa8f5edbccabfa9dd4ac845ecc1b21c7fba761ad3d011893117b01
|
||||
DIST linux-2.6.17.tar.bz2 41272919 RMD160 26aad30c9a6610665c6c7d62401d79bf56a6a699 SHA1 0605c975b9dead2af31a3decf09dd4138fadaf2b SHA256 ab0f647d52f124958439517df9e1ae0efda90cdb851f59f522fa1749f1d87d58
|
||||
DIST linux-2.6.18.tar.bz2 41863580 RMD160 f92283f956880676bfb1f1d5288325461e4e02e7 SHA1 178f7d5bb3af0978d42b37651b8753323c7129c2 SHA256 c95280ff6c5d2a17788f7cc582d23ae8a9a7ba3f202ec6e4238eaadfce7c163d
|
||||
EBUILD apparmor-sources-2.6.17-r1.ebuild 1142 RMD160 434a48918c3a4cff03e438c83918d7ba0d871311 SHA1 e8dc728915cf06e20da6dff8b10704f04be381d1 SHA256 48f9d6b7a3b8febc92fe5ef755e96d5d88354949947a355d77fce7300de7e332
|
||||
MD5 94d4c12fce6b5bb9e42a2d22942d7c61 apparmor-sources-2.6.17-r1.ebuild 1142
|
||||
RMD160 434a48918c3a4cff03e438c83918d7ba0d871311 apparmor-sources-2.6.17-r1.ebuild 1142
|
||||
SHA256 48f9d6b7a3b8febc92fe5ef755e96d5d88354949947a355d77fce7300de7e332 apparmor-sources-2.6.17-r1.ebuild 1142
|
||||
EBUILD apparmor-sources-2.6.17.ebuild 1233 RMD160 70a5b495ed179b57e825b99b26751725a6f12c8d SHA1 30744886818231b12ee378450aae835bb2ab35f9 SHA256 ddb3a0c0fa067b2ef1c32ad12925ee96c6467660e8f0ac896c56f8202ce40e5c
|
||||
MD5 e52d364ef1955d471e087f21fb2d3e3c apparmor-sources-2.6.17.ebuild 1233
|
||||
RMD160 70a5b495ed179b57e825b99b26751725a6f12c8d apparmor-sources-2.6.17.ebuild 1233
|
||||
SHA256 ddb3a0c0fa067b2ef1c32ad12925ee96c6467660e8f0ac896c56f8202ce40e5c apparmor-sources-2.6.17.ebuild 1233
|
||||
EBUILD apparmor-sources-2.6.18.ebuild 1229 RMD160 f3a233d92a3b085426e64129a46d4eeae762be45 SHA1 5d4206a1521d63c4df44a472f49933cce9fe82cc SHA256 d97f7607222cb43076f73e9a549384d55dbfc6470ac5be6d3ea0d5047c5fff68
|
||||
MD5 9aeafb7f5c77d3a0841c4e9fb71eeb5f apparmor-sources-2.6.18.ebuild 1229
|
||||
RMD160 f3a233d92a3b085426e64129a46d4eeae762be45 apparmor-sources-2.6.18.ebuild 1229
|
||||
SHA256 d97f7607222cb43076f73e9a549384d55dbfc6470ac5be6d3ea0d5047c5fff68 apparmor-sources-2.6.18.ebuild 1229
|
||||
MISC ChangeLog 1008 RMD160 88f5deb153f61b500a1eb1672d9f01c87ab553f9 SHA1 8478c09f09812bf558e31516c03e21ae4f493c35 SHA256 83a27b6318f963a9668ce161f8c57969d3d1fa066df89850d85b727566a14bdc
|
||||
MD5 2d787835eb0dc12e4feb5e29420c2927 ChangeLog 1008
|
||||
RMD160 88f5deb153f61b500a1eb1672d9f01c87ab553f9 ChangeLog 1008
|
||||
SHA256 83a27b6318f963a9668ce161f8c57969d3d1fa066df89850d85b727566a14bdc ChangeLog 1008
|
||||
MISC metadata.xml 478 RMD160 207b43ac7f50efbd5d3c8fdad96559adf422b0d2 SHA1 3adc61e526559bc5ac91aace569a588c4171e8cd SHA256 183e2d218aa6c62702bb9b81ee598eea27e51b6703b33fbf1a34d4b9674fd67a
|
||||
MD5 c2ac84763e2d8238dea3eb3ba93b59aa metadata.xml 478
|
||||
RMD160 207b43ac7f50efbd5d3c8fdad96559adf422b0d2 metadata.xml 478
|
||||
SHA256 183e2d218aa6c62702bb9b81ee598eea27e51b6703b33fbf1a34d4b9674fd67a metadata.xml 478
|
||||
MD5 fb69ab075d009cf49c155c082fe75937 files/digest-apparmor-sources-2.6.17 1099
|
||||
RMD160 4c24baa45ae97f17ed503bfc4f0ed6ae8db520b4 files/digest-apparmor-sources-2.6.17 1099
|
||||
SHA256 a2efb919c008a7777773d5faed808c1b64b7e5dd97408131904897c5154520ce files/digest-apparmor-sources-2.6.17 1099
|
||||
MD5 0e1ade0aa9228c7dad088db16e4f1d3a files/digest-apparmor-sources-2.6.17-r1 801
|
||||
RMD160 74e1080cfdd78f0b7cc0314a2822efbe02ec2333 files/digest-apparmor-sources-2.6.17-r1 801
|
||||
SHA256 482238abaafe1482e35b0de5d6fbde3cc5f3e307aa885f823693b5bf01edcc09 files/digest-apparmor-sources-2.6.17-r1 801
|
||||
MD5 e08285915ab6ffc164d7178cd2d01c59 files/digest-apparmor-sources-2.6.18 1093
|
||||
RMD160 2b50e09bbfb91bbb0b46974e7b22de322d3b8520 files/digest-apparmor-sources-2.6.18 1093
|
||||
SHA256 71f364dffa2f917a0ce28c423627808f06dd547bc7d3d0599ea13e6a28d94693 files/digest-apparmor-sources-2.6.18 1093
|
@ -1,43 +0,0 @@
|
||||
# Copyright 1999-2006 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Header: $
|
||||
|
||||
ETYPE="sources"
|
||||
K_WANT_GENPATCHES="base extras"
|
||||
K_GENPATCHES_VER="1"
|
||||
inherit eutils kernel-2
|
||||
detect_version
|
||||
detect_arch
|
||||
|
||||
KEYWORDS="~x86 ~amd64"
|
||||
HOMEPAGE="http://forge.novell.com/modules/xfmod/project/?apparmor"
|
||||
DESCRIPTION="Full sources to provide the required AppArmor modules and kernel hooks. Based on the gentoo-sources tree."
|
||||
|
||||
SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
|
||||
|
||||
src_unpack() {
|
||||
ABI=${KERNEL_ABI}
|
||||
kernel-2_src_unpack
|
||||
|
||||
EPATCH_FORCE="yes"
|
||||
EPATCH_OPTS=""
|
||||
epatch ${FILESDIR}/${PF}*.patch
|
||||
}
|
||||
|
||||
pkg_postinst() {
|
||||
postinst_sources
|
||||
|
||||
einfo
|
||||
einfo "For more info on this patchset, and how to report problems, see:"
|
||||
einfo "${HOMEPAGE}"
|
||||
|
||||
einfo
|
||||
einfo "Make sure that your kernel configuration file is set with:"
|
||||
einfo " CONFIG_SECURITY=y"
|
||||
einfo " CONFIG_SECURITY_APPARMOR=m"
|
||||
einfo "Without these, apparmor will not function."
|
||||
einfo
|
||||
einfo "Apparmor can be sensitive to module load order. Make sure"
|
||||
einfo "it is listed before any other modules that rely on the "
|
||||
einfo "'capability' module."
|
||||
}
|
@ -1,45 +0,0 @@
|
||||
# Copyright 1999-2005 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Header: $
|
||||
|
||||
ETYPE="sources"
|
||||
K_WANT_GENPATCHES="base extras"
|
||||
K_GENPATCHES_VER="1"
|
||||
inherit eutils kernel-2
|
||||
detect_version
|
||||
detect_arch
|
||||
|
||||
KEYWORDS="~x86 ~amd64"
|
||||
HOMEPAGE="http://forge.novell.com/modules/xfmod/project/?apparmor"
|
||||
DESCRIPTION="Full sources to provide the required AppArmor modules and kernel hooks. Based on the gentoo-sources tree."
|
||||
|
||||
MONTH="October"
|
||||
UP_KPVER="2.6.17.9"
|
||||
|
||||
AA_SRC="http://forgeftp.novell.com/apparmor/Development%20-%20${MONTH}%20Snapshot/apparmor-kernel-patches-${UP_KPVER}.tar.gz"
|
||||
|
||||
SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI} ${AA_SRC}"
|
||||
|
||||
src_unpack() {
|
||||
unpack "apparmor-kernel-patches-${UP_KPVER}.tar.gz"
|
||||
|
||||
kernel-2_src_unpack
|
||||
|
||||
EPATCH_FORCE="yes"
|
||||
EPATCH_OPTS=""
|
||||
epatch ${WORKDIR}/${UP_KPVER}/current/apparmor-2.6.17.9-v154-fullseries.patch
|
||||
}
|
||||
|
||||
pkg_postinst() {
|
||||
postinst_sources
|
||||
|
||||
einfo
|
||||
einfo "For more info on this patchset, and how to report problems, see:"
|
||||
einfo "${HOMEPAGE}"
|
||||
einfo
|
||||
einfo "Make sure that your kernel configuration file is set with:"
|
||||
einfo " CONFIG_SECURITY=y"
|
||||
einfo " CONFIG_SECURITY_APPARMOR=m"
|
||||
einfo "Without these, apparmor will not function."
|
||||
einfo
|
||||
}
|
@ -1,45 +0,0 @@
|
||||
# Copyright 1999-2005 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Header: $
|
||||
|
||||
ETYPE="sources"
|
||||
K_WANT_GENPATCHES="base extras"
|
||||
K_GENPATCHES_VER="1"
|
||||
inherit eutils kernel-2
|
||||
detect_version
|
||||
detect_arch
|
||||
|
||||
KEYWORDS="~x86 ~amd64"
|
||||
HOMEPAGE="http://forge.novell.com/modules/xfmod/project/?apparmor"
|
||||
DESCRIPTION="Full sources to provide the required AppArmor modules and kernel hooks. Based on the gentoo-sources tree."
|
||||
|
||||
MONTH="October"
|
||||
UP_KPVER="2.6.18"
|
||||
|
||||
AA_SRC="http://forgeftp.novell.com/apparmor/Development%20-%20${MONTH}%20Snapshot/apparmor-kernel-patches-${UP_KPVER}.tar.gz"
|
||||
|
||||
SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI} ${AA_SRC}"
|
||||
|
||||
src_unpack() {
|
||||
unpack "apparmor-kernel-patches-${UP_KPVER}.tar.gz"
|
||||
|
||||
kernel-2_src_unpack
|
||||
|
||||
EPATCH_FORCE="yes"
|
||||
EPATCH_OPTS=""
|
||||
epatch ${WORKDIR}/${UP_KPVER}/current/apparmor-2.6.18-v154-fullseries.patch
|
||||
}
|
||||
|
||||
pkg_postinst() {
|
||||
postinst_sources
|
||||
|
||||
einfo
|
||||
einfo "For more info on this patchset, and how to report problems, see:"
|
||||
einfo "${HOMEPAGE}"
|
||||
einfo
|
||||
einfo "Make sure that your kernel configuration file is set with:"
|
||||
einfo " CONFIG_SECURITY=y"
|
||||
einfo " CONFIG_SECURITY_APPARMOR=m"
|
||||
einfo "Without these, apparmor will not function."
|
||||
einfo
|
||||
}
|
@ -1,76 +0,0 @@
|
||||
This patch glues AppArmor into the security configuration and Makefile.
|
||||
It also creates the AppArmor configuration and Makefile.
|
||||
|
||||
|
||||
Signed-off-by: Tony Jones <tonyj@suse.de>
|
||||
|
||||
---
|
||||
MAINTAINERS | 7 +++++++
|
||||
security/Kconfig | 1 +
|
||||
security/Makefile | 1 +
|
||||
security/apparmor/Kconfig | 9 +++++++++
|
||||
security/apparmor/Makefile | 6 ++++++
|
||||
5 files changed, 24 insertions(+)
|
||||
|
||||
--- linux-2.6.17-rc1.orig/MAINTAINERS
|
||||
+++ linux-2.6.17-rc1/MAINTAINERS
|
||||
@@ -284,6 +284,13 @@
|
||||
W: http://www.canb.auug.org.au/~sfr/
|
||||
S: Supported
|
||||
|
||||
+APPARMOR SECURITY MODULE
|
||||
+P: Tony Jones
|
||||
+M: tonyj@suse.de
|
||||
+L: apparmor-dev@forge.novell.com
|
||||
+W: http://forge.novell.com/modules/xfmod/project/?apparmor
|
||||
+S: Supported
|
||||
+
|
||||
APPLETALK NETWORK LAYER
|
||||
P: Arnaldo Carvalho de Melo
|
||||
M: acme@conectiva.com.br
|
||||
--- linux-2.6.17-rc1.orig/security/Kconfig
|
||||
+++ linux-2.6.17-rc1/security/Kconfig
|
||||
@@ -100,6 +100,7 @@
|
||||
If you are unsure how to answer this question, answer N.
|
||||
|
||||
source security/selinux/Kconfig
|
||||
+source security/apparmor/Kconfig
|
||||
|
||||
endmenu
|
||||
|
||||
--- linux-2.6.17-rc1.orig/security/Makefile
|
||||
+++ linux-2.6.17-rc1/security/Makefile
|
||||
@@ -4,6 +4,7 @@
|
||||
|
||||
obj-$(CONFIG_KEYS) += keys/
|
||||
subdir-$(CONFIG_SECURITY_SELINUX) += selinux
|
||||
+subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
|
||||
|
||||
# if we don't select a security model, use the default capabilities
|
||||
ifneq ($(CONFIG_SECURITY),y)
|
||||
--- /dev/null
|
||||
+++ linux-2.6.17-rc1/security/apparmor/Kconfig
|
||||
@@ -0,0 +1,9 @@
|
||||
+config SECURITY_APPARMOR
|
||||
+ tristate "AppArmor support"
|
||||
+ depends on SECURITY!=n
|
||||
+ help
|
||||
+ This enables the AppArmor security module.
|
||||
+ Required userspace tools (if they are not included in your
|
||||
+ distribution) and further information may be found at
|
||||
+ <http://forge.novell.com/modules/xfmod/project/?apparmor>
|
||||
+ If you are unsure how to answer this question, answer N.
|
||||
--- /dev/null
|
||||
+++ linux-2.6.17-rc1/security/apparmor/Makefile
|
||||
@@ -0,0 +1,6 @@
|
||||
+# Makefile for AppArmor Linux Security Module
|
||||
+#
|
||||
+subdir-$(CONFIG_SECURITY_APPARMOR) += match
|
||||
+obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
|
||||
+
|
||||
+apparmor-y := main.o list.o procattr.o lsm.o apparmorfs.o capabilities.o module_interface.o
|
||||
-
|
||||
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
||||
Please read the FAQ at http://www.tux.org/lkml/
|
@ -1,728 +0,0 @@
|
||||
This patch provides the various common headerfiles used by the AppArmor module.
|
||||
|
||||
apparmor.h contains the core data structures.
|
||||
shared.h contains definitions that are common to the userspace policy loader.
|
||||
inline.h implements various inline utility functions
|
||||
|
||||
|
||||
Signed-off-by: Tony Jones <tonyj@suse.de>
|
||||
|
||||
---
|
||||
security/apparmor/apparmor.h | 325 +++++++++++++++++++++++++++++++++++++++++
|
||||
security/apparmor/inline.h | 333 +++++++++++++++++++++++++++++++++++++++++++
|
||||
security/apparmor/shared.h | 41 +++++
|
||||
3 files changed, 699 insertions(+)
|
||||
|
||||
--- security/apparmor/apparmor.h.orig
|
||||
+++ security/apparmor/apparmor.h
|
||||
@@ -0,0 +1,325 @@
|
||||
+/*
|
||||
+ * Copyright (C) 1998-2005 Novell/SUSE
|
||||
+ *
|
||||
+ * This program is free software; you can redistribute it and/or
|
||||
+ * modify it under the terms of the GNU General Public License as
|
||||
+ * published by the Free Software Foundation, version 2 of the
|
||||
+ * License.
|
||||
+ *
|
||||
+ * AppArmor internal prototypes
|
||||
+ */
|
||||
+
|
||||
+#ifndef __SUBDOMAIN_H
|
||||
+#define __SUBDOMAIN_H
|
||||
+
|
||||
+#include <linux/fs.h> /* Include for defn of iattr */
|
||||
+#include <linux/rcupdate.h>
|
||||
+
|
||||
+#include "shared.h"
|
||||
+
|
||||
+/* Control parameters (0 or 1), settable thru module/boot flags or
|
||||
+ * via /sys/kernel/security/apparmor/control */
|
||||
+extern int apparmor_complain;
|
||||
+extern int apparmor_debug;
|
||||
+extern int apparmor_audit;
|
||||
+extern int apparmor_logsyscall;
|
||||
+
|
||||
+/* PIPEFS_MAGIC */
|
||||
+#include <linux/pipe_fs_i.h>
|
||||
+/* from net/socket.c */
|
||||
+#define SOCKFS_MAGIC 0x534F434B
|
||||
+/* from inotify.c */
|
||||
+#define INOTIFYFS_MAGIC 0xBAD1DEA
|
||||
+
|
||||
+#define VALID_FSTYPE(inode) ((inode)->i_sb->s_magic != PIPEFS_MAGIC && \
|
||||
+ (inode)->i_sb->s_magic != SOCKFS_MAGIC && \
|
||||
+ (inode)->i_sb->s_magic != INOTIFYFS_MAGIC)
|
||||
+
|
||||
+#define PROFILE_COMPLAIN(_profile) \
|
||||
+ (apparmor_complain == 1 || ((_profile) && (_profile)->flags.complain))
|
||||
+
|
||||
+#define SUBDOMAIN_COMPLAIN(_sd) \
|
||||
+ (apparmor_complain == 1 || \
|
||||
+ ((_sd) && (_sd)->active && (_sd)->active->flags.complain))
|
||||
+
|
||||
+#define PROFILE_AUDIT(_profile) \
|
||||
+ (apparmor_audit == 1 || ((_profile) && (_profile)->flags.audit))
|
||||
+
|
||||
+#define SUBDOMAIN_AUDIT(_sd) \
|
||||
+ (apparmor_audit == 1 || \
|
||||
+ ((_sd) && (_sd)->active && (_sd)->active->flags.audit))
|
||||
+
|
||||
+/*
|
||||
+ * DEBUG remains global (no per profile flag) since it is mostly used in sysctl
|
||||
+ * which is not related to profile accesses.
|
||||
+ */
|
||||
+
|
||||
+#define AA_DEBUG(fmt, args...) \
|
||||
+ do { \
|
||||
+ if (apparmor_debug) \
|
||||
+ printk(KERN_DEBUG "AppArmor: " fmt, ##args); \
|
||||
+ } while (0)
|
||||
+#define AA_INFO(fmt, args...) printk(KERN_INFO "AppArmor: " fmt, ##args)
|
||||
+#define AA_WARN(fmt, args...) printk(KERN_WARNING "AppArmor: " fmt, ##args)
|
||||
+#define AA_ERROR(fmt, args...) printk(KERN_ERR "AppArmor: " fmt, ##args)
|
||||
+
|
||||
+/* basic AppArmor data structures */
|
||||
+
|
||||
+struct flagval {
|
||||
+ int debug;
|
||||
+ int complain;
|
||||
+ int audit;
|
||||
+};
|
||||
+
|
||||
+enum entry_match_type {
|
||||
+ aa_entry_literal,
|
||||
+ aa_entry_tailglob,
|
||||
+ aa_entry_pattern,
|
||||
+ aa_entry_invalid
|
||||
+};
|
||||
+
|
||||
+/* struct aa_entry - file ACL *
|
||||
+ * @filename: filename controlled by this ACL
|
||||
+ * @mode: permissions granted by ACL
|
||||
+ * @type: type of match to perform against @filename
|
||||
+ * @extradata: any extra data needed by an extended matching type
|
||||
+ * @list: list the ACL is on
|
||||
+ * @listp: permission partitioned lists this ACL is on.
|
||||
+ *
|
||||
+ * Each entry describes a file and an allowed access mode.
|
||||
+ */
|
||||
+struct aa_entry {
|
||||
+ char *filename;
|
||||
+ int mode; /* mode is 'or' of READ, WRITE, EXECUTE,
|
||||
+ * INHERIT, UNCONSTRAINED, and LIBRARY
|
||||
+ * (meaning don't prefetch). */
|
||||
+
|
||||
+ enum entry_match_type type;
|
||||
+ void *extradata;
|
||||
+
|
||||
+ struct list_head list;
|
||||
+ struct list_head listp[POS_AA_FILE_MAX + 1];
|
||||
+};
|
||||
+
|
||||
+#define AA_EXEC_MODIFIER_MASK(mask) ((mask) & (AA_EXEC_UNCONSTRAINED |\
|
||||
+ AA_EXEC_INHERIT |\
|
||||
+ AA_EXEC_PROFILE))
|
||||
+
|
||||
+#define AA_EXEC_MASK(mask) ((mask) & (AA_MAY_EXEC |\
|
||||
+ AA_EXEC_UNCONSTRAINED |\
|
||||
+ AA_EXEC_INHERIT |\
|
||||
+ AA_EXEC_PROFILE))
|
||||
+
|
||||
+
|
||||
+/* struct aaprofile - basic confinement data
|
||||
+ * @parent: non refcounted pointer to parent profile
|
||||
+ * @name: the profiles name
|
||||
+ * @file_entry: file ACL
|
||||
+ * @file_entryp: vector of file ACL by permission granted
|
||||
+ * @list: list this profile is on
|
||||
+ * @sub: profiles list of subprofiles (HATS)
|
||||
+ * @flags: flags controlling profile behavior
|
||||
+ * @null_profile: if needed per profile learning and null confinement profile
|
||||
+ * @isstale: flag to indicate the profile is stale
|
||||
+ * @num_file_entries: number of file entries the profile contains
|
||||
+ * @num_file_pentries: number of file entries for each partitioned list
|
||||
+ * @capabilities: capabilities granted by the process
|
||||
+ * @rcu: rcu head used when freeing the profile
|
||||
+ * @count: reference count of the profile
|
||||
+ *
|
||||
+ * The AppArmor profile contains the basic confinement data. Each profile
|
||||
+ * has a name and potentially a list of profile entries. The profiles are
|
||||
+ * connected in a list
|
||||
+ */
|
||||
+struct aaprofile {
|
||||
+ struct aaprofile *parent;
|
||||
+ char *name;
|
||||
+
|
||||
+ struct list_head file_entry;
|
||||
+ struct list_head file_entryp[POS_AA_FILE_MAX + 1];
|
||||
+ struct list_head list;
|
||||
+ struct list_head sub;
|
||||
+ struct flagval flags;
|
||||
+ struct aaprofile *null_profile;
|
||||
+ int isstale;
|
||||
+
|
||||
+ int num_file_entries;
|
||||
+ int num_file_pentries[POS_AA_FILE_MAX + 1];
|
||||
+
|
||||
+ kernel_cap_t capabilities;
|
||||
+
|
||||
+ struct rcu_head rcu;
|
||||
+
|
||||
+ struct kref count;
|
||||
+};
|
||||
+
|
||||
+/**
|
||||
+ * struct subdomain - primary label for confined tasks
|
||||
+ * @active: the current active profile
|
||||
+ * @hat_magic: the magic token controling the ability to leave a hat
|
||||
+ * @list: list this subdomain is on
|
||||
+ * @task: task that the subdomain confines
|
||||
+ *
|
||||
+ * Contains the tasks current active profile (which could change due to
|
||||
+ * change_hat). Plus the hat_magic needed during change_hat.
|
||||
+ *
|
||||
+ * N.B AppArmor's previous product name SubDomain was derived from the name
|
||||
+ * of this structure/concept (changehat reducing a task into a sub-domain).
|
||||
+ */
|
||||
+struct subdomain {
|
||||
+ struct aaprofile *active; /* The current active profile */
|
||||
+ u32 hat_magic; /* used with change_hat */
|
||||
+ struct list_head list; /* list of subdomains */
|
||||
+ struct task_struct *task;
|
||||
+};
|
||||
+
|
||||
+typedef int (*aa_iter) (struct subdomain *, void *);
|
||||
+
|
||||
+/* aa_path_data
|
||||
+ * temp (cookie) data used by aa_path_* functions, see inline.h
|
||||
+ */
|
||||
+struct aa_path_data {
|
||||
+ struct dentry *root, *dentry;
|
||||
+ struct namespace *namespace;
|
||||
+ struct list_head *head, *pos;
|
||||
+ int errno;
|
||||
+};
|
||||
+
|
||||
+#define AA_SUBDOMAIN(sec) ((struct subdomain*)(sec))
|
||||
+#define AA_PROFILE(sec) ((struct aaprofile*)(sec))
|
||||
+
|
||||
+/* Lock protecting access to 'struct subdomain' accesses */
|
||||
+extern spinlock_t sd_lock;
|
||||
+
|
||||
+extern struct aaprofile *null_complain_profile;
|
||||
+
|
||||
+/* aa_audit - AppArmor auditing structure
|
||||
+ * Structure is populated by access control code and passed to aa_audit which
|
||||
+ * provides for a single point of logging.
|
||||
+ */
|
||||
+
|
||||
+struct aa_audit {
|
||||
+ unsigned short type, flags;
|
||||
+ unsigned int result;
|
||||
+ unsigned int gfp_mask;
|
||||
+ int error_code;
|
||||
+
|
||||
+ const char *name;
|
||||
+ unsigned int ival;
|
||||
+ union {
|
||||
+ const void *pval;
|
||||
+ va_list vaval;
|
||||
+ };
|
||||
+};
|
||||
+
|
||||
+/* audit types */
|
||||
+#define AA_AUDITTYPE_FILE 1
|
||||
+#define AA_AUDITTYPE_DIR 2
|
||||
+#define AA_AUDITTYPE_ATTR 3
|
||||
+#define AA_AUDITTYPE_XATTR 4
|
||||
+#define AA_AUDITTYPE_LINK 5
|
||||
+#define AA_AUDITTYPE_CAP 6
|
||||
+#define AA_AUDITTYPE_MSG 7
|
||||
+#define AA_AUDITTYPE_SYSCALL 8
|
||||
+#define AA_AUDITTYPE__END 9
|
||||
+
|
||||
+/* audit flags */
|
||||
+#define AA_AUDITFLAG_AUDITSS_SYSCALL 1 /* log syscall context */
|
||||
+#define AA_AUDITFLAG_LOGERR 2 /* log operations that failed due to
|
||||
+ non permission errors */
|
||||
+
|
||||
+#define HINT_UNKNOWN_HAT "unknown_hat"
|
||||
+#define HINT_FORK "fork"
|
||||
+#define HINT_MANDPROF "missing_mandatory_profile"
|
||||
+#define HINT_CHGPROF "changing_profile"
|
||||
+
|
||||
+#define LOG_HINT(p, gfp, hint, fmt, args...) \
|
||||
+ do {\
|
||||
+ aa_audit_message(p, gfp, 0, \
|
||||
+ "LOGPROF-HINT " hint " " fmt, ##args);\
|
||||
+ } while(0)
|
||||
+
|
||||
+/* directory op type, for aa_perm_dir */
|
||||
+enum aa_diroptype {
|
||||
+ aa_dir_mkdir,
|
||||
+ aa_dir_rmdir
|
||||
+};
|
||||
+
|
||||
+/* xattr op type, for aa_xattr */
|
||||
+enum aa_xattroptype {
|
||||
+ aa_xattr_get,
|
||||
+ aa_xattr_set,
|
||||
+ aa_xattr_list,
|
||||
+ aa_xattr_remove
|
||||
+};
|
||||
+
|
||||
+#define BASE_PROFILE(p) ((p)->parent ? (p)->parent : (p))
|
||||
+#define IN_SUBPROFILE(p) ((p)->parent)
|
||||
+
|
||||
+/* main.c */
|
||||
+extern int alloc_null_complain_profile(void);
|
||||
+extern void free_null_complain_profile(void);
|
||||
+extern int attach_nullprofile(struct aaprofile *profile);
|
||||
+extern int aa_audit_message(struct aaprofile *active, unsigned int gfp, int,
|
||||
+ const char *, ...);
|
||||
+extern int aa_audit_syscallreject(struct aaprofile *active, unsigned int gfp,
|
||||
+ const char *);
|
||||
+extern int aa_audit(struct aaprofile *active, const struct aa_audit *);
|
||||
+extern char *aa_get_name(struct dentry *dentry, struct vfsmount *mnt);
|
||||
+
|
||||
+extern int aa_attr(struct aaprofile *active, struct dentry *dentry,
|
||||
+ struct iattr *iattr);
|
||||
+extern int aa_xattr(struct aaprofile *active, struct dentry *dentry,
|
||||
+ const char *xattr, enum aa_xattroptype xattroptype);
|
||||
+extern int aa_capability(struct aaprofile *active, int cap);
|
||||
+extern int aa_perm(struct aaprofile *active, struct dentry *dentry,
|
||||
+ struct vfsmount *mnt, int mask);
|
||||
+extern int aa_perm_nameidata(struct aaprofile *active, struct nameidata *nd,
|
||||
+ int mask);
|
||||
+extern int aa_perm_dentry(struct aaprofile *active, struct dentry *dentry,
|
||||
+ int mask);
|
||||
+extern int aa_perm_dir(struct aaprofile *active, struct dentry *dentry,
|
||||
+ enum aa_diroptype diroptype);
|
||||
+extern int aa_link(struct aaprofile *active,
|
||||
+ struct dentry *link, struct dentry *target);
|
||||
+extern int aa_fork(struct task_struct *p);
|
||||
+extern int aa_register(struct file *file);
|
||||
+extern void aa_release(struct task_struct *p);
|
||||
+extern int aa_change_hat(const char *id, u32 hat_magic);
|
||||
+extern int aa_associate_filp(struct file *filp);
|
||||
+
|
||||
+/* list.c */
|
||||
+extern struct aaprofile *aa_profilelist_find(const char *name);
|
||||
+extern int aa_profilelist_add(struct aaprofile *profile);
|
||||
+extern struct aaprofile *aa_profilelist_remove(const char *name);
|
||||
+extern void aa_profilelist_release(void);
|
||||
+extern struct aaprofile *aa_profilelist_replace(struct aaprofile *profile);
|
||||
+extern void aa_profile_dump(struct aaprofile *);
|
||||
+extern void aa_profilelist_dump(void);
|
||||
+extern void aa_subdomainlist_add(struct subdomain *);
|
||||
+extern void aa_subdomainlist_remove(struct subdomain *);
|
||||
+extern void aa_subdomainlist_iterate(aa_iter, void *);
|
||||
+extern void aa_subdomainlist_iterateremove(aa_iter, void *);
|
||||
+extern void aa_subdomainlist_release(void);
|
||||
+
|
||||
+/* module_interface.c */
|
||||
+extern ssize_t aa_file_prof_add(void *, size_t);
|
||||
+extern ssize_t aa_file_prof_repl(void *, size_t);
|
||||
+extern ssize_t aa_file_prof_remove(const char *, size_t);
|
||||
+extern void free_aaprofile(struct aaprofile *profile);
|
||||
+extern void free_aaprofile_kref(struct kref *kref);
|
||||
+
|
||||
+/* procattr.c */
|
||||
+extern size_t aa_getprocattr(struct aaprofile *active, char *str, size_t size);
|
||||
+extern int aa_setprocattr_changehat(char *hatinfo, size_t infosize);
|
||||
+extern int aa_setprocattr_setprofile(struct task_struct *p, char *profilename,
|
||||
+ size_t profilesize);
|
||||
+
|
||||
+/* apparmorfs.c */
|
||||
+extern int create_apparmorfs(void);
|
||||
+extern void destroy_apparmorfs(void);
|
||||
+
|
||||
+/* capabilities.c */
|
||||
+extern const char *capability_to_name(unsigned int cap);
|
||||
+
|
||||
+#endif /* __SUBDOMAIN_H */
|
||||
--- security/apparmor/inline.h.orig
|
||||
+++ security/apparmor/inline.h
|
||||
@@ -0,0 +1,333 @@
|
||||
+/*
|
||||
+ * Copyright (C) 2005 Novell/SUSE
|
||||
+ *
|
||||
+ * This program is free software; you can redistribute it and/or
|
||||
+ * modify it under the terms of the GNU General Public License as
|
||||
+ * published by the Free Software Foundation, version 2 of the
|
||||
+ * License.
|
||||
+ */
|
||||
+
|
||||
+#ifndef __INLINE_H
|
||||
+#define __INLINE_H
|
||||
+
|
||||
+#include <linux/namespace.h>
|
||||
+
|
||||
+static inline int __aa_is_confined(struct subdomain *sd)
|
||||
+{
|
||||
+ return (sd && sd->active);
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * aa_is_confined
|
||||
+ * Determine whether current task contains a valid profile (confined).
|
||||
+ * Return %1 if confined, %0 otherwise.
|
||||
+ */
|
||||
+static inline int aa_is_confined(void)
|
||||
+{
|
||||
+ struct subdomain *sd = AA_SUBDOMAIN(current->security);
|
||||
+ return __aa_is_confined(sd);
|
||||
+}
|
||||
+
|
||||
+static inline int __aa_sub_defined(struct subdomain *sd)
|
||||
+{
|
||||
+ return __aa_is_confined(sd) && !list_empty(&BASE_PROFILE(sd->active)->sub);
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * aa_sub_defined - check to see if current task has any subprofiles
|
||||
+ * Return 1 if true, 0 otherwise
|
||||
+ */
|
||||
+static inline int aa_sub_defined(void)
|
||||
+{
|
||||
+ struct subdomain *sd = AA_SUBDOMAIN(current->security);
|
||||
+ return __aa_sub_defined(sd);
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * get_aaprofile - increment refcount on profile @p
|
||||
+ * @p: profile
|
||||
+ */
|
||||
+static inline struct aaprofile *get_aaprofile(struct aaprofile *p)
|
||||
+{
|
||||
+ if (p)
|
||||
+ kref_get(&(BASE_PROFILE(p)->count));
|
||||
+
|
||||
+ return p;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * put_aaprofile - decrement refcount on profile @p
|
||||
+ * @p: profile
|
||||
+ */
|
||||
+static inline void put_aaprofile(struct aaprofile *p)
|
||||
+{
|
||||
+ if (p)
|
||||
+ kref_put(&BASE_PROFILE(p)->count, free_aaprofile_kref);
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * get_task_activeptr_rcu - get pointer to @tsk's active profile.
|
||||
+ * @tsk: task to get active profile from
|
||||
+ *
|
||||
+ * Requires rcu_read_lock is held
|
||||
+ */
|
||||
+static inline struct aaprofile *get_task_activeptr_rcu(struct task_struct *tsk)
|
||||
+{
|
||||
+ struct subdomain *sd = AA_SUBDOMAIN(tsk->security);
|
||||
+ struct aaprofile *active = NULL;
|
||||
+
|
||||
+ if (sd)
|
||||
+ active = (struct aaprofile *) rcu_dereference(sd->active);
|
||||
+
|
||||
+ return active;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * get_activeptr_rcu - get pointer to current task's active profile
|
||||
+ * Requires rcu_read_lock is held
|
||||
+ */
|
||||
+static inline struct aaprofile *get_activeptr_rcu(void)
|
||||
+{
|
||||
+ return get_task_activeptr_rcu(current);
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * get_task_active_aaprofile - get a reference to tsk's active profile.
|
||||
+ * @tsk: the task to get the active profile reference for
|
||||
+ */
|
||||
+static inline struct aaprofile *get_task_active_aaprofile(struct task_struct *tsk)
|
||||
+{
|
||||
+ struct aaprofile *active;
|
||||
+
|
||||
+ rcu_read_lock();
|
||||
+ active = get_aaprofile(get_task_activeptr_rcu(tsk));
|
||||
+ rcu_read_unlock();
|
||||
+
|
||||
+ return active;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * get_active_aaprofile - get a reference to the current tasks active profile
|
||||
+ */
|
||||
+static inline struct aaprofile *get_active_aaprofile(void)
|
||||
+{
|
||||
+ return get_task_active_aaprofile(current);
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * aa_switch - change subdomain to use a new profile
|
||||
+ * @sd: subdomain to switch the active profile on
|
||||
+ * @newactive: new active profile
|
||||
+ *
|
||||
+ * aa_switch handles the changing of a subdomain's active profile. The
|
||||
+ * sd_lock must be held to ensure consistency against other writers.
|
||||
+ * Some write paths (ex. aa_register) require sd->active not to change
|
||||
+ * over several operations, so the calling function is responsible
|
||||
+ * for grabing the sd_lock to meet its consistency constraints before
|
||||
+ * calling aa_switch
|
||||
+ */
|
||||
+static inline void aa_switch(struct subdomain *sd, struct aaprofile *newactive)
|
||||
+{
|
||||
+ struct aaprofile *oldactive = sd->active;
|
||||
+
|
||||
+ /* noop if NULL */
|
||||
+ rcu_assign_pointer(sd->active, get_aaprofile(newactive));
|
||||
+ put_aaprofile(oldactive);
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * aa_switch_unconfined - change subdomain to be unconfined (no profile)
|
||||
+ * @sd: subdomain to switch
|
||||
+ *
|
||||
+ * aa_switch_unconfined handles the removal of a subdomain's active profile.
|
||||
+ * The sd_lock must be held to ensure consistency against other writers.
|
||||
+ * Like aa_switch the sd_lock is used to maintain consistency.
|
||||
+ */
|
||||
+static inline void aa_switch_unconfined(struct subdomain *sd)
|
||||
+{
|
||||
+ aa_switch(sd, NULL);
|
||||
+
|
||||
+ /* reset magic in case we were in a subhat before */
|
||||
+ sd->hat_magic = 0;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * alloc_subdomain - allocate a new subdomain
|
||||
+ * @tsk: task struct
|
||||
+ *
|
||||
+ * Allocate a new subdomain including a backpointer to it's referring task.
|
||||
+ */
|
||||
+static inline struct subdomain *alloc_subdomain(struct task_struct *tsk)
|
||||
+{
|
||||
+ struct subdomain *sd;
|
||||
+
|
||||
+ sd = kzalloc(sizeof(struct subdomain), GFP_KERNEL);
|
||||
+ if (!sd)
|
||||
+ goto out;
|
||||
+
|
||||
+ /* back pointer to task */
|
||||
+ sd->task = tsk;
|
||||
+
|
||||
+ /* any readers of the list must make sure that they can handle
|
||||
+ * case where sd->active is not yet set (null)
|
||||
+ */
|
||||
+ aa_subdomainlist_add(sd);
|
||||
+
|
||||
+out:
|
||||
+ return sd;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * free_subdomain - Free a subdomain previously allocated by alloc_subdomain
|
||||
+ * @sd: subdomain
|
||||
+ */
|
||||
+static inline void free_subdomain(struct subdomain *sd)
|
||||
+{
|
||||
+ aa_subdomainlist_remove(sd);
|
||||
+ kfree(sd);
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * alloc_aaprofile - Allocate, initialize and return a new zeroed profile.
|
||||
+ * Returns NULL on failure.
|
||||
+ */
|
||||
+static inline struct aaprofile *alloc_aaprofile(void)
|
||||
+{
|
||||
+ struct aaprofile *profile;
|
||||
+
|
||||
+ profile = (struct aaprofile *)kzalloc(sizeof(struct aaprofile),
|
||||
+ GFP_KERNEL);
|
||||
+ AA_DEBUG("%s(%p)\n", __FUNCTION__, profile);
|
||||
+ if (profile) {
|
||||
+ int i;
|
||||
+
|
||||
+ INIT_LIST_HEAD(&profile->list);
|
||||
+ INIT_LIST_HEAD(&profile->sub);
|
||||
+ INIT_LIST_HEAD(&profile->file_entry);
|
||||
+ for (i = 0; i <= POS_AA_FILE_MAX; i++) {
|
||||
+ INIT_LIST_HEAD(&profile->file_entryp[i]);
|
||||
+ }
|
||||
+ INIT_RCU_HEAD(&profile->rcu);
|
||||
+ kref_init(&profile->count);
|
||||
+ }
|
||||
+ return profile;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * aa_put_name
|
||||
+ * @name: name to release.
|
||||
+ *
|
||||
+ * Release space (free_page) allocated to hold pathname
|
||||
+ * name may be NULL (checked for by free_page)
|
||||
+ */
|
||||
+static inline void aa_put_name(const char *name)
|
||||
+{
|
||||
+ free_page((unsigned long)name);
|
||||
+}
|
||||
+
|
||||
+/** __aa_find_profile
|
||||
+ * @name: name of profile to find
|
||||
+ * @head: list to search
|
||||
+ *
|
||||
+ * Return reference counted copy of profile. NULL if not found
|
||||
+ * Caller must hold any necessary locks
|
||||
+ */
|
||||
+static inline struct aaprofile *__aa_find_profile(const char *name,
|
||||
+ struct list_head *head)
|
||||
+{
|
||||
+ struct aaprofile *p;
|
||||
+
|
||||
+ if (!name || !head)
|
||||
+ return NULL;
|
||||
+
|
||||
+ AA_DEBUG("%s: finding profile %s\n", __FUNCTION__, name);
|
||||
+ list_for_each_entry(p, head, list) {
|
||||
+ if (!strcmp(p->name, name)) {
|
||||
+ /* return refcounted object */
|
||||
+ p = get_aaprofile(p);
|
||||
+ return p;
|
||||
+ } else {
|
||||
+ AA_DEBUG("%s: skipping %s\n", __FUNCTION__, p->name);
|
||||
+ }
|
||||
+ }
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
+/** __aa_path_begin
|
||||
+ * @rdentry: filesystem root dentry (searching for vfsmnts matching this)
|
||||
+ * @dentry: dentry object to obtain pathname from (relative to matched vfsmnt)
|
||||
+ *
|
||||
+ * Setup data for iterating over vfsmounts (in current tasks namespace).
|
||||
+ */
|
||||
+static inline void __aa_path_begin(struct dentry *rdentry,
|
||||
+ struct dentry *dentry,
|
||||
+ struct aa_path_data *data)
|
||||
+{
|
||||
+ data->dentry = dentry;
|
||||
+ data->root = dget(rdentry->d_sb->s_root);
|
||||
+ data->namespace = current->namespace;
|
||||
+ data->head = &data->namespace->list;
|
||||
+ data->pos = data->head->next;
|
||||
+ prefetch(data->pos->next);
|
||||
+ data->errno = 0;
|
||||
+
|
||||
+ down_read(&namespace_sem);
|
||||
+}
|
||||
+
|
||||
+/** aa_path_begin
|
||||
+ * @dentry: filesystem root dentry and object to obtain pathname from
|
||||
+ *
|
||||
+ * Utility function for calling _aa_path_begin for when the dentry we are
|
||||
+ * looking for and the root are the same (this is the usual case).
|
||||
+ */
|
||||
+static inline void aa_path_begin(struct dentry *dentry,
|
||||
+ struct aa_path_data *data)
|
||||
+{
|
||||
+ __aa_path_begin(dentry, dentry, data);
|
||||
+}
|
||||
+
|
||||
+/** aa_path_end
|
||||
+ * @data: data object previously initialized by aa_path_begin
|
||||
+ *
|
||||
+ * End iterating over vfsmounts.
|
||||
+ * If an error occured in begin or get, it is returned. Otherwise 0.
|
||||
+ */
|
||||
+static inline int aa_path_end(struct aa_path_data *data)
|
||||
+{
|
||||
+ up_read(&namespace_sem);
|
||||
+ dput(data->root);
|
||||
+
|
||||
+ return data->errno;
|
||||
+}
|
||||
+
|
||||
+/** aa_path_getname
|
||||
+ * @data: data object previously initialized by aa_path_begin
|
||||
+ *
|
||||
+ * Return the next mountpoint which has the same root dentry as data->root.
|
||||
+ * If no more mount points exist (or in case of error) NULL is returned
|
||||
+ * (caller should call aa_path_end() and inspect return code to differentiate)
|
||||
+ */
|
||||
+static inline char *aa_path_getname(struct aa_path_data *data)
|
||||
+{
|
||||
+ char *name = NULL;
|
||||
+ struct vfsmount *mnt;
|
||||
+
|
||||
+ while (data->pos != data->head) {
|
||||
+ mnt = list_entry(data->pos, struct vfsmount, mnt_list);
|
||||
+
|
||||
+ /* advance to next -- so that it is done before we break */
|
||||
+ data->pos = data->pos->next;
|
||||
+ prefetch(data->pos->next);
|
||||
+
|
||||
+ if (mnt->mnt_root == data->root) {
|
||||
+ name = aa_get_name(data->dentry, mnt);
|
||||
+ if (!name)
|
||||
+ data->errno = -ENOMEM;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return name;
|
||||
+}
|
||||
+
|
||||
+#endif /* __INLINE_H__ */
|
||||
--- security/apparmor/shared.h.orig
|
||||
+++ security/apparmor/shared.h
|
||||
@@ -0,0 +1,41 @@
|
||||
+/*
|
||||
+ * Copyright (C) 2000, 2001, 2004, 2005 Novell/SUSE
|
||||
+ *
|
||||
+ * Immunix AppArmor LSM
|
||||
+ *
|
||||
+ * This program is free software; you can redistribute it and/or
|
||||
+ * modify it under the terms of the GNU General Public License as
|
||||
+ * published by the Free Software Foundation, version 2 of the
|
||||
+ * License.
|
||||
+ */
|
||||
+
|
||||
+#ifndef _SHARED_H
|
||||
+#define _SHARED_H
|
||||
+
|
||||
+/* start of system offsets */
|
||||
+#define POS_AA_FILE_MIN 0
|
||||
+#define POS_AA_MAY_EXEC POS_AA_FILE_MIN
|
||||
+#define POS_AA_MAY_WRITE (POS_AA_MAY_EXEC + 1)
|
||||
+#define POS_AA_MAY_READ (POS_AA_MAY_WRITE + 1)
|
||||
+#define POS_AA_MAY_APPEND (POS_AA_MAY_READ + 1)
|
||||
+/* end of system offsets */
|
||||
+
|
||||
+#define POS_AA_MAY_LINK (POS_AA_MAY_APPEND + 1)
|
||||
+#define POS_AA_EXEC_INHERIT (POS_AA_MAY_LINK + 1)
|
||||
+#define POS_AA_EXEC_UNCONSTRAINED (POS_AA_EXEC_INHERIT + 1)
|
||||
+#define POS_AA_EXEC_PROFILE (POS_AA_EXEC_UNCONSTRAINED + 1)
|
||||
+#define POS_AA_FILE_MAX POS_AA_EXEC_PROFILE
|
||||
+
|
||||
+/* Modeled after MAY_READ, MAY_WRITE, MAY_EXEC def'ns */
|
||||
+#define AA_MAY_EXEC (0x01 << POS_AA_MAY_EXEC)
|
||||
+#define AA_MAY_WRITE (0x01 << POS_AA_MAY_WRITE)
|
||||
+#define AA_MAY_READ (0x01 << POS_AA_MAY_READ)
|
||||
+#define AA_MAY_LINK (0x01 << POS_AA_MAY_LINK)
|
||||
+#define AA_EXEC_INHERIT (0x01 << POS_AA_EXEC_INHERIT)
|
||||
+#define AA_EXEC_UNCONSTRAINED (0x01 << POS_AA_EXEC_UNCONSTRAINED)
|
||||
+#define AA_EXEC_PROFILE (0x01 << POS_AA_EXEC_PROFILE)
|
||||
+#define AA_EXEC_MODIFIERS(X) (X & (AA_EXEC_INHERIT | \
|
||||
+ A_EXEC_UNCONSTRAINED | \
|
||||
+ AA_EXEC_PROFILE))
|
||||
+
|
||||
+#endif /* _SHARED_H */
|
||||
-
|
||||
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
||||
Please read the FAQ at http://www.tux.org/lkml/
|
@ -1,880 +0,0 @@
|
||||
Implements the lsm interface used by AppArmor.
|
||||
|
||||
The code composes the functionality provided by commoncap therefore there
|
||||
is no requirement for it to stack with the capability module.
|
||||
|
||||
See linux/include/security.h for a full description of all the LSM hooks.
|
||||
|
||||
Consistency of the subdomain (task) data is implemented on the reader side
|
||||
via rcu. Logical consistency across profile replacement/removal and change
|
||||
hat is provided via the spinlock sd_lock. Since profile manipulation and
|
||||
change_hat are infrequent, most syscall accesses requires no spin lock.
|
||||
|
||||
Certain syscalls are prevented for confined processes. These are:
|
||||
ptrace
|
||||
mount
|
||||
umount
|
||||
sysctl writes also require CAP_SYS_ADMIN
|
||||
|
||||
File access checks are performed when a file is initially opened
|
||||
(inode_permission) and cached to avoid revalidation unless where necessary
|
||||
(passing descriptors between tasks confined with differing profiles, and
|
||||
profile replacement, for example). Further patches are in development
|
||||
to support caching of multiple profiles against an open file to minimise
|
||||
the need for subsequent revalidation across profiles.
|
||||
|
||||
|
||||
Signed-off-by: Tony Jones <tonyj@suse.de>
|
||||
|
||||
---
|
||||
security/apparmor/lsm.c | 840 ++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
1 files changed, 840 insertions(+)
|
||||
|
||||
--- security/apparmor/lsm.c.orig
|
||||
+++ security/apparmor/lsm.c
|
||||
@@ -0,0 +1,840 @@
|
||||
+/*
|
||||
+ * Copyright (C) 2002-2005 Novell/SUSE
|
||||
+ *
|
||||
+ * This program is free software; you can redistribute it and/or
|
||||
+ * modify it under the terms of the GNU General Public License as
|
||||
+ * published by the Free Software Foundation, version 2 of the
|
||||
+ * License.
|
||||
+ *
|
||||
+ * http://forge.novell.com/modules/xfmod/project/?apparmor
|
||||
+ *
|
||||
+ * Immunix AppArmor LSM interface
|
||||
+ */
|
||||
+
|
||||
+#include <linux/security.h>
|
||||
+#include <linux/module.h>
|
||||
+#include <linux/mman.h>
|
||||
+
|
||||
+#include "apparmor.h"
|
||||
+#include "inline.h"
|
||||
+
|
||||
+/* struct subdomain write update lock (read side is RCU). */
|
||||
+spinlock_t sd_lock = SPIN_LOCK_UNLOCKED;
|
||||
+
|
||||
+/* Flag values, also controllable via apparmorfs/control.
|
||||
+ * We explicitly do not allow these to be modifiable when exported via
|
||||
+ * /sys/modules/parameters, as we want to do additional mediation and
|
||||
+ * don't want to add special path code. */
|
||||
+
|
||||
+/* Complain mode -- in complain mode access failures result in auditing only
|
||||
+ * and task is allowed access. audit events are processed by userspace to
|
||||
+ * generate policy. Default is 'enforce' (0).
|
||||
+ * Value is also togglable per profile and referenced when global value is
|
||||
+ * enforce.
|
||||
+ */
|
||||
+int apparmor_complain = 0;
|
||||
+module_param_named(complain, apparmor_complain, int, S_IRUSR);
|
||||
+MODULE_PARM_DESC(apparmor_complain, "Toggle AppArmor complain mode");
|
||||
+
|
||||
+/* Debug mode */
|
||||
+int apparmor_debug = 0;
|
||||
+module_param_named(debug, apparmor_debug, int, S_IRUSR);
|
||||
+MODULE_PARM_DESC(apparmor_debug, "Toggle AppArmor debug mode");
|
||||
+
|
||||
+/* Audit mode */
|
||||
+int apparmor_audit = 0;
|
||||
+module_param_named(audit, apparmor_audit, int, S_IRUSR);
|
||||
+MODULE_PARM_DESC(apparmor_audit, "Toggle AppArmor audit mode");
|
||||
+
|
||||
+/* Syscall logging mode */
|
||||
+int apparmor_logsyscall = 0;
|
||||
+module_param_named(logsyscall, apparmor_logsyscall, int, S_IRUSR);
|
||||
+MODULE_PARM_DESC(apparmor_logsyscall, "Toggle AppArmor logsyscall mode");
|
||||
+
|
||||
+#ifndef MODULE
|
||||
+static int __init aa_getopt_complain(char *str)
|
||||
+{
|
||||
+ get_option(&str, &apparmor_complain);
|
||||
+ return 1;
|
||||
+}
|
||||
+__setup("apparmor_complain=", aa_getopt_complain);
|
||||
+
|
||||
+static int __init aa_getopt_debug(char *str)
|
||||
+{
|
||||
+ get_option(&str, &apparmor_debug);
|
||||
+ return 1;
|
||||
+}
|
||||
+__setup("apparmor_debug=", aa_getopt_debug);
|
||||
+
|
||||
+static int __init aa_getopt_audit(char *str)
|
||||
+{
|
||||
+ get_option(&str, &apparmor_audit);
|
||||
+ return 1;
|
||||
+}
|
||||
+__setup("apparmor_audit=", aa_getopt_audit);
|
||||
+
|
||||
+static int __init aa_getopt_logsyscall(char *str)
|
||||
+{
|
||||
+ get_option(&str, &apparmor_logsyscall);
|
||||
+ return 1;
|
||||
+}
|
||||
+__setup("apparmor_logsyscall=", aa_getopt_logsyscall);
|
||||
+#endif
|
||||
+
|
||||
+static int apparmor_ptrace(struct task_struct *parent,
|
||||
+ struct task_struct *child)
|
||||
+{
|
||||
+ int error;
|
||||
+ struct aaprofile *active;
|
||||
+
|
||||
+ error = cap_ptrace(parent, child);
|
||||
+
|
||||
+ active = get_active_aaprofile();
|
||||
+
|
||||
+ if (!error && active) {
|
||||
+ error = aa_audit_syscallreject(active, GFP_KERNEL, "ptrace");
|
||||
+ WARN_ON(error != -EPERM);
|
||||
+ }
|
||||
+
|
||||
+ put_aaprofile(active);
|
||||
+
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+static int apparmor_capget(struct task_struct *target,
|
||||
+ kernel_cap_t *effective,
|
||||
+ kernel_cap_t *inheritable,
|
||||
+ kernel_cap_t *permitted)
|
||||
+{
|
||||
+ return cap_capget(target, effective, inheritable, permitted);
|
||||
+}
|
||||
+
|
||||
+static int apparmor_capset_check(struct task_struct *target,
|
||||
+ kernel_cap_t *effective,
|
||||
+ kernel_cap_t *inheritable,
|
||||
+ kernel_cap_t *permitted)
|
||||
+{
|
||||
+ return cap_capset_check(target, effective, inheritable, permitted);
|
||||
+}
|
||||
+
|
||||
+static void apparmor_capset_set(struct task_struct *target,
|
||||
+ kernel_cap_t *effective,
|
||||
+ kernel_cap_t *inheritable,
|
||||
+ kernel_cap_t *permitted)
|
||||
+{
|
||||
+ cap_capset_set(target, effective, inheritable, permitted);
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
+static int apparmor_capable(struct task_struct *tsk, int cap)
|
||||
+{
|
||||
+ int error;
|
||||
+
|
||||
+ /* cap_capable returns 0 on success, else -EPERM */
|
||||
+ error = cap_capable(tsk, cap);
|
||||
+
|
||||
+ if (error == 0) {
|
||||
+ struct aaprofile *active;
|
||||
+
|
||||
+ active = get_task_active_aaprofile(tsk);
|
||||
+
|
||||
+ if (active)
|
||||
+ error = aa_capability(active, cap);
|
||||
+
|
||||
+ put_aaprofile(active);
|
||||
+ }
|
||||
+
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+static int apparmor_sysctl(struct ctl_table *table, int op)
|
||||
+{
|
||||
+ int error = 0;
|
||||
+ struct aaprofile *active;
|
||||
+
|
||||
+ active = get_active_aaprofile();
|
||||
+
|
||||
+ if ((op & 002) && active && !capable(CAP_SYS_ADMIN)) {
|
||||
+ error = aa_audit_syscallreject(active, GFP_KERNEL,
|
||||
+ "sysctl (write)");
|
||||
+ WARN_ON(error != -EPERM);
|
||||
+ }
|
||||
+
|
||||
+ put_aaprofile(active);
|
||||
+
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+static int apparmor_syslog(int type)
|
||||
+{
|
||||
+ return cap_syslog(type);
|
||||
+}
|
||||
+
|
||||
+static int apparmor_netlink_send(struct sock *sk, struct sk_buff *skb)
|
||||
+{
|
||||
+ return cap_netlink_send(sk, skb);
|
||||
+}
|
||||
+
|
||||
+static int apparmor_netlink_recv(struct sk_buff *skb)
|
||||
+{
|
||||
+ return cap_netlink_recv(skb);
|
||||
+}
|
||||
+
|
||||
+static void apparmor_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
|
||||
+{
|
||||
+ cap_bprm_apply_creds(bprm, unsafe);
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
+static int apparmor_bprm_set_security(struct linux_binprm *bprm)
|
||||
+{
|
||||
+ /* handle capability bits with setuid, etc */
|
||||
+ cap_bprm_set_security(bprm);
|
||||
+ /* already set based on script name */
|
||||
+ if (bprm->sh_bang)
|
||||
+ return 0;
|
||||
+ return aa_register(bprm->file);
|
||||
+}
|
||||
+
|
||||
+static int apparmor_sb_mount(char *dev_name, struct nameidata *nd, char *type,
|
||||
+ unsigned long flags, void *data)
|
||||
+{
|
||||
+ int error = 0;
|
||||
+ struct aaprofile *active;
|
||||
+
|
||||
+ active = get_active_aaprofile();
|
||||
+
|
||||
+ if (active) {
|
||||
+ error = aa_audit_syscallreject(active, GFP_KERNEL, "mount");
|
||||
+ WARN_ON(error != -EPERM);
|
||||
+ }
|
||||
+
|
||||
+ put_aaprofile(active);
|
||||
+
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+static int apparmor_umount(struct vfsmount *mnt, int flags)
|
||||
+{
|
||||
+ int error = 0;
|
||||
+ struct aaprofile *active;
|
||||
+
|
||||
+ active = get_active_aaprofile();
|
||||
+
|
||||
+ if (active) {
|
||||
+ error = aa_audit_syscallreject(active, GFP_KERNEL, "umount");
|
||||
+ WARN_ON(error != -EPERM);
|
||||
+ }
|
||||
+
|
||||
+ put_aaprofile(active);
|
||||
+
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+static int apparmor_inode_mkdir(struct inode *inode, struct dentry *dentry,
|
||||
+ int mask)
|
||||
+{
|
||||
+ struct aaprofile *active;
|
||||
+ int error = 0;
|
||||
+
|
||||
+ active = get_active_aaprofile();
|
||||
+
|
||||
+ if (active)
|
||||
+ error = aa_perm_dir(active, dentry, aa_dir_mkdir);
|
||||
+
|
||||
+ put_aaprofile(active);
|
||||
+
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+static int apparmor_inode_rmdir(struct inode *inode, struct dentry *dentry)
|
||||
+{
|
||||
+ struct aaprofile *active;
|
||||
+ int error = 0;
|
||||
+
|
||||
+ active = get_active_aaprofile();
|
||||
+
|
||||
+ if (active)
|
||||
+ error = aa_perm_dir(active, dentry, aa_dir_rmdir);
|
||||
+
|
||||
+ put_aaprofile(active);
|
||||
+
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+static int apparmor_inode_create(struct inode *inode, struct dentry *dentry,
|
||||
+ int mask)
|
||||
+{
|
||||
+ struct aaprofile *active;
|
||||
+ int error = 0;
|
||||
+
|
||||
+ active = get_active_aaprofile();
|
||||
+
|
||||
+ /* At a minimum, need write perm to create */
|
||||
+ if (active)
|
||||
+ error = aa_perm_dentry(active, dentry, MAY_WRITE);
|
||||
+
|
||||
+ put_aaprofile(active);
|
||||
+
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+static int apparmor_inode_link(struct dentry *old_dentry, struct inode *inode,
|
||||
+ struct dentry *new_dentry)
|
||||
+{
|
||||
+ int error = 0;
|
||||
+ struct aaprofile *active;
|
||||
+
|
||||
+ active = get_active_aaprofile();
|
||||
+
|
||||
+ if (active)
|
||||
+ error = aa_link(active, new_dentry, old_dentry);
|
||||
+
|
||||
+ put_aaprofile(active);
|
||||
+
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+static int apparmor_inode_unlink(struct inode *inode, struct dentry *dentry)
|
||||
+{
|
||||
+ struct aaprofile *active;
|
||||
+ int error = 0;
|
||||
+
|
||||
+ active = get_active_aaprofile();
|
||||
+
|
||||
+ if (active)
|
||||
+ error = aa_perm_dentry(active, dentry, MAY_WRITE);
|
||||
+
|
||||
+ put_aaprofile(active);
|
||||
+
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+static int apparmor_inode_mknod(struct inode *inode, struct dentry *dentry,
|
||||
+ int mode, dev_t dev)
|
||||
+{
|
||||
+ struct aaprofile *active;
|
||||
+ int error = 0;
|
||||
+
|
||||
+ active = get_active_aaprofile();
|
||||
+
|
||||
+ if (active)
|
||||
+ error = aa_perm_dentry(active, dentry, MAY_WRITE);
|
||||
+
|
||||
+ put_aaprofile(active);
|
||||
+
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+static int apparmor_inode_rename(struct inode *old_inode,
|
||||
+ struct dentry *old_dentry,
|
||||
+ struct inode *new_inode,
|
||||
+ struct dentry *new_dentry)
|
||||
+{
|
||||
+ struct aaprofile *active;
|
||||
+ int error = 0;
|
||||
+
|
||||
+ active = get_active_aaprofile();
|
||||
+
|
||||
+ if (active) {
|
||||
+ error = aa_perm_dentry(active, old_dentry, MAY_READ |
|
||||
+ MAY_WRITE);
|
||||
+
|
||||
+ if (!error)
|
||||
+ error = aa_perm_dentry(active, new_dentry,
|
||||
+ MAY_WRITE);
|
||||
+ }
|
||||
+
|
||||
+ put_aaprofile(active);
|
||||
+
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+static int apparmor_inode_permission(struct inode *inode, int mask,
|
||||
+ struct nameidata *nd)
|
||||
+{
|
||||
+ int error = 0;
|
||||
+
|
||||
+ /* Do not perform check on pipes or sockets
|
||||
+ * Same as apparmor_file_permission
|
||||
+ */
|
||||
+ if (VALID_FSTYPE(inode)) {
|
||||
+ struct aaprofile *active;
|
||||
+
|
||||
+ active = get_active_aaprofile();
|
||||
+ if (active)
|
||||
+ error = aa_perm_nameidata(active, nd, mask);
|
||||
+ put_aaprofile(active);
|
||||
+ }
|
||||
+
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+static int apparmor_inode_setattr(struct dentry *dentry, struct iattr *iattr)
|
||||
+{
|
||||
+ int error = 0;
|
||||
+
|
||||
+ if (VALID_FSTYPE(dentry->d_inode)) {
|
||||
+ struct aaprofile *active;
|
||||
+
|
||||
+ active = get_active_aaprofile();
|
||||
+ /*
|
||||
+ * Mediate any attempt to change attributes of a file
|
||||
+ * (chmod, chown, chgrp, etc)
|
||||
+ */
|
||||
+ if (active)
|
||||
+ error = aa_attr(active, dentry, iattr);
|
||||
+
|
||||
+ put_aaprofile(active);
|
||||
+ }
|
||||
+
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+static int apparmor_inode_setxattr(struct dentry *dentry, char *name,
|
||||
+ void *value, size_t size, int flags)
|
||||
+{
|
||||
+ int error = 0;
|
||||
+
|
||||
+ if (VALID_FSTYPE(dentry->d_inode)) {
|
||||
+ struct aaprofile *active;
|
||||
+
|
||||
+ active = get_active_aaprofile();
|
||||
+ if (active)
|
||||
+ error = aa_xattr(active, dentry, name, aa_xattr_set);
|
||||
+ put_aaprofile(active);
|
||||
+ }
|
||||
+
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+static int apparmor_inode_getxattr(struct dentry *dentry, char *name)
|
||||
+{
|
||||
+ int error = 0;
|
||||
+
|
||||
+ if (VALID_FSTYPE(dentry->d_inode)) {
|
||||
+ struct aaprofile *active;
|
||||
+
|
||||
+ active = get_active_aaprofile();
|
||||
+ if (active)
|
||||
+ error = aa_xattr(active, dentry, name, aa_xattr_get);
|
||||
+ put_aaprofile(active);
|
||||
+ }
|
||||
+
|
||||
+ return error;
|
||||
+}
|
||||
+static int apparmor_inode_listxattr(struct dentry *dentry)
|
||||
+{
|
||||
+ int error = 0;
|
||||
+
|
||||
+ if (VALID_FSTYPE(dentry->d_inode)) {
|
||||
+ struct aaprofile *active;
|
||||
+
|
||||
+ active = get_active_aaprofile();
|
||||
+ if (active)
|
||||
+ error = aa_xattr(active, dentry, NULL, aa_xattr_list);
|
||||
+ put_aaprofile(active);
|
||||
+ }
|
||||
+
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+static int apparmor_inode_removexattr(struct dentry *dentry, char *name)
|
||||
+{
|
||||
+ int error = 0;
|
||||
+
|
||||
+ if (VALID_FSTYPE(dentry->d_inode)) {
|
||||
+ struct aaprofile *active;
|
||||
+
|
||||
+ active = get_active_aaprofile();
|
||||
+ if (active)
|
||||
+ error = aa_xattr(active, dentry, name,
|
||||
+ aa_xattr_remove);
|
||||
+ put_aaprofile(active);
|
||||
+ }
|
||||
+
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+static int apparmor_file_permission(struct file *file, int mask)
|
||||
+{
|
||||
+ struct aaprofile *active;
|
||||
+ struct aaprofile *f_profile;
|
||||
+ int error = 0;
|
||||
+
|
||||
+ f_profile = AA_PROFILE(file->f_security);
|
||||
+ /* bail out early if this isn't a mediated file */
|
||||
+ if (!(f_profile && VALID_FSTYPE(file->f_dentry->d_inode)))
|
||||
+ goto out;
|
||||
+
|
||||
+ active = get_active_aaprofile();
|
||||
+ if (active && f_profile != active)
|
||||
+ error = aa_perm(active, file->f_dentry, file->f_vfsmnt,
|
||||
+ mask & (MAY_EXEC | MAY_WRITE | MAY_READ));
|
||||
+ put_aaprofile(active);
|
||||
+
|
||||
+out:
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+static int apparmor_file_alloc_security(struct file *file)
|
||||
+{
|
||||
+ struct aaprofile *active;
|
||||
+
|
||||
+ active = get_active_aaprofile();
|
||||
+ file->f_security = get_aaprofile(active);
|
||||
+ put_aaprofile(active);
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static void apparmor_file_free_security(struct file *file)
|
||||
+{
|
||||
+ struct aaprofile *p = AA_PROFILE(file->f_security);
|
||||
+ put_aaprofile(p);
|
||||
+}
|
||||
+
|
||||
+static int apparmor_file_mmap(struct file *file, unsigned long reqprot,
|
||||
+ unsigned long prot, unsigned long flags)
|
||||
+{
|
||||
+ int error = 0, mask = 0;
|
||||
+ struct aaprofile *active;
|
||||
+
|
||||
+ if (!file)
|
||||
+ goto out;
|
||||
+
|
||||
+ active = get_active_aaprofile();
|
||||
+
|
||||
+ if (prot & PROT_READ)
|
||||
+ mask |= MAY_READ;
|
||||
+ /* Private mappings don't require write perms since they don't
|
||||
+ * write back to the files */
|
||||
+ if (prot & PROT_WRITE && !(flags & MAP_PRIVATE))
|
||||
+ mask |= MAY_WRITE;
|
||||
+ if (prot & PROT_EXEC)
|
||||
+ mask |= MAY_EXEC;
|
||||
+
|
||||
+ AA_DEBUG("%s: 0x%x\n", __FUNCTION__, mask);
|
||||
+
|
||||
+ error = aa_perm(active, file->f_dentry, file->f_vfsmnt, mask);
|
||||
+
|
||||
+ put_aaprofile(active);
|
||||
+
|
||||
+out:
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+static int apparmor_task_alloc_security(struct task_struct *p)
|
||||
+{
|
||||
+ return aa_fork(p);
|
||||
+}
|
||||
+
|
||||
+static void apparmor_task_free_security(struct task_struct *p)
|
||||
+{
|
||||
+ aa_release(p);
|
||||
+}
|
||||
+
|
||||
+static int apparmor_task_post_setuid(uid_t id0, uid_t id1, uid_t id2,
|
||||
+ int flags)
|
||||
+{
|
||||
+ return cap_task_post_setuid(id0, id1, id2, flags);
|
||||
+}
|
||||
+
|
||||
+static void apparmor_task_reparent_to_init(struct task_struct *p)
|
||||
+{
|
||||
+ cap_task_reparent_to_init(p);
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
+static int apparmor_getprocattr(struct task_struct *p, char *name, void *value,
|
||||
+ size_t size)
|
||||
+{
|
||||
+ int error;
|
||||
+ struct aaprofile *active;
|
||||
+ char *str = value;
|
||||
+
|
||||
+ /* Subdomain only supports the "current" process attribute */
|
||||
+ if (strcmp(name, "current") != 0) {
|
||||
+ error = -EINVAL;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ if (!size) {
|
||||
+ error = -ERANGE;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ /* must be task querying itself or admin */
|
||||
+ if (current != p && !capable(CAP_SYS_ADMIN)) {
|
||||
+ error = -EPERM;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ active = get_task_active_aaprofile(p);
|
||||
+ error = aa_getprocattr(active, str, size);
|
||||
+ put_aaprofile(active);
|
||||
+
|
||||
+out:
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+static int apparmor_setprocattr(struct task_struct *p, char *name, void *value,
|
||||
+ size_t size)
|
||||
+{
|
||||
+ const char *cmd_changehat = "changehat ",
|
||||
+ *cmd_setprofile = "setprofile ";
|
||||
+
|
||||
+ int error = -EACCES; /* default to a perm denied */
|
||||
+ char *cmd = (char *)value;
|
||||
+
|
||||
+ /* only support messages to current */
|
||||
+ if (strcmp(name, "current") != 0) {
|
||||
+ error = -EINVAL;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ if (!size) {
|
||||
+ error = -ERANGE;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ /* CHANGE HAT -- switch task into a subhat (subprofile) if defined */
|
||||
+ if (size > strlen(cmd_changehat) &&
|
||||
+ strncmp(cmd, cmd_changehat, strlen(cmd_changehat)) == 0) {
|
||||
+ char *hatinfo = cmd + strlen(cmd_changehat);
|
||||
+ size_t infosize = size - strlen(cmd_changehat);
|
||||
+
|
||||
+ /* Only the current process may change it's hat */
|
||||
+ if (current != p) {
|
||||
+ AA_WARN("%s: Attempt by foreign task %s(%d) "
|
||||
+ "[user %d] to changehat of task %s(%d)\n",
|
||||
+ __FUNCTION__,
|
||||
+ current->comm,
|
||||
+ current->pid,
|
||||
+ current->uid,
|
||||
+ p->comm,
|
||||
+ p->pid);
|
||||
+
|
||||
+ error = -EACCES;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ error = aa_setprocattr_changehat(hatinfo, infosize);
|
||||
+ if (error == 0)
|
||||
+ /* success, set return to #bytes in orig request */
|
||||
+ error = size;
|
||||
+
|
||||
+ /* SET NEW PROFILE */
|
||||
+ } else if (size > strlen(cmd_setprofile) &&
|
||||
+ strncmp(cmd, cmd_setprofile, strlen(cmd_setprofile)) == 0) {
|
||||
+ struct aaprofile *active;
|
||||
+
|
||||
+ /* only an unconfined process with admin capabilities
|
||||
+ * may change the profile of another task
|
||||
+ */
|
||||
+
|
||||
+ if (!capable(CAP_SYS_ADMIN)) {
|
||||
+ AA_WARN("%s: Unprivileged attempt by task %s(%d) "
|
||||
+ "[user %d] to assign profile to task %s(%d)\n",
|
||||
+ __FUNCTION__,
|
||||
+ current->comm,
|
||||
+ current->pid,
|
||||
+ current->uid,
|
||||
+ p->comm,
|
||||
+ p->pid);
|
||||
+ error = -EACCES;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ active = get_active_aaprofile();
|
||||
+ if (!active) {
|
||||
+ char *profile = cmd + strlen(cmd_setprofile);
|
||||
+ size_t profilesize = size - strlen(cmd_setprofile);
|
||||
+
|
||||
+ error = aa_setprocattr_setprofile(p, profile, profilesize);
|
||||
+ if (error == 0)
|
||||
+ /* success,
|
||||
+ * set return to #bytes in orig request
|
||||
+ */
|
||||
+ error = size;
|
||||
+ } else {
|
||||
+ AA_WARN("%s: Attempt by confined task %s(%d) "
|
||||
+ "[user %d] to assign profile to task %s(%d)\n",
|
||||
+ __FUNCTION__,
|
||||
+ current->comm,
|
||||
+ current->pid,
|
||||
+ current->uid,
|
||||
+ p->comm,
|
||||
+ p->pid);
|
||||
+
|
||||
+ error = -EACCES;
|
||||
+ }
|
||||
+ put_aaprofile(active);
|
||||
+ } else {
|
||||
+ /* unknown operation */
|
||||
+ AA_WARN("%s: Unknown setprocattr command '%.*s' by task %s(%d) "
|
||||
+ "[user %d] for task %s(%d)\n",
|
||||
+ __FUNCTION__,
|
||||
+ size < 16 ? (int)size : 16,
|
||||
+ cmd,
|
||||
+ current->comm,
|
||||
+ current->pid,
|
||||
+ current->uid,
|
||||
+ p->comm,
|
||||
+ p->pid);
|
||||
+
|
||||
+ error = -EINVAL;
|
||||
+ }
|
||||
+
|
||||
+out:
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+struct security_operations apparmor_ops = {
|
||||
+ .ptrace = apparmor_ptrace,
|
||||
+ .capget = apparmor_capget,
|
||||
+ .capset_check = apparmor_capset_check,
|
||||
+ .capset_set = apparmor_capset_set,
|
||||
+ .sysctl = apparmor_sysctl,
|
||||
+ .capable = apparmor_capable,
|
||||
+ .syslog = apparmor_syslog,
|
||||
+
|
||||
+ .netlink_send = apparmor_netlink_send,
|
||||
+ .netlink_recv = apparmor_netlink_recv,
|
||||
+
|
||||
+ .bprm_apply_creds = apparmor_bprm_apply_creds,
|
||||
+ .bprm_set_security = apparmor_bprm_set_security,
|
||||
+
|
||||
+ .sb_mount = apparmor_sb_mount,
|
||||
+ .sb_umount = apparmor_umount,
|
||||
+
|
||||
+ .inode_mkdir = apparmor_inode_mkdir,
|
||||
+ .inode_rmdir = apparmor_inode_rmdir,
|
||||
+ .inode_create = apparmor_inode_create,
|
||||
+ .inode_link = apparmor_inode_link,
|
||||
+ .inode_unlink = apparmor_inode_unlink,
|
||||
+ .inode_mknod = apparmor_inode_mknod,
|
||||
+ .inode_rename = apparmor_inode_rename,
|
||||
+ .inode_permission = apparmor_inode_permission,
|
||||
+ .inode_setattr = apparmor_inode_setattr,
|
||||
+ .inode_setxattr = apparmor_inode_setxattr,
|
||||
+ .inode_getxattr = apparmor_inode_getxattr,
|
||||
+ .inode_listxattr = apparmor_inode_listxattr,
|
||||
+ .inode_removexattr = apparmor_inode_removexattr,
|
||||
+ .file_permission = apparmor_file_permission,
|
||||
+ .file_alloc_security = apparmor_file_alloc_security,
|
||||
+ .file_free_security = apparmor_file_free_security,
|
||||
+ .file_mmap = apparmor_file_mmap,
|
||||
+
|
||||
+ .task_alloc_security = apparmor_task_alloc_security,
|
||||
+ .task_free_security = apparmor_task_free_security,
|
||||
+ .task_post_setuid = apparmor_task_post_setuid,
|
||||
+ .task_reparent_to_init = apparmor_task_reparent_to_init,
|
||||
+
|
||||
+ .getprocattr = apparmor_getprocattr,
|
||||
+ .setprocattr = apparmor_setprocattr,
|
||||
+};
|
||||
+
|
||||
+static int __init apparmor_init(void)
|
||||
+{
|
||||
+ int error;
|
||||
+ const char *complainmsg = ": complainmode enabled";
|
||||
+
|
||||
+ if ((error = create_apparmorfs())) {
|
||||
+ AA_ERROR("Unable to activate AppArmor filesystem\n");
|
||||
+ goto createfs_out;
|
||||
+ }
|
||||
+
|
||||
+ if ((error = alloc_null_complain_profile())){
|
||||
+ AA_ERROR("Unable to allocate null complain profile\n");
|
||||
+ goto alloc_out;
|
||||
+ }
|
||||
+
|
||||
+ if ((error = register_security(&apparmor_ops))) {
|
||||
+ AA_ERROR("Unable to load AppArmor\n");
|
||||
+ goto register_security_out;
|
||||
+ }
|
||||
+
|
||||
+ AA_INFO("AppArmor initialized%s\n",
|
||||
+ apparmor_complain ? complainmsg : "");
|
||||
+ aa_audit_message(NULL, GFP_KERNEL, 0,
|
||||
+ "AppArmor initialized%s\n",
|
||||
+ apparmor_complain ? complainmsg : "");
|
||||
+
|
||||
+ return error;
|
||||
+
|
||||
+register_security_out:
|
||||
+ free_null_complain_profile();
|
||||
+
|
||||
+alloc_out:
|
||||
+ (void)destroy_apparmorfs();
|
||||
+
|
||||
+createfs_out:
|
||||
+ return error;
|
||||
+
|
||||
+}
|
||||
+
|
||||
+static int apparmor_exit_removeall_iter(struct subdomain *sd, void *cookie)
|
||||
+{
|
||||
+ /* spin_lock(&sd_lock) held here */
|
||||
+
|
||||
+ if (__aa_is_confined(sd)) {
|
||||
+ AA_DEBUG("%s: Dropping profiles %s(%d) "
|
||||
+ "profile %s(%p) active %s(%p)\n",
|
||||
+ __FUNCTION__,
|
||||
+ sd->task->comm, sd->task->pid,
|
||||
+ BASE_PROFILE(sd->active)->name,
|
||||
+ BASE_PROFILE(sd->active),
|
||||
+ sd->active->name, sd->active);
|
||||
+ aa_switch_unconfined(sd);
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static void __exit apparmor_exit(void)
|
||||
+{
|
||||
+ unsigned long flags;
|
||||
+
|
||||
+ /* Remove profiles from the global profile list.
|
||||
+ * This is just for tidyness as there is no way to reference this
|
||||
+ * list once the AppArmor lsm hooks are detached (below)
|
||||
+ */
|
||||
+ aa_profilelist_release();
|
||||
+
|
||||
+ /* Remove profiles from active tasks
|
||||
+ * If this is not done, if module is reloaded after being removed,
|
||||
+ * old profiles (still refcounted in memory) will become 'magically'
|
||||
+ * reattached
|
||||
+ */
|
||||
+
|
||||
+ spin_lock_irqsave(&sd_lock, flags);
|
||||
+ aa_subdomainlist_iterate(apparmor_exit_removeall_iter, NULL);
|
||||
+ spin_unlock_irqrestore(&sd_lock, flags);
|
||||
+
|
||||
+ /* Free up list of active subdomain */
|
||||
+ aa_subdomainlist_release();
|
||||
+
|
||||
+ free_null_complain_profile();
|
||||
+
|
||||
+ destroy_apparmorfs();
|
||||
+
|
||||
+ if (unregister_security(&apparmor_ops))
|
||||
+ AA_WARN("Unable to properly unregister AppArmor\n");
|
||||
+
|
||||
+ /* delay for an rcu cycle to make ensure that profiles pending
|
||||
+ * destruction in the rcu callback are freed.
|
||||
+ */
|
||||
+ synchronize_rcu();
|
||||
+
|
||||
+ AA_INFO("AppArmor protection removed\n");
|
||||
+ aa_audit_message(NULL, GFP_KERNEL, 0,
|
||||
+ "AppArmor protection removed\n");
|
||||
+}
|
||||
+
|
||||
+security_initcall(apparmor_init);
|
||||
+module_exit(apparmor_exit);
|
||||
+
|
||||
+MODULE_DESCRIPTION("AppArmor process confinement");
|
||||
+MODULE_AUTHOR("Tony Jones <tonyj@suse.de>");
|
||||
+MODULE_LICENSE("GPL");
|
||||
-
|
||||
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
||||
Please read the FAQ at http://www.tux.org/lkml/
|
File diff suppressed because it is too large
Load Diff
@ -1,472 +0,0 @@
|
||||
This patch implements the AppArmor file structure underneath securityfs.
|
||||
Securityfs is normally mounted as /sys/kernel/security
|
||||
|
||||
The following files are created under /sys/kernel/security/apparmor
|
||||
control
|
||||
audit - Controls the global setting for auditing all
|
||||
accesses.
|
||||
complain - Controls the global setting for learning mode
|
||||
(usually this is set per profile rather than
|
||||
globally)
|
||||
debug - Controls whether debugging is enabled.
|
||||
This needs to be made more fine grained
|
||||
logsyscall - Controls whether when logging to the audit
|
||||
subsystem full syscall auditing is enabled.
|
||||
|
||||
The values by default for all of the above are 0.
|
||||
|
||||
matching - Returns the features of the installed matching submodule
|
||||
profiles - Returns the profiles currently loaded and for each whether
|
||||
it is in complain (learning) or enforce mode.
|
||||
.load
|
||||
.remove
|
||||
.replace - Used by userspace tools to load, remove and replace new
|
||||
profiles.
|
||||
|
||||
|
||||
Signed-off-by: Tony Jones <tonyj@suse.de>
|
||||
|
||||
---
|
||||
security/apparmor/apparmorfs.c | 432 +++++++++++++++++++++++++++++++++++++++++
|
||||
1 files changed, 432 insertions(+)
|
||||
|
||||
--- security/apparmor/apparmorfs.c.orig
|
||||
+++ security/apparmor/apparmorfs.c
|
||||
@@ -0,0 +1,432 @@
|
||||
+/*
|
||||
+ * Copyright (C) 2005 Novell/SUSE
|
||||
+ *
|
||||
+ * This program is free software; you can redistribute it and/or
|
||||
+ * modify it under the terms of the GNU General Public License as
|
||||
+ * published by the Free Software Foundation, version 2 of the
|
||||
+ * License.
|
||||
+ *
|
||||
+ * AppArmor filesystem (part of securityfs)
|
||||
+ */
|
||||
+
|
||||
+#include <linux/security.h>
|
||||
+#include <linux/vmalloc.h>
|
||||
+#include <linux/module.h>
|
||||
+#include <linux/seq_file.h>
|
||||
+#include <asm/uaccess.h>
|
||||
+
|
||||
+#include "apparmor.h"
|
||||
+#include "inline.h"
|
||||
+#include "match/match.h"
|
||||
+
|
||||
+#define SECFS_AA "apparmor"
|
||||
+static struct dentry *aafs_dentry = NULL;
|
||||
+
|
||||
+/* profile */
|
||||
+extern struct seq_operations apparmorfs_profiles_op;
|
||||
+static int aa_prof_open(struct inode *inode, struct file *file);
|
||||
+static int aa_prof_release(struct inode *inode, struct file *file);
|
||||
+
|
||||
+static struct file_operations apparmorfs_profiles_fops = {
|
||||
+ .open = aa_prof_open,
|
||||
+ .read = seq_read,
|
||||
+ .llseek = seq_lseek,
|
||||
+ .release = aa_prof_release,
|
||||
+};
|
||||
+
|
||||
+/* matching */
|
||||
+static ssize_t aa_matching_read(struct file *file, char __user *buf,
|
||||
+ size_t size, loff_t *ppos);
|
||||
+
|
||||
+static struct file_operations apparmorfs_matching_fops = {
|
||||
+ .read = aa_matching_read,
|
||||
+};
|
||||
+
|
||||
+
|
||||
+/* interface */
|
||||
+static ssize_t aa_profile_load(struct file *f, const char __user *buf,
|
||||
+ size_t size, loff_t *pos);
|
||||
+static ssize_t aa_profile_replace(struct file *f, const char __user *buf,
|
||||
+ size_t size, loff_t *pos);
|
||||
+static ssize_t aa_profile_remove(struct file *f, const char __user *buf,
|
||||
+ size_t size, loff_t *pos);
|
||||
+
|
||||
+static struct file_operations apparmorfs_profile_load = {
|
||||
+ .write = aa_profile_load
|
||||
+};
|
||||
+
|
||||
+static struct file_operations apparmorfs_profile_replace = {
|
||||
+ .write = aa_profile_replace
|
||||
+};
|
||||
+
|
||||
+static struct file_operations apparmorfs_profile_remove = {
|
||||
+ .write = aa_profile_remove
|
||||
+};
|
||||
+
|
||||
+
|
||||
+/* control */
|
||||
+static u64 aa_control_get(void *data);
|
||||
+static void aa_control_set(void *data, u64 val);
|
||||
+
|
||||
+DEFINE_SIMPLE_ATTRIBUTE(apparmorfs_control_fops, aa_control_get,
|
||||
+ aa_control_set, "%lld\n");
|
||||
+
|
||||
+
|
||||
+
|
||||
+/* table of static entries */
|
||||
+
|
||||
+static struct root_entry {
|
||||
+ const char *name;
|
||||
+ int mode;
|
||||
+ int access;
|
||||
+ struct file_operations *fops;
|
||||
+ void *data;
|
||||
+
|
||||
+ /* internal fields */
|
||||
+ struct dentry *dentry;
|
||||
+ int parent_index;
|
||||
+} root_entries[] = {
|
||||
+ /* our root, normally /sys/kernel/security/apparmor */
|
||||
+ {SECFS_AA, S_IFDIR, 0550}, /* DO NOT EDIT/MOVE */
|
||||
+
|
||||
+ /* interface for obtaining list of profiles currently loaded */
|
||||
+ {"profiles", S_IFREG, 0440, &apparmorfs_profiles_fops,
|
||||
+ NULL},
|
||||
+
|
||||
+ /* interface for obtaining matching features supported */
|
||||
+ {"matching", S_IFREG, 0440, &apparmorfs_matching_fops,
|
||||
+ NULL},
|
||||
+
|
||||
+ /* interface for loading/removing/replacing profiles */
|
||||
+ {".load", S_IFREG, 0640, &apparmorfs_profile_load,
|
||||
+ NULL},
|
||||
+ {".replace", S_IFREG, 0640, &apparmorfs_profile_replace,
|
||||
+ NULL},
|
||||
+ {".remove", S_IFREG, 0640, &apparmorfs_profile_remove,
|
||||
+ NULL},
|
||||
+
|
||||
+ /* interface for setting binary config values */
|
||||
+ {"control", S_IFDIR, 0550},
|
||||
+ {"complain", S_IFREG, 0640, &apparmorfs_control_fops,
|
||||
+ &apparmor_complain},
|
||||
+ {"audit", S_IFREG, 0640, &apparmorfs_control_fops,
|
||||
+ &apparmor_audit},
|
||||
+ {"debug", S_IFREG, 0640, &apparmorfs_control_fops,
|
||||
+ &apparmor_debug},
|
||||
+ {"logsyscall", S_IFREG, 0640, &apparmorfs_control_fops,
|
||||
+ &apparmor_logsyscall},
|
||||
+ {NULL, S_IFDIR, 0},
|
||||
+
|
||||
+ /* root end */
|
||||
+ {NULL, S_IFDIR, 0}
|
||||
+};
|
||||
+
|
||||
+#define AAFS_DENTRY root_entries[0].dentry
|
||||
+
|
||||
+static const unsigned int num_entries =
|
||||
+ sizeof(root_entries) / sizeof(struct root_entry);
|
||||
+
|
||||
+
|
||||
+
|
||||
+static int aa_prof_open(struct inode *inode, struct file *file)
|
||||
+{
|
||||
+ return seq_open(file, &apparmorfs_profiles_op);
|
||||
+}
|
||||
+
|
||||
+
|
||||
+static int aa_prof_release(struct inode *inode, struct file *file)
|
||||
+{
|
||||
+ return seq_release(inode, file);
|
||||
+}
|
||||
+
|
||||
+static ssize_t aa_matching_read(struct file *file, char __user *buf,
|
||||
+ size_t size, loff_t *ppos)
|
||||
+{
|
||||
+ const char *matching = aamatch_features();
|
||||
+
|
||||
+ return simple_read_from_buffer(buf, size, ppos, matching,
|
||||
+ strlen(matching));
|
||||
+}
|
||||
+
|
||||
+static char *aa_simple_write_to_buffer(const char __user *userbuf,
|
||||
+ size_t alloc_size, size_t copy_size,
|
||||
+ loff_t *pos, const char *msg)
|
||||
+{
|
||||
+ struct aaprofile *active;
|
||||
+ char *data;
|
||||
+
|
||||
+ if (*pos != 0) {
|
||||
+ /* only writes from pos 0, that is complete writes */
|
||||
+ data = ERR_PTR(-ESPIPE);
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ /* Don't allow confined processes to load/replace/remove profiles.
|
||||
+ * No sane person would add rules allowing this to a profile
|
||||
+ * but we enforce the restriction anyways.
|
||||
+ */
|
||||
+ rcu_read_lock();
|
||||
+ active = get_activeptr_rcu();
|
||||
+ if (active) {
|
||||
+ AA_WARN("REJECTING access to profile %s (%s(%d) "
|
||||
+ "profile %s active %s)\n",
|
||||
+ msg, current->comm, current->pid,
|
||||
+ BASE_PROFILE(active)->name, active->name);
|
||||
+
|
||||
+ data = ERR_PTR(-EPERM);
|
||||
+ goto out;
|
||||
+ }
|
||||
+ rcu_read_unlock();
|
||||
+
|
||||
+ data = vmalloc(alloc_size);
|
||||
+ if (data == NULL) {
|
||||
+ data = ERR_PTR(-ENOMEM);
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ if (copy_from_user(data, userbuf, copy_size)) {
|
||||
+ vfree(data);
|
||||
+ data = ERR_PTR(-EFAULT);
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+out:
|
||||
+ return data;
|
||||
+}
|
||||
+
|
||||
+static ssize_t aa_profile_load(struct file *f, const char __user *buf,
|
||||
+ size_t size, loff_t *pos)
|
||||
+{
|
||||
+ char *data;
|
||||
+ ssize_t error;
|
||||
+
|
||||
+ data = aa_simple_write_to_buffer(buf, size, size, pos, "load");
|
||||
+
|
||||
+ if (!IS_ERR(data)) {
|
||||
+ error = aa_file_prof_add(data, size);
|
||||
+ vfree(data);
|
||||
+ } else {
|
||||
+ error = PTR_ERR(data);
|
||||
+ }
|
||||
+
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+static ssize_t aa_profile_replace(struct file *f, const char __user *buf,
|
||||
+ size_t size, loff_t *pos)
|
||||
+{
|
||||
+ char *data;
|
||||
+ ssize_t error;
|
||||
+
|
||||
+ data = aa_simple_write_to_buffer(buf, size, size, pos, "replacement");
|
||||
+
|
||||
+ if (!IS_ERR(data)) {
|
||||
+ error = aa_file_prof_repl(data, size);
|
||||
+ vfree(data);
|
||||
+ } else {
|
||||
+ error = PTR_ERR(data);
|
||||
+ }
|
||||
+
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+static ssize_t aa_profile_remove(struct file *f, const char __user *buf,
|
||||
+ size_t size, loff_t *pos)
|
||||
+{
|
||||
+ char *data;
|
||||
+ ssize_t error;
|
||||
+
|
||||
+ /* aa_file_prof_remove needs a null terminated string so 1 extra
|
||||
+ * byte is allocated and null the copied data is then null terminated
|
||||
+ */
|
||||
+ data = aa_simple_write_to_buffer(buf, size+1, size, pos, "removal");
|
||||
+
|
||||
+ if (!IS_ERR(data)) {
|
||||
+ data[size] = 0;
|
||||
+ error = aa_file_prof_remove(data, size);
|
||||
+ vfree(data);
|
||||
+ } else {
|
||||
+ error = PTR_ERR(data);
|
||||
+ }
|
||||
+
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+static u64 aa_control_get(void *data)
|
||||
+{
|
||||
+ return *(int *)data;
|
||||
+}
|
||||
+
|
||||
+static void aa_control_set(void *data, u64 val)
|
||||
+{
|
||||
+ if (val > 1)
|
||||
+ val = 1;
|
||||
+
|
||||
+ *(int*)data = (int)val;
|
||||
+}
|
||||
+
|
||||
+static void clear_apparmorfs(void)
|
||||
+{
|
||||
+ unsigned int i;
|
||||
+
|
||||
+ for (i=0; i < num_entries;i++) {
|
||||
+ unsigned int index;
|
||||
+
|
||||
+ if (root_entries[i].mode == S_IFDIR) {
|
||||
+ if (root_entries[i].name)
|
||||
+ /* defer dir free till all sub-entries freed */
|
||||
+ continue;
|
||||
+ else
|
||||
+ /* cleanup parent */
|
||||
+ index = root_entries[i].parent_index;
|
||||
+ } else {
|
||||
+ index = i;
|
||||
+ }
|
||||
+
|
||||
+ if (root_entries[index].dentry) {
|
||||
+ securityfs_remove(root_entries[index].dentry);
|
||||
+
|
||||
+ AA_DEBUG("%s: deleted apparmorfs entry name=%s "
|
||||
+ "dentry=%p\n",
|
||||
+ __FUNCTION__,
|
||||
+ root_entries[index].name,
|
||||
+ root_entries[index].dentry);
|
||||
+
|
||||
+ root_entries[index].dentry = NULL;
|
||||
+ root_entries[index].parent_index = 0;
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static int populate_apparmorfs(struct dentry *root)
|
||||
+{
|
||||
+ unsigned int i, parent_index, depth;
|
||||
+
|
||||
+ for (i = 0; i < num_entries; i++) {
|
||||
+ root_entries[i].dentry = NULL;
|
||||
+ root_entries[i].parent_index = 0;
|
||||
+ }
|
||||
+
|
||||
+ /* 1. Verify entry 0 is valid [sanity check] */
|
||||
+ if (num_entries == 0 ||
|
||||
+ !root_entries[0].name ||
|
||||
+ strcmp(root_entries[0].name, SECFS_AA) != 0 ||
|
||||
+ root_entries[0].mode != S_IFDIR) {
|
||||
+ AA_ERROR("%s: root entry 0 is not SECFS_AA/dir\n",
|
||||
+ __FUNCTION__);
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
+ /* 2. Build back pointers */
|
||||
+ parent_index = 0;
|
||||
+ depth = 1;
|
||||
+
|
||||
+ for (i = 1; i < num_entries; i++) {
|
||||
+ root_entries[i].parent_index = parent_index;
|
||||
+
|
||||
+ if (root_entries[i].name &&
|
||||
+ root_entries[i].mode == S_IFDIR) {
|
||||
+ depth++;
|
||||
+ parent_index = i;
|
||||
+ } else if (!root_entries[i].name) {
|
||||
+ if (root_entries[i].mode != S_IFDIR || depth == 0) {
|
||||
+ AA_ERROR("%s: root_entry %d invalid (%u %d)",
|
||||
+ __FUNCTION__, i,
|
||||
+ root_entries[i].mode,
|
||||
+ root_entries[i].parent_index);
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
+ depth--;
|
||||
+ parent_index = root_entries[parent_index].parent_index;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (depth != 0) {
|
||||
+ AA_ERROR("%s: root_entry table not correctly terminated\n",
|
||||
+ __FUNCTION__);
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
+ /* 3. Create root (parent=NULL) */
|
||||
+ root_entries[0].dentry = securityfs_create_file(
|
||||
+ root_entries[0].name,
|
||||
+ root_entries[0].mode |
|
||||
+ root_entries[0].access,
|
||||
+ NULL, NULL, NULL);
|
||||
+
|
||||
+ if (IS_ERR(root_entries[0].dentry))
|
||||
+ goto error;
|
||||
+ else
|
||||
+ AA_DEBUG("%s: created securityfs/apparmor [dentry=%p]\n",
|
||||
+ __FUNCTION__, root_entries[0].dentry);
|
||||
+
|
||||
+
|
||||
+ /* 4. create remaining nodes */
|
||||
+ for (i = 1; i < num_entries; i++) {
|
||||
+ struct dentry *parent;
|
||||
+ void *data = NULL;
|
||||
+ struct file_operations *fops = NULL;
|
||||
+
|
||||
+ /* end of directory ? */
|
||||
+ if (!root_entries[i].name)
|
||||
+ continue;
|
||||
+
|
||||
+ parent = root_entries[root_entries[i].parent_index].dentry;
|
||||
+
|
||||
+ if (root_entries[i].mode != S_IFDIR) {
|
||||
+ data = root_entries[i].data;
|
||||
+ fops = root_entries[i].fops;
|
||||
+ }
|
||||
+
|
||||
+ root_entries[i].dentry = securityfs_create_file(
|
||||
+ root_entries[i].name,
|
||||
+ root_entries[i].mode |
|
||||
+ root_entries[i].access,
|
||||
+ parent,
|
||||
+ data,
|
||||
+ fops);
|
||||
+
|
||||
+ if (IS_ERR(root_entries[i].dentry))
|
||||
+ goto cleanup_error;
|
||||
+
|
||||
+ AA_DEBUG("%s: added apparmorfs entry "
|
||||
+ "name=%s mode=%x dentry=%p [parent %p]\n",
|
||||
+ __FUNCTION__, root_entries[i].name,
|
||||
+ root_entries[i].mode|root_entries[i].access,
|
||||
+ root_entries[i].dentry, parent);
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+
|
||||
+cleanup_error:
|
||||
+ clear_apparmorfs();
|
||||
+
|
||||
+error:
|
||||
+ return -EINVAL;
|
||||
+}
|
||||
+
|
||||
+int create_apparmorfs(void)
|
||||
+{
|
||||
+ int error = 0;
|
||||
+
|
||||
+ if (AAFS_DENTRY) {
|
||||
+ error = -EEXIST;
|
||||
+ AA_ERROR("%s: Subdomain securityfs already exists\n",
|
||||
+ __FUNCTION__);
|
||||
+ } else {
|
||||
+ error = populate_apparmorfs(aafs_dentry);
|
||||
+ if (error != 0) {
|
||||
+ AA_ERROR("%s: Error populating Subdomain securityfs\n",
|
||||
+ __FUNCTION__);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+void destroy_apparmorfs(void)
|
||||
+{
|
||||
+ if (AAFS_DENTRY)
|
||||
+ clear_apparmorfs();
|
||||
+}
|
||||
-
|
||||
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
||||
Please read the FAQ at http://www.tux.org/lkml/
|
@ -1,907 +0,0 @@
|
||||
This patch implements the interface between the userspace policy loader
|
||||
and the kernel module. It is called by the .load, .remove and .replace
|
||||
file_operations hooks implemented in apparmorfs.c.
|
||||
|
||||
The code is reponsible for serializing data in a platform independant
|
||||
manner from userspace and creating/activating the necessary apparmor
|
||||
profiles.
|
||||
|
||||
Certain aspects are delegated to the sub matching module which implements
|
||||
the aamatch_* functions.
|
||||
|
||||
|
||||
Signed-off-by: Tony Jones <tonyj@suse.de>
|
||||
|
||||
---
|
||||
security/apparmor/module_interface.c | 840 +++++++++++++++++++++++++++++++++++
|
||||
security/apparmor/module_interface.h | 37 +
|
||||
2 files changed, 877 insertions(+)
|
||||
|
||||
--- security/apparmor/module_interface.c.orig
|
||||
+++ security/apparmor/module_interface.c
|
||||
@@ -0,0 +1,840 @@
|
||||
+/*
|
||||
+ * Copyright (C) 1998-2005 Novell/SUSE
|
||||
+ *
|
||||
+ * This program is free software; you can redistribute it and/or
|
||||
+ * modify it under the terms of the GNU General Public License as
|
||||
+ * published by the Free Software Foundation, version 2 of the
|
||||
+ * License.
|
||||
+ *
|
||||
+ * AppArmor userspace policy interface
|
||||
+ */
|
||||
+
|
||||
+#include <asm/unaligned.h>
|
||||
+
|
||||
+#include "apparmor.h"
|
||||
+#include "inline.h"
|
||||
+#include "module_interface.h"
|
||||
+#include "match/match.h"
|
||||
+
|
||||
+/* aa_code defined in module_interface.h */
|
||||
+
|
||||
+const int aacode_datasize[] = { 1, 2, 4, 8, 2, 2, 4, 0, 0, 0, 0, 0, 0 };
|
||||
+
|
||||
+struct aa_taskreplace_data {
|
||||
+ struct aaprofile *old_profile;
|
||||
+ struct aaprofile *new_profile;
|
||||
+};
|
||||
+
|
||||
+/* inlines must be forward of there use in newer version of gcc,
|
||||
+ just forward declaring with a prototype won't work anymore */
|
||||
+
|
||||
+static inline void free_aa_entry(struct aa_entry *entry)
|
||||
+{
|
||||
+ if (entry) {
|
||||
+ kfree(entry->filename);
|
||||
+ aamatch_free(entry->extradata);
|
||||
+ kfree(entry);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * alloc_aa_entry - create new empty aa_entry
|
||||
+ * This routine allocates, initializes, and returns a new aa_entry
|
||||
+ * file entry structure. Structure is zeroed. Returns new structure on
|
||||
+ * success, %NULL on failure.
|
||||
+ */
|
||||
+static inline struct aa_entry *alloc_aa_entry(void)
|
||||
+{
|
||||
+ struct aa_entry *entry;
|
||||
+
|
||||
+ AA_DEBUG("%s\n", __FUNCTION__);
|
||||
+ entry = kzalloc(sizeof(struct aa_entry), GFP_KERNEL);
|
||||
+ if (entry) {
|
||||
+ int i;
|
||||
+ INIT_LIST_HEAD(&entry->list);
|
||||
+ for (i = 0; i <= POS_AA_FILE_MAX; i++) {
|
||||
+ INIT_LIST_HEAD(&entry->listp[i]);
|
||||
+ }
|
||||
+ }
|
||||
+ return entry;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * free_aaprofile_rcu - rcu callback for free profiles
|
||||
+ * @head: rcu_head struct of the profile whose reference is being put.
|
||||
+ *
|
||||
+ * the rcu callback routine, which delays the freeing of a profile when
|
||||
+ * its last reference is put.
|
||||
+ */
|
||||
+static void free_aaprofile_rcu(struct rcu_head *head)
|
||||
+{
|
||||
+ struct aaprofile *p = container_of(head, struct aaprofile, rcu);
|
||||
+ free_aaprofile(p);
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * task_remove - remove profile from a task's subdomain
|
||||
+ * @sd: task's subdomain
|
||||
+ *
|
||||
+ * remove the active profile from a task's subdomain, switching the task
|
||||
+ * to an unconfined state.
|
||||
+ */
|
||||
+static inline void task_remove(struct subdomain *sd)
|
||||
+{
|
||||
+ /* spin_lock(&sd_lock) held here */
|
||||
+ AA_DEBUG("%s: removing profile from task %s(%d) profile %s active %s\n",
|
||||
+ __FUNCTION__,
|
||||
+ sd->task->comm,
|
||||
+ sd->task->pid,
|
||||
+ BASE_PROFILE(sd->active)->name,
|
||||
+ sd->active->name);
|
||||
+
|
||||
+ aa_switch_unconfined(sd);
|
||||
+}
|
||||
+
|
||||
+/** taskremove_iter - Iterator to unconfine subdomains which match cookie
|
||||
+ * @sd: subdomain to consider for profile removal
|
||||
+ * @cookie: pointer to the oldprofile which is being removed
|
||||
+ *
|
||||
+ * If the subdomain's active profile matches old_profile, then call
|
||||
+ * task_remove() to remove the profile leaving the task (subdomain) unconfined.
|
||||
+ */
|
||||
+static int taskremove_iter(struct subdomain *sd, void *cookie)
|
||||
+{
|
||||
+ struct aaprofile *old_profile = (struct aaprofile *)cookie;
|
||||
+ unsigned long flags;
|
||||
+
|
||||
+ spin_lock_irqsave(&sd_lock, flags);
|
||||
+
|
||||
+ if (__aa_is_confined(sd) && BASE_PROFILE(sd->active) == old_profile) {
|
||||
+ task_remove(sd);
|
||||
+ }
|
||||
+
|
||||
+ spin_unlock_irqrestore(&sd_lock, flags);
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/** task_replace - replace subdomain's current profile with a new profile
|
||||
+ * @sd: subdomain to replace the profile on
|
||||
+ * @new: new profile
|
||||
+ *
|
||||
+ * Replace a task's (subdomain's) active profile with a new profile. If
|
||||
+ * task was in a hat then the new profile will also be in the equivalent
|
||||
+ * hat in the new profile if it exists. If it doesn't exist the
|
||||
+ * task will be placed in the special null_profile state.
|
||||
+ */
|
||||
+static inline void task_replace(struct subdomain *sd, struct aaprofile *new)
|
||||
+{
|
||||
+ AA_DEBUG("%s: replacing profile for task %s(%d) "
|
||||
+ "profile=%s (%p) active=%s (%p)\n",
|
||||
+ __FUNCTION__,
|
||||
+ sd->task->comm, sd->task->pid,
|
||||
+ BASE_PROFILE(sd->active)->name, BASE_PROFILE(sd->active),
|
||||
+ sd->active->name, sd->active);
|
||||
+
|
||||
+ if (!sd->active)
|
||||
+ goto out;
|
||||
+
|
||||
+ if (IN_SUBPROFILE(sd->active)) {
|
||||
+ struct aaprofile *nactive;
|
||||
+
|
||||
+ /* The old profile was in a hat, check to see if the new
|
||||
+ * profile has an equivalent hat */
|
||||
+ nactive = __aa_find_profile(sd->active->name, &new->sub);
|
||||
+
|
||||
+ if (!nactive)
|
||||
+ nactive = get_aaprofile(new->null_profile);
|
||||
+
|
||||
+ aa_switch(sd, nactive);
|
||||
+ put_aaprofile(nactive);
|
||||
+ } else {
|
||||
+ aa_switch(sd, new);
|
||||
+ }
|
||||
+
|
||||
+ out:
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
+/** taskreplace_iter - Iterator to replace a subdomain's profile
|
||||
+ * @sd: subdomain to consider for profile replacement
|
||||
+ * @cookie: pointer to the old profile which is being replaced.
|
||||
+ *
|
||||
+ * If the subdomain's active profile matches old_profile call
|
||||
+ * task_replace() to replace with the subdomain's active profile with
|
||||
+ * the new profile.
|
||||
+ */
|
||||
+static int taskreplace_iter(struct subdomain *sd, void *cookie)
|
||||
+{
|
||||
+ struct aa_taskreplace_data *data = (struct aa_taskreplace_data *)cookie;
|
||||
+ unsigned long flags;
|
||||
+
|
||||
+ spin_lock_irqsave(&sd_lock, flags);
|
||||
+
|
||||
+ if (__aa_is_confined(sd) &&
|
||||
+ BASE_PROFILE(sd->active) == data->old_profile)
|
||||
+ task_replace(sd, data->new_profile);
|
||||
+
|
||||
+ spin_unlock_irqrestore(&sd_lock, flags);
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static inline int aa_inbounds(struct aa_ext *e, size_t size)
|
||||
+{
|
||||
+ return (e->pos + size <= e->end);
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * aaconvert - convert trailing values of serialized type codes
|
||||
+ * @code: type code
|
||||
+ * @dest: pointer to object to receive the converted value
|
||||
+ * @src: pointer to value to convert
|
||||
+ *
|
||||
+ * for serialized type codes which have a trailing value, convert it
|
||||
+ * and place it in @dest. If a code does not have a trailing value nop.
|
||||
+ */
|
||||
+static void aaconvert(enum aa_code code, void *dest, void *src)
|
||||
+{
|
||||
+ switch (code) {
|
||||
+ case AA_U8:
|
||||
+ *(u8 *)dest = *(u8 *) src;
|
||||
+ break;
|
||||
+ case AA_U16:
|
||||
+ case AA_NAME:
|
||||
+ case AA_DYN_STRING:
|
||||
+ *(u16 *)dest = le16_to_cpu(get_unaligned((u16 *)src));
|
||||
+ break;
|
||||
+ case AA_U32:
|
||||
+ case AA_STATIC_BLOB:
|
||||
+ *(u32 *)dest = le32_to_cpu(get_unaligned((u32 *)src));
|
||||
+ break;
|
||||
+ case AA_U64:
|
||||
+ *(u64 *)dest = le64_to_cpu(get_unaligned((u64 *)src));
|
||||
+ break;
|
||||
+ default:
|
||||
+ /* nop - all other type codes do not have a trailing value */
|
||||
+ ;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * aa_is_X - check if the next element is of type X
|
||||
+ * @e: serialized data extent information
|
||||
+ * @code: type code
|
||||
+ * @data: object located at @e->pos (of type @code) is written into @data
|
||||
+ * if @data is non-null. if data is null it means skip this
|
||||
+ * entry
|
||||
+ * check to see if the next element in the serialized data stream is of type
|
||||
+ * X and check that it is with in bounds, if so put the associated value in
|
||||
+ * @data.
|
||||
+ * return the size of bytes associated with the returned data
|
||||
+ * for complex object like blob and string a pointer to the allocated
|
||||
+ * data is returned in data, but the size of the blob or string is
|
||||
+ * returned.
|
||||
+ */
|
||||
+static u32 aa_is_X(struct aa_ext *e, enum aa_code code, void *data)
|
||||
+{
|
||||
+ void *pos = e->pos;
|
||||
+ int ret = 0;
|
||||
+ if (!aa_inbounds(e, AA_CODE_BYTE + aacode_datasize[code]))
|
||||
+ goto fail;
|
||||
+ if (code != *(u8 *)e->pos)
|
||||
+ goto out;
|
||||
+ e->pos += AA_CODE_BYTE;
|
||||
+ if (code == AA_NAME) {
|
||||
+ u16 size;
|
||||
+ /* name codes are followed by X bytes */
|
||||
+ size = le16_to_cpu(get_unaligned((u16 *)e->pos));
|
||||
+ if (!aa_inbounds(e, (size_t) size))
|
||||
+ goto fail;
|
||||
+ if (data)
|
||||
+ *(u16 *)data = size;
|
||||
+ e->pos += aacode_datasize[code];
|
||||
+ ret = 1 + aacode_datasize[code];
|
||||
+ } else if (code == AA_DYN_STRING) {
|
||||
+ u16 size;
|
||||
+ char *str;
|
||||
+ /* strings codes are followed by X bytes */
|
||||
+ size = le16_to_cpu(get_unaligned((u16 *)e->pos));
|
||||
+ e->pos += aacode_datasize[code];
|
||||
+ if (!aa_inbounds(e, (size_t) size))
|
||||
+ goto fail;
|
||||
+ if (data) {
|
||||
+ * (char **)data = NULL;
|
||||
+ str = kmalloc(size, GFP_KERNEL);
|
||||
+ if (!str)
|
||||
+ goto fail;
|
||||
+ memcpy(str, e->pos, (size_t) size);
|
||||
+ str[size-1] = '\0';
|
||||
+ * (char **)data = str;
|
||||
+ }
|
||||
+ e->pos += size;
|
||||
+ ret = size;
|
||||
+ } else if (code == AA_STATIC_BLOB) {
|
||||
+ u32 size;
|
||||
+ /* blobs are followed by X bytes, that can be 2^32 */
|
||||
+ size = le32_to_cpu(get_unaligned((u32 *)e->pos));
|
||||
+ e->pos += aacode_datasize[code];
|
||||
+ if (!aa_inbounds(e, (size_t) size))
|
||||
+ goto fail;
|
||||
+ if (data)
|
||||
+ memcpy(data, e->pos, (size_t) size);
|
||||
+ e->pos += size;
|
||||
+ ret = size;
|
||||
+ } else {
|
||||
+ if (data)
|
||||
+ aaconvert(code, data, e->pos);
|
||||
+ e->pos += aacode_datasize[code];
|
||||
+ ret = 1 + aacode_datasize[code];
|
||||
+ }
|
||||
+out:
|
||||
+ return ret;
|
||||
+fail:
|
||||
+ e->pos = pos;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * aa_is_nameX - check is the next element is of type X with a name of @name
|
||||
+ * @e: serialized data extent information
|
||||
+ * @code: type code
|
||||
+ * @data: location to store deserialized data if match isX criteria
|
||||
+ * @name: name to match to the serialized element.
|
||||
+ *
|
||||
+ * check that the next serialized data element is of type X and has a tag
|
||||
+ * name @name. If the code matches and name (if specified) matches then
|
||||
+ * the packed data is unpacked into *data. (Note for strings this is the
|
||||
+ * size, and the next data in the stream is the string data)
|
||||
+ * returns %0 if either match failes
|
||||
+ */
|
||||
+static int aa_is_nameX(struct aa_ext *e, enum aa_code code, void *data,
|
||||
+ const char *name)
|
||||
+{
|
||||
+ void *pos = e->pos;
|
||||
+ u16 size;
|
||||
+ u32 ret;
|
||||
+ /* check for presence of a tagname, and if present name size
|
||||
+ * AA_NAME tag value is a u16 */
|
||||
+ if (aa_is_X(e, AA_NAME, &size)) {
|
||||
+ /* if a name is specified it must match. otherwise skip tag */
|
||||
+ if (name && ((strlen(name) != size-1) ||
|
||||
+ strncmp(name, (char *)e->pos, (size_t)size-1)))
|
||||
+ goto fail;
|
||||
+ e->pos += size;
|
||||
+ }
|
||||
+ /* now check if data actually matches */
|
||||
+ ret = aa_is_X(e, code, data);
|
||||
+ if (!ret)
|
||||
+ goto fail;
|
||||
+ return ret;
|
||||
+
|
||||
+fail:
|
||||
+ e->pos = pos;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/* macro to wrap error case to make a block of reads look nicer */
|
||||
+#define AA_READ_X(E, C, D, N) \
|
||||
+ do { \
|
||||
+ u32 __ret; \
|
||||
+ __ret = aa_is_nameX((E), (C), (D), (N)); \
|
||||
+ if (!__ret) \
|
||||
+ goto fail; \
|
||||
+ } while (0)
|
||||
+
|
||||
+/**
|
||||
+ * aa_activate_net_entry - unpacked serialized net entries
|
||||
+ * @e: serialized data extent information
|
||||
+ *
|
||||
+ * Ignore/skips net entries if they are present in the serialized data
|
||||
+ * stream. Network confinement rules are currently unsupported but some
|
||||
+ * user side tools can generate them so they are currently ignored.
|
||||
+ */
|
||||
+static inline int aa_activate_net_entry(struct aa_ext *e)
|
||||
+{
|
||||
+ AA_READ_X(e, AA_STRUCT, NULL, "ne");
|
||||
+ AA_READ_X(e, AA_U32, NULL, NULL);
|
||||
+ AA_READ_X(e, AA_U32, NULL, NULL);
|
||||
+ AA_READ_X(e, AA_U32, NULL, NULL);
|
||||
+ AA_READ_X(e, AA_U16, NULL, NULL);
|
||||
+ AA_READ_X(e, AA_U16, NULL, NULL);
|
||||
+ AA_READ_X(e, AA_U32, NULL, NULL);
|
||||
+ AA_READ_X(e, AA_U32, NULL, NULL);
|
||||
+ AA_READ_X(e, AA_U16, NULL, NULL);
|
||||
+ AA_READ_X(e, AA_U16, NULL, NULL);
|
||||
+ /* interface name is optional so just ignore return code */
|
||||
+ aa_is_nameX(e, AA_DYN_STRING, NULL, NULL);
|
||||
+ AA_READ_X(e, AA_STRUCTEND, NULL, NULL);
|
||||
+
|
||||
+ return 1;
|
||||
+fail:
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * aa_activate_file_entry - unpack serialized file entry
|
||||
+ * @e: serialized data extent information
|
||||
+ *
|
||||
+ * unpack the information used for a file ACL entry.
|
||||
+ */
|
||||
+static inline struct aa_entry *aa_activate_file_entry(struct aa_ext *e)
|
||||
+{
|
||||
+ struct aa_entry *entry = NULL;
|
||||
+
|
||||
+ if (!(entry = alloc_aa_entry()))
|
||||
+ goto fail;
|
||||
+
|
||||
+ AA_READ_X(e, AA_STRUCT, NULL, "fe");
|
||||
+ AA_READ_X(e, AA_DYN_STRING, &entry->filename, NULL);
|
||||
+ AA_READ_X(e, AA_U32, &entry->mode, "file.mode");
|
||||
+ AA_READ_X(e, AA_U32, &entry->type, "file.pattern_type");
|
||||
+
|
||||
+ entry->extradata = aamatch_alloc(entry->type);
|
||||
+ if (IS_ERR(entry->extradata)) {
|
||||
+ entry->extradata = NULL;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ if (entry->extradata &&
|
||||
+ aamatch_serialize(entry->extradata, e, aa_is_nameX) != 0) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ AA_READ_X(e, AA_STRUCTEND, NULL, NULL);
|
||||
+
|
||||
+ switch (entry->type) {
|
||||
+ case aa_entry_literal:
|
||||
+ AA_DEBUG("%s: %s [no pattern] mode=0x%x\n",
|
||||
+ __FUNCTION__,
|
||||
+ entry->filename,
|
||||
+ entry->mode);
|
||||
+ break;
|
||||
+ case aa_entry_tailglob:
|
||||
+ AA_DEBUG("%s: %s [tailglob] mode=0x%x\n",
|
||||
+ __FUNCTION__,
|
||||
+ entry->filename,
|
||||
+ entry->mode);
|
||||
+ break;
|
||||
+ case aa_entry_pattern:
|
||||
+ AA_DEBUG("%s: %s mode=0x%x\n",
|
||||
+ __FUNCTION__,
|
||||
+ entry->filename,
|
||||
+ entry->mode);
|
||||
+ break;
|
||||
+ default:
|
||||
+ AA_WARN("%s: INVALID entry_match_type %d\n",
|
||||
+ __FUNCTION__,
|
||||
+ (int)entry->type);
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ return entry;
|
||||
+
|
||||
+fail:
|
||||
+ aamatch_free(entry->extradata);
|
||||
+ free_aa_entry(entry);
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * check_rule_and_add - check a file rule is valid and add to a profile
|
||||
+ * @file_entry: file rule to add
|
||||
+ * @profile: profile to add the rule to
|
||||
+ * @message: error message returned if the addition failes.
|
||||
+ *
|
||||
+ * perform consistency check to ensure that a file rule entry is valid.
|
||||
+ * If the rule is valid it is added to the profile.
|
||||
+ */
|
||||
+static inline int check_rule_and_add(struct aa_entry *file_entry,
|
||||
+ struct aaprofile *profile,
|
||||
+ const char **message)
|
||||
+{
|
||||
+ /* verify consistency of x, px, ix, ux for entry against
|
||||
+ possible duplicates for this entry */
|
||||
+ int mode = AA_EXEC_MODIFIER_MASK(file_entry->mode);
|
||||
+ int i;
|
||||
+
|
||||
+ if (mode && !(AA_MAY_EXEC & file_entry->mode)) {
|
||||
+ *message = "inconsistent rule, x modifiers without x";
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ /* check that only 1 of the modifiers is set */
|
||||
+ if (mode && (mode & (mode - 1))) {
|
||||
+ *message = "inconsistent rule, multiple x modifiers";
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ list_add(&file_entry->list, &profile->file_entry);
|
||||
+ profile->num_file_entries++;
|
||||
+
|
||||
+ mode = file_entry->mode;
|
||||
+
|
||||
+ /* Handle partitioned lists
|
||||
+ * Chain entries onto sublists based on individual
|
||||
+ * permission bits. This allows more rapid searching.
|
||||
+ */
|
||||
+ for (i = 0; i <= POS_AA_FILE_MAX; i++) {
|
||||
+ if (mode & (1 << i))
|
||||
+ /* profile->file_entryp[i] initially set to
|
||||
+ * NULL in alloc_aaprofile() */
|
||||
+ list_add(&file_entry->listp[i],
|
||||
+ &profile->file_entryp[i]);
|
||||
+ }
|
||||
+
|
||||
+ return 1;
|
||||
+
|
||||
+out:
|
||||
+ free_aa_entry(file_entry);
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+#define AA_ENTRY_LIST(NAME) \
|
||||
+ do { \
|
||||
+ if (aa_is_nameX(e, AA_LIST, NULL, (NAME))) { \
|
||||
+ rulename = ""; \
|
||||
+ error_string = "Invalid file entry"; \
|
||||
+ while (!aa_is_nameX(e, AA_LISTEND, NULL, NULL)) { \
|
||||
+ struct aa_entry *file_entry; \
|
||||
+ file_entry = aa_activate_file_entry(e); \
|
||||
+ if (!file_entry) \
|
||||
+ goto fail; \
|
||||
+ if (!check_rule_and_add(file_entry, profile, \
|
||||
+ &error_string)) { \
|
||||
+ rulename = file_entry->filename; \
|
||||
+ goto fail; \
|
||||
+ } \
|
||||
+ } \
|
||||
+ } \
|
||||
+ } while (0)
|
||||
+
|
||||
+/**
|
||||
+ * aa_activate_profile - unpack a serialized profile
|
||||
+ * @e: serialized data extent information
|
||||
+ * @error: error code returned if unpacking fails
|
||||
+ */
|
||||
+static struct aaprofile *aa_activate_profile(struct aa_ext *e, ssize_t *error)
|
||||
+{
|
||||
+ struct aaprofile *profile = NULL;
|
||||
+ const char *rulename = "";
|
||||
+ const char *error_string = "Invalid Profile";
|
||||
+
|
||||
+ *error = -EPROTO;
|
||||
+
|
||||
+ profile = alloc_aaprofile();
|
||||
+ if (!profile) {
|
||||
+ error_string = "Could not allocate profile";
|
||||
+ *error = -ENOMEM;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ /* check that we have the right struct being passed */
|
||||
+ AA_READ_X(e, AA_STRUCT, NULL, "profile");
|
||||
+ AA_READ_X(e, AA_DYN_STRING, &profile->name, NULL);
|
||||
+
|
||||
+ error_string = "Invalid flags";
|
||||
+ /* per profile debug flags (debug, complain, audit) */
|
||||
+ AA_READ_X(e, AA_STRUCT, NULL, "flags");
|
||||
+ AA_READ_X(e, AA_U32, &(profile->flags.debug), "profile.flags.debug");
|
||||
+ AA_READ_X(e, AA_U32, &(profile->flags.complain),
|
||||
+ "profile.flags.complain");
|
||||
+ AA_READ_X(e, AA_U32, &(profile->flags.audit), "profile.flags.audit");
|
||||
+ AA_READ_X(e, AA_STRUCTEND, NULL, NULL);
|
||||
+
|
||||
+ error_string = "Invalid capabilities";
|
||||
+ AA_READ_X(e, AA_U32, &(profile->capabilities), "profile.capabilities");
|
||||
+
|
||||
+ /* get the file entries. */
|
||||
+ AA_ENTRY_LIST("pgent"); /* pcre rules */
|
||||
+ AA_ENTRY_LIST("sgent"); /* simple globs */
|
||||
+ AA_ENTRY_LIST("fent"); /* regular file entries */
|
||||
+
|
||||
+ /* get the net entries */
|
||||
+ if (aa_is_nameX(e, AA_LIST, NULL, "net")) {
|
||||
+ error_string = "Invalid net entry";
|
||||
+ while (!aa_is_nameX(e, AA_LISTEND, NULL, NULL)) {
|
||||
+ if (!aa_activate_net_entry(e))
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ }
|
||||
+ rulename = "";
|
||||
+
|
||||
+ /* get subprofiles */
|
||||
+ if (aa_is_nameX(e, AA_LIST, NULL, "hats")) {
|
||||
+ error_string = "Invalid profile hat";
|
||||
+ while (!aa_is_nameX(e, AA_LISTEND, NULL, NULL)) {
|
||||
+ struct aaprofile *subprofile;
|
||||
+ subprofile = aa_activate_profile(e, error);
|
||||
+ if (!subprofile)
|
||||
+ goto fail;
|
||||
+ subprofile->parent = profile;
|
||||
+ list_add(&subprofile->list, &profile->sub);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ error_string = "Invalid end of profile";
|
||||
+ AA_READ_X(e, AA_STRUCTEND, NULL, NULL);
|
||||
+
|
||||
+ return profile;
|
||||
+
|
||||
+fail:
|
||||
+ AA_WARN("%s: %s %s in profile %s\n", INTERFACE_ID, rulename,
|
||||
+ error_string, profile && profile->name ? profile->name
|
||||
+ : "unknown");
|
||||
+
|
||||
+ if (profile) {
|
||||
+ free_aaprofile(profile);
|
||||
+ profile = NULL;
|
||||
+ }
|
||||
+
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * aa_activate_top_profile - unpack a serialized base profile
|
||||
+ * @e: serialized data extent information
|
||||
+ * @error: error code returned if unpacking fails
|
||||
+ *
|
||||
+ * check interface version unpack a profile and all its hats and patch
|
||||
+ * in any extra information that the profile needs.
|
||||
+ */
|
||||
+static void *aa_activate_top_profile(struct aa_ext *e, ssize_t *error)
|
||||
+{
|
||||
+ struct aaprofile *profile = NULL;
|
||||
+
|
||||
+ /* get the interface version */
|
||||
+ if (!aa_is_nameX(e, AA_U32, &e->version, "version")) {
|
||||
+ AA_WARN("%s: version missing\n", INTERFACE_ID);
|
||||
+ *error = -EPROTONOSUPPORT;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ /* check that the interface version is currently supported */
|
||||
+ if (e->version != 2) {
|
||||
+ AA_WARN("%s: unsupported interface version (%d)\n",
|
||||
+ INTERFACE_ID, e->version);
|
||||
+ *error = -EPROTONOSUPPORT;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ profile = aa_activate_profile(e, error);
|
||||
+ if (!profile)
|
||||
+ goto fail;
|
||||
+
|
||||
+ if (!list_empty(&profile->sub) || profile->flags.complain) {
|
||||
+ if (attach_nullprofile(profile))
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ return profile;
|
||||
+
|
||||
+fail:
|
||||
+ free_aaprofile(profile);
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * aa_file_prof_add - add a new profile to the profile list
|
||||
+ * @data: serialized data stream
|
||||
+ * @size: size of the serialized data stream
|
||||
+ *
|
||||
+ * unpack and add a profile to the profile list. Return %0 or error
|
||||
+ */
|
||||
+ssize_t aa_file_prof_add(void *data, size_t size)
|
||||
+{
|
||||
+ struct aaprofile *profile = NULL;
|
||||
+
|
||||
+ struct aa_ext e = {
|
||||
+ .start = data,
|
||||
+ .end = data + size,
|
||||
+ .pos = data
|
||||
+ };
|
||||
+ ssize_t error;
|
||||
+
|
||||
+ profile = aa_activate_top_profile(&e, &error);
|
||||
+ if (!profile) {
|
||||
+ AA_DEBUG("couldn't activate profile\n");
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ /* aa_activate_top_profile allocates profile with initial 1 count
|
||||
+ * aa_profilelist_add transfers that ref to profile list without
|
||||
+ * further incrementing
|
||||
+ */
|
||||
+ if (aa_profilelist_add(profile)) {
|
||||
+ error = size;
|
||||
+ } else {
|
||||
+ AA_WARN("trying to add profile (%s) that already exists.\n",
|
||||
+ profile->name);
|
||||
+ put_aaprofile(profile);
|
||||
+ error = -EEXIST;
|
||||
+ }
|
||||
+
|
||||
+out:
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * aa_file_prof_repl - replace a profile on the profile list
|
||||
+ * @udata: serialized data stream
|
||||
+ * @size: size of the serialized data stream
|
||||
+ *
|
||||
+ * unpack and replace a profile on the profile list and uses of that profile
|
||||
+ * by any subdomain. If the profile does not exist on the profile list
|
||||
+ * it is added. Return %0 or error.
|
||||
+ */
|
||||
+ssize_t aa_file_prof_repl(void *udata, size_t size)
|
||||
+{
|
||||
+ struct aa_taskreplace_data data;
|
||||
+ struct aa_ext e = {
|
||||
+ .start = udata,
|
||||
+ .end = udata + size,
|
||||
+ .pos = udata
|
||||
+ };
|
||||
+
|
||||
+ ssize_t error;
|
||||
+
|
||||
+ data.new_profile = aa_activate_top_profile(&e, &error);
|
||||
+ if (!data.new_profile) {
|
||||
+ AA_DEBUG("couldn't activate profile\n");
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ /* Refcount on data.new_profile is 1 (aa_activate_top_profile).
|
||||
+ *
|
||||
+ * This reference will be inherited by aa_profilelist_replace for it's
|
||||
+ * profile list reference but this isn't sufficient.
|
||||
+ *
|
||||
+ * Another replace (*for-same-profile*) may race us here.
|
||||
+ * Task A calls aa_profilelist_replace(new_profile) and is interrupted.
|
||||
+ * Task B old_profile = aa_profilelist_replace() will return task A's
|
||||
+ * new_profile with the count of 1. If task B proceeeds to put this
|
||||
+ * profile it will dissapear from under task A.
|
||||
+ *
|
||||
+ * Grab extra reference on new_profile to prevent this
|
||||
+ */
|
||||
+
|
||||
+ get_aaprofile(data.new_profile);
|
||||
+
|
||||
+ data.old_profile = aa_profilelist_replace(data.new_profile);
|
||||
+
|
||||
+ /* If there was an old profile, find all currently executing tasks
|
||||
+ * using this profile and replace the old profile with the new.
|
||||
+ */
|
||||
+ if (data.old_profile) {
|
||||
+ AA_DEBUG("%s: try to replace profile (%p)%s\n",
|
||||
+ __FUNCTION__,
|
||||
+ data.old_profile,
|
||||
+ data.old_profile->name);
|
||||
+
|
||||
+ aa_subdomainlist_iterate(taskreplace_iter, (void *)&data);
|
||||
+
|
||||
+ /* it's off global list, and we are done replacing */
|
||||
+ put_aaprofile(data.old_profile);
|
||||
+ }
|
||||
+
|
||||
+ /* release extra reference obtained above (race) */
|
||||
+ put_aaprofile(data.new_profile);
|
||||
+
|
||||
+ error = size;
|
||||
+
|
||||
+out:
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * aa_file_prof_remove - remove a profile from the system
|
||||
+ * @name: name of the profile to remove
|
||||
+ * @size: size of the name
|
||||
+ *
|
||||
+ * remove a profile from the profile list and all subdomain references
|
||||
+ * to said profile. Return %0 on success, else error.
|
||||
+ */
|
||||
+ssize_t aa_file_prof_remove(const char *name, size_t size)
|
||||
+{
|
||||
+ struct aaprofile *old_profile;
|
||||
+
|
||||
+ /* if the old profile exists it will be removed from the list and
|
||||
+ * a reference is returned.
|
||||
+ */
|
||||
+ old_profile = aa_profilelist_remove(name);
|
||||
+
|
||||
+ if (old_profile) {
|
||||
+ /* remove profile from any tasks using it */
|
||||
+ aa_subdomainlist_iterate(taskremove_iter, (void *)old_profile);
|
||||
+
|
||||
+ /* drop reference obtained by aa_profilelist_remove */
|
||||
+ put_aaprofile(old_profile);
|
||||
+ } else {
|
||||
+ AA_WARN("%s: trying to remove profile (%s) that "
|
||||
+ "doesn't exist - skipping.\n", __FUNCTION__, name);
|
||||
+ return -ENOENT;
|
||||
+ }
|
||||
+
|
||||
+ return size;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * free_aaprofile_kref - free aaprofile by kref (called by put_aaprofile)
|
||||
+ * @kr: kref callback for freeing of a profile
|
||||
+ */
|
||||
+void free_aaprofile_kref(struct kref *kr)
|
||||
+{
|
||||
+ struct aaprofile *p=container_of(kr, struct aaprofile, count);
|
||||
+
|
||||
+ call_rcu(&p->rcu, free_aaprofile_rcu);
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * free_aaprofile - free aaprofile structure
|
||||
+ * @profile: the profile to free
|
||||
+ *
|
||||
+ * free a profile, its file entries hats and null_profile. All references
|
||||
+ * to the profile, its hats and null_profile must have been put.
|
||||
+ * If the profile was referenced by a subdomain free_aaprofile should be
|
||||
+ * called from an rcu callback routine.
|
||||
+ */
|
||||
+void free_aaprofile(struct aaprofile *profile)
|
||||
+{
|
||||
+ struct aa_entry *ent, *tmp;
|
||||
+ struct aaprofile *p, *ptmp;
|
||||
+
|
||||
+ AA_DEBUG("%s(%p)\n", __FUNCTION__, profile);
|
||||
+
|
||||
+ if (!profile)
|
||||
+ return;
|
||||
+
|
||||
+ /* profile is still on global profile list -- invalid */
|
||||
+ if (!list_empty(&profile->list)) {
|
||||
+ AA_ERROR("%s: internal error, "
|
||||
+ "profile '%s' still on global list\n",
|
||||
+ __FUNCTION__,
|
||||
+ profile->name);
|
||||
+ BUG();
|
||||
+ }
|
||||
+
|
||||
+ list_for_each_entry_safe(ent, tmp, &profile->file_entry, list) {
|
||||
+ if (ent->filename)
|
||||
+ AA_DEBUG("freeing aa_entry: %p %s\n",
|
||||
+ ent->filename, ent->filename);
|
||||
+ list_del_init(&ent->list);
|
||||
+ free_aa_entry(ent);
|
||||
+ }
|
||||
+
|
||||
+ /* use free_aaprofile instead of put_aaprofile to destroy the
|
||||
+ * null_profile, because the null_profile use the same reference
|
||||
+ * counting as hats, ie. the count goes to the base profile.
|
||||
+ */
|
||||
+ free_aaprofile(profile->null_profile);
|
||||
+ list_for_each_entry_safe(p, ptmp, &profile->sub, list) {
|
||||
+ list_del_init(&p->list);
|
||||
+ p->parent = NULL;
|
||||
+ put_aaprofile(p);
|
||||
+ }
|
||||
+
|
||||
+ if (profile->name) {
|
||||
+ AA_DEBUG("%s: %s\n", __FUNCTION__, profile->name);
|
||||
+ kfree(profile->name);
|
||||
+ }
|
||||
+
|
||||
+ kfree(profile);
|
||||
+}
|
||||
--- security/apparmor/module_interface.h.orig
|
||||
+++ security/apparmor/module_interface.h
|
||||
@@ -0,0 +1,37 @@
|
||||
+#ifndef __MODULEINTERFACE_H
|
||||
+#define __MODULEINTERFACE_H
|
||||
+
|
||||
+/* Codes of the types of basic structures that are understood */
|
||||
+#define AA_CODE_BYTE (sizeof(u8))
|
||||
+#define INTERFACE_ID "INTERFACE"
|
||||
+
|
||||
+#define SUBDOMAIN_INTERFACE_VERSION 2
|
||||
+
|
||||
+enum aa_code {
|
||||
+ AA_U8,
|
||||
+ AA_U16,
|
||||
+ AA_U32,
|
||||
+ AA_U64,
|
||||
+ AA_NAME, /* same as string except it is items name */
|
||||
+ AA_DYN_STRING,
|
||||
+ AA_STATIC_BLOB,
|
||||
+ AA_STRUCT,
|
||||
+ AA_STRUCTEND,
|
||||
+ AA_LIST,
|
||||
+ AA_LISTEND,
|
||||
+ AA_OFFSET,
|
||||
+ AA_BAD
|
||||
+};
|
||||
+
|
||||
+/* aa_ext tracks the kernel buffer and read position in it. The interface
|
||||
+ * data is copied into a kernel buffer in apparmorfs and then handed off to
|
||||
+ * the activate routines.
|
||||
+ */
|
||||
+struct aa_ext {
|
||||
+ void *start;
|
||||
+ void *end;
|
||||
+ void *pos; /* pointer to current position in the buffer */
|
||||
+ u32 version;
|
||||
+};
|
||||
+
|
||||
+#endif /* __MODULEINTERFACE_H */
|
||||
-
|
||||
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
||||
Please read the FAQ at http://www.tux.org/lkml/
|
@ -1,681 +0,0 @@
|
||||
This patch implements three distinct chunks.
|
||||
- list management, for profiles loaded into the system (profile_list) and for
|
||||
the set of confined tasks (subdomain_list)
|
||||
- the proc/pid/attr interface used by userspace for setprofile (forcing
|
||||
a task into a new profile) and changehat (switching a task into one of it's
|
||||
defined sub profiles). Access to change_hat is normally via code provided
|
||||
in libapparmor. See the overview posting for more information in change hat.
|
||||
- capability utility functions (for displaying capability names)
|
||||
|
||||
|
||||
Signed-off-by: Tony Jones <tonyj@suse.de>
|
||||
|
||||
---
|
||||
security/apparmor/capabilities.c | 54 ++++++
|
||||
security/apparmor/list.c | 268 +++++++++++++++++++++++++++++++
|
||||
security/apparmor/procattr.c | 327 +++++++++++++++++++++++++++++++++++++++
|
||||
3 files changed, 649 insertions(+)
|
||||
|
||||
--- security/apparmor/capabilities.c.orig
|
||||
+++ security/apparmor/capabilities.c
|
||||
@@ -0,0 +1,54 @@
|
||||
+/*
|
||||
+ * Copyright (C) 2005 Novell/SUSE
|
||||
+ *
|
||||
+ * This program is free software; you can redistribute it and/or
|
||||
+ * modify it under the terms of the GNU General Public License as
|
||||
+ * published by the Free Software Foundation, version 2 of the
|
||||
+ * License.
|
||||
+ *
|
||||
+ * AppArmor capability definitions
|
||||
+ */
|
||||
+
|
||||
+#include "apparmor.h"
|
||||
+
|
||||
+static const char *cap_names[] = {
|
||||
+ "chown",
|
||||
+ "dac_override",
|
||||
+ "dac_read_search",
|
||||
+ "fowner",
|
||||
+ "fsetid",
|
||||
+ "kill",
|
||||
+ "setgid",
|
||||
+ "setuid",
|
||||
+ "setpcap",
|
||||
+ "linux_immutable",
|
||||
+ "net_bind_service",
|
||||
+ "net_broadcast",
|
||||
+ "net_admin",
|
||||
+ "net_raw",
|
||||
+ "ipc_lock",
|
||||
+ "ipc_owner",
|
||||
+ "sys_module",
|
||||
+ "sys_rawio",
|
||||
+ "sys_chroot",
|
||||
+ "sys_ptrace",
|
||||
+ "sys_pacct",
|
||||
+ "sys_admin",
|
||||
+ "sys_boot",
|
||||
+ "sys_nice",
|
||||
+ "sys_resource",
|
||||
+ "sys_time",
|
||||
+ "sys_tty_config",
|
||||
+ "mknod",
|
||||
+ "lease"
|
||||
+};
|
||||
+
|
||||
+const char *capability_to_name(unsigned int cap)
|
||||
+{
|
||||
+ const char *name;
|
||||
+
|
||||
+ name = (cap < (sizeof(cap_names) / sizeof(char *))
|
||||
+ ? cap_names[cap] : "invalid-capability");
|
||||
+
|
||||
+ return name;
|
||||
+}
|
||||
--- security/apparmor/list.c.orig
|
||||
+++ security/apparmor/list.c
|
||||
@@ -0,0 +1,268 @@
|
||||
+/*
|
||||
+ * Copyright (C) 1998-2005 Novell/SUSE
|
||||
+ *
|
||||
+ * This program is free software; you can redistribute it and/or
|
||||
+ * modify it under the terms of the GNU General Public License as
|
||||
+ * published by the Free Software Foundation, version 2 of the
|
||||
+ * License.
|
||||
+ *
|
||||
+ * AppArmor Profile List Management
|
||||
+ */
|
||||
+
|
||||
+#include <linux/seq_file.h>
|
||||
+#include "apparmor.h"
|
||||
+#include "inline.h"
|
||||
+
|
||||
+/* list of all profiles and lock */
|
||||
+static LIST_HEAD(profile_list);
|
||||
+static rwlock_t profile_lock = RW_LOCK_UNLOCKED;
|
||||
+
|
||||
+/* list of all subdomains and lock */
|
||||
+static LIST_HEAD(subdomain_list);
|
||||
+static rwlock_t subdomain_lock = RW_LOCK_UNLOCKED;
|
||||
+
|
||||
+/**
|
||||
+ * aa_profilelist_find
|
||||
+ * @name: profile name (program name)
|
||||
+ *
|
||||
+ * Search the profile list for profile @name. Return refcounted profile on
|
||||
+ * success, NULL on failure.
|
||||
+ */
|
||||
+struct aaprofile *aa_profilelist_find(const char *name)
|
||||
+{
|
||||
+ struct aaprofile *p = NULL;
|
||||
+ if (name) {
|
||||
+ read_lock(&profile_lock);
|
||||
+ p = __aa_find_profile(name, &profile_list);
|
||||
+ read_unlock(&profile_lock);
|
||||
+ }
|
||||
+ return p;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * aa_profilelist_add - add new profile to list
|
||||
+ * @profile: new profile to add to list
|
||||
+ *
|
||||
+ * NOTE: Caller must allocate necessary reference count that will be used
|
||||
+ * by the profile_list. This is because profile allocation alloc_aaprofile()
|
||||
+ * returns an unreferenced object with a initial count of %1.
|
||||
+ *
|
||||
+ * Return %1 on success, %0 on failure (already exists)
|
||||
+ */
|
||||
+int aa_profilelist_add(struct aaprofile *profile)
|
||||
+{
|
||||
+ struct aaprofile *old_profile;
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ if (!profile)
|
||||
+ goto out;
|
||||
+
|
||||
+ write_lock(&profile_lock);
|
||||
+ old_profile = __aa_find_profile(profile->name, &profile_list);
|
||||
+ if (old_profile) {
|
||||
+ put_aaprofile(old_profile);
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ list_add(&profile->list, &profile_list);
|
||||
+ ret = 1;
|
||||
+ out:
|
||||
+ write_unlock(&profile_lock);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * aa_profilelist_remove - remove a profile from the list by name
|
||||
+ * @name: name of profile to be removed
|
||||
+ *
|
||||
+ * If the profile exists remove profile from list and return its reference.
|
||||
+ * The reference count on profile is not decremented and should be decremented
|
||||
+ * when the profile is no longer needed
|
||||
+ */
|
||||
+struct aaprofile *aa_profilelist_remove(const char *name)
|
||||
+{
|
||||
+ struct aaprofile *profile = NULL;
|
||||
+ struct aaprofile *p, *tmp;
|
||||
+
|
||||
+ if (!name)
|
||||
+ goto out;
|
||||
+
|
||||
+ write_lock(&profile_lock);
|
||||
+ list_for_each_entry_safe(p, tmp, &profile_list, list) {
|
||||
+ if (!strcmp(p->name, name)) {
|
||||
+ list_del_init(&p->list);
|
||||
+ /* mark old profile as stale */
|
||||
+ p->isstale = 1;
|
||||
+ profile = p;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ write_unlock(&profile_lock);
|
||||
+
|
||||
+out:
|
||||
+ return profile;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * aa_profilelist_replace - replace a profile on the list
|
||||
+ * @profile: new profile
|
||||
+ *
|
||||
+ * Replace a profile on the profile list. Find the old profile by name in
|
||||
+ * the list, and replace it with the new profile. NOTE: Caller must allocate
|
||||
+ * necessary initial reference count for new profile as aa_profilelist_add().
|
||||
+ *
|
||||
+ * This is an atomic list operation. Returns the old profile (which is still
|
||||
+ * refcounted) if there was one, or NULL.
|
||||
+ */
|
||||
+struct aaprofile *aa_profilelist_replace(struct aaprofile *profile)
|
||||
+{
|
||||
+ struct aaprofile *oldprofile;
|
||||
+
|
||||
+ write_lock(&profile_lock);
|
||||
+ oldprofile = __aa_find_profile(profile->name, &profile_list);
|
||||
+ if (oldprofile) {
|
||||
+ list_del_init(&oldprofile->list);
|
||||
+ /* mark old profile as stale */
|
||||
+ oldprofile->isstale = 1;
|
||||
+
|
||||
+ /* __aa_find_profile incremented count, so adjust down */
|
||||
+ put_aaprofile(oldprofile);
|
||||
+ }
|
||||
+
|
||||
+ list_add(&profile->list, &profile_list);
|
||||
+ write_unlock(&profile_lock);
|
||||
+
|
||||
+ return oldprofile;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * aa_profilelist_release - Remove all profiles from profile_list
|
||||
+ */
|
||||
+void aa_profilelist_release(void)
|
||||
+{
|
||||
+ struct aaprofile *p, *tmp;
|
||||
+
|
||||
+ write_lock(&profile_lock);
|
||||
+ list_for_each_entry_safe(p, tmp, &profile_list, list) {
|
||||
+ list_del_init(&p->list);
|
||||
+ put_aaprofile(p);
|
||||
+ }
|
||||
+ write_unlock(&profile_lock);
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * aa_subdomainlist_add - Add subdomain to subdomain_list
|
||||
+ * @sd: new subdomain
|
||||
+ */
|
||||
+void aa_subdomainlist_add(struct subdomain *sd)
|
||||
+{
|
||||
+ unsigned long flags;
|
||||
+
|
||||
+ if (!sd) {
|
||||
+ AA_INFO("%s: bad subdomain\n", __FUNCTION__);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ write_lock_irqsave(&subdomain_lock, flags);
|
||||
+ /* new subdomains must be added to the end of the list due to a
|
||||
+ * subtle interaction between fork and profile replacement.
|
||||
+ */
|
||||
+ list_add_tail(&sd->list, &subdomain_list);
|
||||
+ write_unlock_irqrestore(&subdomain_lock, flags);
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * aa_subdomainlist_remove - Remove subdomain from subdomain_list
|
||||
+ * @sd: subdomain to be removed
|
||||
+ */
|
||||
+void aa_subdomainlist_remove(struct subdomain *sd)
|
||||
+{
|
||||
+ unsigned long flags;
|
||||
+
|
||||
+ if (sd) {
|
||||
+ write_lock_irqsave(&subdomain_lock, flags);
|
||||
+ list_del_init(&sd->list);
|
||||
+ write_unlock_irqrestore(&subdomain_lock, flags);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * aa_subdomainlist_iterate - iterate over the subdomain list applying @func
|
||||
+ * @func: method to be called for each element
|
||||
+ * @cookie: user passed data
|
||||
+ *
|
||||
+ * Iterate over subdomain list applying @func, stop when @func returns
|
||||
+ * non zero
|
||||
+ */
|
||||
+void aa_subdomainlist_iterate(aa_iter func, void *cookie)
|
||||
+{
|
||||
+ struct subdomain *node;
|
||||
+ int ret = 0;
|
||||
+ unsigned long flags;
|
||||
+
|
||||
+ read_lock_irqsave(&subdomain_lock, flags);
|
||||
+ list_for_each_entry(node, &subdomain_list, list) {
|
||||
+ ret = (*func) (node, cookie);
|
||||
+ if (ret != 0)
|
||||
+ break;
|
||||
+ }
|
||||
+ read_unlock_irqrestore(&subdomain_lock, flags);
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * aa_subdomainlist_release - Remove all subdomains from subdomain_list
|
||||
+ */
|
||||
+void aa_subdomainlist_release()
|
||||
+{
|
||||
+ struct subdomain *node, *tmp;
|
||||
+ unsigned long flags;
|
||||
+
|
||||
+ write_lock_irqsave(&subdomain_lock, flags);
|
||||
+ list_for_each_entry_safe(node, tmp, &subdomain_list, list) {
|
||||
+ list_del_init(&node->list);
|
||||
+ }
|
||||
+ write_unlock_irqrestore(&subdomain_lock, flags);
|
||||
+}
|
||||
+
|
||||
+/* seq_file helper routines
|
||||
+ * Used by apparmorfs.c to iterate over profile_list
|
||||
+ */
|
||||
+static void *p_start(struct seq_file *f, loff_t *pos)
|
||||
+{
|
||||
+ struct aaprofile *node;
|
||||
+ loff_t l = *pos;
|
||||
+
|
||||
+ read_lock(&profile_lock);
|
||||
+ list_for_each_entry(node, &profile_list, list)
|
||||
+ if (!l--)
|
||||
+ return node;
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
+static void *p_next(struct seq_file *f, void *p, loff_t *pos)
|
||||
+{
|
||||
+ struct list_head *lh = ((struct aaprofile *)p)->list.next;
|
||||
+ (*pos)++;
|
||||
+ return lh == &profile_list ?
|
||||
+ NULL : list_entry(lh, struct aaprofile, list);
|
||||
+}
|
||||
+
|
||||
+static void p_stop(struct seq_file *f, void *v)
|
||||
+{
|
||||
+ read_unlock(&profile_lock);
|
||||
+}
|
||||
+
|
||||
+static int seq_show_profile(struct seq_file *f, void *v)
|
||||
+{
|
||||
+ struct aaprofile *profile = (struct aaprofile *)v;
|
||||
+ seq_printf(f, "%s (%s)\n", profile->name,
|
||||
+ PROFILE_COMPLAIN(profile) ? "complain" : "enforce");
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+struct seq_operations apparmorfs_profiles_op = {
|
||||
+ .start = p_start,
|
||||
+ .next = p_next,
|
||||
+ .stop = p_stop,
|
||||
+ .show = seq_show_profile,
|
||||
+};
|
||||
--- security/apparmor/procattr.c.orig
|
||||
+++ security/apparmor/procattr.c
|
||||
@@ -0,0 +1,327 @@
|
||||
+/*
|
||||
+ * Copyright (C) 2005 Novell/SUSE
|
||||
+ *
|
||||
+ * This program is free software; you can redistribute it and/or
|
||||
+ * modify it under the terms of the GNU General Public License as
|
||||
+ * published by the Free Software Foundation, version 2 of the
|
||||
+ * License.
|
||||
+ *
|
||||
+ * AppArmor /proc/pid/attr handling
|
||||
+ */
|
||||
+
|
||||
+/* for isspace */
|
||||
+#include <linux/ctype.h>
|
||||
+
|
||||
+#include "apparmor.h"
|
||||
+#include "inline.h"
|
||||
+
|
||||
+size_t aa_getprocattr(struct aaprofile *active, char *str, size_t size)
|
||||
+{
|
||||
+ int error = -EACCES; /* default to a perm denied */
|
||||
+ size_t len;
|
||||
+
|
||||
+ if (active) {
|
||||
+ size_t lena, lenm, lenp = 0;
|
||||
+ const char *enforce_str = " (enforce)";
|
||||
+ const char *complain_str = " (complain)";
|
||||
+ const char *mode_str =
|
||||
+ PROFILE_COMPLAIN(active) ? complain_str : enforce_str;
|
||||
+
|
||||
+ lenm = strlen(mode_str);
|
||||
+
|
||||
+ lena = strlen(active->name);
|
||||
+
|
||||
+ len = lena;
|
||||
+ if (IN_SUBPROFILE(active)) {
|
||||
+ lenp = strlen(BASE_PROFILE(active)->name);
|
||||
+ len += (lenp + 1); /* +1 for ^ */
|
||||
+ }
|
||||
+ /* DONT null terminate strings we output via proc */
|
||||
+ len += (lenm + 1); /* for \n */
|
||||
+
|
||||
+ if (len <= size) {
|
||||
+ if (lenp) {
|
||||
+ memcpy(str, BASE_PROFILE(active)->name,
|
||||
+ lenp);
|
||||
+ str += lenp;
|
||||
+ *str++ = '^';
|
||||
+ }
|
||||
+
|
||||
+ memcpy(str, active->name, lena);
|
||||
+ str += lena;
|
||||
+ memcpy(str, mode_str, lenm);
|
||||
+ str += lenm;
|
||||
+ *str++ = '\n';
|
||||
+ error = len;
|
||||
+ } else {
|
||||
+ error = -ERANGE;
|
||||
+ }
|
||||
+ } else {
|
||||
+ const char *unconstrained_str = "unconstrained\n";
|
||||
+ len = strlen(unconstrained_str);
|
||||
+
|
||||
+ /* DONT null terminate strings we output via proc */
|
||||
+ if (len <= size) {
|
||||
+ memcpy(str, unconstrained_str, len);
|
||||
+ error = len;
|
||||
+ } else {
|
||||
+ error = -ERANGE;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return error;
|
||||
+
|
||||
+}
|
||||
+
|
||||
+int aa_setprocattr_changehat(char *hatinfo, size_t infosize)
|
||||
+{
|
||||
+ int error = -EINVAL;
|
||||
+ char *token = NULL, *hat, *smagic, *tmp;
|
||||
+ u32 magic;
|
||||
+ int rc, len, consumed;
|
||||
+ unsigned long flags;
|
||||
+
|
||||
+ AA_DEBUG("%s: %p %zd\n", __FUNCTION__, hatinfo, infosize);
|
||||
+
|
||||
+ /* strip leading white space */
|
||||
+ while (infosize && isspace(*hatinfo)) {
|
||||
+ hatinfo++;
|
||||
+ infosize--;
|
||||
+ }
|
||||
+
|
||||
+ if (infosize == 0)
|
||||
+ goto out;
|
||||
+
|
||||
+ /*
|
||||
+ * Copy string to a new buffer so we can play with it
|
||||
+ * It may be zero terminated but we add a trailing 0
|
||||
+ * for 100% safety
|
||||
+ */
|
||||
+ token = kmalloc(infosize + 1, GFP_KERNEL);
|
||||
+
|
||||
+ if (!token) {
|
||||
+ error = -ENOMEM;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ memcpy(token, hatinfo, infosize);
|
||||
+ token[infosize] = 0;
|
||||
+
|
||||
+ /* error is INVAL until we have at least parsed something */
|
||||
+ error = -EINVAL;
|
||||
+
|
||||
+ tmp = token;
|
||||
+ while (*tmp && *tmp != '^') {
|
||||
+ tmp++;
|
||||
+ }
|
||||
+
|
||||
+ if (!*tmp || tmp == token) {
|
||||
+ AA_WARN("%s: Invalid input '%s'\n", __FUNCTION__, token);
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ /* split magic and hat into two strings */
|
||||
+ *tmp = 0;
|
||||
+ smagic = token;
|
||||
+
|
||||
+ /*
|
||||
+ * Initially set consumed=strlen(magic), as if sscanf
|
||||
+ * consumes all input via the %x it will not process the %n
|
||||
+ * directive. Otherwise, if sscanf does not consume all the
|
||||
+ * input it will process the %n and update consumed.
|
||||
+ */
|
||||
+ consumed = len = strlen(smagic);
|
||||
+
|
||||
+ rc = sscanf(smagic, "%x%n", &magic, &consumed);
|
||||
+
|
||||
+ if (rc != 1 || consumed != len) {
|
||||
+ AA_WARN("%s: Invalid hex magic %s\n",
|
||||
+ __FUNCTION__,
|
||||
+ smagic);
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ hat = tmp + 1;
|
||||
+
|
||||
+ if (!*hat)
|
||||
+ hat = NULL;
|
||||
+
|
||||
+ if (!hat && !magic) {
|
||||
+ AA_WARN("%s: Invalid input, NULL hat and NULL magic\n",
|
||||
+ __FUNCTION__);
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ AA_DEBUG("%s: Magic 0x%x Hat '%s'\n",
|
||||
+ __FUNCTION__, magic, hat ? hat : NULL);
|
||||
+
|
||||
+ spin_lock_irqsave(&sd_lock, flags);
|
||||
+ error = aa_change_hat(hat, magic);
|
||||
+ spin_unlock_irqrestore(&sd_lock, flags);
|
||||
+
|
||||
+out:
|
||||
+ if (token) {
|
||||
+ memset(token, 0, infosize);
|
||||
+ kfree(token);
|
||||
+ }
|
||||
+
|
||||
+ return error;
|
||||
+}
|
||||
+
|
||||
+int aa_setprocattr_setprofile(struct task_struct *p, char *profilename,
|
||||
+ size_t profilesize)
|
||||
+{
|
||||
+ int error = -EINVAL;
|
||||
+ struct aaprofile *profile = NULL;
|
||||
+ struct subdomain *sd;
|
||||
+ char *name = NULL;
|
||||
+ unsigned long flags;
|
||||
+
|
||||
+ AA_DEBUG("%s: current %s(%d)\n",
|
||||
+ __FUNCTION__, current->comm, current->pid);
|
||||
+
|
||||
+ /* strip leading white space */
|
||||
+ while (profilesize && isspace(*profilename)) {
|
||||
+ profilename++;
|
||||
+ profilesize--;
|
||||
+ }
|
||||
+
|
||||
+ if (profilesize == 0)
|
||||
+ goto out;
|
||||
+
|
||||
+ /*
|
||||
+ * Copy string to a new buffer so we guarantee it is zero
|
||||
+ * terminated
|
||||
+ */
|
||||
+ name = kmalloc(profilesize + 1, GFP_KERNEL);
|
||||
+
|
||||
+ if (!name) {
|
||||
+ error = -ENOMEM;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ strncpy(name, profilename, profilesize);
|
||||
+ name[profilesize] = 0;
|
||||
+
|
||||
+ repeat:
|
||||
+ if (strcmp(name, "unconstrained") != 0) {
|
||||
+ profile = aa_profilelist_find(name);
|
||||
+ if (!profile) {
|
||||
+ AA_WARN("%s: Unable to switch task %s(%d) to profile"
|
||||
+ "'%s'. No such profile.\n",
|
||||
+ __FUNCTION__,
|
||||
+ p->comm, p->pid,
|
||||
+ name);
|
||||
+
|
||||
+ error = -EINVAL;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ spin_lock_irqsave(&sd_lock, flags);
|
||||
+
|
||||
+ sd = AA_SUBDOMAIN(p->security);
|
||||
+
|
||||
+ /* switch to unconstrained */
|
||||
+ if (!profile) {
|
||||
+ if (__aa_is_confined(sd)) {
|
||||
+ AA_WARN("%s: Unconstraining task %s(%d) "
|
||||
+ "profile %s active %s\n",
|
||||
+ __FUNCTION__,
|
||||
+ p->comm, p->pid,
|
||||
+ BASE_PROFILE(sd->active)->name,
|
||||
+ sd->active->name);
|
||||
+
|
||||
+ aa_switch_unconfined(sd);
|
||||
+ } else {
|
||||
+ AA_WARN("%s: task %s(%d) "
|
||||
+ "is already unconstrained\n",
|
||||
+ __FUNCTION__, p->comm, p->pid);
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (!sd) {
|
||||
+ /* this task was created before module was
|
||||
+ * loaded, allocate a subdomain
|
||||
+ */
|
||||
+ AA_WARN("%s: task %s(%d) has no subdomain\n",
|
||||
+ __FUNCTION__, p->comm, p->pid);
|
||||
+
|
||||
+ /* unlock so we can safely GFP_KERNEL */
|
||||
+ spin_unlock_irqrestore(&sd_lock, flags);
|
||||
+
|
||||
+ sd = alloc_subdomain(p);
|
||||
+ if (!sd) {
|
||||
+ AA_WARN("%s: Unable to allocate subdomain for "
|
||||
+ "task %s(%d). Cannot confine task to "
|
||||
+ "profile %s\n",
|
||||
+ __FUNCTION__,
|
||||
+ p->comm, p->pid,
|
||||
+ name);
|
||||
+
|
||||
+ error = -ENOMEM;
|
||||
+ put_aaprofile(profile);
|
||||
+
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ spin_lock_irqsave(&sd_lock, flags);
|
||||
+ if (!AA_SUBDOMAIN(p->security)) {
|
||||
+ p->security = sd;
|
||||
+ } else { /* race */
|
||||
+ free_subdomain(sd);
|
||||
+ sd = AA_SUBDOMAIN(p->security);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /* ensure the profile hasn't been replaced */
|
||||
+
|
||||
+ if (unlikely(profile->isstale)) {
|
||||
+ WARN_ON(profile == null_complain_profile);
|
||||
+
|
||||
+ /* drop refcnt obtained from earlier get_aaprofile */
|
||||
+ put_aaprofile(profile);
|
||||
+ profile = aa_profilelist_find(name);
|
||||
+
|
||||
+ if (!profile) {
|
||||
+ /* Race, profile was removed. */
|
||||
+ spin_unlock_irqrestore(&sd_lock, flags);
|
||||
+ goto repeat;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /* we do not do a normal task replace since we are not
|
||||
+ * replacing with the same profile.
|
||||
+ * If existing process is in a hat, it will be moved
|
||||
+ * into the new parent profile, even if this new
|
||||
+ * profile has a identical named hat.
|
||||
+ */
|
||||
+
|
||||
+ AA_WARN("%s: Switching task %s(%d) "
|
||||
+ "profile %s active %s to new profile %s\n",
|
||||
+ __FUNCTION__,
|
||||
+ p->comm, p->pid,
|
||||
+ sd->active ? BASE_PROFILE(sd->active)->name :
|
||||
+ "unconstrained",
|
||||
+ sd->active ? sd->active->name : "unconstrained",
|
||||
+ name);
|
||||
+
|
||||
+ aa_switch(sd, profile);
|
||||
+
|
||||
+ put_aaprofile(profile); /* drop ref we obtained above
|
||||
+ * from aa_profilelist_find
|
||||
+ */
|
||||
+
|
||||
+ /* Reset magic in case we were in a subhat before
|
||||
+ * This is the only case where we zero the magic after
|
||||
+ * calling aa_switch
|
||||
+ */
|
||||
+ sd->hat_magic = 0;
|
||||
+ }
|
||||
+
|
||||
+ spin_unlock_irqrestore(&sd_lock, flags);
|
||||
+
|
||||
+out:
|
||||
+ kfree(name);
|
||||
+
|
||||
+ return error;
|
||||
+}
|
||||
-
|
||||
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
||||
Please read the FAQ at http://www.tux.org/lkml/
|
@ -1,246 +0,0 @@
|
||||
The file match.h specifies a sub module interface consisting of the following
|
||||
functions:
|
||||
|
||||
aamatch_alloc
|
||||
aamatch_free
|
||||
Allocates/deallocates submodule specific data used by each
|
||||
loaded profile (policy).
|
||||
|
||||
aamatch_features
|
||||
Returns the list of features implemented by the submodule.
|
||||
These are literal, tailglob ("/path/**" match all paths
|
||||
below /path) and pattern (full shell based pathname expansion).
|
||||
|
||||
aamatch_serialize
|
||||
Called by the module interface to serialize submodule specific
|
||||
data from userspace.
|
||||
|
||||
aamatch_match
|
||||
Called to perform matching on a generated pathname.
|
||||
|
||||
|
||||
The submodule submitted here implements only "literal" and "tailglob".
|
||||
The version included with SuSE Linux implements "pattern" but via a method
|
||||
that is not acceptable for mainline inclusion. We plan on developing
|
||||
a new submodule as soon as possible that will implement the missing
|
||||
functionality of the SuSE release using the textsearch framework and
|
||||
a new bounded textsearch algorithm acceptable for subsequent inclusion
|
||||
into the mainline kernel.
|
||||
|
||||
|
||||
Signed-off-by: Tony Jones <tonyj@suse.de>
|
||||
|
||||
---
|
||||
security/apparmor/match/Makefile | 5 +
|
||||
security/apparmor/match/match.h | 132 ++++++++++++++++++++++++++++++++
|
||||
security/apparmor/match/match_default.c | 57 +++++++++++++
|
||||
3 files changed, 194 insertions(+)
|
||||
|
||||
--- security/apparmor/match/Makefile.orig
|
||||
+++ security/apparmor/match/Makefile
|
||||
@@ -0,0 +1,5 @@
|
||||
+# Makefile for AppArmor aamatch submodule
|
||||
+#
|
||||
+obj-$(CONFIG_SECURITY_APPARMOR) += aamatch_default.o
|
||||
+
|
||||
+aamatch_default-y := match_default.o
|
||||
--- security/apparmor/match/match.h.orig
|
||||
+++ security/apparmor/match/match.h
|
||||
@@ -0,0 +1,132 @@
|
||||
+/*
|
||||
+ * Copyright (C) 2002-2005 Novell/SUSE
|
||||
+ *
|
||||
+ * This program is free software; you can redistribute it and/or
|
||||
+ * modify it under the terms of the GNU General Public License as
|
||||
+ * published by the Free Software Foundation, version 2 of the
|
||||
+ * License.
|
||||
+ *
|
||||
+ * AppArmor submodule (match) prototypes
|
||||
+ */
|
||||
+
|
||||
+#ifndef __MATCH_H
|
||||
+#define __MATCH_H
|
||||
+
|
||||
+#include "../module_interface.h"
|
||||
+#include "../apparmor.h"
|
||||
+
|
||||
+/* The following functions implement an interface used by the primary
|
||||
+ * AppArmor module to perform name matching (n.b. "AppArmor" was previously
|
||||
+ * called "SubDomain").
|
||||
+
|
||||
+ * aamatch_alloc
|
||||
+ * aamatch_free
|
||||
+ * aamatch_features
|
||||
+ * aamatch_serialize
|
||||
+ * aamatch_match
|
||||
+ *
|
||||
+ * The intent is for the primary module to export (via virtual fs entries)
|
||||
+ * the features provided by the submodule (aamatch_features) so that the
|
||||
+ * parser may only load policy that can be supported.
|
||||
+ *
|
||||
+ * The primary module will call aamatch_serialize to allow the submodule
|
||||
+ * to consume submodule specific data from parser data stream and will call
|
||||
+ * aamatch_match to determine if a pathname matches an aa_entry.
|
||||
+ */
|
||||
+
|
||||
+typedef int (*aamatch_serializecb)
|
||||
+ (struct aa_ext *, enum aa_code, void *, const char *);
|
||||
+
|
||||
+/**
|
||||
+ * aamatch_alloc: allocate extradata (if necessary)
|
||||
+ * @type: type of entry being allocated
|
||||
+ * Return value: NULL indicates no data was allocated (ERR_PTR(x) on error)
|
||||
+ */
|
||||
+extern void* aamatch_alloc(enum entry_match_type type);
|
||||
+
|
||||
+/**
|
||||
+ * aamatch_free: release data allocated by aamatch_alloc
|
||||
+ * @entry_extradata: data previously allocated by aamatch_alloc
|
||||
+ */
|
||||
+extern void aamatch_free(void *entry_extradata);
|
||||
+
|
||||
+/**
|
||||
+ * aamatch_features: return match types supported
|
||||
+ * Return value: space seperated string (of types supported - use type=value
|
||||
+ * to indicate variants of a type)
|
||||
+ */
|
||||
+extern const char* aamatch_features(void);
|
||||
+
|
||||
+/**
|
||||
+ * aamatch_serialize: serialize extradata
|
||||
+ * @entry_extradata: data previously allocated by aamatch_alloc
|
||||
+ * @e: input stream
|
||||
+ * @cb: callback fn (consume incoming data stream)
|
||||
+ * Return value: 0 success, -ve error
|
||||
+ */
|
||||
+extern int aamatch_serialize(void *entry_extradata, struct aa_ext *e,
|
||||
+ aamatch_serializecb cb);
|
||||
+
|
||||
+/**
|
||||
+ * aamatch_match: determine if pathname matches entry
|
||||
+ * @pathname: pathname to verify
|
||||
+ * @entry_name: entry name
|
||||
+ * @type: type of entry
|
||||
+ * @entry_extradata: data previously allocated by aamatch_alloc
|
||||
+ * Return value: 1 match, 0 othersise
|
||||
+ */
|
||||
+extern unsigned int aamatch_match(const char *pathname, const char *entry_name,
|
||||
+ enum entry_match_type type,
|
||||
+ void *entry_extradata);
|
||||
+
|
||||
+
|
||||
+/**
|
||||
+ * sd_getmatch_type - return string representation of entry_match_type
|
||||
+ * @type: entry match type
|
||||
+ */
|
||||
+static inline const char *sd_getmatch_type(enum entry_match_type type)
|
||||
+{
|
||||
+ const char *names[] = {
|
||||
+ "aa_entry_literal",
|
||||
+ "aa_entry_tailglob",
|
||||
+ "aa_entry_pattern",
|
||||
+ "aa_entry_invalid"
|
||||
+ };
|
||||
+
|
||||
+ if (type >= aa_entry_invalid) {
|
||||
+ type = aa_entry_invalid;
|
||||
+ }
|
||||
+
|
||||
+ return names[type];
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * aamatch_match_common - helper function to check if a pathname matches
|
||||
+ * a literal/tailglob
|
||||
+ * @path: path requested to search for
|
||||
+ * @entry_name: name from aa_entry
|
||||
+ * @type: type of entry
|
||||
+ */
|
||||
+static inline int aamatch_match_common(const char *path,
|
||||
+ const char *entry_name,
|
||||
+ enum entry_match_type type)
|
||||
+{
|
||||
+ int retval;
|
||||
+
|
||||
+ /* literal, no pattern matching characters */
|
||||
+ if (type == aa_entry_literal) {
|
||||
+ retval = (strcmp(entry_name, path) == 0);
|
||||
+ /* trailing ** glob pattern */
|
||||
+ } else if (type == aa_entry_tailglob) {
|
||||
+ retval = (strncmp(entry_name, path,
|
||||
+ strlen(entry_name) - 2) == 0);
|
||||
+ } else {
|
||||
+ AA_WARN("%s: Invalid entry_match_type %d\n",
|
||||
+ __FUNCTION__, type);
|
||||
+ retval = 0;
|
||||
+ }
|
||||
+
|
||||
+ return retval;
|
||||
+}
|
||||
+
|
||||
+#endif /* __MATCH_H */
|
||||
--- security/apparmor/match/match_default.c.orig
|
||||
+++ security/apparmor/match/match_default.c
|
||||
@@ -0,0 +1,57 @@
|
||||
+/*
|
||||
+ * Copyright (C) 2002-2005 Novell/SUSE
|
||||
+ *
|
||||
+ * This program is free software; you can redistribute it and/or
|
||||
+ * modify it under the terms of the GNU General Public License as
|
||||
+ * published by the Free Software Foundation, version 2 of the
|
||||
+ * License.
|
||||
+ *
|
||||
+ * http://forge.novell.com/modules/xfmod/project/?apparmor
|
||||
+ *
|
||||
+ * AppArmor default match submodule (literal and tailglob)
|
||||
+ */
|
||||
+
|
||||
+#include <linux/module.h>
|
||||
+#include "match.h"
|
||||
+
|
||||
+static const char *features="literal tailglob";
|
||||
+
|
||||
+void* aamatch_alloc(enum entry_match_type type)
|
||||
+{
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
+void aamatch_free(void *ptr)
|
||||
+{
|
||||
+}
|
||||
+
|
||||
+const char *aamatch_features(void)
|
||||
+{
|
||||
+ return features;
|
||||
+}
|
||||
+
|
||||
+int aamatch_serialize(void *entry_extradata, struct aa_ext *e,
|
||||
+ aamatch_serializecb cb)
|
||||
+{
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+unsigned int aamatch_match(const char *pathname, const char *entry_name,
|
||||
+ enum entry_match_type type, void *entry_extradata)
|
||||
+{
|
||||
+ int ret;
|
||||
+
|
||||
+ ret = aamatch_match_common(pathname, entry_name, type);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+EXPORT_SYMBOL_GPL(aamatch_alloc);
|
||||
+EXPORT_SYMBOL_GPL(aamatch_free);
|
||||
+EXPORT_SYMBOL_GPL(aamatch_features);
|
||||
+EXPORT_SYMBOL_GPL(aamatch_serialize);
|
||||
+EXPORT_SYMBOL_GPL(aamatch_match);
|
||||
+
|
||||
+MODULE_DESCRIPTION("AppArmor match module (aamatch) [default]");
|
||||
+MODULE_AUTHOR("Tony Jones <tonyj@suse.de>");
|
||||
+MODULE_LICENSE("GPL");
|
||||
-
|
||||
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
||||
Please read the FAQ at http://www.tux.org/lkml/
|
@ -1,58 +0,0 @@
|
||||
This patch adds AppArmor support to the audit subsystem.
|
||||
|
||||
It creates id 1500 (already included in the the upstream auditd package) for
|
||||
AppArmor messages.
|
||||
|
||||
It also exports the audit_log_vformat function (analagous to having both
|
||||
printk and vprintk exported).
|
||||
|
||||
Signed-off-by: Tony Jones <tonyj@suse.de>
|
||||
|
||||
---
|
||||
include/linux/audit.h | 5 +++++
|
||||
kernel/audit.c | 3 ++-
|
||||
2 files changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
--- linux-2.6.17-rc1.orig/include/linux/audit.h
|
||||
+++ linux-2.6.17-rc1/include/linux/audit.h
|
||||
@@ -95,6 +95,8 @@
|
||||
#define AUDIT_LAST_KERN_ANOM_MSG 1799
|
||||
#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
|
||||
|
||||
+#define AUDIT_AA 1500 /* AppArmor audit */
|
||||
+
|
||||
#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
|
||||
|
||||
/* Rule flags */
|
||||
@@ -349,6 +351,9 @@
|
||||
__attribute__((format(printf,4,5)));
|
||||
|
||||
extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
|
||||
+extern void audit_log_vformat(struct audit_buffer *ab,
|
||||
+ const char *fmt, va_list args)
|
||||
+ __attribute__((format(printf,2,0)));
|
||||
extern void audit_log_format(struct audit_buffer *ab,
|
||||
const char *fmt, ...)
|
||||
__attribute__((format(printf,2,3)));
|
||||
--- linux-2.6.17-rc1.orig/kernel/audit.c
|
||||
+++ linux-2.6.17-rc1/kernel/audit.c
|
||||
@@ -797,7 +797,7 @@
|
||||
* will be called a second time. Currently, we assume that a printk
|
||||
* can't format message larger than 1024 bytes, so we don't either.
|
||||
*/
|
||||
-static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
|
||||
+void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
|
||||
va_list args)
|
||||
{
|
||||
int len, avail;
|
||||
@@ -999,4 +999,5 @@
|
||||
EXPORT_SYMBOL(audit_log_start);
|
||||
EXPORT_SYMBOL(audit_log_end);
|
||||
EXPORT_SYMBOL(audit_log_format);
|
||||
+EXPORT_SYMBOL(audit_log_vformat);
|
||||
EXPORT_SYMBOL(audit_log);
|
||||
-
|
||||
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
||||
Please read the FAQ at http://www.tux.org/lkml/
|
@ -1,170 +0,0 @@
|
||||
This patch adds a new function d_path_flags which takes an additional flags
|
||||
parameter. Adding a new function rather than ammending the existing d_path
|
||||
was done to avoid impact on the current users.
|
||||
|
||||
It is not essential for inclusion with AppArmor (the apparmor_mediation.patch
|
||||
can easily be revised to use plain d_path) but it enables cleaner code
|
||||
["(delete)" handling] and closes a loophole with pathname generation for
|
||||
chrooted tasks.
|
||||
|
||||
It currently adds two flags:
|
||||
|
||||
DPATH_SYSROOT:
|
||||
d_path should generate a path from the system root rather than the
|
||||
task's current root.
|
||||
|
||||
For AppArmor this enables generation of absolute pathnames in all
|
||||
cases. Currently when a task is chrooted, file access is reported
|
||||
relative to the chroot. Because it is currently not possible to
|
||||
obtain the absolute path in an SMP safe way, without this patch
|
||||
AppArmor will have to report chroot-relative pathnames.
|
||||
|
||||
DPATH_NODELETED:
|
||||
d_path should not append "(deleted)" to unhashed entries. Sometimes
|
||||
this information is not useful for the caller and the string can
|
||||
exist as the suffix of a valid pathname.
|
||||
|
||||
Signed-off-by: Tony Jones <tonyj@suse.de>
|
||||
|
||||
---
|
||||
fs/dcache.c | 48 ++++++++++++++++++++++++++++++++----------------
|
||||
include/linux/dcache.h | 7 +++++++
|
||||
2 files changed, 39 insertions(+), 16 deletions(-)
|
||||
|
||||
--- linux-2.6.17-rc1.orig/fs/dcache.c
|
||||
+++ linux-2.6.17-rc1/fs/dcache.c
|
||||
@@ -1381,9 +1381,11 @@
|
||||
* @rootmnt: vfsmnt to which the root dentry belongs
|
||||
* @buffer: buffer to return value in
|
||||
* @buflen: buffer length
|
||||
+ * @flags: control flags
|
||||
*
|
||||
* Convert a dentry into an ASCII path name. If the entry has been deleted
|
||||
- * the string " (deleted)" is appended. Note that this is ambiguous.
|
||||
+ * and DPATH_NODELETED is not specified in flags then the string " (deleted)"
|
||||
+ * is appended. Note that this is ambiguous.
|
||||
*
|
||||
* Returns the buffer or an error code if the path was too long.
|
||||
*
|
||||
@@ -1391,7 +1393,7 @@
|
||||
*/
|
||||
static char * __d_path( struct dentry *dentry, struct vfsmount *vfsmnt,
|
||||
struct dentry *root, struct vfsmount *rootmnt,
|
||||
- char *buffer, int buflen)
|
||||
+ char *buffer, int buflen, unsigned int flags)
|
||||
{
|
||||
char * end = buffer+buflen;
|
||||
char * retval;
|
||||
@@ -1399,7 +1401,8 @@
|
||||
|
||||
*--end = '\0';
|
||||
buflen--;
|
||||
- if (!IS_ROOT(dentry) && d_unhashed(dentry)) {
|
||||
+ if (!(flags & DPATH_NODELETED) &&
|
||||
+ !IS_ROOT(dentry) && d_unhashed(dentry)) {
|
||||
buflen -= 10;
|
||||
end -= 10;
|
||||
if (buflen < 0)
|
||||
@@ -1416,7 +1419,8 @@
|
||||
for (;;) {
|
||||
struct dentry * parent;
|
||||
|
||||
- if (dentry == root && vfsmnt == rootmnt)
|
||||
+ if (!(flags & DPATH_SYSROOT) &&
|
||||
+ dentry == root && vfsmnt == rootmnt)
|
||||
break;
|
||||
if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
|
||||
/* Global root? */
|
||||
@@ -1458,25 +1462,36 @@
|
||||
}
|
||||
|
||||
/* write full pathname into buffer and return start of pathname */
|
||||
-char * d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
|
||||
- char *buf, int buflen)
|
||||
+char * d_path_flags(struct dentry *dentry, struct vfsmount *vfsmnt,
|
||||
+ char *buf, int buflen, unsigned int flags)
|
||||
{
|
||||
char *res;
|
||||
- struct vfsmount *rootmnt;
|
||||
- struct dentry *root;
|
||||
+ struct vfsmount *rootmnt = NULL;
|
||||
+ struct dentry *root = NULL;
|
||||
|
||||
- read_lock(¤t->fs->lock);
|
||||
- rootmnt = mntget(current->fs->rootmnt);
|
||||
- root = dget(current->fs->root);
|
||||
- read_unlock(¤t->fs->lock);
|
||||
+ if (!(flags & DPATH_SYSROOT)){
|
||||
+ read_lock(¤t->fs->lock);
|
||||
+ rootmnt = mntget(current->fs->rootmnt);
|
||||
+ root = dget(current->fs->root);
|
||||
+ read_unlock(¤t->fs->lock);
|
||||
+ }
|
||||
spin_lock(&dcache_lock);
|
||||
- res = __d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
|
||||
+ res = __d_path(dentry, vfsmnt, root, rootmnt, buf, buflen, flags);
|
||||
spin_unlock(&dcache_lock);
|
||||
- dput(root);
|
||||
- mntput(rootmnt);
|
||||
+ if (!(flags & DPATH_SYSROOT)){
|
||||
+ dput(root);
|
||||
+ mntput(rootmnt);
|
||||
+ }
|
||||
return res;
|
||||
}
|
||||
|
||||
+/* original d_path without support for flags */
|
||||
+char * d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
|
||||
+ char *buf, int buflen)
|
||||
+{
|
||||
+ return d_path_flags(dentry, vfsmnt, buf, buflen, 0);
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* NOTE! The user-level library version returns a
|
||||
* character pointer. The kernel system call just
|
||||
@@ -1519,7 +1534,7 @@
|
||||
unsigned long len;
|
||||
char * cwd;
|
||||
|
||||
- cwd = __d_path(pwd, pwdmnt, root, rootmnt, page, PAGE_SIZE);
|
||||
+ cwd = __d_path(pwd, pwdmnt, root, rootmnt, page, PAGE_SIZE, 0);
|
||||
spin_unlock(&dcache_lock);
|
||||
|
||||
error = PTR_ERR(cwd);
|
||||
@@ -1771,6 +1786,7 @@
|
||||
EXPORT_SYMBOL(d_invalidate);
|
||||
EXPORT_SYMBOL(d_lookup);
|
||||
EXPORT_SYMBOL(d_move);
|
||||
+EXPORT_SYMBOL(d_path_flags);
|
||||
EXPORT_SYMBOL(d_path);
|
||||
EXPORT_SYMBOL(d_prune_aliases);
|
||||
EXPORT_SYMBOL(d_rehash);
|
||||
--- linux-2.6.17-rc1.orig/include/linux/dcache.h
|
||||
+++ linux-2.6.17-rc1/include/linux/dcache.h
|
||||
@@ -164,6 +164,10 @@
|
||||
|
||||
#define DCACHE_INOTIFY_PARENT_WATCHED 0x0020 /* Parent inode is watched */
|
||||
|
||||
+/* dpath flags */
|
||||
+#define DPATH_SYSROOT 0x0001 /* continue past fsroot (chroot) */
|
||||
+#define DPATH_NODELETED 0x0002 /* do not append " (deleted)" */
|
||||
+
|
||||
extern spinlock_t dcache_lock;
|
||||
|
||||
/**
|
||||
@@ -281,6 +285,9 @@
|
||||
extern int d_validate(struct dentry *, struct dentry *);
|
||||
|
||||
extern char * d_path(struct dentry *, struct vfsmount *, char *, int);
|
||||
+
|
||||
+extern char * d_path_flags(struct dentry *, struct vfsmount *, char *, int,
|
||||
+ unsigned int);
|
||||
|
||||
/* Allocation counts.. */
|
||||
|
||||
-
|
||||
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
||||
Please read the FAQ at http://www.tux.org/lkml/
|
@ -1,53 +0,0 @@
|
||||
This patch exports the namespace_sem semaphore.
|
||||
|
||||
The shared subtree patches which went into 2.6.15-rc1 replaced the old
|
||||
namespace semaphore which used to be per namespace (and visible) with a
|
||||
new single static semaphore.
|
||||
|
||||
The reason for this change is that currently visibility of vfsmount information
|
||||
to the LSM hooks is fairly patchy. Either there is no passed parameter or
|
||||
it can be NULL. For the case of the former, several LSM hooks that we
|
||||
require to mediate have no vfsmount/nameidata passed. We previously (mis)used
|
||||
the visibility of the old per namespace semaphore to walk the processes
|
||||
namespace looking for vfsmounts with a root dentry matching the dentry we were
|
||||
trying to mediate.
|
||||
|
||||
Clearly this is not viable long term strategy and changes working towards
|
||||
passing a vfsmount to all relevant LSM hooks would seem necessary (and also
|
||||
useful for other users of LSM). Alternative suggestions and ideas are welcomed.
|
||||
|
||||
Signed-off-by: Tony Jones <tonyj@suse.de>
|
||||
|
||||
---
|
||||
fs/namespace.c | 3 ++-
|
||||
include/linux/namespace.h | 2 ++
|
||||
2 files changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
--- linux-2.6.17-rc1.orig/fs/namespace.c
|
||||
+++ linux-2.6.17-rc1/fs/namespace.c
|
||||
@@ -46,7 +46,8 @@
|
||||
static struct list_head *mount_hashtable __read_mostly;
|
||||
static int hash_mask __read_mostly, hash_bits __read_mostly;
|
||||
static kmem_cache_t *mnt_cache __read_mostly;
|
||||
-static struct rw_semaphore namespace_sem;
|
||||
+struct rw_semaphore namespace_sem;
|
||||
+EXPORT_SYMBOL_GPL(namespace_sem);
|
||||
|
||||
/* /sys/fs */
|
||||
decl_subsys(fs, NULL, NULL);
|
||||
--- linux-2.6.17-rc1.orig/include/linux/namespace.h
|
||||
+++ linux-2.6.17-rc1/include/linux/namespace.h
|
||||
@@ -5,6 +5,8 @@
|
||||
#include <linux/mount.h>
|
||||
#include <linux/sched.h>
|
||||
|
||||
+extern struct rw_semaphore namespace_sem;
|
||||
+
|
||||
struct namespace {
|
||||
atomic_t count;
|
||||
struct vfsmount * root;
|
||||
-
|
||||
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
||||
Please read the FAQ at http://www.tux.org/lkml/
|
@ -1,59 +0,0 @@
|
||||
Subject: Export audit subsystem for use by modules
|
||||
Patch-mainline: no
|
||||
|
||||
Adds necessary export symbols for audit subsystem routines.
|
||||
Changes audit_log_vformat to be externally visible (analagous to vprintf)
|
||||
Patch is not in mainline -- pending AppArmor code submission to lkml
|
||||
|
||||
Index: linux-2.6.17/include/linux/audit.h
|
||||
===================================================================
|
||||
--- linux-2.6.17.orig/include/linux/audit.h
|
||||
+++ linux-2.6.17/include/linux/audit.h
|
||||
@@ -92,6 +92,8 @@
|
||||
#define AUDIT_MAC_STATUS 1404 /* Changed enforcing,permissive,off */
|
||||
#define AUDIT_MAC_CONFIG_CHANGE 1405 /* Changes to booleans */
|
||||
|
||||
+#define AUDIT_SD 1500 /* AppArmor (SubDomain) audit */
|
||||
+
|
||||
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
|
||||
#define AUDIT_LAST_KERN_ANOM_MSG 1799
|
||||
#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
|
||||
@@ -357,6 +359,9 @@
|
||||
__attribute__((format(printf,4,5)));
|
||||
|
||||
extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
|
||||
+extern void audit_log_vformat(struct audit_buffer *ab,
|
||||
+ const char *fmt, va_list args)
|
||||
+ __attribute__((format(printf,2,0)));
|
||||
extern void audit_log_format(struct audit_buffer *ab,
|
||||
const char *fmt, ...)
|
||||
__attribute__((format(printf,2,3)));
|
||||
|
||||
Index: linux-2.6.17/kernel/audit.c
|
||||
===================================================================
|
||||
--- linux-2.6.17.orig/kernel/audit.c
|
||||
+++ linux-2.6.17/kernel/audit.c
|
||||
@@ -893,7 +893,7 @@
|
||||
* will be called a second time. Currently, we assume that a printk
|
||||
* can't format message larger than 1024 bytes, so we don't either.
|
||||
*/
|
||||
-static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
|
||||
+void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
|
||||
va_list args)
|
||||
{
|
||||
int len, avail;
|
||||
@@ -1092,7 +1092,10 @@
|
||||
}
|
||||
}
|
||||
|
||||
-EXPORT_SYMBOL(audit_log_start);
|
||||
-EXPORT_SYMBOL(audit_log_end);
|
||||
-EXPORT_SYMBOL(audit_log_format);
|
||||
-EXPORT_SYMBOL(audit_log);
|
||||
+EXPORT_SYMBOL_GPL(audit_log_start);
|
||||
+EXPORT_SYMBOL_GPL(audit_log_vformat);
|
||||
+EXPORT_SYMBOL_GPL(audit_log_format);
|
||||
+EXPORT_SYMBOL_GPL(audit_log_untrustedstring);
|
||||
+EXPORT_SYMBOL_GPL(audit_log_d_path);
|
||||
+EXPORT_SYMBOL_GPL(audit_log_end);
|
||||
+EXPORT_SYMBOL_GPL(audit_log);
|
File diff suppressed because it is too large
Load Diff
@ -1,36 +0,0 @@
|
||||
Subject: Export namespace semaphore
|
||||
Patch-mainline: no
|
||||
|
||||
Export global namespace_sem (this used to be a per namespace semaphore).
|
||||
Alas, this isn't going to win _any_ points for style.
|
||||
Patch is not in mainline -- pending AppArmor code submission to lkml
|
||||
|
||||
Index: linux-2.6.17/fs/namespace.c
|
||||
===================================================================
|
||||
--- linux-2.6.17.orig/fs/namespace.c
|
||||
+++ linux-2.6.17/fs/namespace.c
|
||||
@@ -46,7 +46,8 @@
|
||||
static struct list_head *mount_hashtable __read_mostly;
|
||||
static int hash_mask __read_mostly, hash_bits __read_mostly;
|
||||
static kmem_cache_t *mnt_cache __read_mostly;
|
||||
-static struct rw_semaphore namespace_sem;
|
||||
+struct rw_semaphore namespace_sem;
|
||||
+EXPORT_SYMBOL_GPL(namespace_sem);
|
||||
|
||||
/* /sys/fs */
|
||||
decl_subsys(fs, NULL, NULL);
|
||||
|
||||
Index: linux-2.6.17/include/linux/namespace.h
|
||||
===================================================================
|
||||
--- linux-2.6.17.orig/include/linux/namespace.h
|
||||
+++ linux-2.6.17/include/linux/namespace.h
|
||||
@@ -5,6 +5,9 @@
|
||||
#include <linux/mount.h>
|
||||
#include <linux/sched.h>
|
||||
|
||||
+/* exported for AppArmor (SubDomain) */
|
||||
+extern struct rw_semaphore namespace_sem;
|
||||
+
|
||||
struct namespace {
|
||||
atomic_t count;
|
||||
struct vfsmount * root;
|
@ -1,12 +0,0 @@
|
||||
MD5 a6a5ccde0c291921c155a74da36463a2 apparmor-kernel-patches-2.6.17.9.tar.gz 231231
|
||||
RMD160 762d4b59aa508cfd82ebbeba4822ffb0551f5888 apparmor-kernel-patches-2.6.17.9.tar.gz 231231
|
||||
SHA256 0884cd7bfdff4505fd5271ca68b72f74b352d209321ef60dc81620b0539f0ec7 apparmor-kernel-patches-2.6.17.9.tar.gz 231231
|
||||
MD5 cd5d67dc1d3514ec240497efff0f8726 genpatches-2.6.17-1.base.tar.bz2 3337
|
||||
RMD160 f9b5621fed8fcfee7da697d89097842287b41b24 genpatches-2.6.17-1.base.tar.bz2 3337
|
||||
SHA256 2208b72729dce6daef7dc5700192aec0ae17327c794681621d2123f0c483ae21 genpatches-2.6.17-1.base.tar.bz2 3337
|
||||
MD5 0b6385904bccbd9d6c5508565e5c76ff genpatches-2.6.17-1.extras.tar.bz2 138704
|
||||
RMD160 14b17e02b7893e6b023bee9e1b40f4bc85a30f05 genpatches-2.6.17-1.extras.tar.bz2 138704
|
||||
SHA256 fa10ec7d3d74c8bf57fb3bd01c33f83dcca3c1e4cd4601937cc2ef904cce1dfe genpatches-2.6.17-1.extras.tar.bz2 138704
|
||||
MD5 37ddefe96625502161f075b9d907f21e linux-2.6.17.tar.bz2 41272919
|
||||
RMD160 26aad30c9a6610665c6c7d62401d79bf56a6a699 linux-2.6.17.tar.bz2 41272919
|
||||
SHA256 ab0f647d52f124958439517df9e1ae0efda90cdb851f59f522fa1749f1d87d58 linux-2.6.17.tar.bz2 41272919
|
@ -1,9 +0,0 @@
|
||||
MD5 cd5d67dc1d3514ec240497efff0f8726 genpatches-2.6.17-1.base.tar.bz2 3337
|
||||
RMD160 f9b5621fed8fcfee7da697d89097842287b41b24 genpatches-2.6.17-1.base.tar.bz2 3337
|
||||
SHA256 2208b72729dce6daef7dc5700192aec0ae17327c794681621d2123f0c483ae21 genpatches-2.6.17-1.base.tar.bz2 3337
|
||||
MD5 0b6385904bccbd9d6c5508565e5c76ff genpatches-2.6.17-1.extras.tar.bz2 138704
|
||||
RMD160 14b17e02b7893e6b023bee9e1b40f4bc85a30f05 genpatches-2.6.17-1.extras.tar.bz2 138704
|
||||
SHA256 fa10ec7d3d74c8bf57fb3bd01c33f83dcca3c1e4cd4601937cc2ef904cce1dfe genpatches-2.6.17-1.extras.tar.bz2 138704
|
||||
MD5 37ddefe96625502161f075b9d907f21e linux-2.6.17.tar.bz2 41272919
|
||||
RMD160 26aad30c9a6610665c6c7d62401d79bf56a6a699 linux-2.6.17.tar.bz2 41272919
|
||||
SHA256 ab0f647d52f124958439517df9e1ae0efda90cdb851f59f522fa1749f1d87d58 linux-2.6.17.tar.bz2 41272919
|
@ -1,12 +0,0 @@
|
||||
MD5 523e91619920dea824a35bf813db1b67 apparmor-kernel-patches-2.6.18.tar.gz 231072
|
||||
RMD160 f734125d986dcb3aec371f0e24126a5473d5637f apparmor-kernel-patches-2.6.18.tar.gz 231072
|
||||
SHA256 91224ff1f45de306c0720a5680a8f883888b52f296b0de24c63ec02668782b63 apparmor-kernel-patches-2.6.18.tar.gz 231072
|
||||
MD5 0c1cd82748c5d2207fa034e32686bca7 genpatches-2.6.18-1.base.tar.bz2 2397
|
||||
RMD160 1b02d9e5adba7a9a17f85691f312ee2c870c9a48 genpatches-2.6.18-1.base.tar.bz2 2397
|
||||
SHA256 e87db440591d48f74b8d50f47bde55a1652c969626befa94aba48cee57aa5da8 genpatches-2.6.18-1.base.tar.bz2 2397
|
||||
MD5 f565ec95a1f2ac1b675f9a126c27c3c1 genpatches-2.6.18-1.extras.tar.bz2 147040
|
||||
RMD160 f62b371d522fa8978cee4e809baea364ed8e804a genpatches-2.6.18-1.extras.tar.bz2 147040
|
||||
SHA256 080b19f98ffa8f5edbccabfa9dd4ac845ecc1b21c7fba761ad3d011893117b01 genpatches-2.6.18-1.extras.tar.bz2 147040
|
||||
MD5 296a6d150d260144639c3664d127d174 linux-2.6.18.tar.bz2 41863580
|
||||
RMD160 f92283f956880676bfb1f1d5288325461e4e02e7 linux-2.6.18.tar.bz2 41863580
|
||||
SHA256 c95280ff6c5d2a17788f7cc582d23ae8a9a7ba3f202ec6e4238eaadfce7c163d linux-2.6.18.tar.bz2 41863580
|
@ -1,11 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
|
||||
<pkgmetadata>
|
||||
<herd>apparmor</herd>
|
||||
<maintainer>
|
||||
<email>zepher@sigalrm.com</email>
|
||||
<name>Matthew Snelham</name>
|
||||
<description>Primary Maintainer</description>
|
||||
</maintainer>
|
||||
<longdescription lang="en">Patched kernel sources containing the proper symbol exports, and the full apparmor module suite. Based on gentoo-sources kernel.</longdescription>
|
||||
</pkgmetadata>
|
@ -1,10 +0,0 @@
|
||||
# ChangeLog for sys-libs/libapparmor
|
||||
# Copyright 1999-2006 Gentoo Foundation; Distributed under the GPL v2
|
||||
# $Header: $
|
||||
|
||||
13 Aug 2006; Mario Fetka <mario-fetka@gmx.at>
|
||||
+libapparmor-2.0_p6288.ebuild:
|
||||
Initial Import of
|
||||
Matthew Snelham <zeypher@sigalrm.com>
|
||||
Apparmor ebuilds
|
||||
|
@ -1,24 +0,0 @@
|
||||
DIST libapparmor-2.0-132.tar.gz 16744 RMD160 c174a530fadb8c33f2858160f2cdcf5b76289940 SHA1 953851b4079ff864bd9679c2f62b18c424662cb8 SHA256 b4ac4f208b1db08339effaf3362da0e3b240e1b6126b8a367d54006b23ae1b17
|
||||
DIST libapparmor-2.0-6288.tar.gz 20725 RMD160 5f4b8a443a23d4cd4a16b35ae8ebf65647683b2e SHA1 cd75d8631bdddb9e873cee5c6b3b45d12d94d416 SHA256 0aebaae48f1917a65c43683ad8f332301fcf46d4dcb392177a4750b245f42882
|
||||
EBUILD libapparmor-2.0_p132.ebuild 832 RMD160 b0dc473a86806f47adb4f7d18ad2b084764f2971 SHA1 a322be109eeb3bb78333b59183704b20c54c0960 SHA256 69087039002aa33d329eb1dbeab51b3fb638dde18afc1c3bf0683cd261b5df51
|
||||
MD5 29b073603effc975e61720b86b04644f libapparmor-2.0_p132.ebuild 832
|
||||
RMD160 b0dc473a86806f47adb4f7d18ad2b084764f2971 libapparmor-2.0_p132.ebuild 832
|
||||
SHA256 69087039002aa33d329eb1dbeab51b3fb638dde18afc1c3bf0683cd261b5df51 libapparmor-2.0_p132.ebuild 832
|
||||
EBUILD libapparmor-2.0_p6288.ebuild 833 RMD160 2cb68e615d17cb3a8d2dec04eb3e7591ff0b7b0c SHA1 a532c94dad06f14345b10056425eb7a83f86fede SHA256 62b95ca2859d69d52a6c61953323a436445de006e99f696bac2372652c805a62
|
||||
MD5 3211838fc17b65a3c9802623a6c7bf26 libapparmor-2.0_p6288.ebuild 833
|
||||
RMD160 2cb68e615d17cb3a8d2dec04eb3e7591ff0b7b0c libapparmor-2.0_p6288.ebuild 833
|
||||
SHA256 62b95ca2859d69d52a6c61953323a436445de006e99f696bac2372652c805a62 libapparmor-2.0_p6288.ebuild 833
|
||||
MISC ChangeLog 284 RMD160 1553535ff05f46ae92828147a583f2f0d5402eee SHA1 343d3606e800346037da0a81e214300916e46917 SHA256 5353c6e36136b7e1b35a257611658d4d61e38f6c534b66d4eeb32bbef767c72a
|
||||
MD5 ab9f8c5f4d1aa1b4e3591adb277b2b63 ChangeLog 284
|
||||
RMD160 1553535ff05f46ae92828147a583f2f0d5402eee ChangeLog 284
|
||||
SHA256 5353c6e36136b7e1b35a257611658d4d61e38f6c534b66d4eeb32bbef767c72a ChangeLog 284
|
||||
MISC metadata.xml 450 RMD160 d535fe106e302ca44b57bb84c908879597d95391 SHA1 d1ab915420fa81974724847d4e1dbbcb4b6a2cd6 SHA256 ee835dc483681371f197a3a46241f0fc7ce54869b2578132c268a4dc171cf015
|
||||
MD5 61f0a7a9d59cc054a3542313d1515744 metadata.xml 450
|
||||
RMD160 d535fe106e302ca44b57bb84c908879597d95391 metadata.xml 450
|
||||
SHA256 ee835dc483681371f197a3a46241f0fc7ce54869b2578132c268a4dc171cf015 metadata.xml 450
|
||||
MD5 9913e4e3a663787501f86fe85c989cc6 files/digest-libapparmor-2.0_p132 256
|
||||
RMD160 efca71ce6079f9be02ca6bec4d0a3edea523f00a files/digest-libapparmor-2.0_p132 256
|
||||
SHA256 4d5fbabd865d64ab586b53e90f1fb7ad0ca8ac03dcb69e93fa6a105b7bdf8a9a files/digest-libapparmor-2.0_p132 256
|
||||
MD5 b2a797f50971ce7df339c695782874b2 files/digest-libapparmor-2.0_p6288 259
|
||||
RMD160 7088ab92b7dc5c741357ca3184eb79575a0832de files/digest-libapparmor-2.0_p6288 259
|
||||
SHA256 ae7d5dd76d792a1ff7ee7817846dff1402573c7fee7b19a45120086dac49e898 files/digest-libapparmor-2.0_p6288 259
|
@ -1,3 +0,0 @@
|
||||
MD5 6f62215d4e8d54ac1f79fd8d39c3bbd3 libapparmor-2.0-132.tar.gz 16744
|
||||
RMD160 c174a530fadb8c33f2858160f2cdcf5b76289940 libapparmor-2.0-132.tar.gz 16744
|
||||
SHA256 b4ac4f208b1db08339effaf3362da0e3b240e1b6126b8a367d54006b23ae1b17 libapparmor-2.0-132.tar.gz 16744
|
@ -1,3 +0,0 @@
|
||||
MD5 e7f5e6f8663919d5998469e842442509 libapparmor-2.0-6288.tar.gz 20725
|
||||
RMD160 5f4b8a443a23d4cd4a16b35ae8ebf65647683b2e libapparmor-2.0-6288.tar.gz 20725
|
||||
SHA256 0aebaae48f1917a65c43683ad8f332301fcf46d4dcb392177a4750b245f42882 libapparmor-2.0-6288.tar.gz 20725
|
@ -1,39 +0,0 @@
|
||||
# Copyright 1999-2006 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Header: $
|
||||
|
||||
inherit eutils toolchain-funcs
|
||||
|
||||
MY_P="${P/_p/-}"
|
||||
MONTH="October"
|
||||
DESCRIPTION="Primary support library and headers for AppArmor userspace"
|
||||
HOMEPAGE="http://forge.novell.com/modules/xfmod/project/?apparmor"
|
||||
SRC_URI="http://forgeftp.novell.com/apparmor/Development%20-%20${MONTH}%20Snapshot/${MY_P}.tar.gz"
|
||||
|
||||
LICENSE="LGPL-2.1"
|
||||
SLOT="0"
|
||||
KEYWORDS="~x86 ~amd64"
|
||||
IUSE=""
|
||||
|
||||
DEPEND="virtual/libc"
|
||||
RDEPEND="${DEPEND}"
|
||||
|
||||
MY_S=${WORKDIR}/${P/_*/}
|
||||
|
||||
src_unpack() {
|
||||
unpack ${A}
|
||||
|
||||
cd ${MY_S}
|
||||
# the Make.rules isn't needed for Gentoo
|
||||
sed -i "s/^include Make.rules//g" Makefile
|
||||
}
|
||||
|
||||
src_compile() {
|
||||
cd ${MY_S}
|
||||
emake CC="$(tc-getCC)" CFLAGS="${CFLAGS}" || die
|
||||
}
|
||||
|
||||
src_install() {
|
||||
cd ${MY_S}
|
||||
make DESTDIR="${D}" install || die
|
||||
}
|
@ -1,38 +0,0 @@
|
||||
# Copyright 1999-2006 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Header: $
|
||||
|
||||
inherit eutils toolchain-funcs
|
||||
|
||||
MY_P="${P/_p/-}"
|
||||
DESCRIPTION="Primary support library and headers for AppArmor userspace"
|
||||
HOMEPAGE="http://forge.novell.com/modules/xfmod/project/?apparmor"
|
||||
SRC_URI="http://forge.novell.com/modules/xfcontent/private.php/apparmor/Development%20-%20April%20Snapshot/${MY_P}.tar.gz"
|
||||
|
||||
LICENSE="LGPL-2.1"
|
||||
SLOT="0"
|
||||
KEYWORDS="~x86"
|
||||
IUSE=""
|
||||
|
||||
DEPEND="virtual/libc"
|
||||
RDEPEND="${DEPEND}"
|
||||
|
||||
MY_S=${WORKDIR}/${P/_*/}
|
||||
|
||||
src_unpack() {
|
||||
unpack ${A}
|
||||
|
||||
cd ${MY_S}
|
||||
# the Make.rules isn't needed for Gentoo
|
||||
sed -i "s/^include Make.rules//g" Makefile
|
||||
}
|
||||
|
||||
src_compile() {
|
||||
cd ${MY_S}
|
||||
emake CC="$(tc-getCC)" CFLAGS="${CFLAGS}" || die
|
||||
}
|
||||
|
||||
src_install() {
|
||||
cd ${MY_S}
|
||||
make DESTDIR="${D}" install || die
|
||||
}
|
@ -1,11 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
|
||||
<pkgmetadata>
|
||||
<herd>apparmor</herd>
|
||||
<maintainer>
|
||||
<email>zepher@sigalrm.com</email>
|
||||
<name>Matthew Snelham</name>
|
||||
<description>Primary Maintainer</description>
|
||||
</maintainer>
|
||||
<longdescription lang="en">Apparmor shared libraries. Packaged separately due to license difference from primary apparmor code.</longdescription>
|
||||
</pkgmetadata>
|
Loading…
Reference in New Issue
Block a user