[apparmor] 4.7 upstream kernel patches
John Johansen
john.johansen at canonical.com
Fri Jul 29 02:45:22 UTC 2016
I have pushed updated 4.7 upstream kernel patches to
  git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor v4.7-aa2.8-out-of-tree

I will attach the full request-pull text below.

The patches have also been pushed to the bzr tree:
  bzr lp:apparmor kernel-patches/4.7/

The patches:
  0001-0022 are backports of fixes from the 4.8 pull-request
  0023-0025 are the out of tree feature patches

The backports of the bug fix patches are of course not required, in the sense that you can just apply 0023-0025 to get the out of tree feature patches; however, then you won't have several important bug fixes.

Backported/updated patches for 4.4-4.6 will follow later tonight in branches
  v4.4-aa2.8-out-of-tree
  v4.5-aa2.8-out-of-tree
  v4.6-aa2.8-out-of-tree

As noted above, all the fixes have been upstreamed and will show up in the 4.8 version of the kernel. Once that happens, I can go back and annotate the set with proper backport sha1s.

And now to the pull request text with the start and end shas of the series:
---
The following changes since commit 523d939ef98fd712632d93a5a2b588e477a7565e:

  Linux 4.7 (2016-07-24 12:23:50 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor v4.7-aa2.8-out-of-tree

for you to fetch changes up to f7cef61751a2382fb4ea26c18736d7552ffdb24a:

  UBUNTU: SAUCE: apparmor: Add the ability to mediate mount (2016-07-28 17:54:20 -0700)

----------------------------------------------------------------
Geliang Tang (1):
      apparmor: use list_next_entry instead of list_entry_next

Heinrich Schuchardt (1):
      apparmor: do not expose kernel stack

Jeff Mahoney (1):
      apparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task

John Johansen (22):
      apparmor: fix refcount bug in profile replacement
      apparmor: fix replacement bug that adds new child to old parent
      apparmor: fix uninitialized lsm_audit member
      apparmor: exec should not be returning ENOENT when it denies
      apparmor: fix update the mtime of the profile file on replacement
      apparmor: fix disconnected bind mnts reconnection
      apparmor: internal paths should be treated as disconnected
      apparmor: fix put() parent ref after updating the active ref
      apparmor: fix log failures for all profiles in a set
      apparmor: fix audit full profile hname on successful load
      apparmor: ensure the target profile name is always audited
      apparmor: check that xindex is in trans_table bounds
      apparmor: fix ref count leak when profile sha1 hash is read
      apparmor: fix refcount race when finding a child profile
      apparmor: add missing id bounds check on dfa verification
      apparmor: don't check for vmalloc_addr if kvzalloc() failed
      apparmor: fix oops in profile_unpack() when policy_db is not present
      apparmor: fix module parameters can be changed after policy is locked
      apparmor: fix arg_size computation for when setprocattr is null terminated
      UBUNTU: SAUCE: AppArmor: basic networking rules
      apparmor: Fix quieting of audit messages for network mediation
      UBUNTU: SAUCE: apparmor: Add the ability to mediate mount

 security/apparmor/.gitignore         |   1 +
 security/apparmor/Makefile           |  42 ++-
 security/apparmor/apparmorfs.c       |  27 +-
 security/apparmor/audit.c            |   7 +-
 security/apparmor/domain.c           |  24 +-
 security/apparmor/file.c             |   3 +-
 security/apparmor/include/apparmor.h |   3 +-
 security/apparmor/include/audit.h    |  15 +
 security/apparmor/include/domain.h   |   2 +
 security/apparmor/include/match.h    |   1 +
 security/apparmor/include/mount.h    |  54 +++
 security/apparmor/include/net.h      |  44 +++
 security/apparmor/include/policy.h   |   5 +
 security/apparmor/lsm.c              | 196 ++++++++++-
 security/apparmor/match.c            |  16 +-
 security/apparmor/mount.c            | 620 +++++++++++++++++++++++++++++++++++
 security/apparmor/net.c              | 162 +++++++++
 security/apparmor/path.c             |  61 ++--
 security/apparmor/policy.c           |  62 +++-
 security/apparmor/policy_unpack.c    |  51 ++-
 security/apparmor/resource.c         |   6 +-
 21 files changed, 1314 insertions(+), 88 deletions(-)
 create mode 100644 security/apparmor/include/mount.h
 create mode 100644 security/apparmor/include/net.h
 create mode 100644 security/apparmor/mount.c
 create mode 100644 security/apparmor/net.c