linux/security/apparmor, branch v3.4.81

lsm_audit: don't specify the audit pre/post callbacks in 'struct common_audit_data'

2012-04-03T16:49:59Z

It just bloats the audit data structure for no good reason, since the only time those fields are filled are just before calling the common_lsm_audit() function, which is also the only user of those fields. So just make them be the arguments to common_lsm_audit(), rather than bloating that structure that is passed around everywhere, and is initialized in hot paths. Signed-off-by: Linus Torvalds

LSM: shrink sizeof LSM specific portion of common_audit_data

2012-04-03T16:48:40Z

Linus found that the gigantic size of the common audit data caused a big perf hit on something as simple as running stat() in a loop. This patch requires LSMs to declare the LSM specific portion separately rather than doing it in a union. Thus each LSM can be responsible for shrinking their portion and don't have to pay a penalty just because other LSMs have a bigger space requirement. Signed-off-by: Eric Paris Signed-off-by: Linus Torvalds

apparmor: Fix change_onexec when called from a confined task

2012-03-27T14:00:05Z

Fix failure in aa_change_onexec api when the request is made from a confined task. This failure was caused by two problems The AA_MAY_ONEXEC perm was not being mapped correctly for this case. The executable name was being checked as second time instead of using the requested onexec profile name, which may not be the same as the exec profile name. This mistake can not be exploited to grant extra permission because of the above flaw where the ONEXEC permission was not being mapped so it will not be granted. BugLink: http://bugs.launchpad.net/bugs/963756 Signed-off-by: John Johansen Signed-off-by: James Morris

AppArmor: Fix location of const qualifier on generated string tables

2012-03-20T01:22:46Z

Signed-off-by: Tetsuo Handa Signed-off-by: John Johansen

AppArmor: add const qualifiers to string arrays

2012-03-15T02:09:13Z

Signed-off-by: Jan Engelhardt Signed-off-by: John Johansen

AppArmor: Add ability to load extended policy

2012-03-15T02:09:03Z

Add the base support for the new policy extensions. This does not bring any additional functionality, or change current semantics. Signed-off-by: John Johansen Acked-by: Kees Cook

AppArmor: Move path failure information into aa_get_name and rename

2012-03-14T13:15:25Z

Move the path name lookup failure messages into the main path name lookup routine, as the information is useful in more than just aa_path_perm. Also rename aa_get_name to aa_path_name as it is not getting a reference counted object with a corresponding put fn. Signed-off-by: John Johansen Acked-by: Kees Cook

AppArmor: Update dfa matching routines.

2012-03-14T13:15:24Z

Update aa_dfa_match so that it doesn't result in an input string being walked twice (once to get its length and another time to match) Add a single step functions aa_dfa_next Signed-off-by: John Johansen Acked-by: Kees Cook

AppArmor: Minor cleanup of d_namespace_path to consolidate error handling

2012-03-14T13:15:23Z

Signed-off-by: John Johansen Acked-by: Kees Cook

AppArmor: Retrieve the dentry_path for error reporting when path lookup fails

2012-03-14T13:15:22Z

When __d_path and d_absolute_path fail due to the name being outside of the current namespace no name is reported. Use dentry_path to provide some hint as to which file was being accessed. Signed-off-by: John Johansen Acked-by: Kees Cook