
AppArmor update for Precise

Message ID 4F47C139.8030908@canonical.com
State New

Pull-request

ssh://kernel.ubuntu.com/srv/kernel.ubuntu.com/git/jj/ubuntu-precise.git apparmor

Message

John Johansen Feb. 24, 2012, 4:56 p.m. UTC
This apparmor update is to meet the requirements of the following blue-prints
https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-containers
https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-permissions-rework
https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-ubuntu

it also contains the fix for
BugLink: http://bugs.launchpad.net/bugs/925028


The following changes since commit 00e2d7f3bcaf0cbb3d93defce24106966b6d017d:

  UBUNTU: Ubuntu-3.2.0-17.26 (2012-02-17 10:13:46 -0800)

are available in the git repository at:

  ssh://kernel.ubuntu.com/srv/kernel.ubuntu.com/git/jj/ubuntu-precise.git apparmor

for you to fetch changes up to 183a6edfaf235fafec23ee6ec608306f94cd5bd5:

  UBUNTU: SAUCE: AppArmor: Add mount information to apparmorfs (2012-02-24 05:50:47 -0800)

----------------------------------------------------------------
John Johansen (19):
      Revert "UBUNTU: SAUCE: AppArmor: Fix unpack of network tables."
      Revert "AppArmor: compatibility patch for v5 interface"
      Revert "AppArmor: compatibility patch for v5 network controll"
      Revert "UBUNTU: SAUCE: AppArmor: Allow dfa backward compatibility with broken userspace"
      UBUNTU: SAUCE: AppArmor: Add mising end of structure test to caps unpacking
      UBUNTU: SAUCE: AppArmor: Fix dropping of allowed operations that are force audited
      UBUNTU: SAUCE: AppArmor: Fix underflow in xindex calculation
      UBUNTU: SAUCE: AppArmor: fix mapping of META_READ to audit and quiet flags
      UBUNTU: SAUCE: AppArmor: Fix the error case for chroot relative path name lookup
      UBUNTU: SAUCE: AppArmor: Retrieve the dentry_path for error reporting when path lookup fails
      UBUNTU: SAUCE: AppArmor: Minor cleanup of d_namespace_path to consolidate error handling
      UBUNTU: SAUCE: AppArmor: Update dfa matching routines.
      UBUNTU: SAUCE: AppArmor: Move path failure information into aa_get_name and rename
      UBUNTU: SAUCE: AppArmor: Make chroot relative the default path lookup type
      UBUNTU: SAUCE: AppArmor: Add ability to load extended policy
      UBUNTU: SAUCE: AppArmor: basic networking rules
      UBUNTU: SAUCE: AppArmor: Add profile introspection file to interface
      UBUNTU: SAUCE: AppArmor: Add the ability to mediate mount
      UBUNTU: SAUCE: AppArmor: Add mount information to apparmorfs

Kees Cook (4):
      UBUNTU: SAUCE: AppArmor: refactor securityfs to use structures
      UBUNTU: SAUCE: AppArmor: add initial "features" directory to securityfs
      UBUNTU: SAUCE: AppArmor: add "file" details to securityfs
      UBUNTU: SAUCE: AppArmor: export known rlimit names/value mappings in securityfs

 include/linux/lsm_audit.h              |    7 +
 security/apparmor/.gitignore           |    2 +-
 security/apparmor/Kconfig              |    9 -
 security/apparmor/Makefile             |   71 +++-
 security/apparmor/apparmorfs-24.c      |  287 ---------------
 security/apparmor/apparmorfs.c         |  450 +++++++++++++++++++++---
 security/apparmor/audit.c              |    5 +
 security/apparmor/domain.c             |    7 +-
 security/apparmor/file.c               |   21 +-
 security/apparmor/include/apparmor.h   |   16 +-
 security/apparmor/include/apparmorfs.h |   50 +++-
 security/apparmor/include/audit.h      |    9 +-
 security/apparmor/include/domain.h     |    2 +
 security/apparmor/include/file.h       |    2 +-
 security/apparmor/include/match.h      |    3 +
 security/apparmor/include/mount.h      |   53 +++
 security/apparmor/include/net.h        |    6 +-
 security/apparmor/include/path.h       |    3 +-
 security/apparmor/include/policy.h     |   13 +
 security/apparmor/include/resource.h   |    4 +
 security/apparmor/lsm.c                |   59 ++++
 security/apparmor/match.c              |   97 ++++-
 security/apparmor/mount.c              |  600 ++++++++++++++++++++++++++++++++
 security/apparmor/net.c                |   25 +-
 security/apparmor/path.c               |   54 ++--
 security/apparmor/policy.c             |    4 +
 security/apparmor/policy_unpack.c      |   35 ++-
 security/apparmor/resource.c           |    5 +
 28 files changed, 1438 insertions(+), 461 deletions(-)
 delete mode 100644 security/apparmor/apparmorfs-24.c
 create mode 100644 security/apparmor/include/mount.h
 create mode 100644 security/apparmor/mount.c
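
A check a practitioner would want after pulling a kernel with Kees's securityfs patches is whether the running kernel actually advertises the mediation a policy depends on (mount, network) before that policy is loaded. The script below is an added example, not code from this pull request or from the AppArmor project. It assumes the features directory lives at /sys/kernel/security/apparmor/features with one subdirectory per feature group and small text files such as "mask" inside; every file name and file content in the constructed sample tree is an assumption drawn from the commit titles, not taken from the page, and the "dbus" group is included only as a group this sample kernel does not export.

```python
import tempfile
from pathlib import Path
from typing import Dict, List, Union

# Where securityfs normally exposes AppArmor on a running system. The layout
# used below (one subdirectory per feature group, each holding small text
# files such as a "mask" listing what the kernel understands) is an
# ASSUMPTION drawn from the commit titles in the pull request ("features"
# directory, "file" details, rlimit name/value mappings, mount information);
# the page does not show the real file names or contents.
DEFAULT_FEATURES_DIR = Path("/sys/kernel/security/apparmor/features")

PathLike = Union[str, Path]


def read_features(root: PathLike) -> Dict[str, str]:
    """Walk a features tree and return {relative/file/path: stripped contents}.

    Returns an empty dict when the directory is absent, which is what an older
    kernel without the securityfs patches looks like.
    """
    root = Path(root)
    found: Dict[str, str] = {}
    if not root.is_dir():
        return found
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            found[str(path.relative_to(root))] = path.read_text(
                errors="replace").strip()
        except OSError:
            # securityfs entries may be unreadable to an unprivileged caller;
            # skip rather than fail the whole probe.
            continue
    return found


def feature_present(features: Dict[str, str], group: str) -> bool:
    """True if the kernel exports anything under the named feature group."""
    prefix = group.rstrip("/") + "/"
    return any(key == group or key.startswith(prefix) for key in features)


def mask_tokens(features: Dict[str, str], group: str) -> List[str]:
    """Whitespace-separated tokens of <group>/mask, or [] if not exported."""
    return features.get(f"{group}/mask", "").split()


def missing_groups(features: Dict[str, str], required: List[str]) -> List[str]:
    """Feature groups a policy relies on that this kernel does not advertise.

    Mount or network rules loaded on a kernel that lacks the matching
    mediation cannot be enforced, so check this before loading the policy.
    """
    return [g for g in required if not feature_present(features, g)]


def build_sample_tree(base: PathLike) -> Path:
    """Write a CONSTRUCTED tree imitating the securityfs layout (not a real dump)."""
    base = Path(base)
    sample = {
        "file/mask": "create read write exec append mmap_exec link lock",
        "network/af_mask": "unix inet inet6 packet netlink",
        "mount/mask": "mount umount",
        "rlimit/mask": "cpu fsize data stack core rss nproc nofile memlock as locks",
    }
    for rel, text in sample.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text + "\n")
    return base


def probe(root: PathLike, required: List[str]) -> Dict[str, object]:
    """Summarise what a policy using `required` groups can expect from `root`."""
    feats = read_features(root)
    return {
        "exported": sorted(feats),
        "missing": missing_groups(feats, required),
        "mount_mask": mask_tokens(feats, "mount"),
        "rlimit_mask": mask_tokens(feats, "rlimit"),
    }


def demo() -> Dict[str, object]:
    """Run the probe against the constructed tree in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return probe(tmp, ["file", "mount", "network", "dbus"])


if __name__ == "__main__":
    print("constructed tree:", demo())
    # On a kernel that carries the patches, probe the live tree as well.
    print("live kernel:", probe(DEFAULT_FEATURES_DIR, ["file", "mount", "network"]))
```

Running it on a kernel without the patches returns an empty "exported" list and reports every required group as missing, which is the signal to hold the policy back; the real tree on a patched kernel can only be confirmed by reading it, since the exact names are not shown here.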

Comments

Tim Gardner Feb. 24, 2012, 10:03 p.m. UTC | #1
On 02/24/2012 08:56 AM, John Johansen wrote:
> This apparmor update is to meet the requirements of the following blue-prints
> https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-containers
> https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-permissions-rework
> https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-ubuntu
>
> it also contains the fix for
> BugLink: http://bugs.launchpad.net/bugs/925028
>
>
> The following changes since commit 00e2d7f3bcaf0cbb3d93defce24106966b6d017d:
>
>    UBUNTU: Ubuntu-3.2.0-17.26 (2012-02-17 10:13:46 -0800)
>
> are available in the git repository at:
>
>    ssh://kernel.ubuntu.com/srv/kernel.ubuntu.com/git/jj/ubuntu-precise.git apparmor
>
> for you to fetch changes up to 183a6edfaf235fafec23ee6ec608306f94cd5bd5:
>
>    UBUNTU: SAUCE: AppArmor: Add mount information to apparmorfs (2012-02-24 05:50:47 -0800)
>
> ----------------------------------------------------------------
> John Johansen (19):
>        Revert "UBUNTU: SAUCE: AppArmor: Fix unpack of network tables."
>        Revert "AppArmor: compatibility patch for v5 interface"
>        Revert "AppArmor: compatibility patch for v5 network controll"
>        Revert "UBUNTU: SAUCE: AppArmor: Allow dfa backward compatibility with broken userspace"
>        UBUNTU: SAUCE: AppArmor: Add mising end of structure test to caps unpacking
>        UBUNTU: SAUCE: AppArmor: Fix dropping of allowed operations that are force audited
>        UBUNTU: SAUCE: AppArmor: Fix underflow in xindex calculation
>        UBUNTU: SAUCE: AppArmor: fix mapping of META_READ to audit and quiet flags
>        UBUNTU: SAUCE: AppArmor: Fix the error case for chroot relative path name lookup
>        UBUNTU: SAUCE: AppArmor: Retrieve the dentry_path for error reporting when path lookup fails
>        UBUNTU: SAUCE: AppArmor: Minor cleanup of d_namespace_path to consolidate error handling
>        UBUNTU: SAUCE: AppArmor: Update dfa matching routines.
>        UBUNTU: SAUCE: AppArmor: Move path failure information into aa_get_name and rename
>        UBUNTU: SAUCE: AppArmor: Make chroot relative the default path lookup type
>        UBUNTU: SAUCE: AppArmor: Add ability to load extended policy
>        UBUNTU: SAUCE: AppArmor: basic networking rules
>        UBUNTU: SAUCE: AppArmor: Add profile introspection file to interface
>        UBUNTU: SAUCE: AppArmor: Add the ability to mediate mount
>        UBUNTU: SAUCE: AppArmor: Add mount information to apparmorfs
>
> Kees Cook (4):
>        UBUNTU: SAUCE: AppArmor: refactor securityfs to use structures
>        UBUNTU: SAUCE: AppArmor: add initial "features" directory to securityfs
>        UBUNTU: SAUCE: AppArmor: add "file" details to securityfs
>        UBUNTU: SAUCE: AppArmor: export known rlimit names/value mappings in securityfs
>
>   include/linux/lsm_audit.h              |    7 +
>   security/apparmor/.gitignore           |    2 +-
>   security/apparmor/Kconfig              |    9 -
>   security/apparmor/Makefile             |   71 +++-
>   security/apparmor/apparmorfs-24.c      |  287 ---------------
>   security/apparmor/apparmorfs.c         |  450 +++++++++++++++++++++---
>   security/apparmor/audit.c              |    5 +
>   security/apparmor/domain.c             |    7 +-
>   security/apparmor/file.c               |   21 +-
>   security/apparmor/include/apparmor.h   |   16 +-
>   security/apparmor/include/apparmorfs.h |   50 +++-
>   security/apparmor/include/audit.h      |    9 +-
>   security/apparmor/include/domain.h     |    2 +
>   security/apparmor/include/file.h       |    2 +-
>   security/apparmor/include/match.h      |    3 +
>   security/apparmor/include/mount.h      |   53 +++
>   security/apparmor/include/net.h        |    6 +-
>   security/apparmor/include/path.h       |    3 +-
>   security/apparmor/include/policy.h     |   13 +
>   security/apparmor/include/resource.h   |    4 +
>   security/apparmor/lsm.c                |   59 ++++
>   security/apparmor/match.c              |   97 ++++-
>   security/apparmor/mount.c              |  600 ++++++++++++++++++++++++++++++++
>   security/apparmor/net.c                |   25 +-
>   security/apparmor/path.c               |   54 ++--
>   security/apparmor/policy.c             |    4 +
>   security/apparmor/policy_unpack.c      |   35 ++-
>   security/apparmor/resource.c           |    5 +
>   28 files changed, 1438 insertions(+), 461 deletions(-)
>   delete mode 100644 security/apparmor/apparmorfs-24.c
>   create mode 100644 security/apparmor/include/mount.h
>   create mode 100644 security/apparmor/mount.c
>

John - this is kind of late in the game for such a large patch set. Have 
you extracted a feature freeze exception from the release team? Where 
are these patches with regard to the upstream process? Why shouldn't we 
wait and backport them from the 3.4 merge window?

rtg
John Johansen Feb. 24, 2012, 10:15 p.m. UTC | #2
On 02/24/2012 02:03 PM, Tim Gardner wrote:
> On 02/24/2012 08:56 AM, John Johansen wrote:
>> This apparmor update is to meet the requirements of the following blue-prints
>> https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-containers
>> https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-permissions-rework
>> https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-ubuntu
>>
>> it also contains the fix for
>> BugLink: http://bugs.launchpad.net/bugs/925028
>>
>>
>> The following changes since commit 00e2d7f3bcaf0cbb3d93defce24106966b6d017d:
>>
>>    UBUNTU: Ubuntu-3.2.0-17.26 (2012-02-17 10:13:46 -0800)
>>
>> are available in the git repository at:
>>
>>    ssh://kernel.ubuntu.com/srv/kernel.ubuntu.com/git/jj/ubuntu-precise.git apparmor
>>
>> for you to fetch changes up to 183a6edfaf235fafec23ee6ec608306f94cd5bd5:
>>
>>    UBUNTU: SAUCE: AppArmor: Add mount information to apparmorfs (2012-02-24 05:50:47 -0800)
>>
>> ----------------------------------------------------------------
>> John Johansen (19):
>>        Revert "UBUNTU: SAUCE: AppArmor: Fix unpack of network tables."
>>        Revert "AppArmor: compatibility patch for v5 interface"
>>        Revert "AppArmor: compatibility patch for v5 network controll"
>>        Revert "UBUNTU: SAUCE: AppArmor: Allow dfa backward compatibility with broken userspace"
>>        UBUNTU: SAUCE: AppArmor: Add mising end of structure test to caps unpacking
>>        UBUNTU: SAUCE: AppArmor: Fix dropping of allowed operations that are force audited
>>        UBUNTU: SAUCE: AppArmor: Fix underflow in xindex calculation
>>        UBUNTU: SAUCE: AppArmor: fix mapping of META_READ to audit and quiet flags
>>        UBUNTU: SAUCE: AppArmor: Fix the error case for chroot relative path name lookup
>>        UBUNTU: SAUCE: AppArmor: Retrieve the dentry_path for error reporting when path lookup fails
>>        UBUNTU: SAUCE: AppArmor: Minor cleanup of d_namespace_path to consolidate error handling
>>        UBUNTU: SAUCE: AppArmor: Update dfa matching routines.
>>        UBUNTU: SAUCE: AppArmor: Move path failure information into aa_get_name and rename
>>        UBUNTU: SAUCE: AppArmor: Make chroot relative the default path lookup type
>>        UBUNTU: SAUCE: AppArmor: Add ability to load extended policy
>>        UBUNTU: SAUCE: AppArmor: basic networking rules
>>        UBUNTU: SAUCE: AppArmor: Add profile introspection file to interface
>>        UBUNTU: SAUCE: AppArmor: Add the ability to mediate mount
>>        UBUNTU: SAUCE: AppArmor: Add mount information to apparmorfs
>>
>> Kees Cook (4):
>>        UBUNTU: SAUCE: AppArmor: refactor securityfs to use structures
>>        UBUNTU: SAUCE: AppArmor: add initial "features" directory to securityfs
>>        UBUNTU: SAUCE: AppArmor: add "file" details to securityfs
>>        UBUNTU: SAUCE: AppArmor: export known rlimit names/value mappings in securityfs
>>
>>   include/linux/lsm_audit.h              |    7 +
>>   security/apparmor/.gitignore           |    2 +-
>>   security/apparmor/Kconfig              |    9 -
>>   security/apparmor/Makefile             |   71 +++-
>>   security/apparmor/apparmorfs-24.c      |  287 ---------------
>>   security/apparmor/apparmorfs.c         |  450 +++++++++++++++++++++---
>>   security/apparmor/audit.c              |    5 +
>>   security/apparmor/domain.c             |    7 +-
>>   security/apparmor/file.c               |   21 +-
>>   security/apparmor/include/apparmor.h   |   16 +-
>>   security/apparmor/include/apparmorfs.h |   50 +++-
>>   security/apparmor/include/audit.h      |    9 +-
>>   security/apparmor/include/domain.h     |    2 +
>>   security/apparmor/include/file.h       |    2 +-
>>   security/apparmor/include/match.h      |    3 +
>>   security/apparmor/include/mount.h      |   53 +++
>>   security/apparmor/include/net.h        |    6 +-
>>   security/apparmor/include/path.h       |    3 +-
>>   security/apparmor/include/policy.h     |   13 +
>>   security/apparmor/include/resource.h   |    4 +
>>   security/apparmor/lsm.c                |   59 ++++
>>   security/apparmor/match.c              |   97 ++++-
>>   security/apparmor/mount.c              |  600 ++++++++++++++++++++++++++++++++
>>   security/apparmor/net.c                |   25 +-
>>   security/apparmor/path.c               |   54 ++--
>>   security/apparmor/policy.c             |    4 +
>>   security/apparmor/policy_unpack.c      |   35 ++-
>>   security/apparmor/resource.c           |    5 +
>>   28 files changed, 1438 insertions(+), 461 deletions(-)
>>   delete mode 100644 security/apparmor/apparmorfs-24.c
>>   create mode 100644 security/apparmor/include/mount.h
>>   create mode 100644 security/apparmor/mount.c
>>
> 
> John - this is kind of late in the game for such a large patch set. Have you extracted a feature freeze exception from the release team? Where are these patches with regard to the upstream process? Why shouldn't we wait and backport them from the 3.4 merge window?
> 
Yes, it's late, and yes, there was a feature freeze exception. The userspace components went in today, and the kernel patch submission waited on the acceptance of that.

About the first half of these patches (Kees's fs changes and the set of bug fixes) are going out as a pull request today.

The other half are going up for further review, but have been through a round of review within the apparmor list already; we will be working on getting the patches upstream, and the current set can be replaced as they land in the security tree.
Tim Gardner Feb. 24, 2012, 10:27 p.m. UTC | #3
On 02/24/2012 02:15 PM, John Johansen wrote:
> On 02/24/2012 02:03 PM, Tim Gardner wrote:
>> On 02/24/2012 08:56 AM, John Johansen wrote:
>>> This apparmor update is to meet the requirements of the following blue-prints
>>> https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-containers
>>> https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-permissions-rework
>>> https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-ubuntu
>>>
>>> it also contains the fix for
>>> BugLink: http://bugs.launchpad.net/bugs/925028
>>>
>>>
>>> The following changes since commit 00e2d7f3bcaf0cbb3d93defce24106966b6d017d:
>>>
>>>    UBUNTU: Ubuntu-3.2.0-17.26 (2012-02-17 10:13:46 -0800)
>>>
>>> are available in the git repository at:
>>>
>>>    ssh://kernel.ubuntu.com/srv/kernel.ubuntu.com/git/jj/ubuntu-precise.git apparmor
>>>
>>> for you to fetch changes up to 183a6edfaf235fafec23ee6ec608306f94cd5bd5:
>>>
>>>    UBUNTU: SAUCE: AppArmor: Add mount information to apparmorfs (2012-02-24 05:50:47 -0800)
>>>
>>> ----------------------------------------------------------------
>>> John Johansen (19):
>>>        Revert "UBUNTU: SAUCE: AppArmor: Fix unpack of network tables."
>>>        Revert "AppArmor: compatibility patch for v5 interface"
>>>        Revert "AppArmor: compatibility patch for v5 network controll"
>>>        Revert "UBUNTU: SAUCE: AppArmor: Allow dfa backward compatibility with broken userspace"
>>>        UBUNTU: SAUCE: AppArmor: Add mising end of structure test to caps unpacking
>>>        UBUNTU: SAUCE: AppArmor: Fix dropping of allowed operations that are force audited
>>>        UBUNTU: SAUCE: AppArmor: Fix underflow in xindex calculation
>>>        UBUNTU: SAUCE: AppArmor: fix mapping of META_READ to audit and quiet flags
>>>        UBUNTU: SAUCE: AppArmor: Fix the error case for chroot relative path name lookup
>>>        UBUNTU: SAUCE: AppArmor: Retrieve the dentry_path for error reporting when path lookup fails
>>>        UBUNTU: SAUCE: AppArmor: Minor cleanup of d_namespace_path to consolidate error handling
>>>        UBUNTU: SAUCE: AppArmor: Update dfa matching routines.
>>>        UBUNTU: SAUCE: AppArmor: Move path failure information into aa_get_name and rename
>>>        UBUNTU: SAUCE: AppArmor: Make chroot relative the default path lookup type
>>>        UBUNTU: SAUCE: AppArmor: Add ability to load extended policy
>>>        UBUNTU: SAUCE: AppArmor: basic networking rules
>>>        UBUNTU: SAUCE: AppArmor: Add profile introspection file to interface
>>>        UBUNTU: SAUCE: AppArmor: Add the ability to mediate mount
>>>        UBUNTU: SAUCE: AppArmor: Add mount information to apparmorfs
>>>
>>> Kees Cook (4):
>>>        UBUNTU: SAUCE: AppArmor: refactor securityfs to use structures
>>>        UBUNTU: SAUCE: AppArmor: add initial "features" directory to securityfs
>>>        UBUNTU: SAUCE: AppArmor: add "file" details to securityfs
>>>        UBUNTU: SAUCE: AppArmor: export known rlimit names/value mappings in securityfs
>>>
>>>   include/linux/lsm_audit.h              |    7 +
>>>   security/apparmor/.gitignore           |    2 +-
>>>   security/apparmor/Kconfig              |    9 -
>>>   security/apparmor/Makefile             |   71 +++-
>>>   security/apparmor/apparmorfs-24.c      |  287 ---------------
>>>   security/apparmor/apparmorfs.c         |  450 +++++++++++++++++++++---
>>>   security/apparmor/audit.c              |    5 +
>>>   security/apparmor/domain.c             |    7 +-
>>>   security/apparmor/file.c               |   21 +-
>>>   security/apparmor/include/apparmor.h   |   16 +-
>>>   security/apparmor/include/apparmorfs.h |   50 +++-
>>>   security/apparmor/include/audit.h      |    9 +-
>>>   security/apparmor/include/domain.h     |    2 +
>>>   security/apparmor/include/file.h       |    2 +-
>>>   security/apparmor/include/match.h      |    3 +
>>>   security/apparmor/include/mount.h      |   53 +++
>>>   security/apparmor/include/net.h        |    6 +-
>>>   security/apparmor/include/path.h       |    3 +-
>>>   security/apparmor/include/policy.h     |   13 +
>>>   security/apparmor/include/resource.h   |    4 +
>>>   security/apparmor/lsm.c                |   59 ++++
>>>   security/apparmor/match.c              |   97 ++++-
>>>   security/apparmor/mount.c              |  600 ++++++++++++++++++++++++++++++++
>>>   security/apparmor/net.c                |   25 +-
>>>   security/apparmor/path.c               |   54 ++--
>>>   security/apparmor/policy.c             |    4 +
>>>   security/apparmor/policy_unpack.c      |   35 ++-
>>>   security/apparmor/resource.c           |    5 +
>>>   28 files changed, 1438 insertions(+), 461 deletions(-)
>>>   delete mode 100644 security/apparmor/apparmorfs-24.c
>>>   create mode 100644 security/apparmor/include/mount.h
>>>   create mode 100644 security/apparmor/mount.c
>>>
>>
>> John - this is kind of late in the game for such a large patch set.
>> Have you extracted a feature freeze exception from the release
>> team? Where are these patches with regard to the upstream process?
>> Why shouldn't we wait and backport them from the 3.4 merge window?
>>
> yes, it's late and yes there was a feature freeze exception the
> userspace components went in today and the kernel patch submission
> waited on the acceptance of that.
>
> About the first half of these patches (kees's fs changes and the set
> of bug fixes) are going out as pull request today.
>
> The other half are going up for further review, but have been through
> a round of review within the apparmor list already, we will be
> working on getting the patches upstream, and the current set can be
> replaced as they land in the security tree.
>
>
>
>

Kernel freeze isn't until April 5. If we pull these now, are you OK with 
dropping them in favor of the patches that make the 3.4 merge window?

rtg
John Johansen Feb. 24, 2012, 10:57 p.m. UTC | #4
On 02/24/2012 02:27 PM, Tim Gardner wrote:
> On 02/24/2012 02:15 PM, John Johansen wrote:
>> On 02/24/2012 02:03 PM, Tim Gardner wrote:
>>> On 02/24/2012 08:56 AM, John Johansen wrote:
>>>> This apparmor update is to meet the requirements of the following blue-prints
>>>> https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-containers
>>>> https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-permissions-rework
>>>> https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-ubuntu
>>>>
>>>> it also contains the fix for
>>>> BugLink: http://bugs.launchpad.net/bugs/925028
>>>>
>>>>
>>>> The following changes since commit 00e2d7f3bcaf0cbb3d93defce24106966b6d017d:
>>>>
>>>>    UBUNTU: Ubuntu-3.2.0-17.26 (2012-02-17 10:13:46 -0800)
>>>>
>>>> are available in the git repository at:
>>>>
>>>>    ssh://kernel.ubuntu.com/srv/kernel.ubuntu.com/git/jj/ubuntu-precise.git apparmor
>>>>
>>>> for you to fetch changes up to 183a6edfaf235fafec23ee6ec608306f94cd5bd5:
>>>>
>>>>    UBUNTU: SAUCE: AppArmor: Add mount information to apparmorfs (2012-02-24 05:50:47 -0800)
>>>>
>>>> ----------------------------------------------------------------
>>>> John Johansen (19):
>>>>        Revert "UBUNTU: SAUCE: AppArmor: Fix unpack of network tables."
>>>>        Revert "AppArmor: compatibility patch for v5 interface"
>>>>        Revert "AppArmor: compatibility patch for v5 network controll"
>>>>        Revert "UBUNTU: SAUCE: AppArmor: Allow dfa backward compatibility with broken userspace"
>>>>        UBUNTU: SAUCE: AppArmor: Add mising end of structure test to caps unpacking
>>>>        UBUNTU: SAUCE: AppArmor: Fix dropping of allowed operations that are force audited
>>>>        UBUNTU: SAUCE: AppArmor: Fix underflow in xindex calculation
>>>>        UBUNTU: SAUCE: AppArmor: fix mapping of META_READ to audit and quiet flags
>>>>        UBUNTU: SAUCE: AppArmor: Fix the error case for chroot relative path name lookup
>>>>        UBUNTU: SAUCE: AppArmor: Retrieve the dentry_path for error reporting when path lookup fails
>>>>        UBUNTU: SAUCE: AppArmor: Minor cleanup of d_namespace_path to consolidate error handling
>>>>        UBUNTU: SAUCE: AppArmor: Update dfa matching routines.
>>>>        UBUNTU: SAUCE: AppArmor: Move path failure information into aa_get_name and rename
>>>>        UBUNTU: SAUCE: AppArmor: Make chroot relative the default path lookup type
>>>>        UBUNTU: SAUCE: AppArmor: Add ability to load extended policy
>>>>        UBUNTU: SAUCE: AppArmor: basic networking rules
>>>>        UBUNTU: SAUCE: AppArmor: Add profile introspection file to interface
>>>>        UBUNTU: SAUCE: AppArmor: Add the ability to mediate mount
>>>>        UBUNTU: SAUCE: AppArmor: Add mount information to apparmorfs
>>>>
>>>> Kees Cook (4):
>>>>        UBUNTU: SAUCE: AppArmor: refactor securityfs to use structures
>>>>        UBUNTU: SAUCE: AppArmor: add initial "features" directory to securityfs
>>>>        UBUNTU: SAUCE: AppArmor: add "file" details to securityfs
>>>>        UBUNTU: SAUCE: AppArmor: export known rlimit names/value mappings in securityfs
>>>>
>>>>   include/linux/lsm_audit.h              |    7 +
>>>>   security/apparmor/.gitignore           |    2 +-
>>>>   security/apparmor/Kconfig              |    9 -
>>>>   security/apparmor/Makefile             |   71 +++-
>>>>   security/apparmor/apparmorfs-24.c      |  287 ---------------
>>>>   security/apparmor/apparmorfs.c         |  450 +++++++++++++++++++++---
>>>>   security/apparmor/audit.c              |    5 +
>>>>   security/apparmor/domain.c             |    7 +-
>>>>   security/apparmor/file.c               |   21 +-
>>>>   security/apparmor/include/apparmor.h   |   16 +-
>>>>   security/apparmor/include/apparmorfs.h |   50 +++-
>>>>   security/apparmor/include/audit.h      |    9 +-
>>>>   security/apparmor/include/domain.h     |    2 +
>>>>   security/apparmor/include/file.h       |    2 +-
>>>>   security/apparmor/include/match.h      |    3 +
>>>>   security/apparmor/include/mount.h      |   53 +++
>>>>   security/apparmor/include/net.h        |    6 +-
>>>>   security/apparmor/include/path.h       |    3 +-
>>>>   security/apparmor/include/policy.h     |   13 +
>>>>   security/apparmor/include/resource.h   |    4 +
>>>>   security/apparmor/lsm.c                |   59 ++++
>>>>   security/apparmor/match.c              |   97 ++++-
>>>>   security/apparmor/mount.c              |  600 ++++++++++++++++++++++++++++++++
>>>>   security/apparmor/net.c                |   25 +-
>>>>   security/apparmor/path.c               |   54 ++--
>>>>   security/apparmor/policy.c             |    4 +
>>>>   security/apparmor/policy_unpack.c      |   35 ++-
>>>>   security/apparmor/resource.c           |    5 +
>>>>   28 files changed, 1438 insertions(+), 461 deletions(-)
>>>>   delete mode 100644 security/apparmor/apparmorfs-24.c
>>>>   create mode 100644 security/apparmor/include/mount.h
>>>>   create mode 100644 security/apparmor/mount.c
>>>>
>>>
>>> John - this is kind of late in the game for such a large patch set.
>>> Have you extracted a feature freeze exception from the release
>>> team? Where are these patches with regard to the upstream process?
>>> Why shouldn't we wait and backport them from the 3.4 merge window?
>>>
>> yes, it's late and yes there was a feature freeze exception the
>> userspace components went in today and the kernel patch submission
>> waited on the acceptance of that.
>>
>> About the first half of these patches (kees's fs changes and the set
>> of bug fixes) are going out as pull request today.
>>
>> The other half are going up for further review, but have been through
>> a round of review within the apparmor list already, we will be
>> working on getting the patches upstream, and the current set can be
>> replaced as they land in the security tree.
>>
>>
>>
>>
> 
> Kernel freeze isn't until April 5. If we pull these now, are you OK with dropping them in favor of the patches that make the 3.4 merge window?
> 
Yes, any patch that goes up should replace these; they will be the same
except for any changes made to address review.  However, there is a caveat:
if something doesn't make it into 3.4 we will likely have to carry
a patch.
Tim Gardner Feb. 27, 2012, 3:22 p.m. UTC | #5