Loading security/apparmor/Makefile +3 −2 Original line number Diff line number Diff line Loading @@ -15,7 +15,7 @@ clean-files := capability_names.h rlim_names.h # to # [1] = "dac_override", quiet_cmd_make-caps = GEN $@ cmd_make-caps = echo "static const char *capability_names[] = {" > $@ ;\ cmd_make-caps = echo "static const char const *capability_names[] = {" > $@ ;\ sed $< >>$@ -r -n -e '/CAP_FS_MASK/d' \ -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/[\2] = "\L\1",/p';\ echo "};" >> $@ Loading Loading @@ -43,7 +43,8 @@ cmd_make-caps = echo "static const char *capability_names[] = {" > $@ ;\ # to # #define AA_FS_RLIMIT_MASK "fsize stack" quiet_cmd_make-rlim = GEN $@ cmd_make-rlim = echo "static const char *rlim_names[RLIM_NLIMITS] = {" > $@ ;\ cmd_make-rlim = echo "static const char const *rlim_names[RLIM_NLIMITS] = {" \ > $@ ;\ sed $< >> $@ -r -n \ -e 's/^\# ?define[ \t]+(RLIMIT_([A-Z0-9_]+)).*/[\1] = "\L\2",/p';\ echo "};" >> $@ ;\ Loading security/apparmor/audit.c +3 −3 Original line number Diff line number Diff line Loading @@ -19,7 +19,7 @@ #include "include/audit.h" #include "include/policy.h" const char *op_table[] = { const char *const op_table[] = { "null", "sysctl", Loading Loading @@ -73,7 +73,7 @@ const char *op_table[] = { "profile_remove" }; const char *audit_mode_names[] = { const char *const audit_mode_names[] = { "normal", "quiet_denied", "quiet", Loading @@ -81,7 +81,7 @@ const char *audit_mode_names[] = { "all" }; static char *aa_audit_type[] = { static const char *const aa_audit_type[] = { "AUDIT", "ALLOWED", "DENIED", Loading security/apparmor/domain.c +2 −3 Original line number Diff line number Diff line Loading 
@@ -372,13 +372,12 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) state = profile->file.start; /* buffer freed below, name is pointer into buffer */ error = aa_get_name(&bprm->file->f_path, profile->path_flags, &buffer, &name); error = aa_path_name(&bprm->file->f_path, profile->path_flags, &buffer, &name, &info); if (error) { if (profile->flags & (PFLAG_IX_ON_NAME_ERROR | PFLAG_UNCONFINED)) error = 0; info = "Exec failed name resolution"; name = bprm->filename; goto audit; } Loading security/apparmor/file.c +7 −11 Original line number Diff line number Diff line Loading @@ -278,22 +278,16 @@ int aa_path_perm(int op, struct aa_profile *profile, struct path *path, int error; flags |= profile->path_flags | (S_ISDIR(cond->mode) ? PATH_IS_DIR : 0); error = aa_get_name(path, flags, &buffer, &name); error = aa_path_name(path, flags, &buffer, &name, &info); if (error) { if (error == -ENOENT && is_deleted(path->dentry)) { /* Access to open files that are deleted are * give a pass (implicit delegation) */ error = 0; info = NULL; perms.allow = request; } else if (error == -ENOENT) info = "Failed name lookup - deleted entry"; else if (error == -ESTALE) info = "Failed name lookup - disconnected path"; else if (error == -ENAMETOOLONG) info = "Failed name lookup - name too long"; else info = "Failed name lookup"; } } else { aa_str_perms(profile->file.dfa, profile->file.start, name, cond, &perms); Loading Loading 
@@ -364,12 +358,14 @@ int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry, lperms = nullperms; /* buffer freed below, lname is pointer in buffer */ error = aa_get_name(&link, profile->path_flags, &buffer, &lname); error = aa_path_name(&link, profile->path_flags, &buffer, &lname, &info); if (error) goto audit; /* buffer2 freed below, tname is pointer in buffer2 */ error = aa_get_name(&target, profile->path_flags, &buffer2, &tname); error = aa_path_name(&target, profile->path_flags, &buffer2, &tname, &info); if (error) goto audit; Loading security/apparmor/include/apparmor.h +14 −1 Original line number Diff line number Diff line Loading @@ -19,6 +19,19 @@ #include "match.h" /* * Class of mediation types in the AppArmor policy db */ #define AA_CLASS_ENTRY 0 #define AA_CLASS_UNKNOWN 1 #define AA_CLASS_FILE 2 #define AA_CLASS_CAP 3 #define AA_CLASS_NET 4 #define AA_CLASS_RLIMITS 5 #define AA_CLASS_DOMAIN 6 #define AA_CLASS_LAST AA_CLASS_DOMAIN /* Control parameters settable through module/boot flags */ extern enum audit_mode aa_g_audit; extern bool aa_g_audit_header; Loading Loading @@ -81,7 +94,7 @@ static inline unsigned int aa_dfa_null_transition(struct aa_dfa *dfa, unsigned int start) { /* the null transition only needs the string's null terminator byte */ return aa_dfa_match_len(dfa, start, "", 1); return aa_dfa_next(dfa, start, 0); } static inline bool mediated_filesystem(struct inode *inode) Loading Loading
security/apparmor/Makefile +3 −2 Original line number Diff line number Diff line Loading @@ -15,7 +15,7 @@ clean-files := capability_names.h rlim_names.h # to # [1] = "dac_override", quiet_cmd_make-caps = GEN $@ cmd_make-caps = echo "static const char *capability_names[] = {" > $@ ;\ cmd_make-caps = echo "static const char const *capability_names[] = {" > $@ ;\ sed $< >>$@ -r -n -e '/CAP_FS_MASK/d' \ -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/[\2] = "\L\1",/p';\ echo "};" >> $@ Loading Loading @@ -43,7 +43,8 @@ cmd_make-caps = echo "static const char *capability_names[] = {" > $@ ;\ # to # #define AA_FS_RLIMIT_MASK "fsize stack" quiet_cmd_make-rlim = GEN $@ cmd_make-rlim = echo "static const char *rlim_names[RLIM_NLIMITS] = {" > $@ ;\ cmd_make-rlim = echo "static const char const *rlim_names[RLIM_NLIMITS] = {" \ > $@ ;\ sed $< >> $@ -r -n \ -e 's/^\# ?define[ \t]+(RLIMIT_([A-Z0-9_]+)).*/[\1] = "\L\2",/p';\ echo "};" >> $@ ;\ Loading
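Review bot: The qualifier in the generated declaration is misplaced: `static const char const *capability_names[]` applies `const` to the pointed-to char twice and leaves the pointer elements themselves writable, which is not the `const char *const` form the rest of this commit uses in audit.c. The cmd_make-rlim line has the same slip for rlim_names. The two echo strings should read `static const char *const capability_names[] = {` and `static const char *const rlim_names[RLIM_NLIMITS] = {`. A duplicate qualifier is accepted by C99 and later, so the build will not flag the mistake.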
security/apparmor/audit.c +3 −3 Original line number Diff line number Diff line Loading @@ -19,7 +19,7 @@ #include "include/audit.h" #include "include/policy.h" const char *op_table[] = { const char *const op_table[] = { "null", "sysctl", Loading Loading @@ -73,7 +73,7 @@ const char *op_table[] = { "profile_remove" }; const char *audit_mode_names[] = { const char *const audit_mode_names[] = { "normal", "quiet_denied", "quiet", Loading @@ -81,7 +81,7 @@ const char *audit_mode_names[] = { "all" }; static char *aa_audit_type[] = { static const char *const aa_audit_type[] = { "AUDIT", "ALLOWED", "DENIED", Loading
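Review bot: op_table and audit_mode_names gain `*const` here, but their `extern` declarations (presumably in include/audit.h, which is not part of this diff) must carry the same `const char *const` element type, otherwise the definition and declaration have conflicting types. Worth confirming they are updated in the same commit. aa_audit_type becoming `static const char *const` needs no such follow-up since it is file-local.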
security/apparmor/domain.c +2 −3 Original line number Diff line number Diff line Loading @@ -372,13 +372,12 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) state = profile->file.start; /* buffer freed below, name is pointer into buffer */ error = aa_get_name(&bprm->file->f_path, profile->path_flags, &buffer, &name); error = aa_path_name(&bprm->file->f_path, profile->path_flags, &buffer, &name, &info); if (error) { if (profile->flags & (PFLAG_IX_ON_NAME_ERROR | PFLAG_UNCONFINED)) error = 0; info = "Exec failed name resolution"; name = bprm->filename; goto audit; } Loading
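Review bot: Dropping `info = "Exec failed name resolution";` makes the audit reason depend entirely on aa_path_name() writing *info on every failing return; aa_path_name's definition is not in this diff, so if any of its error paths leaves *info untouched the exec-failure audit record loses its explanation. That contract deserves a line in aa_path_name's header comment, e.g. `/* on error *info is set to a static string describing the lookup failure */`. When PFLAG_IX_ON_NAME_ERROR or PFLAG_UNCONFINED clears `error`, the record still carries the lookup-failure info while reporting success, as it did before the change. apparmor_bprm_set_creds starts before and continues after the hunk.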
security/apparmor/file.c +7 −11 Original line number Diff line number Diff line Loading @@ -278,22 +278,16 @@ int aa_path_perm(int op, struct aa_profile *profile, struct path *path, int error; flags |= profile->path_flags | (S_ISDIR(cond->mode) ? PATH_IS_DIR : 0); error = aa_get_name(path, flags, &buffer, &name); error = aa_path_name(path, flags, &buffer, &name, &info); if (error) { if (error == -ENOENT && is_deleted(path->dentry)) { /* Access to open files that are deleted are * give a pass (implicit delegation) */ error = 0; info = NULL; perms.allow = request; } else if (error == -ENOENT) info = "Failed name lookup - deleted entry"; else if (error == -ESTALE) info = "Failed name lookup - disconnected path"; else if (error == -ENAMETOOLONG) info = "Failed name lookup - name too long"; else info = "Failed name lookup"; } } else { aa_str_perms(profile->file.dfa, profile->file.start, name, cond, &perms); Loading Loading @@ -364,12 +358,14 @@ int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry, lperms = nullperms; /* buffer freed below, lname is pointer in buffer */ error = aa_get_name(&link, profile->path_flags, &buffer, &lname); error = aa_path_name(&link, profile->path_flags, &buffer, &lname, &info); if (error) goto audit; /* buffer2 freed below, tname is pointer in buffer2 */ error = aa_get_name(&target, profile->path_flags, &buffer2, &tname); error = aa_path_name(&target, profile->path_flags, &buffer2, &tname, &info); if (error) goto audit; Loading
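Review bot: In aa_path_perm the implicit-delegation branch now overwrites the reason aa_path_name() just stored in `info` with `info = NULL` without saying so; a comment would help, e.g. `/* discard the lookup-failure reason from aa_path_name(), access is granted */`. The per-errno messages for -ESTALE and -ENAMETOOLONG that this hunk removes are presumably reproduced inside aa_path_name(), which is not in this diff; if they are not, audit records lose that detail. In aa_path_link both calls pass `&info`, so a local `info` must already exist there; its declaration is outside the hunk. Both functions start before and continue after their hunks.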
security/apparmor/include/apparmor.h +14 −1 Original line number Diff line number Diff line Loading @@ -19,6 +19,19 @@ #include "match.h" /* * Class of mediation types in the AppArmor policy db */ #define AA_CLASS_ENTRY 0 #define AA_CLASS_UNKNOWN 1 #define AA_CLASS_FILE 2 #define AA_CLASS_CAP 3 #define AA_CLASS_NET 4 #define AA_CLASS_RLIMITS 5 #define AA_CLASS_DOMAIN 6 #define AA_CLASS_LAST AA_CLASS_DOMAIN /* Control parameters settable through module/boot flags */ extern enum audit_mode aa_g_audit; extern bool aa_g_audit_header; Loading Loading @@ -81,7 +94,7 @@ static inline unsigned int aa_dfa_null_transition(struct aa_dfa *dfa, unsigned int start) { /* the null transition only needs the string's null terminator byte */ return aa_dfa_match_len(dfa, start, "", 1); return aa_dfa_next(dfa, start, 0); } static inline bool mediated_filesystem(struct inode *inode) Loading
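Review bot: The AA_CLASS_* constants are added as bare `#define`s; an `enum` would keep them debugger-visible and let AA_CLASS_LAST be tied to the last enumerator instead of a separate macro alias, e.g. `enum { AA_CLASS_ENTRY, AA_CLASS_UNKNOWN, AA_CLASS_FILE, AA_CLASS_CAP, AA_CLASS_NET, AA_CLASS_RLIMITS, AA_CLASS_DOMAIN, AA_CLASS_LAST = AA_CLASS_DOMAIN };`. Nothing in this diff shows how the values are consumed; if they are matched against encodings in loaded policy, the comment should say the numbers are fixed on-disk values so nobody reorders them. In aa_dfa_null_transition the switch to `aa_dfa_next(dfa, start, 0)` keeps the retained comment about the terminator byte accurate only if aa_dfa_next consumes exactly one byte; its declaration is not in this diff.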