RELEASE=4.0
KERNEL_VER=3.10.0
-PKGREL=31
+PKGREL=32
# also include firmware of previous versrion into
# the fw package: fwlist-2.6.32-PREV-pve
KREL=8
cd ${KERNEL_SRC}; patch -p1 <../add-empty-ndo_poll_controller-to-veth.patch
cd ${KERNEL_SRC}; patch -p1 <../override_for_missing_acs_capabilities.patch
cd ${KERNEL_SRC}; patch -p1 <../vhost-net-extend-device-allocation-to-vmalloc.patch
+ cd ${KERNEL_SRC}; patch -p1 <../apparmor-01-add-kvzalloc-to-handle-zeroing-for-kvmalloc.patch
+ cd ${KERNEL_SRC}; patch -p1 <../apparmor-02-fix-fully-qualified-name-parsing.patch
+ cd ${KERNEL_SRC}; patch -p1 <../apparmor-03-no-need-to-delay-vfree.patch
+ cd ${KERNEL_SRC}; patch -p1 <../apparmor-04-remove-minimum-size-check-for-vmalloc.patch
+ cd ${KERNEL_SRC}; patch -p1 <../apparmor-05-nick-kvfree-from-apparmor.patch
sed -i ${KERNEL_SRC}/Makefile -e 's/^EXTRAVERSION.*$$/EXTRAVERSION=${EXTRAVERSION}/'
touch $@
--- /dev/null
+From 0ca554b9fca425eb58325a36290deef698cef34b Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Mon, 18 Feb 2013 16:04:34 -0800
+Subject: apparmor: add kvzalloc to handle zeroing for kvmalloc
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Acked-by: Steve Beattie <sbeattie@ubuntu.com>
+
+diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
+index 40aedd9..1ba2ca5 100644
+--- a/security/apparmor/include/apparmor.h
++++ b/security/apparmor/include/apparmor.h
+@@ -15,6 +15,7 @@
+ #ifndef __APPARMOR_H
+ #define __APPARMOR_H
+
++#include <linux/slab.h>
+ #include <linux/fs.h>
+
+ #include "match.h"
+@@ -64,9 +65,18 @@ extern int apparmor_initialized __initdata;
+ /* fn's in lib */
+ char *aa_split_fqname(char *args, char **ns_name);
+ void aa_info_message(const char *str);
+-void *kvmalloc(size_t size);
++void *__aa_kvmalloc(size_t size, gfp_t flags);
+ void kvfree(void *buffer);
+
++static inline void *kvmalloc(size_t size)
++{
++ return __aa_kvmalloc(size, 0);
++}
++
++static inline void *kvzalloc(size_t size)
++{
++ return __aa_kvmalloc(size, __GFP_ZERO);
++}
+
+ /**
+ * aa_strneq - compare null terminated @str to a non null terminated substring
+diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
+index 7430298..d6e1f21 100644
+--- a/security/apparmor/lib.c
++++ b/security/apparmor/lib.c
+@@ -75,15 +75,16 @@ void aa_info_message(const char *str)
+ }
+
+ /**
+- * kvmalloc - do allocation preferring kmalloc but falling back to vmalloc
+- * @size: size of allocation
++ * __aa_kvmalloc - do allocation preferring kmalloc but falling back to vmalloc
++ * @size: how many bytes of memory are required
++ * @flags: the type of memory to allocate (see kmalloc).
+ *
+ * Return: allocated buffer or NULL if failed
+ *
+ * It is possible that policy being loaded from the user is larger than
+ * what can be allocated by kmalloc, in those cases fall back to vmalloc.
+ */
+-void *kvmalloc(size_t size)
++void *__aa_kvmalloc(size_t size, gfp_t flags)
+ {
+ void *buffer = NULL;
+
+@@ -92,14 +93,17 @@ void *kvmalloc(size_t size)
+
+ /* do not attempt kmalloc if we need more than 16 pages at once */
+ if (size <= (16*PAGE_SIZE))
+- buffer = kmalloc(size, GFP_NOIO | __GFP_NOWARN);
++ buffer = kmalloc(size, flags | GFP_NOIO | __GFP_NOWARN);
+ if (!buffer) {
+ /* see kvfree for why size must be at least work_struct size
+ * when allocated via vmalloc
+ */
+ if (size < sizeof(struct work_struct))
+ size = sizeof(struct work_struct);
+- buffer = vmalloc(size);
++ if (flags & __GFP_ZERO)
++ buffer = vzalloc(size);
++ else
++ buffer = vmalloc(size);
+ }
+ return buffer;
+ }
+diff --git a/security/apparmor/match.c b/security/apparmor/match.c
+index 90971a8..dfd25a9 100644
+--- a/security/apparmor/match.c
++++ b/security/apparmor/match.c
+@@ -30,7 +30,7 @@
+ *
+ * Returns: pointer to table else NULL on failure
+ *
+- * NOTE: must be freed by kvfree (not kmalloc)
++ * NOTE: must be freed by kvfree (not kfree)
+ */
+ static struct table_header *unpack_table(char *blob, size_t bsize)
+ {
+@@ -57,7 +57,7 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
+ if (bsize < tsize)
+ goto out;
+
+- table = kvmalloc(tsize);
++ table = kvzalloc(tsize);
+ if (table) {
+ *table = th;
+ if (th.td_flags == YYTD_DATA8)
+--
+cgit v0.10.2
+
--- /dev/null
+From 2654bfbc2bd0e1e64f0b257c21da23f6cec32c6c Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 27 Feb 2013 03:45:05 -0800
+Subject: apparmor: fix fully qualified name parsing
+
+currently apparmor name parsing is only correctly handling
+:<NS>:<profile>
+
+but
+:<NS>://<profile>
+
+is also a valid form and what is exported to userspace.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+
+diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
+index d6e1f21..d40bc59 100644
+--- a/security/apparmor/lib.c
++++ b/security/apparmor/lib.c
+@@ -45,8 +45,10 @@ char *aa_split_fqname(char *fqname, char **ns_name)
+ *ns_name = skip_spaces(&name[1]);
+ if (split) {
+ /* overwrite ':' with \0 */
+- *split = 0;
+- name = skip_spaces(split + 1);
++ *split++ = 0;
++ if (strncmp(split, "//", 2) == 0)
++ split += 2;
++ name = skip_spaces(split);
+ } else
+ /* a ns name without a following profile is allowed */
+ name = NULL;
+--
+cgit v0.10.2
+
--- /dev/null
+From b5b3ee6c9cca8b6e1aa8c757e570f08f802c5573 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Mon, 6 May 2013 03:10:35 +0100
+Subject: apparmor: no need to delay vfree()
+
+vfree() can be called from interrupt contexts now
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+
+diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
+index d40bc59..fcfe023 100644
+--- a/security/apparmor/lib.c
++++ b/security/apparmor/lib.c
+@@ -111,19 +111,6 @@ void *__aa_kvmalloc(size_t size, gfp_t flags)
+ }
+
+ /**
+- * do_vfree - workqueue routine for freeing vmalloced memory
+- * @work: data to be freed
+- *
+- * The work_struct is overlaid to the data being freed, as at the point
+- * the work is scheduled the data is no longer valid, be its freeing
+- * needs to be delayed until safe.
+- */
+-static void do_vfree(struct work_struct *work)
+-{
+- vfree(work);
+-}
+-
+-/**
+ * kvfree - free an allocation do by kvmalloc
+ * @buffer: buffer to free (MAYBE_NULL)
+ *
+@@ -131,13 +118,8 @@ static void do_vfree(struct work_struct *work)
+ */
+ void kvfree(void *buffer)
+ {
+- if (is_vmalloc_addr(buffer)) {
+- /* Data is no longer valid so just use the allocated space
+- * as the work_struct
+- */
+- struct work_struct *work = (struct work_struct *) buffer;
+- INIT_WORK(work, do_vfree);
+- schedule_work(work);
+- } else
++ if (is_vmalloc_addr(buffer))
++ vfree(buffer);
++ else
+ kfree(buffer);
+ }
+--
+cgit v0.10.2
+
--- /dev/null
+From dfe4ac28be73833556756dca6771d4274a7f1157 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Mon, 17 Jun 2013 21:25:08 +0900
+Subject: apparmor: remove minimum size check for vmalloc()
+
+This is a follow-up to commit b5b3ee6c "apparmor: no need to delay vfree()".
+
+Since vmalloc() will do "size = PAGE_ALIGN(size);",
+we don't need to check for "size >= sizeof(struct work_struct)".
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+
+diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
+index fcfe023..6968992 100644
+--- a/security/apparmor/lib.c
++++ b/security/apparmor/lib.c
+@@ -97,11 +97,6 @@ void *__aa_kvmalloc(size_t size, gfp_t flags)
+ if (size <= (16*PAGE_SIZE))
+ buffer = kmalloc(size, flags | GFP_NOIO | __GFP_NOWARN);
+ if (!buffer) {
+- /* see kvfree for why size must be at least work_struct size
+- * when allocated via vmalloc
+- */
+- if (size < sizeof(struct work_struct))
+- size = sizeof(struct work_struct);
+ if (flags & __GFP_ZERO)
+ buffer = vzalloc(size);
+ else
+--
+cgit v0.10.2
+
--- /dev/null
+From 39f1f78d53b9bcbca91967380c5f0f2305a5c55f Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Tue, 6 May 2014 14:02:53 -0400
+Subject: nick kvfree() from apparmor
+
+too many places open-code it
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
+index 8fb1488..97130f8 100644
+--- a/security/apparmor/include/apparmor.h
++++ b/security/apparmor/include/apparmor.h
+@@ -66,7 +66,6 @@ extern int apparmor_initialized __initdata;
+ char *aa_split_fqname(char *args, char **ns_name);
+ void aa_info_message(const char *str);
+ void *__aa_kvmalloc(size_t size, gfp_t flags);
+-void kvfree(void *buffer);
+
+ static inline void *kvmalloc(size_t size)
+ {
+diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
+index 6968992..c1827e0 100644
+--- a/security/apparmor/lib.c
++++ b/security/apparmor/lib.c
+@@ -104,17 +104,3 @@ void *__aa_kvmalloc(size_t size, gfp_t flags)
+ }
+ return buffer;
+ }
+-
+-/**
+- * kvfree - free an allocation do by kvmalloc
+- * @buffer: buffer to free (MAYBE_NULL)
+- *
+- * Free a buffer allocated by kvmalloc
+- */
+-void kvfree(void *buffer)
+-{
+- if (is_vmalloc_addr(buffer))
+- vfree(buffer);
+- else
+- kfree(buffer);
+-}
+--
+cgit v0.10.2
+
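Review bot: This patch carries only the removal half of upstream 39f1f78d — the apparmor.h declaration and the lib.c definition of kvfree() are deleted, but, as far as I recall, the upstream commit also added a global kvfree() to mm/util.c and its declaration in include/linux/mm.h, and neither is part of this file, so the build depends on the 3.10 base kernel already exporting a kvfree() with the same is_vmalloc_addr()-then-vfree-else-kfree semantics. The preamble keeps the upstream one-liner "too many places open-code it", which does not tell a future maintainer why the mm/ side is missing or what the patch actually relies on when the base kernel is refreshed. I would add a bracketed line above the Signed-off-by, e.g. `[pve: mm/ side not carried — the 3.10 base kernel already provides kvfree(); keeping apparmor's copy would be a duplicate definition]`, so the dependency is stated rather than inferred. It is also worth confirming that the base kernel's kvfree() really does handle vmalloc'd buffers, since every remaining __aa_kvmalloc() caller now frees through it.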
+pve-kernel-3.10.0 (3.10.0-32) unstable; urgency=medium
+
+ * use apparmor as default security module
+
+ -- Proxmox Support Team <support@proxmox.com> Sun, 05 Apr 2015 10:12:49 +0200
+
pve-kernel-3.10.0 (3.10.0-31) unstable; urgency=medium
* include latest DRBD 9.0 driver
---- rh-kernel-src/kernel-3.10.0-x86_64.config 2015-03-14 10:29:17.996963858 +0100
-+++ config-3.10.0.new 2015-03-14 11:28:50.364833361 +0100
+--- rh-kernel-src/kernel-3.10.0-x86_64.config 2015-03-14 14:15:00.347227546 +0100
++++ config-3.10.0 2015-04-04 19:17:16.553879288 +0200
@@ -1,7 +1,6 @@
-# x86_64
#
CONFIG_DLM=m
CONFIG_DLM_DEBUG=y
-@@ -5017,8 +5016,8 @@
+@@ -5017,29 +5016,29 @@
CONFIG_KEYS=y
CONFIG_PERSISTENT_KEYRINGS=y
CONFIG_BIG_KEYS=y
CONFIG_KEYS_DEBUG_PROC_KEYS=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
-@@ -5030,9 +5029,8 @@
+ CONFIG_SECURITYFS=y
+ CONFIG_SECURITY_NETWORK=y
+ CONFIG_SECURITY_NETWORK_XFRM=y
+-# CONFIG_SECURITY_PATH is not set
++CONFIG_SECURITY_PATH=y
+ CONFIG_SECURITY_SECURELEVEL=y
CONFIG_INTEL_TXT=y
CONFIG_LSM_MMAP_MIN_ADDR=65535
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
-@@ -5053,8 +5051,9 @@
- CONFIG_EVM=y
- CONFIG_EVM_HMAC_VERSION=2
- CONFIG_DEFAULT_SECURITY_SELINUX=y
--# CONFIG_DEFAULT_SECURITY_DAC is not set
+ # CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
+ # CONFIG_SECURITY_SMACK is not set
+ # CONFIG_SECURITY_TOMOYO is not set
+-# CONFIG_SECURITY_APPARMOR is not set
++CONFIG_SECURITY_APPARMOR=y
++CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
+ # CONFIG_SECURITY_YAMA is not set
+ CONFIG_INTEGRITY=y
+ CONFIG_INTEGRITY_SIGNATURE=y
+@@ -5050,11 +5049,10 @@
+ CONFIG_IMA_LSM_RULES=y
+ CONFIG_IMA_APPRAISE=y
+ CONFIG_IMA_TRUSTED_KEYRING=y
+-CONFIG_EVM=y
+-CONFIG_EVM_HMAC_VERSION=2
+-CONFIG_DEFAULT_SECURITY_SELINUX=y
++# CONFIG_DEFAULT_SECURITY_SELINUX is not set
++CONFIG_DEFAULT_SECURITY_APPARMOR=y
+ # CONFIG_DEFAULT_SECURITY_DAC is not set
-CONFIG_DEFAULT_SECURITY="selinux"
-+CONFIG_DEFAULT_SECURITY_DAC=y
-+CONFIG_DEFAULT_SECURITY=""
-+#CONFIG_DEFAULT_SECURITY="selinux"
++CONFIG_DEFAULT_SECURITY="apparmor"
CONFIG_XOR_BLOCKS=m
CONFIG_ASYNC_CORE=m
CONFIG_ASYNC_MEMCPY=m
-@@ -5126,7 +5125,7 @@
+@@ -5066,7 +5064,6 @@
+ #
+ # Crypto core or helper
+ #
+-CONFIG_CRYPTO_FIPS=y
+ CONFIG_CRYPTO_ALGAPI=y
+ CONFIG_CRYPTO_ALGAPI2=y
+ CONFIG_CRYPTO_AEAD=y
+@@ -5126,7 +5123,7 @@
CONFIG_CRYPTO_CRC32C_INTEL=m
CONFIG_CRYPTO_CRC32=m
CONFIG_CRYPTO_CRC32_PCLMUL=m
CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m
CONFIG_CRYPTO_GHASH=m
CONFIG_CRYPTO_MD4=m
-@@ -5252,7 +5251,7 @@
+@@ -5252,7 +5249,7 @@
CONFIG_CMPXCHG_LOCKREF=y
CONFIG_CRC_CCITT=m
CONFIG_CRC16=y
CONFIG_CRC_ITU_T=m
CONFIG_CRC32=y
# CONFIG_CRC32_SELFTEST is not set
-@@ -5301,6 +5300,7 @@
+@@ -5301,6 +5298,7 @@
CONFIG_DQL=y
CONFIG_NLATTR=y
CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
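Review bot: Besides switching the default LSM, the new side of this config delta also drops `CONFIG_CRYPTO_FIPS=y` and `CONFIG_EVM=y` / `CONFIG_EVM_HMAC_VERSION=2` relative to the RH config, and neither change is reflected in the changelog entry, which only says "use apparmor as default security module". Removing CRYPTO_FIPS takes away the fips=1 boot mode and its algorithm self-test enforcement, and removing EVM disables HMAC/signature protection of security xattrs — both are visible behaviour changes for anyone relying on the RHEL defaults, so if they are intentional the changelog should say so, e.g. `* use apparmor as default security module (enables CONFIG_SECURITY_PATH)` and `* drop CONFIG_CRYPTO_FIPS and CONFIG_EVM from the RHEL config`; if EVM was lost only as a side effect of regenerating the config, it may be worth restoring. The delta additionally sets `CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1`, so AppArmor is active at boot without any command-line parameter, which the entry could state as well.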