5 files changed, 45 insertions, 52 deletions
diff --git a/security/apparmor/crypto.c b/security/apparmor/crypto.c
index de8dc78b6144..136f2a047836 100644
--- a/security/apparmor/crypto.c
+++ b/security/apparmor/crypto.c
@@ -31,10 +31,7 @@ unsigned int aa_hash_size(void)
 char *aa_calc_hash(void *data, size_t len)
 {
-        struct {
+        SHASH_DESC_ON_STACK(desc, apparmor_tfm);
-                struct shash_desc shash;
-                char ctx[crypto_shash_descsize(apparmor_tfm)];
-        } desc;
        char *hash = NULL;
        int error = -ENOMEM;
@@ -45,16 +42,16 @@ char *aa_calc_hash(void *data, size_t len)
        if (!hash)
                goto fail;
-        desc.shash.tfm = apparmor_tfm;
+        desc->tfm = apparmor_tfm;
-        desc.shash.flags = 0;
+        desc->flags = 0;
-        error = crypto_shash_init(&desc.shash);
+        error = crypto_shash_init(desc);
        if (error)
                goto fail;
-        error = crypto_shash_update(&desc.shash, (u8 *) data, len);
+        error = crypto_shash_update(desc, (u8 *) data, len);
        if (error)
                goto fail;
-        error = crypto_shash_final(&desc.shash, hash);
+        error = crypto_shash_final(desc, hash);
        if (error)
                goto fail;
@@ -69,10 +66,7 @@ fail:
 int aa_calc_profile_hash(struct aa_profile *profile, u32 version, void *start,
                         size_t len)
 {
-        struct {
+        SHASH_DESC_ON_STACK(desc, apparmor_tfm);
-                struct shash_desc shash;
-                char ctx[crypto_shash_descsize(apparmor_tfm)];
-        } desc;
        int error = -ENOMEM;
        __le32 le32_version = cpu_to_le32(version);
@@ -86,19 +80,19 @@ int aa_calc_profile_hash(struct aa_profile *profile, u32 version, void *start,
        if (!profile->hash)
                goto fail;
-        desc.shash.tfm = apparmor_tfm;
+        desc->tfm = apparmor_tfm;
-        desc.shash.flags = 0;
+        desc->flags = 0;
-        error = crypto_shash_init(&desc.shash);
+        error = crypto_shash_init(desc);
        if (error)
                goto fail;
-        error = crypto_shash_update(&desc.shash, (u8 *) &le32_version, 4);
+        error = crypto_shash_update(desc, (u8 *) &le32_version, 4);
        if (error)
                goto fail;
-        error = crypto_shash_update(&desc.shash, (u8 *) start, len);
+        error = crypto_shash_update(desc, (u8 *) start, len);
        if (error)
                goto fail;
-        error = crypto_shash_final(&desc.shash, profile->hash);
+        error = crypto_shash_final(desc, profile->hash);
        if (error)
                goto fail;
diff --git a/security/apparmor/include/lib.h b/security/apparmor/include/lib.h
index 65ff492a9807..0291ff3902f9 100644
--- a/security/apparmor/include/lib.h
+++ b/security/apparmor/include/lib.h
@@ -57,7 +57,7 @@
        pr_err_ratelimited("AppArmor: " fmt, ##args)
 /* Flag indicating whether initialization completed */
-extern int apparmor_initialized __initdata;
+extern int apparmor_initialized;
 /* fn's in lib */
 char *aa_split_fqname(char *args, char **ns_name);
diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
index 66475bda6f72..32cafc12593e 100644
--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -180,13 +180,13 @@ bool aa_policy_init(struct aa_policy *policy, const char *prefix,
        } else
                policy->hname = kstrdup(name, gfp);
        if (!policy->hname)
-                return 0;
+                return false;
        /* base.name is a substring of fqname */
        policy->name = basename(policy->hname);
        INIT_LIST_HEAD(&policy->list);
        INIT_LIST_HEAD(&policy->profiles);
-        return 1;
+        return true;
 }
 /**
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 709eacd23909..8f3c0f7aca5a 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -39,7 +39,7 @@
 #include "include/procattr.h"
 /* Flag indicating whether initialization completed */
-int apparmor_initialized __initdata;
+int apparmor_initialized;
 DEFINE_PER_CPU(struct aa_buffers, aa_buffers);
@@ -587,7 +587,7 @@ static int apparmor_task_setrlimit(struct task_struct *task,
        return error;
 }
-static struct security_hook_list apparmor_hooks[] = {
+static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
        LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
        LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
        LSM_HOOK_INIT(capget, apparmor_capget),
@@ -681,7 +681,7 @@ module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
 #endif
 /* Debug mode */
-bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_DEBUG_MESSAGES);
+bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES);
 module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
 /* Audit mode */
@@ -710,7 +710,7 @@ module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR);
 /* Maximum pathname length before accesses will start getting rejected */
 unsigned int aa_g_path_max = 2 * PATH_MAX;
-module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR | S_IWUSR);
+module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
 /* Determines how paranoid loading of policy is and how much verification
 * on the loaded policy is done.
@@ -738,78 +738,77 @@ __setup("apparmor=", apparmor_enabled_setup);
 /* set global flag turning off the ability to load policy */
 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
 {
-        if (!policy_admin_capable(NULL))
+        if (!apparmor_enabled)
+                return -EINVAL;
+        if (apparmor_initialized && !policy_admin_capable(NULL))
                return -EPERM;
        return param_set_bool(val, kp);
 }
 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
 {
-        if (!policy_view_capable(NULL))
-                return -EPERM;
        if (!apparmor_enabled)
                return -EINVAL;
+        if (apparmor_initialized && !policy_view_capable(NULL))
+                return -EPERM;
        return param_get_bool(buffer, kp);
 }
 static int param_set_aabool(const char *val, const struct kernel_param *kp)
 {
-        if (!policy_admin_capable(NULL))
-                return -EPERM;
        if (!apparmor_enabled)
                return -EINVAL;
+        if (apparmor_initialized && !policy_admin_capable(NULL))
+                return -EPERM;
        return param_set_bool(val, kp);
 }
 static int param_get_aabool(char *buffer, const struct kernel_param *kp)
 {
-        if (!policy_view_capable(NULL))
-                return -EPERM;
        if (!apparmor_enabled)
                return -EINVAL;
+        if (apparmor_initialized && !policy_view_capable(NULL))
+                return -EPERM;
        return param_get_bool(buffer, kp);
 }
 static int param_set_aauint(const char *val, const struct kernel_param *kp)
 {
-        if (!policy_admin_capable(NULL))
-                return -EPERM;
        if (!apparmor_enabled)
                return -EINVAL;
+        if (apparmor_initialized && !policy_admin_capable(NULL))
+                return -EPERM;
        return param_set_uint(val, kp);
 }
 static int param_get_aauint(char *buffer, const struct kernel_param *kp)
 {
-        if (!policy_view_capable(NULL))
-                return -EPERM;
        if (!apparmor_enabled)
                return -EINVAL;
+        if (apparmor_initialized && !policy_view_capable(NULL))
+                return -EPERM;
        return param_get_uint(buffer, kp);
 }
 static int param_get_audit(char *buffer, struct kernel_param *kp)
 {
-        if (!policy_view_capable(NULL))
-                return -EPERM;
        if (!apparmor_enabled)
                return -EINVAL;
+        if (apparmor_initialized && !policy_view_capable(NULL))
+                return -EPERM;
        return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]);
 }
 static int param_set_audit(const char *val, struct kernel_param *kp)
 {
        int i;
-        if (!policy_admin_capable(NULL))
-                return -EPERM;
        if (!apparmor_enabled)
                return -EINVAL;
        if (!val)
                return -EINVAL;
+        if (apparmor_initialized && !policy_admin_capable(NULL))
+                return -EPERM;
        for (i = 0; i < AUDIT_MAX_INDEX; i++) {
                if (strcmp(val, audit_mode_names[i]) == 0) {
@@ -823,11 +822,10 @@ static int param_set_audit(const char *val, struct kernel_param *kp)
 static int param_get_mode(char *buffer, struct kernel_param *kp)
 {
-        if (!policy_view_capable(NULL))
-                return -EPERM;
        if (!apparmor_enabled)
                return -EINVAL;
+        if (apparmor_initialized && !policy_view_capable(NULL))
+                return -EPERM;
        return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]);
 }
@@ -835,14 +833,13 @@ static int param_get_mode(char *buffer, struct kernel_param *kp)
 static int param_set_mode(const char *val, struct kernel_param *kp)
 {
        int i;
-        if (!policy_admin_capable(NULL))
-                return -EPERM;
        if (!apparmor_enabled)
                return -EINVAL;
        if (!val)
                return -EINVAL;
+        if (apparmor_initialized && !policy_admin_capable(NULL))
+                return -EPERM;
        for (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) {
                if (strcmp(val, aa_profile_mode_names[i]) == 0) {
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index def1fbd6bdfd..cf9d670dca94 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -876,9 +876,11 @@ ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_profile *profile,
        if (ns_name) {
                ns = aa_prepare_ns(view, ns_name);
                if (IS_ERR(ns)) {
+                        op = OP_PROF_LOAD;
                        info = "failed to prepare namespace";
                        error = PTR_ERR(ns);
                        ns = NULL;
+                        ent = NULL;
                        goto fail;
                }
        } else
@@ -1013,7 +1015,7 @@ fail_lock:
        /* audit cause of failure */
        op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
 fail:
-        audit_policy(profile, op, ns_name, ent->new->base.hname,
+        audit_policy(profile, op, ns_name, ent ? ent->new->base.hname : NULL,
                     info, error);
        /* audit status that rest of profiles in the atomic set failed too */
        info = "valid profile in failed atomic policy load";
@@ -1023,7 +1025,7 @@ fail:
                        /* skip entry that caused failure */
                        continue;
                }
-                op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
+                op = (!tmp->old) ? OP_PROF_LOAD : OP_PROF_REPL;
                audit_policy(profile, op, ns_name,
                             tmp->new->base.hname, info, error);
        }

diff --git a/security/apparmor/crypto.c b/security/apparmor/crypto.c index de8dc78b6144..136f2a047836 100644 --- a/security/apparmor/crypto.c +++ b/security/apparmor/crypto.c
@@ -31,10 +31,7 @@ unsigned int aa_hash_size(void)
31		31
32	char aa_calc_hash(void data, size_t len)	32	char aa_calc_hash(void data, size_t len)
33	{	33	{
34	struct {	34	SHASH_DESC_ON_STACK(desc, apparmor_tfm);
35	struct shash_desc shash;
36	char ctx[crypto_shash_descsize(apparmor_tfm)];
37	} desc;
38	char *hash = NULL;	35	char *hash = NULL;
39	int error = -ENOMEM;	36	int error = -ENOMEM;
40		37
@@ -45,16 +42,16 @@ char aa_calc_hash(void data, size_t len)
45	if (!hash)	42	if (!hash)
46	goto fail;	43	goto fail;
47		44
48	desc.shash.tfm = apparmor_tfm;	45	desc->tfm = apparmor_tfm;
49	desc.shash.flags = 0;	46	desc->flags = 0;
50		47
51	error = crypto_shash_init(&desc.shash);	48	error = crypto_shash_init(desc);
52	if (error)	49	if (error)
53	goto fail;	50	goto fail;
54	error = crypto_shash_update(&desc.shash, (u8 *) data, len);	51	error = crypto_shash_update(desc, (u8 *) data, len);
55	if (error)	52	if (error)
56	goto fail;	53	goto fail;
57	error = crypto_shash_final(&desc.shash, hash);	54	error = crypto_shash_final(desc, hash);
58	if (error)	55	if (error)
59	goto fail;	56	goto fail;
60		57
@@ -69,10 +66,7 @@ fail:
69	int aa_calc_profile_hash(struct aa_profile profile, u32 version, void start,	66	int aa_calc_profile_hash(struct aa_profile profile, u32 version, void start,
70	size_t len)	67	size_t len)
71	{	68	{
72	struct {	69	SHASH_DESC_ON_STACK(desc, apparmor_tfm);
73	struct shash_desc shash;
74	char ctx[crypto_shash_descsize(apparmor_tfm)];
75	} desc;
76	int error = -ENOMEM;	70	int error = -ENOMEM;
77	__le32 le32_version = cpu_to_le32(version);	71	__le32 le32_version = cpu_to_le32(version);
78		72
@@ -86,19 +80,19 @@ int aa_calc_profile_hash(struct aa_profile profile, u32 version, void start,
86	if (!profile->hash)	80	if (!profile->hash)
87	goto fail;	81	goto fail;
88		82
89	desc.shash.tfm = apparmor_tfm;	83	desc->tfm = apparmor_tfm;
90	desc.shash.flags = 0;	84	desc->flags = 0;
91		85
92	error = crypto_shash_init(&desc.shash);	86	error = crypto_shash_init(desc);
93	if (error)	87	if (error)
94	goto fail;	88	goto fail;
95	error = crypto_shash_update(&desc.shash, (u8 *) &le32_version, 4);	89	error = crypto_shash_update(desc, (u8 *) &le32_version, 4);
96	if (error)	90	if (error)
97	goto fail;	91	goto fail;
98	error = crypto_shash_update(&desc.shash, (u8 *) start, len);	92	error = crypto_shash_update(desc, (u8 *) start, len);
99	if (error)	93	if (error)
100	goto fail;	94	goto fail;
101	error = crypto_shash_final(&desc.shash, profile->hash);	95	error = crypto_shash_final(desc, profile->hash);
102	if (error)	96	if (error)
103	goto fail;	97	goto fail;
104		98


diff --git a/security/apparmor/include/lib.h b/security/apparmor/include/lib.h index 65ff492a9807..0291ff3902f9 100644 --- a/security/apparmor/include/lib.h +++ b/security/apparmor/include/lib.h
@@ -57,7 +57,7 @@
57	pr_err_ratelimited("AppArmor: " fmt, ##args)	57	pr_err_ratelimited("AppArmor: " fmt, ##args)
58		58
59	/* Flag indicating whether initialization completed */	59	/* Flag indicating whether initialization completed */
60	extern int apparmor_initialized __initdata;	60	extern int apparmor_initialized;
61		61
62	/* fn's in lib */	62	/* fn's in lib */
63	char aa_split_fqname(char args, char **ns_name);	63	char aa_split_fqname(char args, char **ns_name);


diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c index 66475bda6f72..32cafc12593e 100644 --- a/security/apparmor/lib.c +++ b/security/apparmor/lib.c
@@ -180,13 +180,13 @@ bool aa_policy_init(struct aa_policy policy, const char prefix,
180	} else	180	} else
181	policy->hname = kstrdup(name, gfp);	181	policy->hname = kstrdup(name, gfp);
182	if (!policy->hname)	182	if (!policy->hname)
183	return 0;	183	return false;
184	/* base.name is a substring of fqname */	184	/* base.name is a substring of fqname */
185	policy->name = basename(policy->hname);	185	policy->name = basename(policy->hname);
186	INIT_LIST_HEAD(&policy->list);	186	INIT_LIST_HEAD(&policy->list);
187	INIT_LIST_HEAD(&policy->profiles);	187	INIT_LIST_HEAD(&policy->profiles);
188		188
189	return 1;	189	return true;
190	}	190	}
191		191
192	/**	192	/**


diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 709eacd23909..8f3c0f7aca5a 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c
@@ -39,7 +39,7 @@
39	#include "include/procattr.h"	39	#include "include/procattr.h"
40		40
41	/* Flag indicating whether initialization completed */	41	/* Flag indicating whether initialization completed */
42	int apparmor_initialized __initdata;	42	int apparmor_initialized;
43		43
44	DEFINE_PER_CPU(struct aa_buffers, aa_buffers);	44	DEFINE_PER_CPU(struct aa_buffers, aa_buffers);
45		45
@@ -587,7 +587,7 @@ static int apparmor_task_setrlimit(struct task_struct *task,
587	return error;	587	return error;
588	}	588	}
589		589
590	static struct security_hook_list apparmor_hooks[] = {	590	static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
591	LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),	591	LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
592	LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),	592	LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
593	LSM_HOOK_INIT(capget, apparmor_capget),	593	LSM_HOOK_INIT(capget, apparmor_capget),
@@ -681,7 +681,7 @@ module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR \| S_IWUSR);
681	#endif	681	#endif
682		682
683	/* Debug mode */	683	/* Debug mode */
684	bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_DEBUG_MESSAGES);	684	bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES);
685	module_param_named(debug, aa_g_debug, aabool, S_IRUSR \| S_IWUSR);	685	module_param_named(debug, aa_g_debug, aabool, S_IRUSR \| S_IWUSR);
686		686
687	/* Audit mode */	687	/* Audit mode */
@@ -710,7 +710,7 @@ module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR \| S_IWUSR);
710		710
711	/* Maximum pathname length before accesses will start getting rejected */	711	/* Maximum pathname length before accesses will start getting rejected */
712	unsigned int aa_g_path_max = 2 * PATH_MAX;	712	unsigned int aa_g_path_max = 2 * PATH_MAX;
713	module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR \| S_IWUSR);	713	module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
714		714
715	/* Determines how paranoid loading of policy is and how much verification	715	/* Determines how paranoid loading of policy is and how much verification
716	* on the loaded policy is done.	716	* on the loaded policy is done.
@@ -738,78 +738,77 @@ __setup("apparmor=", apparmor_enabled_setup);
738	/* set global flag turning off the ability to load policy */	738	/* set global flag turning off the ability to load policy */
739	static int param_set_aalockpolicy(const char val, const struct kernel_param kp)	739	static int param_set_aalockpolicy(const char val, const struct kernel_param kp)
740	{	740	{
741	if (!policy_admin_capable(NULL))	741	if (!apparmor_enabled)
		742	return -EINVAL;
		743	if (apparmor_initialized && !policy_admin_capable(NULL))
742	return -EPERM;	744	return -EPERM;
743	return param_set_bool(val, kp);	745	return param_set_bool(val, kp);
744	}	746	}
745		747
746	static int param_get_aalockpolicy(char buffer, const struct kernel_param kp)	748	static int param_get_aalockpolicy(char buffer, const struct kernel_param kp)
747	{	749	{
748	if (!policy_view_capable(NULL))
749	return -EPERM;
750	if (!apparmor_enabled)	750	if (!apparmor_enabled)
751	return -EINVAL;	751	return -EINVAL;
		752	if (apparmor_initialized && !policy_view_capable(NULL))
		753	return -EPERM;
752	return param_get_bool(buffer, kp);	754	return param_get_bool(buffer, kp);
753	}	755	}
754		756
755	static int param_set_aabool(const char val, const struct kernel_param kp)	757	static int param_set_aabool(const char val, const struct kernel_param kp)
756	{	758	{
757	if (!policy_admin_capable(NULL))
758	return -EPERM;
759	if (!apparmor_enabled)	759	if (!apparmor_enabled)
760	return -EINVAL;	760	return -EINVAL;
		761	if (apparmor_initialized && !policy_admin_capable(NULL))
		762	return -EPERM;
761	return param_set_bool(val, kp);	763	return param_set_bool(val, kp);
762	}	764	}
763		765
764	static int param_get_aabool(char buffer, const struct kernel_param kp)	766	static int param_get_aabool(char buffer, const struct kernel_param kp)
765	{	767	{
766	if (!policy_view_capable(NULL))
767	return -EPERM;
768	if (!apparmor_enabled)	768	if (!apparmor_enabled)
769	return -EINVAL;	769	return -EINVAL;
		770	if (apparmor_initialized && !policy_view_capable(NULL))
		771	return -EPERM;
770	return param_get_bool(buffer, kp);	772	return param_get_bool(buffer, kp);
771	}	773	}
772		774
773	static int param_set_aauint(const char val, const struct kernel_param kp)	775	static int param_set_aauint(const char val, const struct kernel_param kp)
774	{	776	{
775	if (!policy_admin_capable(NULL))
776	return -EPERM;
777	if (!apparmor_enabled)	777	if (!apparmor_enabled)
778	return -EINVAL;	778	return -EINVAL;
		779	if (apparmor_initialized && !policy_admin_capable(NULL))
		780	return -EPERM;
779	return param_set_uint(val, kp);	781	return param_set_uint(val, kp);
780	}	782	}
781		783
782	static int param_get_aauint(char buffer, const struct kernel_param kp)	784	static int param_get_aauint(char buffer, const struct kernel_param kp)
783	{	785	{
784	if (!policy_view_capable(NULL))
785	return -EPERM;
786	if (!apparmor_enabled)	786	if (!apparmor_enabled)
787	return -EINVAL;	787	return -EINVAL;
		788	if (apparmor_initialized && !policy_view_capable(NULL))
		789	return -EPERM;
788	return param_get_uint(buffer, kp);	790	return param_get_uint(buffer, kp);
789	}	791	}
790		792
791	static int param_get_audit(char buffer, struct kernel_param kp)	793	static int param_get_audit(char buffer, struct kernel_param kp)
792	{	794	{
793	if (!policy_view_capable(NULL))
794	return -EPERM;
795
796	if (!apparmor_enabled)	795	if (!apparmor_enabled)
797	return -EINVAL;	796	return -EINVAL;
798		797	if (apparmor_initialized && !policy_view_capable(NULL))
		798	return -EPERM;
799	return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]);	799	return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]);
800	}	800	}
801		801
802	static int param_set_audit(const char val, struct kernel_param kp)	802	static int param_set_audit(const char val, struct kernel_param kp)
803	{	803	{
804	int i;	804	int i;
805	if (!policy_admin_capable(NULL))
806	return -EPERM;
807		805
808	if (!apparmor_enabled)	806	if (!apparmor_enabled)
809	return -EINVAL;	807	return -EINVAL;
810
811	if (!val)	808	if (!val)
812	return -EINVAL;	809	return -EINVAL;
		810	if (apparmor_initialized && !policy_admin_capable(NULL))
		811	return -EPERM;
813		812
814	for (i = 0; i < AUDIT_MAX_INDEX; i++) {	813	for (i = 0; i < AUDIT_MAX_INDEX; i++) {
815	if (strcmp(val, audit_mode_names[i]) == 0) {	814	if (strcmp(val, audit_mode_names[i]) == 0) {
@@ -823,11 +822,10 @@ static int param_set_audit(const char val, struct kernel_param kp)
823		822
824	static int param_get_mode(char buffer, struct kernel_param kp)	823	static int param_get_mode(char buffer, struct kernel_param kp)
825	{	824	{
826	if (!policy_view_capable(NULL))
827	return -EPERM;
828
829	if (!apparmor_enabled)	825	if (!apparmor_enabled)
830	return -EINVAL;	826	return -EINVAL;
		827	if (apparmor_initialized && !policy_view_capable(NULL))
		828	return -EPERM;
831		829
832	return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]);	830	return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]);
833	}	831	}
@@ -835,14 +833,13 @@ static int param_get_mode(char buffer, struct kernel_param kp)
835	static int param_set_mode(const char val, struct kernel_param kp)	833	static int param_set_mode(const char val, struct kernel_param kp)
836	{	834	{
837	int i;	835	int i;
838	if (!policy_admin_capable(NULL))
839	return -EPERM;
840		836
841	if (!apparmor_enabled)	837	if (!apparmor_enabled)
842	return -EINVAL;	838	return -EINVAL;
843
844	if (!val)	839	if (!val)
845	return -EINVAL;	840	return -EINVAL;
		841	if (apparmor_initialized && !policy_admin_capable(NULL))
		842	return -EPERM;
846		843
847	for (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) {	844	for (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) {
848	if (strcmp(val, aa_profile_mode_names[i]) == 0) {	845	if (strcmp(val, aa_profile_mode_names[i]) == 0) {


diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c index def1fbd6bdfd..cf9d670dca94 100644 --- a/security/apparmor/policy.c +++ b/security/apparmor/policy.c
@@ -876,9 +876,11 @@ ssize_t aa_replace_profiles(struct aa_ns view, struct aa_profile profile,
876	if (ns_name) {	876	if (ns_name) {
877	ns = aa_prepare_ns(view, ns_name);	877	ns = aa_prepare_ns(view, ns_name);
878	if (IS_ERR(ns)) {	878	if (IS_ERR(ns)) {
		879	op = OP_PROF_LOAD;
879	info = "failed to prepare namespace";	880	info = "failed to prepare namespace";
880	error = PTR_ERR(ns);	881	error = PTR_ERR(ns);
881	ns = NULL;	882	ns = NULL;
		883	ent = NULL;
882	goto fail;	884	goto fail;
883	}	885	}
884	} else	886	} else
@@ -1013,7 +1015,7 @@ fail_lock:
1013	/* audit cause of failure */	1015	/* audit cause of failure */
1014	op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;	1016	op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
1015	fail:	1017	fail:
1016	audit_policy(profile, op, ns_name, ent->new->base.hname,	1018	audit_policy(profile, op, ns_name, ent ? ent->new->base.hname : NULL,
1017	info, error);	1019	info, error);
1018	/* audit status that rest of profiles in the atomic set failed too */	1020	/* audit status that rest of profiles in the atomic set failed too */
1019	info = "valid profile in failed atomic policy load";	1021	info = "valid profile in failed atomic policy load";
@@ -1023,7 +1025,7 @@ fail:
1023	/* skip entry that caused failure */	1025	/* skip entry that caused failure */
1024	continue;	1026	continue;
1025	}	1027	}
1026	op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;	1028	op = (!tmp->old) ? OP_PROF_LOAD : OP_PROF_REPL;
1027	audit_policy(profile, op, ns_name,	1029	audit_policy(profile, op, ns_name,
1028	tmp->new->base.hname, info, error);	1030	tmp->new->base.hname, info, error);
1029	}	1031	}