@@ -1,7 +1,7 @@

 %global security_hardening none

 Summary:        The Behavioral Activity Monitor With Container Support

 Name:           falco

-Version:        0.8.1

+Version:        0.12.1

 Release:        1%{?kernelsubrelease}%{?dist}

 License:        GPLv2

 URL:            http://www.sysdig.org/falco/

@@ -9,9 +9,9 @@ Group:          Applications/System

 Vendor:         VMware, Inc.

 Distribution:   Photon

 Source0:        https://github.com/draios/%{name}/archive/%{name}-%{version}.tar.gz

-%define sha1    falco=7873d34769656349678584502296b147aa5445fa

-Source1:        https://github.com/draios/sysdig/archive/sysdig-0.19.1.tar.gz

-%define sha1    sysdig=425ea9fab8e831274626a9c9e65f0dfb4f9bc019

+%define sha1    falco=f0b18777d990bd325c712ceca67fe49d6b71b0e9

+Source1:        https://github.com/draios/sysdig/archive/sysdig-0.23.1.tar.gz

+%define sha1    sysdig=8d1ce894c8fcd8a1939c28adbfb661ad82110bde

 Source2:        http://libvirt.org/sources/libvirt-2.0.0.tar.xz

 %define sha1    libvirt=9a923b06df23f7a5526e4ec679cdadf4eb35a38f

 BuildRequires:  cmake

@@ -50,7 +50,7 @@ Sysdig falco is an open source, behavioral activity monitor designed to detect a

 tar xf %{SOURCE2} --no-same-owner

 %build

-mv sysdig-0.19.1 ../sysdig

+mv sysdig-0.23.1 ../sysdig

 sed -i 's|../falco/rules|rules|g' userspace/engine/CMakeLists.txt

 sed -i 's|../falco/userspace|userspace|g' userspace/engine/config_falco_engine.h.in

 cmake -DCMAKE_INSTALL_PREFIX=%{_prefix} CMakeLists.txt

@@ -84,6 +84,8 @@ rm -rf %{buildroot}/*

 /lib/modules/%{KERNEL_VERSION}-%{KERNEL_RELEASE}/extra/falco-probe.ko

 %changelog

+*   Mon Sep 24 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 0.12.1-1

+-   Update falco and sysdig versions to fix build error with linux 4.18

 *   Tue Jan 02 2018 Alexey Makhalov <amakhalov@vmware.com> 0.8.1-1

 -   Version update to build against linux-4.14.y kernel

 *   Thu Aug 24 2017 Rui Gu <ruig@vmware.com> 0.6.0-3

@@ -1,6 +1,6 @@

 Summary:	Linux API header files

 Name:		linux-api-headers

-Version:	4.14.67

+Version:	4.18.9

 Release:	1%{?dist}

 License:	GPLv2

 URL:		http://www.kernel.org/

@@ -8,7 +8,7 @@ Group:		System Environment/Kernel

 Vendor:		VMware, Inc.

 Distribution: Photon

 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=4a6aa8d8a5190dbf1a835a5171609f02b27809e1

+%define sha1 linux=229ed4bedc5b8256bdd761845b1d7e20e1df12d7

 BuildArch:	noarch

 %description

 The Linux API Headers expose the kernel's API for use by Glibc.

@@ -25,6 +25,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de

 %defattr(-,root,root)

 %{_includedir}/*

 %changelog

+*   Thu Sep 20 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.18.9-1

+-   Update to version 4.18.9

 *   Wed Sep 19 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.14.67-1

 -   Update to version 4.14.67

 *   Mon Jul 09 2018 Him Kalyan Bordoloi <bordoloih@vmware.com> 4.14.54-1

new file mode 100644

@@ -0,0 +1,249 @@

+From 02e2bc1b330f7e15dba671547a256a6f900f6e5d Mon Sep 17 00:00:00 2001

+From: John Johansen <john.johansen@canonical.com>

+Date: Sun, 17 Jun 2018 03:56:25 -0700

+Subject: [PATCH 1/3] apparmor: patch to provide compatibility with v2.x net

+ rules

+

+The networking rules upstreamed in 4.17 have a deliberate abi break

+with the older 2.x network rules.

+

+This patch provides compatibility with the older rules for those

+still using an apparmor 2.x userspace and still want network rules

+to work on a newer kernel.

+

+Signed-off-by: John Johansen <john.johansen@canonical.com>

+---

+ security/apparmor/apparmorfs.c       |  1 +

+ security/apparmor/include/apparmor.h |  2 +-

+ security/apparmor/include/net.h      | 11 ++++++++

+ security/apparmor/include/policy.h   |  2 ++

+ security/apparmor/net.c              | 31 ++++++++++++++++-----

+ security/apparmor/policy.c           |  1 +

+ security/apparmor/policy_unpack.c    | 54 ++++++++++++++++++++++++++++++++++--

+ 7 files changed, 92 insertions(+), 10 deletions(-)

+

+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c

+index 1fdcc7d5a977..32f0e660ffd0 100644

+--- a/security/apparmor/apparmorfs.c

+@@ -2272,6 +2272,7 @@ static struct aa_sfs_entry aa_sfs_entry_features[] = {

+ 	AA_SFS_DIR("domain",			aa_sfs_entry_domain),

+ 	AA_SFS_DIR("file",			aa_sfs_entry_file),

+ 	AA_SFS_DIR("network_v8",		aa_sfs_entry_network),

++	AA_SFS_DIR("network",			aa_sfs_entry_network_compat),

+ 	AA_SFS_DIR("mount",			aa_sfs_entry_mount),

+ 	AA_SFS_DIR("namespaces",		aa_sfs_entry_ns),

+ 	AA_SFS_FILE_U64("capability",		VFS_CAP_FLAGS_MASK),

+diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h

+index 73d63b58d875..17d89f3badc6 100644

+--- a/security/apparmor/include/apparmor.h

+@@ -24,7 +24,7 @@

+ #define AA_CLASS_UNKNOWN	1

+ #define AA_CLASS_FILE		2

+ #define AA_CLASS_CAP		3

+-#define AA_CLASS_DEPRECATED	4

++#define AA_CLASS_NET_COMPAT	4

+ #define AA_CLASS_RLIMITS	5

+ #define AA_CLASS_DOMAIN		6

+ #define AA_CLASS_MOUNT		7

+diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h

+index ec7228e857a9..579b59a40ea4 100644

+--- a/security/apparmor/include/net.h

+@@ -72,6 +72,16 @@ struct aa_sk_ctx {

+ 	DEFINE_AUDIT_NET(NAME, OP, SK, (SK)->sk_family, (SK)->sk_type,	\

+ 			 (SK)->sk_protocol)

+ 

++/* struct aa_net - network confinement data

++ * @allow: basic network families permissions

++ * @audit: which network permissions to force audit

++ * @quiet: which network permissions to quiet rejects

++ */

++struct aa_net_compat {

++	u16 allow[AF_MAX];

++	u16 audit[AF_MAX];

++	u16 quiet[AF_MAX];

++};

+ 

+ #define af_select(FAMILY, FN, DEF_FN)		\

+ ({						\

+@@ -84,6 +94,7 @@ struct aa_sk_ctx {

+ })

+ 

+ extern struct aa_sfs_entry aa_sfs_entry_network[];

++extern struct aa_sfs_entry aa_sfs_entry_network_compat[];

+ 

+ void audit_net_cb(struct audit_buffer *ab, void *va);

+ int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,

+diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h

+index 6c93e62383e6..4006fa9fc9f1 100644

+--- a/security/apparmor/include/policy.h

+@@ -112,6 +112,7 @@ struct aa_data {

+  * @policy: general match rules governing policy

+  * @file: The set of rules governing basic file access and domain transitions

+  * @caps: capabilities for the profile

++ * @net_compat: v2 compat network controls for the profile

+  * @rlimits: rlimits for the profile

+  *

+  * @dents: dentries for the profiles file entries in apparmorfs

+@@ -149,6 +150,7 @@ struct aa_profile {

+ 	struct aa_policydb policy;

+ 	struct aa_file_rules file;

+ 	struct aa_caps caps;

++	struct aa_net_compat *net_compat;

+ 

+ 	int xattr_count;

+ 	char **xattrs;

+diff --git a/security/apparmor/net.c b/security/apparmor/net.c

+index bb24cfa0a164..bf6aaefc3a5f 100644

+--- a/security/apparmor/net.c

+@@ -27,6 +27,11 @@ struct aa_sfs_entry aa_sfs_entry_network[] = {

+ 	{ }

+ };

+ 

++struct aa_sfs_entry aa_sfs_entry_network_compat[] = {

++	AA_SFS_FILE_STRING("af_mask",	AA_SFS_AF_MASK),

++	{ }

++};

++

+ static const char * const net_mask_names[] = {

+ 	"unknown",

+ 	"send",

+@@ -119,14 +124,26 @@ int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,

+ 	if (profile_unconfined(profile))

+ 		return 0;

+ 	state = PROFILE_MEDIATES(profile, AA_CLASS_NET);

+-	if (!state)

++	if (state) {

++		if (!state)

++			return 0;

++		buffer[0] = cpu_to_be16(family);

++		buffer[1] = cpu_to_be16((u16) type);

++		state = aa_dfa_match_len(profile->policy.dfa, state,

++					 (char *) &buffer, 4);

++		aa_compute_perms(profile->policy.dfa, state, &perms);

++	} else if (profile->net_compat) {

++		/* 2.x socket mediation compat */

++		perms.allow = (profile->net_compat->allow[family] & (1 << type)) ?

++			ALL_PERMS_MASK : 0;

++		perms.audit = (profile->net_compat->audit[family] & (1 << type)) ?

++			ALL_PERMS_MASK : 0;

++		perms.quiet = (profile->net_compat->quiet[family] & (1 << type)) ?

++			ALL_PERMS_MASK : 0;

++

++	} else {

+ 		return 0;

+-

+-	buffer[0] = cpu_to_be16(family);

+-	buffer[1] = cpu_to_be16((u16) type);

+-	state = aa_dfa_match_len(profile->policy.dfa, state, (char *) &buffer,

+-				 4);

+-	aa_compute_perms(profile->policy.dfa, state, &perms);

++	}

+ 	aa_apply_modes_to_perms(profile, &perms);

+ 

+ 	return aa_check_perms(profile, &perms, request, sa, audit_net_cb);

+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c

+index c07493ce2376..d1a869699040 100644

+--- a/security/apparmor/policy.c

+@@ -227,6 +227,7 @@ void aa_free_profile(struct aa_profile *profile)

+ 	aa_free_file_rules(&profile->file);

+ 	aa_free_cap_rules(&profile->caps);

+ 	aa_free_rlimit_rules(&profile->rlimits);

++	kzfree(profile->net_compat);

+ 

+ 	for (i = 0; i < profile->xattr_count; i++)

+ 		kzfree(profile->xattrs[i]);

+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c

+index b9e6b2cafa69..a1b07e6c163d 100644

+--- a/security/apparmor/policy_unpack.c

+@@ -37,7 +37,7 @@

+ 

+ #define v5	5	/* base version */

+ #define v6	6	/* per entry policydb mediation check */

+-#define v7	7

++#define v7	7	/* v2 compat networking */

+ #define v8	8	/* full network masking */

+ 

+ /*

+@@ -292,6 +292,19 @@ static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)

+ 	return 0;

+ }

+ 

++static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name)

++{

++	if (unpack_nameX(e, AA_U16, name)) {

++		if (!inbounds(e, sizeof(u16)))

++			return 0;

++		if (data)

++			*data = le16_to_cpu(get_unaligned((__le16 *) e->pos));

++		e->pos += sizeof(u16);

++		return 1;

++	}

++	return 0;

++}

++

+ static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)

+ {

+ 	if (unpack_nameX(e, AA_U32, name)) {

+@@ -621,7 +634,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)

+ 	struct aa_profile *profile = NULL;

+ 	const char *tmpname, *tmpns = NULL, *name = NULL;

+ 	const char *info = "failed to unpack profile";

+-	size_t ns_len;

++	size_t size = 0, ns_len;

+ 	struct rhashtable_params params = { 0 };

+ 	char *key = NULL;

+ 	struct aa_data *data;

+@@ -759,6 +772,43 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)

+ 		goto fail;

+ 	}

+ 

++	size = unpack_array(e, "net_allowed_af");

++	if (size || VERSION_LT(e->version, v8)) {

++		profile->net_compat = kzalloc(sizeof(struct aa_net_compat), GFP_KERNEL);

++		if (!profile->net_compat) {

++			info = "out of memory";

++			goto fail;

++		}

++		for (i = 0; i < size; i++) {

++			/* discard extraneous rules that this kernel will

++			 * never request

++			 */

++			if (i >= AF_MAX) {

++				u16 tmp;

++

++				if (!unpack_u16(e, &tmp, NULL) ||

++				    !unpack_u16(e, &tmp, NULL) ||

++				    !unpack_u16(e, &tmp, NULL))

++					goto fail;

++				continue;

++			}

++			if (!unpack_u16(e, &profile->net_compat->allow[i], NULL))

++				goto fail;

++			if (!unpack_u16(e, &profile->net_compat->audit[i], NULL))

++				goto fail;

++			if (!unpack_u16(e, &profile->net_compat->quiet[i], NULL))

++				goto fail;

++		}

++		if (size && !unpack_nameX(e, AA_ARRAYEND, NULL))

++			goto fail;

++		if (VERSION_LT(e->version, v7)) {

++			/* pre v7 policy always allowed these */

++			profile->net_compat->allow[AF_UNIX] = 0xffff;

++			profile->net_compat->allow[AF_NETLINK] = 0xffff;

++		}

++	}

++

++

+ 	if (unpack_nameX(e, AA_STRUCT, "policydb")) {

+ 		/* generic policy dfa - optional and may be NULL */

+ 		info = "failed to unpack policydb";

+-- 

+2.14.1

+

new file mode 100644

@@ -0,0 +1,1191 @@

+From 1aae75e96831bb26d1ced782c633c39c877c252f Mon Sep 17 00:00:00 2001

+From: John Johansen <john.johansen@canonical.com>

+Date: Tue, 18 Jul 2017 23:27:23 -0700

+Subject: [PATCH 2/3] apparmor: af_unix mediation

+

+af_socket mediation did not make it into 4.17 so add remaining out

+of tree patch

+

+Signed-off-by: John Johansen <john.johansen@canonical.com>

+---

+ security/apparmor/Makefile          |   3 +-

+ security/apparmor/af_unix.c         | 652 ++++++++++++++++++++++++++++++++++++

+ security/apparmor/apparmorfs.c      |   6 +

+ security/apparmor/file.c            |   4 +-

+ security/apparmor/include/af_unix.h | 114 +++++++

+ security/apparmor/include/net.h     |   4 +

+ security/apparmor/include/path.h    |   1 +

+ security/apparmor/include/policy.h  |  10 +-

+ security/apparmor/lsm.c             | 113 +++++++

+ security/apparmor/net.c             |  53 ++-

+ security/apparmor/policy_unpack.c   |   6 +-

+ 11 files changed, 957 insertions(+), 9 deletions(-)

+ create mode 100644 security/apparmor/af_unix.c

+ create mode 100644 security/apparmor/include/af_unix.h

+

+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile

+index ff23fcfefe19..fad407f6f62c 100644

+--- a/security/apparmor/Makefile

+@@ -5,7 +5,8 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o

+ 

+ apparmor-y := apparmorfs.o audit.o capability.o task.o ipc.o lib.o match.o \

+               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \

+-              resource.o secid.o file.o policy_ns.o label.o mount.o net.o

++              resource.o secid.o file.o policy_ns.o label.o mount.o net.o \

++              af_unix.o

+ apparmor-$(CONFIG_SECURITY_APPARMOR_HASH) += crypto.o

+ 

+ clean-files := capability_names.h rlim_names.h net_names.h

+diff --git a/security/apparmor/af_unix.c b/security/apparmor/af_unix.c

+new file mode 100644

+index 000000000000..54b3796f63d0

+--- /dev/null

+@@ -0,0 +1,652 @@

++/*

++ * AppArmor security module

++ *

++ * This file contains AppArmor af_unix fine grained mediation

++ *

++ * Copyright 2018 Canonical Ltd.

++ *

++ * This program is free software; you can redistribute it and/or

++ * modify it under the terms of the GNU General Public License as

++ * published by the Free Software Foundation, version 2 of the

++ * License.

++ */

++

++#include <net/tcp_states.h>

++

++#include "include/audit.h"

++#include "include/af_unix.h"

++#include "include/apparmor.h"

++#include "include/file.h"

++#include "include/label.h"

++#include "include/path.h"

++#include "include/policy.h"

++#include "include/cred.h"

++

++static inline struct sock *aa_sock(struct unix_sock *u)

++{

++	return &u->sk;

++}

++

++static inline int unix_fs_perm(const char *op, u32 mask, struct aa_label *label,

++			       struct unix_sock *u, int flags)

++{

++	AA_BUG(!label);

++	AA_BUG(!u);

++	AA_BUG(!UNIX_FS(aa_sock(u)));

++

++	if (unconfined(label) || !LABEL_MEDIATES(label, AA_CLASS_FILE))

++		return 0;

++

++	mask &= NET_FS_PERMS;

++	if (!u->path.dentry) {

++		struct path_cond cond = { };

++		struct aa_perms perms = { };

++		struct aa_profile *profile;

++

++		/* socket path has been cleared because it is being shutdown

++		 * can only fall back to original sun_path request

++		 */

++		struct aa_sk_ctx *ctx = SK_CTX(&u->sk);

++		if (ctx->path.dentry)

++			return aa_path_perm(op, label, &ctx->path, flags, mask,

++					    &cond);

++		return fn_for_each_confined(label, profile,

++			((flags | profile->path_flags) & PATH_MEDIATE_DELETED) ?

++				__aa_path_perm(op, profile,

++					       u->addr->name->sun_path, mask,

++					       &cond, flags, &perms) :

++				aa_audit_file(profile, &nullperms, op, mask,

++					      u->addr->name->sun_path, NULL,

++					      NULL, cond.uid,

++					      "Failed name lookup - "

++					      "deleted entry", -EACCES));

++	} else {

++		/* the sunpath may not be valid for this ns so use the path */

++		struct path_cond cond = { u->path.dentry->d_inode->i_uid,

++					  u->path.dentry->d_inode->i_mode

++		};

++

++		return aa_path_perm(op, label, &u->path, flags, mask, &cond);

++	}

++

++	return 0;

++}

++

++/* passing in state returned by PROFILE_MEDIATES_AF */

++static unsigned int match_to_prot(struct aa_profile *profile,

++				  unsigned int state, int type, int protocol,

++				  const char **info)

++{

++	__be16 buffer[2];

++	buffer[0] = cpu_to_be16(type);

++	buffer[1] = cpu_to_be16(protocol);

++	state = aa_dfa_match_len(profile->policy.dfa, state, (char *) &buffer,

++				 4);

++	if (!state)

++		*info = "failed type and protocol match";

++	return state;

++}

++

++static unsigned int match_addr(struct aa_profile *profile, unsigned int state,

++			       struct sockaddr_un *addr, int addrlen)

++{

++	if (addr)

++		/* include leading \0 */

++		state = aa_dfa_match_len(profile->policy.dfa, state,

++					 addr->sun_path,

++					 unix_addr_len(addrlen));

++	else

++		/* anonymous end point */

++		state = aa_dfa_match_len(profile->policy.dfa, state, "\x01",

++					 1);

++	/* todo change to out of band */

++	state = aa_dfa_null_transition(profile->policy.dfa, state);

++	return state;

++}

++

++static unsigned int match_to_local(struct aa_profile *profile,

++				   unsigned int state, int type, int protocol,

++				   struct sockaddr_un *addr, int addrlen,

++				   const char **info)

++{

++	state = match_to_prot(profile, state, type, protocol, info);

++	if (state) {

++		state = match_addr(profile, state, addr, addrlen);

++		if (state) {

++			/* todo: local label matching */

++			state = aa_dfa_null_transition(profile->policy.dfa,

++						       state);

++			if (!state)

++				*info = "failed local label match";

++		} else

++			*info = "failed local address match";

++	}

++

++	return state;

++}

++

++static unsigned int match_to_sk(struct aa_profile *profile,

++				unsigned int state, struct unix_sock *u,

++				const char **info)

++{

++	struct sockaddr_un *addr = NULL;

++	int addrlen = 0;

++

++	if (u->addr) {

++		addr = u->addr->name;

++		addrlen = u->addr->len;

++	}

++

++	return match_to_local(profile, state, u->sk.sk_type, u->sk.sk_protocol,

++			      addr, addrlen, info);

++}

++

++#define CMD_ADDR	1

++#define CMD_LISTEN	2

++#define CMD_OPT		4

++

++static inline unsigned int match_to_cmd(struct aa_profile *profile,

++					unsigned int state, struct unix_sock *u,

++					char cmd, const char **info)

++{

++	state = match_to_sk(profile, state, u, info);

++	if (state) {

++		state = aa_dfa_match_len(profile->policy.dfa, state, &cmd, 1);

++		if (!state)

++			*info = "failed cmd selection match";

++	}

++

++	return state;

++}

++

++static inline unsigned int match_to_peer(struct aa_profile *profile,

++					 unsigned int state,

++					 struct unix_sock *u,

++					 struct sockaddr_un *peer_addr,

++					 int peer_addrlen,

++					 const char **info)

++{

++	state = match_to_cmd(profile, state, u, CMD_ADDR, info);

++	if (state) {

++		state = match_addr(profile, state, peer_addr, peer_addrlen);

++		if (!state)

++			*info = "failed peer address match";

++	}

++	return state;

++}

++

++static int do_perms(struct aa_profile *profile, unsigned int state, u32 request,

++		    struct common_audit_data *sa)

++{

++	struct aa_perms perms;

++

++	AA_BUG(!profile);

++

++	aa_compute_perms(profile->policy.dfa, state, &perms);

++	aa_apply_modes_to_perms(profile, &perms);

++	return aa_check_perms(profile, &perms, request, sa,

++			      audit_net_cb);

++}

++

++static int match_label(struct aa_profile *profile, struct aa_profile *peer,

++			      unsigned int state, u32 request,

++			      struct common_audit_data *sa)

++{

++	AA_BUG(!profile);

++	AA_BUG(!peer);

++

++	aad(sa)->peer = &peer->label;

++

++	if (state) {

++		state = aa_dfa_match(profile->policy.dfa, state,

++				     peer->base.hname);

++		if (!state)

++			aad(sa)->info = "failed peer label match";

++	}

++	return do_perms(profile, state, request, sa);

++}

++

++

++/* unix sock creation comes before we know if the socket will be an fs

++ * socket

++ * v6 - semantics are handled by mapping in profile load

++ * v7 - semantics require sock create for tasks creating an fs socket.

++ */

++static int profile_create_perm(struct aa_profile *profile, int family,

++			       int type, int protocol)

++{

++	unsigned int state;

++	DEFINE_AUDIT_NET(sa, OP_CREATE, NULL, family, type, protocol);

++

++	AA_BUG(!profile);

++	AA_BUG(profile_unconfined(profile));

++

++	if ((state = PROFILE_MEDIATES_AF(profile, AF_UNIX))) {

++		state = match_to_prot(profile, state, type, protocol,

++				      &aad(&sa)->info);

++		return do_perms(profile, state, AA_MAY_CREATE, &sa);

++	}

++

++	return aa_profile_af_perm(profile, &sa, AA_MAY_CREATE, family, type);

++}

++

++int aa_unix_create_perm(struct aa_label *label, int family, int type,

++			int protocol)

++{

++	struct aa_profile *profile;

++

++	if (unconfined(label))

++		return 0;

++

++	return fn_for_each_confined(label, profile,

++			profile_create_perm(profile, family, type, protocol));

++}

++

++

++static inline int profile_sk_perm(struct aa_profile *profile, const char *op,

++				  u32 request, struct sock *sk)

++{

++	unsigned int state;

++	DEFINE_AUDIT_SK(sa, op, sk);

++

++	AA_BUG(!profile);

++	AA_BUG(!sk);

++	AA_BUG(UNIX_FS(sk));

++	AA_BUG(profile_unconfined(profile));

++

++	state = PROFILE_MEDIATES_AF(profile, AF_UNIX);

++	if (state) {

++		state = match_to_sk(profile, state, unix_sk(sk),

++				    &aad(&sa)->info);

++		return do_perms(profile, state, request, &sa);

++	}

++

++	return aa_profile_af_sk_perm(profile, &sa, request, sk);

++}

++

++int aa_unix_label_sk_perm(struct aa_label *label, const char *op, u32 request,

++			  struct sock *sk)

++{

++	struct aa_profile *profile;

++

++	return fn_for_each_confined(label, profile,

++			profile_sk_perm(profile, op, request, sk));

++}

++

++static int unix_label_sock_perm(struct aa_label *label, const char *op, u32 request,

++				struct socket *sock)

++{

++	if (unconfined(label))

++		return 0;

++	if (UNIX_FS(sock->sk))

++		return unix_fs_perm(op, request, label, unix_sk(sock->sk), 0);

++

++	return aa_unix_label_sk_perm(label, op, request, sock->sk);

++}

++

++/* revaliation, get/set attr */

++int aa_unix_sock_perm(const char *op, u32 request, struct socket *sock)

++{

++	struct aa_label *label;

++	int error;

++

++	label = begin_current_label_crit_section();

++	error = unix_label_sock_perm(label, op, request, sock);

++	end_current_label_crit_section(label);

++

++	return error;

++}

++

++static int profile_bind_perm(struct aa_profile *profile, struct sock *sk,

++			     struct sockaddr *addr, int addrlen)

++{

++	unsigned int state;

++	DEFINE_AUDIT_SK(sa, OP_BIND, sk);

++

++	AA_BUG(!profile);

++	AA_BUG(!sk);

++	AA_BUG(addr->sa_family != AF_UNIX);

++	AA_BUG(profile_unconfined(profile));

++	AA_BUG(unix_addr_fs(addr, addrlen));

++

++	state = PROFILE_MEDIATES_AF(profile, AF_UNIX);

++	if (state) {

++		/* bind for abstract socket */

++		aad(&sa)->net.addr = unix_addr(addr);

++		aad(&sa)->net.addrlen = addrlen;

++

++		state = match_to_local(profile, state,

++				       sk->sk_type, sk->sk_protocol,

++				       unix_addr(addr), addrlen,

++				       &aad(&sa)->info);

++		return do_perms(profile, state, AA_MAY_BIND, &sa);

++	}

++

++	return aa_profile_af_sk_perm(profile, &sa, AA_MAY_BIND, sk);

++}

++

++int aa_unix_bind_perm(struct socket *sock, struct sockaddr *address,

++		      int addrlen)

++{

++	struct aa_profile *profile;

++	struct aa_label *label;

++	int error = 0;

++

++	 label = begin_current_label_crit_section();

++	 /* fs bind is handled by mknod */

++	if (!(unconfined(label) || unix_addr_fs(address, addrlen)))

++		error = fn_for_each_confined(label, profile,

++				profile_bind_perm(profile, sock->sk, address,

++						  addrlen));

++	end_current_label_crit_section(label);

++

++	return error;

++}

++

++int aa_unix_connect_perm(struct socket *sock, struct sockaddr *address,

++			 int addrlen)

++{

++	/* unix connections are covered by the

++	 * - unix_stream_connect (stream) and unix_may_send hooks (dgram)

++	 * - fs connect is handled by open

++	 */

++	return 0;

++}

++

++static int profile_listen_perm(struct aa_profile *profile, struct sock *sk,

++			       int backlog)

++{

++	unsigned int state;

++	DEFINE_AUDIT_SK(sa, OP_LISTEN, sk);

++

++	AA_BUG(!profile);

++	AA_BUG(!sk);

++	AA_BUG(UNIX_FS(sk));

++	AA_BUG(profile_unconfined(profile));

++

++	state = PROFILE_MEDIATES_AF(profile, AF_UNIX);

++	if (state) {

++		__be16 b = cpu_to_be16(backlog);

++

++		state = match_to_cmd(profile, state, unix_sk(sk), CMD_LISTEN,

++				     &aad(&sa)->info);

++		if (state) {

++			state = aa_dfa_match_len(profile->policy.dfa, state,

++						 (char *) &b, 2);

++			if (!state)

++				aad(&sa)->info = "failed listen backlog match";

++		}

++		return do_perms(profile, state, AA_MAY_LISTEN, &sa);

++	}

++

++	return aa_profile_af_sk_perm(profile, &sa, AA_MAY_LISTEN, sk);

++}

++

++int aa_unix_listen_perm(struct socket *sock, int backlog)

++{

++	struct aa_profile *profile;

++	struct aa_label *label;

++	int error = 0;

++

++	label = begin_current_label_crit_section();

++	if (!(unconfined(label) || UNIX_FS(sock->sk)))

++		error = fn_for_each_confined(label, profile,

++				profile_listen_perm(profile, sock->sk,

++						    backlog));

++	end_current_label_crit_section(label);

++

++	return error;

++}

++

++

++static inline int profile_accept_perm(struct aa_profile *profile,

++				      struct sock *sk,

++				      struct sock *newsk)

++{

++	unsigned int state;

++	DEFINE_AUDIT_SK(sa, OP_ACCEPT, sk);

++

++	AA_BUG(!profile);

++	AA_BUG(!sk);

++	AA_BUG(UNIX_FS(sk));

++	AA_BUG(profile_unconfined(profile));

++

++	state = PROFILE_MEDIATES_AF(profile, AF_UNIX);

++	if (state) {

++		state = match_to_sk(profile, state, unix_sk(sk),

++				    &aad(&sa)->info);

++		return do_perms(profile, state, AA_MAY_ACCEPT, &sa);

++	}

++

++	return aa_profile_af_sk_perm(profile, &sa, AA_MAY_ACCEPT, sk);

++}

++

++/* ability of sock to connect, not peer address binding */

++int aa_unix_accept_perm(struct socket *sock, struct socket *newsock)

++{

++	struct aa_profile *profile;

++	struct aa_label *label;

++	int error = 0;

++

++	label = begin_current_label_crit_section();

++	if (!(unconfined(label) || UNIX_FS(sock->sk)))

++		error = fn_for_each_confined(label, profile,

++				profile_accept_perm(profile, sock->sk,

++						    newsock->sk));

++	end_current_label_crit_section(label);

++

++	return error;

++}

++

++

++/* dgram handled by unix_may_sendmsg, right to send on stream done at connect

++ * could do per msg unix_stream here

++ */

++/* sendmsg, recvmsg */

++int aa_unix_msg_perm(const char *op, u32 request, struct socket *sock,

++		     struct msghdr *msg, int size)

++{

++	return 0;

++}

++

++

++static int profile_opt_perm(struct aa_profile *profile, const char *op, u32 request,

++			    struct sock *sk, int level, int optname)

++{

++	unsigned int state;

++	DEFINE_AUDIT_SK(sa, op, sk);

++

++	AA_BUG(!profile);

++	AA_BUG(!sk);

++	AA_BUG(UNIX_FS(sk));

++	AA_BUG(profile_unconfined(profile));

++

++	state = PROFILE_MEDIATES_AF(profile, AF_UNIX);

++	if (state) {

++		__be16 b = cpu_to_be16(optname);

++

++		state = match_to_cmd(profile, state, unix_sk(sk), CMD_OPT,

++				     &aad(&sa)->info);

++		if (state) {

++			state = aa_dfa_match_len(profile->policy.dfa, state,

++						 (char *) &b, 2);

++			if (!state)

++				aad(&sa)->info = "failed sockopt match";

++		}

++		return do_perms(profile, state, request, &sa);

++	}

++

++	return aa_profile_af_sk_perm(profile, &sa, request, sk);

++}

++

++int aa_unix_opt_perm(const char *op, u32 request, struct socket *sock, int level,

++		     int optname)

++{

++	struct aa_profile *profile;

++	struct aa_label *label;

++	int error = 0;

++

++	label = begin_current_label_crit_section();

++	if (!(unconfined(label) || UNIX_FS(sock->sk)))

++		error = fn_for_each_confined(label, profile,

++				profile_opt_perm(profile, op, request,

++						 sock->sk, level, optname));

++	end_current_label_crit_section(label);

++

++	return error;

++}

++

++/* null peer_label is allowed, in which case the peer_sk label is used */

++static int profile_peer_perm(struct aa_profile *profile, const char *op, u32 request,

++			     struct sock *sk, struct sock *peer_sk,

++			     struct aa_label *peer_label,

++			     struct common_audit_data *sa)

++{

++	unsigned int state;

++

++	AA_BUG(!profile);

++	AA_BUG(profile_unconfined(profile));

++	AA_BUG(!sk);

++	AA_BUG(!peer_sk);

++	AA_BUG(UNIX_FS(peer_sk));

++

++	state = PROFILE_MEDIATES_AF(profile, AF_UNIX);

++	if (state) {

++		struct aa_sk_ctx *peer_ctx = SK_CTX(peer_sk);

++		struct aa_profile *peerp;

++		struct sockaddr_un *addr = NULL;

++		int len = 0;

++		if (unix_sk(peer_sk)->addr) {

++			addr = unix_sk(peer_sk)->addr->name;

++			len = unix_sk(peer_sk)->addr->len;