UBUNTU: SAUCE: LSM: Infrastructure management of the sock security

[mirror_ubuntu-jammy-kernel.git] / security / apparmor / lsm.c

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 855b865a0bbad48b8a118e26f014637ab39d5cb5..9baae86ec5efebf175b6a105d04eaa84e7606e60 100644 (file)
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -776,34 +776,16 @@ static int apparmor_task_kill(struct task_struct *target, struct kernel_siginfo
        return error;
 }
 
-/**
- * apparmor_sk_alloc_security - allocate and attach the sk_security field
- */
-static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags)
-{
-       struct aa_sk_ctx *ctx;
-
-       ctx = kzalloc(sizeof(*ctx), flags);
-       if (!ctx)
-               return -ENOMEM;
-
-       SK_CTX(sk) = ctx;
-
-       return 0;
-}
-
 /**
  * apparmor_sk_free_security - free the sk_security field
  */
 static void apparmor_sk_free_security(struct sock *sk)
 {
-       struct aa_sk_ctx *ctx = SK_CTX(sk);
+       struct aa_sk_ctx *ctx = aa_sock(sk);
 
-       SK_CTX(sk) = NULL;
        aa_put_label(ctx->label);
        aa_put_label(ctx->peer);
        path_put(&ctx->path);
-       kfree(ctx);
 }
 
 /**
@@ -812,8 +794,8 @@ static void apparmor_sk_free_security(struct sock *sk)
 static void apparmor_sk_clone_security(const struct sock *sk,
                                       struct sock *newsk)
 {
-       struct aa_sk_ctx *ctx = SK_CTX(sk);
-       struct aa_sk_ctx *new = SK_CTX(newsk);
+       struct aa_sk_ctx *ctx = aa_sock(sk);
+       struct aa_sk_ctx *new = aa_sock(newsk);
 
        if (new->label)
                aa_put_label(new->label);
@@ -962,7 +944,7 @@ static int apparmor_socket_post_create(struct socket *sock, int family,
                label = aa_get_current_label();
 
        if (sock->sk) {
-               struct aa_sk_ctx *ctx = SK_CTX(sock->sk);
+               struct aa_sk_ctx *ctx = aa_sock(sock->sk);
 
                aa_put_label(ctx->label);
                ctx->label = aa_get_label(label);
@@ -1147,7 +1129,7 @@ static int apparmor_socket_shutdown(struct socket *sock, int how)
  */
 static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 {
-       struct aa_sk_ctx *ctx = SK_CTX(sk);
+       struct aa_sk_ctx *ctx = aa_sock(sk);
 
        if (!skb->secmark)
                return 0;
@@ -1161,7 +1143,7 @@ static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 static struct aa_label *sk_peer_label(struct sock *sk)
 {
        struct sock *peer_sk;
-       struct aa_sk_ctx *ctx = SK_CTX(sk);
+       struct aa_sk_ctx *ctx = aa_sock(sk);
        struct aa_label *label = ERR_PTR(-ENOPROTOOPT);
 
        if (ctx->peer)
@@ -1261,7 +1243,7 @@ static int apparmor_socket_getpeersec_dgram(struct socket *sock,
  */
 static void apparmor_sock_graft(struct sock *sk, struct socket *parent)
 {
-       struct aa_sk_ctx *ctx = SK_CTX(sk);
+       struct aa_sk_ctx *ctx = aa_sock(sk);
 
        if (!ctx->label)
                ctx->label = aa_get_current_label();
@@ -1271,7 +1253,7 @@ static void apparmor_sock_graft(struct sock *sk, struct socket *parent)
 static int apparmor_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
                                      struct request_sock *req)
 {
-       struct aa_sk_ctx *ctx = SK_CTX(sk);
+       struct aa_sk_ctx *ctx = aa_sock(sk);
 
        if (!skb->secmark)
                return 0;
@@ -1288,6 +1270,7 @@ struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = {
        .lbs_cred = sizeof(struct aa_task_ctx *),
        .lbs_file = sizeof(struct aa_file_ctx),
        .lbs_task = sizeof(struct aa_task_ctx),
+       .lbs_sock = sizeof(struct aa_sk_ctx),
 };
 
 static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
@@ -1324,7 +1307,6 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
        LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
        LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
 
-       LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security),
        LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security),
        LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security),
 
@@ -1887,7 +1869,7 @@ static unsigned int apparmor_ip_postroute(void *priv,
        if (sk == NULL)
                return NF_ACCEPT;
 
-       ctx = SK_CTX(sk);
+       ctx = aa_sock(sk);
        if (!apparmor_secmark_check(ctx->label, OP_SENDMSG, AA_MAY_SEND,
                                    skb->secmark, sk))
                return NF_ACCEPT;