The stacking patches were not developed against the AppArmor networking hooks.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
#include <net/sock.h>
#include <linux/path.h>
#include <net/sock.h>
#include <linux/path.h>
+#include <linux/lsm_hooks.h>
#include "apparmorfs.h"
#include "label.h"
#include "apparmorfs.h"
#include "label.h"
-#define SK_CTX(X) ((X)->sk_security)
+extern struct lsm_blob_sizes apparmor_blob_sizes;
+static inline struct aa_sk_ctx *apparmor_sock(const struct sock *sk)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return sk->sk_security + apparmor_blob_sizes.lbs_sock;
+#else
+ return sk->sk_security;
+#endif
+}
+#define SK_CTX(X) apparmor_sock(X)
#define SOCK_ctx(X) SOCK_INODE(X)->i_security
#define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P) \
struct lsm_network_audit NAME ## _net = { .sk = (SK), \
#define SOCK_ctx(X) SOCK_INODE(X)->i_security
#define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P) \
struct lsm_network_audit NAME ## _net = { .sk = (SK), \
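Review bot: In the CONFIG_SECURITY_STACKING branch of `apparmor_sock()`, a NULL `sk->sk_security` is silently turned into a non-NULL pointer (`NULL + apparmor_blob_sizes.lbs_sock`), so any caller that still tests `if (!SK_CTX(sk))` would dereference a bogus address instead of bailing out, while the non-stacking branch keeps returning NULL and the two configurations disagree. If the blob infrastructure guarantees `sk_security` is always allocated before these hooks run, say so in a comment above the helper; otherwise add `if (!sk->sk_security) return NULL;` ahead of the offset arithmetic so both branches behave the same. Separately, `SK_CTX(X)` is now an rvalue, so any surviving `SK_CTX(sk) = ...` assignment elsewhere in the file (the removed one in `apparmor_sk_alloc_security` may not be the only one) will no longer compile — worth a grep before merge.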
*/
static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags)
{
*/
static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags)
{
- struct aa_sk_ctx *ctx;
-
- ctx = kzalloc(sizeof(*ctx), flags);
- if (!ctx)
- return -ENOMEM;
-
- SK_CTX(sk) = ctx;
+ /* allocated and cleared by LSM */
{
struct aa_sk_ctx *ctx = SK_CTX(sk);
{
struct aa_sk_ctx *ctx = SK_CTX(sk);
aa_put_label(ctx->label);
aa_put_label(ctx->label);
+ ctx->path.dentry = NULL;
+ ctx->path.mnt = NULL;
struct lsm_blob_sizes apparmor_blob_sizes = {
.lbs_cred = sizeof(struct aa_task_ctx),
.lbs_file = sizeof(struct aa_file_ctx),
struct lsm_blob_sizes apparmor_blob_sizes = {
.lbs_cred = sizeof(struct aa_task_ctx),
.lbs_file = sizeof(struct aa_file_ctx),
+ .lbs_sock = sizeof(struct aa_sk_ctx),
};
static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
};
static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {