Revert "UBUNTU: SAUCE: LSM stacking: add stacking support to apparmor network hooks"

BugLink: http://bugs.launchpad.net/bugs/1734327
Commit ac8f82a0b6d9 introduced a regression identified in bug 1734327.  The regression
causes a kernel panic to occur after multiple TCP connection creations/closures
to the localhost.  The bug was found using STAF RPC calls, but is easily reproducible with SSH.

The patch author for commit ac8f82a0b6d9 has been notificed of this revert.
For now stacking is just a technology preview, which is why we are reverting the patch.
There is a new revision of the stacking patches the jjohansen is working on,
and he will try to see if we can't get it resolved there.

This commit also needs to be reverted because it depends on commit ac8f82a0b6d9.

This reverts commit 4ae2508f0bedb1acddf1ef2f474d8105cf003f80.

Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
index d378b5fde4faee3562cd5e18069c1c001b445580..0ae45240c352f6b37c2867edff3bad6c679f3e31 100644 (file)
--- a/security/apparmor/include/net.h
+++ b/security/apparmor/include/net.h
@@ -17,7 +17,6 @@
 
 #include <net/sock.h>
 #include <linux/path.h>
-#include <linux/lsm_hooks.h>
 
 #include "apparmorfs.h"
 #include "label.h"
@@ -57,16 +56,7 @@ struct aa_sk_ctx {
        struct path path;
 };
 
-extern struct lsm_blob_sizes apparmor_blob_sizes;
-static inline struct aa_sk_ctx *apparmor_sock(const struct sock *sk)
-{
-#ifdef CONFIG_SECURITY_STACKING
-       return sk->sk_security + apparmor_blob_sizes.lbs_sock;
-#else
-       return sk->sk_security;
-#endif
-}
-#define SK_CTX(X) apparmor_sock(X)
+#define SK_CTX(X) ((X)->sk_security)
 #define SOCK_ctx(X) SOCK_INODE(X)->i_security
 #define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P)                                  \
        struct lsm_network_audit NAME ## _net = { .sk = (SK),             \

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 792264c0ae1d8cf7c0da474fb0fd3545d9fdbe3f..8ccbf04d0cfcf85c5cf9cabdf393f8c35ff5ed0c 100644 (file)
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -748,7 +748,13 @@ static int apparmor_task_kill(struct task_struct *target, struct siginfo *info,
  */
 static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags)
 {
-       /* allocated and cleared by LSM */
+       struct aa_sk_ctx *ctx;
+
+       ctx = kzalloc(sizeof(*ctx), flags);
+       if (!ctx)
+               return -ENOMEM;
+
+       SK_CTX(sk) = ctx;
 
        return 0;
 }
@@ -760,13 +766,11 @@ static void apparmor_sk_free_security(struct sock *sk)
 {
        struct aa_sk_ctx *ctx = SK_CTX(sk);
 
+       SK_CTX(sk) = NULL;
        aa_put_label(ctx->label);
-       ctx->label = NULL;
        aa_put_label(ctx->peer);
-       ctx->peer = NULL;
        path_put(&ctx->path);
-       ctx->path.dentry = NULL;
-       ctx->path.mnt = NULL;
+       kfree(ctx);
 }
 
 /**
@@ -1147,7 +1151,6 @@ static void apparmor_sock_graft(struct sock *sk, struct socket *parent)
 struct lsm_blob_sizes apparmor_blob_sizes = {
        .lbs_cred = sizeof(struct aa_task_ctx),
        .lbs_file = sizeof(struct aa_file_ctx),
-       .lbs_sock = sizeof(struct aa_sk_ctx),
 };
 
 static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {