UBUNTU: SAUCE: LSM stacking: add stacking support to apparmor network hooks

BugLink: http://bugs.launchpad.net/bugs/1763062
The stacking patches weren't developed against apparmor networking hooks.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>

diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
index 0ae45240c352f6b37c2867edff3bad6c679f3e31..d378b5fde4faee3562cd5e18069c1c001b445580 100644 (file)
--- a/security/apparmor/include/net.h
+++ b/security/apparmor/include/net.h
@@ -17,6 +17,7 @@
 
 #include <net/sock.h>
 #include <linux/path.h>
+#include <linux/lsm_hooks.h>
 
 #include "apparmorfs.h"
 #include "label.h"
@@ -56,7 +57,16 @@ struct aa_sk_ctx {
        struct path path;
 };
 
-#define SK_CTX(X) ((X)->sk_security)
+extern struct lsm_blob_sizes apparmor_blob_sizes;
+static inline struct aa_sk_ctx *apparmor_sock(const struct sock *sk)
+{
+#ifdef CONFIG_SECURITY_STACKING
+       return sk->sk_security + apparmor_blob_sizes.lbs_sock;
+#else
+       return sk->sk_security;
+#endif
+}
+#define SK_CTX(X) apparmor_sock(X)
 #define SOCK_ctx(X) SOCK_INODE(X)->i_security
 #define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P)                                  \
        struct lsm_network_audit NAME ## _net = { .sk = (SK),             \

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index cf2ef94f3d1b54feb1ae3109ef9bfeee7249a7bc..d7fa61ab8d642de5705f0a627221b122a008a3cf 100644 (file)
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -720,13 +720,7 @@ static int apparmor_task_kill(struct task_struct *target, struct siginfo *info,
  */
 static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags)
 {
-       struct aa_sk_ctx *ctx;
-
-       ctx = kzalloc(sizeof(*ctx), flags);
-       if (!ctx)
-               return -ENOMEM;
-
-       SK_CTX(sk) = ctx;
+       /* allocated and cleared by LSM */
 
        return 0;
 }
@@ -738,11 +732,13 @@ static void apparmor_sk_free_security(struct sock *sk)
 {
        struct aa_sk_ctx *ctx = SK_CTX(sk);
 
-       SK_CTX(sk) = NULL;
        aa_put_label(ctx->label);
+       ctx->label = NULL;
        aa_put_label(ctx->peer);
+       ctx->peer = NULL;
        path_put(&ctx->path);
-       kfree(ctx);
+       ctx->path.dentry = NULL;
+       ctx->path.mnt = NULL;
 }
 
 /**
@@ -1123,6 +1119,7 @@ static void apparmor_sock_graft(struct sock *sk, struct socket *parent)
 struct lsm_blob_sizes apparmor_blob_sizes = {
        .lbs_cred = sizeof(struct aa_task_ctx),
        .lbs_file = sizeof(struct aa_file_ctx),
+       .lbs_sock = sizeof(struct aa_sk_ctx),
 };
 
 static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {