[SRU][Artful][v2][PATCH 1/2] Revert "UBUNTU: SAUCE: LSM stacking: add stacking support to apparmor network hooks"

Joseph Salisbury joseph.salisbury at canonical.com
Mon Dec 11 19:04:00 UTC 2017


BugLink: http://bugs.launchpad.net/bugs/1734327

Commit ac8f82a0b6d9 introduced a regression identified in bug 1734327.  The regression
causes a kernel panic to occur after multiple TCP connection creations/closures
to the localhost.  The bug was found using STAF RPC calls, but is easily reproducible with SSH.

The patch author for commit ac8f82a0b6d9 has been notified of this revert.
For now stacking is just a technology preview, which is why we are reverting the patch.
There is a new revision of the stacking patches that jjohansen is working on,
and he will try to see if it can be resolved there.

This commit also needs to be reverted because it depends on commit ac8f82a0b6d9.

This reverts commit 4ae2508f0bedb1acddf1ef2f474d8105cf003f80.

Signed-off-by: Joseph Salisbury <joseph.salisbury at canonical.com>
---
 security/apparmor/include/net.h | 12 +-----------
 security/apparmor/lsm.c         | 15 +++++++++------
 2 files changed, 10 insertions(+), 17 deletions(-)

diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
index d378b5f..0ae4524 100644
--- a/security/apparmor/include/net.h
+++ b/security/apparmor/include/net.h
@@ -17,7 +17,6 @@
 
 #include <net/sock.h>
 #include <linux/path.h>
-#include <linux/lsm_hooks.h>
 
 #include "apparmorfs.h"
 #include "label.h"
@@ -57,16 +56,7 @@ struct aa_sk_ctx {
 	struct path path;
 };
 
-extern struct lsm_blob_sizes apparmor_blob_sizes;
-static inline struct aa_sk_ctx *apparmor_sock(const struct sock *sk)
-{
-#ifdef CONFIG_SECURITY_STACKING
-	return sk->sk_security + apparmor_blob_sizes.lbs_sock;
-#else
-	return sk->sk_security;
-#endif
-}
-#define SK_CTX(X) apparmor_sock(X)
+#define SK_CTX(X) ((X)->sk_security)
 #define SOCK_ctx(X) SOCK_INODE(X)->i_security
 #define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P)				  \
 	struct lsm_network_audit NAME ## _net = { .sk = (SK),		  \
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 792264c..8ccbf04 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -748,7 +748,13 @@ static int apparmor_task_kill(struct task_struct *target, struct siginfo *info,
  */
 static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags)
 {
-	/* allocated and cleared by LSM */
+	struct aa_sk_ctx *ctx;
+
+	ctx = kzalloc(sizeof(*ctx), flags);
+	if (!ctx)
+		return -ENOMEM;
+
+	SK_CTX(sk) = ctx;
 
 	return 0;
 }
@@ -760,13 +766,11 @@ static void apparmor_sk_free_security(struct sock *sk)
 {
 	struct aa_sk_ctx *ctx = SK_CTX(sk);
 
+	SK_CTX(sk) = NULL;
 	aa_put_label(ctx->label);
-	ctx->label = NULL;
 	aa_put_label(ctx->peer);
-	ctx->peer = NULL;
 	path_put(&ctx->path);
-	ctx->path.dentry = NULL;
-	ctx->path.mnt = NULL;
+	kfree(ctx);
 }
 
 /**
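Review bot: In apparmor_sk_free_security, `ctx` read from `SK_CTX(sk)` is dereferenced (`ctx->label`, `ctx->peer`, `&ctx->path`) with no NULL check, and after the revert it is once again a per-LSM kzalloc'd pointer rather than a blob the LSM core lays out for every sock. If any path can reach this hook on a sock whose apparmor_sk_alloc_security never ran or failed — I cannot confirm that from the hunk — the teardown becomes a NULL dereference instead of a no-op; an `if (!ctx) return;` immediately after the read (before `SK_CTX(sk) = NULL;`) would make it tolerant, and `kfree(NULL)` is already harmless. The function's signature appears only in the hunk header, not in the hunk body.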
@@ -1147,7 +1151,6 @@ static void apparmor_sock_graft(struct sock *sk, struct socket *parent)
 struct lsm_blob_sizes apparmor_blob_sizes = {
 	.lbs_cred = sizeof(struct aa_task_ctx),
 	.lbs_file = sizeof(struct aa_file_ctx),
-	.lbs_sock = sizeof(struct aa_sk_ctx),
 };
 
 static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
-- 
2.7.4




