tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

apparmor: fix fast path cache check for unix sockets

The fast path cache check is incorrect forcing more slow path
revalidations than necessary, because the unix logic check is inverted.

Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

John Johansen 9f79b1ce 6ca56813

+21 -14
+21 -14
security/apparmor/file.c
··· 572 572 return unconfined(obj_label); 573 573 } 574 574 575 - static bool __unix_needs_revalidation(struct file *file, struct aa_label *label, 576 - u32 request) 575 + static bool __is_unix_file(struct file *file) 577 576 { 578 577 struct socket *sock = (struct socket *) file->private_data; 579 578 ··· 580 581 581 582 if (!S_ISSOCK(file_inode(file)->i_mode)) 582 583 return false; 583 - if (request & NET_PEER_MASK) 584 - return false; 585 584 /* sock and sock->sk can be NULL for sockets being set up or torn down */ 586 585 if (!sock || !sock->sk) 587 586 return false; 588 - if (sock->sk->sk_family == PF_UNIX) { 589 - struct aa_sk_ctx *ctx = aa_sock(sock->sk); 590 - 591 - if (rcu_access_pointer(ctx->peer) != 592 - rcu_access_pointer(ctx->peer_lastupdate)) 593 - return true; 594 - return !__aa_subj_label_is_cached(rcu_dereference(ctx->label), 595 - label); 596 - } 587 + if (sock->sk->sk_family == PF_UNIX) 588 + return true; 597 589 return false; 590 + } 591 + 592 + static bool __unix_needs_revalidation(struct file *file, struct aa_label *label, 593 + u32 request) 594 + { 595 + struct socket *sock = (struct socket *) file->private_data; 596 + 597 + AA_BUG(!__is_unix_file(file)); 598 + lockdep_assert_in_rcu_read_lock(); 599 + 600 + struct aa_sk_ctx *skctx = aa_sock(sock->sk); 601 + 602 + if (rcu_access_pointer(skctx->peer) != 603 + rcu_access_pointer(skctx->peer_lastupdate)) 604 + return true; 605 + 606 + return !__aa_subj_label_is_cached(rcu_dereference(skctx->label), label); 598 607 } 599 608 600 609 /** ··· 647 640 */ 648 641 denied = request & ~fctx->allow; 649 642 if (unconfined(label) || __file_is_delegated(flabel) || 650 - __unix_needs_revalidation(file, label, request) || 643 + (!denied && __is_unix_file(file) && !__unix_needs_revalidation(file, label, request)) || 651 644 (!denied && __aa_subj_label_is_cached(label, flabel))) { 652 645 rcu_read_unlock(); 653 646 goto done;