Commit 6cc6a052 authored by John Johansen's avatar John Johansen
Browse files

apparmor: lift kernel socket check out of critical section 



There is no need for the kern check to be in the critical section,
it only complicates the code and slows down the case where the
socket is being created by the kernel.

Lifting it out will also allow socket_create to share common template
code, with other socket_permission checks.

Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent 9045aa25

security/apparmor/lsm.c

+5 −1
Original line number Diff line number Diff line
@@ -1095,10 +1095,14 @@ static int apparmor_socket_create(int family, int type, int protocol, int kern) 


	AA_BUG(in_interrupt());



	if (kern)

		return 0;



	label = begin_current_label_crit_section();

	if (!(kern || unconfined(label)))

	if (!unconfined(label)) {

		error = aa_af_perm(current_cred(), label, OP_CREATE,

				   AA_MAY_CREATE, family, type, protocol);

	}

	end_current_label_crit_section(label);



	return error;