apparmor: lift kernel socket check out of critical section

There is no need for the kern check to be in the critical section, it only complicates the code and slows down the case where the socket is being created by the kernel. Lifting it out will also allow socket_create to share common template code, with other socket_permission checks. Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-05-30 01:53:29 +02:00 · 2024-04-10 14:49:43 -07:00 · 2024-04-10 14:49:43 -07:00 · 6cc6a0523d
commit 6cc6a0523d
parent 9045aa25d1
1 changed files with 5 additions and 1 deletions
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@ -1095,10 +1095,14 @@ static int apparmor_socket_create(int family, int type, int protocol, int kern)

 	AA_BUG(in_interrupt());

+	if (kern)
+		return 0;
+
 	label = begin_current_label_crit_section();
-	if (!(kern || unconfined(label)))
+	if (!unconfined(label)) {
 		error = aa_af_perm(current_cred(), label, OP_CREATE,
 				   AA_MAY_CREATE, family, type, protocol);
+	}
 	end_current_label_crit_section(label);

 	return error;