forked from ~ljy/RK356X_SDK_RELEASE

blame | history | patch | commit | commitdiff
hc
2024-05-13 9d77db3c730780c8ef5ccd4b66403ff5675cfe4e 
 kernel/security/apparmor/lsm.c
....@@ -1,3 +1,4 @@
1
+// SPDX-License-Identifier: GPL-2.0-only
12 /*
23  * AppArmor security module
34  *
....@@ -5,11 +6,6 @@
56  *
67  * Copyright (C) 1998-2008 Novell/SUSE
78  * Copyright 2009-2010 Canonical Ltd.
8
- *
9
- * This program is free software; you can redistribute it and/or
10
- * modify it under the terms of the GNU General Public License as
11
- * published by the Free Software Foundation, version 2 of the
12
- * License.
139  */
1410 
1511 #include <linux/lsm_hooks.h>
....@@ -23,7 +19,11 @@
2319 #include <linux/sysctl.h>
2420 #include <linux/audit.h>
2521 #include <linux/user_namespace.h>
22
+#include <linux/netfilter_ipv4.h>
23
+#include <linux/netfilter_ipv6.h>
24
+#include <linux/zlib.h>
2625 #include <net/sock.h>
26
+#include <uapi/linux/mount.h>
2727 
2828 #include "include/apparmor.h"
2929 #include "include/apparmorfs.h"
....@@ -44,8 +44,17 @@
4444 /* Flag indicating whether initialization completed */
4545 int apparmor_initialized;
4646 
47
-DEFINE_PER_CPU(struct aa_buffers, aa_buffers);
48
-DEFINE_LOCAL_IRQ_LOCK(aa_buffers_lock);
47
+union aa_buffer {
48
+	struct list_head list;
49
+	char buffer[1];
50
+};
51
+
52
+#define RESERVE_COUNT 2
53
+static int reserve_count = RESERVE_COUNT;
54
+static int buffer_count;
55
+
56
+static LIST_HEAD(aa_global_buffers);
57
+static DEFINE_SPINLOCK(aa_buffers_lock);
4958 
5059 /*
5160  * LSM hook functions
....@@ -57,7 +66,7 @@
5766 static void apparmor_cred_free(struct cred *cred)
5867 {
5968 	aa_put_label(cred_label(cred));
60
-	cred_label(cred) = NULL;
69
+	set_cred_label(cred, NULL);
6170 }
6271 
6372 /*
....@@ -65,7 +74,7 @@
6574  */
6675 static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
6776 {
68
-	cred_label(cred) = NULL;
77
+	set_cred_label(cred, NULL);
6978 	return 0;
7079 }
7180 
....@@ -75,7 +84,7 @@
7584 static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
7685 				 gfp_t gfp)
7786 {
78
-	cred_label(new) = aa_get_newest_label(cred_label(old));
87
+	set_cred_label(new, aa_get_newest_label(cred_label(old)));
7988 	return 0;
8089 }
8190 
....@@ -84,26 +93,21 @@
8493  */
8594 static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
8695 {
87
-	cred_label(new) = aa_get_newest_label(cred_label(old));
96
+	set_cred_label(new, aa_get_newest_label(cred_label(old)));
8897 }
8998 
9099 static void apparmor_task_free(struct task_struct *task)
91100 {
92101 
93102 	aa_free_task_ctx(task_ctx(task));
94
-	task_ctx(task) = NULL;
95103 }
96104 
97105 static int apparmor_task_alloc(struct task_struct *task,
98106 			       unsigned long clone_flags)
99107 {
100
-	struct aa_task_ctx *new = aa_alloc_task_ctx(GFP_KERNEL);
101
-
102
-	if (!new)
103
-		return -ENOMEM;
108
+	struct aa_task_ctx *new = task_ctx(task);
104109 
105110 	aa_dup_task_ctx(new, task_ctx(current));
106
-	task_ctx(task) = new;
107111 
108112 	return 0;
109113 }
....@@ -431,24 +435,25 @@
431435 
432436 static int apparmor_file_alloc_security(struct file *file)
433437 {
434
-	int error = 0;
435
-
436
-	/* freed by apparmor_file_free_security */
438
+	struct aa_file_ctx *ctx = file_ctx(file);
437439 	struct aa_label *label = begin_current_label_crit_section();
438
-	file->f_security = aa_alloc_file_ctx(label, GFP_KERNEL);
439
-	if (!file_ctx(file))
440
-		error = -ENOMEM;
441
-	end_current_label_crit_section(label);
442440 
443
-	return error;
441
+	spin_lock_init(&ctx->lock);
442
+	rcu_assign_pointer(ctx->label, aa_get_label(label));
443
+	end_current_label_crit_section(label);
444
+	return 0;
444445 }
445446 
446447 static void apparmor_file_free_security(struct file *file)
447448 {
448
-	aa_free_file_ctx(file_ctx(file));
449
+	struct aa_file_ctx *ctx = file_ctx(file);
450
+
451
+	if (ctx)
452
+		aa_put_label(rcu_access_pointer(ctx->label));
449453 }
450454 
451
-static int common_file_perm(const char *op, struct file *file, u32 mask)
455
+static int common_file_perm(const char *op, struct file *file, u32 mask,
456
+			    bool in_atomic)
452457 {
453458 	struct aa_label *label;
454459 	int error = 0;
....@@ -458,7 +463,7 @@
458463 		return -EACCES;
459464 
460465 	label = __begin_current_label_crit_section();
461
-	error = aa_file_perm(op, label, file, mask);
466
+	error = aa_file_perm(op, label, file, mask, in_atomic);
462467 	__end_current_label_crit_section(label);
463468 
464469 	return error;
....@@ -466,12 +471,13 @@
466471 
467472 static int apparmor_file_receive(struct file *file)
468473 {
469
-	return common_file_perm(OP_FRECEIVE, file, aa_map_file_to_perms(file));
474
+	return common_file_perm(OP_FRECEIVE, file, aa_map_file_to_perms(file),
475
+				false);
470476 }
471477 
472478 static int apparmor_file_permission(struct file *file, int mask)
473479 {
474
-	return common_file_perm(OP_FPERM, file, mask);
480
+	return common_file_perm(OP_FPERM, file, mask, false);
475481 }
476482 
477483 static int apparmor_file_lock(struct file *file, unsigned int cmd)
....@@ -481,11 +487,11 @@
481487 	if (cmd == F_WRLCK)
482488 		mask |= MAY_WRITE;
483489 
484
-	return common_file_perm(OP_FLOCK, file, mask);
490
+	return common_file_perm(OP_FLOCK, file, mask, false);
485491 }
486492 
487493 static int common_mmap(const char *op, struct file *file, unsigned long prot,
488
-		       unsigned long flags)
494
+		       unsigned long flags, bool in_atomic)
489495 {
490496 	int mask = 0;
491497 
....@@ -503,20 +509,21 @@
503509 	if (prot & PROT_EXEC)
504510 		mask |= AA_EXEC_MMAP;
505511 
506
-	return common_file_perm(op, file, mask);
512
+	return common_file_perm(op, file, mask, in_atomic);
507513 }
508514 
509515 static int apparmor_mmap_file(struct file *file, unsigned long reqprot,
510516 			      unsigned long prot, unsigned long flags)
511517 {
512
-	return common_mmap(OP_FMMAP, file, prot, flags);
518
+	return common_mmap(OP_FMMAP, file, prot, flags, GFP_ATOMIC);
513519 }
514520 
515521 static int apparmor_file_mprotect(struct vm_area_struct *vma,
516522 				  unsigned long reqprot, unsigned long prot)
517523 {
518524 	return common_mmap(OP_FMPROT, vma->vm_file, prot,
519
-			   !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
525
+			   !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0,
526
+			   false);
520527 }
521528 
522529 static int apparmor_sb_mount(const char *dev_name, const struct path *path,
....@@ -732,7 +739,7 @@
732739 	return error;
733740 }
734741 
735
-static int apparmor_task_kill(struct task_struct *target, struct siginfo *info,
742
+static int apparmor_task_kill(struct task_struct *target, struct kernel_siginfo *info,
736743 			      int sig, const struct cred *cred)
737744 {
738745 	struct aa_label *cl, *tl;
....@@ -1025,6 +1032,7 @@
10251032 	return aa_sock_perm(OP_SHUTDOWN, AA_MAY_SHUTDOWN, sock);
10261033 }
10271034 
1035
+#ifdef CONFIG_NETWORK_SECMARK
10281036 /**
10291037  * apparmor_socket_sock_recv_skb - check perms before associating skb to sk
10301038  *
....@@ -1035,8 +1043,15 @@
10351043  */
10361044 static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
10371045 {
1038
-	return 0;
1046
+	struct aa_sk_ctx *ctx = SK_CTX(sk);
1047
+
1048
+	if (!skb->secmark)
1049
+		return 0;
1050
+
1051
+	return apparmor_secmark_check(ctx->label, OP_RECVMSG, AA_MAY_RECEIVE,
1052
+				      skb->secmark, sk);
10391053 }
1054
+#endif
10401055 
10411056 
10421057 static struct aa_label *sk_peer_label(struct sock *sk)
....@@ -1131,6 +1146,29 @@
11311146 		ctx->label = aa_get_current_label();
11321147 }
11331148 
1149
+#ifdef CONFIG_NETWORK_SECMARK
1150
+static int apparmor_inet_conn_request(struct sock *sk, struct sk_buff *skb,
1151
+				      struct request_sock *req)
1152
+{
1153
+	struct aa_sk_ctx *ctx = SK_CTX(sk);
1154
+
1155
+	if (!skb->secmark)
1156
+		return 0;
1157
+
1158
+	return apparmor_secmark_check(ctx->label, OP_CONNECT, AA_MAY_CONNECT,
1159
+				      skb->secmark, sk);
1160
+}
1161
+#endif
1162
+
1163
+/*
1164
+ * The cred blob is a pointer to, not an instance of, an aa_label.
1165
+ */
1166
+struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = {
1167
+	.lbs_cred = sizeof(struct aa_label *),
1168
+	.lbs_file = sizeof(struct aa_file_ctx),
1169
+	.lbs_task = sizeof(struct aa_task_ctx),
1170
+};
1171
+
11341172 static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
11351173 	LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
11361174 	LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
....@@ -1182,19 +1220,24 @@
11821220 	LSM_HOOK_INIT(socket_getsockopt, apparmor_socket_getsockopt),
11831221 	LSM_HOOK_INIT(socket_setsockopt, apparmor_socket_setsockopt),
11841222 	LSM_HOOK_INIT(socket_shutdown, apparmor_socket_shutdown),
1223
+#ifdef CONFIG_NETWORK_SECMARK
11851224 	LSM_HOOK_INIT(socket_sock_rcv_skb, apparmor_socket_sock_rcv_skb),
1225
+#endif
11861226 	LSM_HOOK_INIT(socket_getpeersec_stream,
11871227 		      apparmor_socket_getpeersec_stream),
11881228 	LSM_HOOK_INIT(socket_getpeersec_dgram,
11891229 		      apparmor_socket_getpeersec_dgram),
11901230 	LSM_HOOK_INIT(sock_graft, apparmor_sock_graft),
1231
+#ifdef CONFIG_NETWORK_SECMARK
1232
+	LSM_HOOK_INIT(inet_conn_request, apparmor_inet_conn_request),
1233
+#endif
11911234 
11921235 	LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank),
11931236 	LSM_HOOK_INIT(cred_free, apparmor_cred_free),
11941237 	LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare),
11951238 	LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer),
11961239 
1197
-	LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds),
1240
+	LSM_HOOK_INIT(bprm_creds_for_exec, apparmor_bprm_creds_for_exec),
11981241 	LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds),
11991242 	LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds),
12001243 
....@@ -1237,6 +1280,16 @@
12371280 	.get = param_get_aauint
12381281 };
12391282 
1283
+static int param_set_aacompressionlevel(const char *val,
1284
+					const struct kernel_param *kp);
1285
+static int param_get_aacompressionlevel(char *buffer,
1286
+					const struct kernel_param *kp);
1287
+#define param_check_aacompressionlevel param_check_int
1288
+static const struct kernel_param_ops param_ops_aacompressionlevel = {
1289
+	.set = param_set_aacompressionlevel,
1290
+	.get = param_get_aacompressionlevel
1291
+};
1292
+
12401293 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp);
12411294 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp);
12421295 #define param_check_aalockpolicy param_check_bool
....@@ -1266,6 +1319,11 @@
12661319 #ifdef CONFIG_SECURITY_APPARMOR_HASH
12671320 module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
12681321 #endif
1322
+
1323
+/* policy loaddata compression level */
1324
+int aa_g_rawdata_compression_level = Z_DEFAULT_COMPRESSION;
1325
+module_param_named(rawdata_compression_level, aa_g_rawdata_compression_level,
1326
+		   aacompressionlevel, 0400);
12691327 
12701328 /* Debug mode */
12711329 bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES);
....@@ -1307,9 +1365,16 @@
13071365 bool aa_g_paranoid_load = true;
13081366 module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO);
13091367 
1368
+static int param_get_aaintbool(char *buffer, const struct kernel_param *kp);
1369
+static int param_set_aaintbool(const char *val, const struct kernel_param *kp);
1370
+#define param_check_aaintbool param_check_int
1371
+static const struct kernel_param_ops param_ops_aaintbool = {
1372
+	.set = param_set_aaintbool,
1373
+	.get = param_get_aaintbool
1374
+};
13101375 /* Boot time disable flag */
1311
-static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE;
1312
-module_param_named(enabled, apparmor_enabled, bool, S_IRUGO);
1376
+static int apparmor_enabled __lsm_ro_after_init = 1;
1377
+module_param_named(enabled, apparmor_enabled, aaintbool, 0444);
13131378 
13141379 static int __init apparmor_enabled_setup(char *str)
13151380 {
....@@ -1370,6 +1435,7 @@
13701435 		return -EPERM;
13711436 
13721437 	error = param_set_uint(val, kp);
1438
+	aa_g_path_max = max_t(uint32_t, aa_g_path_max, sizeof(union aa_buffer));
13731439 	pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max);
13741440 
13751441 	return error;
....@@ -1382,6 +1448,77 @@
13821448 	if (apparmor_initialized && !policy_view_capable(NULL))
13831449 		return -EPERM;
13841450 	return param_get_uint(buffer, kp);
1451
+}
1452
+
1453
+/* Can only be set before AppArmor is initialized (i.e. on boot cmdline). */
1454
+static int param_set_aaintbool(const char *val, const struct kernel_param *kp)
1455
+{
1456
+	struct kernel_param kp_local;
1457
+	bool value;
1458
+	int error;
1459
+
1460
+	if (apparmor_initialized)
1461
+		return -EPERM;
1462
+
1463
+	/* Create local copy, with arg pointing to bool type. */
1464
+	value = !!*((int *)kp->arg);
1465
+	memcpy(&kp_local, kp, sizeof(kp_local));
1466
+	kp_local.arg = &value;
1467
+
1468
+	error = param_set_bool(val, &kp_local);
1469
+	if (!error)
1470
+		*((int *)kp->arg) = *((bool *)kp_local.arg);
1471
+	return error;
1472
+}
1473
+
1474
+/*
1475
+ * To avoid changing /sys/module/apparmor/parameters/enabled from Y/N to
1476
+ * 1/0, this converts the "int that is actually bool" back to bool for
1477
+ * display in the /sys filesystem, while keeping it "int" for the LSM
1478
+ * infrastructure.
1479
+ */
1480
+static int param_get_aaintbool(char *buffer, const struct kernel_param *kp)
1481
+{
1482
+	struct kernel_param kp_local;
1483
+	bool value;
1484
+
1485
+	/* Create local copy, with arg pointing to bool type. */
1486
+	value = !!*((int *)kp->arg);
1487
+	memcpy(&kp_local, kp, sizeof(kp_local));
1488
+	kp_local.arg = &value;
1489
+
1490
+	return param_get_bool(buffer, &kp_local);
1491
+}
1492
+
1493
+static int param_set_aacompressionlevel(const char *val,
1494
+					const struct kernel_param *kp)
1495
+{
1496
+	int error;
1497
+
1498
+	if (!apparmor_enabled)
1499
+		return -EINVAL;
1500
+	if (apparmor_initialized)
1501
+		return -EPERM;
1502
+
1503
+	error = param_set_int(val, kp);
1504
+
1505
+	aa_g_rawdata_compression_level = clamp(aa_g_rawdata_compression_level,
1506
+					       Z_NO_COMPRESSION,
1507
+					       Z_BEST_COMPRESSION);
1508
+	pr_info("AppArmor: policy rawdata compression level set to %u\n",
1509
+		aa_g_rawdata_compression_level);
1510
+
1511
+	return error;
1512
+}
1513
+
1514
+static int param_get_aacompressionlevel(char *buffer,
1515
+					const struct kernel_param *kp)
1516
+{
1517
+	if (!apparmor_enabled)
1518
+		return -EINVAL;
1519
+	if (apparmor_initialized && !policy_view_capable(NULL))
1520
+		return -EPERM;
1521
+	return param_get_int(buffer, kp);
13851522 }
13861523 
13871524 static int param_get_audit(char *buffer, const struct kernel_param *kp)
....@@ -1442,6 +1579,61 @@
14421579 	return 0;
14431580 }
14441581 
1582
+char *aa_get_buffer(bool in_atomic)
1583
+{
1584
+	union aa_buffer *aa_buf;
1585
+	bool try_again = true;
1586
+	gfp_t flags = (GFP_KERNEL | __GFP_RETRY_MAYFAIL | __GFP_NOWARN);
1587
+
1588
+retry:
1589
+	spin_lock(&aa_buffers_lock);
1590
+	if (buffer_count > reserve_count ||
1591
+	    (in_atomic && !list_empty(&aa_global_buffers))) {
1592
+		aa_buf = list_first_entry(&aa_global_buffers, union aa_buffer,
1593
+					  list);
1594
+		list_del(&aa_buf->list);
1595
+		buffer_count--;
1596
+		spin_unlock(&aa_buffers_lock);
1597
+		return &aa_buf->buffer[0];
1598
+	}
1599
+	if (in_atomic) {
1600
+		/*
1601
+		 * out of reserve buffers and in atomic context so increase
1602
+		 * how many buffers to keep in reserve
1603
+		 */
1604
+		reserve_count++;
1605
+		flags = GFP_ATOMIC;
1606
+	}
1607
+	spin_unlock(&aa_buffers_lock);
1608
+
1609
+	if (!in_atomic)
1610
+		might_sleep();
1611
+	aa_buf = kmalloc(aa_g_path_max, flags);
1612
+	if (!aa_buf) {
1613
+		if (try_again) {
1614
+			try_again = false;
1615
+			goto retry;
1616
+		}
1617
+		pr_warn_once("AppArmor: Failed to allocate a memory buffer.\n");
1618
+		return NULL;
1619
+	}
1620
+	return &aa_buf->buffer[0];
1621
+}
1622
+
1623
+void aa_put_buffer(char *buf)
1624
+{
1625
+	union aa_buffer *aa_buf;
1626
+
1627
+	if (!buf)
1628
+		return;
1629
+	aa_buf = container_of(buf, union aa_buffer, buffer[0]);
1630
+
1631
+	spin_lock(&aa_buffers_lock);
1632
+	list_add(&aa_buf->list, &aa_global_buffers);
1633
+	buffer_count++;
1634
+	spin_unlock(&aa_buffers_lock);
1635
+}
1636
+
14451637 /*
14461638  * AppArmor init functions
14471639  */
....@@ -1453,59 +1645,63 @@
14531645  */
14541646 static int __init set_init_ctx(void)
14551647 {
1456
-	struct cred *cred = (struct cred *)current->real_cred;
1457
-	struct aa_task_ctx *ctx;
1648
+	struct cred *cred = (__force struct cred *)current->real_cred;
14581649 
1459
-	ctx = aa_alloc_task_ctx(GFP_KERNEL);
1460
-	if (!ctx)
1461
-		return -ENOMEM;
1462
-
1463
-	cred_label(cred) = aa_get_label(ns_unconfined(root_ns));
1464
-	task_ctx(current) = ctx;
1650
+	set_cred_label(cred, aa_get_label(ns_unconfined(root_ns)));
14651651 
14661652 	return 0;
14671653 }
14681654 
14691655 static void destroy_buffers(void)
14701656 {
1471
-	u32 i, j;
1657
+	union aa_buffer *aa_buf;
14721658 
1473
-	for_each_possible_cpu(i) {
1474
-		for_each_cpu_buffer(j) {
1475
-			kfree(per_cpu(aa_buffers, i).buf[j]);
1476
-			per_cpu(aa_buffers, i).buf[j] = NULL;
1477
-		}
1659
+	spin_lock(&aa_buffers_lock);
1660
+	while (!list_empty(&aa_global_buffers)) {
1661
+		aa_buf = list_first_entry(&aa_global_buffers, union aa_buffer,
1662
+					 list);
1663
+		list_del(&aa_buf->list);
1664
+		spin_unlock(&aa_buffers_lock);
1665
+		kfree(aa_buf);
1666
+		spin_lock(&aa_buffers_lock);
14781667 	}
1668
+	spin_unlock(&aa_buffers_lock);
14791669 }
14801670 
14811671 static int __init alloc_buffers(void)
14821672 {
1483
-	u32 i, j;
1673
+	union aa_buffer *aa_buf;
1674
+	int i, num;
14841675 
1485
-	for_each_possible_cpu(i) {
1486
-		for_each_cpu_buffer(j) {
1487
-			char *buffer;
1676
+	/*
1677
+	 * A function may require two buffers at once. Usually the buffers are
1678
+	 * used for a short period of time and are shared. On UP kernel buffers
1679
+	 * two should be enough, with more CPUs it is possible that more
1680
+	 * buffers will be used simultaneously. The preallocated pool may grow.
1681
+	 * This preallocation has also the side-effect that AppArmor will be
1682
+	 * disabled early at boot if aa_g_path_max is extremly high.
1683
+	 */
1684
+	if (num_online_cpus() > 1)
1685
+		num = 4 + RESERVE_COUNT;
1686
+	else
1687
+		num = 2 + RESERVE_COUNT;
14881688 
1489
-			if (cpu_to_node(i) > num_online_nodes())
1490
-				/* fallback to kmalloc for offline nodes */
1491
-				buffer = kmalloc(aa_g_path_max, GFP_KERNEL);
1492
-			else
1493
-				buffer = kmalloc_node(aa_g_path_max, GFP_KERNEL,
1494
-						      cpu_to_node(i));
1495
-			if (!buffer) {
1496
-				destroy_buffers();
1497
-				return -ENOMEM;
1498
-			}
1499
-			per_cpu(aa_buffers, i).buf[j] = buffer;
1689
+	for (i = 0; i < num; i++) {
1690
+
1691
+		aa_buf = kmalloc(aa_g_path_max, GFP_KERNEL |
1692
+				 __GFP_RETRY_MAYFAIL | __GFP_NOWARN);
1693
+		if (!aa_buf) {
1694
+			destroy_buffers();
1695
+			return -ENOMEM;
15001696 		}
1697
+		aa_put_buffer(&aa_buf->buffer[0]);
15011698 	}
1502
-
15031699 	return 0;
15041700 }
15051701 
15061702 #ifdef CONFIG_SYSCTL
15071703 static int apparmor_dointvec(struct ctl_table *table, int write,
1508
-			     void __user *buffer, size_t *lenp, loff_t *ppos)
1704
+			     void *buffer, size_t *lenp, loff_t *ppos)
15091705 {
15101706 	if (!policy_admin_capable(NULL))
15111707 		return -EPERM;
....@@ -1543,15 +1739,102 @@
15431739 }
15441740 #endif /* CONFIG_SYSCTL */
15451741 
1742
+#if defined(CONFIG_NETFILTER) && defined(CONFIG_NETWORK_SECMARK)
1743
+static unsigned int apparmor_ip_postroute(void *priv,
1744
+					  struct sk_buff *skb,
1745
+					  const struct nf_hook_state *state)
1746
+{
1747
+	struct aa_sk_ctx *ctx;
1748
+	struct sock *sk;
1749
+
1750
+	if (!skb->secmark)
1751
+		return NF_ACCEPT;
1752
+
1753
+	sk = skb_to_full_sk(skb);
1754
+	if (sk == NULL)
1755
+		return NF_ACCEPT;
1756
+
1757
+	ctx = SK_CTX(sk);
1758
+	if (!apparmor_secmark_check(ctx->label, OP_SENDMSG, AA_MAY_SEND,
1759
+				    skb->secmark, sk))
1760
+		return NF_ACCEPT;
1761
+
1762
+	return NF_DROP_ERR(-ECONNREFUSED);
1763
+
1764
+}
1765
+
1766
+static unsigned int apparmor_ipv4_postroute(void *priv,
1767
+					    struct sk_buff *skb,
1768
+					    const struct nf_hook_state *state)
1769
+{
1770
+	return apparmor_ip_postroute(priv, skb, state);
1771
+}
1772
+
1773
+#if IS_ENABLED(CONFIG_IPV6)
1774
+static unsigned int apparmor_ipv6_postroute(void *priv,
1775
+					    struct sk_buff *skb,
1776
+					    const struct nf_hook_state *state)
1777
+{
1778
+	return apparmor_ip_postroute(priv, skb, state);
1779
+}
1780
+#endif
1781
+
1782
+static const struct nf_hook_ops apparmor_nf_ops[] = {
1783
+	{
1784
+		.hook =         apparmor_ipv4_postroute,
1785
+		.pf =           NFPROTO_IPV4,
1786
+		.hooknum =      NF_INET_POST_ROUTING,
1787
+		.priority =     NF_IP_PRI_SELINUX_FIRST,
1788
+	},
1789
+#if IS_ENABLED(CONFIG_IPV6)
1790
+	{
1791
+		.hook =         apparmor_ipv6_postroute,
1792
+		.pf =           NFPROTO_IPV6,
1793
+		.hooknum =      NF_INET_POST_ROUTING,
1794
+		.priority =     NF_IP6_PRI_SELINUX_FIRST,
1795
+	},
1796
+#endif
1797
+};
1798
+
1799
+static int __net_init apparmor_nf_register(struct net *net)
1800
+{
1801
+	int ret;
1802
+
1803
+	ret = nf_register_net_hooks(net, apparmor_nf_ops,
1804
+				    ARRAY_SIZE(apparmor_nf_ops));
1805
+	return ret;
1806
+}
1807
+
1808
+static void __net_exit apparmor_nf_unregister(struct net *net)
1809
+{
1810
+	nf_unregister_net_hooks(net, apparmor_nf_ops,
1811
+				ARRAY_SIZE(apparmor_nf_ops));
1812
+}
1813
+
1814
+static struct pernet_operations apparmor_net_ops = {
1815
+	.init = apparmor_nf_register,
1816
+	.exit = apparmor_nf_unregister,
1817
+};
1818
+
1819
+static int __init apparmor_nf_ip_init(void)
1820
+{
1821
+	int err;
1822
+
1823
+	if (!apparmor_enabled)
1824
+		return 0;
1825
+
1826
+	err = register_pernet_subsys(&apparmor_net_ops);
1827
+	if (err)
1828
+		panic("Apparmor: register_pernet_subsys: error %d\n", err);
1829
+
1830
+	return 0;
1831
+}
1832
+__initcall(apparmor_nf_ip_init);
1833
+#endif
1834
+
15461835 static int __init apparmor_init(void)
15471836 {
15481837 	int error;
1549
-
1550
-	if (!apparmor_enabled || !security_module_enable("apparmor")) {
1551
-		aa_info_message("AppArmor disabled by boot time parameter");
1552
-		apparmor_enabled = false;
1553
-		return 0;
1554
-	}
15551838 
15561839 	aa_secids_init();
15571840 
....@@ -1577,7 +1860,7 @@
15771860 	error = alloc_buffers();
15781861 	if (error) {
15791862 		AA_ERROR("Unable to allocate work buffers\n");
1580
-		goto buffers_out;
1863
+		goto alloc_out;
15811864 	}
15821865 
15831866 	error = set_init_ctx();
....@@ -1602,7 +1885,6 @@
16021885 
16031886 buffers_out:
16041887 	destroy_buffers();
1605
-
16061888 alloc_out:
16071889 	aa_destroy_aafs();
16081890 	aa_teardown_dfa_engine();
....@@ -1611,4 +1893,10 @@
16111893 	return error;
16121894 }
16131895 
1614
-security_initcall(apparmor_init);
1896
+DEFINE_LSM(apparmor) = {
1897
+	.name = "apparmor",
1898
+	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
1899
+	.enabled = &apparmor_enabled,
1900
+	.blobs = &apparmor_blob_sizes,
1901
+	.init = apparmor_init,
1902
+};