authorGoldwyn Rodrigues <rgoldwyn@suse.com>2018-11-20 07:26:50 -0600
committerGoldwyn Rodrigues <rgoldwyn@suse.com>2018-11-20 07:26:50 -0600
commitf5cf767c07e09d0b130995e6fda7d70d4b7baa40 (patch)
tree117180ec513723676aa9cdd014aeeceae5a9cad2
parent81d20d2b3406e621393dce5cc2f6b293cc1c4cc4 (diff)
apparmor: fix unnecessary creation of net-compat (bsc#1116724).
-rw-r--r--patches.suse/0001-apparmor-fix-unnecessary-creation-of-net-compat.patch49
-rw-r--r--series.conf1
2 files changed, 50 insertions, 0 deletions
diff --git a/patches.suse/0001-apparmor-fix-unnecessary-creation-of-net-compat.patch b/patches.suse/0001-apparmor-fix-unnecessary-creation-of-net-compat.patch
new file mode 100644
index 0000000000..0a127cae67
--- /dev/null
+++ b/patches.suse/0001-apparmor-fix-unnecessary-creation-of-net-compat.patch
@@ -0,0 +1,49 @@
+From 0256a7f382670a4f07b6b6068371f1463c251325 Mon Sep 17 00:00:00 2001
+From: Goldwyn Rodrigues <rgoldwyn@suse.com>
+Date: Tue, 20 Nov 2018 06:36:26 -0600
+Subject: [PATCH] apparmor: fix unnecessary creation of net-compat
+Patch-mainline: Never, fixes a compat patch
+References: bsc#1116724
+
+We do not want to create net-compat all of the time,
+only when there are rules in profile AND version is less
+than 8. This will improve performance for cases which
+does not have net rules in profile but uses networking.
+
+Also, remove a bogus condition.
+
+Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+---
+ security/apparmor/net.c | 2 --
+ security/apparmor/policy_unpack.c | 2 +-
+ 2 files changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/security/apparmor/net.c b/security/apparmor/net.c
+index 042aee4408c1..b19778a1798d 100644
+--- a/security/apparmor/net.c
++++ b/security/apparmor/net.c
+@@ -174,8 +174,6 @@ int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
+ return 0;
+ state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
+ if (state) {
+- if (!state)
+- return 0;
+ buffer[0] = cpu_to_be16(family);
+ buffer[1] = cpu_to_be16((u16) type);
+ state = aa_dfa_match_len(profile->policy.dfa, state,
+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
+index 9c9a329fd2d7..3d6fa51178c4 100644
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -773,7 +773,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
+ }
+
+ size = unpack_array(e, "net_allowed_af");
+- if (size || VERSION_LT(e->version, v8)) {
++ if (size && VERSION_LT(e->version, v8)) {
+ profile->net_compat = kzalloc(sizeof(struct aa_net_compat), GFP_KERNEL);
+ if (!profile->net_compat) {
+ info = "out of memory";
+--
+2.16.4
+
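Review bot: In the inner `policy_unpack.c` hunk, changing `size || VERSION_LT(e->version, v8)` to `size && VERSION_LT(e->version, v8)` alters two cases beyond the performance case the description names, and neither is documented. A pre-v8 profile with no `net_allowed_af` array now keeps `profile->net_compat` NULL instead of getting a zeroed `struct aa_net_compat`; if the compat path in `aa_profile_af_perm` (outside this hunk) treats NULL as "not mediated", such profiles would go from a zeroed table to unrestricted networking, so that fallback should be checked. A v8-or-later blob that still carries the array now skips this block after `unpack_array` has already opened it, so presumably its elements are no longer consumed here. I would add a comment above the test, e.g. `/* compat table only for pre-v8 policy that ships net_allowed_af; NULL net_compat means no compat mediation */`, and state the intended outcome for both cases in the description. `unpack_profile` begins and ends outside the hunk.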
diff --git a/series.conf b/series.conf
index 18730de8e0..2ba3ba5534 100644
--- a/series.conf
+++ b/series.conf
@@ -385,6 +385,7 @@
# AppArmor
##########################################################
patches.suse/apparmor-compatibility-with-v2.x-net.patch
+ patches.suse/0001-apparmor-fix-unnecessary-creation-of-net-compat.patch
########################################################
# Address space layout randomization