apparmor: lift kernel socket check out of critical section
authorJohn Johansen <john.johansen@canonical.com>
Wed, 10 Apr 2024 21:49:43 +0000 (14:49 -0700)
committerJohn Johansen <john.johansen@canonical.com>
Sat, 18 Jan 2025 14:47:12 +0000 (06:47 -0800)
There is no need for the kern check to be in the critical section;
it only complicates the code and slows down the case where the
socket is being created by the kernel.

Lifting it out will also allow socket_create to share common template
code, with other socket_permission checks.

Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/lsm.c

index 1246115b7435bd0d4e57f0d0ff02f02c36b277ee..f7b2d4bb1d978b74c857a7e05162f6521c1c7db7 100644 (file)
@@ -1095,10 +1095,14 @@ static int apparmor_socket_create(int family, int type, int protocol, int kern)
 
        AA_BUG(in_interrupt());
 
+       if (kern)
+               return 0;
+
        label = begin_current_label_crit_section();
-       if (!(kern || unconfined(label)))
+       if (!unconfined(label)) {
                error = aa_af_perm(current_cred(), label, OP_CREATE,
                                   AA_MAY_CREATE, family, type, protocol);
+       }
        end_current_label_crit_section(label);
 
        return error;
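Review bot: The new early `if (kern) return 0;` is an unconditional skip of AppArmor mediation, and nothing at that line says why it is safe. Before this change the `kern` test sat next to `unconfined(label)`, so the two exemptions read together; now the kernel-socket exemption is a separate exit taken before the label is even looked up. I would add a comment above it, for example `/* kernel-created sockets are not checked against the current task's label */`, with the wording adjusted to the actual policy intent, which I am inferring. This will matter more if the body is later folded into a shared template as the description suggests, because the exemption then has to stay in this caller. The declarations of `label` and `error` are outside the hunk, so I am assuming `error` starts at 0 for the unconfined path.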