Commit 41dd9596 authored Nov 30, 2020 by Florian Westphal Committed by Jakub Kicinski Dec 03, 2020

security: add const qualifier to struct sock in various places



A followup change to tcp_request_sock_op would have to drop the 'const'
qualifier from the 'route_req' function as the
'security_inet_conn_request' call is moved there - and that function
expects a 'struct sock *'.

However, it turns out its also possible to add a const qualifier to
security_inet_conn_request instead.

Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: James Morris <jamorris@linux.microsoft.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent d4bff72c

include/linux/lsm_audit.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -26,7 +26,7 @@

		struct lsm_network_audit {
		int netif;
		struct sock *sk;
		const struct sock *sk;
		u16 family;
		__be16 dport;
		__be16 sport;

include/linux/lsm_hook_defs.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -301,7 +301,7 @@ LSM_HOOK(void, LSM_RET_VOID, sk_clone_security, const struct sock *sk,
		struct sock *newsk)
		LSM_HOOK(void, LSM_RET_VOID, sk_getsecid, struct sock sk, u32 secid)
		LSM_HOOK(void, LSM_RET_VOID, sock_graft, struct sock sk, struct socket parent)
		LSM_HOOK(int, 0, inet_conn_request, struct sock sk, struct sk_buff skb,
		LSM_HOOK(int, 0, inet_conn_request, const struct sock sk, struct sk_buff skb,
		struct request_sock *req)
		LSM_HOOK(void, LSM_RET_VOID, inet_csk_clone, struct sock *newsk,
		const struct request_sock *req)

include/linux/security.h

+2 −2

Original line number	Diff line number	Diff line
		@@ -1358,7 +1358,7 @@ void security_sk_clone(const struct sock sk, struct sock newsk);
		void security_sk_classify_flow(struct sock sk, struct flowi fl);
		void security_req_classify_flow(const struct request_sock req, struct flowi fl);
		void security_sock_graft(struct socksk, struct socket parent);
		int security_inet_conn_request(struct sock *sk,
		int security_inet_conn_request(const struct sock *sk,
		struct sk_buff skb, struct request_sock req);
		void security_inet_csk_clone(struct sock *newsk,
		const struct request_sock *req);
		@@ -1519,7 +1519,7 @@ static inline void security_sock_graft(struct sock sk, struct socket parent)
		{
		}

		static inline int security_inet_conn_request(struct sock *sk,
		static inline int security_inet_conn_request(const struct sock *sk,
		struct sk_buff skb, struct request_sock req)
		{
		return 0;

security/apparmor/include/net.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -107,6 +107,6 @@ int aa_sock_file_perm(struct aa_label label, const char op, u32 request,
		struct socket *sock);

		int apparmor_secmark_check(struct aa_label label, char op, u32 request,
		u32 secid, struct sock *sk);
		u32 secid, const struct sock *sk);

		#endif /* __AA_NET_H */

security/apparmor/lsm.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1147,7 +1147,7 @@ static void apparmor_sock_graft(struct sock sk, struct socket parent)
		}

		#ifdef CONFIG_NETWORK_SECMARK
		static int apparmor_inet_conn_request(struct sock sk, struct sk_buff skb,
		static int apparmor_inet_conn_request(const struct sock sk, struct sk_buff skb,
		struct request_sock *req)
		{
		struct aa_sk_ctx *ctx = SK_CTX(sk);