| author | John Johansen <john.johansen@canonical.com> | 2025-06-04 11:45:05 +0300 |
|---|---|---|
| committer | John Johansen <john.johansen@canonical.com> | 2025-07-16 08:39:43 +0300 |
| commit | 6456ccbd2ff72814b3c1b2e2a3a2145a2ced858d (patch) | |
| tree | 535c472fed51977ec1c610e00d361f72c03f7ba6 /security/apparmor/include | |
| parent | 50d56a1a366a3a5e7e41d9efff1a5e4ee7bf98a7 (diff) | |
| download | linux-6456ccbd2ff72814b3c1b2e2a3a2145a2ced858d.tar.xz | |
apparmor: fix regression in fs based unix sockets when using old abi
Policy loaded using abi 7 socket mediation was not being applied
correctly in all cases. In some cases with fs based unix sockets a
subset of permissions were allowed when they should have been denied.

This was happening because the check for whether the socket was an fs based
unix socket came before the abi check. But the abi check is where the
correct path is selected, so having the fs unix socket check occur
early would cause the wrong code path to be used.

Fix this by pushing the fs unix check to be done after the abi check.

Fixes: dcd7a559411e ("apparmor: gate make fine grained unix mediation behind v9 abi")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/include')
| -rw-r--r-- | security/apparmor/include/af_unix.h | 3 |
1 files changed, 0 insertions, 3 deletions
diff --git a/security/apparmor/include/af_unix.h b/security/apparmor/include/af_unix.h index 760d98132392..4a62e600d82b 100644 --- a/security/apparmor/include/af_unix.h +++ b/security/apparmor/include/af_unix.h @@ -36,9 +36,6 @@ int aa_unix_peer_perm(const struct cred *subj_cred, struct aa_label *label, const char *op, u32 request, struct sock *sk, struct sock *peer_sk, struct aa_label *peer_label); -int aa_unix_label_sk_perm(const struct cred *subj_cred, - struct aa_label *label, const char *op, u32 request, - struct sock *sk); int aa_unix_sock_perm(const char *op, u32 request, struct socket *sock); int aa_unix_create_perm(struct aa_label *label, int family, int type, int protocol); |
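Review bot: the hunk drops the prototype of aa_unix_label_sk_perm() from af_unix.h, but the commit message only describes reordering the fs based unix socket check after the abi check and says nothing about removing this function; because this diffstat is limited to security/apparmor/include, the matching change to the function's definition and its callers (presumably in af_unix.c, an assumption since that file is not shown here) cannot be checked from this view. Suggest the commit message state that the function is being removed or made static, so a reader can confirm no out-of-file callers remain and that the build still succeeds with the declaration gone.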
