From: John Johansen <john.johansen@canonical.com>
Date: Wed, 30 Jul 2025 10:08:29 +0000 (-0700)
Subject: apparmor: fix test error: WARNING in apparmor_unix_stream_connect
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f3c0675bb9e0a3a472dd519ec7ccde23bdcf180b;p=thirdparty%2Fkernel%2Flinux.git

apparmor: fix test error: WARNING in apparmor_unix_stream_connect

commit 88fec3526e84 ("apparmor: make sure unix socket labeling is correctly updated.")
added the use of security_sk_alloc() which ensures the sk label is
initialized.

This means that the AA_BUG in apparmor_unix_stream_connect() is no
longer correct, because while the sk is still not being initialized
by going through post_create, it is now initialize in sk_alloc().
Remove the now invalid check.

Reported-by: syzbot+cd38ee04bcb3866b0c6d@syzkaller.appspotmail.com
Fixes: 88fec3526e84 ("apparmor: make sure unix socket labeling is correctly updated.")
Signed-off-by: John Johansen <john.johansen@canonical.com>
---

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 9a64b2db02672..e4b2944431e49 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1205,8 +1205,9 @@ static int apparmor_unix_stream_connect(struct sock *sk, struct sock *peer_sk,
 	if (error)
 		return error;
 
-	/* newsk doesn't go through post_create */
-	AA_BUG(rcu_access_pointer(new_ctx->label));
+	/* newsk doesn't go through post_create, but does go through
+	 * security_sk_alloc()
+	 */
 	rcu_assign_pointer(new_ctx->label,
 			   aa_get_label(rcu_dereference_protected(peer_ctx->label,
 								  true)));