From 6cc6a0523dde5b1f001d559d0e034494bc8b0db0 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Wed, 10 Apr 2024 14:49:43 -0700
Subject: [PATCH] apparmor: lift kernel socket check out of critical section
There is no need for the kern check to be in the critical section, it only complicates the code and slows down the case where the socket is being created by the kernel. Lifting it out will also allow socket_create to share common template code, with other socket_permission checks.
Signed-off-by: John Johansen
---
 security/apparmor/lsm.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 1246115b7435b..f7b2d4bb1d978 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1095,10 +1095,14 @@ static int apparmor_socket_create(int family, int type, int protocol, int kern)
 AA_BUG(in_interrupt());
+ if (kern)
+ return 0;
+
 label = begin_current_label_crit_section();
- if (!(kern || unconfined(label)))
+ if (!unconfined(label)) {
 error = aa_af_perm(current_cred(), label, OP_CREATE, AA_MAY_CREATE, family, type, protocol);
+ }
 end_current_label_crit_section(label);
 return error;
--
2.47.2
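Review bot: The new early `if (kern) return 0;` skips AppArmor mediation entirely for kernel-created sockets, yet nothing at that line says the exemption is intentional. A one-line comment above it, for example `/* kernel-internal sockets are not mediated against current's label */`, would help here. The description expects this function to move onto shared socket_permission template code, and the comment would stop that refactor from dropping or reordering the exemption unnoticed. Behaviour looks unchanged from the old `!(kern || unconfined(label))` test, provided `error` is initialised to 0; its declaration is outside this hunk, as are the start and end of apparmor_socket_create's body.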