authorJohn Johansen <[email protected]>2024-10-12 11:43:34 +0000
committerJohn Johansen <[email protected]>2025-01-18 14:47:13 +0000
commitdcd7a559411e8e1cd627ad20ac70faee77329380 (patch)
tree4fbe1e847dd034df3d5aca0f211fa640f45d04b9 /security/apparmor/af_unix.c
parentapparmor: add fine grained af_unix mediation (diff)
apparmor: gate make fine grained unix mediation behind v9 abi
Fine grained unix mediation in Ubuntu used ABI v7, and policy using this has propagated onto systems where fine grained unix mediation was not supported. The userspace policy compiler supports downgrading policy so the policy could be shared without changes. Unfortunately this had the side effect that policy was not updated for the non-Ubuntu systems, and enabling fine grained unix mediation on those systems means that a new kernel can break a system with existing policy that worked with the previous kernel. With fine grained af_unix mediation this regression can easily break the system, causing boot to fail, as it affects unix socket files, non-file based unix sockets, and dbus communication. To avoid this regression, move fine grained af_unix mediation behind a new abi. This means that the system's userspace and policy must be updated to support the new policy before it takes effect, and dropping a new kernel on an existing system will not result in a regression. The abi bump is done in such a way that existing policy can be activated on the system by changing the policy abi declaration, and existing unix policy rules will apply. Policy then only needs to be incrementally updated, and can even be backported to existing Ubuntu policy. Signed-off-by: John Johansen <[email protected]>
Diffstat (limited to 'security/apparmor/af_unix.c')
-rw-r--r--security/apparmor/af_unix.c14
1 files changed, 7 insertions, 7 deletions
diff --git a/security/apparmor/af_unix.c b/security/apparmor/af_unix.c
index ce7dc9d98fb1..ed4b34b88e38 100644
--- a/security/apparmor/af_unix.c
+++ b/security/apparmor/af_unix.c
@@ -197,7 +197,7 @@ static int profile_create_perm(struct aa_profile *profile, int family,
AA_BUG(!profile);
AA_BUG(profile_unconfined(profile));
- state = RULE_MEDIATES_NET(rules);
+ state = RULE_MEDIATES_v9NET(rules);
if (state) {
state = aa_match_to_prot(rules->policy, state, AA_MAY_CREATE,
PF_UNIX, type, protocol, NULL,
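Review bot: The new `state = RULE_MEDIATES_v9NET(rules);` line carries no comment saying why the gate is tied to abi v9, and the identical swap is repeated without explanation in profile_sk_perm, profile_bind_perm, profile_listen_perm, profile_accept_perm, profile_opt_perm and profile_peer_perm; a maintainer reading only the code may later "restore" RULE_MEDIATES_NET and reintroduce the boot regression the commit message describes. Suggest a short comment at the first site, e.g. `/* fine-grained af_unix rules only apply to policy declaring abi v9+; older abi policy must not be broken by a new kernel */`, or a single file-local helper wrapping the check so the rationale lives in one place. The definition of RULE_MEDIATES_v9NET and the path taken when state is 0 are both outside this hunk, so what older-abi policy falls back to should be confirmed before wording the comment. profile_create_perm's body starts and ends outside the hunk.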
@@ -226,7 +226,7 @@ static int profile_sk_perm(struct aa_profile *profile,
AA_BUG(is_unix_fs(sk));
AA_BUG(profile_unconfined(profile));
- state = RULE_MEDIATES_NET(rules);
+ state = RULE_MEDIATES_v9NET(rules);
if (state) {
state = match_to_sk(rules->policy, state, request, unix_sk(sk),
&p, &ad->info);
@@ -251,7 +251,7 @@ static int profile_bind_perm(struct aa_profile *profile, struct sock *sk,
AA_BUG(!ad);
AA_BUG(profile_unconfined(profile));
- state = RULE_MEDIATES_NET(rules);
+ state = RULE_MEDIATES_v9NET(rules);
if (state) {
/* bind for abstract socket */
state = match_to_local(rules->policy, state, AA_MAY_BIND,
@@ -281,7 +281,7 @@ static int profile_listen_perm(struct aa_profile *profile, struct sock *sk,
AA_BUG(!ad);
AA_BUG(profile_unconfined(profile));
- state = RULE_MEDIATES_NET(rules);
+ state = RULE_MEDIATES_v9NET(rules);
if (state) {
__be16 b = cpu_to_be16(backlog);
@@ -315,7 +315,7 @@ static int profile_accept_perm(struct aa_profile *profile,
AA_BUG(!ad);
AA_BUG(profile_unconfined(profile));
- state = RULE_MEDIATES_NET(rules);
+ state = RULE_MEDIATES_v9NET(rules);
if (state) {
state = match_to_sk(rules->policy, state, AA_MAY_ACCEPT,
unix_sk(sk), &p, &ad->info);
@@ -342,7 +342,7 @@ static int profile_opt_perm(struct aa_profile *profile, u32 request,
AA_BUG(!ad);
AA_BUG(profile_unconfined(profile));
- state = RULE_MEDIATES_NET(rules);
+ state = RULE_MEDIATES_v9NET(rules);
if (state) {
__be16 b = cpu_to_be16(optname);
@@ -379,7 +379,7 @@ static int profile_peer_perm(struct aa_profile *profile, u32 request,
AA_BUG(!ad);
AA_BUG(is_unix_fs(peer_sk)); /* currently always calls unix_fs_perm */
- state = RULE_MEDIATES_NET(rules);
+ state = RULE_MEDIATES_v9NET(rules);
if (state) {
struct aa_sk_ctx *peer_ctx = aa_sock(peer_sk);
struct aa_profile *peerp;