UBUNTU: SAUCE: apparmor: flock mediation is not being enforced on cache check
[mirror_ubuntu-zesty-kernel.git] / security / apparmor / file.c
index 546f7688416b104f2376551d28f25a6afac64137..ae0b7c74a9ea686f808069162718ddb4fe757208 100644 (file)
@@ -536,18 +536,23 @@ static int __file_path_perm(const char *op, struct aa_label *label,
        error = fn_for_each_not_in_set(flabel, label, profile,
                        profile_path_perm(op, profile, &file->f_path, buffer,
                                          request, &cond, flags, &perms));
-       if (denied) {
+       if (denied && !error) {
                /* check every profile in file label that was not tested
                 * in the initial check above.
                 */
                /* TODO: cache full perms so this only happens because of
                 * conditionals */
                /* TODO: don't audit here */
-               last_error(error,
-                       fn_for_each_not_in_set(label, flabel, profile,
+               if (label == flabel)
+                       error = fn_for_each(label, profile,
+                               profile_path_perm(op, profile, &file->f_path,
+                                                 buffer, request, &cond, flags,
+                                                 &perms));
+               else
+                       error = fn_for_each_not_in_set(label, flabel, profile,
                                profile_path_perm(op, profile, &file->f_path,
                                                  buffer, request, &cond, flags,
-                                                 &perms)));
+                                                 &perms));
        }
        if (!error)
                update_file_ctx(file_ctx(file), label, request);
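Review bot: The `else` branch still appears to skip profiles that are in both `label` and `flabel` when the two labels only partly overlap. Assuming `fn_for_each_not_in_set` walks only the set difference, as its name suggests, those shared profiles are never re-checked against the denied bits, yet `update_file_ctx()` then caches the request as allowed. The new `label == flabel` branch handles only full overlap, so either confirm that `denied` (computed outside this hunk) cannot be non-zero in the partial case, or run `fn_for_each(label, profile, ...)` whenever `denied` is set. The existing comment also no longer matches the first branch and could say so: `/* label == flabel: the difference walks visit nothing, so re-check every profile for the denied bits */`. Separately, replacing `last_error()` with the `!error` guard means the second walk, and any audit records it would emit, is skipped once the first walk fails; note that in the commit message if it is intended.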