Revert "UBUNTU: SAUCE: apparmor: flock mediation is not being enforced on cache check"
authorStefan Bader <stefan.bader@canonical.com>
Wed, 22 Mar 2017 08:40:53 +0000 (09:40 +0100)
committerStefan Bader <stefan.bader@canonical.com>
Wed, 22 Mar 2017 10:20:12 +0000 (11:20 +0100)
This reverts commit 1d96b90faafab843e3a61d037fc286dd17ef6b61.

BugLink: https://bugs.launchpad.net/bugs/1666897
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
security/apparmor/file.c

index 1d049da7cc37a72c766c91b4e02a7774e6b5f8d6..95bb2eb7183acea11bb8a8f3625ee464819d5f56 100644 (file)
@@ -536,23 +536,18 @@ static int __file_path_perm(const char *op, struct aa_label *label,
        error = fn_for_each_not_in_set(flabel, label, profile,
                        profile_path_perm(op, profile, &file->f_path, buffer,
                                          request, &cond, flags, &perms));
-       if (denied && !error) {
+       if (denied) {
                /* check every profile in file label that was not tested
                 * in the initial check above.
                 */
                /* TODO: cache full perms so this only happens because of
                 * conditionals */
                /* TODO: don't audit here */
-               if (label == flabel)
-                       error = fn_for_each(label, profile,
-                               profile_path_perm(op, profile, &file->f_path,
-                                                 buffer, request, &cond, flags,
-                                                 &perms));
-               else
-                       error = fn_for_each_not_in_set(label, flabel, profile,
+               last_error(error,
+                       fn_for_each_not_in_set(label, flabel, profile,
                                profile_path_perm(op, profile, &file->f_path,
                                                  buffer, request, &cond, flags,
-                                                 &perms));
+                                                 &perms)));
        }
        if (!error)
                update_file_ctx(file_ctx(file), label, request);
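Review bot: With the `label == flabel` branch removed, the `if (denied)` block only calls `fn_for_each_not_in_set(label, flabel, ...)`, which, going by its name, visits no profile when both labels are the same object. In that case a denied request would presumably reach `update_file_ctx()` with `error` still 0, without any `profile_path_perm()` check having run; that matches the gap named in the reverted commit's title (flock mediation not enforced on the cache check). The commit message gives only a BugLink, so it should state why the revert is needed and how the identical-label case stays mediated, or the revert should keep a `fn_for_each(label, profile, ...)` pass for `label == flabel`. If the gap is accepted for now, record it at the call with a comment such as `/* FIXME: label == flabel walks an empty set here, so denied perms are not re-checked */`. The function begins before and continues after this hunk, so how `denied` is computed and any earlier return paths are not visible here.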