pivotroot medition may change the tasks current cred if the a transition
rule is defined. However aa_begin_current_label(), and
aa_end_current_label() define a critical section block where the tasks
cred label are not allowed to be updated. Specifically they do not take
a refcount on the tasks cred, but will return a refcounted label IF
there is an updated version of the label that can not be immediately
updated. The aa_end_current_label() fn detects whether the label used
has a refcount to put by comparing the label to the task's cred label,
and if its different putting label.

When the task cred's label is changed within this critical section,
the cred update will put the creds label reference, and then the
aa_begin_current_label() fn will detect the difference in the cred
and working label and subsequentially do an extra put on the label.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>