UBUNTU: SAUCE: apparmor: flock mediation is not being enforced on cache check

When an open file with cached permissions is checked for the flock
permission. The cache check fails and falls through to no error instead
of auditing, and returning an error.

For the fall through to do a permission check, so it will audit the
failed flock permission check.

BugLink: http://bugs.launchpad.net/bugs/1658219Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>

security/apparmor/file.c

@@ -536,18 +536,23 @@ static int __file_path_perm(const char *op, struct aa_label *label,
 	error = fn_for_each_not_in_set(flabel, label, profile,
 			profile_path_perm(op, profile, &file->f_path, buffer,
 					  request, &cond, flags, &perms));
-	if (denied) {
+	if (denied && !error) {
 		/* check every profile in file label that was not tested
 		 * in the initial check above.
 		 */
 		/* TODO: cache full perms so this only happens because of
 		 * conditionals */
 		/* TODO: don't audit here */
-		last_error(error,
-			fn_for_each_not_in_set(label, flabel, profile,
+		if (label == flabel)
+			error = fn_for_each(label, profile,
+				profile_path_perm(op, profile, &file->f_path,
+						  buffer, request, &cond, flags,
+						  &perms));
+		else
+			error = fn_for_each_not_in_set(label, flabel, profile,
 				profile_path_perm(op, profile, &file->f_path,
 						  buffer, request, &cond, flags,
-						  &perms)));
+						  &perms));
 	}
 	if (!error)
 		update_file_ctx(file_ctx(file), label, request);