UBUNTU: SAUCE: apparmor Fix: refcount bug in pivotroot mediation

pivotroot medition may change the tasks current cred if the a transition
rule is defined. However aa_begin_current_label(), and
aa_end_current_label() define a critical section block where the tasks
cred label are not allowed to be updated. Specifically they do not take
a refcount on the tasks cred, but will return a refcounted label IF
there is an updated version of the label that can not be immediately
updated. The aa_end_current_label() fn detects whether the label used
has a refcount to put by comparing the label to the task's cred label,
and if its different putting label.

When the task cred's label is changed within this critical section,
the cred update will put the creds label reference, and then the
aa_begin_current_label() fn will detect the difference in the cred
and working label and subsequentially do an extra put on the label.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

security/apparmor/include/context.h

@@ -162,6 +162,8 @@ static inline void aa_end_current_label(struct aa_label *label)
  *   just return the up to date label
  *
  * The returned reference must be put with aa_end_current_label()
+ * This must NOT be used if the task cred could be updated within the
+ * critical section between aa_begin_current_label() .. aa_end_current_label()
  */
 static inline struct aa_label *aa_begin_current_label(bool update)
 {

security/apparmor/lsm.c

@@ -580,10 +580,10 @@ static int apparmor_sb_pivotroot(struct path *old_path, struct path *new_path)
 	struct aa_label *label;
 	int error = 0;
 
-	label = aa_begin_current_label(NO_UPDATE);
+	label = aa_get_current_label();
 	if (!unconfined(label))
 		error = aa_pivotroot(label, old_path, new_path);
-	aa_end_current_label(label);
+	aa_put_label(label);
 
 	return error;
 }