Revert "UBUNTU: SAUCE: apparmor: rework retrieval of the current label in the profile update case"

BugLink: http://bugs.launchpad.net/bugs/1379535

This reverts commit 8a6a317400fcd5e4eebfc20665ca0b3e8dbc8217.
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

security/apparmor/lsm.c

@@ -105,12 +105,11 @@ static int apparmor_ptrace_access_check(struct task_struct *child,
 	struct aa_label *tracer, *tracee;
 	int error;
 	
-	tracer = aa_begin_current_label(DO_UPDATE);
+	tracer = aa_current_label();
 	tracee = aa_get_task_label(child);
 	error = aa_may_ptrace(tracer, tracee,
 		  mode == PTRACE_MODE_READ ? AA_PTRACE_READ : AA_PTRACE_TRACE);
 	aa_put_label(tracee);
-	aa_end_current_label(tracer);
 	return error;
 }
 
@@ -119,12 +118,10 @@ static int apparmor_ptrace_traceme(struct task_struct *parent)
 	struct aa_label *tracer, *tracee;
 	int error;
 	
-	tracee = aa_begin_current_label(DO_UPDATE);
+	tracee = aa_current_label();
 	tracer = aa_get_task_label(parent);
 	error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE);
 	aa_put_label(tracer);
-	aa_end_current_label(tracee);
-
 	return error;
 }
 
@@ -190,7 +187,7 @@ static int common_perm(int op, struct path *path, u32 mask,
 	struct aa_label *label;
 	int error = 0;
 
-	label = aa_begin_current_label(NO_UPDATE);
+	label = aa_begin_current_label();
 	if (!unconfined(label))
 		error = aa_path_perm(op, label, path, 0, mask, cond);
 	aa_end_current_label(label);
@@ -345,11 +342,9 @@ static int apparmor_path_link(struct dentry *old_dentry, struct path *new_dir,
 	if (!path_mediated_fs(old_dentry))
 		return 0;
 
-	label = aa_begin_current_label(DO_UPDATE);
+	label = aa_current_label();
 	if (!unconfined(label))
 		error = aa_path_link(label, old_dentry, new_dir, new_dentry);
-	aa_end_current_label(label);
-
 	return error;
 }
 
@@ -362,7 +357,7 @@ static int apparmor_path_rename(struct path *old_dir, struct dentry *old_dentry,
 	if (!path_mediated_fs(old_dentry))
 		return 0;
 
-	label = aa_begin_current_label(DO_UPDATE);
+	label = aa_current_label();
 	if (!unconfined(label)) {
 		struct path old_path = { old_dir->mnt, old_dentry };
 		struct path new_path = { new_dir->mnt, new_dentry };
@@ -380,8 +375,6 @@ static int apparmor_path_rename(struct path *old_dir, struct dentry *old_dentry,
 					     AA_MAY_CREATE, &cond);
 
 	}
-	aa_end_current_label(label);
-
 	return error;
 }
 
@@ -446,16 +439,12 @@ static int apparmor_file_open(struct file *file, const struct cred *cred)
 
 static int apparmor_file_alloc_security(struct file *file)
 {
-	int error = 0;
-
 	/* freed by apparmor_file_free_security */
-	struct aa_label *label = aa_begin_current_label(DO_UPDATE);
-	file->f_security = aa_alloc_file_cxt(label, GFP_KERNEL);
+	file->f_security = aa_alloc_file_cxt(aa_current_label(), GFP_KERNEL);
 	if (!file_cxt(file))
-		error = -ENOMEM;
-	aa_end_current_label(label);
+		return -ENOMEM;
+	return 0;
 
-	return error;
 }
 
 static void apparmor_file_free_security(struct file *file)
@@ -468,7 +457,7 @@ static int common_file_perm(int op, struct file *file, u32 mask)
 	struct aa_label *label;
 	int error = 0;
 
-	label = aa_begin_current_label(NO_UPDATE);
+	label = aa_begin_current_label();
 	error = aa_file_perm(op, label, file, mask);
 	aa_end_current_label(label);
 
@@ -542,7 +531,7 @@ static int apparmor_sb_mount(const char *dev_name, struct path *path,
 
 	flags &= ~AA_MS_IGNORE_MASK;
 
-	label = aa_begin_current_label(NO_UPDATE);
+	label = aa_begin_current_label();
 	if (!unconfined(label)) {
 		if (flags & MS_REMOUNT)
 			error = aa_remount(label, path, flags, data);
@@ -567,7 +556,7 @@ static int apparmor_sb_umount(struct vfsmount *mnt, int flags)
 	struct aa_label *label;
 	int error = 0;
 
-	label = aa_begin_current_label(NO_UPDATE);
+	label = aa_begin_current_label();
 	if (!unconfined(label))
 		error = aa_umount(label, mnt, flags);
 	aa_end_current_label(label);
@@ -580,7 +569,7 @@ static int apparmor_sb_pivotroot(struct path *old_path, struct path *new_path)
 	struct aa_label *label;
 	int error = 0;
 
-	label = aa_begin_current_label(NO_UPDATE);
+	label = aa_begin_current_label();
 	if (!unconfined(label))
 		error = aa_pivotroot(label, old_path, new_path);
 	aa_end_current_label(label);
@@ -679,11 +668,10 @@ static int apparmor_setprocattr(struct task_struct *task, char *name,
 	return error;
 
 fail:
-	aad(&sa)->label = aa_begin_current_label(DO_UPDATE);
+	aad(&sa)->label = aa_current_label();
 	aad(&sa)->info = name;
 	aad(&sa)->error = -EINVAL;
 	aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
-	aa_end_current_label(aad(&sa)->label);
 	return -EINVAL;
 }
 
@@ -722,7 +710,7 @@ void apparmor_bprm_committed_creds(struct linux_binprm *bprm)
 static int apparmor_task_setrlimit(struct task_struct *task,
 		unsigned int resource, struct rlimit *new_rlim)
 {
-	struct aa_label *label = aa_begin_current_label(NO_UPDATE);
+	struct aa_label *label = aa_begin_current_label();
 	int error = 0;
 
 	if (!unconfined(label))
@@ -802,7 +790,7 @@ static int apparmor_unix_stream_connect(struct sock *sk, struct sock *peer_sk,
 	struct path *path;
 	int error;
 
-	label = aa_begin_current_label(NO_UPDATE);
+	label = aa_begin_current_label();
 	error = aa_unix_peer_perm(label, OP_CONNECT,
 				(AA_MAY_CONNECT | AA_MAY_SEND | AA_MAY_RECEIVE),
 				  sk, peer_sk, NULL);
@@ -855,7 +843,7 @@ static int apparmor_unix_stream_connect(struct sock *sk, struct sock *peer_sk,
 static int apparmor_unix_may_send(struct socket *sock, struct socket *peer)
 {
 	struct aa_sk_cxt *peer_cxt = SK_CXT(peer->sk);
-	struct aa_label *label = aa_begin_current_label(NO_UPDATE);
+	struct aa_label *label = aa_begin_current_label();
 	int error;
 
 	error = xcheck(aa_unix_peer_perm(label, OP_SENDMSG, AA_MAY_SEND,
@@ -873,14 +861,12 @@ static int apparmor_unix_may_send(struct socket *sock, struct socket *peer)
 static int apparmor_socket_create(int family, int type, int protocol, int kern)
 {
 	struct aa_label *label;
-	int error = 0;
 
-	label = aa_begin_current_label(DO_UPDATE);
-	if (!(kern || unconfined(label)))
-		error = aa_sock_create_perm(label, family, type, protocol);
-	aa_end_current_label(label);
+	label = aa_current_label();
+	if (kern || unconfined(label))
+		return 0;
 
-	return error;
+	return aa_sock_create_perm(label, family, type, protocol);
 }
 
 /**
@@ -901,7 +887,7 @@ static int apparmor_socket_post_create(struct socket *sock, int family,
 	if (kern)
 		label = aa_get_label(&current_ns()->unconfined->label);
 	else
-		label = aa_get_current_label();
+		label = aa_get_label(aa_current_label());
 
 	if (sock->sk) {
 		struct aa_sk_cxt *cxt = SK_CXT(sock->sk);
@@ -1070,7 +1056,7 @@ static int apparmor_socket_getpeersec_stream(struct socket *sock,
 {
 	char *name;
 	int slen, error = 0;
-	struct aa_label *label = aa_begin_current_label(DO_UPDATE);
+	struct aa_label *label = aa_current_label();
 	struct aa_label *peer = sk_peer_label(sock->sk);
 
 	if (IS_ERR(peer))
@@ -1093,7 +1079,6 @@ static int apparmor_socket_getpeersec_stream(struct socket *sock,
 		kfree(name);
 
 	}
-	aa_end_current_label(label);
 
 	return error;
 }
@@ -1143,7 +1128,7 @@ static int apparmor_task_kill(struct task_struct *target, struct siginfo *info,
 		 *  Dealing with USB IO specific behavior
 		 */
 		return 0;
-	cl = aa_begin_current_label(NO_UPDATE);
+	cl = aa_begin_current_label();
 	tl = aa_get_task_label(target);
 	error = aa_may_signal(cl, tl, sig);
 	aa_put_label(tl);