authorJohn Johansen <john.johansen@canonical.com>2024-01-19 00:12:16 -0800
committerJohn Johansen <john.johansen@canonical.com>2025-01-18 06:47:12 -0800
commitcd769b05cc87fb527dbab547e65b934b45705d6b (patch)
treef75630f95f98e0b2f0dd32a144c534f8a7deeaaf
parent0bc8c6862faaa80a2c89c73cc3936cbe2d35235c (diff)
apparmor: ensure labels with more than one entry have correct flags
labels containing more than one entry need to accumulate flag info from profiles that the label is constructed from. This is done correctly for labels created by a merge but is not being done for labels created by an update or directly created via a parse. This technically is a bug fix; however, the effect in current code is to cause the early unconfined bail out to not happen (i.e. without the fix it is slower) on labels that were created via an update or a parse. Signed-off-by: John Johansen <john.johansen@canonical.com>
-rw-r--r--security/apparmor/label.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/security/apparmor/label.c b/security/apparmor/label.c
index f950dcc1842b..868874ef3d35 100644
--- a/security/apparmor/label.c
+++ b/security/apparmor/label.c
@@ -645,6 +645,7 @@ static bool __label_replace(struct aa_label *old, struct aa_label *new)
rb_replace_node(&old->node, &new->node, &ls->root);
old->flags &= ~FLAG_IN_TREE;
new->flags |= FLAG_IN_TREE;
+ new->flags |= accum_vec_flags(new->vec, new->size);
return true;
}
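Review bot: The accumulated vec flags are ORed into `new->flags` only after `rb_replace_node()` has already linked the label into the tree, so there is a window in which a label is reachable from the labelset with incomplete flags; the same ordering appears in `__label_insert` in the next hunk, where the accumulation follows `rb_insert_color()`. Both call sites run under the labelset write lock as far as the hunks show, so this is presumably a style and robustness point rather than an observable race, but moving `new->flags |= accum_vec_flags(new->vec, new->size);` above `rb_replace_node(&old->node, &new->node, &ls->root);` (and the matching line above `rb_link_node()`) would make the invariant hold at every instant. Since the commit message is the only place that explains why flags are accumulated here, a short comment at the insertion point would help the next reader, e.g. `/* flags derived from the vec (eg. unconfined) must be complete once the label is in the tree */`. Note that `|=` never clears bits, so a label constructed with stale flag bits keeps them; if that is intended it is worth saying so in the same comment. The body of `__label_replace` begins outside this hunk.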
@@ -705,6 +706,7 @@ static struct aa_label *__label_insert(struct aa_labelset *ls,
rb_link_node(&label->node, parent, new);
rb_insert_color(&label->node, &ls->root);
label->flags |= FLAG_IN_TREE;
+ label->flags |= accum_vec_flags(label->vec, label->size);
return aa_get_label(label);
}
@@ -1085,7 +1087,6 @@ static struct aa_label *label_merge_insert(struct aa_label *new,
else if (k == b->size)
return aa_get_label(b);
}
- new->flags |= accum_vec_flags(new->vec, new->size);
ls = labels_set(new);
write_lock_irqsave(&ls->lock, flags);
label = __label_insert(labels_set(new), new, false);