apparmor: remove redundant perms.allow MAY_EXEC bitflag set

This section of profile_transition that occurs after x_to_label only
happens if perms.allow already has the MAY_EXEC bit set, so we don't need
to set it again.

Fixes: 16916b17b4f8 ("apparmor: force auditing of conflicting attachment execs from confined")
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index f9370a63a83c0a79efa510dfcc3ce9eba4c98cad..d689597f253b4bdd555ef733688171f24f35f423 100644 (file)
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -734,10 +734,8 @@ static struct aa_label *profile_transition(const struct cred *subj_cred,
                         * we don't need to care about clobbering it
                         */
                        if (info == CONFLICTING_ATTACH_STR_IX
-                           || info == CONFLICTING_ATTACH_STR_UX) {
+                           || info == CONFLICTING_ATTACH_STR_UX)
                                perms.audit |= MAY_EXEC;
-                               perms.allow |= MAY_EXEC;
-                       }
                        /* hack ix fallback - improve how this is detected */
                        goto audit;
                } else if (!new) {