apparmor: remove apply_modes_to_perms from label_match

The modes shouldn't be applied at the point of label match, it just
results in them being applied multiple times. Instead they should be
applied after which is already being done by all callers so it can
just be dropped from label_match.

Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

diff --git a/security/apparmor/label.c b/security/apparmor/label.c
index 913678f199c35867f13d33334dcd04d6d950a5fa..02ee128f53d13f4b0d5609441906e1c80994fcdc 100644 (file)
--- a/security/apparmor/label.c
+++ b/security/apparmor/label.c
@@ -1317,7 +1317,6 @@ next:
                        goto fail;
        }
        *perms = *aa_lookup_perms(rules->policy, state);
-       aa_apply_modes_to_perms(profile, perms);
        if ((perms->allow & request) != request)
                return -EACCES;
 
@@ -1370,7 +1369,6 @@ static int label_components_match(struct aa_profile *profile,
 
 next:
        tmp = *aa_lookup_perms(rules->policy, state);
-       aa_apply_modes_to_perms(profile, &tmp);
        aa_perms_accum(perms, &tmp);
        label_for_each_cont(i, label, tp) {
                if (!aa_ns_visible(profile->ns, tp->ns, subns))
@@ -1379,7 +1377,6 @@ next:
                if (!state)
                        goto fail;
                tmp = *aa_lookup_perms(rules->policy, state);
-               aa_apply_modes_to_perms(profile, &tmp);
                aa_perms_accum(perms, &tmp);
        }