apparmor: switch from profiles to using labels on contexts

Begin the actual switch to using domain labels by storing them on
the context and converting the label to a singular profile where
possible.

Signed-off-by: John Johansen <john.johansen@canonical.com>

1 files changed, 4 insertions, 4 deletions

diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c
index b26f1dac5106..ab8e104c1970 100644
--- a/security/apparmor/resource.c
+++ b/security/apparmor/resource.c
@@ -86,11 +86,11 @@ int aa_map_resource(int resource)
 int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *task,
 		      unsigned int resource, struct rlimit *new_rlim)
 {
-	struct aa_profile *task_profile;
+	struct aa_label *task_label;
 	int error = 0;
 
 	rcu_read_lock();
-	task_profile = aa_get_newest_cred_profile((__task_cred(task)));
+	task_label = aa_get_newest_cred_label((__task_cred(task)));
 	rcu_read_unlock();
 
 	/* TODO: extend resource control to handle other (non current)
@@ -99,13 +99,13 @@ int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *task,
 	 * the same profile or that the task setting the resource of another
 	 * task has CAP_SYS_RESOURCE.
 	 */
-	if ((profile != task_profile &&
+	if ((profile != labels_profile(task_label) &&
 	     aa_capable(profile, CAP_SYS_RESOURCE, 1)) ||
 	    (profile->rlimits.mask & (1 << resource) &&
 	     new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max))
 		error = -EACCES;
 
-	aa_put_profile(task_profile);
+	aa_put_label(task_label);
 
 	return audit_resource(profile, resource, new_rlim->rlim_max, error);
 }