UBUNTU: SAUCE: apparmor4.0.0 [77/90]: apparmor: ensure labels with more than one entry have correct flags

BugLink: http://bugs.launchpad.net/bugs/2028253

labels containing more than one entry need to accumulate flag info
from profiles that the label is constructed from. This is done
correctly for labels created by a merge but is not being done for
labels created by an update or directly created via a parse.

This technically is a bug fix, however the effect in current code is
to cause early unconfined bail out to not happen (ie. its slower) on
labels that were created via update or a parse.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 057bf67d3bd3cd439d9917c94ed1dc146e6ff91a
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>

security/apparmor/label.c

@@ -645,6 +645,7 @@ static bool __label_replace(struct aa_label *old, struct aa_label *new)
 		rb_replace_node(&old->node, &new->node, &ls->root);
 		old->flags &= ~FLAG_IN_TREE;
 		new->flags |= FLAG_IN_TREE;
+		new->flags |= accum_vec_flags(new->vec, new->size);
 		return true;
 	}
 
@@ -705,6 +706,7 @@ static struct aa_label *__label_insert(struct aa_labelset *ls,
 	rb_link_node(&label->node, parent, new);
 	rb_insert_color(&label->node, &ls->root);
 	label->flags |= FLAG_IN_TREE;
+	label->flags |= accum_vec_flags(label->vec, label->size);
 
 	return aa_get_label(label);
 }
@@ -1102,7 +1104,6 @@ static struct aa_label *label_merge_insert(struct aa_label *new,
 		else if (k == b->size)
 			return aa_get_label(b);
 	}
-	new->flags |= accum_vec_flags(new->vec, new->size);
 	ls = labels_set(new);
 	write_lock_irqsave(&ls->lock, flags);
 	label = __label_insert(labels_set(new), new, false);