apparmor: remove apply_modes_to_perms from label_match

The modes shouldn't be applied at the point of label match, it just results in them being applied multiple times. Instead they should be applied after which is already being done by all callers so it can just be dropped from label_match. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
author: John Johansen <john.johansen@canonical.com> 2025-11-14 00:14:36 -0800
committer: John Johansen <john.johansen@canonical.com> 2026-01-29 01:27:54 -0800
commit: b2e27be2948f2f8c38421cd554b5fc9383215648 (patch)
tree: 526b27da1a4ada763d0aa9a34ae84717623e90f0 /security
parent: 9f79b1cee91b3591a9b8fc0b3534ec966b8e463f (diff)
1 files changed, 0 insertions, 3 deletions
diff --git a/security/apparmor/label.c b/security/apparmor/label.c
index 913678f199c3..02ee128f53d1 100644
--- a/security/apparmor/label.c
+++ b/security/apparmor/label.c
@@ -1317,7 +1317,6 @@ next:
 			goto fail;
 	}
 	*perms = *aa_lookup_perms(rules->policy, state);
-	aa_apply_modes_to_perms(profile, perms);
 	if ((perms->allow & request) != request)
 		return -EACCES;
 
@@ -1370,7 +1369,6 @@ static int label_components_match(struct aa_profile *profile,
 
 next:
 	tmp = *aa_lookup_perms(rules->policy, state);
-	aa_apply_modes_to_perms(profile, &tmp);
 	aa_perms_accum(perms, &tmp);
 	label_for_each_cont(i, label, tp) {
 		if (!aa_ns_visible(profile->ns, tp->ns, subns))
@@ -1379,7 +1377,6 @@ next:
 		if (!state)
 			goto fail;
 		tmp = *aa_lookup_perms(rules->policy, state);
-		aa_apply_modes_to_perms(profile, &tmp);
 		aa_perms_accum(perms, &tmp);
 	}
author	John Johansen <john.johansen@canonical.com>	2025-11-14 00:14:36 -0800
committer	John Johansen <john.johansen@canonical.com>	2026-01-29 01:27:54 -0800
commit	b2e27be2948f2f8c38421cd554b5fc9383215648 (patch)
tree	526b27da1a4ada763d0aa9a34ae84717623e90f0 /security
parent	9f79b1cee91b3591a9b8fc0b3534ec966b8e463f (diff)