From: Miklos Szeredi <mszeredi@suse.cz>
Subject: apparmor: fix open after profile replacement
Patch-mainline: not yet
References: bnc#885599

Don't use obsolete profile in apparmor_file_open().

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
---
 security/apparmor/lsm.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -376,6 +376,7 @@ static int apparmor_inode_getattr(struct
 
 static int apparmor_file_open(struct file *file, const struct cred *cred)
 {
+	const struct aa_task_cxt *cxt = cred_cxt(cred);
 	struct aa_file_cxt *fcxt = file->f_security;
 	struct aa_profile *profile;
 	int error = 0;
@@ -393,7 +394,7 @@ static int apparmor_file_open(struct fil
 		return 0;
 	}
 
-	profile = aa_cred_profile(cred);
+	profile = aa_get_newest_profile(cxt->profile);
 	if (!unconfined(profile)) {
 		struct inode *inode = file_inode(file);
 		struct path_cond cond = { inode->i_uid, inode->i_mode };
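Review bot: `cxt->profile` is read in the `aa_get_newest_profile(cxt->profile)` call without any check that `cred_cxt(cred)` yielded a context with a profile attached. The definition of the replaced `aa_cred_profile()` is not visible here; if it asserted that invariant, the open hook now silently loses it, so either confirm that every cred reaching this hook carries a context or restate the check, e.g. `BUG_ON(!cxt || !cxt->profile);`. A short comment above the lookup, such as `/* mediate against the newest profile; the cred's profile may have been replaced */`, would record why this hook differs from a plain cred lookup. The body of apparmor_file_open() starts and ends outside this hunk.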
@@ -403,6 +404,7 @@ static int apparmor_file_open(struct fil
 		/* todo cache full allowed permissions set and state */
 		fcxt->allow = aa_map_file_to_perms(file);
 	}
+	aa_put_profile(profile);
 
 	return error;
 }
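Review bot: The `aa_put_profile(profile)` added after the `if` block is the only visible release of the reference that `aa_get_newest_profile()` appears to take, and the lines between the second and third hunks are not shown. If any path in that gap returns early, the profile reference leaks, so the hidden lines should be checked for a `return` before merging. A comment on the release, e.g. `/* drop the reference taken by aa_get_newest_profile() */`, would make the pairing visible to whoever later adds an exit path.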