From 0256a7f382670a4f07b6b6068371f1463c251325 Mon Sep 17 00:00:00 2001
From: Goldwyn Rodrigues <rgoldwyn@suse.com>
Date: Tue, 20 Nov 2018 06:36:26 -0600
Subject: [PATCH] apparmor: fix unnecessary creation of net-compat
Patch-mainline: Never, fixes a compat patch
References: bsc#1116724 

We do not want to create net-compat all of the time,
only when there are rules in profile AND version is less
than 8. This will improve performance for cases which
does not have net rules in profile but uses networking.

Also, remove a bogus condition.

Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
---
 security/apparmor/net.c           | 2 --
 security/apparmor/policy_unpack.c | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/security/apparmor/net.c b/security/apparmor/net.c
index 042aee4408c1..b19778a1798d 100644
--- a/security/apparmor/net.c
+++ b/security/apparmor/net.c
@@ -174,8 +174,6 @@ int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
 		return 0;
 	state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
 	if (state) {
-		if (!state)
-			return 0;
 		buffer[0] = cpu_to_be16(family);
 		buffer[1] = cpu_to_be16((u16) type);
 		state = aa_dfa_match_len(profile->policy.dfa, state,
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 9c9a329fd2d7..3d6fa51178c4 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -773,7 +773,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 	}
 
 	size = unpack_array(e, "net_allowed_af");
-	if (size || VERSION_LT(e->version, v8)) {
+	if (size && VERSION_LT(e->version, v8)) {
 		profile->net_compat = kzalloc(sizeof(struct aa_net_compat), GFP_KERNEL);
 		if (!profile->net_compat) {
 			info = "out of memory";
-- 
2.16.4