apparmor: lift kernel socket check out of critical section

There is no need for the kern check to be in the critical section,
it only complicates the code and slows down the case where the
socket is being created by the kernel.

Lifting it out will also allow socket_create to share common template
code, with other socket_permission checks.

Signed-off-by: John Johansen <john.johansen@canonical.com>

Author: jrjohansen

security/apparmor/lsm.c

@@ -1095,10 +1095,14 @@ static int apparmor_socket_create(int family, int type, int protocol, int kern)
 
 	AA_BUG(in_interrupt());
 
+	if (kern)
+		return 0;
+
 	label = begin_current_label_crit_section();
-	if (!(kern || unconfined(label)))
+	if (!unconfined(label)) {
 		error = aa_af_perm(current_cred(), label, OP_CREATE,
 				   AA_MAY_CREATE, family, type, protocol);
+	}
 	end_current_label_crit_section(label);
 
 	return error;