[apparmor] [PATCH 2/2] Default profiles to be chroot relative

John Johansen john.johansen at canonical.com
Thu Feb 16 16:26:10 UTC 2012


Due to changes in path looks and the work going forward, default profiles
to resolve relative to the chroot instead of the namespace.

This will only affect profiles that are used on tasks within a chroot.
For now it will be possible to get the old default namespace relative
behavior by passing the namespace_relative flag to the profile.

e.g.
  profile /example (namespace_relative) { .. }

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 parser/parser_yacc.y |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index 79a5ab2..9e05d24 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -418,6 +418,10 @@ flagvals:	flagvals flagval
 		    (PATH_CHROOT_REL | PATH_NS_REL))
 			yyerror(_("Profile flag chroot_relative conflicts with namespace_relative"));
 
+		if (!($1.path & PATH_NS_REL))
+			/* default to chroot relative profiles */
+			$1.path |= PATH_CHROOT_REL;
+
 		if (($1.path & (PATH_MEDIATE_DELETED | PATH_DELEGATE_DELETED)) ==
 		    (PATH_MEDIATE_DELETED | PATH_DELEGATE_DELETED))
 			yyerror(_("Profile flag mediate_deleted conflicts with delegate_deleted"));
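Review bot: The new default after the chroot_relative/namespace_relative conflict check sits inside the recursive `flagvals: flagvals flagval` action, so it is applied each time two flag values are combined rather than once per profile. Two cases are worth checking. A profile with no flag list, or with a single flag that does not reduce through this rule, never reaches `$1.path |= PATH_CHROOT_REL;` and so would not get the default the commit message describes. With three or more flags where namespace_relative comes last, and if `$1` carries through to the result, an earlier reduction will already have set PATH_CHROOT_REL, so the conflict check above could report "chroot_relative conflicts with namespace_relative" for a flag the user never wrote. Applying the default once, after the complete flag list has been parsed, would cover both cases; a parser test with `(namespace_relative)` as the last of several flags would confirm it.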
-- 
1.7.9



