[apparmor] [patch] Handle #include <directory> in is_known_rule()

Christian Boltz apparmor at cboltz.de
Sat Jul 4 16:58:39 UTC 2015


Hello,

this patch fixes the crash reported in
https://bugs.launchpad.net/apparmor/+bug/1471425
and also avoids asking for and adding superfluous rules that are
already covered by a file in the included directory.

This patch looks bigger than it is because it moves quite some lines
into the "else:" branch. Everything inside the "else:" just got an
additional whitespace level.

Note: 2.9 needs a different patch because it has some profile_known_*()
functions instead of is_known_rule().


[ 61-is_known_rule-check-directory-includes.diff ]

=== modified file utils/apparmor/aa.py
--- utils/apparmor/aa.py        2015-07-04 18:35:52.337494351 +0200
+++ utils/apparmor/aa.py        2015-07-04 18:34:30.602541182 +0200
@@ -4091,13 +4091,16 @@
     while incname:
         checked.append(incname)
 
-        if include[incname][incname].get(rule_type, False):
-            if include[incname][incname][rule_type].is_covered(rule_obj, False):
-                return True
+        if os.path.isdir(profile_dir + '/' + incname):
+            includelist += include_dir_filelist(profile_dir, incname)
+        else:
+            if include[incname][incname].get(rule_type, False):
+                if include[incname][incname][rule_type].is_covered(rule_obj, False):
+                    return True
 
-        for childinc in include[incname][incname]['include'].keys():
-            if childinc not in checked:
-                includelist += [childinc]
+            for childinc in include[incname][incname]['include'].keys():
+                if childinc not in checked:
+                    includelist += [childinc]
 
         if len(includelist):
             incname = includelist.pop(0)
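
Review bot: In the new `os.path.isdir()` branch, `includelist += include_dir_filelist(profile_dir, incname)` queues every file in the directory without the `not in checked` filter that the child-include loop in the `else:` branch applies, so a file already visited through another include path is evaluated a second time. Filtering the returned list against `checked` (and against what is already in `includelist`) before appending would keep the two branches consistent. It is also worth confirming that the names `include_dir_filelist()` returns are in the same form as the keys of `include`, since each queued name is later used as `include[incname][incname]` in the `else:` branch. As a style point, `os.path.join(profile_dir, incname)` would be more robust than `profile_dir + '/' + incname`, and a short comment explaining why directories are expanded rather than looked up would help the next reader.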


Regards,

Christian Boltz
-- 
Still on Squid, or would you rather press buttons and stare to see
whether anything happens? Forget it, the computer has the upper hand
and is, as far as such matters go, a stubborn mule.
[Helga Fischer in suse-linux]



