[apparmor] [PATCH 5/2] Fix compilation of audit modifiers

John Johansen john.johansen at canonical.com
Tue Mar 17 07:14:07 UTC 2015


This fixes the incorrect compilation of audit modifiers for exec and
pivot_root as detailed in

https://launchpad.net/bugs/1431717
https://launchpad.net/bugs/1432045

The permission accumulation routine on the backend was incorrectly setting
the audit mask based off of the exec type bits (info about the exec) and
not the actual exec permission.

This bug could have also caused permissions issues around overlapping exec
generic and exact match exec rules, except the encoding of EXEC_MODIFIERS
ensured that the 
  exact_match_allow & AA_USER/OTHER_EXEC_TYPE
test would never fail for a permission accumulation with the exec permission
set.

Signed-off-by: John Johansen <john.johansen at canonical.com>

---

=== modified file 'parser/libapparmor_re/hfa.cc'
--- parser/libapparmor_re/hfa.cc	2014-09-03 21:36:08 +0000
+++ parser/libapparmor_re/hfa.cc	2015-03-17 06:32:53 +0000
@@ -1335,19 +1335,16 @@
 	}
 
 	perms.allow |= exact_match_allow & ~(ALL_AA_EXEC_TYPE);
-
-	if (exact_match_allow & AA_USER_EXEC_TYPE) {
+	perms.audit |= exact_audit & ~(ALL_AA_EXEC_TYPE);
+	
+	if (exact_match_allow & AA_USER_EXEC) {
 		perms.allow = (exact_match_allow & AA_USER_EXEC_TYPE) |
 			(perms.allow & ~AA_USER_EXEC_TYPE);
-		perms.audit = (exact_audit & AA_USER_EXEC_TYPE) |
-			(perms.audit & ~AA_USER_EXEC_TYPE);
 		perms.exact = AA_USER_EXEC_TYPE;
 	}
-	if (exact_match_allow & AA_OTHER_EXEC_TYPE) {
+	if (exact_match_allow & AA_OTHER_EXEC) {
 		perms.allow = (exact_match_allow & AA_OTHER_EXEC_TYPE) |
 			(perms.allow & ~AA_OTHER_EXEC_TYPE);
-		perms.audit = (exact_audit & AA_OTHER_EXEC_TYPE) |
-			(perms.audit & ~AA_OTHER_EXEC_TYPE);
 		perms.exact |= AA_OTHER_EXEC_TYPE;
 	}
 	if (AA_USER_EXEC & perms.deny)
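Review bot: with both `perms.audit = (exact_audit & AA_USER_EXEC_TYPE) | ...` assignments removed and the new `perms.audit |= exact_audit & ~(ALL_AA_EXEC_TYPE);` masking the type bits out, the exec-type bits of `exact_audit` no longer reach `perms.audit` on any path; if that is intended (auditing of exec keyed on the `AA_USER_EXEC`/`AA_OTHER_EXEC` permission bits that now gate the two branches, not on the type bits that only describe the exec), a sentence in the commit message saying so would make the change easier to verify, and the new condition lines `if (exact_match_allow & AA_USER_EXEC) {` / `if (exact_match_allow & AA_OTHER_EXEC) {` would benefit from a short comment that the type bits are informational. Also, the blank line added after the new `perms.audit |= ...` statement carries a trailing tab; drop the whitespace so the hunk does not introduce it.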



