[apparmor] [PATCH 15/20] Fix screening of change_profile permission from file rule entries
John Johansen
john.johansen at canonical.com
Fri May 29 08:39:21 UTC 2015
While change_profile rules are always created separately from file
rules, the merge phase can result in change_profile rules merging
with file rules, resulting in the change_profile permission being
set when a file rule is created.
Make sure to screen off the change_profile permission when creating
a file rule.
Note: the proper long-term fix is to split file, link and change_profile
rules into their own classes.
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
parser/parser_regex.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 8c6a26a..74b4761 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -532,8 +532,9 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
if (entry->deny) {
if ((entry->mode & ~(AA_LINK_BITS | AA_CHANGE_PROFILE)) &&
!dfarules->add_rule(tbuf.c_str(), entry->deny,
- entry->mode & ~AA_LINK_BITS,
- entry->audit & ~AA_LINK_BITS, dfaflags))
+ entry->mode & ~(AA_LINK_BITS | AA_CHANGE_PROFILE),
+ entry->audit & ~(AA_LINK_BITS | AA_CHANGE_PROFILE),
+ dfaflags))
return FALSE;
} else if (entry->mode & ~AA_CHANGE_PROFILE) {
if (!dfarules->add_rule(tbuf.c_str(), entry->deny, entry->mode,
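Review bot: the screening looks incomplete for the non-deny branch. The `else if (entry->mode & ~AA_CHANGE_PROFILE)` guard at the end of the hunk only decides whether a file rule is emitted at all, but the `add_rule()` call beneath it still passes `entry->mode` unmasked, so a merged change_profile bit can still land in an allow file rule exactly as it could in the deny rule before this patch (unless the continuation of that call, outside the hunk, masks it). Consider passing `entry->mode & ~AA_CHANGE_PROFILE` (and the matching `entry->audit & ~AA_CHANGE_PROFILE`) there too, or stating in the commit message why the allow path does not need it. Minor: the deny branch now repeats the `~(AA_LINK_BITS | AA_CHANGE_PROFILE)` mask three times; a local `mask` variable would keep the condition and the two arguments from drifting apart again.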
--
2.1.4