[apparmor] [patch] Update cleanprof to also delete superfluous signal etc. rules

Christian Boltz apparmor at cboltz.de
Fri Oct 23 15:21:19 UTC 2015


Hello,

besides 'signal', also 'change_profile' and 'rlimit' cleanup was missing
for the main profile.

In aa.py delete_duplicates() (used to check includes), only 'signal' was
missing.



[ 10-cleanprof-more-rule-types.diff ]

=== modified file ./utils/apparmor/aa.py
--- utils/apparmor/aa.py        2015-10-23 15:15:05.562818747 +0200
+++ utils/apparmor/aa.py        2015-10-23 17:08:32.594881219 +0200
@@ -2113,7 +2113,7 @@
     # Allow rules covered by denied rules shouldn't be deleted
     # only a subset allow rules may actually be denied
 
-    ruletypes = ['capability', 'change_profile', 'network', 'rlimit']
+    ruletypes = ['capability', 'change_profile', 'network', 'rlimit', 'signal']
 
     if include.get(incname, False):
         for rule_type in ruletypes:
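Review bot: the `ruletypes` literal on the `+` line is the single place in delete_duplicates() that decides which rule classes get deduplicated against includes, and the identical list `['capability', 'change_profile', 'network', 'rlimit', 'signal']` is written out again by hand in cleanprofile.py in this same patch. That is exactly how 'signal' got missed here in the first place; suggest a module-level constant (e.g. a `ruletypes` tuple next to the rule classes in aa.py) that both callers iterate over, so the next rule class added is deduplicated in the include check and in the profile cleanup without editing two lists.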
=== modified file ./utils/apparmor/cleanprofile.py
--- utils/apparmor/cleanprofile.py      2015-06-18 23:50:22.428586163 +0200
+++ utils/apparmor/cleanprofile.py      2015-10-23 17:03:58.344857512 +0200
@@ -64,12 +64,11 @@
                 deleted += apparmor.delete_duplicates(self.other.aa[program][hat], inc)
 
             #Clean duplicate rules in other profile
-            if not self.same_file:
-                deleted += self.other.aa[program][hat]['capability'].delete_duplicates(self.profile.aa[program][hat]['capability'])
-                deleted += self.other.aa[program][hat]['network'].delete_duplicates(self.profile.aa[program][hat]['network'])
-            else:
-                deleted += self.other.aa[program][hat]['capability'].delete_duplicates(None)
-                deleted += self.other.aa[program][hat]['network'].delete_duplicates(None)
+            for ruletype in ['capability', 'change_profile', 'network', 'rlimit', 'signal']:
+                if not self.same_file:
+                    deleted += self.other.aa[program][hat][ruletype].delete_duplicates(self.profile.aa[program][hat][ruletype])
+                else:
+                    deleted += self.other.aa[program][hat][ruletype].delete_duplicates(None)
 
             #Clean the duplicates of path in other profile
             deleted += delete_path_duplicates(self.profile.aa[program][hat], self.other.aa[program][hat], 'allow', self.same_file)
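Review bot: inside the new `for ruletype in [...]` loop the `if not self.same_file:` branch is re-evaluated for every rule type although it cannot change between iterations; compute the comparison target once before the loop, e.g. `other = None if self.same_file else self.profile.aa[program][hat]`, then call `self.other.aa[program][hat][ruletype].delete_duplicates(other and other[ruletype])` (or an explicit if on `other`) in the loop body. This keeps the loop to one statement and removes the second copy of the rule-type list if the shared constant suggested for aa.py is used here too. The observable behaviour (None passed when both profiles are the same file, the sibling profile's rule set otherwise) stays as in the removed lines.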



Regards,

Christian Boltz
-- 
:O h:, I'm cracking up. If it isn't the thing with the quiz, is it then one of those pyramid schemes? Do you get a bonus for luring yet another newbie into his misfortune? [Thorsten Haude in suse-linux]



