File set-flags-for-profiles-represented-by-glob.patch of Package apparmor.9207

commit 5e187daa0b87a4999f78925e5e9864e7656ffc11
Author: Goldwyn Rodrigues <rgoldwyn@suse.com>
Date:   Tue Apr 10 09:02:09 2018 -0500
References: bsc#1086154

    Set flags for profiles represented by a glob
    
    Getting and Setting profile represented by a glob does not work correctly
    because they are checked for equality. Use a glob match to check for them.
    Also, add a warning stating that the profile being set represents multiple programs.
    
    traceroute is an example whose profile name is represented as
    /usr/{sbin/traceroute,bin/traceroute.db} and exhibits the issue:
    
    Setting /usr/sbin/traceroute to enforce mode.
    
    ERROR: /etc/apparmor.d/usr.sbin.traceroute contains no profile
    
    Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>

diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
index c8089aa8..4545dfc7 100644
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -612,9 +612,12 @@ def get_profile_flags(filename, program):
         for line in f_in:
             if RE_PROFILE_START.search(line):
                 matches = parse_profile_start_line(line, filename)
-                profile = matches['profile']
+                if (matches['attachment'] is not None):
+                    profile_glob = AARE(matches['attachment'], True)
+                else:
+                    profile_glob = AARE(matches['profile'], True)
                 flags = matches['flags']
-                if profile == program or program is None:
+                if (program is not None and profile_glob.match(program)) or program is None:
                     return flags
 
     raise AppArmorException(_('%s contains no profile') % filename)
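Review bot: A profile declared by name only (no attachment) now has its name passed to `AARE(matches['profile'], True)`, so it is treated as a path expression. AARE is not shown here, but if its path mode rejects strings that do not start with `/` or a variable, this branch and the identical one in set_profile_flags would raise before the "contains no profile" error is reached; consider `AARE(matches['profile'], False)` in the else branch. With a glob match the first matching profile in the file wins, so where a file holds overlapping profiles the returned flags may belong to a broader profile than the one asked about; a comment such as `# first profile whose attachment/name glob matches program wins` would make that explicit. The condition reads more simply as `if program is None or profile_glob.match(program):`. The function body begins above the hunk.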
@@ -667,8 +670,14 @@ def set_profile_flags(prof_filename, program, newflags):
                     space = matches['leadingspace'] or ''
                     profile = matches['profile']
 
-                    if profile == program or program is None:
+                    if (matches['attachment'] is not None):
+                        profile_glob = AARE(matches['attachment'], True)
+                    else:
+                        profile_glob = AARE(matches['profile'], True)
+                    if (program is not None and profile_glob.match(program)) or program is None:
                         found = True
+                        if program is not None and program != profile:
+                          aaui.UI_Info(_('Warning: profile %s represents multiple programs') % profile)
                         header_data = {
                             'attachment': matches['attachment'] or '',
                             'flags': newflags,
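Review bot: The warning test `program != profile` compares against the profile name, while the match was made against the attachment when one exists, so a named profile whose attachment is exactly the program gets a spurious "represents multiple programs" warning. Compare against the matched string instead, e.g. `matched = matches['attachment'] or matches['profile']` followed by `if program is not None and program != matched:`. More important for confinement, glob matching means a request naming one program rewrites the flags of any broad profile that covers it (as far as the hunk shows, every matching profile in the file), so moving one binary to complain mode can relax enforcement for everything that profile attaches to, with only an informational message as the signal; the message could state that consequence, or the caller could ask for confirmation. The `aaui.UI_Info` line is indented two spaces where the surrounding code uses four. The loop and function continue outside the hunk.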