mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-30 22:05:27 +00:00

ask_exec(): no longer skip exec events in hats

Instead of ignoring all exec events that happen in a hat/child profile,
only disallow child exec. ix and px are valid options inside a hat and
are now offered to the user.

(When the tools support nested child profiles one day, we can even allow
child exec again.)

Backported from dfb6f90aee /
https://gitlab.com/apparmor/apparmor/-/merge_requests/1133 to match the
3.1 branch

(cherry picked from commit 0e70ad9b7c)
Christian Boltz
2023-12-28 23:29:09 +01:00
parent abcf4a8756
commit 0a26ce3acd

@@ -813,11 +813,6 @@ def ask_exec(hashlog):
for aamode in hashlog:
for full_profile in hashlog[aamode]:
if '//' in hashlog[aamode][full_profile]['final_name'] and hashlog[aamode][full_profile]['exec'].keys():
# TODO: is this really needed? Or would removing Cx from the options be good enough?
aaui.UI_Important('WARNING: Ignoring exec event in %s, nested profiles are not supported yet.' % hashlog[aamode][full_profile]['final_name'])
continue
profile, hat = split_name(full_profile) # XXX temporary solution to avoid breaking the existing code
for exec_target in hashlog[aamode][full_profile]['exec']:
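Review bot: Missing test coverage for the path opened by dropping the `'//' in ... ['final_name']` guard and its `continue` at the top of the `full_profile` loop. Hat exec events now reach `split_name(full_profile)`, which is still marked `XXX temporary solution`, and the `exec_target` loop, neither of which ran for hats before. Please add a test that feeds a hat exec event through `ask_exec()` and checks which options are offered. The removed `UI_Important` warning was also the only place the user was told that hats are handled differently, so a short comment here pointing at the later option filtering would help the next reader.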
@@ -848,7 +843,9 @@ def ask_exec(hashlog):
##options = 'i'
# Don't allow hats to cx?
options.replace('c', '')
if '//' in hashlog[aamode][full_profile]['final_name'] and hashlog[aamode][full_profile]['exec'].keys():
options = options.replace('c', '')
# Add deny to options
options += 'd'
# Define the default option
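Review bot: The bare `options.replace('c', '')` left above the new `if` is a no-op, because `str.replace` returns a new string and the result is discarded. Now that `options = options.replace('c', '')` does the actual filtering, the old statement should be deleted rather than kept as context. The `# Don't allow hats to cx?` comment belongs on the new `if` and should lose the question mark, since the commit message states that child exec is intentionally disallowed in hats. If this code sits inside the `for exec_target in hashlog[aamode][full_profile]['exec']` loop from the first hunk, the `['exec'].keys()` half of the condition is always true there and the check can be reduced to the `'//'` test.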