From 0d842eae346e287a067a19c28a9a3e5a337cdf3a Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Wed, 8 Jul 2015 22:46:01 +0200
Subject: [PATCH] Handle #include in is_known_rule()
is_known_rule() ignored directory includes, which resulted in asking for and adding superfluous rules that are already covered by a file in the included directory. This patch looks bigger than it is because it moves quite some lines into the "else:" branch. Everything inside the "else:" just got an additional whitespace level.
References: https://bugs.launchpad.net/apparmor/+bug/1471425 (however, trunk didn't crash, it "just" ignored directory includes)
Acked-by: Steve Beattie
---
 utils/apparmor/aa.py | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
index a7f8a675e..86f55a85e 100644
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -4078,13 +4078,16 @@ def is_known_rule(profile, rule_type, rule_obj):
 incname = includelist.pop(0)
 checked.append(incname)
- if include[incname][incname].get(rule_type, False):
- if include[incname][incname][rule_type].is_covered(rule_obj, False):
- return True
+ if os.path.isdir(profile_dir + '/' + incname):
+ includelist += include_dir_filelist(profile_dir, incname)
+ else:
+ if include[incname][incname].get(rule_type, False):
+ if include[incname][incname][rule_type].is_covered(rule_obj, False):
+ return True
- for childinc in include[incname][incname]['include'].keys():
- if childinc not in checked:
- includelist += [childinc]
+ for childinc in include[incname][incname]['include'].keys():
+ if childinc not in checked:
+ includelist += [childinc]
 return False
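Review bot: The file names appended from `include_dir_filelist(profile_dir, incname)` are later popped and indexed as `include[incname][incname]` in the else branch, which raises KeyError for any listed entry that has not been loaded into `include`; the hunk does not show whether include_dir_filelist guarantees that, so it is worth confirming, or guarding the lookup with `include.get(incname)`. The directory test builds its path as `profile_dir + '/' + incname`; `os.path.isdir(os.path.join(profile_dir, incname))` is the idiomatic form and reads the same for the relative include names used here. A short why-comment on the new branch would help the next reader, e.g. `# a directory include covers every file in it, so queue those files instead of looking the directory up in include[]`. is_known_rule's body starts before the hunk.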