Change internal include file storage to absolute paths

This removes the need to remove profile_dir from include paths at
various places.

A side effect is that aa-logprof / match_includes() now propose more
include rules, for example matching local/ files.

Another side effect is that proposals for include rules
(match_includes() again) now come with the full path.

Both side effects will be fixed in the next commits.

utils/apparmor/aa.py

@@ -1913,10 +1913,6 @@ def parse_profile_data(data, file, do_include):
                 active_profiles.add_inc_ie(file, rule_obj)
 
             for incname in rule_obj.get_full_paths(profile_dir):
-                # include[] keys can be a) 'abstractions/foo' and b) '/full/path'
-                if incname.startswith(profile_dir):
-                    incname = incname.replace('%s/' % profile_dir, '')
-
                 load_include(incname)
 
         elif NetworkRule.match(line):
@@ -2274,10 +2270,6 @@ def include_list_recursive(profile):
             continue
         full_list.append(incname)
 
-        # include[] keys can be a) 'abstractions/foo' and b) '/full/path'
-        if incname.startswith(profile_dir):
-            incname = incname.replace('%s/' % profile_dir, '')
-
         for childinc in include[incname][incname]['inc_ie'].rules:
             for childinc_file in childinc.get_full_paths(profile_dir):
                 if childinc_file not in full_list:
@@ -2294,10 +2286,6 @@ def is_known_rule(profile, rule_type, rule_obj):
     includelist = include_list_recursive(profile)
 
     for incname in includelist:
-        # include[] keys can be a) 'abstractions/foo' and b) '/full/path'
-        if incname.startswith(profile_dir):
-            incname = incname.replace('%s/' % profile_dir, '')
-
         if include[incname][incname][rule_type].is_covered(rule_obj, False):
             return True
 
@@ -2311,10 +2299,6 @@ def get_file_perms(profile, path, audit, deny):
     includelist = include_list_recursive(profile)
 
     for incname in includelist:
-        # include[] keys can be a) 'abstractions/foo' and b) '/full/path'
-        if incname.startswith(profile_dir):
-            incname = incname.replace('%s/' % profile_dir, '')
-
         incperms = include[incname][incname]['file'].get_perms_for_path(path, audit, deny)
 
         for allow_or_deny in ['allow', 'deny']:
@@ -2411,9 +2395,6 @@ def include_dir_filelist(profile_dir, include_name):
             continue
         if os.path.isfile(include_name_abs + '/' + path):
             file_name = include_name + '/' + path
-            # strip off profile_dir for non-absolute paths
-            if not include_name.startswith('/'):
-                file_name = file_name.replace(profile_dir + '/', '')
             files.append(file_name)
 
     return files
@@ -2463,7 +2444,6 @@ def loadincludes():
                     continue
                 else:
                     fi = dirpath + '/' + fi
-                    fi = fi.replace(profile_dir + '/', '', 1)
                     load_include(fi)
 
 def glob_common(path):

utils/apparmor/cleanprofile.py

@@ -53,10 +53,6 @@ class CleanProf(object):
 
             #Clean up superfluous rules from includes in the other profile
             for inc in includes:
-                # apparmor.include[] keys can be a) 'abstractions/foo' and b) '/full/path'
-                if inc.startswith(apparmor.profile_dir):
-                    inc = inc.replace('%s/' % apparmor.profile_dir, '')
-
                 if not self.profile.include.get(inc, {}).get(inc, False):
                     apparmor.load_include(inc)
                 if self.other.aa[program].get(hat):  # carefully avoid to accidently initialize self.other.aa[program][hat]

utils/apparmor/profile_list.py

@@ -207,10 +207,6 @@ class ProfileList:
             inc_add[filename] = mainfile_variables['+=']  # variable additions from main file
 
         for incname in all_incfiles:
-            # include[] keys can be a) 'abstractions/foo' and b) '/full/path'
-            if incname.startswith(profile_dir):
-                incname = incname.replace('%s/' % profile_dir, '')
-
             if not self.files.get(incname):
                 continue  # tunables/* only end up in self.files if they contain variable or alias definitions
 

utils/test/test-aa.py

@@ -132,8 +132,8 @@ class AaTest_create_new_profile(AATest):
 
         # load the abstractions we need in the test
         apparmor.aa.profile_dir = self.profile_dir
-        apparmor.aa.load_include('abstractions/base')
-        apparmor.aa.load_include('abstractions/bash')
+        apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/base'))
+        apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/bash'))
 
         exp_interpreter_path, exp_abstraction = expected
         # damn symlinks!
@@ -755,10 +755,10 @@ class AaTest_get_file_perms_2(AATest):
 
         # load the abstractions we need in the test
         apparmor.aa.profile_dir = self.profile_dir
-        apparmor.aa.load_include('abstractions/base')
-        apparmor.aa.load_include('abstractions/bash')
-        apparmor.aa.load_include('abstractions/enchant')
-        apparmor.aa.load_include('abstractions/aspell')
+        apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/base'))
+        apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/bash'))
+        apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/enchant'))
+        apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/aspell'))
 
         profile = apparmor.aa.ProfileStorage('/test', '/test', 'test-aa.py')
         profile['inc_ie'].add(IncludeRule.parse('include <abstractions/base>'))
@@ -793,10 +793,10 @@ class AaTest_propose_file_rules(AATest):
 
         # load the abstractions we need in the test
         apparmor.aa.profile_dir = self.profile_dir
-        apparmor.aa.load_include('abstractions/base')
-        apparmor.aa.load_include('abstractions/bash')
-        apparmor.aa.load_include('abstractions/enchant')
-        apparmor.aa.load_include('abstractions/aspell')
+        apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/base'))
+        apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/bash'))
+        apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/enchant'))
+        apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/aspell'))
 
         # add some user_globs ('(N)ew') to simulate a professional aa-logprof user (and to make sure that part of the code also gets tested)
         apparmor.aa.user_globs['/usr/share/common*/foo/*'] = AARE('/usr/share/common*/foo/*', True)
@@ -836,7 +836,7 @@ class AaTest_propose_file_rules_with_absolute_includes(AATest):
 
         # load the abstractions we need in the test
         apparmor.aa.profile_dir = self.profile_dir
-        apparmor.aa.load_include('abstractions/base')
+        apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/base'))
 
         abs_include1 = write_file(self.tmpdir, 'test-abs1', "/some/random/include rw,")
         apparmor.aa.load_include(abs_include1)