mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-29 13:28:19 +00:00

From: Jeff Mahoney <jeffm@suse.com>

Subject: apparmor: Subdomain.pm: Fix handling of audits of unconfined processes

 The version of AppArmor that was accepted into the mainline kernel
 issues audit events for things like change_hat while unconfined.
 Previous versions just returned -EPERM without the audit.

 This results in logprof and friends spewing uninitialized value errors
 when it hits events like:
 type=AVC msg=audit(1291742101.899:220): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=28005 comm="cron

 ... which happen any time an unconfined process does something with pam
 when pam_apparmor is installed.

 This patch skips those events.

[Note that the second half of the OpenSUSE patch had already been applied.]

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Steve Beattie 2011-02-15 11:16:28 -08:00
parent 5a56604f99
commit 4c8d4490cb


@ -2788,6 +2788,13 @@ sub add_event_to_tree ($) {
return if ($e->{operation} =~ /profile_set/);
my ($profile, $hat);
# The version of AppArmor that was accepted into the mainline kernel
# issues audit events for things like change_hat while unconfined.
# Previous versions just returned -EPERM without the audit so the
# events wouldn't have been picked up here.
return if (!$e->{profile});
# just convert new null profile style names to old before we begin processing
# profile and name can contain multiple layers of null- but all we care about
# currently is single level.
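
Review bot: The new guard `return if (!$e->{profile});` in add_event_to_tree is broader than the case the commit message describes. It silently drops every event that has no profile field, not only the change_hat events carrying info="unconfined", and because it tests truthiness rather than definedness it would also drop an event whose profile string is "0". Consider checking `defined $e->{profile}` together with a non-empty length, or matching explicitly on `$e->{info}` being "unconfined", and recording a debug message when an event is skipped so that discarded audit records remain visible when troubleshooting log parsing.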