From 58e4e8169cbcb419f6631ab1cfedddf5ed9b238c Mon Sep 17 00:00:00 2001 From: John Johansen Date: Thu, 17 Sep 2020 04:38:56 -0700 Subject: [PATCH] parser: Fix automatic adding of rule for change_hat interface The parser is supposed to add a rule to profiles if they are a hat or contain hats granting write access to the kernel interfaces used to perform the change_hat operation. Unfortunately the check is broken and currently won't add the rule to hats (it does add it for the parent). MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/625 Signed-off-by: John Johansen Acked-by: Acked-by: Steve Beattie (cherry picked from commit 5b850c154f26bdd5435b8d9d3af4a7fc2072c62e) --- parser/parser_policy.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/parser/parser_policy.c b/parser/parser_policy.c index 38e33afc6..544ca118d 100644 --- a/parser/parser_policy.c +++ b/parser/parser_policy.c @@ -204,9 +204,8 @@ static int profile_add_hat_rules(Profile *prof) { struct cod_entry *entry; - /* TODO: ??? fix logic for when to add to hat/base vs. local */ - /* don't add hat rules for local_profiles or base profiles */ - if (prof->local || prof->hat_table.empty()) + /* don't add hat rules if not hat or profile doesn't have hats */ + if (!prof->flags.hat || !prof->hat_table.empty()) return 0; /* add entry to hat */
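Review bot: the new condition in profile_add_hat_rules() inverts the intent stated in the commit message. The message says the rule must be added to profiles that are a hat or that contain hats, but `if (!prof->flags.hat || !prof->hat_table.empty())` returns early for every profile that is not itself a hat, so a parent profile with hats (non-empty hat_table) is now skipped, which regresses the one case the message says currently works, and the `!prof->hat_table.empty()` term also contradicts the new comment "profile doesn't have hats" (it is true precisely when the profile does have hats). To skip only profiles that are neither a hat nor a container of hats, the early return should be `if (!prof->flags.hat && prof->hat_table.empty())`. Separately, the trailer reads "Acked-by: Acked-by: Steve Beattie"; drop the duplicated tag.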