VariableRuleset: Prevent re-defining variables

When adding a variable with a name that is already known to the
VariableRuleset, raise an exception.

Also add a test for this.

utils/apparmor/rule/variable.py

@@ -137,7 +137,19 @@ class VariableRule(BaseRule):
 
 class VariableRuleset(BaseRuleset):
     '''Class to handle and store a collection of variable rules'''
-    pass
+
+    def add(self, rule, cleanup=False):
+        ''' Add variable rule object
+
+            If the variable name is already known, raise an exception because re-defining a variable isn't allowed.
+        '''
+
+        if rule.mode == '=':
+            for knownrule in self.rules:
+                if rule.varname == knownrule.varname:
+                    raise AppArmorException(_('Redefining existing variable %(variable)s: %(value)s') % { 'variable': rule.varname, 'value': rule.values })
+
+        super(VariableRuleset, self).add(rule, cleanup)
 
 def separate_vars(vs):
     """Returns a list of all the values for a variable"""

utils/test/test-variable.py

@@ -354,6 +354,12 @@ class VariableRulesTest(AATest):
         self.assertEqual(expected_clean, ruleset.get_clean())
         self.assertEqual(expected_clean_unsorted, ruleset.get_clean_unsorted())
 
+    def test_ruleset_overwrite(self):
+        ruleset = VariableRuleset()
+
+        ruleset.add(VariableRule.parse('@{foo} = /bar'))
+        with self.assertRaises(AppArmorException):
+            ruleset.add(VariableRule.parse('@{foo} = /asdf'))  # attempt to redefine @{foo}
 
 class VariableGlobTestAATest(AATest):
     def setUp(self):