mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-03 07:45:50 +00:00

collapse_log: ignore events from null-* profiles

If final_name still includes null-*, that's most likely caused by nested
execs which aren't supported by the tools yet. Ignoring them is better
than creating a useless null-* hat.

Note: The tools always had this restriction, so this is not a regression ;-)

Also note that test-libapparmor-test_multi expects that null-* hats get
created (which makes sense because the one-line log snippets don't have
any exec indication), therefore add an optional parameter to keep this
behaviour for the tests.
Christian Boltz
2019-05-09 17:49:09 +02:00
parent 387d1646c8
commit 836caca462
2 changed files with 8 additions and 2 deletions

@@ -1780,7 +1780,7 @@ def save_profiles():
def get_pager():
return 'less'
def collapse_log(hashlog):
def collapse_log(hashlog, ignore_null_profiles=True):
log_dict = hasher()
for aamode in hashlog.keys():
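Review bot: The new `ignore_null_profiles` parameter on `collapse_log()` is undocumented, and because it defaults to True every existing caller that does not pass it now drops null-* events. A short docstring stating what the flag skips, and that False exists only to keep the old behaviour for the tests, would make that default explicit to anyone calling this function from elsewhere in the tools.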
@@ -1788,6 +1788,12 @@ def collapse_log(hashlog):
if hashlog[aamode][full_profile]['final_name'] == '':
continue # user chose "deny" or "unconfined" for this target, therefore ignore log events
if '//null-' in hashlog[aamode][full_profile]['final_name'] and ignore_null_profiles:
# ignore null-* profiles (probably nested childs)
# otherwise we'd accidently create a null-* hat in the profile which is worse
# XXX drop this once we support nested childs
continue
profile, hat = split_name(hashlog[aamode][full_profile]['final_name']) # XXX limited to two levels to avoid an Exception on nested child profiles or nested null-*
# TODO: support nested child profiles
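Review bot: The new `continue` in the `'//null-' in ... ['final_name']` branch drops the events silently, so a user generating a profile from a log has no indication that entries were left out. Consider emitting a debug or informational message naming the skipped `final_name` before the `continue`. Two smaller points on the same condition: it is a substring match, so it triggers on `//null-` anywhere in the name rather than only on a null-* component, and testing `ignore_null_profiles` first would avoid the dictionary lookup when the flag is False.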

@@ -239,7 +239,7 @@ def logfile_to_profile(logfile):
apparmor.aa.ask_exec(hashlog)
apparmor.aa.ask_addhat(hashlog)
log_dict = apparmor.aa.collapse_log(hashlog)
log_dict = apparmor.aa.collapse_log(hashlog, ignore_null_profiles=False)
if profile != hat:
# log event for a child profile means log_dict only contains the child profile
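Review bot: The call in `logfile_to_profile()` passes `ignore_null_profiles=False`, so this test only exercises the old behaviour and the new default branch that skips `//null-` names has no coverage in the lines shown. Consider adding a test case that calls `collapse_log(hashlog)` with a `final_name` containing `//null-` and asserts that the resulting `log_dict` has no entry for it.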