Preserve 'hat' keyword in ProfileStorage

... instead of always writing hats as '^hat'.

When writing a profile, prepending '^' or 'hat' to a hat name moves from
aa.py write_piece() to ProfileStorage.get_header().

Also extend cleanprof_test.* with 'hat bar {...}'.

utils/apparmor/aa.py

@@ -2096,9 +2096,6 @@ def write_piece(profile_data, depth, name, nhat, write_flags):
             if not profile_data[hat]['external']:
                 data.append('')
 
-                if profile_data[hat]['is_hat']:
-                    only_hat = '^%s' % only_hat
-
                 data += profile_data[hat].get_header(depth + 1, only_hat, True, write_flags)
 
                 data += profile_data[hat].get_rules_clean(depth + 2)

utils/apparmor/profile_storage.py

@@ -74,6 +74,7 @@ class ProfileStorage:
         data['initial_comment']  = ''
         data['profile_keyword']  = False  # currently only set by change_profile_flags()
         data['is_hat']           = False  # profile or hat?
+        data['hat_keyword']      = False  # True for 'hat foo', False for '^foo'
 
         data['allow'] = dict()
         data['deny'] = dict()
@@ -146,7 +147,12 @@ class ProfileStorage:
         if self.data['header_comment']:
             comment = ' %s' % self.data['header_comment']
 
-        if (not embedded_hat and not unquoted_name.startswith('/')) or (embedded_hat and not unquoted_name.startswith('^')) or self.data['attachment'] or self.data['profile_keyword']:
+        if self.data['is_hat']:
+            if self.data['hat_keyword']:
+                name = 'hat %s' % name
+            else:
+                name = '^%s' % name
+        elif (not embedded_hat and not unquoted_name.startswith('/')) or (embedded_hat and not unquoted_name.startswith('^')) or self.data['attachment'] or self.data['profile_keyword']:
             name = 'profile %s%s' % (name, attachment)
 
         xattrs = ''
@@ -237,7 +243,9 @@ class ProfileStorage:
         prof_storage['flags'] = matches['flags']
         prof_storage['is_hat'] = matches['is_hat']
 
-        if not matches['is_hat']:
+        if matches['is_hat']:
+            prof_storage['hat_keyword'] = matches['hat_keyword']
+        else:
             prof_storage['attachment'] = matches['attachment'] or ''
             prof_storage['xattrs'] = matches['xattrs']
 

utils/apparmor/regex.py

@@ -143,6 +143,10 @@ def parse_profile_start_line(line, filename):
     if result.get('hat'):
         result['is_hat'] = True
         result['profile'] = result['hat']
+        if result['hat_keyword'] == '^':
+            result['hat_keyword'] = False
+        else:
+            result['hat_keyword'] = True
         result['profile_keyword'] = True
     elif result['plainprofile']:
         result['profile'] = result['plainprofile']

utils/test/cleanprof_test.in

@@ -68,6 +68,11 @@ $foo = false
 
 	mount options=(rw,suid) /c -> /3,
 
+    hat bar {
+        /etc/passwd r,
+        capability sys_admin,
+        }
+
 	pivot_root oldroot=/mnt/root/old/,
 
 	deny    owner       link       /some/thing    ->     /foo/bar    ,

utils/test/cleanprof_test.out

@@ -46,6 +46,13 @@ $bar = true
   change_profile,
 
 
+  hat bar {
+    capability sys_admin,
+
+    /etc/passwd r,
+
+  }
+
   ^foo {
     capability dac_override,