[apparmor] [PATCH 2/2] Update profile generation so LIB and image perms can be disabled separately

[John Johansen]

There are special cases where we need to disable the auto generation of
lib or image rules.  Split disabling of defaults up and use this in
exec.sh instead of -N and specifying hard coded paths for the libs.

This fixes the problem that exec.sh has when used under multiarh

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 tests/regression/apparmor/exec.sh      |    2 +-
 tests/regression/apparmor/prologue.inc |   29 +++++++++++++++++++++--------
 2 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/tests/regression/apparmor/exec.sh b/tests/regression/apparmor/exec.sh
index 80fbd61..f4481cb 100755
--- a/tests/regression/apparmor/exec.sh
+++ b/tests/regression/apparmor/exec.sh
@@ -66,5 +66,5 @@ runchecktest "EXEC unconfined -> confined" pass $file
 
 # UNCONFINED -> CONFINED no access to self binary
 
-genprofile -N image=$file  "/lib{64,}/ld*.so*:rix" "/lib{64,}/lib*.so*:rm"
+genprofile -I image=$file
 runchecktest "EXEC unconfined -> confined/no access to self" pass $file
diff --git a/tests/regression/apparmor/prologue.inc b/tests/regression/apparmor/prologue.inc
index 9c6aa0c..62dbf81 100755
--- a/tests/regression/apparmor/prologue.inc
+++ b/tests/regression/apparmor/prologue.inc
@@ -353,16 +353,24 @@ emit_profile()
 
 	name=$1; perm=$2; shift 2
 
-	if [ "$subprofile" -eq 1 -o "$nodefaults" -eq 1 ]
-	then
-		# skip dynamic libs for subprofiles
-		$bin/mkprofile.pl ${mkflags} "$name" ${outfile}:w "$@" >> $profile
+	local imageperm="${name}:${perm}"
 
-	else
+	if [ "$nolibs" -eq 1 ] ; then
+		dynlibs="";
+        fi
+
+	if [ "$noimage" -eq 1 ] ; then
+		imageperm="";
+        fi
 
-		$bin/mkprofile.pl ${mkflags} "$name" ${name}:${perm} $dynlibs ${outfile}:w "$@" >> $profile
+	if [ "$subprofile" -eq 1 ] ; then
+		# skip dynamic libs for subprofiles
+		dynlibs="";
+		imageperm="";
 	fi
 
+	$bin/mkprofile.pl ${mkflags} "$name" ${imageperm} ${dynlibs} ${outfile}:w "$@" >> $profile
+
 	echo $name >> $profilenames
 }
 		
@@ -379,7 +387,8 @@ fi
 
 	complainflag=""
 	escapeflag=""
-	nodefaults=0
+	nolibs=0
+	noimage=0
 	while /bin/true 
 	do
 		case "$1" in 
@@ -387,7 +396,11 @@ fi
 			      ;;
 			"-E") escapeflag="-E"
 			      ;;
-			"-N") nodefaults=1
+			"-L") nolibs=1
+			      ;;
+			"-I") noimage=1
+			      ;;
+			"-N") nolibs=1 ; noimage=1
 			      ;;
 			*) break
 			   ;;
-- 
1.7.7.3