"force-complain" and "disable" directories breaks aa-genprof

Thank you for using Ubuntu and taking the time to report a bug. This also affects the /etc/apparmor.d/disable directory.

Actually, Hardy had in SubDomain.pm:

sub isSkippableFile($) {
    my $path = shift;

    return ($path =~ /(^|\/)\.[^\/]*$/
            || $path =~ /\.rpm(save|new)$/
            || $path =~ /\.dpkg-(old|new|dist)$/
            || -e "$profiledir/disable/$path"
            || $path =~ /\~$/);
}

The '|| -e "$profiledir/disable/$path"' was dropped in Intrepid. So 'disable' didn't cause problems in Hardy.

Here is the patch I am putting into Jaunty.

This bug was fixed in the package apparmor - 2.3+1289-0ubuntu8

---------------
apparmor (2.3+1289-0ubuntu8) jaunty; urgency=low

  * abstractions/ssl_keys: allow read access to all of /etc/ssl (LP: #317109)
  * utils/SubDomain.pm: re-add dropped patch to not process disable/ as
    include files, and also don't process force-complain/ (LP: #331534)

 -- Jamie Strandboge <email address hidden> Thu, 12 Mar 2009 12:53:08 -0500

This bug affects Hardy too, namely the force-complain dir is installed by packages such as freshclam, leading to the same error as the original bug filer reported.

A debdiff for a Hardy SRU is at http://jdong.mit.edu/~jdong/motu/apparmor_2.1+1075-0ubuntu9.2.debdiff

Jamie, please review and upload if appropriate.

The patch looks good. I uploaded it to hardy-proposed also uploaded a patched package for Intrepid using the patch I used in Jaunty.

IMPACT: aa-genprof cannot be used to generate new profiles when profiles are in force-complain mode (hardy and intrepid) or disabled (intrepid)

DEV RELEASE: it is fixed in the Jaunty with the attached patch

TEST CASE (hardy):
1. ln -s /etc/apparmor.d/usr.sbin.cupsd /etc/apparmor.d/force-complain
2. sudo aa-genprof /usr/bin/yes

TEST CASE (intrepid):
1. ln -s /etc/apparmor.d/usr.sbin.cupsd /etc/apparmor.d/force-complain
2. sudo aa-genprof /usr/bin/yes
3. rm -f /etc/apparmor.d/force-complain/usr.sbin.cupsd
4. /etc/apparmor.d/usr.sbin.cupsd /etc/apparmor.d/disable
5. sudo aa-genprof /usr/bin/yes

REGRESSION POTENTIAL: considered to be low due to a very minimal patch to ignore more directories in /etc/apparmor.d. The patched file is used by all the apparmor helper functions, but a regression should not cause a problem with apparmor protections or profile manipulation via apparmor_parser.

Accepted apparmor into intrepid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Tested both Hardy and Intrepid and the test cases now work properly.

This bug was fixed in the package apparmor - 2.1+1075-0ubuntu9.2

---------------
apparmor (2.1+1075-0ubuntu9.2) hardy-proposed; urgency=low

  * SubDomain.pm: Ignore "force-complain/" to prevent aa-genprof from failing.
    (LP: #331534)

 -- John Dong <email address hidden> Tue, 28 Apr 2009 15:26:48 -0400

This bug was fixed in the package apparmor - 2.3+1289-0ubuntu4.2

---------------
apparmor (2.3+1289-0ubuntu4.2) intrepid-proposed; urgency=low

  * utils/SubDomain.pm: re-add dropped patch to not process disable/ as
    include files, and also don't process force-complain/ (LP: #331534)

 -- Jamie Strandboge <email address hidden> Mon, 04 May 2009 08:32:55 -0500