All false are reloads to restore former content (that is ok):
  src/security/security_apparmor.c:706: return reload_profile(mgr, def, NULL, false);
  src/security/security_apparmor.c:750: return reload_profile(mgr, def, NULL, false);
  src/security/security_apparmor.c:795: return reload_profile(mgr, def, NULL, false);
  src/security/security_apparmor.c:1017: return reload_profile(mgr, def, NULL, false);
  src/security/security_apparmor.c:1088: return reload_profile(mgr, def, NULL, false);
  src/security/security_apparmor.c:1125: return reload_profile(mgr, def, NULL, false);

All additions of paths are append=true which will cause it to use -F:
  src/security/security_apparmor.c:320: return reload_profile(ptr->mgr, def, file, true);
  src/security/security_apparmor.c:501: return reload_profile(mgr, def, stdin_path, true);
  src/security/security_apparmor.c:733: return reload_profile(mgr, def, mem->nvdimmPath, true);
  src/security/security_apparmor.c:776: return reload_profile(mgr, def, input->source.evdev, true);
  src/security/security_apparmor.c:1039: ret = reload_profile(mgr, def, dev_source->data.file.path, true);
  src/security/security_apparmor.c:1047: if (reload_profile(mgr, def, in, true) < 0)
  src/security/security_apparmor.c:1051: if (reload_profile(mgr, def, out, true) < 0)
  src/security/security_apparmor.c:1054: ret = reload_profile(mgr, def, dev_source->data.file.path, true);
  src/security/security_apparmor.c:1096: return reload_profile(mgr, def, savefile, true);
  src/security/security_apparmor.c:1111: rc = reload_profile(mgr, def, full_path, true);
  src/security/security_apparmor.c:1114: rc = reload_profile(mgr, def, path, true);
  src/security/security_apparmor.c:1152: return reload_profile(mgr, def, fd_path, true);

The only outlier to this rule is:
  src/security/security_apparmor.c:466: if (load_profile(mgr, secdef->label, def, NULL, false) < 0) {
Which is what we hit in the call chain of this use-case that fails here.