From 73fe7a7475ab621ddc2af62e892a7bb38099c7d3 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 22 Mar 2024 19:47:45 +0000
Subject: [PATCH] build: exex directive: add support for transition.
---
 pkg/prebuild/directive/exec.go | 34 ++++++++++++++++++++---------
 pkg/prebuild/directive/exec_test.go | 14 ++++++++++++
 2 files changed, 38 insertions(+), 10 deletions(-)
diff --git a/pkg/prebuild/directive/exec.go b/pkg/prebuild/directive/exec.go
index 0fdc1f95..a1e24b78 100644
--- a/pkg/prebuild/directive/exec.go
+++ b/pkg/prebuild/directive/exec.go
@@ -18,7 +18,7 @@ func init() {
 Directives["exec"] = &Exec{
 DirectiveBase: DirectiveBase{
 message: "Exec directive applied",
- usage: `#aa:exec [P|U|p|u|i|] profiles_name...`,
+ usage: `#aa:exec [P|U|p|u|PU|pu|] profiles_name...`,
 },
 }
 }
@@ -26,23 +26,37 @@ func init() {
 func (d Exec) Apply(opt *Option, profile string) string {
 res := ""
 transition := "Px"
+ transitions := []string{"P", "U", "p", "u", "PU", "pu"}
+ for _, t := range transitions {
+ if _, present := opt.Args[t]; present {
+ transition = t + "x"
+ delete(opt.Args, t)
+ break
+ }
+ }
+
 for name := range opt.Args {
- tmp, err := rootApparmord.Join(name).ReadFile()
+ content, err := rootApparmord.Join(name).ReadFile()
 if err != nil {
 panic(err)
 }
- profiletoTransition := string(tmp)
+ profiletoTransition := string(content)
 
- p := aa.DefaultTunables()
- p.ParseVariables(profiletoTransition)
- for _, variable := range p.Variables {
+ p := &aa.AppArmorProfile{}
+ dstProfile := aa.DefaultTunables()
+ dstProfile.ParseVariables(profiletoTransition)
+ for _, variable := range dstProfile.Variables {
 if variable.Name == "exec_path" {
- for _, value := range variable.Values {
- res += " " + value + " " + transition + ",\n"
+ for _, v := range variable.Values {
+ p.Rules = append(p.Rules, &aa.File{
+ Path: v,
+ Access: transition,
+ })
 }
+ break
 }
 }
- profile = strings.Replace(profile, opt.Raw, res, -1)
+ res += p.String()
 }
- return profile
+ return strings.Replace(profile, opt.Raw, res, -1)
 }
diff --git a/pkg/prebuild/directive/exec_test.go b/pkg/prebuild/directive/exec_test.go
index 8367be26..cfcc2a6d 100644
--- a/pkg/prebuild/directive/exec_test.go
+++ b/pkg/prebuild/directive/exec_test.go
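Review bot: The `for name := range opt.Args` loop still walks a Go map, whose iteration order is randomized, so now that `res += p.String()` accumulates rules across profiles a directive naming two or more profiles can emit them in a different order from one build to the next; collect the keys and sort them before iterating, which also means adding `sort` (or `slices` on Go 1.21+) to the import block outside this hunk. The transition scan above it consumes any argument spelled `P`, `U`, `p`, `u`, `PU` or `pu`, so a profile with one of those names can never be targeted, and `delete(opt.Args, t)` mutates the caller's map — worth a comment such as `// transition keywords are removed from Args; the remaining keys are profile names`. Since the lowercase modes (`px`, `ux`, `pux`) do not scrub the environment on exec and the `U`/`PU` forms fall back to running unconfined, the directive's doc comment should say so, e.g. `// Exec emits exec rules for the exec_path of each named profile; the mode defaults to Px.`.
```go
	// Sort profile names so the emitted rules are stable across builds.
	names := make([]string, 0, len(opt.Args))
	for name := range opt.Args {
		names = append(names, name)
	}
	sort.Strings(names)
	for _, name := range names {
		// … unchanged: read profile, parse exec_path, append rules …
	}
	return strings.Replace(profile, opt.Raw, res, -1)
```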
@@ -30,6 +30,20 @@ func TestExec_Apply(t *testing.T) {
 profile: ` #aa:exec DiscoverNotifier`,
 want: ` @{lib}/DiscoverNotifier Px,
 @{lib}/@{multiarch}/{,libexec/}DiscoverNotifier Px,
+`,
+ },
+ {
+ name: "exec-unconfined",
+ rootApparmord: paths.New("../../../apparmor.d/groups/freedesktop/"),
+ opt: &Option{
+ Name: "exec",
+ Args: map[string]string{"U": "", "polkit-agent-helper": ""},
+ File: nil,
+ Raw: " #aa:exec U polkit-agent-helper",
+ },
+ profile: ` #aa:exec U polkit-agent-helper`,
+ want: ` @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] Ux,
+ @{lib}/polkit-agent-helper-[0-9] Ux,
 `,
 },
 }
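Review bot: The new `exec-unconfined` case pins only the `U` mode, while `PU` and `pu`, which the same commit adds to the transitions list in exec.go, and the lowercase `p`/`u` modes get no coverage at all. A second case with `Args: map[string]string{"PU": "", "polkit-agent-helper": ""}` and the same two paths ending in `PUx,` would exercise the two-letter branch of `transition = t + "x"`, and a case naming two profiles would make the cross-profile rule ordering visible. TestExec_Apply starts and ends outside this hunk.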