diff --git a/pkg/prebuild/directive/exec.go b/pkg/prebuild/directive/exec.go
index a1e24b78..a792a263 100644
--- a/pkg/prebuild/directive/exec.go
+++ b/pkg/prebuild/directive/exec.go
@@ -24,7 +24,6 @@ func init() {
 }
 func (d Exec) Apply(opt *Option, profile string) string {
- res := ""
 transition := "Px"
 transitions := []string{"P", "U", "p", "u", "PU", "pu"}
 for _, t := range transitions {
@@ -35,6 +34,7 @@ func (d Exec) Apply(opt *Option, profile string) string {
 }
 }
+ p := &aa.AppArmorProfile{}
 for name := range opt.Args {
 content, err := rootApparmord.Join(name).ReadFile()
 if err != nil {
@@ -42,7 +42,6 @@ func (d Exec) Apply(opt *Option, profile string) string {
 }
 profiletoTransition := string(content)
- p := &aa.AppArmorProfile{}
 dstProfile := aa.DefaultTunables()
 dstProfile.ParseVariables(profiletoTransition)
 for _, variable := range dstProfile.Variables {
@@ -56,7 +55,10 @@ func (d Exec) Apply(opt *Option, profile string) string {
 break
 }
 }
- res += p.String()
 }
- return strings.Replace(profile, opt.Raw, res, -1)
+ p.Sort()
+ rules := p.String()
+ lenRules := len(rules)
+ rules = rules[:lenRules-1]
+ return strings.Replace(profile, opt.Raw, rules, -1)
 }
diff --git a/pkg/prebuild/directive/exec_test.go b/pkg/prebuild/directive/exec_test.go
index cfcc2a6d..5c2c2534 100644
--- a/pkg/prebuild/directive/exec_test.go
+++ b/pkg/prebuild/directive/exec_test.go
@@ -28,9 +28,8 @@ func TestExec_Apply(t *testing.T) {
 Raw: " #aa:exec DiscoverNotifier",
 },
 profile: ` #aa:exec DiscoverNotifier`,
- want: ` @{lib}/DiscoverNotifier Px,
- @{lib}/@{multiarch}/{,libexec/}DiscoverNotifier Px,
-`,
+ want: ` @{lib}/@{multiarch}/{,libexec/}DiscoverNotifier Px,
+ @{lib}/DiscoverNotifier Px,`,
 },
 {
 name: "exec-unconfined",
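Review bot: `rules = rules[:lenRules-1]` at the end of Apply panics with a slice-bounds error whenever `p.String()` returns an empty string, because `lenRules-1` is then -1. That would presumably be the case when no target profile yields a matching variable, though String() itself is not visible here. The slice also drops the last byte whatever it is, while the intent appears to be removing a trailing newline. `rules := strings.TrimSuffix(p.String(), "\n")` handles both and makes `lenRules` unnecessary. Parts of Apply lie between the hunks and are not shown.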
@@ -43,8 +42,7 @@ func TestExec_Apply(t *testing.T) {
 },
 profile: ` #aa:exec U polkit-agent-helper`,
 want: ` @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] Ux,
- @{lib}/polkit-agent-helper-[0-9] Ux,
-`,
+ @{lib}/polkit-agent-helper-[0-9] Ux,`,
 },
 }
 for _, tt := range tests {
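Review bot: Both visible cases name a single target profile and produce at least one rule, so the two behaviours this change introduces are not pinned by the table. One is the merge of rules from several arguments into a single sorted block; the other is the output when no rule is generated, which is the input that reaches the `rules[:lenRules-1]` slice in exec.go with a possibly empty string. A case with two profile names in Args and a case whose target profile has no matching variable would cover both, and the second matters most for a directive that can emit `Ux` transitions, where the generated text should be exactly what was reviewed. The start of the test table is outside the hunk, so such cases may already exist.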