mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 16:35:02 +01:00
[39/38] Ignore exec events for non-existing profiles
The switch to FileRule made some bugs visible that survived unnoticed with hasher for years.

If aa-logprof sees an exec event for a non-existing profile _and_ a profile file matching the expected profile filename exists in /etc/apparmor.d/, it asks for the exec mode nevertheless (instead of being silent).

In the old code, this created a superfluous entry somewhere in the aa hasher, and caused the existing profile to be rewritten (without changes). However, with FileRule it causes a crash saying

  File ".../utils/apparmor/aa.py", line 1335, in handle_children
    aa[profile][hat]['file'].add(FileRule(exec_target, file_perm, exec_mode, rule_to_name, owner=False, log_event=True))
AttributeError: 'collections.defaultdict' object has no attribute 'add'

This patch makes sure exec events for unknown profiles get ignored.

Reproducer:
python3 aa-logprof -f <(echo 'type=AVC msg=audit(1407865079.883:215): apparmor="ALLOWED" operation="exec" profile="/sbin/klogd" name="/does/not/exist" pid=11832 comm="foo" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/sbin/klogd//null-1"')

This causes a crash without this patch because /etc/apparmor.d/sbin.klogd exists, but has
profile klogd /{usr/,}sbin/klogd {

References: https://bugs.launchpad.net/bugs/1379874

Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
parent a15aee5490
commit 28b8be7bcb
1 changed file with 3 additions and 0 deletions
@ -1094,6 +1094,9 @@ def handle_children(profile, hat, root):
prelog[aamode][profile][hat]['path'][path] = mode
if do_execute:
if not aa[profile][hat]:
continue # ignore log entries for non-existing profiles
if profile_known_exec(aa[profile][hat], 'exec', exec_target):
continue
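Review bot: the new guard `if not aa[profile][hat]:` still indexes `aa` by `profile` and `hat`, and because `aa` is a defaultdict (the traceback in the commit message reports `'collections.defaultdict' object has no attribute 'add'`), the lookup itself auto-creates empty entries for the unknown profile and hat before the `continue` runs, which is the same superfluous hasher entry the commit message describes for the old code. A membership test avoids that side effect, for example `if profile not in aa or hat not in aa[profile]: continue`. The log line given as reproducer in the commit message would also make a good regression test for the exec-event path.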