From b4e6f0449bbf8f87495f89b81dc14f82882468c0 Mon Sep 17 00:00:00 2001 From: John Johansen Date: Thu, 13 Feb 2025 12:26:29 -0800 Subject: [PATCH] aa-notify: fix package build install of polkit files The install of the polkit action files for aa-notify leaks build root information. From OBS apparmor-utils.noarch: E: file-contains-buildroot (Badness: 10000) /usr/share/polkit-1/actions/com.ubuntu.pkexec.aa-notify.policy this is present on Ubuntu as well /build/apparmor-ZUzkoL/apparmor-4.1.0~beta4/debian/tmp/usr/lib/python3/dist-packages/apparmor/update_profile.py this occurs because the {LIB_PATH} template variable is being replaced with the self.install_lib. Make sure we strip the build prefix if we are generating the files in a build environment instead of doing a direct install. Closes: https://gitlab.com/apparmor/apparmor/-/issues/486 Co-Author: Ryan Lee Signed-off-by: John Johansen
---
utils/python-tools-setup.py | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/utils/python-tools-setup.py b/utils/python-tools-setup.py
index 363762ce6..3f42ee38a 100644
--- a/utils/python-tools-setup.py
+++ b/utils/python-tools-setup.py
@@ -27,6 +27,14 @@ import sys
 from setuptools import setup
 from setuptools.command.install import install as _install
+# removeprefix is only in python 3.9+ support older python versions
+def replace_path_prefix(text, prefix):
+ if text.startswith(prefix):
+ suffix = text[len(prefix):]
+ if not suffix.startswith("/"):
+ suffix = "/" + suffix
+ return suffix
+ return text
 class Install(_install):
 """Override setuptools to install the files where we want them."""
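Review bot: `text.startswith(prefix)` in `replace_path_prefix` compares raw strings, so the match does not stop at a path-component boundary. With constructed values, a prefix of `/build/root` also matches `/build/root-extra/usr/lib`, and the helper returns `/-extra/usr/lib`, a path that was never installed. Because the second hunk substitutes the result for `{LIB_PATH}` in the polkit action file, the match should be anchored on a separator: `root = prefix.rstrip("/")`, then `if root and (text == root or text.startswith(root + "/")):` with `suffix = text[len(root):]`. The helper also has no docstring; a one-line `"""Return text with a leading staging-root prefix removed, always keeping a leading '/'."""` would record that a non-matching prefix returns `text` unchanged.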
@@ -65,7 +73,8 @@ class Install(_install):
 with open(pkexec_action_name, 'r') as f:
 polkit_template = f.read()
- polkit = polkit_template.format(LIB_PATH=self.install_lib)
+ # don't leak the buildroot into the polkit files
+ polkit = polkit_template.format(LIB_PATH=replace_path_prefix(self.install_lib, prefix))
 if not os.path.exists(prefix + '/usr/share/polkit-1/actions/'):
 self.mkpath(prefix + '/usr/share/polkit-1/actions/')
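Review bot: The new `replace_path_prefix(self.install_lib, prefix)` call strips `prefix` unconditionally, and `prefix` is assigned above this hunk where I cannot see it. If it can hold the installation prefix rather than a staging root, a direct install would write a `{LIB_PATH}` that no longer matches where the modules actually landed. The commit message says stripping is meant only for build environments, so the call should be guarded on the staging root. Assuming the command's `root` option is what marks a staged install, that would be `lib_path = replace_path_prefix(self.install_lib, self.root) if self.root else self.install_lib`, then `polkit = polkit_template.format(LIB_PATH=lib_path)`. Since this value ends up in a polkit action file, the comment should also state the invariant, e.g. `# LIB_PATH must be the final on-disk path, not the staged one`. The enclosing method starts and ends outside the hunk.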