From 652dac0cec060f4ad7ddbdee0adb900615351c47 Mon Sep 17 00:00:00 2001
From: Tyler Hicks <tyhicks@canonical.com>
Date: Thu, 31 May 2018 17:27:00 +0000
Subject: [PATCH 1/2] aa-exec: Remove extra newline when profile changes fail

An extra newline was being printed when aa_change_profile() failed and
errno was ENOENT or EACCES.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
---
 binutils/aa_exec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/binutils/aa_exec.c b/binutils/aa_exec.c
index 7e73f45f3..85424c010 100644
--- a/binutils/aa_exec.c
+++ b/binutils/aa_exec.c
@@ -202,7 +202,7 @@ int main(int argc, char **argv)
 
 	if (rc) {
 		if (errno == ENOENT || errno == EACCES) {
-			error("%s '%s' does not exist\n",
+			error("%s '%s' does not exist",
 			      opt_profile ? "profile" : "namespace", name);
 		} else if (errno == EINVAL) {
 			error("AppArmor interface not available");

From 95286bb9e7ac8eb904a6a385934cda2ee10d62b4 Mon Sep 17 00:00:00 2001
From: Tyler Hicks <tyhicks@canonical.com>
Date: Thu, 31 May 2018 17:32:39 +0000
Subject: [PATCH 2/2] aa-exec: Clarify ENOENT and EACCES errors when changing
 profiles

The aa-exec tool was indicating, in an error message, that a profile
didn't exist in cases where aa_change_profile() failed with errno set to
ENOENT or EACCES. However, the EACCES error means that changing to the
target profile is not allowed. This patch fixes the error message in the
cause of EACCES:

 $ ./aa-exec -p dne -- true
 aa-exec: ERROR: profile 'dne' does not exist

 $ ./aa-exec -p /usr/sbin/tcpdump -- ./aa-exec -p unconfined -- true
 aa-exec: ERROR: insufficient permissions to change to the profile 'unconfined'

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
---
 binutils/aa_exec.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/binutils/aa_exec.c b/binutils/aa_exec.c
index 85424c010..f85bba2f9 100644
--- a/binutils/aa_exec.c
+++ b/binutils/aa_exec.c
@@ -201,9 +201,12 @@ int main(int argc, char **argv)
 	}
 
 	if (rc) {
-		if (errno == ENOENT || errno == EACCES) {
+		if (errno == ENOENT) {
 			error("%s '%s' does not exist",
 			      opt_profile ? "profile" : "namespace", name);
+		} else if (errno == EACCES) {
+			error("insufficient permissions to change to the %s '%s'",
+			      opt_profile ? "profile" : "namespace", name);
 		} else if (errno == EINVAL) {
 			error("AppArmor interface not available");
 		} else {