Comment 9 for bug 1014304

Christian Boltz (cboltz) wrote :

Kshitij and I worked on this today. After a very interesting[tm] hunt through the code, here's a proof-of-concept patch:

=== modified file 'utils/apparmor/aa.py'
--- utils/apparmor/aa.py 2014-08-17 16:16:33 +0000
+++ utils/apparmor/aa.py 2014-08-17 20:51:09 +0000
@@ -1043,6 +1043,14 @@
                 if not regex_nullcomplain.search(p) and not regex_nullcomplain.search(h):
                     profile = p
                     hat = h
+ else:
+ if profile_changes[pid]:
+ print(profile_changes[pid])
+ if len(profile_changes[pid].split("//"))>1:
+ profile,hat=profile_changes[pid].split("//")
+ else:
+ profile=profile_changes[pid]
+ hat=profile
                 if not profile or not hat or not detail:
                     continue

@@ -1097,6 +1106,7 @@

                 if do_execute:
                     if profile_known_exec(aa[profile][hat], 'exec', exec_target):
+ profile_changes[pid] = '/home/cb/linuxtag/apparmor/scripts/hello///usr/bin/cat'
                         continue

                     p = update_repo_profile(aa[profile][profile])
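Review bot: the hardcoded `profile_changes[pid] = '/home/cb/linuxtag/apparmor/scripts/hello///usr/bin/cat'` is, as the comment below says, a placeholder; the value should be derived from the exec mode already recorded in the profile, i.e. `profile + '//' + exec_target` for a child-profile transition and just the new profile name for a profile transition, so that the `split("//")` in the first hunk gets the profile//hat form it expects. Nothing in this hunk removes the entry again, so a reused pid will inherit a stale transition; the entry should be dropped (or overwritten) when the process exits or execs again. The `continue` directly after the assignment means the change only records the transition when `profile_known_exec` succeeds, which looks intended but deserves a comment.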

The first section of the patch is probably the final version already.

Needless to say, that `profile_changes[pid] = ...` line should not be hardcoded ;-) - it needs to be filled based on the exec mode, which we already have in the profile.