[Apparmor-dev] [rfr] check for newer profile in repo before asking to add new hats and execs

jesse michael jmichael at suse.de
Wed Sep 26 17:10:11 MDT 2007


Currently, logprof/genprof asks hat and execute transition questions before
checking if there's a newer version of the profile in the repository,
which can result in just-added rules being erased when overwriting the
local profile with an updated version from the repository.

This adds checks for a newer profile in the repository before asking to
add new hats or execute rules to a profile.

It currently results in a repository check for every hat or exec in the
system log, whether the existing profile now satisfies the request or not,
which is not exactly ideal.

check_repo_for_newer() should be changed to return whether the profile was 
updated so that the callers can be refactored to only perform the repo check
if the current local profile does not satisfy the request.  


The code currently does something roughly along the lines of:

  check_repo_for_newer($profile);
  if (event_not_satisfied($profile, $event)) {
      prompt_user_for_event($profile, $event);
  }

It should probably be doing something like:

  if (event_not_satisfied($profile, $event)) {
      if (!upgrade_to_newer($profile) || event_not_satisfied($profile, $event)) {
          prompt_user_for_event($profile, $event);
      }
  }

-------------- next part --------------
A non-text attachment was scrubbed...
Name: repo-update-check.diff
Type: text/x-patch
Size: 631 bytes
Desc: not available
Url : http://forge.novell.com/pipermail/apparmor-dev/attachments/20070926/ee0a01a6/repo-update-check.bin
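
An added example, not part of the original message or of the AppArmor code base: a small Python model of the two orderings sketched in the message, counting how many repository checks each one makes for the same log events. Profiles as sets of rule strings, the `Repo` class, `run()` and the sample events are all constructed assumptions.

```python
# Constructed model, not AppArmor code: a profile is a set of rule strings.
class Repo:
    def __init__(self, newer):
        self.newer = newer      # profile name -> newer rule set (constructed)
        self.checks = 0         # number of repository round trips made

    def upgrade_to_newer(self, profiles, name):
        """Overwrite the local profile if the repo has a newer one; say whether it did."""
        self.checks += 1
        if name in self.newer:
            profiles[name] = set(self.newer.pop(name))
            return True
        return False


def check_first(profiles, repo, events, prompt):
    """Ordering the message describes as current: one repo check per logged event."""
    for name, rule in events:
        repo.upgrade_to_newer(profiles, name)
        if rule not in profiles[name]:
            prompt(profiles, name, rule)


def check_on_demand(profiles, repo, events, prompt):
    """Ordering the message proposes: ask the repo only when the local profile falls short."""
    for name, rule in events:
        if rule not in profiles[name]:
            if not repo.upgrade_to_newer(profiles, name) or rule not in profiles[name]:
                prompt(profiles, name, rule)


def run(strategy):
    profiles = {"/usr/bin/foo": {"/etc/foo.conf r"}}
    repo = Repo({"/usr/bin/foo": {"/etc/foo.conf r", "/bin/sh ix"}})
    events = [("/usr/bin/foo", "/etc/foo.conf r"),  # already allowed locally
              ("/usr/bin/foo", "/bin/sh ix"),       # covered by the newer repo profile
              ("/usr/bin/foo", "^admin")]           # hat that no version has yet
    prompts = []

    def prompt(profiles, name, rule):
        prompts.append(rule)
        profiles[name].add(rule)                    # model the user accepting the rule

    strategy(profiles, repo, events, prompt)
    return repo.checks, prompts, profiles["/usr/bin/foo"]
```

Both orderings prompt only for the hat that neither profile version covers, but the on-demand ordering skips the repository check for the event the local profile already satisfies.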

