Here's a proposed fix. Patched against apparmor_2.8.95~2430-0ubuntu5. This modifies the Python parser to propagate information about 'current profile' context and defined variables to included files, in keeping with what I presume are the textual-inclusion semantics of #include. Because included files now modify their "parent" profile_data directly, parse_profile_data no longer caches parsed includes, and will re-parse them in each context where they're included.
This may have substantial performance impacts, which could be mitigated by instead separately storing data on "pending append" operations from includes, and applying those operations in any including context. This would allow an include file's operations to be applied to an including context without re-parsing the file.
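The "pending append" mitigation described in the comment above, shown as an added example (not code from the proposed patch or from AppArmor's Python parser): each file is parsed once into a cached list of operations, and those operations are replayed into every including context. The file names and the functions `parse_ops`, `apply_ops` and `load` are hypothetical, and the grammar is reduced to variable definitions, `+=` appends, `#include <...>` and opaque rule lines.

```python
import re

# Constructed sample files (hypothetical, not real AppArmor tunables).
FILES = {
    "tunables/extra": "@{HOMEDIRS} += /srv/home/\n",
    "profile_a": "@{HOMEDIRS} = /home/\n#include <tunables/extra>\n@{HOMEDIRS}** r,\n",
    "profile_b": "@{HOMEDIRS} = /export/\n#include <tunables/extra>\n",
}
_VAR = re.compile(r"^(@\{\w+\})\s*(\+?=)\s*(.+)$")
_INC = re.compile(r"^#include\s+<(.+)>$")
_cache, parse_count = {}, {}

def parse_ops(name):
    """Parse a file once into context-independent operations and cache them."""
    if name in _cache:
        return _cache[name]
    parse_count[name] = parse_count.get(name, 0) + 1
    ops = []
    for line in filter(None, map(str.strip, FILES[name].splitlines())):
        inc, var = _INC.match(line), _VAR.match(line)
        if inc:
            ops.append(("include", inc.group(1)))
        elif var:
            kind = "set" if var.group(2) == "=" else "append"
            ops.append((kind, var.group(1), var.group(3).split()))
        else:
            ops.append(("rule", line))
    _cache[name] = ops
    return ops

def apply_ops(name, ctx):
    """Replay a file's cached operations against the including context."""
    for op in parse_ops(name):
        if op[0] == "include":
            apply_ops(op[1], ctx)  # the include sees the parent's variables
        elif op[0] == "set":
            ctx["vars"][op[1]] = list(op[2])
        elif op[0] == "append":
            if op[1] not in ctx["vars"]:
                raise ValueError(f"{name}: append to undefined {op[1]}")
            ctx["vars"][op[1]].extend(op[2])
        else:
            ctx["rules"].append(op[1])
    return ctx

def load(name):
    """Build a fresh context for a top-level profile file."""
    return apply_ops(name, {"vars": {}, "rules": []})
```

The cached operation list carries no context of its own, so the same include gives different results in each including profile while being read only once.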