diff --git a/parser/all_rule.cc b/parser/all_rule.cc
index 34159349e..4ebc47a8a 100644
--- a/parser/all_rule.cc
+++ b/parser/all_rule.cc
@@ -39,7 +39,7 @@ void all_rule::add_implied_rules(Profile &prof)
 	prefix_rule_t *rule;
 	const prefixes *prefix = this;
 
-	rule = new unix_rule(0, audit, rule_mode);
+	rule = new unix_rule(0xffffffff, audit, rule_mode);
 	(void) rule->add_prefix(*prefix);
 	prof.rule_ents.push_back(rule);
 
@@ -67,7 +67,7 @@ void all_rule::add_implied_rules(Profile &prof)
 	(void) rule->add_prefix(*prefix);
 	prof.rule_ents.push_back(rule);
 
-	rule = new mnt_rule(NULL, NULL, NULL, NULL, 0);
+	rule = new mnt_rule(NULL, NULL, NULL, NULL, AA_MAY_MOUNT);
 	(void) rule->add_prefix(*prefix);
 	prof.rule_ents.push_back(rule);
 
diff --git a/tests/regression/apparmor/aa_exec.sh b/tests/regression/apparmor/aa_exec.sh
index daaefee9b..9ef1f5355 100755
--- a/tests/regression/apparmor/aa_exec.sh
+++ b/tests/regression/apparmor/aa_exec.sh
@@ -79,3 +79,16 @@ runchecktest "complain (--namespace=${ns})" pass "$aa_exec -n $ns -p $test" "$te
 
 genprofile_aa_exec "$test" 0
 runchecktest "negative test: bad ns (--namespace=${ns}XXX)" fail "$aa_exec -n ${ns}XXX -p $test" "$test (enforce)"
+
+if [ "$(parser_supports 'all,')" = "true" ]; then
+    genprofile --stdin <<EOF
+$test {
+  all,
+}
+
+:${ns}:${test} {
+  all,
+}
+EOF
+    runchecktest "allow all" pass "$aa_exec -p $test" "$test (enforce)"
+fi
diff --git a/tests/regression/apparmor/access.sh b/tests/regression/apparmor/access.sh
index 6b0c9675c..189526ec0 100644
--- a/tests/regression/apparmor/access.sh
+++ b/tests/regression/apparmor/access.sh
@@ -28,7 +28,14 @@ wxperm=wix
 touch $file
 chmod 777 $file	# full perms so discretionary access checks succeed
 
-# PASS TEST 
+# PASS TEST
+if [ "$(parser_supports 'all,')" = "true" ]; then
+    genprofile "all"
+    runchecktest "ACCESS allow all r (rwx)" pass $file r
+    runchecktest "ACCESS allow all rx (rwx)" pass $file rx
+    runchecktest "ACCESS allow all rwx (rwx)" pass $file rwx
+fi
+
 genprofile $file:$rwxperm
 runchecktest "ACCESS file r (rwx)" pass $file r
 runchecktest "ACCESS file rx (rwx)" pass $file rx
diff --git a/tests/regression/apparmor/attach_disconnected.sh b/tests/regression/apparmor/attach_disconnected.sh
index c63e6611b..bb6dced26 100644
--- a/tests/regression/apparmor/attach_disconnected.sh
+++ b/tests/regression/apparmor/attach_disconnected.sh
@@ -105,6 +105,15 @@ do_test "attach_disconnected" pass $file $att_dis_client $socket $loop_device $n
 
 # TODO: adding attach_disconnected.path to a replaced unconfined
 
+# ALLOW ALL does not include attach_disconnected
+if [ "$(parser_supports 'all,')" = "true" ]; then
+	genprofile "all" flag:attach_disconnected -- image=$att_dis_client "all"
+	do_test "attach_disconnected allow all" pass $file $att_dis_client $socket $loop_device $new_root $put_old
+
+	genprofile "all" -- image=$att_dis_client "all"
+	do_test "attach_disconnected allow all no flag" fail $file $att_dis_client $socket $loop_device $new_root $put_old
+fi
+
 genprofile $file_perm unix:create $socket_perm $att_dis_client:px -- image=$att_dis_client $file_perm unix:create $socket_perm $create_dir $cap "pivot_root:ALL" "mount:ALL" flag:attach_disconnected
 
 do_test "attach_disconnected" pass $file $att_dis_client $socket $loop_device $new_root $put_old
diff --git a/tests/regression/apparmor/dbus_eavesdrop.sh b/tests/regression/apparmor/dbus_eavesdrop.sh
index 32746a9b1..189fc16b9 100755
--- a/tests/regression/apparmor/dbus_eavesdrop.sh
+++ b/tests/regression/apparmor/dbus_eavesdrop.sh
@@ -45,6 +45,11 @@ run_tests()
 
 	# Make sure we're okay when confined with appropriate permissions
 
+	if [ "$(parser_supports 'all,')" = "true" ]; then
+		gendbusprofile "all,"
+		runchecktest "eavesdrop (allow all)" pass $args
+	fi
+
 	gendbusprofile "dbus,"
 	runchecktest "eavesdrop (dbus allowed)" pass $args
 
diff --git a/tests/regression/apparmor/dbus_message.sh b/tests/regression/apparmor/dbus_message.sh
index 14bd1e522..882997eb6 100755
--- a/tests/regression/apparmor/dbus_message.sh
+++ b/tests/regression/apparmor/dbus_message.sh
@@ -60,6 +60,12 @@ run_tests()
 
 	# Make sure send is allowed when confined with appropriate permissions
 
+	if [ "$(parser_supports 'all,')" = "true" ]; then
+		message_gendbusprofile "all,"
+		runtestfg "message (allow all)" pass $confined_args
+		checktestfg "compare_logs $unconfined_log eq $confined_log"
+	fi
+
 	message_gendbusprofile "dbus,"
 	runtestfg "message (dbus allowed)" pass $confined_args
 	checktestfg "compare_logs $unconfined_log eq $confined_log"
diff --git a/tests/regression/apparmor/dbus_service.sh b/tests/regression/apparmor/dbus_service.sh
index 10b61484a..4daf74dd7 100755
--- a/tests/regression/apparmor/dbus_service.sh
+++ b/tests/regression/apparmor/dbus_service.sh
@@ -92,6 +92,14 @@ run_tests()
 
 	# Make sure we're okay when confined with appropriate permissions
 
+	if [ "$(parser_supports 'all,')" = "true" ]; then
+		service_gendbusprofile "all,"
+		service_runtestbg "service (allow all)" pass $unconfined_log
+		sendmethod
+		sendsignal
+		service_checktestbg "compare_logs $unconfined_log eq $confined_log"
+	fi
+
 	service_gendbusprofile "dbus,"
 	service_runtestbg "service (dbus allowed)" pass $unconfined_log
 	sendmethod
diff --git a/tests/regression/apparmor/dbus_unrequested_reply.sh b/tests/regression/apparmor/dbus_unrequested_reply.sh
index 626554f3d..6b6d658c3 100644
--- a/tests/regression/apparmor/dbus_unrequested_reply.sh
+++ b/tests/regression/apparmor/dbus_unrequested_reply.sh
@@ -80,6 +80,14 @@ run_tests()
 	sendmethodreturn
 	ur_checktestbg
 
+	if [ "$(parser_supports 'all,')" = "true" ]; then
+		# All perms are granted so the logs should be equal
+		ur_gendbusprofile "all,"
+		ur_runtestbg "unrequested_reply (method_return, dbus allowed)" pass $confined_log
+		sendmethodreturn
+		ur_checktestbg "compare_logs $unconfined_log eq $confined_log"
+	fi
+
 	# All dbus perms are granted so the logs should be equal
 	ur_gendbusprofile "dbus,"
 	ur_runtestbg "unrequested_reply (method_return, dbus allowed)" pass $confined_log
diff --git a/tests/regression/apparmor/io_uring.sh b/tests/regression/apparmor/io_uring.sh
index 8f0feec9d..92e8002a2 100755
--- a/tests/regression/apparmor/io_uring.sh
+++ b/tests/regression/apparmor/io_uring.sh
@@ -55,6 +55,11 @@ do_tests "no perms" fail fail
 genprofile $required_perms "qual=deny:io_uring"
 do_tests "deny perms" fail fail
 
+if [ "$(parser_supports 'all,')" = "true" ]; then
+	genprofile "all"
+	do_tests "allow all" pass pass
+fi
+
 genprofile $required_perms "io_uring"
 do_tests "generic perms" pass pass
 
diff --git a/tests/regression/apparmor/mount.sh b/tests/regression/apparmor/mount.sh
index 37c5f3193..0154d1ac1 100755
--- a/tests/regression/apparmor/mount.sh
+++ b/tests/regression/apparmor/mount.sh
@@ -424,6 +424,34 @@ fsmount_tests() {
 	fsmount_test " fsmount deny att_dis" "qual=deny:" "flag:attach_disconnected" ${should_fail}
 }
 
+all_rule() {
+	if [ "$(parser_supports 'all,')" != "true" ]; then
+		echo "    not supported by parser - skipping allow all,"
+		return
+	fi
+
+	settest mount
+	genprofile "all"
+
+	runchecktest "MOUNT (confined allow all)" pass mount ${loop_device} ${mount_point}
+
+	runchecktest "UMOUNT (confined allow all)" pass umount ${loop_device} ${mount_point}
+
+	runchecktest "MOUNT (confined allow all remount setup)" pass mount ${loop_device} ${mount_point}
+	runchecktest "MOUNT (confined allow all remount)" pass mount ${loop_device} ${mount_point} -o remount
+	remove_mnt
+
+	settest move_mount
+	genprofile "all"
+
+	runchecktest "MOVE_MOUNT (confined fsmount: allow all)" pass fsmount ${loop_device} ${mount_point} ${fstype}
+	remove_mnt
+
+	mount ${loop_device} ${mnt_source}
+	runchecktest "MOVE_MOUNT (confined open_tree: allow all)" pass open_tree ${mount_point2} ${mount_point} ${fstype}
+	remove_mnt
+}
+
 # TEST 1.  Make sure can mount and umount unconfined
 runchecktest "MOUNT (unconfined)" pass mount ${loop_device} ${mount_point}
 remove_mnt
@@ -569,6 +597,8 @@ else
 	fsmount_tests tmpfs ${mount_point} tmpfs
 	fsmount_tests ${loop_device} ${mount_point} ${fstype}
 	open_tree_tests ${mount_point2} ${mount_point} ${fstype}
+
+	all_rule
 fi
 
 #need tests for chroot
diff --git a/tests/regression/apparmor/net_inet.sh b/tests/regression/apparmor/net_inet.sh
index f5060740a..c72ad8f52 100644
--- a/tests/regression/apparmor/net_inet.sh
+++ b/tests/regression/apparmor/net_inet.sh
@@ -97,8 +97,8 @@ generate_profile="genprofile network $sender:px -- image=$sender network"
 do_tests "ipv4 tcp no conds" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port tcp "$generate_profile"
 
 setsockopt_rules="network;(setopt,getopt);ip=0.0.0.0;port=0" # INADDR_ANY
-rcv_rules="network;ip=$bind_ipv4;peer=(ip=anon)"
-snd_rules="network;ip=$remote_ipv4;peer=(ip=anon)"
+rcv_rules="network;ip=$bind_ipv4;peer=(ip=none)"
+snd_rules="network;ip=$remote_ipv4;peer=(ip=none)"
 
 generate_profile="genprofile network;ip=$bind_ipv4;port=$bind_port;peer=(ip=$remote_ipv4,port=$remote_port) $setsockopt_rules $rcv_rules $sender:px -- image=$sender network;ip=$remote_ipv4;port=$remote_port;peer=(ip=$bind_ipv4,port=$bind_port) $setsockopt_rules $snd_rules"
 do_tests "ipv4 udp generic perms" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port udp "$generate_profile"
@@ -126,11 +126,26 @@ generate_profile="genprofile network $sender:px -- image=$sender network"
 do_tests "ipv6 tcp no conds" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port tcp "$generate_profile"
 
 setsockopt_rules="network;(setopt,getopt);ip=::0;port=0" # IN6ADDR_ANY_INIT
-rcv_rules="network;ip=$bind_ipv6;peer=(ip=anon)"
-snd_rules="network;ip=$remote_ipv6;peer=(ip=anon)"
+rcv_rules="network;ip=$bind_ipv6;peer=(ip=none)"
+snd_rules="network;ip=$remote_ipv6;peer=(ip=none)"
 
 generate_profile="genprofile network;ip=$bind_ipv6;port=$bind_port;peer=(ip=$remote_ipv6,port=$remote_port) $setsockopt_rules $rcv_rules $sender:px -- image=$sender network;ip=$remote_ipv6;port=$remote_port;peer=(ip=$bind_ipv6,port=$bind_port) $setsockopt_rules $snd_rules"
 do_tests "ipv6 udp generic perms" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port udp "$generate_profile"
 
 generate_profile="genprofile network;ip=$bind_ipv6;port=$bind_port;peer=(ip=$remote_ipv6,port=$remote_port) $setsockopt_rules $rcv_rules $sender:px -- image=$sender network;ip=$remote_ipv6;port=$remote_port;peer=(ip=$bind_ipv6,port=$bind_port) $setsockopt_rules $snd_rules"
 do_tests "ipv6 tcp generic perms" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port tcp "$generate_profile"
+
+
+if [ "$(parser_supports 'all,')" = "true" ]; then
+    generate_profile="genprofile all -- image=$sender all"
+    do_tests "ipv4 udp allow all" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port udp "$generate_profile"
+
+    generate_profile="genprofile all -- image=$sender all"
+    do_tests "ipv4 tcp allow all" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port tcp "$generate_profile"
+
+    generate_profile="genprofile all -- image=$sender all"
+    do_tests "ipv6 udp allow all" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port udp "$generate_profile"
+
+    generate_profile="genprofile all -- image=$sender all"
+    do_tests "ipv6 tcp allow all" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port tcp "$generate_profile"
+fi
diff --git a/tests/regression/apparmor/net_raw.sh b/tests/regression/apparmor/net_raw.sh
index ca42e56a4..6b4304ca6 100755
--- a/tests/regression/apparmor/net_raw.sh
+++ b/tests/regression/apparmor/net_raw.sh
@@ -29,3 +29,7 @@ runchecktest "RAW SOCKET (no cap)" fail
 genprofile cap:net_raw network:
 runchecktest "RAW SOCKET (cap net_raw)" pass
 
+if [ "$(parser_supports 'all,')" = "true" ]; then
+	genprofile "all"
+	runchecktest "RAW SOCKET (allow all)" pass
+fi
diff --git a/tests/regression/apparmor/pivot_root.sh b/tests/regression/apparmor/pivot_root.sh
index dd7104edc..70abec5e7 100755
--- a/tests/regression/apparmor/pivot_root.sh
+++ b/tests/regression/apparmor/pivot_root.sh
@@ -120,6 +120,11 @@ if [ "$(kernel_features mount)" != "true" -o "$(parser_supports 'mount,')" != "t
 	exit
 fi
 
+if [ "$(parser_supports 'all,')" = "true" ]; then
+	genprofile "all"
+	do_test "allow all rule" pass "$put_old" "$new_root" "$test"
+fi
+
 # Ensure failure when no pivot_root perms are granted
 genprofile $cur $cap
 do_test "cap only" fail "$put_old" "$new_root" "$test"
diff --git a/tests/regression/apparmor/posix_mq.sh b/tests/regression/apparmor/posix_mq.sh
index 0a049009f..9a2c92edd 100755
--- a/tests/regression/apparmor/posix_mq.sh
+++ b/tests/regression/apparmor/posix_mq.sh
@@ -95,6 +95,10 @@ for username in "root" "$userid" ; do
     genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "deny:mqueue" "$sender:px" "$pipe:rw" -- image=$sender "deny mqueue" "$pipe:rw"
     do_tests "confined $username - deny perms" fail fail fail fail $usercmd
 
+    if [ "$(parser_supports 'all,')" = "true" ]; then
+	genprofile "all" -- image=$sender "all"
+	do_tests "confined $username - allow all" pass pass pass pass $usercmd
+    fi
 
     # generic mqueue
     # 2 Potential failures caused by missing other x permission in path
diff --git a/tests/regression/apparmor/ptrace_v6.inc b/tests/regression/apparmor/ptrace_v6.inc
index b0cf983ad..5065a2e8f 100644
--- a/tests/regression/apparmor/ptrace_v6.inc
+++ b/tests/regression/apparmor/ptrace_v6.inc
@@ -235,6 +235,15 @@ runchecktest "test 12p2 -hc" fail -h -c -n 100 $helper
 runchecktest "test 12p2 -h prog" fail -h -n 100 $helper ${bin_true}
 runchecktest "test 12p2 -hc prog" fail -h -c -n 100 $helper ${bin_true}
 
+if [ "$(parser_supports 'all,')" = "true" ]; then
+	genprofile "all"
+	runchecktest "test allow all" pass -n 100 ${bin_true}
+	runchecktest "test allow all -c" pass -c -n 100 ${bin_true}
+	runchecktest "test allow all -h" pass -h -n 100 $helper
+	runchecktest "test allow all -hc" pass -h -c -n 100 $helper
+	runchecktest "test allow all -h prog" pass -h -n 100 $helper ${bin_true}
+	runchecktest "test allow all -hc prog" pass -h -c -n 100 $helper ${bin_true}
+fi
 
 #ptraced confined app traced by profile can px
 genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix
diff --git a/tests/regression/apparmor/tcp.sh b/tests/regression/apparmor/tcp.sh
index 4d27b7bb4..7d528cb39 100755
--- a/tests/regression/apparmor/tcp.sh
+++ b/tests/regression/apparmor/tcp.sh
@@ -35,6 +35,12 @@ runchecktest "TCP (no apparmor)" pass $port
 genprofile 
 runchecktest "TCP (accept, connect) no network rules" fail $port
 
+if [ "$(parser_supports 'all,')" = "true" ]; then
+	# PASS TEST - allow all
+	genprofile "all"
+	runchecktest "TCP (allow all)" pass $port
+fi
+
 # PASS TEST - allow tcp
 genprofile network:tcp
 runchecktest "TCP (accept, connect) allow tcp" pass $port
diff --git a/tests/regression/apparmor/unix_socket.inc b/tests/regression/apparmor/unix_socket.inc
index 905c99c6f..6d6c60fd4 100644
--- a/tests/regression/apparmor/unix_socket.inc
+++ b/tests/regression/apparmor/unix_socket.inc
@@ -71,6 +71,11 @@ do_test()
 
 	desc+=" confined $test_prog"
 
+	if [ "$(parser_supports 'all,')" = "true" ]; then
+		$genprof "all"
+		runchecktest "$desc (allow all)" pass $args
+	fi
+
 	$genprof "unix:ALL"
 	runchecktest "$desc (implicit perms)" pass $args
 
diff --git a/tests/regression/apparmor/userns.sh b/tests/regression/apparmor/userns.sh
index df1260ae3..9df4e7b43 100755
--- a/tests/regression/apparmor/userns.sh
+++ b/tests/regression/apparmor/userns.sh
@@ -101,6 +101,11 @@ fi
 # confined tests should have the same results if apparmor_restrict_unprivileged_userns is enabled or not
 run_confined_tests()
 {
+	if [ "$(parser_supports 'all,')" = "true" ]; then
+		generate_profile="genprofile all"
+		do_test "confined allow all $1" pass pass pass pass "$generate_profile"
+	fi
+
 	generate_profile="genprofile userns"
 	do_test "confined all perms $1" pass pass fail fail "$generate_profile"