dirtest.sh: don't rely on apparmor_parser -N's output sort order to be deterministic

I've seen this test fail because "apparmor_parser -N" returned the expected
lines, but in a different order than what's expected (dirtest.out).

To fix this, sort both the expected and actual output.

.gitignore

@@ -4,6 +4,8 @@ binutils/aa-enabled
 binutils/aa-enabled.1
 binutils/aa-exec
 binutils/aa-exec.1
+binutils/aa-features-abi
+binutils/aa-features-abi.1
 binutils/aa-status
 binutils/aa-status.8
 binutils/cJSON.o
@@ -12,6 +14,7 @@ parser/po/*.mo
 parser/af_names.h
 parser/cap_names.h
 parser/generated_cap_names.h
+parser/generated_af_names.h
 parser/tst_lib
 parser/tst_misc
 parser/tst_regex
@@ -157,6 +160,7 @@ libraries/libapparmor/swig/perl/libapparmor_wrap.c
 libraries/libapparmor/swig/perl/libapparmor_wrap.o
 libraries/libapparmor/swig/perl/pm_to_blib
 libraries/libapparmor/swig/python/LibAppArmor.py
+libraries/libapparmor/swig/python/LibAppArmor.egg-info/
 libraries/libapparmor/swig/python/build/
 libraries/libapparmor/swig/python/libapparmor_wrap.c
 libraries/libapparmor/swig/python/Makefile
@@ -173,7 +177,7 @@ libraries/libapparmor/swig/ruby/LibAppArmor_wrap.c
 libraries/libapparmor/swig/ruby/LibAppArmor_wrap.o
 libraries/libapparmor/swig/ruby/Makefile
 libraries/libapparmor/swig/ruby/Makefile.in
-libraries/libapparmor/swig/ruby/Makefile.new
+libraries/libapparmor/swig/ruby/Makefile.bak
 libraries/libapparmor/swig/ruby/Makefile.ruby
 libraries/libapparmor/swig/ruby/mkmf.log
 libraries/libapparmor/testsuite/.deps
@@ -201,14 +205,22 @@ utils/*.tmp
 utils/po/*.mo
 utils/apparmor/*.pyc
 utils/apparmor/rule/*.pyc
+utils/apparmor.egg-info/
+utils/build/
+utils/htmlcov/
 utils/test/common_test.pyc
 utils/test/.coverage
+utils/test/coverage-report.txt
 utils/test/htmlcov/
 utils/vim/apparmor.vim
 utils/vim/apparmor.vim.5
 utils/vim/apparmor.vim.5.html
 utils/vim/pod2htmd.tmp
+tests/regression/apparmor/*.o
+tests/regression/apparmor/aa_policy_cache
 tests/regression/apparmor/access
+tests/regression/apparmor/at_secure
+tests/regression/apparmor/attach_disconnected
 tests/regression/apparmor/changehat
 tests/regression/apparmor/changehat_fail
 tests/regression/apparmor/changehat_fork
@@ -223,6 +235,10 @@ tests/regression/apparmor/chgrp
 tests/regression/apparmor/chmod
 tests/regression/apparmor/chown
 tests/regression/apparmor/clone
+tests/regression/apparmor/dbus_eavesdrop
+tests/regression/apparmor/dbus_message
+tests/regression/apparmor/dbus_service
+tests/regression/apparmor/dbus_unrequested_reply
 tests/regression/apparmor/deleted
 tests/regression/apparmor/env_check
 tests/regression/apparmor/environ
@@ -233,7 +249,10 @@ tests/regression/apparmor/fchdir
 tests/regression/apparmor/fchgrp
 tests/regression/apparmor/fchmod
 tests/regression/apparmor/fchown
+tests/regression/apparmor/fd_inheritance
+tests/regression/apparmor/fd_inheritor
 tests/regression/apparmor/fork
+tests/regression/apparmor/introspect
 tests/regression/apparmor/link
 tests/regression/apparmor/link_subset
 tests/regression/apparmor/mkdir
@@ -244,15 +263,20 @@ tests/regression/apparmor/net_raw
 tests/regression/apparmor/open
 tests/regression/apparmor/openat
 tests/regression/apparmor/pipe
+tests/regression/apparmor/pivot_root
 tests/regression/apparmor/ptrace
 tests/regression/apparmor/ptrace_helper
 tests/regression/apparmor/pwrite
+tests/regression/apparmor/query_label
 tests/regression/apparmor/readdir
 tests/regression/apparmor/rename
 tests/regression/apparmor/rw
+tests/regression/apparmor/socketpair
 tests/regression/apparmor/swap
 tests/regression/apparmor/symlink
 tests/regression/apparmor/syscall_chroot
+tests/regression/apparmor/syscall_ioperm
+tests/regression/apparmor/syscall_iopl
 tests/regression/apparmor/syscall_mknod
 tests/regression/apparmor/syscall_mlockall
 tests/regression/apparmor/syscall_ptrace
@@ -264,10 +288,15 @@ tests/regression/apparmor/syscall_setscheduler
 tests/regression/apparmor/syscall_sysctl
 tests/regression/apparmor/sysctl_proc
 tests/regression/apparmor/tcp
+tests/regression/apparmor/transition
 tests/regression/apparmor/unix_fd_client
 tests/regression/apparmor/unix_fd_server
+tests/regression/apparmor/unix_socket
+tests/regression/apparmor/unix_socket_client
 tests/regression/apparmor/unlink
+tests/regression/apparmor/uservars.inc
 tests/regression/apparmor/xattrs
+tests/regression/apparmor/xattrs_profile
 tests/regression/apparmor/coredump
 **/__pycache__/
 *.orig

.gitlab-ci.yml

@@ -1,9 +1,5 @@
 ---
 image: ubuntu:latest
-before_script:
-  - export DEBIAN_FRONTEND=noninteractive && apt-get update -qq && apt-get install --no-install-recommends -y build-essential apache2-dev autoconf automake bison dejagnu flex libpam-dev libtool perl liblocale-gettext-perl pkg-config python-all-dev python3-all-dev pyflakes3 ruby-dev swig lsb-release python3-coverage python3-notify2 python3-psutil zlib1g-dev
-  - lsb_release -a
-  - uname -a
 
 # XXX - add a deploy stage to publish man pages, docs, and coverage
 # reports
@@ -12,45 +8,131 @@ stages:
   - build
   - test
 
+.ubuntu-before_script:
+  before_script:
+    - export DEBIAN_FRONTEND=noninteractive
+    - apt-get update -qq
+    - apt-get install --no-install-recommends -y gcc perl liblocale-gettext-perl linux-libc-dev lsb-release make
+    - lsb_release -a
+    - uname -a
+
+.install-c-build-deps: &install-c-build-deps
+  - apt-get install --no-install-recommends -y build-essential apache2-dev autoconf automake bison dejagnu flex libpam-dev libtool pkg-config python3-all-dev python3-setuptools ruby-dev swig zlib1g-dev
+
 build-all:
   stage: build
+  extends:
+    - .ubuntu-before_script
   artifacts:
     name: ${CI_COMMIT_REF_NAME}-${CI_COMMIT_SHA}
     expire_in: 30 days
     untracked: true
     paths:
-        - libraries/libapparmor/
-        - parser/
-        - binutils/
-        - utils/
-        - changehat/mod_apparmor/
-        - changehat/pam_apparmor/
-        - profiles/
+      - libraries/libapparmor/
+      - parser/
+      - binutils/
+      - utils/
+      - changehat/mod_apparmor/
+      - changehat/pam_apparmor/
+      - profiles/
   script:
-      - cd libraries/libapparmor && ./autogen.sh && ./configure --with-perl --with-python --prefix=/usr && make && cd ../.. || { cat config.log ; exit 1 ; }
-      - make -C parser
-      - make -C binutils
-      - make -C utils
-      - make -C changehat/mod_apparmor
-      - make -C changehat/pam_apparmor
-      - make -C profiles
+    - *install-c-build-deps
+    - cd libraries/libapparmor && ./autogen.sh && ./configure --with-perl --with-python --prefix=/usr && make && cd ../.. || { cat config.log ; exit 1 ; }
+    - make -C parser
+    - make -C binutils
+    - make -C utils
+    - make -C changehat/mod_apparmor
+    - make -C changehat/pam_apparmor
+    - make -C profiles
 
-test-all:
+test-libapparmor:
   stage: test
+  needs: ["build-all"]
+  extends:
+    - .ubuntu-before_script
   script:
-      - make -C libraries/libapparmor check
-      - make -C parser check
-      - make -C binutils check
-      - make -C utils check
-      - make -C utils/test coverage-regression
-      - make -C changehat/mod_apparmor check
-      - make -C profiles check-parser
-      - make -C profiles check-abstractions.d
+    - *install-c-build-deps
+    - make -C libraries/libapparmor check
+
+test-parser:
+  stage: test
+  needs: ["build-all"]
+  extends:
+    - .ubuntu-before_script
+  script:
+    - *install-c-build-deps
+    - make -C parser check
+
+test-binutils:
+  stage: test
+  needs: ["build-all"]
+  extends:
+    - .ubuntu-before_script
+  script:
+    - make -C binutils check
+
+test-utils:
+  stage: test
+  needs: ["build-all"]
+  extends:
+    - .ubuntu-before_script
+  script:
+    - apt-get install --no-install-recommends -y libc6-dev libjs-jquery libjs-jquery-throttle-debounce libjs-jquery-isonscreen libjs-jquery-tablesorter pyflakes3 python3-coverage python3-notify2 python3-psutil python3-setuptools
+    # See apparmor/apparmor#221
+    - make -C parser/tst gen_dbus
+    - make -C parser/tst gen_xtrans
+    - make -C utils check
+    - make -C utils/test coverage-regression
+  artifacts:
+    paths:
+      - utils/test/htmlcov/
+    when: always
+
+test-mod-apparmor:
+  stage: test
+  needs: ["build-all"]
+  extends:
+    - .ubuntu-before_script
+  script:
+    - make -C changehat/mod_apparmor check
+
+test-profiles:
+  stage: test
+  needs: ["build-all"]
+  extends:
+    - .ubuntu-before_script
+  script:
+    - make -C profiles check-parser
+    - make -C profiles check-abstractions.d
+
+shellcheck:
+  stage: test
+  needs: []
+  extends:
+    - .ubuntu-before_script
+  script:
+  - apt-get install --no-install-recommends -y file shellcheck xmlstarlet
+  - shellcheck --version
+  - './tests/bin/shellcheck-tree --format=checkstyle
+       | xmlstarlet tr tests/checkstyle2junit.xslt
+       > shellcheck.xml'
+  artifacts:
+    when: always
+    reports:
+      junit: shellcheck.xml
 
 # Disabled due to aa-logprof dependency on /sbin/apparmor_parser existing
-#      - make -C profiles check-profiles
+#   - make -C profiles check-profiles
 
 # test-pam_apparmor:
 #  - stage: test
 #  - script:
 #    - cd changehat/pam_apparmor && make check
+
+include:
+  - template: SAST.gitlab-ci.yml
+  - template: Secret-Detection.gitlab-ci.yml
+
+variables:
+  SAST_EXCLUDED_ANALYZERS: "eslint,flawfinder,semgrep,spotbugs"
+  SAST_BANDIT_EXCLUDED_PATHS: "*/tst/*, */test/*"

.shellcheckrc

@@ -0,0 +1,10 @@
+# Don't follow source'd scripts
+disable=SC1090
+disable=SC1091
+
+# dash supports 'local'
+disable=SC2039
+disable=SC3043
+
+# dash supports 'echo -n'
+disable=SC3037

binutils/aa_features_abi.c

@@ -124,7 +124,7 @@ static char **parse_args(int argc, char **argv)
 		{"stdout", no_argument, 0, ARG_STDOUT},
 	};
 
-	while ((opt = getopt_long(argc, argv, "+dvhxl:w:", long_opts, NULL)) != -1) {
+	while ((opt = getopt_long(argc, argv, "+dvhxf:l:w:", long_opts, NULL)) != -1) {
 		switch (opt) {
 		case 'd':
 			opt_debug = true;
@@ -181,7 +181,7 @@ int main(int argc, char **argv)
 			error("failed to extract features abi from the kernel");
 	}
 	if (opt_file) {
-		int in = open(opt_file, O_RDONLY);
+		in = open(opt_file, O_RDONLY);
 		if (in == -1)
 			error("failed to open file '%s'", opt_file);
 		rc = aa_features_new_from_file(&features, in);

binutils/aa_status.c

@@ -135,7 +135,16 @@ static int get_profiles(struct profile **profiles, size_t *n) {
 	while (getline(&line, &len, fp) != -1) {
 		struct profile *_profiles;
 		autofree char *status = NULL;
-		autofree char *name = strdup(aa_splitcon(line, &status));
+		autofree char *name = NULL;
+		char *tmpname = aa_splitcon(line, &status);
+
+		if (!tmpname) {
+			dfprintf(stderr, "Error: failed profile name split of '%s'.\n", line);
+			ret = AA_EXIT_INTERNAL_ERROR;
+			// skip this entry and keep processing
+			continue;
+		}
+		name = strdup(tmpname);
 
 		if (status)
 			status = strdup(status);

common/Version

@@ -1 +1 @@
-3.0.0
+3.0.98

libraries/libapparmor/doc/aa_find_mountpoint.pod

@@ -70,6 +70,10 @@ AppArmor extensions to the system are not available.
 
 AppArmor is available on the system but has been disabled at boot.
 
+=item B<EBUSY>
+
+AppArmor is available but only via private interfaces.
+
 =item B<ENOENT>
 
 AppArmor is available (and maybe even enforcing policy) but the interface is

libraries/libapparmor/m4/ac_python_devel.m4

@@ -66,17 +66,17 @@ variable to configure. See ``configure --help'' for reference.
         fi
 
         #
-        # Check if you have distutils, else fail
+        # Check if you have setuptools, else fail
         #
-        AC_MSG_CHECKING([for the distutils Python package])
-        ac_distutils_result=`$PYTHON -c "import distutils" 2>&1`
-        if test -z "$ac_distutils_result"; then
+        AC_MSG_CHECKING([for the setuptools Python package])
+        ac_setuptools_result=`$PYTHON -c "import setuptools" 2>&1`
+        if test -z "$ac_setuptools_result"; then
                 AC_MSG_RESULT([yes])
         else
                 AC_MSG_RESULT([no])
-                AC_MSG_ERROR([cannot import Python module "distutils".
+                AC_MSG_ERROR([cannot import Python module "setuptools".
 Please check your Python installation. The error was:
-$ac_distutils_result])
+$ac_setuptools_result])
                 PYTHON_VERSION=""
         fi
 
@@ -88,8 +88,8 @@ $ac_distutils_result])
                 PYTHON_CPPFLAGS=`$PYTHON_CONFIG --includes`
         fi
         if test -z "$PYTHON_CPPFLAGS"; then
-                python_path=`$PYTHON -c "import sys; import distutils.sysconfig;\
-sys.stdout.write('%s\n' % distutils.sysconfig.get_python_inc());"`
+                python_path=`$PYTHON -c "import sys; import sysconfig;\
+sys.stdout.write('%s\n' % sysconfig.get_path('include'));"`
                 if test -n "${python_path}"; then
                         python_path="-I$python_path"
                 fi
@@ -108,8 +108,8 @@ sys.stdout.write('%s\n' % distutils.sysconfig.get_python_inc());"`
         if test -z "$PYTHON_LDFLAGS"; then
                 # (makes two attempts to ensure we've got a version number
                 # from the interpreter)
-                py_version=`$PYTHON -c "import sys; from distutils.sysconfig import *; \
-sys.stdout.write('%s\n' % ''.join(get_config_vars('VERSION')))"`
+                py_version=`$PYTHON -c "import sys; import sysconfig; \
+sys.stdout.write('%s\n' % ''.join(sysconfig.get_config_vars('VERSION')))"`
                 if test "$py_version" == "[None]"; then
                         if test -n "$PYTHON_VERSION"; then
                                 py_version=$PYTHON_VERSION
@@ -119,8 +119,8 @@ sys.stdout.write("%s\n" % sys.version[[:3]])"`
                         fi
                 fi
 
-                PYTHON_LDFLAGS=`$PYTHON -c "import sys; from distutils.sysconfig import *; \
-sys.stdout.write('-L' + get_python_lib(0,1) + ' -lpython\n')"`$py_version`$PYTHON -c \
+                PYTHON_LDFLAGS=`$PYTHON -c "import sys; import sysconfig; \
+sys.stdout.write('-L' + sysconfig.get_path('stdlib') + ' -lpython\n')"`$py_version`$PYTHON -c \
 "import sys; sys.stdout.write('%s' % getattr(sys,'abiflags',''))"`
         fi
         AC_MSG_RESULT([$PYTHON_LDFLAGS])
@@ -131,8 +131,8 @@ sys.stdout.write('-L' + get_python_lib(0,1) + ' -lpython\n')"`$py_version`$PYTHO
         #
         AC_MSG_CHECKING([for Python site-packages path])
         if test -z "$PYTHON_SITE_PKG"; then
-                PYTHON_SITE_PKG=`$PYTHON -c "import sys; import distutils.sysconfig; \
-sys.stdout.write('%s\n' % distutils.sysconfig.get_python_lib(0,0));"`
+                PYTHON_SITE_PKG=`$PYTHON -c "import sys; import sysconfig; \
+sys.stdout.write('%s\n' % sysconfig.get_path('purelib'));"`
         fi
         AC_MSG_RESULT([$PYTHON_SITE_PKG])
         AC_SUBST([PYTHON_SITE_PKG])
@@ -146,8 +146,8 @@ sys.stdout.write('%s\n' % distutils.sysconfig.get_python_lib(0,0));"`
                         PYTHON_EXTRA_LIBS=''
         fi
         if test -z "$PYTHON_EXTRA_LIBS"; then
-           PYTHON_EXTRA_LIBS=`$PYTHON -c "import sys; import distutils.sysconfig; \
-conf = distutils.sysconfig.get_config_var; \
+           PYTHON_EXTRA_LIBS=`$PYTHON -c "import sys; import sysconfig; \
+conf = sysconfig.get_config_var; \
 sys.stdout.write('%s %s %s\n' % (conf('BLDLIBRARY'), conf('LOCALMODLIBS'), conf('LIBS')))"`
         fi
         AC_MSG_RESULT([$PYTHON_EXTRA_LIBS])
@@ -162,8 +162,8 @@ sys.stdout.write('%s %s %s\n' % (conf('BLDLIBRARY'), conf('LOCALMODLIBS'), conf(
                         PYTHON_EXTRA_LDFLAGS=''
         fi
         if test -z "$PYTHON_EXTRA_LDFLAGS"; then
-                PYTHON_EXTRA_LDFLAGS=`$PYTHON -c "import sys; import distutils.sysconfig; \
-conf = distutils.sysconfig.get_config_var; \
+                PYTHON_EXTRA_LDFLAGS=`$PYTHON -c "import sys; import sysconfig; \
+conf = sysconfig.get_config_var; \
 sys.stdout.write('%s\n' % conf('LINKFORSHARED'))"`
         fi
         AC_MSG_RESULT([$PYTHON_EXTRA_LDFLAGS])

libraries/libapparmor/src/Makefile.am

@@ -27,7 +27,7 @@ INCLUDES = $(all_includes)
 # http://www.gnu.org/software/libtool/manual/html_node/Libtool-versioning.html
 #
 AA_LIB_CURRENT = 9
-AA_LIB_REVISION = 0
+AA_LIB_REVISION = 2
 AA_LIB_AGE = 8
 
 SUFFIXES = .pc.in .pc
@@ -38,7 +38,7 @@ include $(COMMONDIR)/Make.rules
 BUILT_SOURCES = grammar.h scanner.h af_protos.h
 AM_LFLAGS = -v
 AM_YFLAGS = -d -p aalogparse_
-AM_CFLAGS = -Wall $(EXTRA_WARNINGS) -fPIC
+AM_CFLAGS = -Wall $(EXTRA_WARNINGS) -fPIC -flto-partition=none
 AM_CPPFLAGS = -D_GNU_SOURCE -I$(top_srcdir)/include/
 scanner.h: scanner.l
 	$(LEX) -v $<

libraries/libapparmor/src/features.c

@@ -194,6 +194,8 @@ static int features_dir_cb(int dirfd, const char *name, struct stat *st,
 	if (features_snprintf(fst, "%s {", name) == -1)
 		return -1;
 
+	/* Handle symlink here. See _aa_dirat_for_each in private.c */
+
 	if (S_ISREG(st->st_mode)) {
 		ssize_t len;
 		size_t remaining;
@@ -664,7 +666,7 @@ static const char *features_lookup(aa_features *features, const char *str)
 
 	/* Empty strings are not accepted. Neither are leading '/' chars. */
 	if (!str || str[0] == '/')
-		return false;
+		return NULL;
 
 	/**
 	 * Break @str into an array of components. For example,
@@ -677,7 +679,7 @@ static const char *features_lookup(aa_features *features, const char *str)
 
 	/* At least one valid token is required */
 	if (!num_components)
-		return false;
+		return NULL;
 
 	/* Ensure that all components are valid and found */
 	for (i = 0; i < num_components; i++) {

libraries/libapparmor/src/grammar.y

@@ -38,7 +38,7 @@
 #if (YYDEBUG != 0)
 #define debug_unused_ /* nothing */
 #else
-#define no_debug_unused_ unused_
+#define debug_unused_ unused_
 #endif
 
 aa_log_record *ret_record;
@@ -46,7 +46,7 @@ aa_log_record *ret_record;
 /* Since we're a library, on any errors we don't want to print out any
  * error messages. We should probably add a debug interface that does
  * emit messages when asked for. */
-void aalogparse_error(unused_ void *scanner, no_debug_unused_ char const *s)
+void aalogparse_error(unused_ void *scanner, debug_unused_ char const *s)
 {
 #if (YYDEBUG != 0)
 	printf("ERROR: %s\n", s);
@@ -186,6 +186,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_FLAGS
 %token TOK_KEY_SRCNAME
 
+%token TOK_SOCKLOGD_KERNEL
 %token TOK_SYSLOG_KERNEL
 %token TOK_SYSLOG_USER
 
@@ -232,24 +233,28 @@ dmesg_type: TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list
 	{ ret_record->version = AA_RECORD_SYNTAX_V2; free($1); }
 	;
 
+syslog_id: TOK_ID TOK_SYSLOG_KERNEL { free($1); }
+	| TOK_SOCKLOGD_KERNEL { }
+	;
+
 syslog_type:
-	  syslog_date TOK_ID TOK_SYSLOG_KERNEL audit_id key_list
-	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
-	| syslog_date TOK_ID TOK_SYSLOG_KERNEL key_type audit_id key_list
-	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
-	| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP audit_id key_list
-	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
-	| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP key_type audit_id key_list
-	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
+	  syslog_date syslog_id audit_id key_list
+	  { ret_record->version = AA_RECORD_SYNTAX_V2; }
+	| syslog_date syslog_id key_type audit_id key_list
+	  { ret_record->version = AA_RECORD_SYNTAX_V2; }
+	| syslog_date syslog_id TOK_DMESG_STAMP audit_id key_list
+	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
+	| syslog_date syslog_id TOK_DMESG_STAMP key_type audit_id key_list
+	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
 	/* needs update: hard newline in handling mutiline log messages */
-	| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_partial_tail
-	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
-	| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_tail
-	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
-	| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list
-	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
-	| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_AUDIT TOK_COLON key_type audit_id key_list
-	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
+	| syslog_date syslog_id TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_partial_tail
+	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
+	| syslog_date syslog_id TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_tail
+	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
+	| syslog_date syslog_id TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list
+	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
+	| syslog_date syslog_id TOK_AUDIT TOK_COLON key_type audit_id key_list
+	  { ret_record->version = AA_RECORD_SYNTAX_V2; }
 	| syslog_date TOK_ID TOK_SYSLOG_USER key_list
 	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
 	;

libraries/libapparmor/src/kernel.c

@@ -43,10 +43,137 @@
 		__asm__ (".symver " #real "," #name "@" #version)
 #define default_symbol_version(real, name, version) \
 		__asm__ (".symver " #real "," #name "@@" #version)
+#define DLLEXPORT __attribute__((visibility("default"),externally_visible))
 
 #define UNCONFINED		"unconfined"
 #define UNCONFINED_SIZE		strlen(UNCONFINED)
 
+/*
+ * AppArmor kernel interfaces. Potentially used by this code to
+ * implement the various library functions.
+ *
+ *
+ * /sys/module/apparmor/parameters/ *
+ *
+ * Available on all kernels, some options may not be available and policy
+ * may block access.
+ *     audit                - normal,quiet_denied,quiet,noquiet,all
+ *     debug (bool)         - turn on debug messages if enabled during compile
+ *     hash_policy (bool)   - provide a hash of loaded policy
+ *     logsyscall (bool)    - ignored
+ *     paranoid_load (bool) - whether full policy checks are done. Should only
+ *                            be disabled for embedded device kernels
+ *     audit_header (bool)  - include "apparmor=<mode> in messages"
+ *     enabled (bool)       - whether apparmor is enabled. This can be
+ *                            different than whether apparmor is available.
+ *                            See virtualization and LSM stacking.
+ *     lock_policy (bool)   - one way trigger. Once set policy can not be
+ *                            loaded, replace, removed.
+ *      mode                - global policy namespace control of whether
+ *                            apparmor is in "enforce", "complain"
+ *      path_max            - maximum path size. Can always be read but
+ *                            can only be set on some kernels.
+ *
+ * securityfs/apparmor - usually mounted at /sys/kernel/security/apparmor/ *
+ *     .access    - transactional interface used to query kernel
+ *     .ns_level  - RO policy namespace level of current task
+ *     .ns_name   - RO current policy namespace of current task
+ *     .ns_stacked - RO boolean if stacking is in use with the namespace
+ *     .null - special device file used to redirect closed fds to
+ *     profiles   - RO virtualized text list of visible loaded profiles
+ *     .remove    - WO names of profiles to remove
+ *     .replace   - WO binary policy to replace (will load if not present)
+ *     .load      - WO binary policy to load (will fail if already present)
+ *     revision   - RO unique incrementing revision number for policy
+ *     .stacked   - RO boolean if label is currently stacked
+ *     features/  - RO feature set supported by kernel
+ *     policy/    - RO policy loaded into kernel
+ *
+ *
+ * /proc/<tid>/attr/apparmor/ *
+ * New proc attr interface compatible with LSM stacking. Available even
+ * when LSM stacking is not in use.
+ *     current    - see /proc/<tid>/attr/current
+ *     exec       - see /proc/<tid>/attr/exec
+ *     prev       - see /proc/<tid>/attr/prev
+ *
+ * /proc/<tid>/attr/ * Old proc attr interface shared between LSMs goes
+ * to first registered LSM that wants the proc interface, but can be
+ * virtualized by setting the display LSM. So if LSM stacking is in
+ * use this interface may belong to another LSM. Use
+ *    /proc/<tid>/attr/apparmor/ *
+ * first if possible, and do NOT use if
+ *    /sys/module/apparmor/parameters/enabled=N.
+ * Note: older version of the library only used this interface and did not
+ *       check if it was available. Which could lead to weird failures if
+ *       another LSM has claimed it. This version of the library tries to
+ *       fix this problem, but unfortunately it is impossible to completely
+ *       address, because access to interfaces required to determine
+ *       whether apparmor owns the interface may be restricted, either
+ *       by existing apparmor policy that has not been updated to use the
+ *       new interface or by another LSM.
+ *     current    - current confinement
+ *     display    - LSM stacking. Which LSM currently owns the interface.
+ *     exec       - label to switch to at exec
+ *     fscreate   - unused by apparmor
+ *     keycreate  - unused by apparmor
+ *     prev       - when in HAT set to parent label
+ *     sockcreate - unused by apparmor
+ *
+ *
+ * Below /proc/ interface combinations are documented on how the library
+ * currently behaves and how it used to behave. This serves to document
+ * known failure points as we can not entirely fix this mess.
+ * Note: userspace applications using the interface directly have all
+ *       the issues/failures of AppArmor 2.x unless they have specifically
+ *       been updated to deal with this mess.
+ *
+ *
+ * AppArmor 2.x Lib
+ *
+ * LSM   AA            sys      sys    proc/   proc/   user
+ * Stk | Blt |  LSM  | enabl | avail |  aa/  |   *   | space |
+ * ----+-----+-------+-------+-------+-------+-------+-------+--------+
+ *  N  |  N  |   -   |   -   |   -   |   -   |   N   | AA2.x |   -    |
+ *  N  |  N  | other |   -   |   -   |   -   |   N   | AA2.x |  FAIL  |
+ *  N  |  N  | other |denied |   -   |   -   |   N   | AA2.x |  FAIL  |
+ *  N  |  Y  |   -   |   N   |   -   |   -   |   N   | AA2.x |   -    |
+ *  N  |  Y  | other |   -   |   -   |   -   |   N   | AA2.x |  FAIL  |
+ *  N  |  Y  |  AA   |   -   |   -   |   -   |   Y   | AA2.x |  PASS  |
+ *  Y  |  N  |   -   |   -   |   -   |   -   |   N   | AA2.x |   -    |
+ *  Y  |  N  | other |   -   |   -   |   -   |   N   | AA2.x |  FAIL  |
+ *  Y  |  Y  |   -   |   N   |   -   |   -   |   N   | AA2.x |   -    |
+ *  Y  |  Y  | other |   -   |   -   |   -   |   N   | AA2.x |  FAIL  |
+ *  Y  |  Y  |  AA   |   -   |   -   |   -   |   Y   | AA2.x |  PASS  |
+ *  Y  |  Y  | major |   -   |   -   |   -   |   Y   | AA2.x |  PASS  |
+ *  Y  |  Y  | minor |   -   |   -   |   -   |   N   | AA2.x |  FAIL  |
+ *
+ *
+ * AppArmor 3.x Lib - adds stacking support.
+ *
+ * Will FAIL in a few cases because it can not determine if apparmor
+ * is enabled and has control of the old interface. Not failing in these
+ * cases where AppArmor is available will result in regressions where
+ * the library will not work correctly with old kernels. In these
+ * cases its better that apparmor userspace is not used.
+ *
+ * AppArmor 3.x will avoid the failure cases if any of enabled, avail
+ * or the new proc interfaces are available to the task. AppArmor 3.x
+ * will also automatically add permissions to access the new proc
+ * interfaces so change_hat and change_profile won't experience these
+ * failures, it will only happen for confined applications hitting the
+ * interfaces and not using change_hat or change_profile.
+ *
+ * LSM   AA            sys      sys    proc/   proc/
+ * Stk | Blt |  LSM  | enabl | avail |  aa/  |   *   |
+ * ----+-----+-------+-------+-------+-------+-------+-----------------
+ * Y/N |  N  | other | denied|   NA  |   NA  |   Y   | old interface avail
+ * Y/N |  Y  | other | denied|   NA  |   NA  |   Y   | old interface avail
+ *  Y  |  Y  | minor | denied|   NA  |   NA  |   Y   | old interface avail
+ *  Y  |  Y  | minor | denied|   NA  | denied|   Y   | old interface avail
+ * Y/N |  Y  | minor | denied| denied| denied|   Y   | old interface avail
+ */
+
 /**
  * aa_find_mountpoint - find where the apparmor interface filesystem is mounted
  * @mnt: returns buffer with the mountpoint string
@@ -93,25 +220,34 @@ int aa_find_mountpoint(char **mnt)
 	return rc;
 }
 
-// done as a macro so we can paste the param
+/**
+ * pararm_check_base - return boolean value for PARAM
+ * PARAM: parameter to check
+ *
+ * Returns: 1 == Y
+ *          0 == N
+ *         <0 == error
+ *
+ * done as a macro so we can paste the param
+ */
 
 #define param_check_base(PARAM)						\
 ({									\
 	int rc, fd;							\
 	fd = open("/sys/module/apparmor/parameters/" PARAM, O_RDONLY);	\
 	if (fd == -1) {							\
-		rc = errno;						\
+		rc = -errno;						\
 	} else {							\
 		char buffer[2];						\
 		int size = read(fd, &buffer, 2);			\
-		rc = errno;						\
+		rc = -errno;						\
 		close(fd);						\
-		errno = rc;						\
+		errno = -rc;						\
 		if (size > 0) {						\
 			if (buffer[0] == 'Y')				\
-				rc = 0;					\
+				rc = 1;					\
 			else						\
-				rc = ECANCELED;				\
+				rc = 0;					\
 		}							\
 	}								\
 	(rc);								\
@@ -130,31 +266,37 @@ static void param_check_enabled_init_once(void)
 
 static int param_check_enabled()
 {
-	if (pthread_once(&param_enabled_ctl, param_check_enabled_init_once) == 0)
+	if (pthread_once(&param_enabled_ctl, param_check_enabled_init_once) == 0 && param_enabled >= 0)
 		return param_enabled;
+	/* fallback if not initialized OR we recorded an error when
+	 * initializing.
+	 */
 	return param_check_base("enabled");
 }
 
 static int is_enabled(void)
 {
-	return !param_check_enabled();
+	return param_check_enabled() == 1;
 }
 
 static void param_check_private_enabled_init_once(void)
 {
-	param_enabled = param_check_base("private_enabled");
+	param_private_enabled = param_check_base("available");
 }
 
 static int param_check_private_enabled()
 {
-	if (pthread_once(&param_private_enabled_ctl, param_check_private_enabled_init_once) == 0)
+	if (pthread_once(&param_private_enabled_ctl, param_check_private_enabled_init_once) == 0 && param_private_enabled >= 0)
 		return param_private_enabled;
-	return param_check_base("private_enabled");
+	/* fallback if not initialized OR we recorded an error when
+	 * initializing.
+	 */
+	return param_check_base("available");
 }
 
 static int is_private_enabled(void)
 {
-	return !param_check_private_enabled();
+	return param_check_private_enabled() == 1;
 }
 
 /**
@@ -174,15 +316,17 @@ int aa_is_enabled(void)
 	bool private = false;
 
 	rc = param_check_enabled();
-	if (rc) {
-		if (rc == ENOENT)
-			errno = ENOSYS;
-		else
-			errno = rc;
+	if (rc < 1) {
+		if (!is_private_enabled()) {
+			if (rc == 0)
+				errno = ECANCELED;
+			else if (rc == -ENOENT)
+				errno = ENOSYS;
+			else
+				errno = -rc;
 
-		if (!is_private_enabled())
 			return 0;
-
+		}
 		/* actually available but only on private interfaces */
 		private = true;
 	}
@@ -228,41 +372,91 @@ static inline pid_t aa_gettid(void)
  */
 static pthread_once_t proc_attr_base_ctl = PTHREAD_ONCE_INIT;
 static const char *proc_attr_base_old = "/proc/%d/attr/%s";
+static const char *proc_attr_new_dir = "/proc/%d/attr/apparmor/";
 static const char *proc_attr_base_stacking = "/proc/%d/attr/apparmor/%s";
 static const char *proc_attr_base_unavailable = "/proc/%d/attr/apparmor/unavailable/%s";
-static const char *proc_attr_base;
+static const char *proc_attr_base = NULL;
+static int proc_stacking_present = -1;	/* unknown */
 
 static void proc_attr_base_init_once(void)
 {
 	autofree char *tmp;
 
 	/* if we fail we just fall back to the default value */
-	if (asprintf(&tmp, "/proc/%d/attr/apparmor/current", aa_gettid())) {
-		autoclose int fd = open(tmp, O_RDONLY);
-		if (fd != -1) {
+	if (asprintf(&tmp, proc_attr_new_dir, aa_gettid()) > 0) {
+		struct stat sb;
+		if (stat(tmp, &sb) == 0) {
 			proc_attr_base = proc_attr_base_stacking;
+			proc_stacking_present = 1;
 			return;
-		}
-	}
-	if (!is_enabled() && is_private_enabled()) {
-		/* new stacking interfaces aren't available and apparmor
-		* is disabled, but available. do not use the
-		* /proc/<pid>/attr/ * interfaces as they could be
-		* in use by another LSM
-		*/
-		proc_attr_base = proc_attr_base_unavailable;
+		} else if (errno == ENOENT) {
+			/* no stacking - try falling back */
+			proc_stacking_present = 0;
+		} else if (errno == EACCES) {
+			/* the dir exists, but access is denied */
+			proc_stacking_present = 1;
+			proc_attr_base = proc_attr_base_stacking;
+		} /* else
+			   denied by policy, or other error try falling back */
+	} else {
+		/* failed allocation - proc_attr_base stays NULL */
 		return;
 	}
-	proc_attr_base = proc_attr_base_old;
+	/* check for new interface failed, see if we can fallback */
+	if (param_check_enabled() == 0) {
+		/* definate NO (not just an error) on enabled. Do not fall
+		 * back to old shared proc interface
+		 *
+		 * First try an alternate check for private proc interface
+		 */
+		int enabled = param_check_private_enabled();
+		if (enabled == 1) {
+			/* the private interface exists and we can't
+			 * fallback so just keep trying on the new
+			 * interface.
+			 */
+			proc_attr_base = proc_attr_base_stacking;
+		} else if (enabled == 0) {
+			/* definite NO - no interface available */
+			proc_attr_base = proc_attr_base_unavailable;
+		} else {
+			/* error can't determine, proc_attr_base stays NULL */
+		}
+	} else if (param_check_enabled() == 1) {
+		/* apparmor is enabled, we can use the old interface */
+		proc_attr_base = proc_attr_base_old;
+	} else if (errno != EACCES) {
+		/* this shouldn't happen unless apparmor is not builtin
+		 * or proc isn't mounted
+		 */
+		proc_attr_base = proc_attr_base_unavailable;
+	} /* else
+		   denied by policy - proc_attr_base stays NULL */
+
+	return;
 }
 
 static char *procattr_path(pid_t pid, const char *attr)
 {
 	char *path = NULL;
+	const char *tmp;
 
+	/* TODO: rework this with futex or userspace RCU so we can update
+	 * the base value instead of continually using the same base
+	 * after we have hit an error
+	 */
 	/* ignore failure, we just fallback to the default value */
 	(void) pthread_once(&proc_attr_base_ctl, proc_attr_base_init_once);
-	if (asprintf(&path, proc_attr_base, pid, attr) > 0)
+
+	if (proc_attr_base)
+		tmp = proc_attr_base;
+	else if (proc_stacking_present)
+		/* couldn't determine during init */
+		tmp = proc_attr_base_stacking;
+	else
+		/* couldn't determine during init and no stacking */
+		tmp = proc_attr_base_old;
+	if (asprintf(&path, tmp, pid, attr) > 0)
 		return path;
 	return NULL;
 }
@@ -278,8 +472,8 @@ static int procattr_open(pid_t tid, const char *attr, int flags)
 	}
 	fd = open(tmp, flags);
 	free(tmp);
-	/* Test is we can fallback to a different interface this is ugly.
-	 * If only the old interface is available:
+	/* Test is we can fallback to the old interface (this is ugly).
+	 * If we haven't tried the old interface already
 	 *    proc_attr_base == proc_attr_base_old - no fallback
 	 * else if is_enabled()
 	 *    apparmor is available on the old interface
@@ -289,7 +483,7 @@ static int procattr_open(pid_t tid, const char *attr, int flags)
 	 *       old interface where is_enabled() is only successful if
 	 *       the old interface is available to apparmor.
 	 */
-	if (fd == -1 && errno == EACCES && proc_attr_base != proc_attr_base_old && is_enabled()) {
+	if (fd == -1 && tmp != proc_attr_base_old && param_check_enabled() != 0) {
 		if (asprintf(&tmp, proc_attr_base_old, tid, attr) < 0)
 			return -1;
 		fd = open(tmp, flags);
@@ -631,7 +825,7 @@ int aa_change_onexec(const char *profile)
 }
 
 /* create an alias for the old change_hat@IMMUNIX_1.0 symbol */
-extern typeof((__change_hat)) __old_change_hat __attribute__((alias ("__change_hat")));
+DLLEXPORT extern typeof((__change_hat)) __old_change_hat __attribute__((alias ("__change_hat")));
 symbol_version(__old_change_hat, change_hat, IMMUNIX_1.0);
 default_symbol_version(__change_hat, change_hat, APPARMOR_1.0);
 
@@ -1029,7 +1223,7 @@ int query_label(uint32_t mask, char *query, size_t size, int *allowed,
 
 /* export multiple aa_query_label symbols to compensate for downstream
  * releases with differing symbol versions. */
-extern typeof((query_label)) __aa_query_label __attribute__((alias ("query_label")));
+DLLEXPORT extern typeof((query_label)) __aa_query_label __attribute__((alias ("query_label")));
 symbol_version(__aa_query_label, aa_query_label, APPARMOR_1.1);
 default_symbol_version(query_label, aa_query_label, APPARMOR_2.9);
 

libraries/libapparmor/src/libapparmor.map

@@ -6,14 +6,14 @@
 
 IMMUNIX_1.0 {
   global:
-        change_hat;
+        change_hat; __old_change_hat;
   local:
         *;
 };
 
 APPARMOR_1.0 {
   global:
-        change_hat;
+        change_hat; __change_hat;
         parse_record;
         free_record;
   local:
@@ -24,7 +24,7 @@ APPARMOR_1.1 {
   global:
         aa_is_enabled;
         aa_find_mountpoint;
-        aa_change_hat;
+        aa_change_hat; __old_change_hat;
         aa_change_hatv;
         aa_change_hat_vargs;
         aa_change_profile;
@@ -37,7 +37,7 @@ APPARMOR_1.1 {
         free_record;
         aa_getprocattr_raw;
         aa_getprocattr;
-        aa_query_label;
+        aa_query_label; __aa_query_label;
 
 	# no more symbols here, please
 
@@ -47,7 +47,7 @@ APPARMOR_1.1 {
 
 APPARMOR_2.9 {
   global:
-	aa_query_label;
+	aa_query_label; query_label;
   local:
 	*;
 } APPARMOR_1.1;

libraries/libapparmor/src/policy_cache.c

@@ -45,6 +45,8 @@ struct aa_policy_cache {
 static int clear_cache_cb(int dirfd, const char *path, struct stat *st,
 			  void *data unused)
 {
+	/* Handle symlink here. See _aa_dirat_for_each in private.c */
+
 	if (S_ISREG(st->st_mode)) {
 		/* remove regular files */
 		return unlinkat(dirfd, path, 0);

libraries/libapparmor/src/private.c

@@ -452,7 +452,8 @@ int _aa_overlaydirat_for_each(int dirfd[], int n, void *data,
  *
  * The cb function is called with the DIR in use and the name of the
  * file in that directory.  If the file is to be opened it should
- * use the openat, fstatat, and related fns.
+ * use the openat, fstatat, and related fns. If the file is a symlink
+ * _aa_dirat_for_each currently tries to traverse it for the caller
  *
  * Returns: 0 on success, else -1 and errno is set to the error code
  */
@@ -485,14 +486,34 @@ int _aa_dirat_for_each(int dirfd, const char *name, void *data,
 		autofree struct dirent *dir = namelist[i];
 		struct stat my_stat;
 
-		if (rc)
-			continue;
-
-		if (fstatat(cb_dirfd, dir->d_name, &my_stat, 0)) {
+		if (fstatat(cb_dirfd, dir->d_name, &my_stat, AT_SYMLINK_NOFOLLOW)) {
 			PDEBUG("stat failed for '%s': %m\n", dir->d_name);
 			rc = -1;
 			continue;
 		}
+		/* currently none of the callers handle symlinks, and this
+		 * same basic code was applied to each. So for this patch
+		 * just drop it here.
+		 *
+		 * Going forward we need to start handling symlinks as
+		 * they have meaning.
+		 * In the case of
+		 * cache: they act as a place holder for files that have been
+		 *        combined into a single binary. This enables the
+		 *        file based cache lookup time find that relation
+		 *        and dedup, so multiple loads aren't done.
+		 * profiles: just a profile in an alternate location, but
+		 *           should do dedup detection when doing dir reads
+		 *           so we don't double process.
+		 */
+		if (S_ISLNK(my_stat.st_mode)) {
+			/* just traverse the symlink */
+			if (fstatat(cb_dirfd, dir->d_name, &my_stat, 0)) {
+				PDEBUG("symlink target stat failed for '%s': %m\n", dir->d_name);
+				rc = -1;
+				continue;
+			}
+		}
 
 		if (cb(cb_dirfd, dir->d_name, &my_stat, data)) {
 			PDEBUG("dir_for_each callback failed for '%s'\n",

libraries/libapparmor/src/scanner.l

@@ -172,6 +172,7 @@ audit			"audit"
 ip_addr			[a-f[:digit:].:]{3,}
 
 /* syslog tokens */
+socklogd_kernel		kern.notice{colon}
 syslog_kernel		kernel{colon}
 syslog_user		[[:alnum:]_-]+\[[[:digit:]]+\]{colon}
 syslog_yyyymmdd		{digit}{4}{minus}{digit}{2}{minus}{digit}{2}
@@ -351,6 +352,7 @@ yy_flex_debug = 0;
 {key_flags}		{ BEGIN(safe_string); return(TOK_KEY_FLAGS); }
 {key_srcname}		{ BEGIN(safe_string); return(TOK_KEY_SRCNAME); }
 
+{socklogd_kernel}	{ BEGIN(dmesg_timestamp); return(TOK_SOCKLOGD_KERNEL); }
 {syslog_kernel}		{ BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
 {syslog_user}		{ return(TOK_SYSLOG_USER); }
 {syslog_month}		{ yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
@@ -365,6 +367,7 @@ yy_flex_debug = 0;
 
 <hostname>{
 	{ws}+		{ /* eat whitespace */ }
+	{socklogd_kernel} { BEGIN(dmesg_timestamp); return(TOK_SOCKLOGD_KERNEL); }
 	{syslog_hostname} { yylval->t_str = strdup(yytext); BEGIN(INITIAL); return(TOK_ID); }
 }
 

libraries/libapparmor/swig/python/Makefile.am

@@ -21,7 +21,7 @@ install-exec-local:
 
 clean-local:
 	if test -x "$(PYTHON)"; then $(PYTHON) setup.py clean; fi
-	rm -rf build
+	rm -rf build LibAppArmor.egg-info
 	if test $(top_srcdir) != $(top_builddir) ; then rm -f libapparmor_wrap.c ; fi
 
 endif

libraries/libapparmor/swig/python/__init__.py

@@ -1,6 +1 @@
-import sys
-
-if sys.version_info[0] >= 3:
-    from LibAppArmor.LibAppArmor import *
-else:
-    from .LibAppArmor import *
+from LibAppArmor.LibAppArmor import *

libraries/libapparmor/swig/python/setup.py.in

@@ -1,4 +1,4 @@
-from distutils.core import setup, Extension
+from setuptools import setup, Extension
 import string
 
 setup(name          = 'LibAppArmor',

libraries/libapparmor/swig/python/test/Makefile.am

@@ -10,8 +10,7 @@ test_python.py: test_python.py.in $(top_builddir)/config.status
 
 CLEANFILES = test_python.py
 
-# bah, how brittle is this?
-PYTHON_DIST_BUILD_PATH = '$(builddir)/../build/$$($(PYTHON) -c "import distutils.util; import platform; print(\"lib.%s-%s\" %(distutils.util.get_platform(), platform.python_version()[:3]))")'
+PYTHON_DIST_BUILD_PATH = '$(builddir)/../build/$$($(PYTHON) buildpath.py)'
 
 TESTS	= test_python.py
 TESTS_ENVIRONMENT = \

libraries/libapparmor/swig/python/test/buildpath.py

@@ -0,0 +1,10 @@
+#!/usr/bin/python3
+# the build path has changed in setuptools 61.2
+import sys
+import sysconfig
+import setuptools
+if tuple(map(int,setuptools.__version__.split("."))) >= (61, 2):
+    identifier = sys.implementation.cache_tag
+else:
+    identifier = "%d.%d" % sys.version_info[:2]
+print("lib.%s-%s" % (sysconfig.get_platform(), identifier))

libraries/libapparmor/swig/ruby/Makefile.am

@@ -9,7 +9,9 @@ LibAppArmor_wrap.c : $(srcdir)/../SWIG/libapparmor.i
 MOSTLYCLEANFILES=LibAppArmor_wrap.c
 
 Makefile.ruby: extconf.rb
+	mv Makefile Makefile.bak
 	PREFIX=$(prefix) $(RUBY) $< --with-LibAppArmor-include=$(top_srcdir)/include
+	mv Makefile.bak Makefile
 
 LibAppArmor.so: LibAppArmor_wrap.c Makefile.ruby
 	$(MAKE) -fMakefile.ruby
@@ -22,7 +24,7 @@ install-exec-local: Makefile.ruby
 
 clean-local:
 	if test -f Makefile.ruby; then $(MAKE) -fMakefile.ruby clean; fi
-	rm -f Makefile.ruby Makefile.new
+	rm -f Makefile.ruby Makefile.bak
 	rm -f *.o *.so *.log
 
 endif

libraries/libapparmor/swig/ruby/extconf.rb

@@ -2,16 +2,8 @@
 
 require 'mkmf'
 
-# hack 1: ruby black magic to write a Makefile.new instead of a Makefile
-alias open_orig open
-def open(path, mode=nil, perm=nil)
-  path = 'Makefile.new' if path == 'Makefile'
-  if block_given?
-    open_orig(path, mode, perm) { |io| yield(io) }
-  else
-    open_orig(path, mode, perm)
-  end
-end
+# hack 1: Before extconf.rb gets called, Makefile gets backed up, and
+#         restored afterwards (see Makefile.am)
 
 if ENV['PREFIX']
   prefix = CONFIG['prefix']
@@ -27,7 +19,7 @@ if find_library('apparmor', 'parse_record', '../../src/.libs') and
 
   # hack 2: strip all rpath references
   open('Makefile.ruby', 'w') do |out|
-    IO.foreach('Makefile.new') do |line|
+    IO.foreach('Makefile') do |line|
       out.puts line.gsub(/-Wl,-R'[^']*'/, '')
     end
   end

libraries/libapparmor/testsuite/test_multi/status-filesystem-enabled.in

@@ -0,0 +1 @@
+audit.log:type=AVC msg=audit(1630913351.586:4): apparmor="STATUS" info="AppArmor Filesystem Enabled" pid=1 comm="swapper/0"

libraries/libapparmor/testsuite/test_multi/status-filesystem-enabled.out

@@ -0,0 +1,3 @@
+START
+File: status-filesystem-enabled.in
+Event type: AA_RECORD_INVALID

libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.in

@@ -0,0 +1 @@
+2021-09-11T20:57:41.91645 kern.notice: [  469.180605] audit: type=1400 audit(1631392703.952:3): apparmor="ALLOWED" operation="mkdir" profile="/usr/sbin/sshd" name="/run/user/1000/kakoune/" pid=2545 comm="sshd" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.out

@@ -0,0 +1,15 @@
+START
+File: testcase_socklogd_mkdir.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1631392703.952:3
+Operation: mkdir
+Mask: c
+Denied Mask: c
+fsuid: 1000
+ouid: 1000
+Profile: /usr/sbin/sshd
+Name: /run/user/1000/kakoune/
+Command: sshd
+PID: 2545
+Epoch: 1631392703
+Audit subid: 3

libraries/libapparmor/testsuite/test_multi/testcase_socklogd_mkdir.profile

@@ -0,0 +1,4 @@
+/usr/sbin/sshd {
+  owner /run/user/1000/kakoune/ w,
+
+}

parser/Makefile

@@ -60,7 +60,7 @@ WARNINGS = -Wall
 CXX_WARNINGS = ${WARNINGS} ${EXTRA_WARNINGS}
 CPP_WARNINGS =
 ifndef CFLAGS
-CFLAGS	= -g -O2 -pipe
+CFLAGS	= -g -O2 -pipe -flto-partition=none
 
 ifdef DEBUG
 CFLAGS += -pg -D DEBUG
@@ -102,7 +102,7 @@ SRCS = parser_common.c parser_include.c parser_interface.c parser_lex.c \
        af_rule.cc af_unix.cc policy_cache.c default_features.c
 HDRS = parser.h parser_include.h immunix.h mount.h dbus.h lib.h profile.h \
        rule.h common_optarg.h signal.h ptrace.h network.h af_rule.h af_unix.h \
-       policy_cache.h
+       policy_cache.h file_cache.h
 TOOLS = apparmor_parser
 
 OBJECTS = $(patsubst %.cc, %.o, $(SRCS:.c=.o))
@@ -215,10 +215,10 @@ apparmor_parser: $(OBJECTS) $(AAREOBJECTS) $(LIBAPPARMOR_A)
 	$(CXX) $(LDFLAGS) $(EXTRA_CFLAGS) -o $@ $(OBJECTS) $(LIBS) \
 	      ${LEXLIB}  $(AAREOBJECTS) $(AARE_LDFLAGS) $(AALIB)
 
-parser_yacc.c parser_yacc.h: parser_yacc.y parser.h profile.h
+parser_yacc.c parser_yacc.h: parser_yacc.y parser.h profile.h file_cache.h
 	$(YACC) $(YFLAGS) -o parser_yacc.c parser_yacc.y
 
-parser_lex.c: parser_lex.l parser_yacc.h parser.h profile.h mount.h dbus.h policy_cache.h
+parser_lex.c: parser_lex.l parser_yacc.h parser.h profile.h mount.h dbus.h policy_cache.h file_cache.h
 	$(LEX) ${LEXFLAGS} -o$@ $<
 
 parser_lex.o: parser_lex.c parser.h parser_yacc.h
@@ -230,13 +230,13 @@ parser_misc.o: parser_misc.c parser.h parser_yacc.h profile.h cap_names.h $(APPA
 parser_yacc.o: parser_yacc.c parser_yacc.h $(APPARMOR_H)
 	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
-parser_main.o: parser_main.c parser.h parser_version.h policy_cache.h libapparmor_re/apparmor_re.h $(APPARMOR_H)
+parser_main.o: parser_main.c parser.h parser_version.h policy_cache.h file_cache.h libapparmor_re/apparmor_re.h $(APPARMOR_H)
 	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
 parser_interface.o: parser_interface.c parser.h profile.h libapparmor_re/apparmor_re.h
 	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
-parser_include.o: parser_include.c parser.h parser_include.h
+parser_include.o: parser_include.c parser.h parser_include.h file_cache.h
 	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
 parser_merge.o: parser_merge.c parser.h profile.h
@@ -257,7 +257,7 @@ parser_policy.o: parser_policy.c parser.h parser_yacc.h profile.h
 parser_alias.o: parser_alias.c parser.h profile.h
 	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
-parser_common.o: parser_common.c parser.h
+parser_common.o: parser_common.c parser.h file_cache.h
 	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
 mount.o: mount.cc mount.h parser.h immunix.h rule.h
@@ -307,10 +307,18 @@ parser_version.h: Makefile
 # as well as the filtering that occurs for network protocols that
 # apparmor should not mediate.
 
-af_names.h: ../common/list_af_names.sh
-	../common/list_af_names.sh | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g'  -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n#  define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n/pg' > $@
-	../common/list_af_names.sh | LC_ALL=C sed -n -e 's/AF_MAX[ \t]\+\([0-9]\+\),\?.*/\n#define AA_AF_MAX \1\n/p' >> $@
-	# cat $@
+generated_af_names.h: ../common/list_af_names.sh
+	../common/list_af_names.sh > $@
+
+af_names.h: generated_af_names.h base_af_names.h
+	cat base_af_names.h | diff -u - generated_af_names.h | grep -v '^.AF_MAX' | grep '^\+[^+]' ; \
+	if [ $$? -eq 1 ] ; then \
+		cat base_af_names.h | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g'  -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n#  define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n/pg' > $@ ; \
+		cat base_af_names.h | LC_ALL=C sed -n -e 's/AF_MAX[ \t]\+\([0-9]\+\),\?.*/\n#define AA_AF_MAX \1\n/p' >> $@ ; \
+	else \
+		echo "Error: new AF names detected; please update base_af_names.h with values from generated_af_names.h" ; \
+		exit 1 ; \
+	fi
 
 generated_cap_names.h: /usr/include/linux/capability.h
 	../common/list_capabilities.sh | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE\},\\n/pg" > $@
@@ -411,6 +419,7 @@ install-indep: indep
 	install -m 755 -d ${DESTDIR}/var/lib/apparmor
 	install -m 755 -d $(APPARMOR_BIN_PREFIX)
 	install -m 755 rc.apparmor.functions $(APPARMOR_BIN_PREFIX)
+	install -m 755 profile-load $(APPARMOR_BIN_PREFIX)
 	$(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR}
 	$(MAKE) install_manpages DESTDIR=${DESTDIR}
 
@@ -434,7 +443,7 @@ clean: pod_clean
 	rm -f $(YACC_C_FILES)
 	rm -f parser_version.h
 	rm -f $(NAME)*.tar.gz $(NAME)*.tgz
-	rm -f af_names.h
+	rm -f af_names.h generated_af_names.h
 	rm -f cap_names.h generated_cap_names.h
 	rm -rf techdoc.aux techdoc.out techdoc.log techdoc.pdf techdoc.toc techdoc.txt techdoc/
 	$(MAKE) -s -C $(AAREDIR) clean

parser/apparmor.d.pod

@@ -148,7 +148,7 @@ capabilities(7))
 
 B<NETWORK RULE> = [ I<QUALIFIERS> ] 'network' [ I<DOMAIN> ] [ I<TYPE> | I<PROTOCOL> ]
 
-B<DOMAIN> = ( 'unix' | 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'netlink' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'rds' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'llc' | 'ib' | 'mpls' | 'can' | 'tipc' | 'bluetooth' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' | 'kcm' | 'qipcrtr' | 'smc' | 'xdp' ) ','
+B<DOMAIN> = ( 'unix' | 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'netlink' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'rds' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'llc' | 'ib' | 'mpls' | 'can' | 'tipc' | 'bluetooth' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' | 'kcm' | 'qipcrtr' | 'smc' | 'xdp' | 'mctp' ) ','
 
 B<TYPE> = ( 'stream' | 'dgram' | 'seqpacket' |  'rdm' | 'raw' | 'packet' )
 
@@ -842,7 +842,7 @@ and other operations that are typically reserved for the root user.
 
 AppArmor supports simple coarse grained network mediation.  The network
 rule restrict all socket(2) based operations.  The mediation done is
-a course grained check on whether a socket of a given type and family
+a coarse-grained check on whether a socket of a given type and family
 can be created, read, or written.  There is no mediation based of port
 number or protocol beyond tcp, udp, and raw.  Network netlink(7) rules may
 only specify type 'dgram' and 'raw'.

parser/apparmor.systemd

@@ -71,6 +71,13 @@ fi
 
 case "$1" in
 	start)
+		if [ -x /usr/bin/systemd-detect-virt ] && \
+		   systemd-detect-virt --quiet --container && \
+		   ! is_container_with_internal_policy; then
+			aa_log_daemon_msg "Not starting AppArmor in container"
+			aa_log_end_msg 0
+			exit 0
+		fi
 		apparmor_start
 		rc=$?
 		;;
@@ -79,6 +86,13 @@ case "$1" in
 		rc=$?
 		;;
 	restart|reload|force-reload)
+		if [ -x /usr/bin/systemd-detect-virt ] && \
+		   systemd-detect-virt --quiet --container && \
+		   ! is_container_with_internal_policy; then
+			aa_log_daemon_msg "Not starting AppArmor in container"
+			aa_log_end_msg 0
+			exit 0
+		fi
 		apparmor_restart
 		rc=$?
 		;;

parser/base_af_names.h

@@ -0,0 +1,46 @@
+AF_UNSPEC 0,
+AF_UNIX 1,
+AF_INET 2,
+AF_AX25 3,
+AF_IPX 4,
+AF_APPLETALK 5,
+AF_NETROM 6,
+AF_BRIDGE 7,
+AF_ATMPVC 8,
+AF_X25 9,
+AF_INET6 10,
+AF_ROSE 11,
+AF_NETBEUI 13,
+AF_SECURITY 14,
+AF_KEY 15,
+AF_NETLINK 16,
+AF_PACKET 17,
+AF_ASH 18,
+AF_ECONET 19,
+AF_ATMSVC 20,
+AF_RDS 21,
+AF_SNA 22,
+AF_IRDA 23,
+AF_PPPOX 24,
+AF_WANPIPE 25,
+AF_LLC 26,
+AF_IB 27,
+AF_MPLS 28,
+AF_CAN 29,
+AF_TIPC 30,
+AF_BLUETOOTH 31,
+AF_IUCV 32,
+AF_RXRPC 33,
+AF_ISDN 34,
+AF_PHONET 35,
+AF_IEEE802154 36,
+AF_CAIF 37,
+AF_ALG 38,
+AF_NFC 39,
+AF_VSOCK 40,
+AF_KCM 41,
+AF_QIPCRTR 42,
+AF_SMC 43,
+AF_XDP 44,
+AF_MCTP 45,
+AF_MAX 46,

parser/capability.h

@@ -19,8 +19,29 @@
 #ifndef __AA_CAPABILITY_H
 #define __AA_CAPABILITY_H
 
+#include <cstdint>
+#include <linux/capability.h>
+
 #define NO_BACKMAP_CAP 0xff
 
+
+#ifndef CAP_AUDIT_WRITE
+#define CAP_AUDIT_WRITE 29
+#endif
+#ifndef CAP_AUDIT_CONTROL
+#define CAP_AUDIT_CONTROL 30
+#endif
+#ifndef CAP_SETFCAP
+#define CAP_SETFCAP	     31
+#endif
+#ifndef CAP_MAC_OVERRIDE
+#define CAP_MAC_OVERRIDE     32
+#endif
+
+#ifndef CAP_AUDIT_READ
+#define CAP_AUDIT_READ 37
+#endif
+
 #ifndef CAP_PERFMON
 #define CAP_PERFMON 38
 #endif

parser/file_cache.h

@@ -0,0 +1,52 @@
+/*
+ *   Copyright (c) 2021
+ *   Canonical, Ltd. (All rights reserved)
+ *
+ *   This program is free software; you can redistribute it and/or
+ *   modify it under the terms of version 2 of the GNU General Public
+ *   License published by the Free Software Foundation.
+ *
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU General Public License for more details.
+ *
+ *   You should have received a copy of the GNU General Public License
+ *   along with this program; if not, contact Canonical Ltd.
+ */
+
+#ifndef __AA_FILE_CACHE_H
+#define __AA_FILE_CACHE_H
+
+#include <set>
+#include <string>
+
+using namespace std;
+
+/* TODO: have includecache be a frontend for file cache, don't just
+ * store name.
+ */
+class IncludeCache_t {
+public:
+	set<string> cache;
+
+	IncludeCache_t() = default;
+	virtual ~IncludeCache_t() = default;
+
+	/* return true if in set */
+	bool find(const char *name) {
+		return cache.find(name) != cache.end();
+	}
+
+	bool insert(const char *name) {
+		pair<set<string>::iterator,bool> res = cache.insert(name);
+		if (res.second == false) {
+			return false;
+		}
+		/* inserted */
+
+		return true;
+	}
+};
+
+#endif /* __AA_FILE_CACHE_H */

parser/lib.c

@@ -183,7 +183,7 @@ int strn_escseq(const char **pos, const char *chrs, size_t n)
 	if (strchr(chrs, c))
 		return c;
 
-	/* unsupported escap sequence, backup to return that char */
+	/* unsupported escape sequence, backup to return that char */
 	pos--;
 	return -1;
 }

parser/libapparmor_re/expr-tree.h

@@ -599,9 +599,9 @@ public:
 
 	int min_match_len()
 	{
-		if (contains_oob()) {
-			return 0;
-		}
+		/* Inverse match does not match any oob char at this time
+		 * so only count characters
+		 */
 		return 1;
 	}
 

parser/parser.h

@@ -32,6 +32,7 @@
 
 #include <sys/apparmor.h>
 
+#include "file_cache.h"
 #include "immunix.h"
 #include "libapparmor_re/apparmor_re.h"
 #include "libapparmor_re/aare_rules.h"
@@ -353,6 +354,8 @@ extern char *profile_ns;
 extern char *current_filename;
 extern FILE *ofile;
 extern int read_implies_exec;
+extern IncludeCache_t *g_includecache;
+
 extern void pwarnf(bool werr, const char *fmt, ...) __attribute__((__format__(__printf__, 2, 3)));
 extern void common_warn_once(const char *name, const char *msg, const char **warned_name);
 

parser/parser_common.c

@@ -20,6 +20,7 @@
 #include <stdarg.h>
 
 #include "parser.h"
+#include "file_cache.h"
 
 /* Policy versioning is determined by a combination of 3 values:
  * policy_version:     version of txt policy
@@ -95,6 +96,8 @@ char *current_filename = NULL;
 
 FILE *ofile = NULL;
 
+IncludeCache_t *g_includecache;
+
 #ifdef FORCE_READ_IMPLIES_EXEC
 int read_implies_exec = 1;
 #else

parser/parser_include.c

@@ -151,7 +151,7 @@ void parse_default_paths(void)
 	add_search_dir(basedir);
 }
 
-FILE *search_path(char *filename, char **fullpath)
+FILE *search_path(char *filename, char **fullpath, bool *skip)
 {
 	FILE *newf = NULL;
 	char *buf = NULL;
@@ -161,15 +161,27 @@ FILE *search_path(char *filename, char **fullpath)
 			perror("asprintf");
 			exit(1);
 		}
+
+		if (g_includecache->find(buf)) {
+			/* hit do not want to re-include */
+			*skip = true;
+			return NULL;
+		}
+
 		newf = fopen(buf, "r");
-		if (newf && fullpath)
-			*fullpath = buf;
-		else
-			free(buf);
-		buf = NULL;
-		if (newf)
+		if (newf) {
+			/* ignore failing to insert into cache */
+			(void) g_includecache->insert(buf);
+			if (fullpath)
+				*fullpath = buf;
+			else
+				free(buf);
 			break;
+		}
+		free(buf);
+		buf = NULL;
 	}
+	*skip = false;
 	return newf;
 }
 

parser/parser_include.h

@@ -27,7 +27,7 @@ extern void init_base_dir(void);
 extern void set_base_dir(char *dir);
 extern void parse_default_paths(void);
 extern int do_include_preprocessing(char *profilename);
-FILE *search_path(char *filename, char **fullpath);
+FILE *search_path(char *filename, char **fullpath, bool *skip);
 
 extern void push_include_stack(char *filename);
 extern void pop_include_stack(void);

parser/parser_lex.l

@@ -44,6 +44,7 @@
 #include "parser_yacc.h"
 #include "lib.h"
 #include "policy_cache.h"
+#include "file_cache.h"
 
 #ifdef PDEBUG
 #undef PDEBUG
@@ -134,10 +135,19 @@ static int include_dir_cb(int dirfd unused, const char *name, struct stat *st,
 	if (is_blacklisted(name, path))
 		return 0;
 
+	if (g_includecache->find(path)) {
+		PDEBUG("skipping reinclude of \'%s\' in \'%s\'\n", path,
+			d->filename);
+		return 0;
+	}
+
+	/* Handle symlink here. See _aa_dirat_for_each in private.c */
+
 	if (S_ISREG(st->st_mode)) {
 		if (!(yyin = fopen(path,"r")))
 			yyerror(_("Could not open '%s' in '%s'"), path, d->filename);
 		PDEBUG("Opened include \"%s\" in \"%s\"\n", path, d->filename);
+		(void) g_includecache->insert(path);
 		update_mru_tstamp(yyin, path);
 		push_include_stack(path);
 		yypush_buffer_state(yy_create_buffer(yyin, YY_BUF_SIZE));
@@ -151,16 +161,29 @@ void include_filename(char *filename, int search, bool if_exists)
 	FILE *include_file = NULL;
 	struct stat my_stat;
 	autofree char *fullpath = NULL;
+	bool cached;
 
 	if (search) {
-		if (preprocess_only)
+		include_file = search_path(filename, &fullpath, &cached);
+		if (!include_file && cached) {
+			goto skip;
+		} else if (preprocess_only) {
 			fprintf(yyout, "\n\n##included <%s>\n", filename);
-		include_file = search_path(filename, &fullpath);
+		} else if (!include_file && preprocess_only) {
+			fprintf(yyout, "\n\n##failed include <%s>\n", filename);
+		}
+
+	} else if (g_includecache->find(filename)) {
+		/* duplicate entry skip */
+		goto skip;
 	} else {
 		if (preprocess_only)
 			fprintf(yyout, "\n\n##included \"%s\"\n", filename);
 		fullpath = strdup(filename);
 		include_file = fopen(fullpath, "r");
+		if (include_file)
+			/* ignore failure to insert into cache */
+			(void) g_includecache->insert(filename);
 	}
 
 	if (!include_file) {
@@ -181,6 +204,7 @@ void include_filename(char *filename, int search, bool if_exists)
 		yypush_buffer_state(yy_create_buffer( yyin, YY_BUF_SIZE ));
         } else if (S_ISDIR(my_stat.st_mode)) {
 		struct cb_struct data = { fullpath, filename };
+		update_mru_tstamp(include_file, fullpath);
 		fclose(include_file);
 		include_file = NULL;
 		if (dirat_for_each(AT_FDCWD, fullpath, &data, include_dir_cb)) {
@@ -188,6 +212,13 @@ void include_filename(char *filename, int search, bool if_exists)
 				  " '%s' in '%s'"), fullpath, filename);;
 		}
 	}
+
+	return;
+
+skip:
+	if (preprocess_only)
+		fprintf(yyout, "\n\n##skipped duplicate include <%s>\n", filename);
+	return;
 }
 
 static char *lsntrim(char *s, int l)
@@ -712,7 +743,7 @@ include/{WS}	{
 	}
 }
 
-<INITIAL,SUB_ID,SUB_ID_WS,SUB_VALUE,LIST_VAL_MODE,EXTCOND_MODE,LIST_COND_VAL,LIST_COND_PAREN_VAL,LIST_COND_MODE,EXTCONDLIST_MODE,ASSIGN_MODE,NETWORK_MODE,CHANGE_PROFILE_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE,RLIMIT_MODEINCLUDE,INCLUDE_EXISTS,ABI_MODE>{
+<INITIAL,SUB_ID,SUB_ID_WS,SUB_VALUE,LIST_VAL_MODE,EXTCOND_MODE,LIST_COND_VAL,LIST_COND_PAREN_VAL,LIST_COND_MODE,EXTCONDLIST_MODE,ASSIGN_MODE,NETWORK_MODE,CHANGE_PROFILE_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE,RLIMIT_MODE,INCLUDE,INCLUDE_EXISTS,ABI_MODE>{
 	(.|\n)	{
 		DUMP_PREPROCESS;
 		/* Something we didn't expect */

parser/parser_main.c

@@ -50,6 +50,7 @@
 #include "common_optarg.h"
 #include "policy_cache.h"
 #include "libapparmor_re/apparmor_re.h"
+#include "file_cache.h"
 
 #define OLD_MODULE_NAME "subdomain"
 #define PROC_MODULES "/proc/modules"
@@ -84,13 +85,13 @@ int mru_skip_cache = 1;
 /* for jobs_max and jobs
  * LONG_MAX : no limit
  * LONG_MIN  : auto  = detect system processing cores
- * n  : use that number of processes/threads to compile policy
+ * -n  : multiply by the number of CPUs to compile policy
  */
 #define JOBS_AUTO LONG_MIN
 #define DEFAULT_JOBS_MAX -8
 #define DEFAULT_ESTIMATED_JOB_SIZE (50 * 1024 * 1024)
 long estimated_job_size = DEFAULT_ESTIMATED_JOB_SIZE;
-long jobs_max = -DEFAULT_JOBS_MAX;	/* 8 * cpus */
+long jobs_max = DEFAULT_JOBS_MAX;	/* 8 * cpus */
 long jobs = JOBS_AUTO;			/* default: number of processor cores */
 long njobs = 0;
 long jobs_scale = 0;			/* number of chance to resample online
@@ -1035,6 +1036,8 @@ void reset_parser(const char *filename)
 	aa_features_unref(policy_features);
 	policy_features = NULL;
 	clear_cap_flag(CAPFLAG_POLICY_FEATURE);
+	delete g_includecache;
+	g_includecache = new IncludeCache_t();
 }
 
 int test_for_dir_mode(const char *basename, const char *linkdir)
@@ -1418,14 +1421,14 @@ static void auto_tune_parameters(void)
 		} else if (estimated_jobs < ncpus) {
 			/* --jobs=estimate_jobs */
 			jobs = estimated_jobs;
-			PDEBUG("Auto tune: --jobs=%d", estimate_jobs);
+			PDEBUG("Auto tune: --jobs=%ld", estimated_jobs);
 		} else {
 			long long n = estimated_jobs / ncpus;
 
 			if (n < -DEFAULT_JOBS_MAX) {
 				/* --jobs=cpus*n */
 				jobs = -n;
-				PDEBUG("Auto tune: --jobs=%d", jobs);
+				PDEBUG("Auto tune: --jobs=%ld", jobs);
 			}
 		}
 	} else {
@@ -1447,6 +1450,8 @@ static int profile_dir_cb(int dirfd unused, const char *name, struct stat *st,
 {
 	int rc = 0;
 
+	/* Handle symlink here. See _aa_dirat_for_each in private.c */
+
 	if (!S_ISDIR(st->st_mode) && !is_blacklisted(name, NULL)) {
 		struct dir_cb_data *cb_data = (struct dir_cb_data *)data;
 		autofree char *path = NULL;
@@ -1469,6 +1474,8 @@ static int binary_dir_cb(int dirfd unused, const char *name, struct stat *st,
 {
 	int rc = 0;
 
+	/* Handle symlink here. See _aa_dirat_for_each in private.c */
+
 	if (!S_ISDIR(st->st_mode) && !is_blacklisted(name, NULL)) {
 		struct dir_cb_data *cb_data = (struct dir_cb_data *)data;
 		autofree char *path = NULL;
@@ -1661,7 +1668,7 @@ int main(int argc, char *argv[])
 			if ((retval = dirat_for_each(AT_FDCWD, profilename,
 						     &cb_data, cb))) {
 				last_error = errno;
-				PDEBUG("Failed loading profiles from %s\n",
+				PERROR("There was an error while loading profiles from %s\n",
 				       profilename);
 				if (abort_on_error)
 					break;

parser/parser_policy.c

@@ -29,6 +29,7 @@
 #include <errno.h>
 #include <sys/apparmor.h>
 
+#include "lib.h"
 #include "parser.h"
 #include "profile.h"
 #include "parser_yacc.h"
@@ -145,6 +146,56 @@ void add_entry_to_policy(Profile *prof, struct cod_entry *entry)
 	prof->entries = entry;
 }
 
+static bool add_proc_access(Profile *prof, const char *rule)
+{
+		/* FIXME: should use @{PROC}/@{PID}/attr/{apparmor/,}{current,exec} */
+		struct cod_entry *new_ent;
+		/* allow probe for new interfaces */
+		char *buffer = strdup("/proc/*/attr/apparmor/");
+		if (!buffer) {
+			PERROR("Memory allocation error\n");
+			return FALSE;
+		}
+		new_ent = new_entry(buffer, AA_MAY_READ, NULL);
+		if (!new_ent) {
+			free(buffer);
+			PERROR("Memory allocation error\n");
+			return FALSE;
+		}
+		add_entry_to_policy(prof, new_ent);
+
+		/* allow probe if apparmor is enabled for the old interface */
+		buffer = strdup("/sys/module/apparmor/parameters/enabled");
+		if (!buffer) {
+			PERROR("Memory allocation error\n");
+			return FALSE;
+		}
+		new_ent = new_entry(buffer, AA_MAY_READ, NULL);
+		if (!new_ent) {
+			free(buffer);
+			PERROR("Memory allocation error\n");
+			return FALSE;
+		}
+		add_entry_to_policy(prof, new_ent);
+
+		/* allow setting on new and old interfaces */
+		buffer = strdup(rule);
+		if (!buffer) {
+			PERROR("Memory allocation error\n");
+			return FALSE;
+		}
+		new_ent = new_entry(buffer, AA_MAY_WRITE, NULL);
+		if (!new_ent) {
+			free(buffer);
+			PERROR("Memory allocation error\n");
+			return FALSE;
+		}
+		add_entry_to_policy(prof, new_ent);
+
+		return TRUE;
+}
+
+#define CHANGEPROFILE_PATH "/proc/*/attr/{apparmor/,}{current,exec}"
 void post_process_file_entries(Profile *prof)
 {
 	struct cod_entry *entry;
@@ -170,22 +221,11 @@ void post_process_file_entries(Profile *prof)
 	}
 
 	/* if there are change_profile rules, this implies that we need
-	 * access to /proc/self/attr/current
+	 * access to some /proc/ interfaces
 	 */
 	if (cp_mode & AA_CHANGE_PROFILE) {
-		/* FIXME: should use @{PROC}/@{PID}/attr/{apparmor/,}{current,exec} */
-		struct cod_entry *new_ent;
-		char *buffer = strdup("/proc/*/attr/{apparmor/,}{current,exec}");
-		if (!buffer) {
-			PERROR("Memory allocation error\n");
+		if (!add_proc_access(prof, CHANGEPROFILE_PATH))
 			exit(1);
-		}
-		new_ent = new_entry(buffer, AA_MAY_WRITE, NULL);
-		if (!new_ent) {
-			PERROR("Memory allocation error\n");
-			exit(1);
-		}
-		add_entry_to_policy(prof, new_ent);
 	}
 }
 
@@ -202,19 +242,13 @@ void post_process_rule_entries(Profile *prof)
  */
 static int profile_add_hat_rules(Profile *prof)
 {
-	struct cod_entry *entry;
-
 	/* don't add hat rules if not hat or profile doesn't have hats */
 	if (!prof->flags.hat && prof->hat_table.empty())
 		return 0;
 
-	/* add entry to hat */
-	entry = new_entry(strdup(CHANGEHAT_PATH), AA_MAY_WRITE, NULL);
-	if (!entry)
+	if (!add_proc_access(prof, CHANGEHAT_PATH))
 		return ENOMEM;
 
-	add_entry_to_policy(prof, entry);
-
 	return 0;
 }
 

parser/parser_regex.c

@@ -468,20 +468,26 @@ static int process_profile_name_xmatch(Profile *prof)
 {
 	std::string tbuf;
 	pattern_t ptype;
-	const char *name;
+	char *name;
 
 	struct cond_entry *entry;
 	const char *xattr_value;
 
-	/* don't filter_slashes for profile names */
-	if (prof->attachment)
+	if (prof->attachment) {
 		name = prof->attachment;
-	else
-		name = local_name(prof->name);
+	} else {
+		/* don't filter_slashes for profile names, do on attachment */
+		name = strdup(local_name(prof->name));
+		if (!name)
+			return FALSE;
+	}
+	filter_slashes(name);
 	ptype = convert_aaregex_to_pcre(name, 0, glob_default, tbuf,
 					&prof->xmatch_len);
 	if (ptype == ePatternBasic)
 		prof->xmatch_len = strlen(name);
+	if (!prof->attachment)
+		free(name);
 
 	if (ptype == ePatternInvalid) {
 		PERROR(_("%s: Invalid profile name '%s' - bad regular expression\n"), progname, name);
@@ -505,6 +511,7 @@ static int process_profile_name_xmatch(Profile *prof)
 			list_for_each(prof->altnames, alt) {
 				int len;
 				tbuf.clear();
+				filter_slashes(alt->name);
 				ptype = convert_aaregex_to_pcre(alt->name, 0,
 								glob_default,
 								tbuf, &len);
@@ -516,7 +523,7 @@ static int process_profile_name_xmatch(Profile *prof)
 		}
 		if (prof->xattrs.list) {
 			if (!(features_supports_domain_xattr && kernel_supports_oob)) {
-				warn_once_xattr(name);
+				warn_once_xattr(prof->name);
 				free_cond_entry_list(prof->xattrs);
 				goto build;
 			}

parser/parser_yacc.y

@@ -44,20 +44,6 @@
 #include <netinet/in.h>
 #include <arpa/inet.h>
 
-#include <linux/capability.h>
-
-#ifndef CAP_AUDIT_WRITE
-#define CAP_AUDIT_WRITE 29
-#endif
-#ifndef CAP_AUDIT_CONTROL
-#define CAP_AUDIT_CONTROL 30
-#endif
-#ifndef CAP_SETFCAP
-#define CAP_SETFCAP	     31
-#endif
-#ifndef CAP_MAC_OVERRIDE
-#define CAP_MAC_OVERRIDE     32
-#endif
 
 #define CIDR_32 htonl(0xffffffff)
 #define CIDR_24 htonl(0xffffff00)
@@ -220,6 +206,7 @@ void add_local_entry(Profile *prof);
 	struct cond_entry_list cond_entry_list;
 	int boolean;
 	struct prefixes prefix;
+	IncludeCache_t *includecache;
 }
 
 %type <id> 	TOK_ID
@@ -334,9 +321,17 @@ opt_id: { /* nothing */ $$ = NULL; }
 opt_id_or_var: { /* nothing */ $$ = NULL; }
 	| id_or_var { $$ = $1; }
 
-profile_base: TOK_ID opt_id_or_var opt_cond_list flags TOK_OPEN rules TOK_CLOSE
+profile_base: TOK_ID opt_id_or_var opt_cond_list flags TOK_OPEN
 	{
-		Profile *prof = $6;
+		/* mid rule action
+		 * save current cache, restore at end of block
+		 */
+		$<includecache>$ = g_includecache;
+		g_includecache = new IncludeCache_t();
+	}
+    rules TOK_CLOSE
+	{
+		Profile *prof = $7;
 		bool self_stack = false;
 
 		if (!prof) {
@@ -387,6 +382,10 @@ profile_base: TOK_ID opt_id_or_var opt_cond_list flags TOK_OPEN rules TOK_CLOSE
 		post_process_file_entries(prof);
 		post_process_rule_entries(prof);
 		prof->flags.debug(cerr);
+
+		/* restore previous blocks include cache */
+		delete g_includecache;
+		g_includecache = $<includecache>6;
 		$$ = prof;
 
 	};
@@ -1775,12 +1774,17 @@ static int abi_features_base(struct aa_features **features, char *filename, bool
 	autofclose FILE *f = NULL;
 	struct stat my_stat;
 	char *fullpath = NULL;
+	bool cached;
 
 	if (search) {
 		if (strcmp(filename, "kernel") == 0)
 			return aa_features_new_from_kernel(features);
-		f = search_path(filename, &fullpath);
-		PDEBUG("abi lookup '%s' -> '%s' f %p\n", filename, fullpath, f);
+		f = search_path(filename, &fullpath, &cached);
+		PDEBUG("abi lookup '%s' -> '%s' f %p cached %d\n", filename, fullpath, f, cached);
+		if (!f && cached) {
+			*features = NULL;
+			return 0;
+		}
 	} else {
 		f = fopen(filename, "r");
 		PDEBUG("abi relpath '%s' f %p\n", filename, f);
@@ -1809,10 +1813,15 @@ static void abi_features(char *filename, bool search)
 			yyerror(_("failed to find features abi '%s': %m"), filename);
 	}
 	if (policy_features) {
-		if (!aa_features_is_equal(tmp_features, policy_features)) {
-			pwarn(WARN_ABI, _("%s: %s features abi '%s' differs from policy declared feature abi, using the features abi declared in policy\n"), progname, current_filename, filename);
+		if (tmp_features) {
+			if (!aa_features_is_equal(tmp_features, policy_features)) {
+				pwarn(WARN_ABI, _("%s: %s features abi '%s' differs from policy declared feature abi, using the features abi declared in policy\n"), progname, current_filename, filename);
+			}
+			aa_features_unref(tmp_features);
 		}
-		aa_features_unref(tmp_features);
+	} else if (!tmp_features) {
+		/* skipped reinclude, but features not set */
+		yyerror(_("failed features abi not set but include cache skipped\n"));
 	} else {
 		/* first features abi declaration */
 		policy_features = tmp_features;

parser/profile-load

@@ -0,0 +1,52 @@
+#!/bin/sh
+# profile-load
+#
+# ----------------------------------------------------------------------
+#    Copyright (c) 2010-2015 Canonical, Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, contact Canonical, Ltd.
+# ----------------------------------------------------------------------
+#
+# Helper for loading an AppArmor profile in pre-start scripts.
+
+[ -z "$1" ]                  && exit 1 # require a profile name
+
+. /lib/apparmor/rc.apparmor.functions
+
+# do not load in a container
+if [ -x /usr/bin/systemd-detect-virt ] && \
+       systemd-detect-virt --quiet --container && \
+       ! is_container_with_internal_policy; then
+    exit 0
+fi
+
+[ -d /rofs/etc/apparmor.d ]  && exit 0 # do not load if running liveCD
+
+profile=/etc/apparmor.d/"$1"
+[ -e "$profile" ]            || exit 0 # skip when missing profile
+
+module=/sys/module/apparmor
+[ -d $module ]               || exit 0 # do not load without AppArmor in kernel
+
+[ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser
+
+aafs=/sys/kernel/security/apparmor
+[ -d $aafs ]                 || exit 0 # do not load if unmounted
+[ -w $aafs/.load ]           || exit 1 # fail if cannot load profiles
+
+params=$module/parameters
+[ -r $params/enabled ]       || exit 0 # do not load if missing
+read -r enabled < $params/enabled || exit 1 # if this fails, something went wrong
+[ "$enabled" = "Y" ]         || exit 0 # do not load if disabled
+
+/sbin/apparmor_parser -r -W "$profile" || exit 0 # LP: #1058356

parser/rc.apparmor.debian

@@ -1,117 +0,0 @@
-#!/bin/sh
-# ----------------------------------------------------------------------
-#    Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
-#    NOVELL (All rights reserved)
-#
-#    This program is free software; you can redistribute it and/or
-#    modify it under the terms of version 2 of the GNU General Public
-#    License published by the Free Software Foundation.
-#
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
-#
-#    You should have received a copy of the GNU General Public License
-#    along with this program; if not, contact Novell, Inc.
-# ----------------------------------------------------------------------
-# rc.apparmor by Steve Beattie
-#
-# /etc/init.d/apparmor
-#
-# chkconfig: 2345 01 99
-# description: AppArmor rc file. This rc script inserts the apparmor \
-# 	       module and runs the parser on the /etc/apparmor.d/ \
-#	       directory.
-#
-### BEGIN INIT INFO
-# Provides: apparmor
-# Required-Start:
-# Required-Stop:
-# Default-Start: 3 4 5
-# Default-Stop: 0 1 2 6
-# Short-Description: AppArmor initialization
-# Description: AppArmor rc file. This rc script inserts the apparmor
-#	module and runs the parser on the /etc/apparmor.d/
-#	directory.
-### END INIT INFO
-APPARMOR_FUNCTIONS=/lib/apparmor/rc.apparmor.functions
-
-aa_action() {
-	STRING=$1
-	shift
-	$*
-	rc=$?
-	if [ $rc -eq 0 ] ; then
-		aa_log_success_msg $"$STRING "
-	else
-		aa_log_failure_msg $"$STRING "
-	fi
-	return $rc
-}
-
-aa_log_success_msg() {
- 	[ -n "$1" ] && echo -n $1
-        echo ": done."
-}
-
-aa_log_warning_msg() {
- 	[ -n "$1" ] && echo -n $1
-        echo ": Warning."
-}
-
-aa_log_failure_msg() {
- 	[ -n "$1" ] && echo -n $1
-        echo ": Failed."
-}
-
-aa_log_skipped_msg() {
- 	[ -n "$1" ] && echo -n $1
-        echo ": Skipped."
-}
-
-usage() {
-    echo "Usage: $0 {start|stop|restart|try-restart|reload|force-reload|status|kill}"
-}
-
-# source apparmor function library
-if [ -f "${APPARMOR_FUNCTIONS}" ]; then
-	. ${APPARMOR_FUNCTIONS}
-else
-	aa_log_failure_msg "Unable to find AppArmor initscript functions"
-	exit 1
-fi
-
-test -x ${PARSER} || exit 0 # by debian policy
-
-case "$1" in
-	start)
-		apparmor_start
-		rc=$?
-		;;
-	stop)
-		apparmor_stop
-		rc=$?
-		;;
-	restart|reload|force-reload)
-		apparmor_restart
-		rc=$?
-		;;
-	try-restart)
-		apparmor_try_restart
-		rc=$?
-		;;
-	kill)
-		apparmor_kill
-		rc=$?
-		;;
-	status)
-		apparmor_status
-		rc=$?
-		;;
-	*)
-		usage
-		exit 1
-		;;
-esac
-exit $rc

parser/rc.apparmor.functions

@@ -68,7 +68,7 @@ is_apparmor_present() {
 # something like `systemd-detect-virt --container`.
 #
 # The only known container environments capable of supporting internal policy
-# are LXD and LXC environment.
+# are LXD and LXC environments, and Windows Subsystem for Linux.
 #
 # Returns 0 if the container environment is capable of having its own internal
 # policy and non-zero otherwise.
@@ -90,6 +90,12 @@ is_container_with_internal_policy() {
 	local ns_stacked
 	local ns_name
 
+	# WSL needs to be detected explicitly
+	if [ -x /usr/bin/systemd-detect-virt ] && \
+	   [ "$(systemd-detect-virt --container)" = "wsl" ]; then
+		return 0
+	fi
+
 	if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then
 		return 1
 	fi
@@ -111,37 +117,6 @@ is_container_with_internal_policy() {
 	return 0
 }
 
-# This set of patterns to skip needs to be kept in sync with
-# AppArmor.pm::isSkippableFile()
-# returns 0 if profile should NOT be skipped
-# returns 1 on verbose skip
-# returns 2 on silent skip
-skip_profile() {
-	local profile="$1"
-	if [ "${profile%.rpmnew}"   != "$profile" ] || \
-	   [ "${profile%.rpmsave}"  != "$profile" ] || \
-	   [ "${profile%.orig}"     != "$profile" ] || \
-	   [ "${profile%.rej}"      != "$profile" ] || \
-	   [ "${profile%\~}"        != "$profile" ] ; then
-		return 1
-	fi
-	# Silently ignore the dpkg, pacman, and xbps files
-	if [ "${profile%.dpkg-new}"     != "$profile" ] || \
-	   [ "${profile%.dpkg-old}"     != "$profile" ] || \
-	   [ "${profile%.dpkg-dist}"    != "$profile" ] || \
-	   [ "${profile%.dpkg-bak}"     != "$profile" ] || \
-	   [ "${profile%.dpkg-remove}"  != "$profile" ] || \
-	   [ "${profile%.pacsave}"      != "$profile" ] || \
-	   [ "${profile%.pacnew}"       != "$profile" ] ; then
-		return 2
-	fi
-	if echo "$profile" | grep -E -q '^.+\.new-[0-9\.]+_[0-9]+$'; then
-		return 2
-	fi
-
-	return 0
-}
-
 __parse_profiles_dir() {
 	local parser_cmd="$1"
 	local profile_dir="$2"
@@ -157,41 +132,11 @@ __parse_profiles_dir() {
 		return 1
 	fi
 
-	# Note: the parser automatically skips files that match skip_profile()
-	# when we pass it a directory, but not when we pass it an individual
-	# profile. So we need to use skip_profile only in the latter case,
-	# as long as the parser is in sync' with skip_profile().
-	"$PARSER" $PARSER_OPTS "$parser_cmd" -- "$profile_dir" || {
-		# FIXME: once the parser properly handles broken profiles
-		# (LP: #1377338), remove the following code and the
-		# skip_profile() function. For now, if the parser returns
-		# an error, just run it again separately on each profile.
-		for profile in "$profile_dir"/*; do
-			skip_profile "$profile"
-			skip=$?
-			if [ "$skip" -eq 2 ]; then
-				# Ignore skip status == 2 (silent skip)
-				continue
-			elif [ "$skip" -ne 0 ] ; then
-				aa_log_skipped_msg "$profile"
-				logger -t "AppArmor(init)" -p daemon.warn \
-					"Skipping profile $profile"
-				continue
-			fi
-			if [ ! -f "$profile" ] ; then
-				continue
-			fi
-			echo "$profile"
-		done | \
-		# Use xargs to parallelize calls to the parser over all CPUs
-		xargs -n1 -d"\n" --max-procs="$(getconf _NPROCESSORS_ONLN)" \
-			"$PARSER" $PARSER_OPTS "$parser_cmd" --
-		if [ $? -ne 0 ]; then
-			status=1
-			aa_log_failure_msg "At least one profile failed to load"
-		fi
-	}
-
+	# shellcheck disable=SC2086
+	if ! "$PARSER" $PARSER_OPTS "$parser_cmd" -- "$profile_dir"; then
+		status=1
+		aa_log_failure_msg "At least one profile failed to load"
+	fi
 	return "$status"
 }
 
@@ -215,7 +160,6 @@ parse_profiles() {
 	# run the parser on all of the apparmor profiles
 	if [ ! -f "$PARSER" ]; then
 		aa_log_failure_msg "AppArmor parser not found"
-		aa_log_action_end 1
 		exit 1
 	fi
 
@@ -227,41 +171,6 @@ parse_profiles() {
 	return "$STATUS"
 }
 
-profiles_names_list() {
-	# run the parser on all of the apparmor profiles
-	if [ ! -f "$PARSER" ]; then
-		aa_log_failure_msg "- AppArmor parser not found"
-		exit 1
-	fi
-
-	for profile_dir in $PROFILE_DIRS; do
-		if [ ! -d "$profile_dir" ]; then
-			aa_log_warning_msg "- Profile directory not found: $profile_dir"
-			continue
-		fi
-
-		for profile in "$profile_dir"/*; do
-			if skip_profile "$profile" && [ -f "$profile" ] ; then
-				LIST_ADD=$("$PARSER" -N "$profile" )
-				if [ $? -eq 0 ]; then
-					echo "$LIST_ADD"
-				fi
-			fi
-		done
-	done
-}
-
-failstop_system() {
-	level=$(runlevel | cut -d" " -f2)
-	if [ "$level" -ne "1" ] ; then
-		aa_log_failure_msg "- could not start AppArmor.  Changing to runlevel 1"
-		telinit 1;
-		return 255;
-	fi
-	aa_log_failure_msg "- could not start AppArmor."
-	return 255
-}
-
 is_apparmor_loaded() {
 	if ! is_securityfs_mounted ; then
 		mount_securityfs
@@ -309,7 +218,7 @@ apparmor_start() {
 	fi
 
 	# if there is anything in the profiles file don't load
-	if ! read -r line < "$SFS_MOUNTPOINT/profiles"; then
+	if ! read -r _ < "$SFS_MOUNTPOINT/profiles"; then
 		parse_profiles load
 	else
 		aa_log_skipped_msg ": already loaded with profiles."
@@ -357,7 +266,7 @@ remove_profiles() {
 }
 
 apparmor_stop() {
-	aa_log_daemon_msg "Unloading AppArmor profiles "
+	aa_log_daemon_msg "Unloading AppArmor profiles"
 	remove_profiles
 	rc=$?
 	aa_log_end_msg "$rc"

parser/rc.apparmor.redhat

@@ -1,125 +0,0 @@
-#!/bin/sh
-# ----------------------------------------------------------------------
-#    Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
-#    NOVELL (All rights reserved)
-#
-#    This program is free software; you can redistribute it and/or
-#    modify it under the terms of version 2 of the GNU General Public
-#    License published by the Free Software Foundation.
-#
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
-#
-#    You should have received a copy of the GNU General Public License
-#    along with this program; if not, contact Novell, Inc.
-# ----------------------------------------------------------------------
-# rc.apparmor by Steve Beattie
-#
-# /etc/init.d/apparmor
-#
-# chkconfig: 2345 01 99
-# description: AppArmor rc file. This rc script inserts the apparmor \
-# 	       module and runs the parser on the /etc/apparmor.d/ \
-#	       directory.
-#
-### BEGIN INIT INFO
-# Provides: apparmor
-# Required-Start:
-# Required-Stop:
-# Default-Start: 3 4 5
-# Default-Stop: 0 1 2 6
-# Short-Description: AppArmor initialization
-# Description: AppArmor rc file. This rc script inserts the apparmor
-#	module and runs the parser on the /etc/apparmor.d/
-#	directory.
-### END INIT INFO
-APPARMOR_FUNCTIONS=/lib/apparmor/rc.apparmor.functions
-
-# source function library
-if [ -f /etc/init.d/functions ]; then
-	. /etc/init.d/functions
-elif [ -f /etc/rc.d/init.d/functions ]; then
-	. /etc/rc.d/init.d/functions
-elif [ -f /lib/lsb/init-functions ]; then
-	. /lib/lsb/init-functions
-else
-	exit 0
-fi
-
-usage() {
-	echo "Usage: $0 {start|stop|restart|try-restart|reload|force-reload|status|kill}"
-}
-
-aa_log_success_msg() {
-	echo -n "$*"
-	success
-	echo
-}
-
-aa_log_warning_msg() {
-	echo -n "$*"
-	warning
-	echo
-}
-
-aa_log_skipped_msg() {
-	echo -n "$*"
-	warning
-	echo
-}
-
-aa_log_failure_msg() {
-	echo -n "$*"
-	failure
-	echo
-}
-
-aa_action() {
-	STRING=$1
-	shift
-	action "${STRING} " "$@"
-	return $?
-}
-
-# source apparmor function library
-if [ -f "${APPARMOR_FUNCTIONS}" ]; then
-	. ${APPARMOR_FUNCTIONS}
-else
-	aa_log_failure_msg "Unable to find AppArmor initscript functions"
-	exit 1
-fi
-
-case "$1" in
-	start)
-		apparmor_start
-		rc=$?
-		;;
-	stop)
-		apparmor_stop
-		rc=$?
-		;;
-	restart|reload|force-reload)
-		apparmor_restart
-		rc=$?
-		;;
-	try-restart)
-		apparmor_try_restart
-		rc=$?
-		;;
-	kill)
-		apparmor_kill
-		rc=$?
-		;;
-	status)
-		apparmor_status
-		rc=$?
-		;;
-	*)
-		usage
-		exit 1
-		;;
-esac
-exit $rc
-

parser/tst/Makefile

@@ -17,8 +17,8 @@ endif
 
 all: tests
 
-.PHONY: tests error_output gen_dbus gen_xtrans parser_sanity caching minimize equality valgrind
-tests: error_output caching minimize equality parser_sanity
+.PHONY: tests error_output gen_dbus gen_xtrans parser_sanity caching minimize equality dirtest valgrind
+tests: error_output caching minimize equality dirtest parser_sanity
 
 GEN_TRANS_DIRS=simple_tests/generated_x/ simple_tests/generated_perms_leading/ simple_tests/generated_perms_safe/ simple_tests/generated_dbus
 
@@ -29,7 +29,7 @@ $(GEN_TRANS_DIRS):
 	mkdir $@
 
 gen_dbus: $(GEN_TRANS_DIRS)
-	./gen-dbus.pl
+	./gen-dbus.py
 
 error_output: $(PARSER)
 	LANG=C ./errors.py -p "$(PARSER)" $(PYTEST_ARG)
@@ -46,6 +46,9 @@ minimize: $(PARSER)
 equality: $(PARSER)
 	LANG=C APPARMOR_PARSER="$(PARSER) $(PARSER_ARGS)" ./equality.sh
 
+dirtest: $(PARSER)
+	LANG=C APPARMOR_PARSER="$(PARSER) $(PARSER_ARGS)" ./dirtest.sh
+
 valgrind: $(PARSER) gen_xtrans gen_dbus
 	LANG=C ./valgrind_simple.py -p "$(PARSER) $(PARSER_ARGS)" -v simple_tests
 

parser/tst/caching.py

@@ -17,7 +17,6 @@
 
 from argparse import ArgumentParser
 import os
-import platform
 import shutil
 import time
 import tempfile
@@ -73,13 +72,13 @@ class AAParserCachingCommon(testlib.AATestTemplate):
         self.cmd_prefix = [config.parser, '--config-file=./parser.conf', '--base', self.tmp_dir, '--skip-kernel-load']
 
         if not self.is_apparmorfs_mounted():
-            self.cmd_prefix += ['-M', './features_files/features.all']
+            self.cmd_prefix.extend(('-M', './features_files/features.all'))
 
         # Otherwise get_cache_dir() will try to create /var/cache/apparmor
         # and will fail when the test suite is run as non-root.
-        self.cmd_prefix += [
+        self.cmd_prefix.extend((
             '--cache-loc', os.path.join(self.tmp_dir, 'cache')
-        ]
+        ))
 
         # create directory for cached blobs
         # NOTE: get_cache_dir() requires cmd_prefix to be fully initialized
@@ -98,7 +97,8 @@ class AAParserCachingCommon(testlib.AATestTemplate):
                 shutil.rmtree(self.tmp_dir)
 
     def get_cache_dir(self, create=False):
-        cmd = [config.parser, '--print-cache-dir'] + self.cmd_prefix
+        cmd = [config.parser, '--print-cache-dir']
+        cmd.extend(self.cmd_prefix)
         rc, report = self.run_cmd(cmd)
         if rc != 0:
             if "unrecognized option '--print-cache-dir'" not in report:
@@ -146,14 +146,11 @@ class AAParserCachingCommon(testlib.AATestTemplate):
 
 class AAParserBasicCachingTests(AAParserCachingCommon):
 
-    def setUp(self):
-        super(AAParserBasicCachingTests, self).setUp()
-
     def test_no_cache_by_default(self):
         '''test profiles are not cached by default'''
 
         cmd = list(self.cmd_prefix)
-        cmd.extend(['-q', '-r', self.profile])
+        cmd.extend(('-q', '-r', self.profile))
         self.run_cmd_check(cmd)
         self.assert_path_exists(os.path.join(self.cache_dir, PROFILE), expected=False)
 
@@ -161,7 +158,7 @@ class AAParserBasicCachingTests(AAParserCachingCommon):
         '''test profiles are not cached with --skip-cache'''
 
         cmd = list(self.cmd_prefix)
-        cmd.extend(['-q', '--write-cache', '--skip-cache', '-r', self.profile])
+        cmd.extend(('-q', '--write-cache', '--skip-cache', '-r', self.profile))
         self.run_cmd_check(cmd)
         self.assert_path_exists(os.path.join(self.cache_dir, PROFILE), expected=False)
 
@@ -169,7 +166,7 @@ class AAParserBasicCachingTests(AAParserCachingCommon):
         '''test profiles are cached when requested'''
 
         cmd = list(self.cmd_prefix)
-        cmd.extend(['-q', '--write-cache', '-r', self.profile])
+        cmd.extend(('-q', '--write-cache', '-r', self.profile))
         self.run_cmd_check(cmd)
         self.assert_path_exists(os.path.join(self.cache_dir, PROFILE))
 
@@ -177,7 +174,7 @@ class AAParserBasicCachingTests(AAParserCachingCommon):
         '''test features file is written when caching'''
 
         cmd = list(self.cmd_prefix)
-        cmd.extend(['-q', '--write-cache', '-r', self.profile])
+        cmd.extend(('-q', '--write-cache', '-r', self.profile))
         self.run_cmd_check(cmd)
         self.assert_path_exists(os.path.join(self.cache_dir, PROFILE))
         self.assert_path_exists(os.path.join(self.cache_dir, '.features'))
@@ -188,7 +185,7 @@ class AAParserBasicCachingTests(AAParserCachingCommon):
         self.require_apparmorfs()
 
         cmd = list(self.cmd_prefix)
-        cmd.extend(['-q', '--write-cache', '-r', self.profile])
+        cmd.extend(('-q', '--write-cache', '-r', self.profile))
         self.run_cmd_check(cmd)
         self.assert_path_exists(os.path.join(self.cache_dir, PROFILE))
         self.assert_path_exists(os.path.join(self.cache_dir, '.features'))
@@ -200,26 +197,26 @@ class AAParserAltCacheBasicTests(AAParserBasicCachingTests):
     '''Same tests as above, but with an alternate cache location specified on the command line'''
 
     def setUp(self):
-        super(AAParserAltCacheBasicTests, self).setUp()
+        super().setUp()
 
         alt_cache_loc = tempfile.mkdtemp(prefix='aa-alt-cache', dir=self.tmp_dir)
         os.chmod(alt_cache_loc, 0o755)
 
         self.unused_cache_loc = self.cache_dir
-        self.cmd_prefix.extend(['--cache-loc', alt_cache_loc])
+        self.cmd_prefix.extend(('--cache-loc', alt_cache_loc))
         self.cache_dir = self.get_cache_dir()
 
     def tearDown(self):
         if len(os.listdir(self.unused_cache_loc)) > 0:
             self.fail('original cache dir \'%s\' not empty' % self.unused_cache_loc)
-        super(AAParserAltCacheBasicTests, self).tearDown()
+        super().tearDown()
 
 
 class AAParserCreateCacheBasicTestsCacheExists(AAParserBasicCachingTests):
     '''Same tests as above, but with create cache option on the command line and the cache already exists'''
 
     def setUp(self):
-        super(AAParserCreateCacheBasicTestsCacheExists, self).setUp()
+        super().setUp()
         self.cmd_prefix.append('--create-cache-dir')
 
 
@@ -227,7 +224,7 @@ class AAParserCreateCacheBasicTestsCacheNotExist(AAParserBasicCachingTests):
     '''Same tests as above, but with create cache option on the command line and cache dir removed'''
 
     def setUp(self):
-        super(AAParserCreateCacheBasicTestsCacheNotExist, self).setUp()
+        super().setUp()
         shutil.rmtree(self.cache_dir)
         self.cmd_prefix.append('--create-cache-dir')
 
@@ -237,7 +234,7 @@ class AAParserCreateCacheAltCacheTestsCacheNotExist(AAParserBasicCachingTests):
        alt cache specified, and cache dir removed'''
 
     def setUp(self):
-        super(AAParserCreateCacheAltCacheTestsCacheNotExist, self).setUp()
+        super().setUp()
         shutil.rmtree(self.cache_dir)
         self.cmd_prefix.append('--create-cache-dir')
 
@@ -245,7 +242,7 @@ class AAParserCreateCacheAltCacheTestsCacheNotExist(AAParserBasicCachingTests):
 class AAParserCachingTests(AAParserCachingCommon):
 
     def setUp(self):
-        super(AAParserCachingTests, self).setUp()
+        super().setUp()
 
         r = testlib.filesystem_time_resolution()
         self.mtime_res = r[1]
@@ -253,28 +250,14 @@ class AAParserCachingTests(AAParserCachingCommon):
     def _generate_cache_file(self):
 
         cmd = list(self.cmd_prefix)
-        cmd.extend(['-q', '--write-cache', '-r', self.profile])
+        cmd.extend(('-q', '--write-cache', '-r', self.profile))
         self.run_cmd_check(cmd)
         self.assert_path_exists(self.cache_file)
 
-    def _assertTimeStampEquals(self, time1, time2):
-        '''Compare two timestamps to ensure equality'''
-
-        # python 3.2 and earlier don't support writing timestamps with
-        # nanosecond resolution, only microsecond. When comparing
-        # timestamps in such an environment, loosen the equality bounds
-        # to compensate
-        # Reference: https://bugs.python.org/issue12904
-        (major, minor, _) = platform.python_version_tuple()
-        if (int(major) < 3) or ((int(major) == 3) and (int(minor) <= 2)):
-            self.assertAlmostEquals(time1, time2, places=5)
-        else:
-            self.assertEqual(time1, time2)
-
     def _set_mtime(self, path, mtime):
         atime = os.stat(path).st_atime
         os.utime(path, (atime, mtime))
-        self._assertTimeStampEquals(os.stat(path).st_mtime, mtime)
+        self.assertEqual(os.stat(path).st_mtime, mtime)
 
     def test_cache_loaded_when_exists(self):
         '''test cache is loaded when it exists, is newer than profile,  and features match'''
@@ -282,7 +265,7 @@ class AAParserCachingTests(AAParserCachingCommon):
         self._generate_cache_file()
 
         cmd = list(self.cmd_prefix)
-        cmd.extend(['-v', '-r', self.profile])
+        cmd.extend(('-v', '-r', self.profile))
         self.run_cmd_check(cmd, expected_string='Cached reload succeeded')
 
     def test_cache_not_loaded_when_skip_arg(self):
@@ -291,7 +274,7 @@ class AAParserCachingTests(AAParserCachingCommon):
         self._generate_cache_file()
 
         cmd = list(self.cmd_prefix)
-        cmd.extend(['-v', '--skip-cache', '-r', self.profile])
+        cmd.extend(('-v', '--skip-cache', '-r', self.profile))
         self.run_cmd_check(cmd, expected_string='Replacement succeeded for')
 
     def test_cache_not_loaded_when_skip_read_arg(self):
@@ -300,7 +283,7 @@ class AAParserCachingTests(AAParserCachingCommon):
         self._generate_cache_file()
 
         cmd = list(self.cmd_prefix)
-        cmd.extend(['-v', '--skip-read-cache', '-r', self.profile])
+        cmd.extend(('-v', '--skip-read-cache', '-r', self.profile))
         self.run_cmd_check(cmd, expected_string='Replacement succeeded for')
 
     def test_cache_not_loaded_when_features_differ(self):
@@ -311,7 +294,7 @@ class AAParserCachingTests(AAParserCachingCommon):
         testlib.write_file(self.cache_dir, '.features', 'monkey\n')
 
         cmd = list(self.cmd_prefix)
-        cmd.extend(['-v', '-r', self.profile])
+        cmd.extend(('-v', '-r', self.profile))
         self.run_cmd_check(cmd, expected_string='Replacement succeeded for')
 
     def test_cache_writing_does_not_overwrite_features_when_features_differ(self):
@@ -322,7 +305,7 @@ class AAParserCachingTests(AAParserCachingCommon):
         features_file = testlib.write_file(self.cache_dir, '.features', 'monkey\n')
 
         cmd = list(self.cmd_prefix)
-        cmd.extend(['-v', '--write-cache', '--skip-bad-cache', '-r', self.profile])
+        cmd.extend(('-v', '--write-cache', '--skip-bad-cache', '-r', self.profile))
         self.run_cmd_check(cmd, expected_string='Replacement succeeded for')
         self.assert_path_exists(features_file)
         # ensure that the features does *not* match the current features set
@@ -334,7 +317,7 @@ class AAParserCachingTests(AAParserCachingCommon):
         testlib.write_file(self.cache_dir, '.features', 'monkey\n')
 
         cmd = list(self.cmd_prefix)
-        cmd.extend(['-v', '--write-cache', '--skip-bad-cache', '-r', self.profile])
+        cmd.extend(('-v', '--write-cache', '--skip-bad-cache', '-r', self.profile))
         self.run_cmd_check(cmd, expected_string='Replacement succeeded for')
         self.assert_path_exists(self.cache_file, expected=False)
 
@@ -349,7 +332,7 @@ class AAParserCachingTests(AAParserCachingCommon):
         new_features_file = new_file + '/.features';
 
         cmd = list(self.cmd_prefix)
-        cmd.extend(['-v', '--write-cache', '-r', self.profile])
+        cmd.extend(('-v', '--write-cache', '-r', self.profile))
         self.run_cmd_check(cmd, expected_string='Replacement succeeded for')
         self.assert_path_exists(features_file)
         self.assert_path_exists(new_features_file)
@@ -362,7 +345,7 @@ class AAParserCachingTests(AAParserCachingCommon):
         orig_stat = os.stat(cache_file)
 
         cmd = list(self.cmd_prefix)
-        cmd.extend(['-v', '--write-cache', '-r', self.profile])
+        cmd.extend(('-v', '--write-cache', '-r', self.profile))
         self.run_cmd_check(cmd, expected_string='Replacement succeeded for')
         self.assert_path_exists(cache_file)
         stat = os.stat(cache_file)
@@ -378,7 +361,7 @@ class AAParserCachingTests(AAParserCachingCommon):
         check_file = testlib.write_file(self.cache_dir, 'monkey', 'monkey\n')
 
         cmd = list(self.cmd_prefix)
-        cmd.extend(['-v', '--write-cache', '-r', self.profile])
+        cmd.extend(('-v', '--write-cache', '-r', self.profile))
         self.run_cmd_check(cmd, expected_string='Replacement succeeded for')
         self.assert_path_exists(check_file, expected=False)
 
@@ -416,7 +399,7 @@ class AAParserCachingTests(AAParserCachingCommon):
         orig_stat = os.stat(self.cache_file)
 
         cmd = list(self.cmd_prefix)
-        cmd.extend(['-v', '-r', self.profile])
+        cmd.extend(('-v', '-r', self.profile))
         self.run_cmd_check(cmd, expected_string='Replacement succeeded for')
 
         stat = os.stat(self.cache_file)
@@ -434,7 +417,7 @@ class AAParserCachingTests(AAParserCachingCommon):
         orig_stat = os.stat(self.cache_file)
 
         cmd = list(self.cmd_prefix)
-        cmd.extend(['-v', '-r', self.profile])
+        cmd.extend(('-v', '-r', self.profile))
         self.run_cmd_check(cmd, expected_string='Replacement succeeded for')
 
         stat = os.stat(self.cache_file)
@@ -452,12 +435,12 @@ class AAParserCachingTests(AAParserCachingCommon):
         orig_stat = os.stat(self.cache_file)
 
         cmd = list(self.cmd_prefix)
-        cmd.extend(['-v', '-r', '-W', self.profile])
+        cmd.extend(('-v', '-r', '-W', self.profile))
         self.run_cmd_check(cmd, expected_string='Replacement succeeded for')
 
         stat = os.stat(self.cache_file)
         self.assertNotEqual(orig_stat.st_ino, stat.st_ino)
-        self._assertTimeStampEquals(profile_mtime, stat.st_mtime)
+        self.assertEqual(profile_mtime, stat.st_mtime)
 
     def test_abstraction_newer_rewrites_cache(self):
         '''test cache is rewritten if abstraction is newer'''
@@ -469,12 +452,12 @@ class AAParserCachingTests(AAParserCachingCommon):
         orig_stat = os.stat(self.cache_file)
 
         cmd = list(self.cmd_prefix)
-        cmd.extend(['-v', '-r', '-W', self.profile])
+        cmd.extend(('-v', '-r', '-W', self.profile))
         self.run_cmd_check(cmd, expected_string='Replacement succeeded for')
 
         stat = os.stat(self.cache_file)
         self.assertNotEqual(orig_stat.st_ino, stat.st_ino)
-        self._assertTimeStampEquals(abstraction_mtime, stat.st_mtime)
+        self.assertEqual(abstraction_mtime, stat.st_mtime)
 
     def test_parser_newer_uses_cache(self):
         '''test cache is not skipped if parser is newer'''
@@ -489,7 +472,7 @@ class AAParserCachingTests(AAParserCachingCommon):
 
         cmd = list(self.cmd_prefix)
         cmd[0] = new_parser
-        cmd.extend(['-v', '-r', self.profile])
+        cmd.extend(('-v', '-r', self.profile))
         self.run_cmd_check(cmd, expected_string='Cached reload succeeded for')
 
     def _purge_cache_test(self, location):
@@ -497,7 +480,7 @@ class AAParserCachingTests(AAParserCachingCommon):
         cache_file = testlib.write_file(self.cache_dir, location, 'monkey\n')
 
         cmd = list(self.cmd_prefix)
-        cmd.extend(['-v', '--purge-cache', '-r', self.profile])
+        cmd.extend(('-v', '--purge-cache', '-r', self.profile))
         self.run_cmd_check(cmd)
         # no message is output
         self.assert_path_exists(cache_file, expected=False)
@@ -520,27 +503,27 @@ class AAParserAltCacheTests(AAParserCachingTests):
     check_orig_cache = True
 
     def setUp(self):
-        super(AAParserAltCacheTests, self).setUp()
+        super().setUp()
 
         alt_cache_loc = tempfile.mkdtemp(prefix='aa-alt-cache', dir=self.tmp_dir)
         os.chmod(alt_cache_loc, 0o755)
 
         self.orig_cache_dir = self.cache_dir
-        self.cmd_prefix.extend(['--cache-loc', alt_cache_loc])
+        self.cmd_prefix.extend(('--cache-loc', alt_cache_loc))
         self.cache_dir = self.get_cache_dir(create=True)
         self.cache_file = os.path.join(self.cache_dir, PROFILE)
 
     def tearDown(self):
         if self.check_orig_cache and len(os.listdir(self.orig_cache_dir)) > 0:
             self.fail('original cache dir \'%s\' not empty' % self.orig_cache_dir)
-        super(AAParserAltCacheTests, self).tearDown()
+        super().tearDown()
 
     def test_cache_purge_leaves_original_cache_alone(self):
         '''test cache purging only touches alt cache'''
 
         # skip tearDown check to ensure non-alt cache is empty
         self.check_orig_cache = False
-        filelist = [PROFILE, '.features', 'monkey']
+        filelist = (PROFILE, '.features', 'monkey')
 
         for f in filelist:
             testlib.write_file(self.orig_cache_dir, f, 'monkey\n')

parser/tst/dirtest.sh

@@ -0,0 +1,73 @@
+#!/bin/sh
+#
+#   Copyright (c) 2022
+#   Canonical, Ltd. (All rights reserved)
+#
+#   This program is free software; you can redistribute it and/or
+#   modify it under the terms of version 2 of the GNU General Public
+#   License published by the Free Software Foundation.
+#
+#   This program is distributed in the hope that it will be useful,
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#   GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program; if not, contact Canonical Ltd.
+#
+
+# simple test to ensure dir is being iterated as expected
+# yes this needs to be improved and reworked
+
+
+# passed in by Makefile
+#APPARMOR_PARSER="${APPARMOR_PARSER:-../apparmor_parser}"
+
+
+do_tst() {
+	local msg="$1"
+	local expected="$2"
+	local rc=0
+	shift 2
+	#global tmpdir
+
+	${APPARMOR_PARSER} "$@" > "$tmpdir/out.unsorted" 2>/dev/null
+	rc=$?
+	LC_ALL=C sort "$tmpdir/out.unsorted" > "$tmpdir/out"
+	if [ $rc -ne 0 ] && [ "$expected" != "fail" ] ; then
+		echo "failed: expected \"$expected\" but parser returned error"
+		return 1
+	fi
+	if [ $rc -eq 0 ] && [ "$expected" = "fail" ] ; then
+		echo "succeeded unexpectedly: expected \"$expected\" but parser returned success"
+		return 1
+	fi
+	if ! diff -q "$tmpdir/out" dirtest/dirtest.out ; then
+		echo "failed: expected \"$expected\" but output comparison failed"
+		diff -u dirtest/dirtest.out "$tmpdir/out"
+		return 1
+	fi
+
+	return 0
+}
+
+tmpdir=$(mktemp -d "$tmpdir.XXXXXXXX")
+chmod 755 "$tmpdir"
+export tmpdir
+
+rc=0
+
+# pass - no parser errors and output matches
+# error - parser error and output matches
+# fail - comparison out parser output failed
+do_tst "good dir list" pass -N dirtest/gooddir/ || rc=1
+do_tst "bad link in dir" fail -N dirtest/badlink/ || rc=1
+do_tst "bad profile in dir" fail -N dirtest/badprofile/ || rc=1
+
+rm -rf "$tmpdir"
+
+if [ $rc -eq 0 ] ; then
+	echo "PASS"
+fi
+
+exit $rc

parser/tst/dirtest/badlink/bar

@@ -0,0 +1 @@
+foo

parser/tst/dirtest/badlink/good_link

@@ -0,0 +1 @@
+../goodtarget

parser/tst/dirtest/badlink/profileA

@@ -0,0 +1,2 @@
+profile a_profile {
+}

parser/tst/dirtest/badlink/profileB

@@ -0,0 +1,2 @@
+profile b_profile {
+}

parser/tst/dirtest/badprofile/bad

@@ -0,0 +1,3 @@
+profile bad_profile {
+  file
+}

parser/tst/dirtest/badprofile/good_link

@@ -0,0 +1 @@
+../goodtarget

parser/tst/dirtest/badprofile/profileA

@@ -0,0 +1,2 @@
+profile a_profile {
+}

parser/tst/dirtest/badprofile/profileB

@@ -0,0 +1,2 @@
+profile b_profile {
+}

parser/tst/dirtest/dirtest.out

@@ -0,0 +1,3 @@
+a_profile
+b_profile
+good_target

parser/tst/dirtest/gooddir/good_link

@@ -0,0 +1 @@
+../goodtarget

parser/tst/dirtest/gooddir/profileA

@@ -0,0 +1,2 @@
+profile a_profile {
+}

parser/tst/dirtest/gooddir/profileB

@@ -0,0 +1,2 @@
+profile b_profile {
+}

parser/tst/dirtest/goodtarget

@@ -0,0 +1,2 @@
+profile good_target {
+}

parser/tst/equality.sh

@@ -630,7 +630,18 @@ verify_binary_equality "link rules slash filtering" \
                            /t { link @{FOO}//foo -> /mnt/bar, }" \
                        "@{FOO}=/dev/
                         @{BAR}=/mnt/
-                           /t { link @{FOO}/foo -> @{BAR}/bar, }" \
+                           /t { link @{FOO}/foo -> @{BAR}/bar, }"
+
+verify_binary_equality "attachment slash filtering" \
+                       "/t /bin/foo { }" \
+                       "/t /bin//foo { }" \
+                       "@{BAR}=/bin/
+			   /t @{BAR}/foo { }" \
+                       "@{FOO}=/foo
+			   /t /bin/@{FOO} { }" \
+                       "@{BAR}=/bin/
+                        @{FOO}=/foo
+			   /t @{BAR}/@{FOO} { }"
 
 if [ $fails -ne 0 ] || [ $errors -ne 0 ]
 then

parser/tst/errors.py

@@ -36,9 +36,9 @@ class AAErrorTests(testlib.AATestTemplate):
         else:
             self.assertEqual(rc, 0, report)
 
-        ignore_messages = [
+        ignore_messages = (
             'Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)\n',
-        ]
+        )
         for ign in ignore_messages:
             if ign in outerr:
                 outerr = outerr.replace(ign, '')
@@ -73,7 +73,7 @@ class AAErrorTests(testlib.AATestTemplate):
         )
 
     def test_deprecation1(self):
-        self.cmd_prefix.extend(['--warn=deprecated'])
+        self.cmd_prefix.append('--warn=deprecated')
         self._run_test(
             'errors/deprecation1.sd',
             "Warning from errors/deprecation1.sd (errors/deprecation1.sd line 6): The use of file paths as profile names is deprecated. See man apparmor.d for more information\n",
@@ -81,7 +81,7 @@ class AAErrorTests(testlib.AATestTemplate):
         )
 
     def test_deprecation2(self):
-        self.cmd_prefix.extend(['--warn=deprecated'])
+        self.cmd_prefix.append('--warn=deprecated')
         self._run_test(
             'errors/deprecation2.sd',
             "Warning from errors/deprecation2.sd (errors/deprecation2.sd line 6): The use of file paths as profile names is deprecated. See man apparmor.d for more information\n",

parser/tst/gen-dbus.pl

@@ -1,167 +0,0 @@
-#!/usr/bin/perl
-#
-#   Copyright (c) 2013
-#   Canonical, Ltd. (All rights reserved)
-#
-#   This program is free software; you can redistribute it and/or
-#   modify it under the terms of version 2 of the GNU General Public
-#   License published by the Free Software Foundation.
-#
-#   This program is distributed in the hope that it will be useful,
-#   but WITHOUT ANY WARRANTY; without even the implied warranty of
-#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#   GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public License
-#   along with this program; if not, contact Canonical Ltd.
-#
-
-use strict;
-use Locale::gettext;
-use POSIX;
-
-setlocale(LC_MESSAGES, "");
-
-my $count=0;
-
-my $prefix="simple_tests/generated_dbus";
-
-my @quantifier = ("", "deny", "audit");
-my @session = ("", "bus=session", "bus=system", "bus=accessibility");
-my @path = ("", "path=/foo/bar", "path=\"/foo/bar\"");
-my @interface = ("", "interface=com.baz", "interface=\"com.baz\"");
-my @member = ("", "member=bar", "member=\"bar\"");
-
-my @name = ("", "name=com.foo", "name=\"com.foo\"");
-my @peer = map { "peer=($_)" } (@name, "label=/usr/bin/app",
-				"label=\"/usr/bin/app\"",
-				"name=com.foo label=/usr/bin/app",
-				"name=\"com.foo\" label=\"/usr/bin/app\"");
-
-# @msg_perms are the permissions that are related to sending and receiving
-# messages. @svc_perms are the permissions related to services.
-my @base_msg_perms = ("r", "w", "rw", "read", "receive", "write", "send");
-my @msg_perms = ("", @base_msg_perms, (map { "($_)" } @base_msg_perms),
-		 "(write, read)", "(send receive)", "(send read)",
-		 "(receive write)");
-
-gen_files("message-rules", "PASS", \@quantifier, \@msg_perms, \@session,
-	  [""], \@path, \@interface, \@member, \@peer);
-gen_files("service-rules", "PASS", \@quantifier, ["bind"], \@session,
-	  \@name, [""], [""], [""], [""]);
-gen_files("eavesdrop-rules", "PASS", \@quantifier, ["eavesdrop"], \@session,
-	  [""], [""], [""], [""], [""]);
-gen_file("sloppy-formatting", "PASS", "", "(send , receive )", "bus=session",
-	 "", "path =\"/foo/bar\"", "interface = com.foo", "  member=bar",
-	 "peer =(   label= /usr/bin/app name  =\"com.foo\")");
-gen_file("sloppy-formatting", "PASS", "", "bind", "bus =session",
-	 "name= com.foo", "", "", "", "");
-gen_file("sloppy-formatting", "PASS", "", "eavesdrop", "bus = system",
-	 "", "", "", "", "");
-
-# Don't use the first element, which is empty, from each array since all empty
-# conditionals would PASS but we want all FAILs
-shift @msg_perms;
-shift @name;
-shift @path;
-shift @interface;
-shift @member;
-shift @peer;
-gen_files("message-incompat", "FAIL", \@quantifier, \@msg_perms, \@session,
-	  \@name, [""], [""], [""], [""]);
-gen_files("service-incompat", "FAIL", \@quantifier, ["bind"], \@session,
-	  \@name, \@path, [""], [""], [""]);
-gen_files("service-incompat", "FAIL", \@quantifier, ["bind"], \@session,
-	  \@name, [""], \@interface, [""], [""]);
-gen_files("service-incompat", "FAIL", \@quantifier, ["bind"], \@session,
-	  \@name, [""], [""], \@member, [""]);
-gen_files("service-incompat", "FAIL", \@quantifier, ["bind"], \@session,
-	  \@name, [""], [""], [""], \@peer);
-gen_files("eavesdrop-incompat", "FAIL", \@quantifier, ["eavesdrop"], \@session,
-	  \@name, \@path, \@interface, \@member, \@peer);
-
-gen_files("pairing-unsupported", "FAIL", \@quantifier, ["send", "bind"],
-	  \@session, ["name=sn", "label=sl"], [""], [""], [""],
-	  ["peer=(name=pn)", "peer=(label=pl)"]);
-
-# missing bus= prefix
-gen_file("bad-formatting", "FAIL", "", "send", "session", "", "", "", "", "");
-# incorrectly formatted permissions
-gen_files("bad-perms", "FAIL", [""], ["send receive", "(send", "send)"],
-	  ["bus=session"], [""], [""], [""], [""], [""]);
-# invalid permissions
-gen_files("bad-perms", "FAIL", [""],
-	  ["a", "x", "Ux", "ix", "m", "k", "l", "(a)", "(x)"], [""], [""],
-	  [""], [""], [""], [""]);
-
-gen_file("duplicated-conditionals", "FAIL", "", "bus=1 bus=2");
-gen_file("duplicated-conditionals", "FAIL", "", "name=1 name=2");
-gen_file("duplicated-conditionals", "FAIL", "", "path=1 path=2");
-gen_file("duplicated-conditionals", "FAIL", "", "interface=1 interface=2");
-gen_file("duplicated-conditionals", "FAIL", "", "member=1 member=2");
-gen_file("duplicated-conditionals", "FAIL", "", "peer=(name=1) peer=(name=2)");
-gen_file("duplicated-conditionals", "FAIL", "", "peer=(label=1) peer=(label=2)");
-gen_file("duplicated-conditionals", "FAIL", "", "peer=(name=1) peer=(label=2)");
-
-print "Generated $count dbus tests\n";
-
-sub print_rule($$$$$$$$$) {
-    my ($file, $quantifier, $perms, $session, $name, $path, $interface, $member, $peer) = @_;
-
-    print $file " ";
-    print $file " ${quantifier}" if ${quantifier};
-    print $file " dbus";
-    print $file " ${perms}" if ${perms};
-    print $file " ${session}" if ${session};
-    print $file " ${name}" if ${name};
-    print $file " ${path}" if ${path};
-    print $file " ${interface}" if ${interface};
-    print $file " ${member}" if ${member};
-    print $file " ${peer}" if ${peer};
-    print $file ",\n";
-}
-
-sub gen_file($$$$$$$$$$) {
-    my ($test, $xres, $quantifier, $perms, $session, $name, $path, $interface, $member, $peer) = @_;
-
-    my $file;
-    unless (open $file, ">${prefix}/$test-$count.sd") {
-	print("couldn't open $test\n");
-	exit 1;
-    }
-
-    print $file "#\n";
-    print $file "#=DESCRIPTION ${test}\n";
-    print $file "#=EXRESULT ${xres}\n";
-    print $file "#\n";
-    print $file "/usr/bin/foo {\n";
-    print_rule($file, $quantifier, $perms, $session, $name, $path, $interface,
-	       $member, $peer);
-    print $file "}\n";
-    close($file);
-
-    $count++;
-}
-
-sub gen_files($$$$$$$$$$) {
-    my ($test, $xres, $quantifiers, $perms, $sessions, $names, $paths, $interfaces, $members, $peers) = @_;
-
-    foreach my $quantifier (@{$quantifiers}) {
-      foreach my $perm (@{$perms}) {
-	foreach my $session (@{$sessions}) {
-	  foreach my $name (@{$names}) {
-	    foreach my $path (@{$paths}) {
-	      foreach my $interface (@{$interfaces}) {
-		foreach my $member (@{$members}) {
-		  foreach my $peer (@{$peers}) {
-		    gen_file($test, $xres, $quantifier, $perm, $session, $name,
-			     $path, $interface, $member, $peer);
-		  }
-		}
-	      }
-	    }
-	  }
-	}
-      }
-    }
-}

parser/tst/gen-dbus.py

@@ -0,0 +1,157 @@
+#!/usr/bin/python3
+#
+#   Copyright (c) 2013 Canonical, Ltd. (All rights reserved)
+#   Copyright (c) 2021 Christian Boltz
+#
+#   This program is free software; you can redistribute it and/or
+#   modify it under the terms of version 2 of the GNU General Public
+#   License published by the Free Software Foundation.
+#
+#   This program is distributed in the hope that it will be useful,
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#   GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program; if not, contact Canonical Ltd.
+#
+
+from testlib import write_file
+
+def get_rule (quantifier, perms, session, name, path, interface, member, peer):
+
+    result = ' '
+
+    for part in (quantifier, 'dbus', perms, session, name, path, interface, member, peer):
+        if part:
+            result += ' %s' % part
+
+    result += ',\n'
+
+    return result
+
+def gen_file(test, xres, quantifier, perms, session, name, path, interface, member, peer):
+    global count
+
+    content = ''
+    content += '#\n'
+    content += '#=DESCRIPTION %s\n' % test
+    content += '#=EXRESULT %s\n' % xres
+    content += '#\n'
+    content += '/usr/bin/foo {\n'
+    content += get_rule(quantifier, perms, session, name, path, interface, member, peer)
+    content += '}\n'
+
+    write_file('simple_tests/generated_dbus', '%s-%s.sd' % (test, count), content)
+
+    count += 1
+
+def gen_files (test, xres, quantifiers, perms, sessions, names, paths, interfaces, members, peers):
+    for quantifier in quantifiers:
+        for perm in perms:
+            for session in sessions:
+                for name in names:
+                    for path in paths:
+                        for interface in interfaces:
+                            for member in members:
+                                for peer in peers:
+                                    gen_file(test, xres, quantifier, perm, session, name, path, interface, member, peer)
+
+count=0
+
+quantifier = ('', 'deny', 'audit')
+session = ('', 'bus=session', 'bus=system', 'bus=accessibility')
+path = ['', 'path=/foo/bar', 'path="/foo/bar"']
+interface = ['', 'interface=com.baz', 'interface="com.baz"']
+member = ['', 'member=bar', 'member="bar"']
+
+name = ['', 'name=com.foo', 'name="com.foo"']
+peer = [
+    'peer=()',
+    'peer=(name=com.foo)',
+    'peer=(name="com.foo")',
+    'peer=(label=/usr/bin/app)',
+    'peer=(label="/usr/bin/app")',
+    'peer=(name=com.foo label=/usr/bin/app)',
+    'peer=(name="com.foo" label="/usr/bin/app")',
+]
+
+# msg_perms are the permissions that are related to sending and receiving
+# messages.
+msg_perms = [
+    '',
+    'r',
+    'w',
+    'rw',
+    'read',
+    'receive',
+    'write',
+    'send',
+    '(r)',
+    '(w)',
+    '(rw)',
+    '(read)',
+    '(receive)',
+    '(write)',
+    '(send)',
+    '(write, read)',
+    '(send receive)',
+    '(send read)',
+    '(receive write)',
+]
+
+empty_tup = ('',)
+
+gen_files('message-rules', 'PASS', quantifier, msg_perms, session,
+          empty_tup, path, interface, member, peer)
+gen_files('service-rules', 'PASS', quantifier, ['bind'], session,
+          name, empty_tup, empty_tup, empty_tup, empty_tup)
+gen_files('eavesdrop-rules', 'PASS', quantifier, ['eavesdrop'], session,
+          empty_tup, empty_tup, empty_tup, empty_tup, empty_tup)
+gen_file('sloppy-formatting', 'PASS', '', '(send , receive )', 'bus=session',
+	 '', 'path ="/foo/bar"', 'interface = com.foo', '  member=bar',
+	 'peer =(   label= /usr/bin/app name  ="com.foo")')
+gen_file('sloppy-formatting', 'PASS', '', 'bind', 'bus =session',
+	 'name= com.foo', '', '', '', '')
+gen_file('sloppy-formatting', 'PASS', '', 'eavesdrop', 'bus = system',
+	 '', '', '', '', '')
+
+# Don't use the empty element from each array since all empty conditionals would PASS but we want all FAILs
+msg_perms.remove('')
+name.remove('')
+path.remove('')
+interface.remove('')
+member.remove('')
+peer.remove('peer=()')
+
+gen_files('message-incompat', 'FAIL', quantifier, msg_perms, session, name, empty_tup, empty_tup, empty_tup, empty_tup)
+gen_files('service-incompat', 'FAIL', quantifier, ('bind',), session, name, path, empty_tup, empty_tup, empty_tup)
+gen_files('service-incompat', 'FAIL', quantifier, ('bind',), session, name, empty_tup, interface, empty_tup, empty_tup)
+gen_files('service-incompat', 'FAIL', quantifier, ('bind',), session, name, empty_tup, empty_tup, member, empty_tup)
+gen_files('service-incompat', 'FAIL', quantifier, ('bind',), session, name, empty_tup, empty_tup, empty_tup, peer)
+gen_files('eavesdrop-incompat', 'FAIL', quantifier, ('eavesdrop',), session, name, path, interface, member, peer)
+
+gen_files('pairing-unsupported', 'FAIL', quantifier, ('send', 'bind'),
+          session, ('name=sn', 'label=sl'), empty_tup, empty_tup, empty_tup,
+          ('peer=(name=pn)', 'peer=(label=pl)'))
+
+# missing bus= prefix
+gen_file('bad-formatting', 'FAIL', '', 'send', 'session', '', '', '', '', '')
+# incorrectly formatted permissions
+gen_files('bad-perms', 'FAIL', empty_tup, ('send receive', '(send', 'send)'),
+          ('bus=session',), empty_tup, empty_tup, empty_tup, empty_tup, empty_tup)
+# invalid permissions
+gen_files('bad-perms', 'FAIL', empty_tup,
+          ('a', 'x', 'Ux', 'ix', 'm', 'k', 'l', '(a)', '(x)'), empty_tup, empty_tup,
+          empty_tup, empty_tup, empty_tup, empty_tup)
+
+gen_file('duplicated-conditionals', 'FAIL', '', 'bus=1 bus=2', '', '', '', '', '', '')
+gen_file('duplicated-conditionals', 'FAIL', '', 'name=1 name=2', '', '', '', '', '', '')
+gen_file('duplicated-conditionals', 'FAIL', '', 'path=1 path=2', '', '', '', '', '', '')
+gen_file('duplicated-conditionals', 'FAIL', '', 'interface=1 interface=2', '', '', '', '', '', '')
+gen_file('duplicated-conditionals', 'FAIL', '', 'member=1 member=2', '', '', '', '', '', '')
+gen_file('duplicated-conditionals', 'FAIL', '', 'peer=(name=1) peer=(name=2)', '', '', '', '', '', '')
+gen_file('duplicated-conditionals', 'FAIL', '', 'peer=(label=1) peer=(label=2)', '', '', '', '', '', '')
+gen_file('duplicated-conditionals', 'FAIL', '', 'peer=(name=1) peer=(label=2)', '', '', '', '', '', '')
+
+print('Generated %s dbus tests' % count)

parser/tst/gen-xtrans.py

@@ -120,8 +120,8 @@ def gen_file (name, xres, leading1, qual1, rule1, perm1, target1, leading2, qual
 #
 # will conflict
 #
-# NOTE: conflict tests don't tests leading permissions or using unsafe keywords
-#      It is assumed that there are extra tests to verify 1 to 1 coorispondance
+# NOTE: conflict tests don't test leading permissions or using unsafe keywords
+#      It is assumed that there are extra tests to verify 1 to 1 correspondance
 def gen_files(name, rule1, rule2, default):
     perms = gen_list()
 
@@ -172,7 +172,7 @@ def gen_leading_perms (name, rule1, rule2):
                 gen_file(file, "PASS", 0, q, rule1, i, t, 1, q, rule2, i, t)
 
 # test for rules with leading safe or unsafe keywords.
-# check they are equivalent to their counter part,
+# check they are equivalent to their counterpart,
 # or if $invert that they properly conflict with their counterpart
 def gen_safe_perms(name, xres, invert, rule1, rule2):
     perms = gen_list()

parser/tst/simple_tests/abi/bad_13.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION abi testing - empty/cut-off rule
+#=EXRESULT FAIL
+
+abi "
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/bad_14.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION abi testing - empty/cut-off rule
+#=EXRESULT FAIL
+
+abi ",
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/bad_15.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION abi testing - empty/cut-off rule
+#=EXRESULT FAIL
+
+abi ""
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/bad_16.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION abi testing - empty/cut-off rule
+#=EXRESULT FAIL
+
+abi "",
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/bad_17.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION abi testing - empty/cut-off rule
+#=EXRESULT FAIL
+
+abi <
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/bad_18.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION abi testing - empty/cut-off rule
+#=EXRESULT FAIL
+
+abi <,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/bad_19.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION abi testing - empty/cut-off rule
+#=EXRESULT FAIL
+
+abi <>
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/bad_20.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION abi testing - empty/cut-off rule
+#=EXRESULT FAIL
+
+abi <>,
+
+/does/not/exist {
+}

parser/tst/simple_tests/include_tests/recursive_2.sd

@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION includes testing - recursive include should not fail
+#=EXRESULT PASS
+#
+/does/not/exist {
+  #include <includes/recursive.include>
+}

parser/tst/simple_tests/include_tests/recursive_3.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION includes testing - recursive include should not fail
+#=EXRESULT PASS
+#
+
+#include <includes/recursive.preamble>
+
+/does/not/exist {
+  /foo r,
+}

parser/tst/simple_tests/includes/recursive.include

@@ -0,0 +1,6 @@
+
+# helper for include_tests/recursive_2.sd
+
+  /foo rw,
+  #include <includes/recursive.include>
+  /no/such/path r,

parser/tst/simple_tests/includes/recursive.preamble

@@ -0,0 +1,4 @@
+
+# helper for include_tests/recursive_3.sd
+
+#include <includes/recursive.preamble>

parser/tst/testlib.py

@@ -86,7 +86,7 @@ class AATestTemplate(unittest.TestCase, metaclass=AANoCleanupMetaClass):
         (rc, out, outerr) = self._run_cmd(command, input, stderr, stdout, stdin, timeout)
         report = out + outerr
 
-        return [rc, report]
+        return rc, report
 
     def _run_cmd(self, command, input=None, stderr=subprocess.PIPE, stdout=subprocess.PIPE,
                  stdin=None, timeout=120):
@@ -96,7 +96,7 @@ class AATestTemplate(unittest.TestCase, metaclass=AANoCleanupMetaClass):
             sp = subprocess.Popen(command, stdin=stdin, stdout=stdout, stderr=stderr,
                                   close_fds=True, preexec_fn=subprocess_setup, universal_newlines=True)
         except OSError as e:
-            return [127, str(e)]
+            return 127, str(e), ''
 
         timeout_communicate = TimeoutFunction(sp.communicate, timeout)
         out, outerr = (None, None)
@@ -115,7 +115,7 @@ class AATestTemplate(unittest.TestCase, metaclass=AANoCleanupMetaClass):
         if outerr is None:
             outerr = ''
 
-        return (rc, out, outerr)
+        return rc, out, outerr
 
 
 # Timeout handler using alarm() from John P. Speno's Pythonic Avocado
@@ -180,7 +180,7 @@ def read_features_dir(path):
     if not os.path.exists(path) or not os.path.isdir(path):
         return result
 
-    for name in os.listdir(path):
+    for name in sorted(os.listdir(path)):
         entry = os.path.join(path, name)
         result += '%s {' % name
         if os.path.isfile(entry):

parser/tst/valgrind_simple.py

@@ -13,12 +13,12 @@
 # TODO
 # - finish adding suppressions for valgrind false positives
 
-from argparse import ArgumentParser  # requires python 2.7 or newer
+from argparse import ArgumentParser
 import os
 import sys
-import tempfile
 import unittest
 import testlib
+from tempfile import NamedTemporaryFile
 
 DEFAULT_TESTDIR = "./simple_tests/vars"
 VALGRIND_ERROR_CODE = 151
@@ -42,8 +42,8 @@ class AAParserValgrindTests(testlib.AATestTemplate):
         self.maxDiff = None
 
     def _runtest(self, testname, config):
-        parser_args = ['-Q', '-I', config.testdir, '-M', './features_files/features.all']
-        failure_rc = [VALGRIND_ERROR_CODE, testlib.TIMEOUT_ERROR_CODE]
+        parser_args = ('-Q', '-I', config.testdir, '-M', './features_files/features.all')
+        failure_rc = (VALGRIND_ERROR_CODE, testlib.TIMEOUT_ERROR_CODE)
         command = [config.valgrind]
         command.extend(VALGRIND_ARGS)
         command.append(config.parser)
@@ -65,13 +65,10 @@ def find_testcases(testdir):
 
 def create_suppressions():
     '''generate valgrind suppressions file'''
+    with NamedTemporaryFile("w+", suffix='.suppressions', prefix='aa-parser-valgrind', delete=False) as temp_file:
+        temp_file.write(VALGRIND_SUPPRESSIONS)
+    return temp_file.name
 
-    handle, name = tempfile.mkstemp(suffix='.suppressions', prefix='aa-parser-valgrind')
-    os.close(handle)
-    handle = open(name,"w+")
-    handle.write(VALGRIND_SUPPRESSIONS)
-    handle.close()
-    return name
 
 def main():
     rc = 0

profiles/Makefile

@@ -41,13 +41,13 @@ ifdef USE_SYSTEM
     LOGPROF?=aa-logprof
 else
     # PYTHON_DIST_BUILD_PATH based on libapparmor/swig/python/test/Makefile.am
-    PYTHON_DIST_BUILD_PATH = ../libraries/libapparmor/swig/python/build/$$($(PYTHON) -c "import distutils.util; import platform; print(\"lib.%s-%s\" %(distutils.util.get_platform(), platform.python_version()[:3]))")
+    PYTHON_DIST_BUILD_PATH = ../libraries/libapparmor/swig/python/build/$$($(PYTHON) -c "import sysconfig; print(\"lib.%s-%s\" %(sysconfig.get_platform(), sysconfig.get_python_version()))")
     LIBAPPARMOR_PATH=../libraries/libapparmor/src/.libs/
     LD_LIBRARY_PATH=$(LIBAPPARMOR_PATH):$(PYTHON_DIST_BUILD_PATH)
     PYTHONPATH=../utils/:$(PYTHON_DIST_BUILD_PATH)
     PARSER?=../parser/apparmor_parser
     # use ../utils logprof
-    LOGPROF?=LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) PYTHONPATH=$(PYTHONPATH) $(PYTHON) ../utils/aa-logprof --configdir ../utils/test/
+    LOGPROF?=LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) PYTHONPATH=$(PYTHONPATH) $(PYTHON) ../utils/aa-logprof --configdir ../utils/
 endif
 
 # $(PWD) is wrong when using "make -C profiles" - explicitly set it here to get the right value

profiles/apparmor.d/abstractions/apache2-common

@@ -6,6 +6,10 @@
 
   include <abstractions/nameservice>
 
+  # Allow other processes to read our /proc entries
+  ptrace (readby),
+  # Allow other processes to trace us by default
+  ptrace (tracedby),
   # Allow unconfined processes to send us signals by default
   signal (receive) peer=unconfined,
   # Allow apache to send us signals by default

profiles/apparmor.d/abstractions/apparmor_api/is_enabled

@@ -15,5 +15,6 @@ abi <abi/3.0>,
 
 include <abstractions/apparmor_api/find_mountpoint>
 @{sys}/module/apparmor/parameters/enabled r,
+@{sys}/module/apparmor/parameters/available r,
 
 # TODO: add alternate apparmorfs interface for enabled

profiles/apparmor.d/abstractions/authentication

@@ -2,7 +2,7 @@
 #
 #    Copyright (C) 2002-2009 Novell/SUSE
 #    Copyright (C) 2009-2012 Canonical Ltd
-#    Copyright (C) 2019 Christian Boltz
+#    Copyright (C) 2019-2021 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -36,6 +36,8 @@
   # SuSE's pwdutils are different:
   @{etc_ro}/default/passwd         r,
   @{etc_ro}/login.defs             r,
+  @{etc_ro}/login.defs.d/          r,
+  @{etc_ro}/login.defs.d/*.defs    r,
 
   # nis
   include <abstractions/nis>

profiles/apparmor.d/abstractions/base

@@ -12,6 +12,7 @@
 
   abi <abi/3.0>,
 
+  include <abstractions/crypto>
 
   # (Note that the ldd profile has inlined this file; if you make
   # modifications here, please consider including them in the ldd
@@ -104,9 +105,6 @@
   # glibc's *printf protections read the maps file
   @{PROC}/@{pid}/{maps,auxv,status} r,
 
-  # libgcrypt reads some flags from /proc
-  @{PROC}/sys/crypto/*           r,
-
   # some applications will display license information
   /usr/share/common-licenses/**  r,
 

profiles/apparmor.d/abstractions/crypto

@@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2009 Novell/SUSE
+#    Copyright (C) 2009-2011 Canonical Ltd.
+#    Copyright (C) 2021 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  abi <abi/3.0>,
+
+  @{etc_ro}/gcrypt/random.conf r,
+  @{PROC}/sys/crypto/fips_enabled r,
+
+  # libgcrypt reads some flags from /proc
+  @{PROC}/sys/crypto/* r,
+
+  # crypto policies used by various libraries
+  /etc/crypto-policies/*/*.txt r,
+  /usr/share/crypto-policies/*/*.txt r,
+
+  include if exists <abstractions/crypto.d>

profiles/apparmor.d/abstractions/exo-open

@@ -51,13 +51,6 @@
 
   /{,usr/}bin/which rix,
 
-  # Deny DBus
-
-  # for GTK error message dialog, not required exo-open to work.
-  deny dbus send
-    bus=session
-    path=/org/gtk/vfs/mounttracker,
-
   # System files
 
   /etc/xdg/{,xdg-*/}xfce4/helpers.rc r,

profiles/apparmor.d/abstractions/gtk

@@ -0,0 +1,55 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  abi <abi/3.0>,
+
+  /usr/share/themes/{,**} r,
+
+  /usr/share/gtksourceview-[0-9]*/{,**} r,
+
+  /usr/share/gtk-2.0/ r,
+  /usr/share/gtk-2.0/gtkrc r,
+
+  /usr/share/gtk-{3,4}.0/ r,
+  /usr/share/gtk-{3,4}.0/settings.ini r,
+
+  /etc/gtk-2.0/ r,
+  /etc/gtk-2.0/gtkrc r,
+
+  /etc/gtk-{3,4}.0/ r,
+  /etc/gtk-{3,4}.0/*.conf r,
+
+  /etc/gtk/gtkrc r,
+
+  owner @{HOME}/.themes/{,**} r,
+  owner @{HOME}/.local/share/themes/{,**} r,
+
+  owner @{HOME}/.gtk r,
+  owner @{HOME}/.gtkrc r,
+  owner @{HOME}/.gtkrc-2.0 r,
+  owner @{HOME}/.gtk-bookmarks r,
+  owner @{HOME}/.config/gtkrc r,
+  owner @{HOME}/.config/gtkrc-2.0 r,
+  owner @{HOME}/.config/gtk-{3,4}.0/ rw,
+  owner @{HOME}/.config/gtk-{3,4}.0/settings.ini r,
+  owner @{HOME}/.config/gtk-{3,4}.0/bookmarks r,
+  owner @{HOME}/.config/gtk-{3,4}.0/gtk.css r,
+
+  # for gtk file dialog
+  owner @{HOME}/.config/gtk-2.0/ rw,
+  owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,
+
+  # .Xauthority file required for X connections
+  owner @{HOME}/.Xauthority r,
+
+  # Xsession errors file
+  owner @{HOME}/.xsession-errors w,
+
+  # Include additions to the abstraction
+  include if exists <abstractions/gtk.d>

profiles/apparmor.d/abstractions/ibus

@@ -16,5 +16,14 @@
   owner @{HOME}/.config/ibus/bus/ rw,
   owner @{HOME}/.config/ibus/bus/* rw,
 
+  # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{HOME}/.cache)
+  # This should use this, but due to LP: #1856738 we cannot
+  #unix (connect, receive, send)
+  #    type=stream
+  #    peer=(addr="@@{HOME}/.cache/ibus/dbus-*"),
+  unix (connect, receive, send)
+       type=stream
+       peer=(addr="@/home/*/.cache/ibus/dbus-*"),
+
   # Include additions to the abstraction
   include if exists <abstractions/ibus.d>

profiles/apparmor.d/abstractions/mesa

@@ -10,6 +10,8 @@
   # (src/intel/perf/gen_perf.c, load_oa_metrics())
   @{PROC}/sys/dev/i915/perf_stream_paranoid r,
 
+  @{sys}/devices/pci[0-9]*/**/{revision,config} r,
+
   # User files
   owner @{HOME}/.cache/ w, # if user clears all caches
   owner @{HOME}/.cache/mesa_shader_cache/ rw,

profiles/apparmor.d/abstractions/nss-systemd

@@ -24,6 +24,7 @@
   @{run}/systemd/userdb/io.systemd.DynamicUser rw,        # systemd-exec users
   @{run}/systemd/userdb/io.systemd.Home rw,               # systemd-home dirs
   @{run}/systemd/userdb/io.systemd.NameServiceSwitch rw,  # UNIX/glibc NSS
+  @{run}/systemd/userdb/io.systemd.Machine rw,            # systemd-machined
 
   @{PROC}/sys/kernel/random/boot_id r,
 

profiles/apparmor.d/abstractions/openssl

@@ -11,9 +11,9 @@
   abi <abi/3.0>,
 
   /etc/ssl/openssl.cnf r,
+  /etc/ssl/{engdef,engines}.d/ r,
+  /etc/ssl/{engdef,engines}.d/*.cnf r,
   /usr/share/ssl/openssl.cnf r,
-  @{PROC}/sys/crypto/fips_enabled r,
-
 
   # Include additions to the abstraction
   include if exists <abstractions/openssl.d>

profiles/apparmor.d/abstractions/php

@@ -13,26 +13,25 @@
   abi <abi/3.0>,
 
   # shared snippets for config files
-  /etc/php{,5,7}/**/ r,
-  /etc/php{,5,7}/**.ini r,
+  /etc/php{,5,7,8}/** r,
 
   # Xlibs
   /usr/X11R6/lib{,32,64}/lib*.so* mr,
   # php extensions
-  /usr/lib{64,}/php{,5,7}/*/*.so mr,
+  /usr/lib{64,}/php{,5,7,8}/*/*.so mr,
 
   # ICU (unicode support) data tables
   /usr/share/icu/*/*.dat r,
 
   # php session mmap socket
-  /var/lib/php{,5,7}/session_mm_* rwlk,
+  /var/lib/php{,5,7,8}/session_mm_* rwlk,
   # file based session handler
-  /var/lib/php{,5,7}/sess_* rwlk,
-  /var/lib/php{,5,7}/sessions/* rwlk,
+  /var/lib/php{,5,7,8}/sess_* rwlk,
+  /var/lib/php{,5,7,8}/sessions/* rwlk,
 
   # php libraries
-  /usr/share/php{,5,7}/ r,
-  /usr/share/php{,5,7}/** mr,
+  /usr/share/php{,5,7,8}/ r,
+  /usr/share/php{,5,7,8}/** mr,
 
   # MySQL extension
   /usr/share/mysql/** r,

profiles/apparmor.d/abstractions/python

@@ -12,18 +12,17 @@
 
   abi <abi/3.0>,
 
-  /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{pyc,so}           mr,
-  /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{egg,py,pth}       r,
-  /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/{site,dist}-packages/ r,
-  /usr/lib{,32,64}/python3.[0-9]/lib-dynload/*.so            mr,
-
-  /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{pyc,so}           mr,
-  /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{egg,py,pth}       r,
-  /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/ r,
-  /usr/local/lib{,32,64}/python3.[0-9]/lib-dynload/*.so            mr,
+  /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so,so.*[0-9]} mr,
+  /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth}       r,
+  /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/ r,
+  /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/**/ r,
+  /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/*.dist-info/{METADATA,namespace_packages.txt} r,
+  /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/*.VERSION r,
+  /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/*.egg-info/PKG-INFO r,
+  /usr/{local/,}lib{,32,64}/python3.{1,}[0-9]/lib-dynload/*.so            mr,
 
   # Site-wide configuration
-  /etc/python{2.[4-7],3.[0-9]}/** r,
+  /etc/python{2.[4-7],3.[0-9],3.1[0-9]}/** r,
 
   # shared python paths
   /usr/share/{pyshared,pycentral,python-support}/**      r,
@@ -36,7 +35,7 @@
   /usr/lib/wx/python/*.pth r,
 
   # python build configuration and headers
-  /usr/include/python{2.[4-7],3.[0-9]}*/pyconfig.h r,
+  /usr/include/python{2.[4-7],3.[0-9],3.1[0-9]}*/pyconfig.h r,
 
   # Include additions to the abstraction
   include if exists <abstractions/python.d>