Prepare for 4.1.0~beta5 release

- bump version

Signed-off-by: John Johansen <john.johansen@canonical.com>

.gitignore

@@ -1,4 +1,4 @@
-apparmor-*
+apparmor-
 cscope.*
 binutils/aa-enabled
 binutils/aa-enabled.1
@@ -6,15 +6,29 @@ binutils/aa-exec
 binutils/aa-exec.1
 binutils/aa-features-abi
 binutils/aa-features-abi.1
+binutils/aa-load
+binutils/aa-load.8
 binutils/aa-status
 binutils/aa-status.8
 binutils/cJSON.o
 binutils/po/*.mo
+changehat/mod_apparmor/.libs
+changehat/mod_apparmor/mod_apparmor.8
+changehat/mod_apparmor/mod_apparmor.8.html
+changehat/mod_apparmor/mod_apparmor.la
+changehat/mod_apparmor/mod_apparmor.lo
+changehat/mod_apparmor/mod_apparmor.slo
+changehat/mod_apparmor/mod_apparmor.so
+changehat/mod_apparmor/pod2htmd.tmp
+changehat/pam_apparmor/get_options.o
+changehat/pam_apparmor/pam_apparmor.o
+changehat/pam_apparmor/pam_apparmor.so
 parser/po/*.mo
 parser/af_names.h
 parser/cap_names.h
 parser/generated_cap_names.h
 parser/generated_af_names.h
+parser/errnos.h
 parser/tst_lib
 parser/tst_misc
 parser/tst_regex
@@ -26,38 +40,9 @@ parser/parser_version.h
 parser/parser_yacc.c
 parser/parser_yacc.h
 parser/pod2htm*.tmp
-parser/af_rule.o
-parser/af_unix.o
-parser/common_optarg.o
-parser/dbus.o
-parser/default_features.o
-parser/lib.o
-parser/libapparmor_re/aare_rules.o
-parser/libapparmor_re/chfa.o
-parser/libapparmor_re/expr-tree.o
-parser/libapparmor_re/hfa.o
+parser/libapparmor_re/*.o
 parser/libapparmor_re/libapparmor_re.a
-parser/libapparmor_re/parse.o
-parser/mount.o
-parser/network.o
-parser/parser_alias.o
-parser/parser_common.o
-parser/parser_include.o
-parser/parser_interface.o
-parser/parser_lex.o
-parser/parser_main.o
-parser/parser_merge.o
-parser/parser_misc.o
-parser/parser_policy.o
-parser/parser_regex.o
-parser/parser_symtab.o
-parser/parser_variable.o
-parser/parser_yacc.o
-parser/policy_cache.o
-parser/profile.o
-parser/ptrace.o
-parser/rule.o
-parser/signal.o
+parser/*.o
 parser/*.7
 parser/*.5
 parser/*.8
@@ -136,6 +121,18 @@ libraries/libapparmor/src/tst_aalogmisc
 libraries/libapparmor/src/tst_aalogmisc.log
 libraries/libapparmor/src/tst_aalogmisc.o
 libraries/libapparmor/src/tst_aalogmisc.trs
+libraries/libapparmor/src/tst_aalogparse_cpp
+libraries/libapparmor/src/tst_aalogparse_cpp.log
+libraries/libapparmor/src/tst_aalogparse_cpp.o
+libraries/libapparmor/src/tst_aalogparse_cpp.trs
+libraries/libapparmor/src/tst_aalogparse_reentrancy
+libraries/libapparmor/src/tst_aalogparse_reentrancy.log
+libraries/libapparmor/src/tst_aalogparse_reentrancy.o
+libraries/libapparmor/src/tst_aalogparse_reentrancy.trs
+libraries/libapparmor/src/tst_aalogparse_oldname
+libraries/libapparmor/src/tst_aalogparse_oldname.log
+libraries/libapparmor/src/tst_aalogparse_oldname.o
+libraries/libapparmor/src/tst_aalogparse_oldname.trs
 libraries/libapparmor/src/tst_features
 libraries/libapparmor/src/tst_features.log
 libraries/libapparmor/src/tst_features.o
@@ -196,7 +193,6 @@ libraries/libapparmor/testsuite/libaalogparse.test/Makefile
 libraries/libapparmor/testsuite/libaalogparse.test/Makefile.in
 libraries/libapparmor/testsuite/test_multi/out
 libraries/libapparmor/testsuite/test_multi_multi-test_multi.o
-changehat/mod_apparmor/.libs
 utils/*.8
 utils/*.8.html
 utils/*.5
@@ -207,6 +203,7 @@ utils/apparmor/*.pyc
 utils/apparmor/rule/*.pyc
 utils/apparmor.egg-info/
 utils/build/
+!utils/emacs/apparmor-mode.el
 utils/htmlcov/
 utils/test/common_test.pyc
 utils/test/.coverage
@@ -235,6 +232,7 @@ tests/regression/apparmor/chgrp
 tests/regression/apparmor/chmod
 tests/regression/apparmor/chown
 tests/regression/apparmor/clone
+tests/regression/apparmor/complain
 tests/regression/apparmor/dbus_eavesdrop
 tests/regression/apparmor/dbus_message
 tests/regression/apparmor/dbus_service
@@ -253,17 +251,23 @@ tests/regression/apparmor/fd_inheritance
 tests/regression/apparmor/fd_inheritor
 tests/regression/apparmor/fork
 tests/regression/apparmor/introspect
+tests/regression/apparmor/io_uring
 tests/regression/apparmor/link
 tests/regression/apparmor/link_subset
 tests/regression/apparmor/mkdir
 tests/regression/apparmor/mmap
 tests/regression/apparmor/mount
+tests/regression/apparmor/move_mount
 tests/regression/apparmor/named_pipe
+tests/regression/apparmor/net_inet_rcv
+tests/regression/apparmor/net_inet_snd
 tests/regression/apparmor/net_raw
 tests/regression/apparmor/open
 tests/regression/apparmor/openat
 tests/regression/apparmor/pipe
 tests/regression/apparmor/pivot_root
+tests/regression/apparmor/posix_mq_rcv
+tests/regression/apparmor/posix_mq_snd
 tests/regression/apparmor/ptrace
 tests/regression/apparmor/ptrace_helper
 tests/regression/apparmor/pwrite
@@ -287,6 +291,8 @@ tests/regression/apparmor/syscall_setpriority
 tests/regression/apparmor/syscall_setscheduler
 tests/regression/apparmor/syscall_sysctl
 tests/regression/apparmor/sysctl_proc
+tests/regression/apparmor/sysv_mq_rcv
+tests/regression/apparmor/sysv_mq_snd
 tests/regression/apparmor/tcp
 tests/regression/apparmor/transition
 tests/regression/apparmor/unix_fd_client
@@ -294,9 +300,23 @@ tests/regression/apparmor/unix_fd_server
 tests/regression/apparmor/unix_socket
 tests/regression/apparmor/unix_socket_client
 tests/regression/apparmor/unlink
+tests/regression/apparmor/userns
+tests/regression/apparmor/userns_setns
 tests/regression/apparmor/uservars.inc
 tests/regression/apparmor/xattrs
 tests/regression/apparmor/xattrs_profile
 tests/regression/apparmor/coredump
 **/__pycache__/
 *.orig
+
+# Patterns related to spread integration tests
+*.img
+*.iso
+*.lock
+*.log
+*.qcow2
+*.run
+.spread-reuse.yaml
+.spread-reuse.*.yaml
+spread-artifacts/
+spread-logs/

.gitlab-ci.yml

@@ -4,25 +4,41 @@ image: ubuntu:latest
 # XXX - add a deploy stage to publish man pages, docs, and coverage
 # reports
 
+workflow:
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+    - if: $CI_COMMIT_TAG
+    - if: $CI_COMMIT_BRANCH
+
 stages:
   - build
   - test
+  - spread
 
-.ubuntu-before_script:
+.ubuntu-common:
   before_script:
-    - export DEBIAN_FRONTEND=noninteractive
+    # Install build-dependencies by loading the package list from the ubuntu/debian cloud-init profile.
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_deps "Installing dependencies..."
     - apt-get update -qq
-    - apt-get install --no-install-recommends -y gcc perl liblocale-gettext-perl linux-libc-dev lsb-release make
+    - apt-get install --yes yq make lsb-release
+    - |
+      printf 'include .image-garden.mk\n$(info $(UBUNTU_CLOUD_INIT_USER_DATA_TEMPLATE))\n.PHONY: nothing\nnothing:\n' \
+      | make -f - nothing \
+      | yq '.packages | .[]' \
+      | xargs apt-get install --yes --no-install-recommends
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_deps
+  after_script:
+    # Inspect the kernel and lsb-release.
     - lsb_release -a
     - uname -a
 
-.install-c-build-deps: &install-c-build-deps
-  - apt-get install --no-install-recommends -y build-essential apache2-dev autoconf automake bison dejagnu flex libpam-dev libtool pkg-config python3-all-dev python3-setuptools ruby-dev swig zlib1g-dev
-
 build-all:
   stage: build
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
+  script:
+    # Run the spread prepare section to build everything.
+    - yq -r '.prepare' <spread.yaml | SPREAD_PATH=. bash -xeu
   artifacts:
     name: ${CI_COMMIT_REF_NAME}-${CI_COMMIT_SHA}
     expire_in: 30 days
@@ -35,39 +51,33 @@ build-all:
       - changehat/mod_apparmor/
       - changehat/pam_apparmor/
       - profiles/
-  script:
-    - *install-c-build-deps
-    - cd libraries/libapparmor && ./autogen.sh && ./configure --with-perl --with-python --prefix=/usr && make && cd ../.. || { cat config.log ; exit 1 ; }
-    - make -C parser
-    - make -C binutils
-    - make -C utils
-    - make -C changehat/mod_apparmor
-    - make -C changehat/pam_apparmor
-    - make -C profiles
 
 test-libapparmor:
   stage: test
   needs: ["build-all"]
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
-    - *install-c-build-deps
+    # This is to touch the built files in the test stage to avoid needless rebuilding
+    - make -C libraries/libapparmor --touch
     - make -C libraries/libapparmor check
 
 test-parser:
   stage: test
   needs: ["build-all"]
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
-    - *install-c-build-deps
+    # This is to touch the built files in the test stage to avoid needless rebuilding
+    - make -C parser --touch
+    - make -C parser -j $(nproc) tst_binaries
     - make -C parser check
 
 test-binutils:
   stage: test
   needs: ["build-all"]
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
     - make -C binutils check
 
@@ -75,9 +85,16 @@ test-utils:
   stage: test
   needs: ["build-all"]
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
-    - apt-get install --no-install-recommends -y libc6-dev libjs-jquery libjs-jquery-throttle-debounce libjs-jquery-isonscreen libjs-jquery-tablesorter pyflakes3 python3-coverage python3-notify2 python3-psutil python3-setuptools
+    # This is to touch the built files in the test stage to avoid needless rebuilding
+    - make -C utils --touch
+
+    # TODO: move those to cloud-init list?
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_extra_deps "Installing additional dependencies..."
+    - apt-get install --no-install-recommends -y libc6-dev libjs-jquery libjs-jquery-throttle-debounce libjs-jquery-isonscreen libjs-jquery-tablesorter flake8 python3-coverage python3-notify2 python3-psutil python3-setuptools python3-tk python3-ttkthemes python3-gi
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_extra_deps
+
     # See apparmor/apparmor#221
     - make -C parser/tst gen_dbus
     - make -C parser/tst gen_xtrans
@@ -92,30 +109,37 @@ test-mod-apparmor:
   stage: test
   needs: ["build-all"]
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
+    # This is to touch the built files in the test stage to avoid needless rebuilding
+    - make -C changehat/mod_apparmor --touch
     - make -C changehat/mod_apparmor check
 
 test-profiles:
   stage: test
   needs: ["build-all"]
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
+    # This is to touch the built files in the test stage to avoid needless rebuilding
+    - make -C profiles --touch
     - make -C profiles check-parser
     - make -C profiles check-abstractions.d
+    - make -C profiles check-local
 
 shellcheck:
   stage: test
   needs: []
   extends:
-    - .ubuntu-before_script
+    - .ubuntu-common
   script:
-  - apt-get install --no-install-recommends -y file shellcheck xmlstarlet
-  - shellcheck --version
-  - './tests/bin/shellcheck-tree --format=checkstyle
-       | xmlstarlet tr tests/checkstyle2junit.xslt
-       > shellcheck.xml'
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_extra_deps "Installing additional dependencies..."
+    - apt-get install --no-install-recommends -y python3-minimal file shellcheck xmlstarlet
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_extra_deps
+    - shellcheck --version
+    - "./tests/bin/shellcheck-tree --format=checkstyle
+      | xmlstarlet tr tests/checkstyle2junit.xslt
+      > shellcheck.xml"
   artifacts:
     when: always
     reports:
@@ -136,3 +160,147 @@ include:
 variables:
   SAST_EXCLUDED_ANALYZERS: "eslint,flawfinder,semgrep,spotbugs"
   SAST_BANDIT_EXCLUDED_PATHS: "*/tst/*, */test/*"
+
+coverity:
+  stage: .post
+  extends:
+    - .ubuntu-common
+  script:
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_extra_deps "Installing additional dependencies..."
+    - apt-get install --no-install-recommends -y curl git texlive-latex-recommended
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_extra_deps
+    - curl -o /tmp/cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64
+      --form project=$COVERITY_SCAN_PROJECT_NAME --form token=$COVERITY_SCAN_TOKEN
+    - tar xfz /tmp/cov-analysis-linux64.tgz
+    - COV_VERSION=$(ls -dt cov-analysis-linux64-* | head -1)
+    - PATH=$PATH:$(pwd)/$COV_VERSION/bin
+    - make coverity
+    - curl https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME
+      --form token=$COVERITY_SCAN_TOKEN --form email=$GITLAB_USER_EMAIL
+      --form file=@$(ls apparmor-*-cov-int.tar.gz) --form version="$(git describe --tags)"
+      --form description="$(git describe --tags) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID"
+  artifacts:
+    paths:
+      - "apparmor-*.tar.gz"
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PROJECT_PATH == "apparmor/apparmor"
+
+.image-garden-x86_64:
+  stage: spread
+  # TODO: use tagged release once container tagging is improved upstream.
+  image: registry.gitlab.com/zygoon/image-garden:latest
+  tags:
+    - linux
+    - x86_64
+    - kvm
+  variables:
+    ARCH: x86_64
+    GARDEN_DL_DIR: dl
+    CACHE_POLICY: pull-push
+    CACHE_COMPRESSION_LEVEL: fastest
+  before_script:
+    # Prepare the image in dry-run mode. This helps in debugging cache misses
+    # when files are not cached correctly by the runner, causing the build section
+    # below to always do hevy-duty work.
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" prepare_image_dry_run "Prepare image (dry run)"
+    - image-garden make --dry-run --debug "$GARDEN_SYSTEM.$ARCH.run" "$GARDEN_SYSTEM.$ARCH.qcow2" "$GARDEN_SYSTEM.seed.iso" "$GARDEN_SYSTEM.user-data" "$GARDEN_SYSTEM.meta-data"
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" prepare_image_dry_run
+  script:
+    # Prepare the image, for real.
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" prepare_image "Prepare image"
+    - image-garden make "$GARDEN_SYSTEM.$ARCH.run" "$GARDEN_SYSTEM.$ARCH.qcow2" "$GARDEN_SYSTEM.seed.iso" "$GARDEN_SYSTEM.user-data" "$GARDEN_SYSTEM.meta-data"
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" prepare_image
+  cache:
+    # Cache the base image (pre-customization).
+    - key: image-garden-base-${GARDEN_SYSTEM}.${ARCH}
+      policy: $CACHE_POLICY
+      when: always
+      paths:
+        - $GARDEN_DL_DIR
+        # Those are never mutated so they are safe to share.
+        - efi-code.*.img
+        - efi-vars.*.img
+    # Cache the customized system. This cache depends on .image-garden.mk file
+    # so that any customization updates are immediately acted upon.
+    - key:
+        prefix: image-garden-custom-${GARDEN_SYSTEM}.${ARCH}-
+        files:
+          - .image-garden.mk
+      policy: $CACHE_POLICY
+      when: always
+      paths:
+        - $GARDEN_SYSTEM.*
+        - $GARDEN_SYSTEM.seed.iso
+        - $GARDEN_SYSTEM.meta-data
+        - $GARDEN_SYSTEM.user-data
+
+# This job builds and caches the image that the job below looks at.
+image-ubuntu-cloud-24.04-x86_64:
+  extends: .image-garden-x86_64
+  variables:
+    GARDEN_SYSTEM: ubuntu-cloud-24.04
+  needs: []
+  dependencies: []
+  rules:
+    - if: $CI_COMMIT_TAG
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event" || $CI_COMMIT_BRANCH
+      changes:
+        paths:
+          - .image-garden.mk
+          - .gitlab-ci.yml
+        compare_to: "refs/heads/master"
+
+.spread-x86_64:
+  extends: .image-garden-x86_64
+  variables:
+    # GitLab project identifier of zygoon/spread-dist can be seen on
+    # https://gitlab.com/zygoon/spread-dist, under the three-dot menu on
+    # top-right.
+    SPREAD_GITLAB_PROJECT_ID: "65375371"
+    # Git revision of spread to install.
+    # This must have been built via spread-dist.
+    # TODO: switch to upstream 1.0 release when available.
+    SPREAD_REV: 413817eda7bec07a3885e0717c178b965f8924e1
+    # Run all the tasks for a given system.
+    SPREAD_ARGS: "garden:$GARDEN_SYSTEM:"
+    SPREAD_GOARCH: amd64
+  before_script:
+    # Prepare the image in dry-run mode. This helps in debugging cache misses
+    # when files are not cached correctly by the runner, causing the build section
+    # below to always do hevy-duty work.
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" prepare_image_dry_run "Prepare image (dry run)"
+    - image-garden make --dry-run --debug "$GARDEN_SYSTEM.$ARCH.run" "$GARDEN_SYSTEM.$ARCH.qcow2" "$GARDEN_SYSTEM.seed.iso" "$GARDEN_SYSTEM.user-data" "$GARDEN_SYSTEM.meta-data"
+    - stat .image-garden.mk "$GARDEN_SYSTEM".* || true
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" prepare_image_dry_run
+    # Install the selected revision of spread.
+    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_spread "Installing spread..."
+    # Install pre-built spread from https://gitlab.com/zygoon/spread-dist generic package repository.
+    - |
+      curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --location --output spread "${CI_API_V4_URL}/projects/${SPREAD_GITLAB_PROJECT_ID}/packages/generic/spread/${SPREAD_REV}/spread.${SPREAD_GOARCH}"
+    - chmod +x spread
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_spread
+  script:
+    - printf '\e[0K%s:%s:%s\r\e[0K%s\n' section_start "$(date +%s)" run_spread "Running spread for $GARDEN_SYSTEM..."
+    # TODO: transform to inject ^...$ to properly select jobs to run.
+    - mkdir -p spread-logs spread-artifacts
+    - ./spread -list $SPREAD_ARGS |
+      split --number=l/"${CI_NODE_INDEX:-1}"/"${CI_NODE_TOTAL:-1}" |
+      xargs --verbose ./spread -v -artifacts ./spread-artifacts -v | tee spread-logs/"$GARDEN_SYSTEM".log
+    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" run_spread
+  artifacts:
+    paths:
+      - spread-logs
+      - spread-artifacts
+    when: always
+
+spread-ubuntu-cloud-24.04-x86_64:
+  extends: .spread-x86_64
+  variables:
+    GARDEN_SYSTEM: ubuntu-cloud-24.04
+    SPREAD_ARGS: garden:$GARDEN_SYSTEM:tests/regression/ garden:$GARDEN_SYSTEM:tests/profiles/
+    CACHE_POLICY: pull
+  dependencies: []
+  needs:
+    - job: image-ubuntu-cloud-24.04-x86_64
+      optional: true
+  parallel: 4

.image-garden.mk

@@ -0,0 +1,110 @@
+# This file is read by image-garden when spread is allocating test machines.
+# All the package installation happens through cloud-init profiles defined
+# below.
+
+# This is the cloud-init user-data profile for all Debian systems. Note that it
+# is an extension of the default profile necessary for operation of
+# image-garden.
+define DEBIAN_CLOUD_INIT_USER_DATA_TEMPLATE
+$(CLOUD_INIT_USER_DATA_TEMPLATE)
+packages:
+- apache2-dev
+- attr
+- autoconf
+- autoconf-archive
+- automake
+- bison
+- build-essential
+- dejagnu
+- dosfstools
+- flake8
+- flex
+- fuse-overlayfs
+- gdb
+- gettext
+- libdbus-1-dev
+- libpam0g-dev
+- libtool
+- liburing-dev
+- pkg-config
+- python3-all-dev
+- python3-gi
+- python3-notify2
+- python3-psutil
+- python3-setuptools
+- python3-tk
+- python3-ttkthemes
+- swig
+- toybox
+endef
+
+# Ubuntu shares cloud-init profile with Debian.
+UBUNTU_CLOUD_INIT_USER_DATA_TEMPLATE=$(DEBIAN_CLOUD_INIT_USER_DATA_TEMPLATE)
+
+# This is the cloud-init user-data profile for openSUSE Tumbleweed.
+define OPENSUSE_tumbleweed_CLOUD_INIT_USER_DATA_TEMPLATE
+$(CLOUD_INIT_USER_DATA_TEMPLATE)
+- sed -i -e 's/security=selinux/security=apparmor/g' /etc/default/grub
+- update-bootloader
+packages:
+- apache2-devel
+- attr
+- autoconf
+- autoconf-archive
+- automake
+- bison
+- dbus-1-devel
+- dejagnu
+- dosfstools
+- flex
+- fuse-overlayfs
+- gcc
+- gcc-c++
+- gdb
+- gettext
+- gobject-introspection
+- libtool
+- liburing2-devel
+- make
+- pam-devel
+- pkg-config
+- python3-devel
+- python3-flake8
+- python3-notify2
+- python3-psutil
+- python3-setuptools
+- python3-setuptools
+- python3-tk
+- python311
+- python311-devel
+- swig
+endef
+
+define FEDORA_CLOUD_INIT_USER_DATA_TEMPLATE
+$(CLOUD_INIT_USER_DATA_TEMPLATE)
+packages:
+- attr
+- autoconf
+- autoconf-archive
+- automake
+- bison
+- dbus-devel
+- dejagnu
+- dosfstools
+- flex
+- gdb
+- gettext
+- httpd-devel
+- libstdc++-static
+- libtool
+- liburing-devel
+- pam-devel
+- perl
+- pkg-config
+- python3-devel
+- python3-flake8
+- python3-gobject-base
+- python3-notify2
+- python3-tkinter
+- swig
+endef

Makefile

@@ -59,7 +59,7 @@ coverity: snapshot
 		mv $(COVERITY_DIR)/build-log.txt $(COVERITY_DIR)/build-log-python-$(subst /,.,$(dir)).txt ;)
 	cov-build --dir $(COVERITY_DIR) -- sh -c \
 	"$(foreach dir, $(filter-out utils profiles tests, $(DIRS)), \
-		$(MAKE) -C $(SNAPSHOT_NAME)/$(dir);) "
+		$(MAKE) -j $$(nproc) -C $(SNAPSHOT_NAME)/$(dir);) "
 	tar -cvzf $(SNAPSHOT_NAME)-$(COVERITY_DIR).tar.gz $(COVERITY_DIR)
 
 .PHONY: export_dir

README.md

@@ -181,6 +181,9 @@ $ make check	# depends on the parser having been built first
 $ make install
 ```
 
+Note that the empty local/* profile sniplets no longer get created by default.
+If you want them, run `make local` before running `make check`.
+
 [Note that for the parser, binutils, and utils, if you only wish to build/use
  some of the locale languages, you can override the default by passing
  the LANGS arguments to make; e.g. make all install "LANGS=en_US fr".]
@@ -194,6 +197,33 @@ usage and how to update and add tests. Below is a quick overview of their
 location and how to run them.
 
 
+Using spread with local virtual machines
+----------------------------------------
+
+It may be convenient to use the spread tool to provision and run the test suite
+in an ephemeral virtual machine. This allows testing in isolation from the
+host, as well as testing across different commonly used distributions and their
+real kernels.
+
+```sh
+sudo apt install git golang whois ovmf genisoimage qemu-utils qemu-system
+go install github.com/snapcore/spread/cmd/spread@latest
+git clone https://gitlab.com/zygoon/image-garden
+make -C image-garden
+sudo make -C image-garden install
+image-garden make ubuntu-cloud-24.10.x86_64.run
+cd $APPARMOR_PATH
+git clean -xdf
+~/go/bin/spread -artifacts ./spread-artifacts -v ubuntu-cloud-24.10
+# or ~/go/bin/spread -v garden:ubuntu-cloud-24.04:tests/regression/apparmor:at_secure
+```
+
+Running the `run_spread.sh` script, with `spread` on `PATH` will run all the
+tests across several supported systems (Debian, Ubuntu and openSUSE).
+
+If you include a `bzImage` file in the root of the repository then that kernel
+will be used in the integration test. Please look at `spread.yaml` for details.
+
 Regression tests
 ----------------
 For details on structure and adding tests, see
@@ -351,6 +381,10 @@ The aa-notify tool's Python dependencies can be satisfied by installing the
 following packages (Debian package names, other distros may vary):
 * python3-notify2
 * python3-psutil
+* python3-sqlite (part of the python3.NN-stdlib package)
+* python3-tk
+* python3-ttkthemes
+* python3-gi
 
 Perl is no longer needed since none of the utilities shipped to end users depend
 on it anymore.

binutils/Makefile

@@ -21,7 +21,7 @@ DESTDIR=/
 BINDIR=${DESTDIR}/usr/bin
 SBINDIR=${DESTDIR}/usr/sbin
 LOCALEDIR=/usr/share/locale
-MANPAGES=aa-enabled.1 aa-exec.1 aa-features-abi.1 aa-status.8
+MANPAGES=aa-enabled.1 aa-exec.1 aa-features-abi.1 aa-load.8 aa-status.8
 
 WARNINGS = -Wall
 CPP_WARNINGS =
@@ -48,10 +48,10 @@ endif
 # Internationalization support. Define a package and a LOCALEDIR
 EXTRA_CFLAGS+=-DPACKAGE=\"${NAME}\" -DLOCALEDIR=\"${LOCALEDIR}\"
 
-SRCS = aa_enabled.c
+SRCS = aa_enabled.c aa_load.c
 HDRS =
 BINTOOLS = aa-enabled aa-exec aa-features-abi
-SBINTOOLS = aa-status
+SBINTOOLS = aa-status aa-load
 
 AALIB = -Wl,-Bstatic -lapparmor  -Wl,-Bdynamic -lpthread
 
@@ -126,6 +126,9 @@ endif
 aa-features-abi: aa_features_abi.c $(LIBAPPARMOR_A)
 	$(CC) $(LDFLAGS) $(EXTRA_CFLAGS) -o $@ $< $(LIBS) $(AALIB)
 
+aa-load: aa_load.c $(LIBAPPARMOR_A)
+	$(CC) $(LDFLAGS) $(EXTRA_CFLAGS) -o $@ $< $(LIBS) $(AALIB)
+
 aa-enabled: aa_enabled.c $(LIBAPPARMOR_A)
 	$(CC) $(LDFLAGS) $(EXTRA_CFLAGS) -o $@ $< $(LIBS) $(AALIB) 
 

binutils/aa-load.pod

@@ -0,0 +1,77 @@
+# This publication is intellectual property of Canonical Ltd. Its contents
+# can be duplicated, either in part or in whole, provided that a copyright
+# label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither Canonical Ltd, the authors, nor the translators shall be held
+# liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. Canonical Ltd
+# essentially adheres to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+
+=pod
+
+=head1 NAME
+
+aa-load - load precompiled AppArmor policy from cache location(s)
+
+=head1 SYNOPSIS
+
+B<aa-load> [options] (cache file|cache dir|cache base dir)+
+
+=head1 DESCRIPTION
+
+B<aa-load> loads precompiled AppArmor policy from the specified locations.
+
+=head1 OPTIONS
+
+B<aa-load> accepts the following arguments:
+
+=over 4
+
+=item -f, --force
+
+Force B<aa-load> to load a policy even if its abi does not match the kernel abi.
+
+=item -d, --debug
+
+Display debug messages.
+
+=item -v, --verbose
+
+Display progress and error messages.
+
+=item -n, --dry-run
+
+Do not actually load the specified policy/policies into the kernel.
+
+=item -h, --help
+
+Display a brief usage guide.
+
+=back
+
+=head1 EXIT STATUS
+
+Upon exiting, B<aa-load> returns 0 upon success and 1 upon an error loading
+the precompiled policy.
+
+=head1 BUGS
+
+If you find any bugs, please report them at
+L<https://gitlab.com/apparmor/apparmor/-/issues>.
+
+=head1 SEE ALSO
+
+apparmor(7), apparmor.d(5), apparmor_parser(8), and L<https://wiki.apparmor.net>.
+
+=cut

binutils/aa-status.pod

@@ -72,11 +72,18 @@ displays the number of loaded non-enforcing AppArmor policies.
 
 =item --kill
 
-displays the number of loaded enforcing AppArmor policies that will kill tasks on policy violations.
+displays the number of loaded enforcing AppArmor policies that will
+kill tasks on policy violations.
+
+=item --prompt
+
+displays the number of loaded enforcing AppArmor policies, with
+fallback to userspace mediation.
 
 =item --special-unconfined
 
-displays the number of loaded non-enforcing AppArmor policies that are in the special unconfined mode.
+displays the number of loaded non-enforcing AppArmor policies that are
+in the special unconfined mode.
 
 =item --process-mixed
 displays the number of processes confined by profile stacks with
@@ -97,6 +104,40 @@ set in a JSON format, fit for machine consumption.
 same as --json, formatted to be readable by humans as well
 as by machines.
 
+=item --show
+
+what data sets to show information about. Currently I<processes>,
+I<profiles>, I<all> for both processes and profiles. The default is
+I<all>.
+
+=item --count
+
+display only counts for selected information.
+
+=item --filter.mode=filter
+
+Allows specifying a posix regular expression filter that will be
+applied against the displayed processess and profiles apparmor profile
+mode, reducing the output.
+
+=item --filter.profiles=filter
+
+Allows specifying a posix regular expression filter that will be
+applied against the displayed processess and profiles confining
+profile, reducing the output.
+
+=item --filter.pid=filter
+
+Allows specifying a posix regular expression filter that will be
+applied against the displayed processes, so that only processes pids
+matching the expression will be displayed.
+
+=item --filter.exe=filter
+
+Allows specifying a posix regular expression filter that will be
+applied against the displayed processes, so that only processes
+executable name matching the expression will be displayed.
+
 =item --help
 
 displays a short usage statement.
@@ -124,7 +165,8 @@ if apparmor is enabled but no policy is loaded.
 
 =item B<3>
 
-if the apparmor control files aren't available under /sys/kernel/security/.
+if the apparmor control files aren't available under
+/sys/kernel/security/.
 
 =item B<4>
 
@@ -140,8 +182,9 @@ if an internal error occurred.
 =head1 BUGS
 
 B<aa-status> must be run as root to read the state of the loaded
-policy from the apparmor module. It uses the /proc filesystem to determine
-which processes are confined and so is susceptible to race conditions.
+policy from the apparmor module. It uses the /proc filesystem to
+determine which processes are confined and so is susceptible to race
+conditions.
 
 If you find any additional bugs, please report them at
 L<https://gitlab.com/apparmor/apparmor/-/issues>.

binutils/aa_load.c

@@ -0,0 +1,408 @@
+/*
+ *   Copyright (C) 2020 Canonical Ltd.
+ *
+ *   This program is free software; you can redistribute it and/or
+ *   modify it under the terms of version 2 of the GNU General Public
+ *   License published by the Free Software Foundation.
+ */
+
+#define _GNU_SOURCE /* for asprintf() */
+#include <stdio.h>
+#include <errno.h>
+#include <getopt.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <fcntl.h>
+#include <string.h>
+#include <dirent.h>
+
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <sys/apparmor.h>
+
+#include <libintl.h>
+#define _(s) gettext(s)
+
+/* TODO: implement config locations - value can change */
+#define DEFAULT_CONFIG_LOCATIONS "/etc/apparmor/parser.conf"
+#define DEFAULT_POLICY_LOCATIONS "/var/cache/apparmor:/etc/apparmor.d/cache.d:/etc/apparmor.d/cache"
+#define CACHE_FEATURES_FILE ".features"
+
+bool opt_debug = false;
+bool opt_verbose = false;
+bool opt_dryrun = false;
+bool opt_force = false;
+bool opt_config = false;
+
+#define warning(fmt, args...) _error(_("aa-load: WARN: " fmt "\n"), ## args)
+#define error(fmt, args...) _error(_("aa-load: ERROR: " fmt "\n"), ## args)
+static void _error(const char *fmt, ...)
+{
+	va_list args;
+
+	va_start(args, fmt);
+	vfprintf(stderr, fmt, args);
+	va_end(args);
+}
+
+#define verbose(fmt, args...) _debug(opt_verbose, _(fmt "\n"), ## args)
+#define debug(fmt, args...) _debug(opt_debug, _("aa-load: DEBUG: " fmt "\n"), ## args)
+static void _debug(bool opt_displayit, const char *fmt, ...)
+{
+	va_list args;
+
+	if (!opt_displayit)
+		return;
+
+	va_start(args, fmt);
+	vfprintf(stderr, fmt, args);
+	va_end(args);
+}
+
+static int have_enough_privilege(const char *command)
+{
+	uid_t uid, euid;
+
+	uid = getuid();
+	euid = geteuid();
+
+	if (uid != 0 && euid != 0) {
+		error("%s: Sorry. You need root privileges to run this program.\n",
+		      command);
+		return EPERM;
+	}
+
+	if (uid != 0 && euid == 0) {
+		error("%s: Aborting! You've set this program setuid root.\n"
+		      "Anybody who can run this program can update "
+		      "your AppArmor profiles.\n", command);
+		exit(EXIT_FAILURE);
+	}
+
+	return 0;
+}
+
+
+static int load_config(const char *file)
+{
+	/* TODO */
+	return ENOENT;
+}
+
+/**
+ * load a single policy cache file to the kernel
+ */
+static int load_policy_file(const char *file)
+{
+	int rc = 0;
+
+	struct aa_kernel_interface *kernel_interface;
+
+	if (aa_kernel_interface_new(&kernel_interface, NULL, NULL)) {
+		rc = -errno;
+		error("Failed to open kernel interface '%s': %m", file);
+		return rc;
+	}
+	if (!opt_dryrun &&
+	    aa_kernel_interface_replace_policy_from_file(kernel_interface,
+							 AT_FDCWD, file)) {
+		rc = -errno;
+		error("Failed to load policy into kernel '%s': %m", file);
+	}
+	aa_kernel_interface_unref(kernel_interface);
+
+	return rc;
+}
+
+static void validate_features(const char *dir_path)
+{
+	aa_features *kernel_features;
+
+	if (aa_features_new_from_kernel(&kernel_features) == -1) {
+		error("Failed to obtain features: %m");
+		return;
+	}
+
+	if (aa_features_check(AT_FDCWD, dir_path, kernel_features) == -1) {
+		if (errno == ENOENT) {
+			/* features file does not exist
+			 * not an issue when loading cache policies from dir
+			 */
+		}
+		else if (errno == EEXIST) {
+			warning("Overlay features do not match kernel features");
+		}
+	}
+	aa_features_unref(kernel_features);
+}
+
+/**
+ * load a directory of policy cache files to the kernel
+ * This does not do a subdir search to find the kernel match but
+ * tries to load the dir regardless of whether its features match
+ *
+ * The hierarchy looks like
+ *
+ * dir/
+ *     .features
+ *     profile1
+ *     ...
+ */
+
+static int load_policy_dir(const char *dir_path)
+{
+	DIR *d;
+	struct dirent *dir;
+	int rc = 0;
+	char *file;
+	size_t len;
+
+	validate_features(dir_path);
+
+	d = opendir(dir_path);
+	if (!d) {
+		rc = -errno;
+		error("Failed to open directory '%s': %m", dir_path);
+		return rc;
+	}
+
+	while ((dir = readdir(d)) != NULL) {
+		/* Only check regular files for now */
+		if (dir->d_type == DT_REG) {
+			/* As per POSIX dir->d_name has at most NAME_MAX characters */
+			len = strnlen(dir->d_name, NAME_MAX);
+			/* Ignores .features */
+			if (strncmp(dir->d_name, CACHE_FEATURES_FILE, len) == 0) {
+				continue;
+			}
+			if (asprintf(&file, "%s/%s", dir_path, dir->d_name) == -1) {
+				error("Failure allocating memory");
+				closedir(d);
+				return -1;
+			}
+			load_policy_file(file);
+			free(file);
+			file = NULL;
+		}
+	}
+	closedir(d);
+	return 0;
+}
+
+
+/**
+ * load_hashed_policy - find policy hashed dir and load it
+ *
+ * load/replace all policy from a policy hierarchy directory
+ *
+ * Returns: 0 on success < -errno
+ *
+ * It will find the subdir that matches the kernel and load all
+ * precompiled policy files from it.
+ *
+ * The hierarchy looks something like
+ *
+ * location/
+ *          kernel_hash1.0/
+ *                         .features
+ *                         profile1
+ *                         ...
+ *          kernel_hash2.0/
+ *                        .features
+ *                        profile1
+ *                        ...
+ */
+static int load_policy_by_hash(const char *location)
+{
+	aa_policy_cache *policy_cache = NULL;
+	int rc;
+
+	if ((rc = aa_policy_cache_new(&policy_cache, NULL, AT_FDCWD, location, 0))) {
+		rc = -errno;
+		error("Failed to open policy cache '%s': %m", location);
+		return rc;
+	}
+
+	if (opt_debug) {
+		/* show hash directory under location that matches the
+		 * current kernel
+		 */
+		char *cache_loc = aa_policy_cache_dir_path_preview(NULL, AT_FDCWD, location);
+		if (!cache_loc) {
+			rc = -errno;
+			error("Failed to find cache location '%s': %m", location);
+			goto out;
+		}
+		debug("Loading cache from '%s'\n", cache_loc);
+		free(cache_loc);
+	}
+
+	if (!opt_dryrun) {
+		if ((rc = aa_policy_cache_replace_all(policy_cache, NULL)) < 0) {
+			error("Failed to load policy cache '%s': %m", location);
+		} else {
+			verbose("Success - Loaded policy cache '%s'", location);
+		}
+	}
+
+out:
+	aa_policy_cache_unref(policy_cache);
+
+	return rc;
+}
+
+/**
+ * load_arg - calls specific load functions for files and directories
+ *
+ * load/replace all policy files/dir in arg
+ *
+ * Returns: 0 on success, 1 on failure.
+ *
+ * It will load by hash subtree first, and fallback to a cache dir
+ * If not a directory, it will try to load it as a cache file
+ */
+static int load_arg(char *arg)
+{
+	char **location = NULL;
+	int i, n, rc = 0;
+
+
+	/* arg can specify an overlay of multiple cache locations */
+	if ((n = aa_split_overlay_str(arg, &location, 0, true)) == -1) {
+		error("Failed to parse overlay locations: %m");
+		return 1;
+	}
+
+	for (i = 0; i < n; i++) {
+		struct stat st;
+		debug("Trying to open %s", location[i]);
+		if (stat(location[i], &st) == -1) {
+			error("Failed stat of '%s': %m", location[i]);
+			rc = 1;
+			continue;
+		}
+		if (S_ISDIR(st.st_mode)) {
+			/* try hash dir subtree first */
+			if (load_policy_by_hash(location[i]) < 0) {
+				error("Failed load policy by hash '%s': %m", location[i]);
+				rc = 1;
+			}
+			/* fall back to cache dir */
+			if (load_policy_dir(location[i]) < 0) {
+				error("Failed load policy by directory '%s': %m", location[i]);
+				rc = 1;
+			}
+
+		} else if (load_policy_file(location[i]) < 0) {
+			rc = 1;
+		}
+	}
+
+	for (i = 0; i < n; i++)
+		free(location[i]);
+	free(location);
+	return rc;
+}
+
+static void print_usage(const char *command)
+{
+	printf("Usage: %s [OPTIONS] (cache file|cache dir|cache base dir)+\n"
+	       "Load precompiled AppArmor policy from cache location(s)\n\n"
+	       "Options:\n"
+	       "  -f, --force     load policy even if abi does not match the kernel\n"
+	       "  -d, --debug     display debug messages\n"
+	       "  -v, --verbose   display progress and error messages\n"
+	       "  -n, --dry-run   do everything except actual load\n"
+	       "  -h, --help      this message\n",
+	       command);
+}
+
+static const char *short_options = "c:dfvnh";
+struct option long_options[] = {
+	{"config",	1, 0, 'c'},
+	{"debug",	0, 0, 'd'},
+	{"force",	0, 0, 'f'},
+	{"verbose",	0, 0, 'v'},
+	{"dry-run",	0, 0, 'n'},
+	{"help",	0, 0, 'h'},
+	{NULL, 0, 0, 0},
+};
+
+static int process_args(int argc, char **argv)
+{
+	int c, o;
+
+	opterr = 1;
+	while ((c = getopt_long(argc, argv, short_options, long_options, &o)) != -1) {
+		switch(c) {
+		case 0:
+			error("error in argument processing\n");
+			exit(1);
+			break;
+		case 'd':
+			opt_debug = true;
+			break;
+		case 'f':
+			opt_force = true;
+			break;
+		case 'v':
+			opt_verbose = true;
+			break;
+		case 'n':
+			opt_dryrun = true;
+			break;
+		case 'h':
+			print_usage(argv[0]);
+			exit(0);
+			break;
+		case 'c':
+			/* TODO: reserved config location,
+			 *  act as a bad arg for now, when added update usage
+			 */
+			//opt_config = true; uncomment when implemented
+			/* Fall through */
+		default:
+			error("unknown argument: '%s'\n\n", optarg);
+			print_usage(argv[1]);
+			exit(1);
+			break;
+		}
+	}
+
+	return optind;
+}
+
+int main(int argc, char **argv)
+{
+	int i, rc = 0;
+
+	optind = process_args(argc, argv);
+
+	if (!opt_dryrun && have_enough_privilege(argv[0]))
+		return 1;
+
+	/* if no location use the default one */
+	if (optind == argc) {
+		if (!opt_config && load_config(DEFAULT_CONFIG_LOCATIONS) == 0) {
+			verbose("Loaded policy config");
+		}
+		if ((rc = load_arg(DEFAULT_POLICY_LOCATIONS)))
+			verbose("Loading policy from default location '%s'", DEFAULT_POLICY_LOCATIONS);
+		else
+			debug("No policy specified, and no policy config or policy in default locations");
+	}
+	for (i = optind; i < argc; i++) {
+		/* Try to load all policy locations even if one fails
+		 * but always return an error if any fail
+		 */
+
+		int tmp = load_arg(argv[i]);
+		if (!rc)
+			rc = tmp;
+	}
+
+	return rc;
+}

binutils/po/aa_load.pot

@@ -0,0 +1,34 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR Canonical Ltd
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
+"POT-Creation-Date: 2025-02-18 07:37-0800\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: ../aa_load.c:40
+msgid "aa-load: WARN: "
+msgstr ""
+
+#: ../aa_load.c:41
+msgid "aa-load: ERROR: "
+msgstr ""
+
+#: ../aa_load.c:51
+msgid "\n"
+msgstr ""
+
+#: ../aa_load.c:52
+msgid "aa-load: DEBUG: "
+msgstr ""

changehat/pam_apparmor/README

@@ -67,10 +67,10 @@ to syslog.
 References
 ----------
 Project webpage:
-http://developer.novell.com/wiki/index.php/Novell_AppArmor
+https://apparmor.net/
 
 To provide feedback or ask questions please contact the
-apparmor-dev@forge.novell.com mail list. This is the development list
+apparmor@lists.ubuntu.com mail list. This is the development list
 for the AppArmor team.
 
 See also: change_hat(3), and the Linux-PAM online documentation at

changehat/tomcat_apparmor/tomcat_5_0/README.tomcat_apparmor

@@ -188,10 +188,9 @@ parent context.
 8. Feedback/Resources
    -----------------
 
-To provide feedback or ask questions please contact the 
-apparmor-dev@forge.novell.com mail list. This is the development list for the 
-AppArmor team.
-
-
-
+Project webpage:
+https://apparmor.net/
 
+To provide feedback or ask questions please contact the
+apparmor@lists.ubuntu.com mail list. This is the development list
+for the AppArmor team.

changehat/tomcat_apparmor/tomcat_5_5/README.tomcat_apparmor

@@ -188,10 +188,9 @@ parent context.
 8. Feedback/Resources
    -----------------
 
-To provide feedback or ask questions please contact the 
-apparmor-dev@forge.novell.com mail list. This is the development list for the 
-AppArmor team.
-
-
-
+Project webpage:
+https://apparmor.net/
 
+To provide feedback or ask questions please contact the
+apparmor@lists.ubuntu.com mail list. This is the development list
+for the AppArmor team.

common/Make.rules

@@ -35,13 +35,11 @@ VERSION=$(shell cat $(COMMONDIR)/Version)
 pathsearch = $(firstword $(wildcard $(addsuffix /$(1),$(subst :, ,$(PATH)))))
 map = $(foreach a,$(2),$(call $(1),$(a)))
 
-AWK:=$(shell which awk)
-ifndef AWK
-$(error awk utility required for build but not available)
-endif
+AWK?=$(or $(shell command -v awk),$(error awk utility required for build but not available))
 
 define nl
 
+
 endef
 
 REPO_VERSION_CMD=[ -x /usr/bin/git ] && /usr/bin/git describe --tags --long --abbrev=16 --match 'v*' 2> /dev/null || awk '{ print $2 }' common/.stamp_rev

common/Version

@@ -1 +1 @@
-3.1.0
+4.1.0~beta5

libraries/libapparmor/configure.ac

@@ -92,6 +92,17 @@ if test "$ac_cv_prog_cc_c99" = "no"; then
   AC_MSG_ERROR([C99 mode is required to build libapparmor])
 fi
 
+AC_PROG_CXX
+
+m4_ifndef([AX_CHECK_COMPILE_FLAG], [AC_MSG_ERROR(['autoconf-archive' missing])])
+EXTRA_CFLAGS="-Wall $EXTRA_WARNINGS -fPIC"
+AX_CHECK_COMPILE_FLAG([-flto-partition=none], , , [-Werror])
+AS_VAR_IF([ax_cv_check_cflags__Werror__flto_partition_none], [yes],
+	[EXTRA_CFLAGS="$EXTRA_CFLAGS -flto-partition=none"]
+	,)
+AC_SUBST([AM_CFLAGS], ["$EXTRA_CFLAGS"])
+AC_SUBST([AM_CXXFLAGS], ["$EXTRA_CFLAGS"])
+
 AC_OUTPUT(
 Makefile
 doc/Makefile

libraries/libapparmor/doc/aa_getcon.pod

@@ -116,6 +116,14 @@ The specified I<file/task> does not exist or is not visible.
 
 The confinement data is too large to fit in the supplied buffer.
 
+=item B<ENOPROTOOPT>
+
+The kernel doesn't support the SO_PEERLABEL option in sockets. This happens
+mainly when the kernel lacks 'fine grained unix mediation' support. It also
+can happen on LSM stacking kernels where another LSM has claimed this
+interface and decides to return this error, although this is really a
+corner case.
+
 =back
 
 =head1 NOTES

libraries/libapparmor/doc/aa_stack_profile.pod

@@ -109,12 +109,12 @@ To immediately stack a profile named "profile_a", as performed with
 aa_stack_profile("profile_a"), the equivalent of this shell command can be
 used:
 
- $ echo -n "stackprofile profile_a" > /proc/self/attr/current
+ $ echo -n "stack profile_a" > /proc/self/attr/current
 
 To stack a profile named "profile_a" at the next exec, as performed with
 aa_stack_onexec("profile_a"), the equivalent of this shell command can be used:
 
- $ echo -n "stackexec profile_a" > /proc/self/attr/exec
+ $ echo -n "stack profile_a" > /proc/self/attr/exec
 
 These raw AppArmor filesystem operations must only be used when using
 libapparmor is not a viable option.
@@ -184,6 +184,7 @@ with apparmor_parser(8):
      /etc/passwd               r,
 
      # Needed for aa_stack_profile()
+     change-profile -> &i_cant_be_trusted_anymore,
      /usr/lib/libapparmor*.so* mr,
      /proc/[0-9]*/attr/current w,
  }

libraries/libapparmor/include/aalogparse.h

@@ -19,6 +19,10 @@
 #ifndef __LIBAALOGPARSE_H_
 #define __LIBAALOGPARSE_H_
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 #define AA_RECORD_EXEC_MMAP	1
 #define AA_RECORD_READ		2
 #define AA_RECORD_WRITE		4
@@ -26,10 +30,10 @@
 #define AA_RECORD_LINK		16
 
 /**
- * This is just for convenience now that we have two 
- * wildly different grammars.
+ * Enum representing which syntax version the log entry used.
+ * Support for V1 parsing was completely removed in 2011 and that enum entry
+ * is only still there for API compatibility reasons.
  */
-
 typedef enum
 {
 	AA_RECORD_SYNTAX_V1,
@@ -48,70 +52,23 @@ typedef enum
 	AA_RECORD_STATUS	/* Configuration change */
 } aa_record_event_type;
 
-/**
- * With the sole exception of active_hat, this is a 1:1
- * mapping from the keys that the new syntax uses.
+/*
+ * Use this preprocessor dance to maintain backcompat for field names
+ * This will break C code that used the C++ reserved keywords "namespace"
+ * and "class" as identifiers, but this is bad practice anyways, and we
+ * hope that we are the only ones in a given C file that messed up this way
  *
- * Some examples of the old syntax and how they're mapped with the aa_log_record struct:
- *
- * "PERMITTING r access to /path (program_name(12345) profile /profile active hat)"
- * - operation: access
- * - requested_mask: r
- * - pid: 12345
- * - profile: /profile
- * - name: /path
- * - info: program_name
- * - active_hat: hat
- *
- * "REJECTING mkdir on /path/to/something (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out"
- * - operation: mkdir
- * - name: /path/to/something
- * - info: bash
- * - pid: 23415
- * - profile: /bin/freak-aa-out 
- * - active_hat: /bin/freak-aa-out 
- * 
- * "REJECTING xattr set on /path/to/something (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
- * - operation: xattr
- * - attribute: set
- * - name: /path/to/something
- * - info: bash
- * - pid: 23415
- * - profile: /bin/freak-aa-out
- * - active_hat: /bin/freak-aa-out
- *
- * "PERMITTING attribute (something) change to /else (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
- * - operation: setattr
- * - attribute: something
- * - name: /else
- * - info: bash
- * - pid: 23415
- * - profile: /bin/freak-aa-out
- * - active_hat: /bin/freak-aa-out
- * 
- * "PERMITTING access to capability 'cap' (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
- * - operation: capability
- * - name: cap
- * - info: bash
- * - pid: 23415
- * - profile: /bin/freak-aa-out
- * - active_hat: /bin/freak-aa-out
- * 
- * "LOGPROF-HINT unknown_hat TESTHAT pid=27764 profile=/change_hat_test/test_hat active=/change_hat_test/test_hat"
- * - operation: change_hat
- * - name: TESTHAT
- * - info: unknown_hat
- * - pid: 27764
- * - profile: /change_hat_test/test_hat
- * - active_hat: /change_hat_test/test_hat
- *
- * "LOGPROF-HINT fork pid=27764 child=38229"
- * - operation: clone
- * - task: 38229
- * - pid: 27764
- **/
+ * TODO: document this in a man page for aalogparse?
+ */
+#if defined(SWIG) && defined(__cplusplus)
+#error "SWIG and __cplusplus are defined together"
+#elif !defined(SWIG) && !defined(__cplusplus)
+/* Use SWIG's %rename feature to preserve backcompat */
+#define class rule_class
+#define namespace aa_namespace
+#endif
 
-typedef struct
+typedef struct aa_log_record
 {
 	aa_record_syntax_version version;
 	aa_record_event_type event;	/* Event type */
@@ -134,7 +91,7 @@ typedef struct
 	char *comm;			/* Command that triggered msg */
 	char *name;
 	char *name2;
-	char *namespace;
+	char *aa_namespace;
 	char *attribute;
 	unsigned long parent;	
 	char *info;
@@ -148,6 +105,7 @@ typedef struct
 	unsigned long net_local_port;
 	char *net_foreign_addr;
 	unsigned long net_foreign_port;
+
 	char *dbus_bus;
 	char *dbus_path;
 	char *dbus_interface;
@@ -159,6 +117,12 @@ typedef struct
 	char *fs_type;
 	char *flags;
 	char *src_name;
+
+	char *rule_class;
+
+	char *net_addr;
+	char *peer_addr;
+	char *execpath;
 } aa_log_record;
 
 /**
@@ -169,7 +133,7 @@ typedef struct
  * @return Parsed data.
  */
 aa_log_record *
-parse_record(char *str);
+parse_record(const char *str);
 
 /**
  * Frees all struct data.
@@ -178,5 +142,9 @@ parse_record(char *str);
 void
 free_record(aa_log_record *record);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif
 

libraries/libapparmor/include/sys/apparmor.h

@@ -105,8 +105,8 @@ extern int aa_getpeercon(int fd, char **label, char **mode);
 #define AA_QUERY_CMD_LABEL		"label"
 #define AA_QUERY_CMD_LABEL_SIZE		sizeof(AA_QUERY_CMD_LABEL)
 
-extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
-			  int *audit);
+extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
+			  int *audited);
 extern int aa_query_file_path_len(uint32_t mask, const char *label,
 				  size_t label_len, const char *path,
 				  size_t path_len, int *allowed, int *audited);
@@ -157,6 +157,8 @@ extern int aa_features_write_to_file(aa_features *features,
 				     int dirfd, const char *path);
 extern bool aa_features_is_equal(aa_features *features1,
 				 aa_features *features2);
+extern int aa_features_check(int dirfd, const char *path,
+			     aa_features *features);
 extern bool aa_features_supports(aa_features *features, const char *str);
 extern char *aa_features_id(aa_features *features);
 extern char *aa_features_value(aa_features *features, const char *str, size_t *len);
@@ -209,6 +211,8 @@ extern char *aa_policy_cache_filename(aa_policy_cache *policy_cache, const char
 extern char *aa_policy_cache_dir_path_preview(aa_features *kernel_features,
 					      int dirfd, const char *path);
 
+extern int aa_split_overlay_str(char *str, char ***vec, size_t max_size, bool immutable);
+
 #ifdef __cplusplus
 }
 #endif

libraries/libapparmor/src/Makefile.am

@@ -16,7 +16,8 @@ INCLUDES = $(all_includes)
 #        problems in the unlikely event where an interface has to break.
 #    - set AA_LIB_REVISION to 0.
 # 4. If any interfaces have been added since the last public release, then
-#    - increment AA_LIB_AGE.
+#    - increment AA_LIB_AGE by the same amount that AA_LIB_CURRENT was
+#      incremented.
 # 5. If any interfaces have been removed or changed since the last public
 #    release, then
 #    - set AA_LIB_AGE to 0.
@@ -29,9 +30,12 @@ INCLUDES = $(all_includes)
 # For more information, see:
 # http://www.gnu.org/software/libtool/manual/html_node/Libtool-versioning.html
 #
-AA_LIB_CURRENT = 13
-AA_LIB_REVISION = 0
-AA_LIB_AGE = 9
+# After changing the AA_LIB_* variables, also update EXPECTED_SO_NAME.
+
+AA_LIB_CURRENT = 25
+AA_LIB_REVISION = 1
+AA_LIB_AGE = 24
+EXPECTED_SO_NAME = libapparmor.so.1.24.1
 
 SUFFIXES = .pc.in .pc
 
@@ -40,8 +44,7 @@ include $(COMMONDIR)/Make.rules
 
 BUILT_SOURCES = grammar.h scanner.h af_protos.h
 AM_LFLAGS = -v
-AM_YFLAGS = -d -p aalogparse_
-AM_CFLAGS = -Wall $(EXTRA_WARNINGS) -fPIC -flto-partition=none
+AM_YFLAGS = -Wno-yacc -d -p aalogparse_
 AM_CPPFLAGS = -D_GNU_SOURCE -I$(top_srcdir)/include/
 scanner.h: scanner.l
 	$(LEX) -v $<
@@ -49,13 +52,13 @@ scanner.h: scanner.l
 scanner.c: scanner.l
 
 af_protos.h:
-	 echo '#include <netinet/in.h>' | $(CC) $(CPPFLAGS) -E -dM - | LC_ALL=C  sed  -n -e "/IPPROTO_MAX/d"  -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" > $@
+	 echo '#include <netinet/in.h>' | $(CC) $(CPPFLAGS) -E -dD - | LC_ALL=C  sed  -n -e "/IPPROTO_MAX/d"  -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" > $@
 
 lib_LTLIBRARIES = libapparmor.la
 noinst_HEADERS = grammar.h parser.h scanner.h af_protos.h private.h PMurHash.h
 
 libapparmor_la_SOURCES = grammar.y libaalogparse.c kernel.c scanner.c private.c features.c kernel_interface.c policy_cache.c PMurHash.c
-libapparmor_la_LDFLAGS = -version-info $(AA_LIB_CURRENT):$(AA_LIB_REVISION):$(AA_LIB_AGE) -XCClinker -dynamic -pthread \
+libapparmor_la_LDFLAGS = -version-info $(AA_LIB_CURRENT):$(AA_LIB_REVISION):$(AA_LIB_AGE) -XCClinker -Bdynamic -pthread \
 	-Wl,--version-script=$(top_srcdir)/src/libapparmor.map
 
 pkgconfigdir = $(libdir)/pkgconfig
@@ -70,6 +73,16 @@ CLEANFILES = libapparmor.pc
 tst_aalogmisc_SOURCES = tst_aalogmisc.c
 tst_aalogmisc_LDADD = .libs/libapparmor.a
 
+tst_aalogparse_cpp_SOURCES = tst_aalogparse_cpp.cpp
+tst_aalogparse_cpp_LDADD = .libs/libapparmor.a
+
+tst_aalogparse_oldname_SOURCES = tst_aalogparse_oldname.c
+tst_aalogparse_oldname_LDADD = .libs/libapparmor.a
+
+tst_aalogparse_reentrancy_SOURCES = tst_aalogparse_reentrancy.c
+tst_aalogparse_reentrancy_LDADD = .libs/libapparmor.a
+tst_aalogparse_reentrancy_LDFLAGS = -pthread
+
 tst_features_SOURCES = tst_features.c
 tst_features_LDADD = .libs/libapparmor.a
 
@@ -77,7 +90,11 @@ tst_kernel_SOURCES = tst_kernel.c
 tst_kernel_LDADD = .libs/libapparmor.a
 tst_kernel_LDFLAGS = -pthread
 
-check_PROGRAMS = tst_aalogmisc tst_features tst_kernel
+check_PROGRAMS = tst_aalogmisc tst_aalogparse_cpp tst_aalogparse_reentrancy tst_aalogparse_oldname tst_features tst_kernel
 TESTS = $(check_PROGRAMS)
 
+.PHONY: check-local
+check-local:
+	test -f ./.libs/$(EXPECTED_SO_NAME) || { echo '*** unexpected .so name/number for libapparmor (expected $(EXPECTED_SO_NAME), the actual filename is shown below) ***' ; ls -l ./.libs/libapparmor.so.*.* ; exit 1; }
+
 EXTRA_DIST = grammar.y scanner.l libapparmor.map libapparmor.pc

libraries/libapparmor/src/features.c

@@ -35,6 +35,7 @@
 #include "PMurHash.h"
 
 #define FEATURES_FILE "/sys/kernel/security/apparmor/features"
+#define CACHE_FEATURES_FILE ".features"
 
 #define HASH_SIZE (8 + 1) /* 32 bits binary to hex + NUL terminator */
 #define STRING_SIZE 8192
@@ -658,6 +659,44 @@ bool aa_features_is_equal(aa_features *features1, aa_features *features2)
 	       strcmp(features1->string, features2->string) == 0;
 }
 
+/**
+ * aa_features_check - check if features from a directory matches an aa_features object
+ * @dirfd: a directory file descriptory or AT_FDCWD (see openat(2))
+ * @path: the path containing the features
+ * @features: features to be matched against
+ *
+ * Returns: 0 on success, -1 on failure. errno is set to EEXIST when there's not a match
+ */
+int aa_features_check(int dirfd, const char *path,
+		      aa_features *features)
+{
+	aa_features *local_features = NULL;
+	autofree char *name = NULL;
+	bool rc;
+	int len;
+
+	len = asprintf(&name, "%s/%s", path, CACHE_FEATURES_FILE);
+	if (len == -1) {
+		errno = ENOMEM;
+		return -1;
+	}
+
+	/* verify that path dir .features matches */
+	if (aa_features_new(&local_features, dirfd, name)) {
+		PDEBUG("could not setup new features object for dirfd '%d' '%s'\n", dirfd, name);
+		return -1;
+	}
+
+	rc = aa_features_is_equal(local_features, features);
+	aa_features_unref(local_features);
+	if (!rc) {
+		errno = EEXIST;
+		return -1;
+	}
+
+	return 0;
+}
+
 static const char *features_lookup(aa_features *features, const char *str)
 {
 	const char *features_string = features->string;

libraries/libapparmor/src/grammar.y

@@ -15,17 +15,15 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+/* aalogparse_error now requires visibility of the aa_log_record type
+ * Also include in a %code requires block to add it to the header
+ */
+%code requires{
+	#include <aalogparse.h>
+}
 
 %{
 
-/* set the following to non-zero to get bison to emit debugging
- * information about tokens given and rules matched.
- * Also:
- *   Uncomment the %defines
- *   parse.error
- *   parse.trace
- */
-#define YYDEBUG 0
 #include <string.h>
 #include <aalogparse.h>
 #include "parser.h"
@@ -41,12 +39,10 @@
 #define debug_unused_ unused_
 #endif
 
-aa_log_record *ret_record;
-
 /* Since we're a library, on any errors we don't want to print out any
  * error messages. We should probably add a debug interface that does
  * emit messages when asked for. */
-void aalogparse_error(unused_ void *scanner, debug_unused_ char const *s)
+void aalogparse_error(unused_ void *scanner, aa_log_record *ret_record, debug_unused_ char const *s)
 {
 #if (YYDEBUG != 0)
 	printf("ERROR: %s\n", s);
@@ -89,9 +85,10 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %define parse.trace
 */
 
-%define api.pure
+%define api.pure full
 %lex-param{void *scanner}
 %parse-param{void *scanner}
+%parse-param{aa_log_record *ret_record}
 
 %union
 {
@@ -114,6 +111,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_PERIOD
 %token TOK_QUESTION_MARK
 %token TOK_SINGLE_QUOTE
+%token TOK_NONE
 
 %token TOK_TYPE_REJECT
 %token TOK_TYPE_AUDIT
@@ -159,7 +157,9 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_NAMESPACE
 %token TOK_KEY_ERROR
 %token TOK_KEY_FSUID
+%token TOK_KEY_FSUID_UPPER
 %token TOK_KEY_OUID
+%token TOK_KEY_OUID_UPPER
 %token TOK_KEY_UID
 %token TOK_KEY_AUID
 %token TOK_KEY_SAUID
@@ -185,6 +185,9 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_FSTYPE
 %token TOK_KEY_FLAGS
 %token TOK_KEY_SRCNAME
+%token TOK_KEY_UNIX_PEER_ADDR
+%token TOK_KEY_EXECPATH
+%token TOK_KEY_CLASS
 
 %token TOK_SOCKLOGD_KERNEL
 %token TOK_SYSLOG_KERNEL
@@ -246,7 +249,7 @@ syslog_type:
 	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
 	| syslog_date syslog_id TOK_DMESG_STAMP key_type audit_id key_list
 	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
-	/* needs update: hard newline in handling mutiline log messages */
+	/* needs update: hard newline in handling multiline log messages */
 	| syslog_date syslog_id TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_partial_tail
 	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
 	| syslog_date syslog_id TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_tail
@@ -278,8 +281,9 @@ audit_user_msg: TOK_KEY_MSG TOK_EQUALS audit_id audit_user_msg_tail
 
 audit_id: TOK_AUDIT TOK_OPEN_PAREN TOK_AUDIT_DIGITS TOK_PERIOD TOK_AUDIT_DIGITS TOK_COLON TOK_AUDIT_DIGITS TOK_CLOSE_PAREN TOK_COLON
 	{
-		if (!asprintf(&ret_record->audit_id, "%s.%s:%s", $3, $5, $7))
-			yyerror(scanner, YY_("Out of memory"));
+		if (!asprintf(&ret_record->audit_id, "%s.%s:%s", $3, $5, $7)) {
+			yyerror(scanner, ret_record, YY_("Out of memory"));
+		}
 		ret_record->epoch = atol($3);
 		ret_record->audit_sub_id = atoi($7);
 		free($3);
@@ -302,7 +306,7 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	| TOK_KEY_NAME TOK_EQUALS safe_string
 	{ ret_record->name = $3;}
 	| TOK_KEY_NAMESPACE TOK_EQUALS safe_string
-	{ ret_record->namespace = $3;}
+	{ ret_record->aa_namespace = $3;}
 	| TOK_KEY_NAME2 TOK_EQUALS safe_string
 	{ ret_record->name2 = $3;}
 	| TOK_KEY_MASK TOK_EQUALS TOK_QUOTED_STRING
@@ -351,15 +355,23 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->fsuid = $3;}
 	| TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
 	{ ret_record->ouid = $3;}
+	| TOK_KEY_ADDR TOK_EQUALS TOK_QUESTION_MARK
+	| TOK_KEY_ADDR TOK_EQUALS TOK_NONE
+	| TOK_KEY_ADDR TOK_EQUALS safe_string
+	{ ret_record->net_addr = $3; }
+	| TOK_KEY_UNIX_PEER_ADDR TOK_EQUALS TOK_NONE
+	| TOK_KEY_UNIX_PEER_ADDR TOK_EQUALS safe_string
+	{ ret_record->peer_addr = $3; }
+	| TOK_KEY_FSUID_UPPER TOK_EQUALS TOK_QUOTED_STRING
+	{ free($3);} /* Ignore - fsuid username */
+	| TOK_KEY_OUID_UPPER TOK_EQUALS TOK_QUOTED_STRING
+	{ free($3);} /* Ignore - ouid username */
 	| TOK_KEY_SAUID TOK_EQUALS TOK_DIGITS
 	{ /* Ignore - Source audit ID from user AVC messages */ }
 	| TOK_KEY_HOSTNAME TOK_EQUALS safe_string
 	{ free($3); /* Ignore - hostname from user AVC messages */ }
 	| TOK_KEY_HOSTNAME TOK_EQUALS TOK_QUESTION_MARK
-	| TOK_KEY_ADDR TOK_EQUALS TOK_QUESTION_MARK
 	| TOK_KEY_TERMINAL TOK_EQUALS TOK_QUESTION_MARK
-	| TOK_KEY_ADDR TOK_EQUALS safe_string
-	{ free($3); /* Ignore - IP address from user AVC messages */ }
 	| TOK_KEY_TERMINAL TOK_EQUALS safe_string
 	{ free($3); /* Ignore - TTY from user AVC messages */ }
 	| TOK_KEY_EXE TOK_EQUALS safe_string
@@ -412,19 +424,21 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->dbus_member = $3; }
 	| TOK_KEY_SIGNAL TOK_EQUALS TOK_ID
 	{ ret_record->signal = $3; }
-
 	| TOK_KEY_FSTYPE TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->fs_type = $3; }
 	| TOK_KEY_FLAGS TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->flags = $3; }
 	| TOK_KEY_SRCNAME TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->src_name = $3; }
-
+	| TOK_KEY_EXECPATH TOK_EQUALS TOK_QUOTED_STRING
+	{ ret_record->execpath = $3; }
 	| TOK_MSG_REST
 	{
 		ret_record->event = AA_RECORD_INVALID;
 		ret_record->info = $1;
 	}
+	| TOK_KEY_CLASS TOK_EQUALS TOK_QUOTED_STRING
+	{ ret_record->rule_class = $3; }
 	;
 
 apparmor_event:
@@ -461,31 +475,3 @@ protocol: TOK_QUOTED_STRING
 	}
 	;
 %%
-
-aa_log_record *
-_parse_yacc(char *str)
-{
-	/* yydebug = 1;  */
-	YY_BUFFER_STATE lex_buf;
-	yyscan_t scanner;
-
-	ret_record = NULL;
-	ret_record = malloc(sizeof(aa_log_record));
-
-	_init_log_record(ret_record);
-
-	if (ret_record == NULL)
-		return NULL;
-
-#if (YYDEBUG != 0)
-	yydebug = 1;
-#endif
-
-	aalogparse_lex_init(&scanner);
-	lex_buf = aalogparse__scan_string(str, scanner);
-	/* Ignore return value to return an AA_RECORD_INVALID event */
-	(void)aalogparse_parse(scanner);
-	aalogparse__delete_buffer(lex_buf, scanner);
-	aalogparse_lex_destroy(scanner);
-	return ret_record;
-}

libraries/libapparmor/src/kernel.c

@@ -463,7 +463,7 @@ static char *procattr_path(pid_t pid, const char *attr)
 
 static int procattr_open(pid_t tid, const char *attr, int flags)
 {
-	char *tmp;
+	autofree char *tmp = NULL;
 	int fd;
 
 	tmp = procattr_path(tid, attr);
@@ -471,7 +471,7 @@ static int procattr_open(pid_t tid, const char *attr, int flags)
 		return -1;
 	}
 	fd = open(tmp, flags);
-	free(tmp);
+
 	/* Test is we can fallback to the old interface (this is ugly).
 	 * If we haven't tried the old interface already
 	 *    proc_attr_base == proc_attr_base_old - no fallback
@@ -483,11 +483,14 @@ static int procattr_open(pid_t tid, const char *attr, int flags)
 	 *       old interface where is_enabled() is only successful if
 	 *       the old interface is available to apparmor.
 	 */
-	if (fd == -1 && tmp != proc_attr_base_old && param_check_enabled() != 0) {
-		if (asprintf(&tmp, proc_attr_base_old, tid, attr) < 0)
-			return -1;
-		fd = open(tmp, flags);
+	if (fd == -1 && param_check_enabled() != 0 && strncmp(tmp, proc_attr_base_old, strlen(proc_attr_base_old)) != 0) {
 		free(tmp);
+		if (asprintf(&tmp, proc_attr_base_old, tid, attr) < 0) {
+			/* tmp is undefined, make sure it is null for autofree*/
+			tmp = NULL;
+			return -1;
+		}
+		fd = open(tmp, flags);
 	}
 
 	return fd;
@@ -1355,3 +1358,121 @@ int aa_query_link_path(const char *label, const char *target, const char *link,
 				      strlen(target), link, strlen(link),
 				      allowed, audited);
 }
+
+static int alloc_substring(char ***v, char *s, char *p,
+			   size_t max_size, size_t n, bool immutable)
+{
+	if (max_size) {
+		if (n >= max_size) {
+			errno = E2BIG;
+			return -1;
+		}
+	} else {
+		char ** tmpv;
+		tmpv = (char **) realloc(*v, (n + 1) * sizeof(char *));
+		if (tmpv == NULL) {
+			errno = ENOMEM;
+			return -1;
+		}
+		*v = tmpv;
+	}
+	if (immutable) {
+		char *tmp;
+		tmp = (char *) malloc(p - s + 1);
+		if (tmp == NULL) {
+			errno = ENOMEM;
+			return -1;
+		}
+		memcpy(tmp, s, p - s);
+		tmp[p - s] = 0;
+		(*v)[n] = tmp;
+	} else {
+		(*v)[n] = s;
+		if (*p)
+			*p = 0;
+	}
+
+	return 0;
+}
+
+/**
+ * aa_split_overlay_str - split a string into potentially multiple strings
+ * @str: the string to split
+ * @vec: vector to put string pointers into, IF null will be allocated
+ * @max_size: maximum number of ents to put in @vec, IF 0 dynamic
+ * @immutable: true if @str should not be modified.
+ *
+ * Returns: the number of entries in vec on success. -1 on error and errno set.
+ *
+ * Split a comma or colon separated string into substrings.
+ *
+ * IF @vec == NULL
+ *    the vec will be dynamically allocated
+ * ELSE
+ *    passed in @vec will be used, and NOT updated/extended
+ *
+ * IF @max_size == 0 && @vec == NULL
+ *    @vec will be dynamically resized
+ * ELSE
+ *    @vec will be fixed at @max_size
+ *
+ * IF @immutable is true
+ *    the substrings placed in @vec will be allocated copies.
+ * ELSE
+ *    @str will be updated in place and @vec[x] will point into @str
+ */
+int aa_split_overlay_str(char *str, char ***vec, size_t max_size, bool immutable)
+{
+	char *s = str;
+	char *p = str;
+	int rc, n = 0;
+	char **v = *vec;
+
+	if (!*vec) {
+		if (max_size) {
+			v = (char **) malloc(max_size * sizeof(char *));
+			if (v == NULL) {
+				rc = ENOMEM;
+				goto err;
+			}
+		}
+	}
+
+	while (*p) {
+		if (*p == '\\') {
+			if (*(p + 1) != 0)
+				p++;
+		} else if (*p == ',' || *p == ':') {
+			if (p != s) {
+				if (alloc_substring(&v, s, p, max_size, n, immutable) == -1) {
+					rc = errno;
+					goto err;
+				}
+				n++;
+			}
+			p++;
+			s = p;
+		} else
+			p++;
+	}
+	if (p != s) {
+		if (alloc_substring(&v, s, p, max_size, n, immutable) == -1) {
+			rc = errno;
+			goto err;
+		}
+		n++;
+	}
+
+	*vec = v;
+	return n;
+err:
+	if (immutable) {
+		for (int i = 0; i < n; i++) {
+			free(v[i]);
+		}
+	}
+	if (!*vec)
+		free(v);
+	errno = rc;
+	return -1;
+}

libraries/libapparmor/src/libaalogparse.c

@@ -34,13 +34,42 @@
 #include <aalogparse.h>
 #include "parser.h"
 
+#include "grammar.h"
+#include "scanner.h"
+
 /* This is mostly just a wrapper around the code in grammar.y */
-aa_log_record *parse_record(char *str)
+aa_log_record *parse_record(const char *str)
 {
+	YY_BUFFER_STATE lex_buf;
+	yyscan_t scanner;
+	aa_log_record *ret_record;
+
 	if (str == NULL)
 		return NULL;
 
-	return _parse_yacc(str);
+	ret_record = malloc(sizeof(aa_log_record));
+
+	_init_log_record(ret_record);
+
+	if (ret_record == NULL)
+		return NULL;
+
+	struct string_buf string_buf = {.buf = NULL, .buf_len = 0, .buf_alloc = 0};
+
+#if (YYDEBUG != 0)
+	/* Warning: this is still a global even in reentrant parsers */
+	aalogparse_debug = 1;
+#endif
+
+	aalogparse_lex_init_extra(&string_buf, &scanner);
+	lex_buf = aalogparse__scan_string(str, scanner);
+	/* Ignore return value to return an AA_RECORD_INVALID event */
+	(void)aalogparse_parse(scanner, ret_record);
+	aalogparse__delete_buffer(lex_buf, scanner);
+	aalogparse_lex_destroy(scanner);
+	/* free(NULL) is a no-op */
+	free(string_buf.buf);
+	return ret_record;
 }
 
 void free_record(aa_log_record *record)
@@ -63,8 +92,8 @@ void free_record(aa_log_record *record)
 			free(record->name);
 		if (record->name2 != NULL)
 			free(record->name2);
-		if (record->namespace != NULL)
-			free(record->namespace);
+		if (record->aa_namespace != NULL)
+			free(record->aa_namespace);
 		if (record->attribute != NULL)
 			free(record->attribute);
 		if (record->info != NULL)
@@ -103,6 +132,15 @@ void free_record(aa_log_record *record)
 			free(record->flags);
 		if (record->src_name != NULL)
 			free(record->src_name);
+		if (record->net_addr != NULL)
+			free(record->net_addr);
+		if (record->peer_addr != NULL)
+			free(record->peer_addr);
+		if (record->execpath != NULL)
+			free(record->execpath);
+
+		if (record->rule_class != NULL)
+			free(record->rule_class);
 
 		free(record);
 	}

libraries/libapparmor/src/libapparmor.map

@@ -124,6 +124,14 @@ APPARMOR_3.0 {
 	*;
 } APPARMOR_2.13.1;
 
+APPARMOR_3.1 {
+  global:
+	aa_features_check;
+	aa_split_overlay_str;
+  local:
+	*;
+} APPARMOR_3.0;
+
 PRIVATE {
 	global:
 		_aa_is_blacklisted;

libraries/libapparmor/src/parser.h

@@ -19,8 +19,14 @@
 #ifndef __AA_LOG_PARSER_H__
 #define __AA_LOG_PARSER_H__
 
+// Internal-only type
+struct string_buf {
+	char *buf;
+	unsigned int buf_len;
+	unsigned int buf_alloc;
+};
+
 extern void _init_log_record(aa_log_record *record);
-extern aa_log_record *_parse_yacc(char *str);
 extern char *hex_to_string(char *str);
 extern char *ipproto_to_string(unsigned int proto);
 

libraries/libapparmor/src/policy_cache.c

@@ -147,36 +147,6 @@ repeat:
 	return path;
 }
 
-static int cache_check_features(int dirfd, const char *cache_name,
-				aa_features *features)
-{
-	aa_features *local_features = NULL;
-	autofree char *name = NULL;
-	bool rc;
-	int len;
-
-	len = asprintf(&name, "%s/%s", cache_name, CACHE_FEATURES_FILE);
-	if (len == -1) {
-		errno = ENOMEM;
-		return -1;
-	}
-
-	/* verify that cache dir .features matches */
-	if (aa_features_new(&local_features, dirfd, name)) {
-		PDEBUG("could not setup new features object for dirfd '%d' '%s'\n", dirfd, name);
-		return -1;
-	}
-
-	rc = aa_features_is_equal(local_features, features);
-	aa_features_unref(local_features);
-	if (!rc) {
-		errno = EEXIST;
-		return -1;
-	}
-
-	return 0;
-}
-
 static int create_cache(aa_policy_cache *policy_cache, aa_features *features)
 {
 	if (aa_policy_cache_remove(policy_cache->dirfd[0], "."))
@@ -194,8 +164,8 @@ static int create_cache(aa_policy_cache *policy_cache, aa_features *features)
 static int init_cache_features(aa_policy_cache *policy_cache,
 			       aa_features *kernel_features, bool create)
 {
-	if (cache_check_features(policy_cache->dirfd[0], ".",
-				 kernel_features)) {
+	if (aa_features_check(policy_cache->dirfd[0], ".",
+			      kernel_features)) {
 		/* EEXIST must come before ENOENT for short circuit eval */
 		if (!create || errno == EEXIST || errno != ENOENT)
 			return -1;
@@ -231,13 +201,13 @@ static int cache_miss_cb(int dirfd, const struct dirent *ent, void *arg)
 		errno = ENOMEM;
 		return -1;
 	}
-	if (!cache_check_features(dirfd, cache_name, data->features) || errno == ENOENT) {
+	if (!aa_features_check(dirfd, cache_name, data->features) || errno == ENOENT) {
 		/* found cache dir matching pattern */
 		data->cache_name = cache_name;
 		/* return 1 to stop iteration and signal dir found */
 		return 1;
 	}  else if (errno != EEXIST) {
-		PDEBUG("cache_check_features() failed for dirfd '%d' '%s'\n", dirfd, cache_name);
+		PDEBUG("aa_features_check() failed for dirfd '%d' '%s'\n", dirfd, cache_name);
 		free(cache_name);
 		return -1;
 	}
@@ -273,12 +243,12 @@ static int cache_dir_from_path_and_features(char **cache_path,
 	if (len == -1)
 		return -1;
 
-	if (!cache_check_features(dirfd, cache_dir, features) || errno == ENOENT) {
+	if (!aa_features_check(dirfd, cache_dir, features) || errno == ENOENT) {
 		PDEBUG("cache_dir_from_path_and_features() found '%s'\n", cache_dir);
 		*cache_path = cache_dir;
 		return 0;
 	} else if (errno != EEXIST) {
-		PDEBUG("cache_check_features() failed for dirfd '%d' %s\n", dirfd, cache_dir);
+		PDEBUG("aa_features_check() failed for dirfd '%d' %s\n", dirfd, cache_dir);
 		free(cache_dir);
 		return -1;
 	}

libraries/libapparmor/src/scanner.l

@@ -19,6 +19,7 @@
 %option nounput
 %option noyy_top_state
 %option reentrant
+%option extra-type="struct string_buf*"
 %option prefix="aalogparse_"
 %option bison-bridge
 %option header-file="scanner.h"
@@ -34,45 +35,42 @@
 
 #define YY_NO_INPUT
 
-unsigned int string_buf_alloc = 0;
-unsigned int string_buf_len = 0;
-char *string_buf = NULL;
-
-void string_buf_reset()
+void string_buf_reset(struct string_buf* char_buf)
 {
 	/* rewind buffer to zero, possibly doing initial allocation too */
-	string_buf_len = 0;
- 	if (string_buf == NULL) {
-		string_buf_alloc = 128;
-		string_buf = malloc(string_buf_alloc);
-		assert(string_buf != NULL);
+	char_buf->buf_len = 0;
+	if (char_buf->buf == NULL) {
+		char_buf->buf_alloc = 128;
+		char_buf->buf = malloc(char_buf->buf_alloc);
+		assert(char_buf->buf != NULL);
 	}
 	/* always start with a valid but empty string */
-	string_buf[0] = '\0';
+	char_buf->buf[0] = '\0';
 }
 
-void string_buf_append(unsigned int length, char *text)
+void string_buf_append(struct string_buf* char_buf, unsigned int length, char *text)
 {
-	unsigned int current_length = string_buf_len;
+	unsigned int current_length = char_buf->buf_len;
 
 	/* handle calling ..._append before ..._reset */
-	if (string_buf == NULL) string_buf_reset();
+	if (char_buf->buf == NULL) string_buf_reset(char_buf);
 
-	string_buf_len += length;
+	char_buf->buf_len += length;
 	/* expand allocation if this append would exceed the allocation */
-	while (string_buf_len >= string_buf_alloc) {
-		string_buf_alloc *= 2;
-		string_buf = realloc(string_buf, string_buf_alloc);
-		assert(string_buf != NULL);
+	while (char_buf->buf_len >= char_buf->buf_alloc) {
+		// TODO: overflow?
+		char_buf->buf_alloc *= 2;
+		char_buf->buf = realloc(char_buf->buf, char_buf->buf_alloc);
+		assert(char_buf->buf != NULL);
 	}
 	/* copy and unconditionally terminate */
-	memcpy(string_buf+current_length, text, length);
-	string_buf[string_buf_len] = '\0';
+	memcpy(char_buf->buf+current_length, text, length);
+	char_buf->buf[char_buf->buf_len] = '\0';
 }
 
 %}
 
-ws		[ \t\r\n]
+ws		[ \t\r\n\x1d]
 
 equals		"="
 digit		[[:digit:]]
@@ -90,6 +88,7 @@ question_mark	"?"
 single_quote	"'"
 mode_chars      ([RrWwaLlMmkXx])|([Pp][Xx])|([Uu][Xx])|([Ii][Xx])|([Pp][Ii][Xx])
 modes		({mode_chars}+)|({mode_chars}+::{mode_chars}*)|(::{mode_chars}*)
+none		"none"
 /* New message types */
 
 aa_reject_type		"APPARMOR_DENIED"
@@ -121,6 +120,8 @@ key_namespace		"namespace"
 key_mask		"mask"
 key_denied_mask		"denied_mask"
 key_requested_mask	"requested_mask"
+key_denied		"denied"
+key_requested		"requested"
 key_attribute		"attribute"
 key_task		"task"
 key_parent		"parent"
@@ -138,7 +139,9 @@ key_sock_type		"sock_type"
 key_protocol		"protocol"
 key_error		"error"
 key_fsuid		"fsuid"
+key_fsuid_upper		"FSUID"
 key_ouid		"ouid"
+key_ouid_upper		"OUID"
 key_uid			"uid"
 key_auid		"auid"
 key_sauid		"sauid"
@@ -153,19 +156,28 @@ key_capname		"capname"
 key_offset		"offset"
 key_target		"target"
 key_laddr		"laddr"
+key_saddr		"saddr"
 key_faddr		"faddr"
+key_daddr		"daddr"
 key_lport		"lport"
+key_srcport		"src"
 key_fport		"fport"
+key_destport		"dest"
 key_bus			"bus"
 key_dest		"dest"
 key_path		"path"
 key_interface		"interface"
 key_member		"member"
+key_method		"method"
 key_signal		"signal"
 key_peer		"peer"
 key_fstype		"fstype"
 key_flags		"flags"
 key_srcname		"srcname"
+key_class		"class"
+key_tcontext		"tcontext"
+key_unix_peer_addr	"peer_addr"
+key_execpath		"execpath"
 audit			"audit"
 
 /* network addrs */
@@ -218,7 +230,7 @@ yy_flex_debug = 0;
 	{open_paren}		{ return(TOK_OPEN_PAREN); }
 	{close_paren}		{ BEGIN(INITIAL); return(TOK_CLOSE_PAREN); }
 	{ws}		{ }
-	\"			{ string_buf_reset(); BEGIN(quoted_string); }
+	\"			{ string_buf_reset(yyextra); BEGIN(quoted_string); }
 	{ID}+	{
 			yylval->t_str = strdup(yytext);
 			BEGIN(INITIAL);
@@ -227,20 +239,20 @@ yy_flex_debug = 0;
 	{equals}		{ return(TOK_EQUALS); }
 	}
 
-\"			{ string_buf_reset(); BEGIN(quoted_string); }
+\"			{ string_buf_reset(yyextra); BEGIN(quoted_string); }
 <quoted_string>\"	{ /* End of the quoted string */
 				BEGIN(INITIAL);
-				yylval->t_str = strdup(string_buf);
+				yylval->t_str = strdup(yyextra->buf);
 				return(TOK_QUOTED_STRING);
 			}
 
 
-<quoted_string>\\(.|\n) { string_buf_append(1, &yytext[1]); }
+<quoted_string>\\(.|\n) { string_buf_append(yyextra, 1, &yytext[1]); }
 
-<quoted_string>[^\\\n\"]+ { string_buf_append(yyleng, yytext); }
+<quoted_string>[^\\\n\"]+ { string_buf_append(yyextra, yyleng, yytext); }
 
 <safe_string>{
-	\"		{ string_buf_reset(); BEGIN(quoted_string); }
+	\"		{ string_buf_reset(yyextra); BEGIN(quoted_string); }
 	{hexstring}	{ yylval->t_str = hex_to_string(yytext); BEGIN(INITIAL); return(TOK_HEXSTRING);}
 	{equals}	{ return(TOK_EQUALS); }
 	.		{ /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
@@ -296,6 +308,8 @@ yy_flex_debug = 0;
 {period}		{ return(TOK_PERIOD); }
 {question_mark}		{ return(TOK_QUESTION_MARK); }
 {single_quote}		{ return(TOK_SINGLE_QUOTE); }
+{none}			{ return(TOK_NONE); }
+
 
 {key_apparmor}		{ BEGIN(audit_types); return(TOK_KEY_APPARMOR); }
 {key_type}		{ BEGIN(audit_types); return(TOK_KEY_TYPE); }
@@ -307,6 +321,8 @@ yy_flex_debug = 0;
 {key_mask}		{ return(TOK_KEY_MASK); }
 {key_denied_mask}	{ return(TOK_KEY_DENIED_MASK); }
 {key_requested_mask}	{ return(TOK_KEY_REQUESTED_MASK); }
+{key_denied}		{ return(TOK_KEY_DENIED_MASK); }
+{key_requested}		{ return(TOK_KEY_REQUESTED_MASK); }
 {key_attribute}		{ BEGIN(sub_id); return(TOK_KEY_ATTRIBUTE); }
 {key_task}		{ return(TOK_KEY_TASK); }
 {key_parent}		{ return(TOK_KEY_PARENT); }
@@ -319,18 +335,21 @@ yy_flex_debug = 0;
 {key_peer_profile}	{ BEGIN(safe_string); return(TOK_KEY_PEER_PROFILE); }
 {key_label}		{ BEGIN(safe_string); return(TOK_KEY_LABEL); }
 {key_peer_label}	{ BEGIN(safe_string); return(TOK_KEY_PEER_LABEL); }
+{key_tcontext}		{ BEGIN(safe_string); return(TOK_KEY_PEER_LABEL); }
 {key_family}		{ return(TOK_KEY_FAMILY); }
 {key_sock_type}		{ return(TOK_KEY_SOCK_TYPE); }
 {key_protocol}		{ return(TOK_KEY_PROTOCOL); }
 {key_error}		{ return(TOK_KEY_ERROR); }
 {key_fsuid}		{ return(TOK_KEY_FSUID); }
+{key_fsuid_upper}	{ return(TOK_KEY_FSUID_UPPER); }
 {key_ouid}		{ return(TOK_KEY_OUID); }
+{key_ouid_upper}	{ return(TOK_KEY_OUID_UPPER); }
 {key_uid}		{ return(TOK_KEY_UID); }
 {key_auid}		{ return(TOK_KEY_AUID); }
 {key_sauid}		{ return(TOK_KEY_SAUID); }
 {key_ses}		{ return(TOK_KEY_SES); }
 {key_hostname}		{ return(TOK_KEY_HOSTNAME); }
-{key_addr}		{ return(TOK_KEY_ADDR); }
+{key_addr}		{ BEGIN(safe_string); return(TOK_KEY_ADDR); }
 {key_terminal}		{ return(TOK_KEY_TERMINAL); }
 {key_exe}		{ BEGIN(safe_string); return(TOK_KEY_EXE); }
 {key_comm}		{ BEGIN(safe_string); return(TOK_KEY_COMM); }
@@ -339,18 +358,26 @@ yy_flex_debug = 0;
 {key_offset}		{ return(TOK_KEY_OFFSET); }
 {key_target}		{ return(TOK_KEY_TARGET); }
 {key_laddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
+{key_saddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
 {key_faddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
+{key_daddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
 {key_lport}		{ return(TOK_KEY_LPORT); }
+{key_srcport}		{ return(TOK_KEY_LPORT); }
 {key_fport}		{ return(TOK_KEY_FPORT); }
+{key_destport}		{ return(TOK_KEY_FPORT); }
 {key_bus}		{ return(TOK_KEY_BUS); }
 {key_path}		{ return(TOK_KEY_PATH); }
 {key_interface}		{ return(TOK_KEY_INTERFACE); }
 {key_member}		{ return(TOK_KEY_MEMBER); }
+{key_method}		{ return(TOK_KEY_MEMBER); }
 {key_signal}		{ BEGIN(sub_id); return(TOK_KEY_SIGNAL); }
 {key_peer}		{ BEGIN(safe_string); return(TOK_KEY_PEER); }
 {key_fstype}		{ return(TOK_KEY_FSTYPE); }
 {key_flags}		{ BEGIN(safe_string); return(TOK_KEY_FLAGS); }
 {key_srcname}		{ BEGIN(safe_string); return(TOK_KEY_SRCNAME); }
+{key_unix_peer_addr}    { BEGIN(safe_string); return(TOK_KEY_UNIX_PEER_ADDR); }
+{key_execpath}		{ BEGIN(safe_string); return(TOK_KEY_EXECPATH); }
+{key_class}		{ BEGIN(safe_string); return(TOK_KEY_CLASS); }
 
 {socklogd_kernel}	{ BEGIN(dmesg_timestamp); return(TOK_SOCKLOGD_KERNEL); }
 {syslog_kernel}		{ BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }

libraries/libapparmor/src/tst_aalogparse_cpp.cpp

@@ -0,0 +1,20 @@
+#include <aalogparse.h>
+#include <string.h>
+
+#include "private.h"
+
+const char* log_line = "[23342.075380] audit: type=1400 audit(1725487203.971:1831): apparmor=\"DENIED\" operation=\"open\" class=\"file\" profile=\"snap-update-ns.firmware-updater\" name=\"/proc/202964/maps\" pid=202964 comm=\"5\" requested_mask=\"r\" denied_mask=\"r\" fsuid=1000 ouid=0";
+
+int main(void) {
+    int rc = 0;
+
+    /* Very basic test to ensure we can do aalogparse stuff in C++ */
+    aa_log_record *record = parse_record(log_line);
+    MY_TEST(record != NULL, "Log failed to parse");
+    MY_TEST(record->version == AA_RECORD_SYNTAX_V2, "Log should have parsed as v2 form");
+    MY_TEST(record->aa_namespace == NULL, "Log should have NULL namespace");
+    MY_TEST((record->rule_class != NULL) && (strcmp(record->rule_class, "file") == 0), "Log should have file class");
+    free_record(record);
+
+    return rc;
+}

libraries/libapparmor/src/tst_aalogparse_oldname.c

@@ -0,0 +1,20 @@
+#include <aalogparse.h>
+#include <string.h>
+
+#include "private.h"
+
+const char* log_line = "[23342.075380] audit: type=1400 audit(1725487203.971:1831): apparmor=\"DENIED\" operation=\"open\" class=\"file\" profile=\"snap-update-ns.firmware-updater\" name=\"/proc/202964/maps\" pid=202964 comm=\"5\" requested_mask=\"r\" denied_mask=\"r\" fsuid=1000 ouid=0";
+
+int main(void) {
+    int rc = 0;
+
+    /* Very basic test to ensure we can use the C++-incompatible field names */
+    aa_log_record *record = parse_record(log_line);
+    MY_TEST(record != NULL, "Log failed to parse");
+    MY_TEST(record->version == AA_RECORD_SYNTAX_V2, "Log should have parsed as v2 form");
+    MY_TEST(record->namespace == NULL, "Log should have NULL namespace");
+    MY_TEST((record->class != NULL) && (strcmp(record->class, "file") == 0), "Log should have file class");
+    free_record(record);
+
+    return rc;
+}

libraries/libapparmor/src/tst_aalogparse_reentrancy.c

@@ -0,0 +1,154 @@
+#include <pthread.h>
+#include <string.h>
+
+#include <aalogparse.h>
+
+#include "private.h"
+
+const char* log_line = "[23342.075380] audit: type=1400 audit(1725487203.971:1831): apparmor=\"DENIED\" operation=\"open\" class=\"file\" profile=\"snap-update-ns.firmware-updater\" name=\"/proc/202964/maps\" pid=202964 comm=\"5\" requested_mask=\"r\" denied_mask=\"r\" fsuid=1000 ouid=0";
+const char* log_line_2 = "[ 4074.372559] audit: type=1400 audit(1725553393.143:793): apparmor=\"DENIED\" operation=\"capable\" class=\"cap\" profile=\"/usr/lib/snapd/snap-confine\" pid=19034 comm=\"snap-confine\" capability=12  capname=\"net_admin\"";
+
+static int pthread_barrier_ok(int barrier_result) {
+	return barrier_result == 0 || barrier_result == PTHREAD_BARRIER_SERIAL_THREAD;
+}
+
+static int nullcmp_and_strcmp(const void *s1, const void *s2)
+{
+	/* Return 0 if both pointers are NULL & non-zero if only one is NULL */
+	if (!s1 || !s2)
+		return s1 != s2;
+
+	return strcmp(s1, s2);
+}
+
+int aa_log_record_eq(aa_log_record *record1, aa_log_record *record2) {
+	int are_eq = 1;
+
+	are_eq &= (record1->version == record2->version);
+	are_eq &= (record1->event == record2->event);
+	are_eq &= (record1->pid == record2->pid);
+	are_eq &= (record1->peer_pid == record2->peer_pid);
+	are_eq &= (record1->task == record2->task);
+	are_eq &= (record1->magic_token == record2->magic_token);
+	are_eq &= (record1->epoch == record2->epoch);
+	are_eq &= (record1->audit_sub_id == record2->audit_sub_id);
+
+	are_eq &= (record1->bitmask == record2->bitmask);
+	are_eq &= (nullcmp_and_strcmp(record1->audit_id, record2->audit_id) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->operation, record2->operation) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->denied_mask, record2->denied_mask) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->requested_mask, record2->requested_mask) == 0);
+	are_eq &= (record1->fsuid == record2->fsuid);
+	are_eq &= (record1->ouid == record2->ouid);
+	are_eq &= (nullcmp_and_strcmp(record1->profile, record2->profile) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->peer_profile, record2->peer_profile) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->comm, record2->comm) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->name, record2->name) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->name2, record2->name2) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->namespace, record2->namespace) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->attribute, record2->attribute) == 0);
+	are_eq &= (record1->parent == record2->parent);
+	are_eq &= (nullcmp_and_strcmp(record1->info, record2->info) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->peer_info, record2->peer_info) == 0);
+	are_eq &= (record1->error_code == record2->error_code);
+	are_eq &= (nullcmp_and_strcmp(record1->active_hat, record2->active_hat) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->net_family, record2->net_family) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->net_protocol, record2->net_protocol) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->net_sock_type, record2->net_sock_type) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->net_local_addr, record2->net_local_addr) == 0);
+	are_eq &= (record1->net_local_port == record2->net_local_port);
+	are_eq &= (nullcmp_and_strcmp(record1->net_foreign_addr, record2->net_foreign_addr) == 0);
+	are_eq &= (record1->net_foreign_port == record2->net_foreign_port);
+
+	are_eq &= (nullcmp_and_strcmp(record1->execpath, record2->execpath) == 0);
+
+	are_eq &= (nullcmp_and_strcmp(record1->dbus_bus, record2->dbus_bus) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->dbus_path, record2->dbus_path) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->dbus_interface, record2->dbus_interface) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->dbus_member, record2->dbus_member) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->signal, record2->signal) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->peer, record2->peer) == 0);
+
+	are_eq &= (nullcmp_and_strcmp(record1->fs_type, record2->fs_type) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->flags, record2->flags) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->src_name, record2->src_name) == 0);
+
+	are_eq &= (nullcmp_and_strcmp(record1->class, record2->class) == 0);
+
+	are_eq &= (nullcmp_and_strcmp(record1->net_addr, record2->net_addr) == 0);
+	are_eq &= (nullcmp_and_strcmp(record1->peer_addr, record2->peer_addr) == 0);
+	return are_eq;
+}
+
+typedef struct {
+	const char* log;
+	pthread_barrier_t *barrier;
+} pthread_parse_args;
+
+void* pthread_parse_log(void* args) {
+	pthread_parse_args *args_real = (pthread_parse_args *) args;
+	int barrier_wait_result = pthread_barrier_wait(args_real->barrier);
+	/* Return NULL and fail test if barrier wait fails */
+	if (!pthread_barrier_ok(barrier_wait_result)) {
+		return NULL;
+	}
+	aa_log_record *record = parse_record(args_real->log);
+	return (void*) record;
+}
+
+#define NUM_THREADS 16
+
+int main(void) {
+	pthread_t thread_ids[NUM_THREADS];
+	pthread_barrier_t barrier;
+	int barrier_wait_result;
+	aa_log_record* parsed_logs[NUM_THREADS];
+	int rc = 0;
+	/* Set up arguments to be passed to threads */
+	pthread_parse_args args = {.log=log_line, .barrier=&barrier};
+	pthread_parse_args args2 = {.log=log_line_2, .barrier=&barrier};
+
+	MY_TEST(NUM_THREADS > 2, "Test requires more than 2 threads");
+
+	/* Use barrier to synchronize the start of log parsing among all the threads
+	 * This increases the likelihood of tickling race conditions, if there are any
+	 */
+	MY_TEST(pthread_barrier_init(&barrier, NULL, NUM_THREADS+1) == 0,
+		"Could not init pthread barrier");
+	for (int i=0; i<NUM_THREADS; i++) {
+		if (i%2 == 0) {
+			pthread_create(&thread_ids[i], NULL, pthread_parse_log, (void *) &args);
+		} else {
+			pthread_create(&thread_ids[i], NULL, pthread_parse_log, (void *) &args2);
+		}
+	}
+	/* Final barrier_wait to set off the thread race */
+	barrier_wait_result = pthread_barrier_wait(&barrier);
+	MY_TEST(pthread_barrier_ok(barrier_wait_result), "Could not wait on pthread barrier");
+
+	/* Wait for threads to finish parsing the logs */
+	for (int i=0; i<NUM_THREADS; i++) {
+		MY_TEST(pthread_join(thread_ids[i], (void*) &parsed_logs[i]) == 0, "Could not join thread");
+	}
+
+	/* Check that all logs parsed and are equal */
+	for (int i=0; i<NUM_THREADS; i++) {
+		MY_TEST(parsed_logs[i] != NULL, "Log failed to parse");
+		MY_TEST(parsed_logs[i]->version == AA_RECORD_SYNTAX_V2, "Log should have parsed as v2 form");
+		MY_TEST(parsed_logs[i]->event == AA_RECORD_DENIED, "Log should have parsed as denied");
+
+		/* Also check i==0 and i==1 as a sanity check for aa_log_record_eq */
+		if (i%2 == 0) {
+			MY_TEST(aa_log_record_eq(parsed_logs[0], parsed_logs[i]), "Log 0 != Log even");
+		} else {
+			MY_TEST(aa_log_record_eq(parsed_logs[1], parsed_logs[i]), "Log 1 != Log odd");
+		}
+	}
+	MY_TEST(!aa_log_record_eq(parsed_logs[0], parsed_logs[1]), "Log 0 and log 1 shouldn't be equal");
+	/* Clean up */
+	MY_TEST(pthread_barrier_destroy(&barrier) == 0, "Could not destroy pthread barrier");
+	for (int i=0; i<NUM_THREADS; i++) {
+		free_record(parsed_logs[i]);
+	}
+	return rc;
+}

libraries/libapparmor/src/tst_features.c

@@ -135,7 +135,7 @@ static int do_test_walk_one(const char **str, const struct component *component,
 
 static int test_walk_one(void)
 {
-	struct component c;
+	struct component c = (struct component) { NULL, 0 };
 	const char *str;
 	int rc = 0;
 

libraries/libapparmor/swig/SWIG/libapparmor.i

@@ -5,9 +5,98 @@
 #include <sys/apparmor.h>
 #include <sys/apparmor_private.h>
 
+// Include static_assert if the C compiler supports it
+// static_assert standardized since C11, assert.h not needed since C23
+#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L && __STDC_VERSION__ < 202311L
+#include <assert.h>
+#endif
 %}
 
 %include "typemaps.i"
+%include <cstring.i>
+%include <stdint.i>
+%include <exception.i>
+
+/*
+ * SWIG 4.3 included https://github.com/swig/swig/pull/2907 to distinguish
+ * between Py_None being returned as a default void and Py_None being returned
+ * as the equivalent of C NULL. Unfortunately, this turns into an API breaking
+ * change with our use of %append_output when we want the Python function to
+ * return something even when the C function has a void return type. Thus, we
+ * need an additional macro to smooth over the differences. Include all affected
+ * languages, even ones we don't build bindings for, for completeness.
+ */
+#if SWIG_VERSION >= 0x040300
+#ifdef SWIGPYTHON
+#define ISVOID_APPEND_OUTPUT(value) {$result = SWIG_Python_AppendOutput($result, value, 1);}
+#elif defined(SWIGRUBY)
+#define ISVOID_APPEND_OUTPUT(value) {$result = SWIG_Ruby_AppendOutput($result, value, 1);}
+#elif defined(SWIGPHP)
+#define ISVOID_APPEND_OUTPUT(value) {$result = SWIG_Php_AppendOutput($result, value, 1);}
+#else
+#define ISVOID_APPEND_OUTPUT(value) %append_output(value)
+#endif
+#else
+#define ISVOID_APPEND_OUTPUT(value) %append_output(value)
+#endif
+
+%newobject parse_record;
+%delobject free_record;
+/*
+ * Despite its name, %delobject does not hook up destructors to language
+ * deletion mechanisms. Instead, it sets flags so that manually calling the
+ * free function and then deleting by language mechanisms doesn't cause a
+ * double-free.
+ *
+ * Additionally, we can manually extend the struct with a C++-like
+ * destructor. This ensures that the record struct is freed 
+ * automatically when the high-level object goes out of scope.
+ */
+%extend aa_log_record {
+	~aa_log_record() {
+		free_record($self);
+	}
+}
+
+/*
+ * Generate a no-op free_record wrapper to avoid making a double-free footgun.
+ * Use rename directive to avoid colliding with the actual free_record, which
+ * we use above to clean up when the higher-level language deletes the object.
+ * 
+ * Ideally we would not expose a free_record at all, but we need to maintain
+ * backwards compatibility with the existing high-level code that uses it.
+ */
+%rename(free_record) noop_free_record;
+#ifdef SWIGPYTHON
+%pythonprepend noop_free_record %{
+import warnings
+warnings.warn("free_record is now a no-op as the record's memory is handled automatically", DeprecationWarning)
+%}
+#endif
+%feature("autodoc",
+  "This function used to free aa_log_record objects. Freeing is now handled "
+  "automatically, so this no-op function remains for backwards compatibility.") noop_free_record;
+%inline %{
+  void noop_free_record(aa_log_record *record) {(void) record;}
+%}
+
+/*
+ * Do not autogenerate a wrapper around free_record. This does not prevent us
+ * from calling it ourselves in %extend C code.
+ */
+%ignore free_record;
+
+
+/*
+ * Map names to preserve backwards compatibility
+ */
+#ifdef SWIGPYTHON
+%rename("_class") aa_log_record::rule_class;
+#else
+%rename("class") aa_log_record::rule_class;
+#endif
+%rename("namespace") aa_log_record::aa_namespace;
+
 %include <aalogparse.h>
 
 /**
@@ -21,18 +110,75 @@
 
 /* apparmor.h */
 
+/*
+ * label is a heap-allocated pointer, but when label and mode occur together,
+ * the freeing of label must be deferred because mode points into label.
+ *
+ * %cstring_output_allocate((char **label, char **mode), free(*$1))
+ * does not handle multi-argument typemaps correctly, so we write our own
+ * typemap based on it instead.
+ */
+%typemap(in,noblock=1,numinputs=0) (char **label, char **mode) ($*1_ltype temp_label = 0, $*2_ltype temp_mode = 0) {
+  $1 = &temp_label;
+  $2 = &temp_mode;
+}
+%typemap(freearg,match="in") (char **label, char **mode) ""
+%typemap(argout,noblock=1,fragment="SWIG_FromCharPtr") (char **label, char **mode) {
+  ISVOID_APPEND_OUTPUT(SWIG_FromCharPtr(*$1));
+  ISVOID_APPEND_OUTPUT(SWIG_FromCharPtr(*$2));
+  free(*$1);
+}
+
+/*
+ * mode also occurs in combination with con in aa_splitcon
+ * typemap based on %cstring_mutable but with substantial modifications
+ */
+%typemap(in,numinputs=1,fragment="SWIG_AsCharPtrAndSize") (char *con, char **mode) ($*2_ltype temp_mode = 0) {
+  int alloc_status = 0;
+  $1_ltype con_ptr = NULL;
+  size_t con_len = 0;
+  int char_ptr_res = SWIG_AsCharPtrAndSize($input, &con_ptr, &con_len, &alloc_status);
+  if (!SWIG_IsOK(char_ptr_res)) {
+    %argument_fail(char_ptr_res, "char *con", $symname, $argnum);
+  }
+  if (alloc_status != SWIG_NEWOBJ) {
+    // Unconditionally copy because the C function modifies the string in place
+    $1 = %new_copy_array(con_ptr, con_len+1, char);
+  } else {
+    $1 = con_ptr;
+  }
+
+  $2 = &temp_mode;
+}
+%typemap(freearg,noblock=1,match="in") (char *con, char **mode) {
+  %delete_array($1);
+}
+%typemap(argout,noblock=1,fragment="SWIG_FromCharPtr") (char *con, char **mode) {
+  /*
+   * aa_splitcon returns either con or NULL so we don't need to explicitly
+   * append it to the output, and we don't need the ISVOID helper here
+   * 
+   * SWIG_FromCharPtr does NULL checks for us
+   */
+  %append_output(SWIG_FromCharPtr(*$2));
+}
+
+%exception aa_splitcon {
+  $action
+  if (result == NULL) {
+    SWIG_exception_fail(SWIG_ValueError, "received invalid confinement context");
+  }
+}
+
 extern char *aa_splitcon(char *con, char **mode);
 
-/* apparmor_private.h */
-
-extern int _aa_is_blacklisted(const char *name);
-
 #ifdef SWIGPYTHON
 %exception {
   $action
   if (result < 0) {
+    // Unfortunately SWIG_exception does not support OSError
     PyErr_SetFromErrno(PyExc_OSError);
-    return NULL;
+    SWIG_fail;
   }
 }
 #endif
@@ -41,33 +187,219 @@ extern int _aa_is_blacklisted(const char *name);
 
 /* apparmor.h */
 
+/*
+ * aa_is_enabled returns a boolean as an int with failure reason in errno 
+ * Therefore, aa_is_enabled either returns True or throws an exception
+ *
+ * Keep that behavior for backwards compatibilty but return a boolean on Python
+ * where it makes more sense, which isn't a breaking change because a boolean is
+ * a subclass of int
+ */
+#ifdef SWIGPYTHON
+%typemap(out) int {
+	$result = PyBool_FromLong($1);
+}
+#endif
 extern int aa_is_enabled(void);
-extern int aa_find_mountpoint(char **mnt);
+
+#ifdef SWIGPYTHON
+// Based on SWIG's argcargv.i but we don't have an argc
+%typemap(in,fragment="SWIG_AsCharPtr") const char *subprofiles[] (Py_ssize_t seq_len=0, int* alloc_tracking = NULL) {
+  void* arg_as_ptr = NULL;
+  int res_convertptr = SWIG_ConvertPtr($input, &arg_as_ptr, $descriptor(char*[]), 0);
+  if (SWIG_IsOK(res_convertptr)) {
+    $1 = %static_cast(arg_as_ptr, $1_ltype);
+  } else {
+    // Clear error that would be set if ptr conversion failed
+    PyErr_Clear();
+
+    int is_list = PyList_Check($input);
+    if (is_list || PyTuple_Check($input)) {
+      seq_len = PySequence_Length($input);
+      /*
+       * %new_array zero-inits for cleaner error handling and memory cleanup
+       * %delete_array(NULL) is no-op (either free or delete), and
+       * alloc_tracking of 0 is uninit
+       * 
+       * Further note: SWIG_exception_fail jumps to the freearg typemap
+       */
+      $1 = %new_array(seq_len+1, char *);
+      if ($1 == NULL) {
+        SWIG_exception_fail(SWIG_MemoryError, "could not allocate C subprofiles");
+      }
+
+      alloc_tracking = %new_array(seq_len, int);
+      if (alloc_tracking == NULL) {
+        SWIG_exception_fail(SWIG_MemoryError, "could not allocate C alloc track arr");
+      }
+      for (Py_ssize_t i=0; i<seq_len; i++) {
+        PyObject *o = is_list ? PyList_GetItem($input, i) : PyTuple_GetItem($input, i);
+        if (o == NULL) {
+          // Failed to get item-Python already set exception info
+          SWIG_fail;
+        } else if (o == Py_None) {
+          // SWIG_AsCharPtr(Py_None, ...) succeeds with ptr output being NULL
+          SWIG_exception_fail(SWIG_ValueError, "sequence contains a None object");
+        }
+        int res = SWIG_AsCharPtr(o, &$1[i], &alloc_tracking[i]);
+        if (!SWIG_IsOK(res)) {
+          // Could emit idx of error here, maybe?
+          SWIG_exception_fail(SWIG_ArgError(res), "sequence does not contain all strings");
+        }
+      }
+    } else {
+      SWIG_exception_fail(SWIG_TypeError, "subprofiles is not a list or tuple");
+    }
+  }
+}
+%typemap(freearg,noblock=1) const char *subprofiles[] {
+/*
+ * If static_assert is present, use it to verify the assumption that
+ * allocation uninitialized (0) != SWIG_NEWOBJ
+ */
+%#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L
+  /* 
+   * Some older versions of SWIG place this right after a goto label
+   * This would then be a label followed by a declaration, a C23 extension (!)
+   * To ensure this works for older SWIG versions and older compilers,
+   * make this a block element with curly braces.
+   */
+  {static_assert(SWIG_NEWOBJ != 0, "SWIG_NEWOBJ is 0");}
+%#endif
+  if ($1 != NULL && alloc_tracking$argnum != NULL) {
+    for (Py_ssize_t i=0; i<seq_len$argnum; i++) {
+      if (alloc_tracking$argnum[i] == SWIG_NEWOBJ) {
+        %delete_array($1[i]);
+      }
+    }
+  }
+  %delete_array(alloc_tracking$argnum);
+  %delete_array($1);
+}
+#endif
+
+/* These should not receive the VOID_Object typemap */
 extern int aa_change_hat(const char *subprofile, unsigned long magic_token);
 extern int aa_change_profile(const char *profile);
 extern int aa_change_onexec(const char *profile);
 extern int aa_change_hatv(const char *subprofiles[], unsigned long token);
-extern int aa_change_hat_vargs(unsigned long token, int count, ...);
 extern int aa_stack_profile(const char *profile);
 extern int aa_stack_onexec(const char *profile);
-extern int aa_getprocattr_raw(pid_t tid, const char *attr, char *buf, int len,
-			      char **mode);
-extern int aa_getprocattr(pid_t tid, const char *attr, char **buf, char **mode);
+
+/*
+ * aa_find_mountpoint mnt is an output pointer to a heap-allocated string
+ *
+ * This is a replica of %cstring_output_allocate(char **mnt, free(*$1))
+ * that uses the ISVOID helper to work correctly on SWIG 4.3 or later.
+ */
+%typemap(in,noblock=1,numinputs=0) (char **mnt) ($*1_ltype temp_mnt = 0) {
+  $1 = &temp_mnt;
+}
+%typemap(freearg,match="in") (char **mnt) ""
+%typemap(argout,noblock=1,fragment="SWIG_FromCharPtr") (char **mnt) {
+  ISVOID_APPEND_OUTPUT(SWIG_FromCharPtr(*$1));
+  free(*$1);
+}
+/* The other errno-based functions should not always be returning the int value:
+ * - Python exceptions signal success/failure status instead via the %exception 
+ *   handler above.
+ * - Perl (the other binding) has $! for accessing errno but would check the int
+ *   return status first.
+ *
+ * The generated C code for (out) resets the return value to None
+ * before appending the returned data (argout generated by %cstring stuff)
+ */
+#ifdef SWIGPYTHON
+%typemap(out,noblock=1) int {
+#if defined(VOID_Object)
+	$result = VOID_Object;
+#endif
+}
+#endif
+
+/*
+ * We can't use "typedef int pid_t" because we still support systems
+ * with 16-bit PIDs and SWIG can't find sys/types.h
+ *
+ * Capture the passed-in value as a long because pid_t is guaranteed
+ * to be a signed integer and because the aalogparse struct uses
+ * (unsigned) longs to store pid values. While intmax_t would be more
+ * technically correct, if sizeof(pid_t) > sizeof(long) then aalogparse
+ * itself would also need fixing.
+ */
+%typemap(in,noblock=1,fragment="SWIG_AsVal_long") pid_t (int conv_pid, long pid_large) {
+%#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L
+  static_assert(sizeof(pid_t) <= sizeof(long),
+    "pid_t type is too large to be stored in a long");
+%#endif
+  conv_pid = SWIG_AsVal_long($input, &pid_large);
+  if (!SWIG_IsOK(conv_pid)) {
+    %argument_fail(conv_pid, "pid_t", $symname, $argnum);
+  }
+  /*
+   * Cast the long to a pid_t and then cast back to check for overflow
+   * Technically this is implementation-defined behaviour but we should be fine
+   */
+  $1 = (pid_t) pid_large;
+  if ((long) $1 != pid_large) {
+    SWIG_exception_fail(SWIG_OverflowError, "pid_t is too large");
+  }
+}
+
+extern int aa_find_mountpoint(char **mnt);
+extern int aa_getprocattr(pid_t tid, const char *attr, char **label, char **mode);
 extern int aa_gettaskcon(pid_t target, char **label, char **mode);
 extern int aa_getcon(char **label, char **mode);
-extern int aa_getpeercon_raw(int fd, char *buf, int *len, char **mode);
 extern int aa_getpeercon(int fd, char **label, char **mode);
-extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
-			  int *audit);
-extern int aa_query_file_path_len(uint32_t mask, const char *label,
-				  size_t label_len, const char *path,
-				  size_t path_len, int *allowed, int *audited);
+
+/*
+ * Typemaps for the boolean outputs of the query functions
+ * Use boolean types for Python and int types elsewhere
+ */
+#ifdef SWIGPYTHON
+// TODO: find a way to deduplicate these
+%typemap(in, numinputs=0) int *allowed (int temp) {
+  $1 = &temp;
+}
+%typemap(argout) int *allowed {
+  ISVOID_APPEND_OUTPUT(PyBool_FromLong(*$1));
+}
+
+%typemap(in, numinputs=0) int *audited (int temp) {
+  $1 = &temp;
+}
+%typemap(argout) int *audited {
+  ISVOID_APPEND_OUTPUT(PyBool_FromLong(*$1));
+}
+#else
+%apply int *OUTPUT { int *allowed };
+%apply int *OUTPUT { int *audited };
+#endif
+
+/* Sync this with the apparmor.h */
+/* Permission flags for the AA_CLASS_FILE mediation class */
+#define AA_MAY_EXEC			(1 << 0)
+#define AA_MAY_WRITE			(1 << 1)
+#define AA_MAY_READ			(1 << 2)
+#define AA_MAY_APPEND			(1 << 3)
+#define AA_MAY_CREATE			(1 << 4)
+#define AA_MAY_DELETE			(1 << 5)
+#define AA_MAY_OPEN			(1 << 6)
+#define AA_MAY_RENAME			(1 << 7)
+#define AA_MAY_SETATTR			(1 << 8)
+#define AA_MAY_GETATTR			(1 << 9)
+#define AA_MAY_SETCRED			(1 << 10)
+#define AA_MAY_GETCRED			(1 << 11)
+#define AA_MAY_CHMOD			(1 << 12)
+#define AA_MAY_CHOWN			(1 << 13)
+#define AA_MAY_LOCK			0x8000
+#define AA_EXEC_MMAP			0x10000
+#define AA_MAY_LINK			0x40000
+#define AA_MAY_ONEXEC			0x20000000
+#define AA_MAY_CHANGE_PROFILE		0x40000000
+
 extern int aa_query_file_path(uint32_t mask, const char *label,
 			      const char *path, int *allowed, int *audited);
-extern int aa_query_link_path_len(const char *label, size_t label_len,
-				  const char *target, size_t target_len,
-				  const char *link, size_t link_len,
-				  int *allowed, int *audited);
 extern int aa_query_link_path(const char *label, const char *target,
 			      const char *link, int *allowed, int *audited);
 

libraries/libapparmor/swig/python/Makefile.am

@@ -14,7 +14,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.py
 
 all-local: libapparmor_wrap.c setup.py
 	if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
-	CC="$(CC)" CFLAGS="$(PYTHON_CPPFLAGS) $(EXTRA_WARNINGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(PYTHON_LDFLAGS) $(LDFLAGS)" $(PYTHON) setup.py build
+	CC="$(CC)" CFLAGS="$(PYTHON_CPPFLAGS) $(CFLAGS) $(EXTRA_WARNINGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(PYTHON_LDFLAGS) $(LDFLAGS)" $(PYTHON) setup.py build
 
 install-exec-local:
 	$(PYTHON) setup.py install --root="/$(DESTDIR)" --prefix="$(prefix)"

libraries/libapparmor/swig/python/setup.py.in

@@ -2,7 +2,7 @@ from setuptools import setup, Extension
 import string
 
 setup(name          = 'LibAppArmor',
-      version       = '@VERSION@',
+      version       = '@VERSION@'.replace('~', '-'),
       author        = 'AppArmor Dev Team',
       author_email  = 'apparmor@lists.ubuntu.com',
       url           = 'https://wiki.apparmor.net',

libraries/libapparmor/swig/python/test/buildpath.py

@@ -7,8 +7,8 @@ import sysconfig
 import setuptools
 
 
-if tuple(map(int, setuptools.__version__.split("."))) >= (62, 1):
+if tuple(map(int, setuptools.__version__.split(".")[:2])) >= (62, 1):
     identifier = sys.implementation.cache_tag
 else:
     identifier = "%d.%d" % sys.version_info[:2]
-print("lib.%s-%s" % (sysconfig.get_platform(), identifier))
+print("lib.{}-{}".format(sysconfig.get_platform(), identifier))

libraries/libapparmor/swig/python/test/test_python.py.in

@@ -35,6 +35,7 @@ OUTPUT_MAP = {
     'Local port':       'net_local_port',
     'Foreign port':     'net_foreign_port',
     'Audit subid':      'audit_sub_id',
+    'Class':            '_class',
 }
 
 # FIXME: pull this automatically out of LibAppArmor, but swig
@@ -54,17 +55,107 @@ NO_VALUE_MAP = {
     'fsuid': int(ctypes.c_ulong(-1).value),
     'ouid':  int(ctypes.c_ulong(-1).value),
 }
-
-
 class AAPythonBindingsTests(unittest.TestCase):
 
+    def setUp(self):
+        # REPORT ALL THE OUTPUT
+        self.maxDiff = None
+
+    def test_aa_splitcon(self):
+        AA_SPLITCON_EXPECT = [
+            ("unconfined", "unconfined", None),
+            ("unconfined\n", "unconfined", None),
+            ("/bin/ping (enforce)", "/bin/ping", "enforce"),
+            ("/bin/ping (enforce)\n", "/bin/ping", "enforce"),
+            ("/usr/sbin/rsyslog (complain)", "/usr/sbin/rsyslog", "complain"),
+        ]
+        for context, expected_label, expected_mode in AA_SPLITCON_EXPECT:
+            actual_label, actual_mode = libapparmor.aa_splitcon(context)
+            if expected_label is None:
+                self.assertIsNone(actual_label)
+            else:
+                self.assertIsInstance(actual_label, str)
+                self.assertEqual(expected_label, actual_label)
+
+            if expected_mode is None:
+                self.assertIsNone(actual_mode)
+            else:
+                self.assertIsInstance(actual_mode, str)
+                self.assertEqual(expected_mode, actual_mode)
+
+        with self.assertRaises(ValueError):
+            libapparmor.aa_splitcon("")
+
+    def test_aa_is_enabled(self):
+        aa_enabled = libapparmor.aa_is_enabled()
+        self.assertIsInstance(aa_enabled, bool)
+
+    @unittest.skipUnless(libapparmor.aa_is_enabled(), "AppArmor is not enabled")
+    def test_aa_find_mountpoint(self):
+        mount_point = libapparmor.aa_find_mountpoint()
+        self.assertIsInstance(mount_point, str)
+        self.assertGreater(len(mount_point), 0, "mount point should not be empty")
+        self.assertTrue(os.path.isdir(mount_point))
+
+    # TODO: test commented out functions (or at least their prototypes)
+    # extern int aa_change_profile(const char *profile);
+    # extern int aa_change_onexec(const char *profile);
+    @unittest.skipUnless(libapparmor.aa_is_enabled(), "AppArmor is not enabled")
+    def test_change_hats(self):
+        # Changing hats will fail because we have no valid hats to change to
+        # However, we still verify that we get an OSError instead of a TypeError
+        with self.assertRaises(OSError):
+            libapparmor.aa_change_hat("nonexistent_profile", 12345678)
+
+        with self.assertRaises(OSError):
+            libapparmor.aa_change_hatv(["nonexistent_1", "nonexistent_2"], 0xabcdef)
+            libapparmor.aa_change_hatv(("nonexistent_1", "nonexistent_2"), 0xabcdef)
+
+    # extern int aa_stack_profile(const char *profile);
+    # extern int aa_stack_onexec(const char *profile);
+    # extern int aa_getprocattr(pid_t tid, const char *attr, char **label, char **mode);
+    # extern int aa_gettaskcon(pid_t target, char **label, char **mode);
+
+    @unittest.skipUnless(libapparmor.aa_is_enabled(), "AppArmor is not enabled")
+    def test_aa_gettaskcon(self):
+        # Our test harness should be running us as unconfined
+        # Get our own pid and this should be equivalent to aa_getcon
+        pid = os.getpid()
+
+        label, mode = libapparmor.aa_gettaskcon(pid)
+        self.assertEqual(label, "unconfined", "aa_gettaskcon label should be unconfined")
+        self.assertIsNone(mode, "aa_gettaskcon mode should be unconfined")
+
+    @unittest.skipUnless(libapparmor.aa_is_enabled(), "AppArmor is not enabled")
+    def test_aa_getcon(self):
+        # Our test harness should be running us as unconfined
+        label, mode = libapparmor.aa_getcon()
+        self.assertEqual(label, "unconfined", "aa_getcon label should be unconfined")
+        self.assertIsNone(mode, "aa_getcon mode should be unconfined")
+
+    # extern int aa_getpeercon(int fd, char **label, char **mode);
+
+    # extern int aa_query_file_path(uint32_t mask, const char *label,
+    #                 const char *path, int *allowed, int *audited);
+    @unittest.skipUnless(libapparmor.aa_is_enabled(), "AppArmor is not enabled")
+    def test_aa_query_file_path(self):
+        aa_query_mask = libapparmor.AA_MAY_EXEC | libapparmor.AA_MAY_READ | libapparmor.AA_MAY_WRITE
+        allowed, audited = libapparmor.aa_query_file_path(aa_query_mask, "unconfined", "/tmp/hello")
+        self.assertTrue(allowed)
+        self.assertFalse(audited)
+    # extern int aa_query_link_path(const char *label, const char *target,
+    #                 const char *link, int *allowed, int *audited);
+
+
+class AALogParsePythonBindingsTests(unittest.TestCase):
+
     def setUp(self):
         # REPORT ALL THE OUTPUT
         self.maxDiff = None
 
     def _runtest(self, testname):
-        infile = "%s.in" % (testname)
-        outfile = "%s.out" % (testname)
+        infile = testname + ".in"
+        outfile = testname + ".out"
         # infile *should* only contain one line
         with open(os.path.join(TESTDIR, infile), 'r') as f:
             line = f.read()
@@ -77,7 +168,7 @@ class AAPythonBindingsTests(unittest.TestCase):
         expected = self.parse_output_file(outfile)
         self.assertEqual(expected, record,
                          "expected records did not match\n"
-                         "expected = %s\nactual = %s" % (expected, record))
+                         "expected = {}\nactual = {}".format(expected, record))
 
     def parse_output_file(self, outfile):
         """parse testcase .out file and return dict"""
@@ -92,7 +183,7 @@ class AAPythonBindingsTests(unittest.TestCase):
             count += 1
             if line == "START":
                 self.assertEqual(count, 1,
-                                  "Unexpected output format in %s" % (outfile))
+                                 "Unexpected output format in " + outfile)
                 continue
             else:
                 key, value = line.split(": ", 1)
@@ -109,7 +200,7 @@ class AAPythonBindingsTests(unittest.TestCase):
         """parse the swig created record and construct a dict from it"""
 
         new_record = dict()
-        for key in [x for x in dir(record) if not (x.startswith('_') or x == 'this')]:
+        for key in [x for x in dir(record) if not (x.startswith('__') or x == 'this')]:
             value = getattr(record, key)
             if key == "event" and value in EVENT_MAP:
                 new_record[key] = EVENT_MAP[value]
@@ -117,6 +208,9 @@ class AAPythonBindingsTests(unittest.TestCase):
                 # FIXME: out files should report log version?
                 # FIXME: or can we just deprecate v1 logs?
                 continue
+            elif key == "thisown":
+                # SWIG generates this key to track memory allocation
+                continue
             elif key in NO_VALUE_MAP:
                 if NO_VALUE_MAP[key] == value:
                     continue
@@ -140,8 +234,8 @@ def main():
     for f in find_testcases(TESTDIR):
         def stub_test(self, testname=f):
             self._runtest(testname)
-        stub_test.__doc__ = "test %s" % (f)
-        setattr(AAPythonBindingsTests, 'test_%s' % (f), stub_test)
+        stub_test.__doc__ = "test " + f
+        setattr(AALogParsePythonBindingsTests, 'test_' + f, stub_test)
     return unittest.main(verbosity=2)
 
 

libraries/libapparmor/testsuite/test_multi.c

@@ -1,5 +1,3 @@
-#define _GNU_SOURCE /* for glibc's basename version */
-
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -7,6 +5,12 @@
 
 #include <aalogparse.h>
 
+static const char *basename(const char *path)
+{
+	const char *p = strrchr(path, '/');
+	return p ? p + 1 : path;
+}
+
 int print_results(aa_log_record *record);
 
 int main(int argc, char **argv)
@@ -103,7 +107,7 @@ int print_results(aa_log_record *record)
 		print_string("Name", record->name);
 		print_string("Command", record->comm);
 		print_string("Name2", record->name2);
-		print_string("Namespace", record->namespace);
+		print_string("Namespace", record->aa_namespace);
 		print_string("Attribute", record->attribute);
 		print_long("Task", record->task, 0);
 		print_long("Parent", record->parent, 0);
@@ -115,6 +119,8 @@ int print_results(aa_log_record *record)
 		print_long("Peer PID", record->peer_pid, 0);
 		print_string("Active hat", record->active_hat);
 
+		print_string("Net Addr", record->net_addr);
+		print_string("Peer Addr", record->peer_addr);
 		print_string("Network family", record->net_family);
 		print_string("Socket type", record->net_sock_type);
 		print_string("Protocol", record->net_protocol);
@@ -134,6 +140,10 @@ int print_results(aa_log_record *record)
 		print_string("Flags", record->flags);
 		print_string("Src name", record->src_name);
 
+		print_string("Execpath", record->execpath);
+
+		print_string("Class", record->rule_class);
+
 		print_long("Epoch", record->epoch, 0);
 		print_long("Audit subid", (long) record->audit_sub_id, 0);
 	return(0);

libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1661734785.992:270): apparmor="ALLOWED" operation="open" profile="/usr/bin/dolphin" name="/home/otis/.config/kdedefaults/kdeglobals" pid=3483 comm="dolphin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0FSUID="otis" OUID="root"

libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.out

@@ -0,0 +1,15 @@
+START
+File: 0x1d-uppercase-FSUID-OUID.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1661734785.992:270
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /usr/bin/dolphin
+Name: /home/otis/.config/kdedefaults/kdeglobals
+Command: dolphin
+PID: 3483
+Epoch: 1661734785
+Audit subid: 270

libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.profile

@@ -0,0 +1,4 @@
+/usr/bin/dolphin {
+  /home/otis/.config/kdedefaults/kdeglobals r,
+
+}

libraries/libapparmor/testsuite/test_multi/file_inherit_network_lp1509030.profile

@@ -1,4 +1,4 @@
 /usr/lib/NetworkManager/nm-dhcp-client.action {
-  network inet6 dgram,
+  network inet6 dgram port=10580,
 
 }

libraries/libapparmor/testsuite/test_multi/file_perm_network_lp1466812.profile

@@ -1,4 +1,4 @@
 /usr/sbin/apache2 {
-  network inet6 stream,
+  network inet6 stream ip=::ffff:192.168.236.159 port=80 peer=(ip=::ffff:192.168.103.80 port=61985),
 
 }

libraries/libapparmor/testsuite/test_multi/file_perm_network_receive_lp1577051.profile

@@ -1,7 +1,7 @@
 /usr/sbin/apache2 {
 
   ^www.xxxxxxxxxx.co.uk {
-    network inet6 stream,
+    network (send) inet6 stream ip=::ffff:192.168.1.100 port=80 peer=(ip=::ffff:192.168.1.100 port=45658),
 
   }
 }

libraries/libapparmor/testsuite/test_multi/file_perm_network_receive_lp1582374.profile

@@ -1,7 +1,7 @@
 /usr/local/apache-tomcat-8.0.33/bin/catalina.sh {
 
   ^/usr/local/jdk1.8.0_92/bin/java {
-    network inet6 stream,
+    network (receive) inet6 stream ip=::ffff:127.0.0.1 port=8080 peer=(ip=::ffff:127.0.0.1 port=52308),
 
   }
 }

libraries/libapparmor/testsuite/test_multi/file_xm.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1676978994.840:1493): apparmor="DENIED" operation="link" profile="cargo" name="/var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/libbootstrap.rlib" pid=12412 comm="cargo" requested_mask="xm" denied_mask="xm" fsuid=250 ouid=250 target="/var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/deps/libbootstrap-4542dd99e796257e.rlib"FSUID="portage" OUID="portage"

libraries/libapparmor/testsuite/test_multi/file_xm.out

@@ -0,0 +1,16 @@
+START
+File: file_xm.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1676978994.840:1493
+Operation: link
+Mask: xm
+Denied Mask: xm
+fsuid: 250
+ouid: 250
+Profile: cargo
+Name: /var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/libbootstrap.rlib
+Command: cargo
+Name2: /var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/deps/libbootstrap-4542dd99e796257e.rlib
+PID: 12412
+Epoch: 1676978994
+Audit subid: 1493

libraries/libapparmor/testsuite/test_multi/file_xm.profile

@@ -0,0 +1,4 @@
+profile cargo {
+  owner /var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/libbootstrap.rlib m,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase36.in

@@ -0,0 +1 @@
+2025-01-27T13:01:36.226987+05:30 sec-plucky-amd64 kernel: audit: type=1400 audit(1737963096.225:3240): apparmor="AUDIT" operation="getattr" class="file" profile="/usr/sbin/mosquitto" name="/etc/mosquitto/pwfile" pid=8119 comm="mosquitto" requested_mask="r" fsuid=122 ouid=122

libraries/libapparmor/testsuite/test_multi/testcase36.out

@@ -0,0 +1,15 @@
+START
+File: testcase36.in
+Event type: AA_RECORD_AUDIT
+Audit ID: 1737963096.225:3240
+Operation: getattr
+Mask: r
+fsuid: 122
+ouid: 122
+Profile: /usr/sbin/mosquitto
+Name: /etc/mosquitto/pwfile
+Command: mosquitto
+PID: 8119
+Class: file
+Epoch: 1737963096
+Audit subid: 3240

libraries/libapparmor/testsuite/test_multi/testcase36.profile

@@ -0,0 +1,4 @@
+/usr/sbin/mosquitto {
+  /etc/mosquitto/pwfile r,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.in

@@ -0,0 +1 @@
+Dec 15 17:32:17 kinetic kernel: [4835959.046111] audit: type=1107 audit(1671125537.724:209): pid=7308 uid=0 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" method="Hello" mask="send" label="/tmp/apparmor/tests/regression/apparmor/dbus_message" peer_label="unconfined" exe="/usr/local/bin/dbus-broker" sauid=0 hostname=? addr=? terminal=?'

libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.out

@@ -0,0 +1,15 @@
+START
+File: testcase_dbus_11.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1671125537.724:209
+Operation: dbus_method_call
+Denied Mask: send
+Profile: /tmp/apparmor/tests/regression/apparmor/dbus_message
+Peer profile: unconfined
+Command: /usr/local/bin/dbus-broker
+DBus bus: session
+DBus path: /org/freedesktop/DBus
+DBus interface: org.freedesktop.DBus
+DBus member: Hello
+Epoch: 1671125537
+Audit subid: 209

libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.profile

@@ -0,0 +1,4 @@
+/tmp/apparmor/tests/regression/apparmor/dbus_message {
+  dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(label=unconfined),
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_io_uring_01.in

@@ -0,0 +1 @@
+[ 4584.703379] audit: type=1400 audit(1680266735.359:69): apparmor="DENIED" operation="uring_sqpoll" class="io_uring" profile="/root/apparmor/tests/regression/apparmor/io_uring" pid=1320 comm="io_uring" requested="sqpoll" denied="sqpoll"

libraries/libapparmor/testsuite/test_multi/testcase_io_uring_01.out

@@ -0,0 +1,13 @@
+START
+File: testcase_io_uring_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1680266735.359:69
+Operation: uring_sqpoll
+Mask: sqpoll
+Denied Mask: sqpoll
+Profile: /root/apparmor/tests/regression/apparmor/io_uring
+Command: io_uring
+PID: 1320
+Class: io_uring
+Epoch: 1680266735
+Audit subid: 69

libraries/libapparmor/testsuite/test_multi/testcase_io_uring_01.profile

@@ -0,0 +1,4 @@
+/root/apparmor/tests/regression/apparmor/io_uring {
+  io_uring sqpoll,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_io_uring_02.in

@@ -0,0 +1 @@
+[ 4584.491076] audit: type=1400 audit(1680266735.147:63): apparmor="DENIED" operation="uring_override" class="io_uring" profile="/root/apparmor/tests/regression/apparmor/io_uring" pid=1193 comm="io_uring" requested="override_creds" denied="override_creds" tcontext="/root/apparmor/tests/regression/apparmor/io_uring"

libraries/libapparmor/testsuite/test_multi/testcase_io_uring_02.out

@@ -0,0 +1,14 @@
+START
+File: testcase_io_uring_02.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1680266735.147:63
+Operation: uring_override
+Mask: override_creds
+Denied Mask: override_creds
+Profile: /root/apparmor/tests/regression/apparmor/io_uring
+Peer profile: /root/apparmor/tests/regression/apparmor/io_uring
+Command: io_uring
+PID: 1193
+Class: io_uring
+Epoch: 1680266735
+Audit subid: 63

libraries/libapparmor/testsuite/test_multi/testcase_io_uring_02.profile

@@ -0,0 +1,4 @@
+/root/apparmor/tests/regression/apparmor/io_uring {
+  io_uring override_creds label=/root/apparmor/tests/regression/apparmor/io_uring,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_mount_01.profile

@@ -1,4 +1,4 @@
 /home/ubuntu/bzr/apparmor/tests/regression/apparmor/mount {
-  mount fstype=ext2 options="rw, mand" /dev/loop0/ -> /tmp/sdtest.19033-29001-MPfz98/mountpoint/,
+  mount fstype=(ext2) options=(mand, rw) /dev/loop0/ -> /tmp/sdtest.19033-29001-MPfz98/mountpoint/,
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_mount_02.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1715045678.914:344186): apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="steam" name="/newroot/dev/" pid=26487 comm="srt-bwrap" flags="rw, nosuid, nodev, remount, bind, silent, relatime"

libraries/libapparmor/testsuite/test_multi/testcase_mount_02.out

@@ -0,0 +1,14 @@
+START
+File: testcase_mount_02.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1715045678.914:344186
+Operation: mount
+Profile: steam
+Name: /newroot/dev/
+Command: srt-bwrap
+Info: failed flags match
+ErrorCode: 13
+PID: 26487
+Flags: rw, nosuid, nodev, remount, bind, silent, relatime
+Epoch: 1715045678
+Audit subid: 344186

libraries/libapparmor/testsuite/test_multi/testcase_mount_02.profile

@@ -0,0 +1,4 @@
+profile steam {
+  mount options=(bind, nodev, nosuid, relatime, remount, rw, silent) -> /newroot/dev/,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_01.in

@@ -0,0 +1 @@
+Apr 05 19:36:19 ubuntu kernel: audit: type=1400 audit(1649187379.660:255): apparmor="DENIED" operation="create" profile="/root/apparmor/tests/regression/apparmor/posix_mq_rcv" name="/queuename" pid=791 comm="posix_mq_rcv" requested="create" denied="create" class="posix_mqueue" fsuid=0 ouid=0

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_01.out

@@ -0,0 +1,16 @@
+START
+File: testcase_mqueue_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1649187379.660:255
+Operation: create
+Mask: create
+Denied Mask: create
+fsuid: 0
+ouid: 0
+Profile: /root/apparmor/tests/regression/apparmor/posix_mq_rcv
+Name: /queuename
+Command: posix_mq_rcv
+PID: 791
+Class: posix_mqueue
+Epoch: 1649187379
+Audit subid: 255

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_01.profile

@@ -0,0 +1,4 @@
+/root/apparmor/tests/regression/apparmor/posix_mq_rcv {
+  mqueue create type=posix /queuename,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_02.in

@@ -0,0 +1,2 @@
+Apr 05 19:36:29 ubuntu kernel: audit: type=1400 audit(1649187389.828:262): apparmor="DENIED" operation="open" profile="/root/apparmor/tests/regression/apparmor/posix_mq_rcv" name="/queuename" pid=848 comm="posix_mq_rcv" requested="read create" denied="read" class="posix_mqueue" fsuid=0 ouid=0
+

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_02.out

@@ -0,0 +1,16 @@
+START
+File: testcase_mqueue_02.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1649187389.828:262
+Operation: open
+Mask: read create
+Denied Mask: read
+fsuid: 0
+ouid: 0
+Profile: /root/apparmor/tests/regression/apparmor/posix_mq_rcv
+Name: /queuename
+Command: posix_mq_rcv
+PID: 848
+Class: posix_mqueue
+Epoch: 1649187389
+Audit subid: 262

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_02.profile

@@ -0,0 +1,4 @@
+/root/apparmor/tests/regression/apparmor/posix_mq_rcv {
+  mqueue read type=posix /queuename,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_03.in

@@ -0,0 +1 @@
+Apr 05 19:36:39 ubuntu kernel: audit: type=1400 audit(1649187399.973:265): apparmor="DENIED" operation="unlink" profile="/root/apparmor/tests/regression/apparmor/posix_mq_rcv" name="/queuename" pid=897 comm="posix_mq_rcv" requested="delete" denied="delete" class="posix_mqueue" fsuid=0 ouid=0

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_03.out

@@ -0,0 +1,16 @@
+START
+File: testcase_mqueue_03.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1649187399.973:265
+Operation: unlink
+Mask: delete
+Denied Mask: delete
+fsuid: 0
+ouid: 0
+Profile: /root/apparmor/tests/regression/apparmor/posix_mq_rcv
+Name: /queuename
+Command: posix_mq_rcv
+PID: 897
+Class: posix_mqueue
+Epoch: 1649187399
+Audit subid: 265

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_03.profile

@@ -0,0 +1,4 @@
+/root/apparmor/tests/regression/apparmor/posix_mq_rcv {
+  mqueue delete type=posix /queuename,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_04.in

@@ -0,0 +1 @@
+Jun 02 16:58:20 ubuntu kernel: audit: type=1400 audit(1654189100.680:1011): apparmor="DENIED" operation="sysv_mqueue" profile="/root/apparmor/tests/regression/apparmor/sysv_mq_rcv" name="123" pid=13574 comm="sysv_mq_rcv" requested="create" denied="create" class="sysv_mqueue" fsuid=0 ouid=0

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_04.out

@@ -0,0 +1,16 @@
+START
+File: testcase_mqueue_04.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1654189100.680:1011
+Operation: sysv_mqueue
+Mask: create
+Denied Mask: create
+fsuid: 0
+ouid: 0
+Profile: /root/apparmor/tests/regression/apparmor/sysv_mq_rcv
+Name: 123
+Command: sysv_mq_rcv
+PID: 13574
+Class: sysv_mqueue
+Epoch: 1654189100
+Audit subid: 1011

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_04.profile

@@ -0,0 +1,4 @@
+/root/apparmor/tests/regression/apparmor/sysv_mq_rcv {
+  mqueue create type=sysv 123,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_05.in

@@ -0,0 +1 @@
+Jun 02 17:15:45 ubuntu kernel: audit: type=1400 audit(1654190145.439:1135): apparmor="DENIED" operation="sysv_mqueue" profile="/root/apparmor/tests/regression/apparmor/sysv_mq_snd" name="123" pid=15849 comm="sysv_mq_snd" requested="open" denied="open" class="sysv_mqueue"

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_05.out

@@ -0,0 +1,14 @@
+START
+File: testcase_mqueue_05.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1654190145.439:1135
+Operation: sysv_mqueue
+Mask: open
+Denied Mask: open
+Profile: /root/apparmor/tests/regression/apparmor/sysv_mq_snd
+Name: 123
+Command: sysv_mq_snd
+PID: 15849
+Class: sysv_mqueue
+Epoch: 1654190145
+Audit subid: 1135

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_05.profile

@@ -0,0 +1,4 @@
+/root/apparmor/tests/regression/apparmor/sysv_mq_snd {
+  mqueue open type=sysv 123,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_06.in

@@ -0,0 +1 @@
+Jun 02 17:15:37 ubuntu kernel: audit: type=1400 audit(1654190137.559:1122): apparmor="DENIED" operation="sysv_mqueue" profile="/root/apparmor/tests/regression/apparmor/sysv_mq_rcv" name="123" pid=15632 comm="sysv_mq_rcv" requested="read" denied="read" class="sysv_mqueue" fsuid=0 ouid=0

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_06.out

@@ -0,0 +1,16 @@
+START
+File: testcase_mqueue_06.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1654190137.559:1122
+Operation: sysv_mqueue
+Mask: read
+Denied Mask: read
+fsuid: 0
+ouid: 0
+Profile: /root/apparmor/tests/regression/apparmor/sysv_mq_rcv
+Name: 123
+Command: sysv_mq_rcv
+PID: 15632
+Class: sysv_mqueue
+Epoch: 1654190137
+Audit subid: 1122

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_06.profile

@@ -0,0 +1,4 @@
+/root/apparmor/tests/regression/apparmor/sysv_mq_rcv {
+  mqueue read type=sysv 123,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_07.in

@@ -0,0 +1 @@
+Jun 02 17:15:51 ubuntu kernel: audit: type=1400 audit(1654190151.003:1145): apparmor="DENIED" operation="sysv_mqueue" profile="/root/apparmor/tests/regression/apparmor/sysv_mq_rcv" name="123" pid=15973 comm="sysv_mq_rcv" requested="delete" denied="delete" class="sysv_mqueue" fsuid=1001 ouid=1001