Prepare for AppArmor 3.1.3 release

- update version file
- update library version

Signed-off-by: John Johansen <john.johansen@canonical.com>

.gitlab-ci.yml

@@ -77,7 +77,7 @@ test-utils:
   extends:
     - .ubuntu-before_script
   script:
-    - apt-get install --no-install-recommends -y libc6-dev libjs-jquery libjs-jquery-throttle-debounce libjs-jquery-isonscreen libjs-jquery-tablesorter pyflakes3 python3-coverage python3-notify2 python3-psutil
+    - apt-get install --no-install-recommends -y libc6-dev libjs-jquery libjs-jquery-throttle-debounce libjs-jquery-isonscreen libjs-jquery-tablesorter pyflakes3 python3-coverage python3-notify2 python3-psutil python3-setuptools
     # See apparmor/apparmor#221
     - make -C parser/tst gen_dbus
     - make -C parser/tst gen_xtrans

binutils/aa_status.c

@@ -534,16 +534,19 @@ static int detailed_output(FILE *json) {
 				} else {
 					fprintf(json, "%s\"%s\": [{\"profile\": \"%s\", \"pid\": \"%s\", \"status\": \"%s\"}",
 					       // first element will be a unique executable
-					       i == 0 && j == 0 ? "" : "], ",
+					       j == 0 ? "" : "], ",
 					       filtered[j].exe, filtered[j].profile, filtered[j].pid, filtered[j].mode);
 				}
 
 			}
+			if (j > 0) {
+				fprintf(json, "]");
+			}
 		}
 		free_processes(filtered, nfiltered);
 	}
 	if (json) {
-		fprintf(json, "%s}}\n", nprocesses > 0 ? "]" : "");
+		fprintf(json, "}}\n");
 	}
 
 exit:

common/Version

@@ -1 +1 @@
-3.0.98
+3.1.3

libraries/libapparmor/include/aalogparse.h

@@ -159,6 +159,8 @@ typedef struct
 	char *fs_type;
 	char *flags;
 	char *src_name;
+
+	char *class;
 } aa_log_record;
 
 /**

libraries/libapparmor/src/Makefile.am

@@ -11,9 +11,13 @@ INCLUDES = $(all_includes)
 # 3. If any interfaces have been added, removed, or changed since the last
 #    update,
 #    - increment AA_LIB_CURRENT
+#      - by 1 if bugfix release
+#      - by 5 on larger releases. This gives room to fix library interface
+#        problems in the unlikely event where an interface has to break.
 #    - set AA_LIB_REVISION to 0.
 # 4. If any interfaces have been added since the last public release, then
-#    - increment AA_LIB_AGE.
+#    - increment AA_LIB_AGE by the same amount that AA_LIB_CURRENT was
+#      incremented.
 # 5. If any interfaces have been removed or changed since the last public
 #    release, then
 #    - set AA_LIB_AGE to 0.
@@ -26,9 +30,12 @@ INCLUDES = $(all_includes)
 # For more information, see:
 # http://www.gnu.org/software/libtool/manual/html_node/Libtool-versioning.html
 #
-AA_LIB_CURRENT = 9
+# After changing the AA_LIB_* variables, also update EXPECTED_SO_NAME.
+
+AA_LIB_CURRENT = 13
 AA_LIB_REVISION = 2
-AA_LIB_AGE = 8
+AA_LIB_AGE = 12
+EXPECTED_SO_NAME = libapparmor.so.1.12.2
 
 SUFFIXES = .pc.in .pc
 
@@ -77,4 +84,8 @@ tst_kernel_LDFLAGS = -pthread
 check_PROGRAMS = tst_aalogmisc tst_features tst_kernel
 TESTS = $(check_PROGRAMS)
 
+.PHONY: check-local
+check-local:
+	test -f ./.libs/$(EXPECTED_SO_NAME) || { echo '*** unexpected .so name/number for libapparmor (expected $(EXPECTED_SO_NAME), the actual filename is shown below) ***' ; ls -l ./.libs/libapparmor.so.*.* ; exit 1; }
+
 EXTRA_DIST = grammar.y scanner.l libapparmor.map libapparmor.pc

libraries/libapparmor/src/grammar.y

@@ -159,7 +159,9 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_NAMESPACE
 %token TOK_KEY_ERROR
 %token TOK_KEY_FSUID
+%token TOK_KEY_FSUID_UPPER
 %token TOK_KEY_OUID
+%token TOK_KEY_OUID_UPPER
 %token TOK_KEY_UID
 %token TOK_KEY_AUID
 %token TOK_KEY_SAUID
@@ -185,6 +187,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_FSTYPE
 %token TOK_KEY_FLAGS
 %token TOK_KEY_SRCNAME
+%token TOK_KEY_CLASS
 
 %token TOK_SOCKLOGD_KERNEL
 %token TOK_SYSLOG_KERNEL
@@ -351,6 +354,10 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->fsuid = $3;}
 	| TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
 	{ ret_record->ouid = $3;}
+	| TOK_KEY_FSUID_UPPER TOK_EQUALS TOK_QUOTED_STRING
+	{ free($3);} /* Ignore - fsuid username */
+	| TOK_KEY_OUID_UPPER TOK_EQUALS TOK_QUOTED_STRING
+	{ free($3);} /* Ignore - ouid username */
 	| TOK_KEY_SAUID TOK_EQUALS TOK_DIGITS
 	{ /* Ignore - Source audit ID from user AVC messages */ }
 	| TOK_KEY_HOSTNAME TOK_EQUALS safe_string
@@ -425,6 +432,8 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 		ret_record->event = AA_RECORD_INVALID;
 		ret_record->info = $1;
 	}
+	| TOK_KEY_CLASS TOK_EQUALS TOK_QUOTED_STRING
+	{ ret_record->class = $3; }
 	;
 
 apparmor_event:

libraries/libapparmor/src/libaalogparse.c

@@ -103,6 +103,8 @@ void free_record(aa_log_record *record)
 			free(record->flags);
 		if (record->src_name != NULL)
 			free(record->src_name);
+		if (record->class != NULL)
+			free(record->class);
 
 		free(record);
 	}

libraries/libapparmor/src/scanner.l

@@ -72,7 +72,7 @@ void string_buf_append(unsigned int length, char *text)
 
 %}
 
-ws		[ \t\r\n]
+ws		[ \t\r\n\x1d]
 
 equals		"="
 digit		[[:digit:]]
@@ -121,6 +121,8 @@ key_namespace		"namespace"
 key_mask		"mask"
 key_denied_mask		"denied_mask"
 key_requested_mask	"requested_mask"
+key_denied		"denied"
+key_requested		"requested"
 key_attribute		"attribute"
 key_task		"task"
 key_parent		"parent"
@@ -138,7 +140,9 @@ key_sock_type		"sock_type"
 key_protocol		"protocol"
 key_error		"error"
 key_fsuid		"fsuid"
+key_fsuid_upper		"FSUID"
 key_ouid		"ouid"
+key_ouid_upper		"OUID"
 key_uid			"uid"
 key_auid		"auid"
 key_sauid		"sauid"
@@ -161,11 +165,13 @@ key_dest		"dest"
 key_path		"path"
 key_interface		"interface"
 key_member		"member"
+key_method		"method"
 key_signal		"signal"
 key_peer		"peer"
 key_fstype		"fstype"
 key_flags		"flags"
 key_srcname		"srcname"
+key_class		"class"
 audit			"audit"
 
 /* network addrs */
@@ -307,6 +313,8 @@ yy_flex_debug = 0;
 {key_mask}		{ return(TOK_KEY_MASK); }
 {key_denied_mask}	{ return(TOK_KEY_DENIED_MASK); }
 {key_requested_mask}	{ return(TOK_KEY_REQUESTED_MASK); }
+{key_denied}		{ return(TOK_KEY_DENIED_MASK); }
+{key_requested}		{ return(TOK_KEY_REQUESTED_MASK); }
 {key_attribute}		{ BEGIN(sub_id); return(TOK_KEY_ATTRIBUTE); }
 {key_task}		{ return(TOK_KEY_TASK); }
 {key_parent}		{ return(TOK_KEY_PARENT); }
@@ -324,7 +332,9 @@ yy_flex_debug = 0;
 {key_protocol}		{ return(TOK_KEY_PROTOCOL); }
 {key_error}		{ return(TOK_KEY_ERROR); }
 {key_fsuid}		{ return(TOK_KEY_FSUID); }
+{key_fsuid_upper}	{ return(TOK_KEY_FSUID_UPPER); }
 {key_ouid}		{ return(TOK_KEY_OUID); }
+{key_ouid_upper}	{ return(TOK_KEY_OUID_UPPER); }
 {key_uid}		{ return(TOK_KEY_UID); }
 {key_auid}		{ return(TOK_KEY_AUID); }
 {key_sauid}		{ return(TOK_KEY_SAUID); }
@@ -346,11 +356,13 @@ yy_flex_debug = 0;
 {key_path}		{ return(TOK_KEY_PATH); }
 {key_interface}		{ return(TOK_KEY_INTERFACE); }
 {key_member}		{ return(TOK_KEY_MEMBER); }
+{key_method}		{ return(TOK_KEY_MEMBER); }
 {key_signal}		{ BEGIN(sub_id); return(TOK_KEY_SIGNAL); }
 {key_peer}		{ BEGIN(safe_string); return(TOK_KEY_PEER); }
 {key_fstype}		{ return(TOK_KEY_FSTYPE); }
 {key_flags}		{ BEGIN(safe_string); return(TOK_KEY_FLAGS); }
 {key_srcname}		{ BEGIN(safe_string); return(TOK_KEY_SRCNAME); }
+{key_class}		{ BEGIN(safe_string); return(TOK_KEY_CLASS); }
 
 {socklogd_kernel}	{ BEGIN(dmesg_timestamp); return(TOK_SOCKLOGD_KERNEL); }
 {syslog_kernel}		{ BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }

libraries/libapparmor/swig/python/__init__.py

@@ -1,6 +1 @@
-import sys
-
-if sys.version_info[0] >= 3:
-    from LibAppArmor.LibAppArmor import *
-else:
-    from .LibAppArmor import *
+from LibAppArmor.LibAppArmor import *

libraries/libapparmor/swig/python/test/Makefile.am

@@ -10,8 +10,7 @@ test_python.py: test_python.py.in $(top_builddir)/config.status
 
 CLEANFILES = test_python.py
 
-# bah, how brittle is this?
-PYTHON_DIST_BUILD_PATH = '$(builddir)/../build/$$($(PYTHON) -c "import sysconfig; print(\"lib.%s-%s\" %(sysconfig.get_platform(), sysconfig.get_python_version()))")'
+PYTHON_DIST_BUILD_PATH = '$(builddir)/../build/$$($(PYTHON) buildpath.py)'
 
 TESTS	= test_python.py
 TESTS_ENVIRONMENT = \

libraries/libapparmor/swig/python/test/buildpath.py

@@ -0,0 +1,14 @@
+#!/usr/bin/python3
+# the build path has changed in setuptools 62.1:
+# https://github.com/pypa/setuptools/commit/1c23f5e1e4b18b50081cbabb2dea22bf345f5894
+import sys
+import sysconfig
+
+import setuptools
+
+
+if tuple(map(int, setuptools.__version__.split("."))) >= (62, 1):
+    identifier = sys.implementation.cache_tag
+else:
+    identifier = "%d.%d" % sys.version_info[:2]
+print("lib.%s-%s" % (sysconfig.get_platform(), identifier))

libraries/libapparmor/swig/python/test/test_python.py.in

@@ -13,6 +13,7 @@
 import ctypes
 import os
 import unittest
+
 import LibAppArmor as libapparmor
 
 TESTDIR = "../../../testsuite/test_multi"
@@ -34,6 +35,7 @@ OUTPUT_MAP = {
     'Local port':       'net_local_port',
     'Foreign port':     'net_foreign_port',
     'Audit subid':      'audit_sub_id',
+    'Class':            '_class',
 }
 
 # FIXME: pull this automatically out of LibAppArmor, but swig
@@ -75,11 +77,11 @@ class AAPythonBindingsTests(unittest.TestCase):
 
         expected = self.parse_output_file(outfile)
         self.assertEqual(expected, record,
-                          "expected records did not match\n" +
-                          "expected = %s\nactual = %s" % (expected, record))
+                         "expected records did not match\n"
+                         "expected = %s\nactual = %s" % (expected, record))
 
     def parse_output_file(self, outfile):
-        '''parse testcase .out file and return dict'''
+        """parse testcase .out file and return dict"""
 
         output = dict()
         with open(os.path.join(TESTDIR, outfile), 'r') as f:
@@ -105,10 +107,10 @@ class AAPythonBindingsTests(unittest.TestCase):
         return output
 
     def create_record_dict(self, record):
-        '''parse the swig created record and construct a dict from it'''
+        """parse the swig created record and construct a dict from it"""
 
         new_record = dict()
-        for key in [x for x in dir(record) if not (x.startswith('_') or x == 'this')]:
+        for key in [x for x in dir(record) if not (x.startswith('__') or x == 'this')]:
             value = getattr(record, key)
             if key == "event" and value in EVENT_MAP:
                 new_record[key] = EVENT_MAP[value]
@@ -128,7 +130,7 @@ class AAPythonBindingsTests(unittest.TestCase):
 
 
 def find_testcases(testdir):
-    '''dig testcases out of passed directory'''
+    """dig testcases out of passed directory"""
 
     for f in os.listdir(testdir):
         if f.endswith(".in"):
@@ -143,5 +145,6 @@ def main():
         setattr(AAPythonBindingsTests, 'test_%s' % (f), stub_test)
     return unittest.main(verbosity=2)
 
+
 if __name__ == "__main__":
     main()

libraries/libapparmor/testsuite/test_multi.c

@@ -134,6 +134,8 @@ int print_results(aa_log_record *record)
 		print_string("Flags", record->flags);
 		print_string("Src name", record->src_name);
 
+		print_string("Class", record->class);
+
 		print_long("Epoch", record->epoch, 0);
 		print_long("Audit subid", (long) record->audit_sub_id, 0);
 	return(0);

libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1661734785.992:270): apparmor="ALLOWED" operation="open" profile="/usr/bin/dolphin" name="/home/otis/.config/kdedefaults/kdeglobals" pid=3483 comm="dolphin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0FSUID="otis" OUID="root"

libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.out

@@ -0,0 +1,15 @@
+START
+File: 0x1d-uppercase-FSUID-OUID.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1661734785.992:270
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /usr/bin/dolphin
+Name: /home/otis/.config/kdedefaults/kdeglobals
+Command: dolphin
+PID: 3483
+Epoch: 1661734785
+Audit subid: 270

libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.profile

@@ -0,0 +1,4 @@
+/usr/bin/dolphin {
+  /home/otis/.config/kdedefaults/kdeglobals r,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.in

@@ -0,0 +1 @@
+Dec 15 17:32:17 kinetic kernel: [4835959.046111] audit: type=1107 audit(1671125537.724:209): pid=7308 uid=0 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" method="Hello" mask="send" label="/tmp/apparmor/tests/regression/apparmor/dbus_message" peer_label="unconfined" exe="/usr/local/bin/dbus-broker" sauid=0 hostname=? addr=? terminal=?'

libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.out

@@ -0,0 +1,15 @@
+START
+File: testcase_dbus_11.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1671125537.724:209
+Operation: dbus_method_call
+Denied Mask: send
+Profile: /tmp/apparmor/tests/regression/apparmor/dbus_message
+Peer profile: unconfined
+Command: /usr/local/bin/dbus-broker
+DBus bus: session
+DBus path: /org/freedesktop/DBus
+DBus interface: org.freedesktop.DBus
+DBus member: Hello
+Epoch: 1671125537
+Audit subid: 209

libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.profile

@@ -0,0 +1,4 @@
+/tmp/apparmor/tests/regression/apparmor/dbus_message {
+  dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(label=unconfined),
+
+}

parser/Makefile

@@ -60,7 +60,7 @@ WARNINGS = -Wall
 CXX_WARNINGS = ${WARNINGS} ${EXTRA_WARNINGS}
 CPP_WARNINGS =
 ifndef CFLAGS
-CFLAGS	= -g -O2 -pipe -flto-partition=none
+CFLAGS	= -g -O2 -pipe
 
 ifdef DEBUG
 CFLAGS += -pg -D DEBUG
@@ -70,6 +70,8 @@ CFLAGS = -g -pg -fprofile-arcs -ftest-coverage
 endif
 endif #CFLAGS
 
+CFLAGS	+= -flto-partition=none
+
 EXTRA_CXXFLAGS = ${CFLAGS} ${CPPFLAGS} ${CXX_WARNINGS} -std=gnu++0x
 EXTRA_CFLAGS = ${EXTRA_CXXFLAGS} ${CPP_WARNINGS}
 
@@ -384,11 +386,11 @@ DISTRO=$(shell if [ -f /etc/slackware-version ] ; then \
 	       elif [ -f /etc/debian_version ] ; then \
 	         echo debian ;\
 	       elif which rpm > /dev/null ; then \
-	         if [ "$(rpm --eval '0%{?suse_version}')" != "0" ] ; then \
+	         if [ "$$(rpm --eval '0%{?suse_version}')" != "0" ] ; then \
 	             echo suse ;\
-	         elif [ "$(rpm --eval '%{_host_vendor}')" = redhat ] ; then \
+	         elif [ "$$(rpm --eval '%{_host_vendor}')" = redhat ] ; then \
 	            echo rhel4 ;\
-	         elif [ "$(rpm --eval '0%{?fedora}')" != "0" ] ; then \
+	         elif [ "$$(rpm --eval '0%{?fedora}')" != "0" ] ; then \
 	            echo rhel4 ;\
 	         else \
 	            echo unknown ;\

parser/af_unix.cc

@@ -111,8 +111,7 @@ unix_rule::unix_rule(unsigned int type_p, bool audit_p, bool denied):
 
 unix_rule::unix_rule(int mode_p, struct cond_entry *conds,
 		     struct cond_entry *peer_conds):
-	af_rule("unix"), addr(NULL), peer_addr(NULL),
-	audit(0), deny(0)
+	af_rule("unix"), addr(NULL), peer_addr(NULL)
 {
 	move_conditionals(conds);
 	move_peer_conditionals(peer_conds);
@@ -136,7 +135,7 @@ ostream &unix_rule::dump_local(ostream &os)
 {
 	af_rule::dump_local(os);
 	if (addr)
-		os << "addr='" << addr << "'";
+		os << " addr='" << addr << "'";
 	return os;
 }
 
@@ -144,7 +143,7 @@ ostream &unix_rule::dump_peer(ostream &os)
 {
 	af_rule::dump_peer(os);
 	if (peer_addr)
-		os << "addr='" << peer_addr << "'";
+		os << " addr='" << peer_addr << "'";
 	return os;
 }
 

parser/af_unix.h

@@ -36,9 +36,6 @@ class unix_rule: public af_rule {
 public:
 	char *addr;
 	char *peer_addr;
-	int mode;
-	int audit;
-	bool deny;
 
 	unix_rule(unsigned int type_p, bool audit_p, bool denied);
 	unix_rule(int mode, struct cond_entry *conds,

parser/libapparmor_re/chfa.cc

@@ -193,9 +193,8 @@ void CHFA::insert_state(vector<pair<size_t, size_t> > &free_list,
 	State *default_state = dfa.nonmatching;
 	ssize_t base = 0;
 	int resize;
-
 	StateTrans &trans = from->trans;
-	ssize_t c = trans.begin()->first.c;
+	ssize_t c;
 	ssize_t prev = 0;
 	ssize_t x = first_free;
 
@@ -204,6 +203,7 @@ void CHFA::insert_state(vector<pair<size_t, size_t> > &free_list,
 	if (trans.empty())
 		goto do_insert;
 
+	c = trans.begin()->first.c;
 repeat:
 	resize = 0;
 	/* get the first free entry that won't underflow */
@@ -251,10 +251,18 @@ repeat:
 			first_free = next;
 	}
 
-do_insert:
+	/* these flags will only be set on states that have transitions */
 	if (c < 0) {
 		base |= MATCH_FLAG_OOB_TRANSITION;
 	}
+do_insert:
+	/* While a state without transitions could have the diff encode
+	 * flag set, it would be pointless resulting in just an extra
+	 * state transition in the encoding chain, and so it should be
+	 * considered an error
+	 * TODO: add check that state without transitions isn't being
+	 * given a diffencode flag
+	 */
 	if (from->flags & DiffEncodeFlag)
 		base |= DiffEncodeBit32;
 	default_base.push_back(make_pair(default_state, base));

parser/parser.h

@@ -66,10 +66,12 @@ extern int parser_token;
 #define WARN_FORMAT		0x400
 #define WARN_MISSING		0x800
 #define WARN_OVERRIDE		0x1000
+#define WARN_INCLUDE		0x2000
 
 #define WARN_DEV (WARN_RULE_NOT_ENFORCED | WARN_RULE_DOWNGRADED | WARN_ABI | \
 		  WARN_DEPRECATED | WARN_DANGEROUS | WARN_UNEXPECTED | \
-		  WARN_FORMAT | WARN_MISSING | WARN_OVERRIDE | WARN_DEBUG_CACHE)
+		  WARN_FORMAT | WARN_MISSING | WARN_OVERRIDE | \
+		  WARN_DEBUG_CACHE | WARN_INCLUDE)
 
 #define DEFAULT_WARNINGS (WARN_CONFIG | WARN_CACHE | WARN_JOBS | \
 			  WARN_UNEXPECTED | WARN_OVERRIDE)
@@ -77,7 +79,8 @@ extern int parser_token;
 #define WARN_ALL (WARN_RULE_NOT_ENFORCED | WARN_RULE_DOWNGRADED | WARN_ABI | \
 		  WARN_DEPRECATED | WARN_CONFIG | WARN_CACHE | \
 		  WARN_DEBUG_CACHE | WARN_JOBS | WARN_DANGEROUS | \
-		  WARN_UNEXPECTED | WARN_FORMAT | WARN_MISSING | WARN_OVERRIDE)
+		  WARN_UNEXPECTED | WARN_FORMAT | WARN_MISSING | \
+		  WARN_OVERRIDE | WARN_INCLUDE)
 
 extern dfaflags_t warnflags;
 extern dfaflags_t werrflags;

parser/parser_lex.l

@@ -613,6 +613,7 @@ GT		>
 	/* Don't use PUSH() macro here as we don't want #include echoed out.
 	 * It needs to be handled specially
 	 */
+	pwarn(WARN_INCLUDE, _("deprecated use of '#include'\n"));
 	yy_push_state(INCLUDE_EXISTS);
 }
 
@@ -627,6 +628,7 @@ include{WS}+if{WS}+exists/{WS}	{
 	/* Don't use PUSH() macro here as we don't want #include echoed out.
 	 * It needs to be handled specially
 	 */
+	pwarn(WARN_INCLUDE, _("deprecated use of '#include'\n"));
 	yy_push_state(INCLUDE);
 }
 

parser/parser_main.c

@@ -269,6 +269,7 @@ optflag_table_t warnflag_table[] = {
 	{ 1, "missing", "warn when missing qualifier and a default is used", WARN_MISSING },
 	{ 1, "override", "warn when overriding", WARN_OVERRIDE },
 	{ 1, "dev", "turn on warnings that are useful for profile development", WARN_DEV },
+	{ 1, "pound-include", "warn when #include is used", WARN_INCLUDE },
 	{ 1, "all", "turn on all warnings", WARN_ALL},
 	{ 0, NULL, NULL, 0 },
 };

parser/tst/caching.py

@@ -15,13 +15,11 @@
 # - check cache not used if parser in $PATH is newer
 # - check cache used for force-complain, disable symlink, etc.
 
-from argparse import ArgumentParser
 import os
-import platform
 import shutil
-import time
 import tempfile
 import unittest
+from argparse import ArgumentParser
 
 import testlib
 
@@ -51,7 +49,7 @@ class AAParserCachingCommon(testlib.AATestTemplate):
     do_cleanup = True
 
     def setUp(self):
-        '''setup for each test'''
+        """setup for each test"""
         global config
 
         # REPORT ALL THE OUTPUT
@@ -89,7 +87,7 @@ class AAParserCachingCommon(testlib.AATestTemplate):
         self.cache_file = os.path.join(self.cache_dir, PROFILE)
 
     def tearDown(self):
-        '''teardown for each test'''
+        """teardown for each test"""
 
         if not self.do_cleanup:
             print("\n===> Skipping cleanup, leaving testfiles behind in '%s'" % (self.tmp_dir))
@@ -115,7 +113,7 @@ class AAParserCachingCommon(testlib.AATestTemplate):
         return cache_dir
 
     def assert_path_exists(self, path, expected=True):
-        if expected is True:
+        if expected:
             self.assertTrue(os.path.exists(path),
                             'test did not create file %s, when it was expected to do so' % path)
         else:
@@ -138,20 +136,19 @@ class AAParserCachingCommon(testlib.AATestTemplate):
         with open(features_path) as f:
             features = f.read()
         if expected:
-            self.assertEqual(expected_output, features,
-                              "features contents differ, expected:\n%s\nresult:\n%s" % (expected_output, features))
+            self.assertEqual(
+                expected_output, features,
+                "features contents differ, expected:\n%s\nresult:\n%s" % (expected_output, features))
         else:
-            self.assertNotEqual(expected_output, features,
-                                 "features contents equal, expected:\n%s\nresult:\n%s" % (expected_output, features))
+            self.assertNotEqual(
+                expected_output, features,
+                "features contents equal, expected:\n%s\nresult:\n%s" % (expected_output, features))
 
 
 class AAParserBasicCachingTests(AAParserCachingCommon):
 
-    def setUp(self):
-        super(AAParserBasicCachingTests, self).setUp()
-
     def test_no_cache_by_default(self):
-        '''test profiles are not cached by default'''
+        """test profiles are not cached by default"""
 
         cmd = list(self.cmd_prefix)
         cmd.extend(('-q', '-r', self.profile))
@@ -159,7 +156,7 @@ class AAParserBasicCachingTests(AAParserCachingCommon):
         self.assert_path_exists(os.path.join(self.cache_dir, PROFILE), expected=False)
 
     def test_no_cache_w_skip_cache(self):
-        '''test profiles are not cached with --skip-cache'''
+        """test profiles are not cached with --skip-cache"""
 
         cmd = list(self.cmd_prefix)
         cmd.extend(('-q', '--write-cache', '--skip-cache', '-r', self.profile))
@@ -167,7 +164,7 @@ class AAParserBasicCachingTests(AAParserCachingCommon):
         self.assert_path_exists(os.path.join(self.cache_dir, PROFILE), expected=False)
 
     def test_cache_when_requested(self):
-        '''test profiles are cached when requested'''
+        """test profiles are cached when requested"""
 
         cmd = list(self.cmd_prefix)
         cmd.extend(('-q', '--write-cache', '-r', self.profile))
@@ -175,7 +172,7 @@ class AAParserBasicCachingTests(AAParserCachingCommon):
         self.assert_path_exists(os.path.join(self.cache_dir, PROFILE))
 
     def test_write_features_when_caching(self):
-        '''test features file is written when caching'''
+        """test features file is written when caching"""
 
         cmd = list(self.cmd_prefix)
         cmd.extend(('-q', '--write-cache', '-r', self.profile))
@@ -184,7 +181,7 @@ class AAParserBasicCachingTests(AAParserCachingCommon):
         self.assert_path_exists(os.path.join(self.cache_dir, '.features'))
 
     def test_features_match_when_caching(self):
-        '''test features file is written when caching'''
+        """test features file is written when caching"""
 
         self.require_apparmorfs()
 
@@ -198,10 +195,10 @@ class AAParserBasicCachingTests(AAParserCachingCommon):
 
 
 class AAParserAltCacheBasicTests(AAParserBasicCachingTests):
-    '''Same tests as above, but with an alternate cache location specified on the command line'''
+    """Same tests as above, but with an alternate cache location specified on the command line"""
 
     def setUp(self):
-        super(AAParserAltCacheBasicTests, self).setUp()
+        super().setUp()
 
         alt_cache_loc = tempfile.mkdtemp(prefix='aa-alt-cache', dir=self.tmp_dir)
         os.chmod(alt_cache_loc, 0o755)
@@ -211,34 +208,34 @@ class AAParserAltCacheBasicTests(AAParserBasicCachingTests):
         self.cache_dir = self.get_cache_dir()
 
     def tearDown(self):
-        if len(os.listdir(self.unused_cache_loc)) > 0:
-            self.fail('original cache dir \'%s\' not empty' % self.unused_cache_loc)
-        super(AAParserAltCacheBasicTests, self).tearDown()
+        if os.listdir(self.unused_cache_loc):
+            self.fail("original cache dir '%s' not empty" % self.unused_cache_loc)
+        super().tearDown()
 
 
 class AAParserCreateCacheBasicTestsCacheExists(AAParserBasicCachingTests):
-    '''Same tests as above, but with create cache option on the command line and the cache already exists'''
+    """Same tests as above, but with create cache option on the command line and the cache already exists"""
 
     def setUp(self):
-        super(AAParserCreateCacheBasicTestsCacheExists, self).setUp()
+        super().setUp()
         self.cmd_prefix.append('--create-cache-dir')
 
 
 class AAParserCreateCacheBasicTestsCacheNotExist(AAParserBasicCachingTests):
-    '''Same tests as above, but with create cache option on the command line and cache dir removed'''
+    """Same tests as above, but with create cache option on the command line and cache dir removed"""
 
     def setUp(self):
-        super(AAParserCreateCacheBasicTestsCacheNotExist, self).setUp()
+        super().setUp()
         shutil.rmtree(self.cache_dir)
         self.cmd_prefix.append('--create-cache-dir')
 
 
 class AAParserCreateCacheAltCacheTestsCacheNotExist(AAParserBasicCachingTests):
-    '''Same tests as above, but with create cache option on the command line,
-       alt cache specified, and cache dir removed'''
+    """Same tests as above, but with create cache option on the command line,
+       alt cache specified, and cache dir removed"""
 
     def setUp(self):
-        super(AAParserCreateCacheAltCacheTestsCacheNotExist, self).setUp()
+        super().setUp()
         shutil.rmtree(self.cache_dir)
         self.cmd_prefix.append('--create-cache-dir')
 
@@ -246,7 +243,7 @@ class AAParserCreateCacheAltCacheTestsCacheNotExist(AAParserBasicCachingTests):
 class AAParserCachingTests(AAParserCachingCommon):
 
     def setUp(self):
-        super(AAParserCachingTests, self).setUp()
+        super().setUp()
 
         r = testlib.filesystem_time_resolution()
         self.mtime_res = r[1]
@@ -258,27 +255,13 @@ class AAParserCachingTests(AAParserCachingCommon):
         self.run_cmd_check(cmd)
         self.assert_path_exists(self.cache_file)
 
-    def _assertTimeStampEquals(self, time1, time2):
-        '''Compare two timestamps to ensure equality'''
-
-        # python 3.2 and earlier don't support writing timestamps with
-        # nanosecond resolution, only microsecond. When comparing
-        # timestamps in such an environment, loosen the equality bounds
-        # to compensate
-        # Reference: https://bugs.python.org/issue12904
-        (major, minor, _) = platform.python_version_tuple()
-        if (int(major) < 3) or ((int(major) == 3) and (int(minor) <= 2)):
-            self.assertAlmostEquals(time1, time2, places=5)
-        else:
-            self.assertEqual(time1, time2)
-
     def _set_mtime(self, path, mtime):
         atime = os.stat(path).st_atime
         os.utime(path, (atime, mtime))
-        self._assertTimeStampEquals(os.stat(path).st_mtime, mtime)
+        self.assertEqual(os.stat(path).st_mtime, mtime)
 
     def test_cache_loaded_when_exists(self):
-        '''test cache is loaded when it exists, is newer than profile,  and features match'''
+        """test cache is loaded when it exists, is newer than profile, and features match"""
 
         self._generate_cache_file()
 
@@ -287,7 +270,7 @@ class AAParserCachingTests(AAParserCachingCommon):
         self.run_cmd_check(cmd, expected_string='Cached reload succeeded')
 
     def test_cache_not_loaded_when_skip_arg(self):
-        '''test cache is not loaded when --skip-cache is passed'''
+        """test cache is not loaded when --skip-cache is passed"""
 
         self._generate_cache_file()
 
@@ -296,7 +279,7 @@ class AAParserCachingTests(AAParserCachingCommon):
         self.run_cmd_check(cmd, expected_string='Replacement succeeded for')
 
     def test_cache_not_loaded_when_skip_read_arg(self):
-        '''test cache is not loaded when --skip-read-cache is passed'''
+        """test cache is not loaded when --skip-read-cache is passed"""
 
         self._generate_cache_file()
 
@@ -305,7 +288,7 @@ class AAParserCachingTests(AAParserCachingCommon):
         self.run_cmd_check(cmd, expected_string='Replacement succeeded for')
 
     def test_cache_not_loaded_when_features_differ(self):
-        '''test cache is not loaded when features file differs'''
+        """test cache is not loaded when features file differs"""
 
         self._generate_cache_file()
 
@@ -316,7 +299,7 @@ class AAParserCachingTests(AAParserCachingCommon):
         self.run_cmd_check(cmd, expected_string='Replacement succeeded for')
 
     def test_cache_writing_does_not_overwrite_features_when_features_differ(self):
-        '''test cache writing does not overwrite the features files when it differs and --skip-bad-cache is given'''
+        """test cache writing does not overwrite the features files when it differs and --skip-bad-cache is given"""
 
         self.require_apparmorfs()
 
@@ -330,7 +313,7 @@ class AAParserCachingTests(AAParserCachingCommon):
         self.compare_features_file(features_file, expected=False)
 
     def test_cache_writing_skipped_when_features_differ(self):
-        '''test cache writing is skipped when features file differs'''
+        """test cache writing is skipped when features file differs"""
 
         testlib.write_file(self.cache_dir, '.features', 'monkey\n')
 
@@ -340,14 +323,14 @@ class AAParserCachingTests(AAParserCachingCommon):
         self.assert_path_exists(self.cache_file, expected=False)
 
     def test_cache_writing_collision_of_features(self):
-        '''test cache writing collision of features'''
+        """test cache writing collision of features"""
         # cache dir with different features causes a collision resulting
         # in a new cache dir
         self.require_apparmorfs()
 
         features_file = testlib.write_file(self.cache_dir, '.features', 'monkey\n')
         new_file = self.get_cache_dir()
-        new_features_file = new_file + '/.features';
+        new_features_file = new_file + '/.features'
 
         cmd = list(self.cmd_prefix)
         cmd.extend(('-v', '--write-cache', '-r', self.profile))
@@ -357,7 +340,7 @@ class AAParserCachingTests(AAParserCachingCommon):
         self.compare_features_file(new_features_file)
 
     def test_cache_writing_updates_cache_file(self):
-        '''test cache writing updates cache file'''
+        """test cache writing updates cache file"""
 
         cache_file = testlib.write_file(self.cache_dir, PROFILE, 'monkey\n')
         orig_stat = os.stat(cache_file)
@@ -374,7 +357,7 @@ class AAParserCachingTests(AAParserCachingCommon):
         self.assertEqual(os.stat(self.profile).st_mtime, stat.st_mtime)
 
     def test_cache_writing_clears_all_files(self):
-        '''test cache writing clears all cache files'''
+        """test cache writing clears all cache files"""
 
         check_file = testlib.write_file(self.cache_dir, 'monkey', 'monkey\n')
 
@@ -384,7 +367,7 @@ class AAParserCachingTests(AAParserCachingCommon):
         self.assert_path_exists(check_file, expected=False)
 
     def test_profile_mtime_preserved(self):
-        '''test profile mtime is preserved when it is newest'''
+        """test profile mtime is preserved when it is newest"""
         expected = 1
         self._set_mtime(self.abstraction, 0)
         self._set_mtime(self.profile, expected)
@@ -392,7 +375,7 @@ class AAParserCachingTests(AAParserCachingCommon):
         self.assertEqual(expected, os.stat(self.cache_file).st_mtime)
 
     def test_abstraction_mtime_preserved(self):
-        '''test abstraction mtime is preserved when it is newest'''
+        """test abstraction mtime is preserved when it is newest"""
         expected = 1000
         self._set_mtime(self.profile, 0)
         self._set_mtime(self.abstraction, expected)
@@ -400,7 +383,7 @@ class AAParserCachingTests(AAParserCachingCommon):
         self.assertEqual(expected, os.stat(self.cache_file).st_mtime)
 
     def test_equal_mtimes_preserved(self):
-        '''test equal profile and abstraction mtimes are preserved'''
+        """test equal profile and abstraction mtimes are preserved"""
         expected = 10000 + self.mtime_res
         self._set_mtime(self.profile, expected)
         self._set_mtime(self.abstraction, expected)
@@ -408,7 +391,7 @@ class AAParserCachingTests(AAParserCachingCommon):
         self.assertEqual(expected, os.stat(self.cache_file).st_mtime)
 
     def test_profile_newer_skips_cache(self):
-        '''test cache is skipped if profile is newer'''
+        """test cache is skipped if profile is newer"""
 
         self._generate_cache_file()
         profile_mtime = os.stat(self.cache_file).st_mtime + self.mtime_res
@@ -426,7 +409,7 @@ class AAParserCachingTests(AAParserCachingCommon):
         self.assertEqual(orig_stat.st_mtime, stat.st_mtime)
 
     def test_abstraction_newer_skips_cache(self):
-        '''test cache is skipped if abstraction is newer'''
+        """test cache is skipped if abstraction is newer"""
 
         self._generate_cache_file()
         abstraction_mtime = os.stat(self.cache_file).st_mtime + self.mtime_res
@@ -444,7 +427,7 @@ class AAParserCachingTests(AAParserCachingCommon):
         self.assertEqual(orig_stat.st_mtime, stat.st_mtime)
 
     def test_profile_newer_rewrites_cache(self):
-        '''test cache is rewritten if profile is newer'''
+        """test cache is rewritten if profile is newer"""
 
         self._generate_cache_file()
         profile_mtime = os.stat(self.cache_file).st_mtime + self.mtime_res
@@ -458,10 +441,10 @@ class AAParserCachingTests(AAParserCachingCommon):
 
         stat = os.stat(self.cache_file)
         self.assertNotEqual(orig_stat.st_ino, stat.st_ino)
-        self._assertTimeStampEquals(profile_mtime, stat.st_mtime)
+        self.assertEqual(profile_mtime, stat.st_mtime)
 
     def test_abstraction_newer_rewrites_cache(self):
-        '''test cache is rewritten if abstraction is newer'''
+        """test cache is rewritten if abstraction is newer"""
 
         self._generate_cache_file()
         abstraction_mtime = os.stat(self.cache_file).st_mtime + self.mtime_res
@@ -475,10 +458,10 @@ class AAParserCachingTests(AAParserCachingCommon):
 
         stat = os.stat(self.cache_file)
         self.assertNotEqual(orig_stat.st_ino, stat.st_ino)
-        self._assertTimeStampEquals(abstraction_mtime, stat.st_mtime)
+        self.assertEqual(abstraction_mtime, stat.st_mtime)
 
     def test_parser_newer_uses_cache(self):
-        '''test cache is not skipped if parser is newer'''
+        """test cache is not skipped if parser is newer"""
 
         self._generate_cache_file()
 
@@ -504,24 +487,24 @@ class AAParserCachingTests(AAParserCachingCommon):
         self.assert_path_exists(cache_file, expected=False)
 
     def test_cache_purge_removes_features_file(self):
-        '''test cache --purge-cache removes .features file'''
+        """test cache --purge-cache removes .features file"""
         self._purge_cache_test('.features')
 
     def test_cache_purge_removes_cache_file(self):
-        '''test cache --purge-cache removes profile cache file'''
+        """test cache --purge-cache removes profile cache file"""
         self._purge_cache_test(PROFILE)
 
     def test_cache_purge_removes_other_cache_files(self):
-        '''test cache --purge-cache removes other cache files'''
+        """test cache --purge-cache removes other cache files"""
         self._purge_cache_test('monkey')
 
 
 class AAParserAltCacheTests(AAParserCachingTests):
-    '''Same tests as above, but with an alternate cache location specified on the command line'''
+    """Same tests as above, but with an alternate cache location specified on the command line"""
     check_orig_cache = True
 
     def setUp(self):
-        super(AAParserAltCacheTests, self).setUp()
+        super().setUp()
 
         alt_cache_loc = tempfile.mkdtemp(prefix='aa-alt-cache', dir=self.tmp_dir)
         os.chmod(alt_cache_loc, 0o755)
@@ -532,12 +515,12 @@ class AAParserAltCacheTests(AAParserCachingTests):
         self.cache_file = os.path.join(self.cache_dir, PROFILE)
 
     def tearDown(self):
-        if self.check_orig_cache and len(os.listdir(self.orig_cache_dir)) > 0:
-            self.fail('original cache dir \'%s\' not empty' % self.orig_cache_dir)
-        super(AAParserAltCacheTests, self).tearDown()
+        if self.check_orig_cache and os.listdir(self.orig_cache_dir):
+            self.fail("original cache dir '%s' not empty" % self.orig_cache_dir)
+        super().tearDown()
 
     def test_cache_purge_leaves_original_cache_alone(self):
-        '''test cache purging only touches alt cache'''
+        """test cache purging only touches alt cache"""
 
         # skip tearDown check to ensure non-alt cache is empty
         self.check_orig_cache = False
@@ -583,6 +566,7 @@ def main():
 
     return rc
 
+
 if __name__ == "__main__":
     rc = main()
     exit(rc)

parser/tst/dirtest.sh

@@ -31,8 +31,9 @@ do_tst() {
 	shift 2
 	#global tmpdir
 
-	${APPARMOR_PARSER} "$@" > "$tmpdir/out" 2>/dev/null
+	${APPARMOR_PARSER} "$@" > "$tmpdir/out.unsorted" 2>/dev/null
 	rc=$?
+	LC_ALL=C sort "$tmpdir/out.unsorted" > "$tmpdir/out"
 	if [ $rc -ne 0 ] && [ "$expected" != "fail" ] ; then
 		echo "failed: expected \"$expected\" but parser returned error"
 		return 1

parser/tst/dirtest/dirtest.out

@@ -1,3 +1,3 @@
-good_target
 a_profile
 b_profile
+good_target

parser/tst/errors.py

@@ -13,14 +13,15 @@
 #
 # ------------------------------------------------------------------
 
-from argparse import ArgumentParser
-import os
-import unittest
 import subprocess
+import unittest
+from argparse import ArgumentParser
+
 import testlib
 
 config = None
 
+
 class AAErrorTests(testlib.AATestTemplate):
     def setUp(self):
         self.maxDiff = None

parser/tst/gen-dbus.py

@@ -18,7 +18,8 @@
 
 from testlib import write_file
 
-def get_rule (quantifier, perms, session, name, path, interface, member, peer):
+
+def get_rule(quantifier, perms, session, name, path, interface, member, peer):
 
     result = ' '
 
@@ -30,6 +31,7 @@ def get_rule (quantifier, perms, session, name, path, interface, member, peer):
 
     return result
 
+
 def gen_file(test, xres, quantifier, perms, session, name, path, interface, member, peer):
     global count
 
@@ -46,7 +48,8 @@ def gen_file(test, xres, quantifier, perms, session, name, path, interface, memb
 
     count += 1
 
-def gen_files (test, xres, quantifiers, perms, sessions, names, paths, interfaces, members, peers):
+
+def gen_files(test, xres, quantifiers, perms, sessions, names, paths, interfaces, members, peers):
     for quantifier in quantifiers:
         for perm in perms:
             for session in sessions:
@@ -57,7 +60,8 @@ def gen_files (test, xres, quantifiers, perms, sessions, names, paths, interface
                                 for peer in peers:
                                     gen_file(test, xres, quantifier, perm, session, name, path, interface, member, peer)
 
-count=0
+
+count = 0
 
 quantifier = ('', 'deny', 'audit')
 session = ('', 'bus=session', 'bus=system', 'bus=accessibility')
@@ -109,12 +113,12 @@ gen_files('service-rules', 'PASS', quantifier, ['bind'], session,
 gen_files('eavesdrop-rules', 'PASS', quantifier, ['eavesdrop'], session,
           empty_tup, empty_tup, empty_tup, empty_tup, empty_tup)
 gen_file('sloppy-formatting', 'PASS', '', '(send , receive )', 'bus=session',
-	 '', 'path ="/foo/bar"', 'interface = com.foo', '  member=bar',
-	 'peer =(   label= /usr/bin/app name  ="com.foo")')
+         '', 'path ="/foo/bar"', 'interface = com.foo', '  member=bar',
+         'peer =(   label= /usr/bin/app name  ="com.foo")')
 gen_file('sloppy-formatting', 'PASS', '', 'bind', 'bus =session',
-	 'name= com.foo', '', '', '', '')
+         'name= com.foo', '', '', '', '')
 gen_file('sloppy-formatting', 'PASS', '', 'eavesdrop', 'bus = system',
-	 '', '', '', '', '')
+         '', '', '', '', '')
 
 # Don't use the empty element from each array since all empty conditionals would PASS but we want all FAILs
 msg_perms.remove('')

parser/tst/gen-xtrans.py

@@ -27,7 +27,7 @@ trans_modifiers = {
 
 targets = ("", "target", "target2")
 # null_target uses "_" instead of "" because "" gets skipped in some for loops. Replace with "" when actually using the value.
-null_target = ("_")
+null_target = ("_",)
 
 named_trans = {
     "p": targets,
@@ -60,6 +60,7 @@ qualifiers = ("", "owner")
 
 count = 0
 
+
 def gen_list():
     output = []
     for trans in trans_types:
@@ -71,8 +72,9 @@ def gen_list():
 
     return output
 
+
 def test_gen_list():
-    ''' test if gen_list returns the expected output '''
+    """test if gen_list returns the expected output"""
 
     expected = "pix pux px Pix Pux Px cix cux cx Cix Cux Cx ux ix".split()
     actual = gen_list()
@@ -80,6 +82,7 @@ def test_gen_list():
     if actual != expected:
         raise Exception("gen_list produced unexpected result, expected %s, got %s" % (expected, actual))
 
+
 def build_rule(leading, qual, name, perm, target):
     rule = ''
 
@@ -88,14 +91,15 @@ def build_rule(leading, qual, name, perm, target):
     else:
         rule += "\t%s %s %s" % (qual, name, perm)
 
-    if target != "":
+    if target:
         rule += " -> %s" % target
 
     rule += ",\n"
 
     return rule
 
-def gen_file (name, xres, leading1, qual1, rule1, perm1, target1, leading2, qual2, rule2, perm2, target2):
+
+def gen_file(name, xres, leading1, qual1, rule1, perm1, target1, leading2, qual2, rule2, perm2, target2):
     global count
     count += 1
 
@@ -144,23 +148,27 @@ def gen_files(name, rule1, rule2, default):
 
                             gen_file(file, xres, 0, q, rule1, i, t, 0, r, rule2, j, u)
 
+
 def gen_conflicting_x():
     gen_files("conflict", "/bin/cat", "/bin/cat", "FAIL")
 
+
 def gen_overlap_re_exact():
     gen_files("exact", "/bin/cat", "/bin/*", "PASS")
 
+
 # we currently don't support this, once supported change to "PASS"
 def gen_dominate_re_re():
     gen_files("dominate", "/bin/*", "/bin/**", "FAIL")
 
+
 def gen_ambiguous_re_re():
     gen_files("ambiguous", "/bin/a*", "/bin/*b", "FAIL")
 
 
 # test that rules that lead with permissions don't conflict with
 # the same rule using trailing permissions.
-def gen_leading_perms (name, rule1, rule2):
+def gen_leading_perms(name, rule1, rule2):
     perms = gen_list()
 
     for i in perms:
@@ -171,6 +179,7 @@ def gen_leading_perms (name, rule1, rule2):
                 file = prefix_leading + '/' + name + '-' + q + i + t + ".sd"
                 gen_file(file, "PASS", 0, q, rule1, i, t, 1, q, rule2, i, t)
 
+
 # test for rules with leading safe or unsafe keywords.
 # check they are equivalent to their counterpart,
 # or if $invert that they properly conflict with their counterpart
@@ -216,4 +225,4 @@ gen_safe_perms("overlap", "PASS", "inv", "/*", "/bin/cat")
 gen_safe_perms("dominate", "FAIL", "inv", "/**", "/*")
 gen_safe_perms("ambiguous", "FAIL", "inv", "/a*", "/*b")
 
-print ("Generated %s xtransition interaction tests" % count)
+print("Generated %s xtransition interaction tests" % count)

parser/tst/mk_features_file.py

@@ -10,12 +10,14 @@
 #
 # ------------------------------------------------------------------
 
-from testlib import read_features_dir
-from argparse import ArgumentParser
 import os
+from argparse import ArgumentParser
 from sys import stderr, exit
 
-DEFAULT_FEATURES_DIR='/sys/kernel/security/apparmor/features'
+from testlib import read_features_dir
+
+DEFAULT_FEATURES_DIR = '/sys/kernel/security/apparmor/features'
+
 
 def main():
     p = ArgumentParser()
@@ -33,5 +35,6 @@ def main():
 
     return 0
 
+
 if __name__ == "__main__":
     exit(main())

parser/tst/testlib.py

@@ -41,9 +41,9 @@ class AANoCleanupMetaClass(type):
 
     @classmethod
     def keep_on_fail(cls, unittest_func):
-        '''wrapping function for unittest testcases to detect failure
+        """wrapping function for unittest testcases to detect failure
            and leave behind test files in tearDown(); to be used as
-           a decorator'''
+           a decorator"""
 
         def new_unittest_func(self):
             try:
@@ -58,17 +58,17 @@ class AANoCleanupMetaClass(type):
 
 
 class AATestTemplate(unittest.TestCase, metaclass=AANoCleanupMetaClass):
-    '''Stub class for use by test scripts'''
+    """Stub class for use by test scripts"""
     debug = False
     do_cleanup = True
 
     def run_cmd_check(self, command, input=None, stderr=subprocess.STDOUT, stdout=subprocess.PIPE,
                       stdin=None, timeout=120, expected_rc=0, expected_string=None):
-        '''Wrapper around run_cmd that checks the rc code against
+        """Wrapper around run_cmd that checks the rc code against
            expected_rc and for expected strings in the output if
            passed. The valgrind tests generally don't care what the
            rc is as long as it's not a specific set of return codes,
-           so can't push the check directly into run_cmd().'''
+           so can't push the check directly into run_cmd()."""
         rc, report = self.run_cmd(command, input, stderr, stdout, stdin, timeout)
         self.assertEqual(rc, expected_rc, "Got return code %d, expected %d\nCommand run: %s\nOutput: %s" % (rc, expected_rc, (' '.join(command)), report))
         if expected_string:
@@ -77,11 +77,11 @@ class AATestTemplate(unittest.TestCase, metaclass=AANoCleanupMetaClass):
 
     def run_cmd(self, command, input=None, stderr=subprocess.PIPE, stdout=subprocess.PIPE,
                 stdin=None, timeout=120):
-        '''Try to execute given command (array) and return its stdout, or
-           return a textual error if it failed.'''
+        """Try to execute given command (array) and return its stdout, or
+           return a textual error if it failed."""
 
         if self.debug:
-            print('\n===> Running command: \'%s\'' % (' '.join(command)))
+            print("\n===> Running command: '%s'" % (' '.join(command)))
 
         (rc, out, outerr) = self._run_cmd(command, input, stderr, stdout, stdin, timeout)
         report = out + outerr
@@ -90,7 +90,7 @@ class AATestTemplate(unittest.TestCase, metaclass=AANoCleanupMetaClass):
 
     def _run_cmd(self, command, input=None, stderr=subprocess.PIPE, stdout=subprocess.PIPE,
                  stdin=None, timeout=120):
-        '''Try to execute given command (array) and return its rc, stdout, and stderr as a tuple'''
+        """Try to execute given command (array) and return its rc, stdout, and stderr as a tuple"""
 
         try:
             sp = subprocess.Popen(command, stdin=stdin, stdout=stdout, stderr=stderr,
@@ -121,7 +121,6 @@ class AATestTemplate(unittest.TestCase, metaclass=AANoCleanupMetaClass):
 # Timeout handler using alarm() from John P. Speno's Pythonic Avocado
 class TimeoutFunctionException(Exception):
     """Exception to raise on a timeout"""
-    pass
 
 
 class TimeoutFunction:
@@ -144,7 +143,7 @@ class TimeoutFunction:
 
 
 def filesystem_time_resolution():
-    '''detect whether the filesystem stores subsecond timestamps'''
+    """detect whether the filesystem stores subsecond timestamps"""
 
     default_diff = 0.1
     result = (True, default_diff)
@@ -199,7 +198,7 @@ def touch(path):
 
 
 def write_file(directory, file, contents):
-    '''construct path, write contents to it, and return the constructed path'''
+    """construct path, write contents to it, and return the constructed path"""
     path = os.path.join(directory, file)
     with open(path, 'w+') as f:
         f.write(contents)

parser/tst/valgrind_simple.py

@@ -13,11 +13,12 @@
 # TODO
 # - finish adding suppressions for valgrind false positives
 
-from argparse import ArgumentParser  # requires python 2.7 or newer
 import os
 import sys
-import tempfile
 import unittest
+from argparse import ArgumentParser
+from tempfile import NamedTemporaryFile
+
 import testlib
 
 DEFAULT_TESTDIR = "./simple_tests/vars"
@@ -50,12 +51,14 @@ class AAParserValgrindTests(testlib.AATestTemplate):
         command.extend(parser_args)
         command.append(testname)
         rc, output = self.run_cmd(command, timeout=120)
-        self.assertNotIn(rc, failure_rc,
-                    "valgrind returned error code %d, gave the following output\n%s\ncommand run: %s" % (rc, output, " ".join(command)))
+        self.assertNotIn(
+            rc, failure_rc,
+            "valgrind returned error code %d, gave the following output\n%s\ncommand run: %s"
+            % (rc, output, " ".join(command)))
 
 
 def find_testcases(testdir):
-    '''dig testcases out of passed directory'''
+    """dig testcases out of passed directory"""
 
     for (fdir, direntries, files) in os.walk(testdir):
         for f in files:
@@ -64,13 +67,10 @@ def find_testcases(testdir):
 
 
 def create_suppressions():
-    '''generate valgrind suppressions file'''
-
-    handle, name = tempfile.mkstemp(suffix='.suppressions', prefix='aa-parser-valgrind')
-    os.close(handle)
-    with open(name, "w+") as handle:
-        handle.write(VALGRIND_SUPPRESSIONS)
-    return name
+    """generate valgrind suppressions file"""
+    with NamedTemporaryFile("w+", suffix='.suppressions', prefix='aa-parser-valgrind', delete=False) as temp_file:
+        temp_file.write(VALGRIND_SUPPRESSIONS)
+    return temp_file.name
 
 
 def main():
@@ -125,6 +125,7 @@ def main():
 
     return rc
 
+
 if __name__ == "__main__":
     rc = main()
     exit(rc)

profiles/Makefile

@@ -41,7 +41,7 @@ ifdef USE_SYSTEM
     LOGPROF?=aa-logprof
 else
     # PYTHON_DIST_BUILD_PATH based on libapparmor/swig/python/test/Makefile.am
-    PYTHON_DIST_BUILD_PATH = ../libraries/libapparmor/swig/python/build/$$($(PYTHON) -c "import sysconfig; print(\"lib.%s-%s\" %(sysconfig.get_platform(), sysconfig.get_python_version()))")
+    PYTHON_DIST_BUILD_PATH = ../libraries/libapparmor/swig/python/build/$$($(PYTHON) ../libraries/libapparmor/swig/python/test/buildpath.py)
     LIBAPPARMOR_PATH=../libraries/libapparmor/src/.libs/
     LD_LIBRARY_PATH=$(LIBAPPARMOR_PATH):$(PYTHON_DIST_BUILD_PATH)
     PYTHONPATH=../utils/:$(PYTHON_DIST_BUILD_PATH)

profiles/apparmor.d/abstractions/audio

@@ -85,5 +85,8 @@ owner @{HOME}/.local/share/openal/hrtf/{,**} r,
 # wildmidi
 /etc/wildmidi/wildmidi.cfg r,
 
+# pipewire
+/usr/share/pipewire/client.conf r,
+
   # Include additions to the abstraction
   include if exists <abstractions/audio.d>

profiles/apparmor.d/abstractions/base

@@ -101,6 +101,7 @@
   @{PROC}/cpuinfo                r,
   @{sys}/devices/system/cpu/       r,
   @{sys}/devices/system/cpu/online r,
+  @{sys}/devices/system/cpu/possible r,
 
   # glibc's *printf protections read the maps file
   @{PROC}/@{pid}/{maps,auxv,status} r,

profiles/apparmor.d/abstractions/crypto

@@ -13,6 +13,7 @@
 
   abi <abi/3.0>,
 
+  @{etc_ro}/gcrypt/hwf.deny r,
   @{etc_ro}/gcrypt/random.conf r,
   @{PROC}/sys/crypto/fips_enabled r,
 

profiles/apparmor.d/abstractions/groff

@@ -0,0 +1,67 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2009 Novell/SUSE
+#    Copyright (C) 2009 Canonical Ltd.
+#    Copyright (C) 2023 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  # Note: executing groff and nroff themself is not included in this abstraction
+  # so that you can choose to ix, Px or Cx them in your profile
+
+  # groff/nroff helpers, preprocessors, and postprocessors
+  /usr/bin/addftinfo mrix,
+  /usr/bin/afmtodit mrix,
+  /usr/bin/chem mrix,
+  /usr/bin/eqn mrix,
+  /usr/bin/eqn2graph mrix,
+  /usr/bin/gdiffmk mrix,
+  /usr/bin/geqn mrix,
+  /usr/bin/grap2graph mrix,
+  /usr/bin/grn mrix,
+  /usr/bin/grodvi mrix,
+  /usr/bin/groffer mrix,
+  /usr/bin/grog mrix,
+  /usr/bin/grolbp mrix,
+  /usr/bin/grolj4 mrix,
+  /usr/bin/gropdf mrix,
+  /usr/bin/grops mrix,
+  /usr/bin/grotty mrix,
+  /usr/bin/gtbl mrix,
+  /usr/bin/hpftodit mrix,
+  /usr/bin/indxbib mrix,
+  /usr/bin/lkbib mrix,
+  /usr/bin/lookbib mrix,
+  /usr/bin/mmroff mrix,
+  /usr/bin/neqn mrix,
+  /usr/bin/pdfmom mrix,
+  /usr/bin/pdfroff mrix,
+  /usr/bin/pfbtops mrix,
+  /usr/bin/pic mrix,
+  /usr/bin/pic2graph mrix,
+  /usr/bin/post-grohtml mrix,
+  /usr/bin/pre-grohtml mrix,
+  /usr/bin/preconv mrix,
+  /usr/bin/refer mrix,
+  /usr/bin/roff2dvi mrix,
+  /usr/bin/roff2html mrix,
+  /usr/bin/roff2pdf mrix,
+  /usr/bin/roff2ps mrix,
+  /usr/bin/roff2text mrix,
+  /usr/bin/roff2x mrix,
+  /usr/bin/soelim mrix,
+  /usr/bin/tbl mrix,
+  /usr/bin/tfmtodit mrix,
+  /usr/bin/troff mrix,
+  /usr/bin/xtotroff mrix,
+
+  # at least its macros and fonts
+  /usr/libexec/groff/** r,
+  /usr/share/groff/** r,
+
+  # Include additions to the abstraction
+  include if exists <abstractions/groff.d>

profiles/apparmor.d/abstractions/kde

@@ -41,8 +41,11 @@ owner @{HOME}/.config/Trolltech.conf rwk,
 owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
 owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
 owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
+owner @{HOME}/.config/kdedefaults/kdeglobals r, # QPlatformThemeFactory::create() -> KDEPlasmaPlatformTheme.so
+owner @{HOME}/.config/kdedefaults/kwinrc r, # QStyleFactory::create() -> qt5/plugins/styles/breeze.so
 owner @{HOME}/.config/kdeglobals r, # global settings, used by Breeze style, etc.
 owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
+owner @{HOME}/.config/kwinrc r, # QStyleFactory::create() -> qt5/plugins/styles/breeze.so
 owner @{HOME}/.config/trashrc r, # Used by KFileWidget
 
 /usr/share/X11/XKeysymDB r,

profiles/apparmor.d/abstractions/nameservice

@@ -44,6 +44,7 @@
   @{run}/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
   @{etc_ro}/resolvconf/run/resolv.conf  r,
   @{run}/systemd/resolve/stub-resolv.conf r,
+  /mnt/wsl/resolv.conf r,
 
   @{etc_ro}/samba/lmhosts  r,
   @{etc_ro}/services       r,

profiles/apparmor.d/abstractions/nvidia

@@ -23,9 +23,13 @@
 
   @{sys}/devices/system/memory/block_size_bytes r,
 
+  owner @{HOME}/.cache/nvidia/ w,
+  owner @{HOME}/.cache/nvidia/GLCache/ rw,
+  owner @{HOME}/.cache/nvidia/GLCache/** rwk,
   owner @{HOME}/.nv/ w,
   owner @{HOME}/.nv/GLCache/ rw,
   owner @{HOME}/.nv/GLCache/** rwk,
+  owner @{PROC}/@{pid}/comm r, # somehwere in libnvidia-glcore.so
 
   unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"),
 

profiles/apparmor.d/abstractions/openssl

@@ -11,6 +11,7 @@
   abi <abi/3.0>,
 
   /etc/ssl/openssl.cnf r,
+  /etc/ssl/openssl-*.cnf r,
   /etc/ssl/{engdef,engines}.d/ r,
   /etc/ssl/{engdef,engines}.d/*.cnf r,
   /usr/share/ssl/openssl.cnf r,

profiles/apparmor.d/abstractions/samba

@@ -25,9 +25,10 @@
   /var/log/samba/cores/** rw,
   /var/log/samba/* w,
   @{run}/{,lock/}samba/ w,
-  @{run}/{,lock/}samba/*.tdb rw,
-  @{run}/{,lock/}samba/msg.lock/ rwk,
-  @{run}/{,lock/}samba/msg.lock/[0-9]* rwk,
+  @{run}/{,lock/}samba/*.tdb rwk,
+  @{run}/{,lock/}samba/msg.{lock,sock}/ rwk,
+  @{run}/{,lock/}samba/msg.{lock,sock}/[0-9]* rwk,
+  /var/cache/samba/*.tdb rwk,
   /var/cache/samba/msg.lock/ rwk,
   /var/cache/samba/msg.lock/[0-9]* rwk,
 

profiles/apparmor.d/abstractions/ssl_certs

@@ -17,7 +17,7 @@
   /etc/{,libre}ssl/certs/{,**} r,
   /{etc,usr/share}/pki/bl[ao]cklist/{,*} r,
   /{etc,usr/share}/pki/trust/{,*} r,
-  /{etc,usr/share}/pki/trust/anchors/{,**} r,
+  /{etc,usr/share}/pki/trust/{bl[oa]cklist,anchors}/{,**} r,
   /usr/share/ca-certificates/{,**} r,
   /usr/share/ssl/certs/ca-bundle.crt          r,
   /usr/local/share/ca-certificates/{,**} r,

profiles/apparmor.d/abstractions/ubuntu-helpers

@@ -80,6 +80,7 @@ profile sanitized_helper {
   /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome-sandbox PUxr,
   /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Pixr,
   /opt/brave.com/brave{,-beta,-dev,-nightly}/brave Pixr,
+  /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome_crashpad_handler Pixr,
   /opt/brave.com/brave{,-beta,-dev,-nightly}/{,**/}lib*.so{,.*} m,
 
   # Full access

profiles/apparmor.d/lsb_release

@@ -30,6 +30,8 @@ profile lsb_release {
   /{usr/,}bin/dash ixr,
   /usr/bin/basename ixr,
   /usr/bin/dpkg-query ixr,
+  /usr/bin/cat ixr,
+  /usr/bin/cut ixr,
   /usr/bin/getopt ixr,
   /usr/bin/sed ixr,
   /usr/bin/tr ixr,

profiles/apparmor.d/nvidia_modprobe

@@ -54,10 +54,10 @@ profile nvidia_modprobe {
     # System files
 
     /etc/modprobe.d/{,*.conf} r,
-    /etc/nvidia/current/*.conf r,
+    /etc/nvidia/{current,legacy*,tesla*}/*.conf r,
     @{sys}/module/ipmi_devintf/initstate r,
     @{sys}/module/ipmi_msghandler/initstate r,
-    @{sys}/module/nvidia/initstate r,
+    @{sys}/module/{drm,nvidia}/initstate r,
     @{PROC}/cmdline r,
   }
 

profiles/apparmor.d/php-fpm

@@ -35,6 +35,7 @@ profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) {
 
   # we need to be able to create all sockets
   @{run}/php{,-fpm}/php*-fpm.pid rw,
+  @{run}/php*-fpm.pid rw,
   @{run}/php{,-fpm}/php*-fpm.sock rwlk,
 
   # to reload

profiles/apparmor.d/samba-bgqd

@@ -14,9 +14,10 @@ profile samba-bgqd /usr/lib*/samba/{,samba/}samba-bgqd {
   @{PROC}/sys/kernel/core_pattern r,
   owner @{PROC}/@{pid}/fd/ r,
 
-  @{run}/samba/samba-bgqd.pid wk,
+  @{run}/{,samba/}samba-bgqd.pid rwk,
 
-  /usr/lib*/samba/{,samba/}samba-bgqd m,
+  /usr/lib*/samba/{,samba/}samba-bgqd mr,
+  /var/cache/samba/printing/*.tdb rwk,
 
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/samba-bgqd>

profiles/apparmor.d/samba-dcerpcd

@@ -16,10 +16,11 @@ include <tunables/global>
 profile samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {
   include <abstractions/samba-rpcd>
 
-  @{run}/samba/samba-dcerpcd.pid wk,
+  @{run}/{,samba/}samba-dcerpcd.pid rwk,
 
-  /usr/lib*/samba/{,samba/}samba-dcerpcd m,
+  /usr/lib*/samba/{,samba/}samba-dcerpcd mr,
 
+  /usr/lib*/samba/ r,
   /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} Px -> samba-rpcd,
   /usr/lib*/samba/{,samba/}rpcd_classic Px -> samba-rpcd-classic,
   /usr/lib*/samba/{,samba/}rpcd_spoolss Px -> samba-rpcd-spoolss,

profiles/apparmor.d/samba-rpcd

@@ -15,7 +15,10 @@ include <tunables/global>
 
 profile samba-rpcd /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} {
   include <abstractions/samba-rpcd>
-  /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} m,
+  /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} mr,
+
+  @{run}/samba/ncalrpc/np/winreg wr,
+
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/samba-rpcd>
 }

profiles/apparmor.d/samba-rpcd-classic

@@ -17,7 +17,7 @@ profile samba-rpcd-classic /usr/lib*/samba/{,samba/}rpcd_classic {
   include <abstractions/samba-rpcd>
   include <abstractions/wutmp>
 
-  /usr/lib*/samba/{,samba/}rpcd_classic m,
+  /usr/lib*/samba/{,samba/}rpcd_classic mr,
 
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/samba-rpcd-classic>

profiles/apparmor.d/samba-rpcd-spoolss

@@ -16,8 +16,16 @@ include <tunables/global>
 profile samba-rpcd-spoolss /usr/lib*/samba/{,samba/}rpcd_spoolss {
   include <abstractions/samba-rpcd>
 
-  /usr/lib*/samba/{,samba/}rpcd_spoolss m,
+  /usr/lib*/samba/{,samba/}rpcd_spoolss mr,
   /usr/lib*/samba/{,samba/}samba-bgqd Px -> samba-bgqd,
+  /var/cache/samba/printing/ w,
+  /var/cache/samba/printing/*.tdb rwk,
+  @{run}/{,samba/}samba-bgqd.pid rk,
+
+  /dev/urandom rw,
+
+  @{run}/samba/ncalrpc/ rw,
+  @{run}/samba/ncalrpc/** rw,
 
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/samba-rpcd-spoolss>

profiles/apparmor.d/sbin.syslog-ng

@@ -61,6 +61,7 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
   /{var,var/run,run}/log/journal/ r,
   /{var,var/run,run}/log/journal/*/ r,
   /{var,var/run,run}/log/journal/*/*.journal r,
+  /{var,var/run,run}/log/journal/*.journal r,
   @{run}/syslog-ng.ctl a,
   @{run}/syslog-ng/additional-log-sockets.conf r,
 

profiles/apparmor.d/sbin.syslogd

@@ -30,12 +30,16 @@ profile syslogd /{usr/,}{bin,sbin}/syslogd {
 
   /dev/log                      wl,
   /var/lib/*/dev/log            wl,
+  /proc/kmsg                    r,
 
   /dev/tty*                     w,
   /dev/xconsole                 rw,
   /etc/syslog.conf              r,
+  /etc/syslog.d/                r,
+  /etc/syslog.d/*               r,
   /{usr/,}{bin,sbin}/syslogd    rmix,
   /var/log/**                   rw,
+  @{run}/syslog.pid           krwl,
   @{run}/syslogd.pid          krwl,
   @{run}/utmp                 rw,
   /var/spool/compaq/nic/messages_fifo rw,

profiles/apparmor.d/usr.sbin.avahi-daemon

@@ -1,7 +1,7 @@
 abi <abi/3.0>,
 
 include <tunables/global>
-profile avahi-daemon /usr/{bin,sbin}/avahi-daemon {
+profile avahi-daemon /usr/{bin,sbin}/avahi-daemon flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/dbus>

profiles/apparmor.d/usr.sbin.dnsmasq

@@ -111,19 +111,26 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
   @{run}/containers/cni/dnsname/*/dnsmasq.conf r,
   @{run}/containers/cni/dnsname/*/addnhosts r,
   @{run}/containers/cni/dnsname/*/pidfile rw,
+  owner @{run}/user/*/containers/cni/dnsname/*/dnsmasq.conf r,
+  owner @{run}/user/*/containers/cni/dnsname/*/addnhosts r,
+  owner @{run}/user/*/containers/cni/dnsname/*/pidfile rw,
+
+  # waydroid lxc-net pid file
+  @{run}/waydroid-lxc/dnsmasq.pid rw,
 
   profile libvirt_leaseshelper {
     include <abstractions/base>
 
     /etc/libnl-3/classid r,
 
-    /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
-    /usr/libexec/libvirt_leaseshelper m,
+    /usr/lib{,64}/libvirt/libvirt_leaseshelper mr,
+    /usr/libexec/libvirt_leaseshelper mr,
 
     owner @{PROC}/@{pid}/net/psched r,
     owner @{PROC}/@{pid}/status r,
 
     @{sys}/devices/system/cpu/ r,
+    @{sys}/devices/system/cpu/possible r,
     @{sys}/devices/system/node/ r,
     @{sys}/devices/system/node/*/meminfo r,
 

profiles/apparmor.d/usr.sbin.nscd

@@ -41,6 +41,10 @@ profile nscd /usr/{bin,sbin}/nscd {
   @{PROC}/@{pid}/fd/* r,
   @{PROC}/@{pid}/mounts r,
 
+  # systemd-userdb
+  /{etc,run,run/host,/usr/lib}/userdb/ r,
+  /{etc,run,run/host,/usr/lib}/userdb/*.{user,user-privileged,group,group-privileged} r,
+
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/usr.sbin.nscd>
 }

profiles/apparmor.d/usr.sbin.smbd

@@ -49,14 +49,14 @@ profile smbd /usr/{bin,sbin}/smbd {
   /usr/{bin,sbin}/smbldap-useradd Px,
   /var/cache/samba/** rwk,
   /var/{cache,lib}/samba/printing/printers.tdb mrw,
+  /var/lib/nscd/netgroup r,
   /var/lib/samba/** rwk,
   /var/lib/sss/pubconf/kdcinfo.* r,
   @{run}/dbus/system_bus_socket rw,
-  @{run}/smbd.pid rwk,
+  @{run}/{,samba/}smbd.pid rwk,
   @{run}/samba/** rk,
   @{run}/samba/ncalrpc/ rw,
   @{run}/samba/ncalrpc/** rw,
-  @{run}/samba/smbd.pid rw,
   /var/spool/samba/** rw,
 
   @{HOMEDIRS}/** lrwk,

profiles/apparmor/profiles/extras/bin.netstat

@@ -46,4 +46,7 @@ profile netstat /{usr/,}bin/netstat {
   @{PROC}/@{pid}/net/udplite r,
   @{PROC}/@{pid}/net/udplit6 r,
   @{PROC}/@{pid}/net/unix r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/bin.netstat>
 }

profiles/apparmor/profiles/extras/etc.cron.daily.logrotate

@@ -74,4 +74,7 @@ include <tunables/global>
 
   /var/spool/slrnpull/ wr,
   /var/spool/slrnpull/log* wrl,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/etc.cron.daily.logrotate>
 }

profiles/apparmor/profiles/extras/etc.cron.daily.slocate.cron

@@ -25,4 +25,7 @@ include <tunables/global>
   /usr/bin/slocate                 mixr,
   /usr/bin/renice                  mixr,
   /**                              r   ,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/etc.cron.daily.slocate.cron>
 }

profiles/apparmor/profiles/extras/etc.cron.daily.tmpwatch

@@ -22,4 +22,7 @@ include <tunables/global>
   /var/cache/man*/**        r,
   /var/tmp                  r,
   /var/tmp/**               rwl,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/etc.cron.daily.tmpwatch>
 }

profiles/apparmor/profiles/extras/postfix-anvil

@@ -23,4 +23,7 @@ profile postfix-anvil /usr/lib/postfix/{bin/,sbin/,}anvil {
   /etc/postfix/main.cf                        r,
   /{var/spool/postfix/,}private/anvil         rw,
   /{var/spool/postfix/,}pid/unix.anvil        rwk,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-anvil>
 }

profiles/apparmor/profiles/extras/postfix-bounce

@@ -47,4 +47,7 @@ profile postfix-bounce /usr/lib/postfix/{bin/,sbin/,}bounce {
   /{var/spool/postfix/,}pid/unix.bounce          rwk,
   /{var/spool/postfix/,}pid/unix.defer           rwk,
   /{var/spool/postfix/,}pid/unix.trace           rwk,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-bounce>
 }

profiles/apparmor/profiles/extras/postfix-cleanup

@@ -38,4 +38,7 @@ profile postfix-cleanup /usr/lib/postfix/{bin/,sbin/,}cleanup {
 
   /etc/{m,fs}tab                              r,
   /etc/postfix/*                              r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-cleanup>
 }

profiles/apparmor/profiles/extras/postfix-discard

@@ -18,4 +18,7 @@ profile postfix-discard /usr/lib/postfix/{bin/,sbin/,}discard {
   include <abstractions/base>
 
   /usr/lib/postfix/{bin/,sbin/,}discard mrix,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-discard>
 }

profiles/apparmor/profiles/extras/postfix-dnsblog

@@ -19,4 +19,7 @@ profile postfix-dnsblog /usr/lib/postfix/{bin/,sbin/,}dnsblog {
   /usr/lib/postfix/{bin/,sbin/,}dnsblog mrix,
 
   /var/spool/postfix/private/dnsblog rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-dnsblog>
 }

profiles/apparmor/profiles/extras/postfix-error

@@ -26,4 +26,6 @@ profile postfix-error /usr/lib/postfix/{bin/,sbin/,}error {
   /var/spool/postfix/pid/unix.retry rwk,
   owner /var/spool/postfix/private/defer w,
 
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-error>
 }

profiles/apparmor/profiles/extras/postfix-flush

@@ -40,4 +40,6 @@ profile postfix-flush /usr/lib/postfix/{bin/,sbin/,}flush {
 
   @{HOME}/.forward                            r,
 
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-flush>
 }

profiles/apparmor/profiles/extras/postfix-lmtp

@@ -24,4 +24,6 @@ profile postfix-lmtp /usr/lib/postfix/{bin/,sbin/,}lmtp {
   /var/spool/postfix/active/* rwk,
   /var/spool/postfix/pid/unix.lmtp rwk,
 
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-lmtp>
 }

profiles/apparmor/profiles/extras/postfix-local

@@ -44,4 +44,7 @@ profile postfix-local /usr/lib/postfix/{bin/,sbin/,}local {
   /{var/spool/postfix/,}public/{cleanup,flush}          rw,
   # deliver mail
   /var/mail/*                                          wk,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-local>
 }

profiles/apparmor/profiles/extras/postfix-master

@@ -58,4 +58,7 @@ profile postfix-master /usr/lib/postfix/{bin/,sbin/,}master {
   /usr/lib/postfix/{bin/,sbin/,}trivial-rewrite     Px,
 
   owner /var/lib/postfix/master.lock rwk,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-master>
 }

profiles/apparmor/profiles/extras/postfix-nqmgr

@@ -45,4 +45,7 @@ profile postfix-nqmgr /usr/lib/postfix/{bin/,sbin/,}nqmgr {
   /{var/spool/postfix/,}private/local                             w,
   /{var/spool/postfix/,}public/flush                              w,
   /{var/spool/postfix/,}public/qmgr                               r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-nqmgr>
 }

profiles/apparmor/profiles/extras/postfix-oqmgr

@@ -20,4 +20,7 @@ profile postfix-oqmgr /usr/lib/postfix/{bin/,sbin/,}oqmgr {
   include <abstractions/postfix-common>
 
   /usr/lib/postfix/{bin/,sbin/,}oqmgr mrix,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-oqmgr>
 }

profiles/apparmor/profiles/extras/postfix-pickup

@@ -24,4 +24,7 @@ profile postfix-pickup /usr/lib/postfix/{bin/,sbin/,}pickup {
   /{var/spool/postfix/,}public/pickup            r,
   /{var/spool/postfix/,}maildrop/                r,
   /{var/spool/postfix/,}maildrop/*               rwl,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-pickup>
 }

profiles/apparmor/profiles/extras/postfix-pipe

@@ -27,4 +27,6 @@ profile postfix-pipe /usr/lib/postfix/{bin/,sbin/,}pipe {
   /var/spool/postfix/private/rewrite w,
   /var/spool/postfix/private/trace w,
 
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-pipe>
 }

profiles/apparmor/profiles/extras/postfix-postscreen

@@ -16,4 +16,7 @@ profile postfix-postscreen /usr/lib/postfix/{bin/,sbin/,}postscreen {
   include <abstractions/base>
 
   /usr/lib/postfix/{bin/,sbin/,}postscreen mrix,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-postscreen>
 }

profiles/apparmor/profiles/extras/postfix-proxymap

@@ -23,4 +23,7 @@ profile postfix-proxymap /usr/lib/postfix/{bin/,sbin/,}proxymap {
   /etc/my.cnf r,
   /usr/lib/postfix/{bin/,sbin/,}proxymap     mrix,
   /{var/spool/postfix/,}private/proxymap     rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-proxymap>
 }

profiles/apparmor/profiles/extras/postfix-qmgr

@@ -51,4 +51,7 @@ profile postfix-qmgr /usr/lib/postfix/{bin/,sbin/,}qmgr {
   /{var/spool/postfix/,}private/smtp                              w,
   /{var/spool/postfix/,}private/trace                             w,
   /{var/spool/postfix/,}private/uucp                              w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-qmgr>
 }

profiles/apparmor/profiles/extras/postfix-qmqpd

@@ -19,4 +19,7 @@ profile postfix-qmqpd /usr/lib/postfix/{bin/,sbin/,}qmqpd {
   include <abstractions/postfix-common>
 
   /usr/lib/postfix/{bin/,sbin/,}qmqpd mrix,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-qmqpd>
 }

profiles/apparmor/profiles/extras/postfix-scache

@@ -21,4 +21,7 @@ profile postfix-scache /usr/lib/postfix/{bin/,sbin/,}scache {
   include <abstractions/postfix-common>
 
   /usr/lib/postfix/{bin/,sbin/,}scache mrix,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-scache>
 }

profiles/apparmor/profiles/extras/postfix-showq

@@ -48,4 +48,7 @@ profile postfix-showq /usr/lib/postfix/{bin/,sbin/,}showq {
   /{var/spool/postfix/,}pid/unix.showq                             rwk,
   owner /{var/spool/postfix,}/defer/[0-9A-F]/[0-9A-F]* r,
   owner /{var/spool/postfix,}/deferred/[0-9A-F]/[0-9A-F]* r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-showq>
 }

profiles/apparmor/profiles/extras/postfix-smtp

@@ -45,4 +45,7 @@ profile postfix-smtp /usr/lib/postfix/{bin/,sbin/,}smtp {
   /etc/postfix/prng_exch                      rw,
   /usr/share/ssl/certs/ca-bundle.crt          r,
   /etc/mtab                                   r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-smtp>
 }

profiles/apparmor/profiles/extras/postfix-smtpd

@@ -52,4 +52,7 @@ profile postfix-smtpd /usr/lib/postfix/{bin/,sbin/,}smtpd {
   /{var/spool/postfix/,}public/cleanup           rw,
 
   /{,var/}run/sasl2/mux                             w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-smtpd>
 }

profiles/apparmor/profiles/extras/postfix-spawn

@@ -19,4 +19,7 @@ profile postfix-spawn /usr/lib/postfix/{bin/,sbin/,}spawn {
   include <abstractions/postfix-common>
 
   /usr/lib/postfix/{bin/,sbin/,}spawn mrix,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-spawn>
 }

profiles/apparmor/profiles/extras/postfix-tlsmgr

@@ -17,6 +17,7 @@ include <tunables/global>
 profile postfix-tlsmgr /usr/lib/postfix/{bin/,sbin/,}tlsmgr {
   include <abstractions/base>
   include <abstractions/nameservice>
+  include <abstractions/openssl>
   include <abstractions/postfix-common>
 
   /usr/lib/postfix/{bin/,sbin/,}tlsmgr mrix,
@@ -28,4 +29,7 @@ profile postfix-tlsmgr /usr/lib/postfix/{bin/,sbin/,}tlsmgr {
   /{,var/}run/smtpd_tls_session_cache.db rw,
   /var/lib/postfix/smtpd_scache.db rwk,
   /var/lib/postfix/smtp_scache.db rwk,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-tlsmgr>
 }

profiles/apparmor/profiles/extras/postfix-trivial-rewrite

@@ -26,4 +26,7 @@ profile postfix-trivial-rewrite /usr/lib/postfix/{bin/,sbin/,}trivial-rewrite {
   /etc/{m,fs}tab                              r,
   /var/spool/postfix/pid/unix.rewrite         rw,
   /{var/spool/postfix/,}private/rewrite       rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-trivial-rewrite>
 }

profiles/apparmor/profiles/extras/postfix-verify

@@ -19,4 +19,7 @@ profile postfix-verify /usr/lib/postfix/{bin/,sbin/,}verify {
   include <abstractions/postfix-common>
 
   /usr/lib/postfix/{bin/,sbin/,}verify mrix,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-verify>
 }

profiles/apparmor/profiles/extras/postfix-virtual

@@ -23,4 +23,7 @@ profile postfix-virtual /usr/lib/postfix/{bin/,sbin/,}virtual {
   /var/spool/postfix/active/* rw,
   /var/spool/postfix/pid/unix.virtual rw,
   /var/spool/postfix/private/bounce w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/postfix-virtual>
 }

profiles/apparmor/profiles/extras/sbin.dhclient

@@ -87,5 +87,6 @@ profile dhclient /{usr/,}sbin/dhclient {
   /var/lib/dhcp/* rw,
   /{,var/}run/nm-dhclient-*.conf r,
 
+  # Site-specific additions and overrides. See local/README for details.
   include if exists <local/sbin.dhclient>
 }

profiles/apparmor/profiles/extras/sbin.dhclient-script

@@ -27,5 +27,6 @@ profile dhclient-script /{usr/,}sbin/dhclient-script {
   /{usr/,}sbin/ip rix,
   /{usr/,}sbin/resolvconf rPUx,
 
+  # Site-specific additions and overrides. See local/README for details.
   include if exists <local/sbin.dhclient-script>
 }

profiles/apparmor/profiles/extras/sbin.dhcpcd

@@ -44,4 +44,7 @@ profile dhcpcd /{usr/,}sbin/dhcpcd {
   /var/lib/dhcpcd/dhcpcd-*.info rw,
   /var/lib/dhcpcd/dhcpcd-*.info.old rw,
   /{,var/}run/dhcpcd-*.pid rwl,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/sbin.dhcpcd>
 }

profiles/apparmor/profiles/extras/sbin.portmap

@@ -23,4 +23,7 @@ profile portmap /{usr/,}sbin/portmap {
 
   /etc/bindresvport.blacklist r,
   /{usr/,}sbin/portmap         rmix,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/sbin.portmap>
 }

profiles/apparmor/profiles/extras/sbin.resmgrd

@@ -31,4 +31,7 @@ profile resmgrd /{usr/,}sbin/resmgrd {
   /{,var/}run/fence* lrw,
   /{,var/}run/resmgr/classes/** wl,
   /{run,var}/lock/LCK* lrw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/sbin.resmgrd>
 }

profiles/apparmor/profiles/extras/sbin.rpc.lockd

@@ -15,4 +15,7 @@ include <tunables/global>
 profile rpc.lockd /{usr/,}sbin/rpc.lockd {
   include <abstractions/base>
   /{usr/,}sbin/rpc.lockd	rmix,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/sbin.rpc.lockd>
 }