Release: prepare for 2.12 release

update version and library version

Signed-off-by: John Johansen <john.johansen@canonical.com>

.gitignore

@@ -1,4 +1,10 @@
 apparmor-*
+cscope.*
+binutils/aa-enabled
+binutils/aa-enabled.1
+binutils/aa-exec
+binutils/aa-exec.1
+binutils/po/*.mo
 parser/po/*.mo
 parser/af_names.h
 parser/cap_names.h
@@ -13,6 +19,37 @@ parser/parser_version.h
 parser/parser_yacc.c
 parser/parser_yacc.h
 parser/pod2htm*.tmp
+parser/af_rule.o
+parser/af_unix.o
+parser/common_optarg.o
+parser/dbus.o
+parser/lib.o
+parser/libapparmor_re/aare_rules.o
+parser/libapparmor_re/chfa.o
+parser/libapparmor_re/expr-tree.o
+parser/libapparmor_re/hfa.o
+parser/libapparmor_re/libapparmor_re.a
+parser/libapparmor_re/parse.o
+parser/mount.o
+parser/network.o
+parser/parser_alias.o
+parser/parser_common.o
+parser/parser_include.o
+parser/parser_interface.o
+parser/parser_lex.o
+parser/parser_main.o
+parser/parser_merge.o
+parser/parser_misc.o
+parser/parser_policy.o
+parser/parser_regex.o
+parser/parser_symtab.o
+parser/parser_variable.o
+parser/parser_yacc.o
+parser/policy_cache.o
+parser/profile.o
+parser/ptrace.o
+parser/rule.o
+parser/signal.o
 parser/*.7
 parser/*.5
 parser/*.8
@@ -60,14 +97,22 @@ libraries/libapparmor/src/Makefile.in
 libraries/libapparmor/src/af_protos.h
 libraries/libapparmor/src/change_hat.lo
 libraries/libapparmor/src/features.lo
+libraries/libapparmor/src/features.o
 libraries/libapparmor/src/grammar.lo
+libraries/libapparmor/src/grammar.o
 libraries/libapparmor/src/kernel.lo
+libraries/libapparmor/src/kernel.o
 libraries/libapparmor/src/kernel_interface.lo
+libraries/libapparmor/src/kernel_interface.o
 libraries/libapparmor/src/libaalogparse.lo
+libraries/libapparmor/src/libaalogparse.o
 libraries/libapparmor/src/libimmunix_warning.lo
 libraries/libapparmor/src/policy_cache.lo
+libraries/libapparmor/src/policy_cache.o
 libraries/libapparmor/src/private.lo
+libraries/libapparmor/src/private.o
 libraries/libapparmor/src/scanner.lo
+libraries/libapparmor/src/scanner.o
 libraries/libapparmor/src/libapparmor.pc
 libraries/libapparmor/src/libapparmor.la
 libraries/libapparmor/src/libimmunix.la
@@ -75,7 +120,19 @@ libraries/libapparmor/src/grammar.c
 libraries/libapparmor/src/grammar.h
 libraries/libapparmor/src/scanner.c
 libraries/libapparmor/src/scanner.h
+libraries/libapparmor/src/test-suite.log
 libraries/libapparmor/src/tst_aalogmisc
+libraries/libapparmor/src/tst_aalogmisc.log
+libraries/libapparmor/src/tst_aalogmisc.o
+libraries/libapparmor/src/tst_aalogmisc.trs
+libraries/libapparmor/src/tst_features
+libraries/libapparmor/src/tst_features.log
+libraries/libapparmor/src/tst_features.o
+libraries/libapparmor/src/tst_features.trs
+libraries/libapparmor/src/tst_kernel
+libraries/libapparmor/src/tst_kernel.log
+libraries/libapparmor/src/tst_kernel.o
+libraries/libapparmor/src/tst_kernel.trs
 libraries/libapparmor/swig/Makefile
 libraries/libapparmor/swig/Makefile.in
 libraries/libapparmor/swig/perl/LibAppArmor.bs
@@ -89,6 +146,7 @@ libraries/libapparmor/swig/perl/MYMETA.json
 libraries/libapparmor/swig/perl/MYMETA.yml
 libraries/libapparmor/swig/perl/blib
 libraries/libapparmor/swig/perl/libapparmor_wrap.c
+libraries/libapparmor/swig/perl/libapparmor_wrap.o
 libraries/libapparmor/swig/perl/pm_to_blib
 libraries/libapparmor/swig/python/LibAppArmor.py
 libraries/libapparmor/swig/python/build/
@@ -98,6 +156,10 @@ libraries/libapparmor/swig/python/Makefile.in
 libraries/libapparmor/swig/python/setup.py
 libraries/libapparmor/swig/python/test/Makefile
 libraries/libapparmor/swig/python/test/Makefile.in
+libraries/libapparmor/swig/python/test/test-suite.log
+libraries/libapparmor/swig/python/test/test_python.py
+libraries/libapparmor/swig/python/test/test_python.py.log
+libraries/libapparmor/swig/python/test/test_python.py.trs
 libraries/libapparmor/swig/ruby/Makefile
 libraries/libapparmor/swig/ruby/Makefile.in
 libraries/libapparmor/testsuite/.deps
@@ -115,6 +177,7 @@ libraries/libapparmor/testsuite/lib/Makefile.in
 libraries/libapparmor/testsuite/libaalogparse.test/Makefile
 libraries/libapparmor/testsuite/libaalogparse.test/Makefile.in
 libraries/libapparmor/testsuite/test_multi/out
+libraries/libapparmor/testsuite/test_multi_multi-test_multi.o
 changehat/mod_apparmor/.libs
 utils/*.8
 utils/*.8.html
@@ -122,6 +185,14 @@ utils/*.5
 utils/*.5.html
 utils/*.tmp
 utils/po/*.mo
+utils/apparmor/*.pyc
+utils/apparmor/rule/*.pyc
+utils/test/.coverage
+utils/test/htmlcov/
+utils/vim/apparmor.vim
+utils/vim/apparmor.vim.5
+utils/vim/apparmor.vim.5.html
+utils/vim/pod2htmd.tmp
 tests/regression/apparmor/access
 tests/regression/apparmor/changehat
 tests/regression/apparmor/changehat_fail

Makefile

@@ -17,12 +17,9 @@ DIRS=libraries/libapparmor \
      profiles \
      tests
 
-#REPO_URL?=lp:apparmor
-# --per-file-timestamps is failing over SSH, https://bugs.launchpad.net/bzr/+bug/1257078
-REPO_URL?=https://code.launchpad.net/~apparmor-dev/apparmor/master
-# alternate possibilities to export from
-#REPO_URL=.
-#REPO_URL="bzr+ssh://bazaar.launchpad.net/~sbeattie/+junk/apparmor-dev/"
+# with conversion to git, we don't export from the remote
+REPO_URL?=git@gitlab.com:apparmor/apparmor.git
+REPO_BRANCH?=master
 
 COVERITY_DIR=cov-int
 RELEASE_DIR=apparmor-${VERSION}
@@ -31,7 +28,9 @@ __SETUP_DIR?=.
 # We create a separate version for tags because git can't handle tags
 # with embedded ~s in them. No spaces around '-' or they'll get
 # embedded in ${VERSION}
-TAG_VERSION=$(subst ~,-,${VERSION})
+# apparmor version tag format 'vX.Y.ZZ'
+# apparmor branch name format 'apparmor-X.Y'
+TAG_VERSION="v$(subst ~,-,${VERSION})"
 
 # Add exclusion entries arguments for tar here, of the form:
 #   --exclude dir_to_exclude --exclude other_dir
@@ -40,49 +39,48 @@ TAR_EXCLUSIONS=
 .PHONY: tarball
 tarball: clean
 	REPO_VERSION=`$(value REPO_VERSION_CMD)` && \
-	make export_dir __EXPORT_DIR=${RELEASE_DIR} __REPO_VERSION=$${REPO_VERSION} && \
-	make setup __SETUP_DIR=${RELEASE_DIR} && \
+	$(MAKE) export_dir __EXPORT_DIR=${RELEASE_DIR} __REPO_VERSION=$${REPO_VERSION} && \
+	$(MAKE) setup __SETUP_DIR=${RELEASE_DIR} && \
 	tar ${TAR_EXCLUSIONS} -cvzf ${RELEASE_DIR}.tar.gz ${RELEASE_DIR}
 
 .PHONY: snapshot
 snapshot: clean
 	$(eval REPO_VERSION:=$(shell $(value REPO_VERSION_CMD)))
-	$(eval SNAPSHOT_NAME=apparmor-$(VERSION)~$(REPO_VERSION))
-	make export_dir __EXPORT_DIR=${SNAPSHOT_NAME} __REPO_VERSION=${REPO_VERSION} && \
-	make setup __SETUP_DIR=${SNAPSHOT_NAME} && \
+	$(eval SNAPSHOT_NAME=apparmor-$(VERSION)~$(shell echo $(REPO_VERSION) | cut -d '-' -f 2-))
+	$(MAKE) export_dir __EXPORT_DIR=${SNAPSHOT_NAME} __REPO_VERSION=${REPO_VERSION} && \
+	$(MAKE) setup __SETUP_DIR=${SNAPSHOT_NAME} && \
 	tar ${TAR_EXCLUSIONS} -cvzf ${SNAPSHOT_NAME}.tar.gz ${SNAPSHOT_NAME}
 
 .PHONY: coverity
 coverity: snapshot
 	cd $(SNAPSHOT_NAME)/libraries/libapparmor && ./configure --with-python
 	$(foreach dir, $(filter-out utils profiles tests, $(DIRS)), \
-		cov-build --dir $(COVERITY_DIR) -- make -C $(SNAPSHOT_NAME)/$(dir);)
+		cov-build --dir $(COVERITY_DIR) -- $(MAKE) -C $(SNAPSHOT_NAME)/$(dir);)
 	tar -cvzf $(SNAPSHOT_NAME)-$(COVERITY_DIR).tar.gz $(COVERITY_DIR)
 
 .PHONY: export_dir
 export_dir:
 	mkdir $(__EXPORT_DIR)
-	/usr/bin/bzr export --per-file-timestamps -r $(__REPO_VERSION) $(__EXPORT_DIR) $(REPO_URL)
-	echo "$(REPO_URL) $(__REPO_VERSION)" > $(__EXPORT_DIR)/common/.stamp_rev
+	/usr/bin/git archive --prefix=$(__EXPORT_DIR)/ --format tar $(__REPO_VERSION) | tar xv
+	echo "$(REPO_URL) $(REPO_BRANCH) $(__REPO_VERSION)" > $(__EXPORT_DIR)/common/.stamp_rev
 
 .PHONY: clean
 clean:
 	-rm -rf ${RELEASE_DIR} ./apparmor-${VERSION}~* ${COVERITY_DIR}
 	for dir in $(DIRS); do \
-		make -C $$dir clean; \
+		$(MAKE) -C $$dir clean; \
 	done
 
 .PHONY: setup
 setup:
 	cd $(__SETUP_DIR)/libraries/libapparmor && ./autogen.sh
 	# parser has an extra doc to build
-	make -C $(__SETUP_DIR)/parser extra_docs
+	$(MAKE) -C $(__SETUP_DIR)/parser extra_docs
 	# libraries/libapparmor needs configure to have run before
 	# building docs
 	$(foreach dir, $(filter-out libraries/libapparmor tests, $(DIRS)), \
-		make -C $(__SETUP_DIR)/$(dir) docs;)
+		$(MAKE) -C $(__SETUP_DIR)/$(dir) docs;)
 
 .PHONY: tag
 tag:
-	bzr tag apparmor_${TAG_VERSION}
-
+	git tag -m 'AppArmor $(VERSION)' -s $(TAG_VERSION)

README

@@ -57,7 +57,14 @@ Building and Installing AppArmor Userspace
 ------------------------------------------
 
 To build and install AppArmor userspace on your system, build and install in
-the following order.
+the following order. Some systems may need to export various python-related
+environment variables to complete the build. For example, before building
+anything on these systems, use something along the lines of:
+
+$ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
+$ export PYTHON=/usr/bin/python3
+$ export PYTHON_VERSION=3
+$ export PYTHON_VERSIONS=python3
 
 
 libapparmor:
@@ -79,16 +86,16 @@ $ make check
 $ make install
 
 
-Utilities:
-$ cd utils
-$ make
+parser:
+$ cd parser
+$ make		# depends on libapparmor having been built first
 $ make check
 $ make install
 
 
-parser:
-$ cd parser
-$ make		# depends on libapparmor having been built first
+Utilities:
+$ cd utils
+$ make
 $ make check
 $ make install
 

binutils/Makefile

@@ -114,7 +114,7 @@ $(LIBAPPARMOR_A):
 		echo "error: $@ is missing. Pick one of these possible solutions:" 1>&2; \
 		echo "  1) Build against the in-tree libapparmor by building it first and then trying again. See the top-level README for help." 1>&2; \
 		echo "  2) Build against the system libapparmor by adding USE_SYSTEM=1 to your make command." 1>&2;\
-		return 1; \
+		exit 1; \
 	fi
 endif
 

binutils/po/de.po

@@ -8,14 +8,14 @@ msgstr ""
 "Project-Id-Version: apparmor\n"
 "Report-Msgid-Bugs-To: AppArmor list <apparmor@lists.ubuntu.com>\n"
 "POT-Creation-Date: 2015-11-28 10:23-0800\n"
-"PO-Revision-Date: 2017-03-31 10:44+0000\n"
-"Last-Translator: Tobias Bannert <tobannert@gmail.com>\n"
+"PO-Revision-Date: 2017-12-21 12:20+0000\n"
+"Last-Translator: Christian Boltz <Unknown>\n"
 "Language-Team: German <de@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-04-05 05:23+0000\n"
-"X-Generator: Launchpad (build 18335)\n"
+"X-Launchpad-Export-Date: 2017-12-22 05:12+0000\n"
+"X-Generator: Launchpad (build 18521)\n"
 "Language: de\n"
 
 #: ../aa_enabled.c:26
@@ -26,6 +26,10 @@ msgid ""
 "  -q | --quiet        Don't print out any messages\n"
 "  -h | --help         Print help\n"
 msgstr ""
+"%s: [Optionen]\n"
+"  Optionen:\n"
+"  -q | --quiet        Keine Nachrichten anzeigen\n"
+"  -h | --help         Hilfetext anzeigen\n"
 
 #: ../aa_enabled.c:45
 #, c-format
@@ -61,6 +65,7 @@ msgstr ""
 #, c-format
 msgid "Maybe - insufficient permissions to determine availability.\n"
 msgstr ""
+"Vielleicht - ungenügende Berechtigungen, um die Verfügbarkeit zu prüfen\n"
 
 #: ../aa_enabled.c:84
 #, c-format

changehat/mod_apparmor/Makefile

@@ -87,7 +87,7 @@ docs: ${MANPAGES} ${HTMLMANPAGES}
 install: ${TARGET} ${MANPAGES}
 	mkdir -p ${DESTDIR}/${APXS_INSTALL_DIR}
 	install -m 755 $< ${DESTDIR}/${APXS_INSTALL_DIR}
-	make install_manpages DESTDIR=${DESTDIR}
+	$(MAKE) install_manpages DESTDIR=${DESTDIR}
 
 .PHONY: clean
 clean: pod_clean

common/Make.rules

@@ -42,10 +42,9 @@ endif
 
 define nl
 
-
 endef
 
-REPO_VERSION_CMD=[ -x /usr/bin/bzr ] && /usr/bin/bzr version-info --custom --template="{revno}" . 2> /dev/null || awk '{ print $2 }' common/.stamp_rev
+REPO_VERSION_CMD=[ -x /usr/bin/git ] && /usr/bin/git describe --tags --long --abbrev=16 --match 'v*' 2> /dev/null || awk '{ print $2 }' common/.stamp_rev
 
 ifndef PYTHON_VERSIONS
 PYTHON_VERSIONS = $(call map, pathsearch, python2 python3)

common/Version

@@ -1 +1 @@
-2.11.95
+2.12

libraries/libapparmor/doc/aa_features.pod

@@ -136,6 +136,9 @@ I<aa_features> family of functions that return -1 on error.
 All aa_features functions described above are present in libapparmor version
 2.10 and newer.
 
+aa_features_unref() saves the value of errno when called and restores errno
+before exiting in libapparmor version 2.12 and newer.
+
 =head1 BUGS
 
 None known. If you find any, please report them at

libraries/libapparmor/doc/aa_kernel_interface.pod

@@ -133,7 +133,7 @@ I<*kernel_interface> will point to an I<aa_kernel_interface> object that must
 be freed by aa_kernel_interface_unref(). -1 is returned on error, with errno
 set appropriately, and I<*kernel_interface> will be set to NULL.
 
-aa_kernel_features_ref() returns the value of I<kernel_features>.
+aa_kernel_interface_ref() returns the value of I<kernel_interface>.
 
 The aa_kernel_interface_load() family of functions, the
 aa_kernel_interface_replace() family of functions,
@@ -150,6 +150,9 @@ I<aa_kernel_interface> family of functions that return -1 on error.
 All aa_kernel_interface functions described above are present in libapparmor
 version 2.10 and newer.
 
+aa_kernel_interface_unref() saves the value of errno when called and restores
+errno before exiting in libapparmor version 2.12 and newer.
+
 =head1 BUGS
 
 None known. If you find any, please report them at

libraries/libapparmor/doc/aa_policy_cache.pod

@@ -112,6 +112,9 @@ I<aa_policy_cache> family of functions that return -1 on error.
 All aa_policy_cache functions described above are present in libapparmor
 version 2.10 and newer.
 
+aa_policy_cache_unref() saves the value of errno when called and restores errno
+before exiting in libapparmor version 2.12 and newer.
+
 =head1 BUGS
 
 None known. If you find any, please report them at

libraries/libapparmor/src/Makefile.am

@@ -27,7 +27,7 @@ INCLUDES = $(all_includes)
 # http://www.gnu.org/software/libtool/manual/html_node/Libtool-versioning.html
 #
 AA_LIB_CURRENT = 5
-AA_LIB_REVISION = 0
+AA_LIB_REVISION = 2
 AA_LIB_AGE = 4
 
 SUFFIXES = .pc.in .pc

libraries/libapparmor/src/features.c

@@ -404,10 +404,7 @@ int aa_features_new(aa_features **features, int dirfd, const char *path)
 		 load_features_dir(dirfd, path, f->string, STRING_SIZE) :
 		 load_features_file(dirfd, path, f->string, STRING_SIZE);
 	if (retval == -1) {
-		int save = errno;
-
 		aa_features_unref(f);
-		errno = save;
 		return -1;
 	}
 
@@ -482,8 +479,12 @@ aa_features *aa_features_ref(aa_features *features)
  */
 void aa_features_unref(aa_features *features)
 {
+	int save = errno;
+
 	if (features && atomic_dec_and_test(&features->ref_count))
 		free(features);
+
+	errno = save;
 }
 
 /**

libraries/libapparmor/src/kernel_interface.c

@@ -229,10 +229,7 @@ int aa_kernel_interface_new(aa_kernel_interface **kernel_interface,
 	if (kernel_features) {
 		aa_features_ref(kernel_features);
 	} else if (aa_features_new_from_kernel(&kernel_features) == -1) {
-		int save = errno;
-
 		aa_kernel_interface_unref(ki);
-		errno = save;
 		return -1;
 	}
 	ki->supports_setload = aa_features_supports(kernel_features, set_load);
@@ -240,11 +237,8 @@ int aa_kernel_interface_new(aa_kernel_interface **kernel_interface,
 
 	if (!apparmorfs) {
 		if (find_iface_dir(&alloced_apparmorfs) == -1) {
-			int save = errno;
-
 			alloced_apparmorfs = NULL;
 			aa_kernel_interface_unref(ki);
-			errno = save;
 			return -1;
 		}
 		/* alloced_apparmorfs will be autofree'ed */
@@ -253,10 +247,7 @@ int aa_kernel_interface_new(aa_kernel_interface **kernel_interface,
 
 	ki->dirfd = open(apparmorfs, O_RDONLY | O_CLOEXEC | O_DIRECTORY);
 	if (ki->dirfd < 0) {
-		int save = errno;
-
 		aa_kernel_interface_unref(ki);
-		errno = save;
 		return -1;
 	}
 
@@ -283,12 +274,16 @@ aa_kernel_interface *aa_kernel_interface_ref(aa_kernel_interface *kernel_interfa
  */
 void aa_kernel_interface_unref(aa_kernel_interface *kernel_interface)
 {
+	int save = errno;
+
 	if (kernel_interface &&
 	    atomic_dec_and_test(&kernel_interface->ref_count)) {
 		if (kernel_interface->dirfd >= 0)
 			close(kernel_interface->dirfd);
 		free(kernel_interface);
 	}
+
+	errno = save;
 }
 
 /**

libraries/libapparmor/src/policy_cache.c

@@ -159,8 +159,6 @@ int aa_policy_cache_new(aa_policy_cache **policy_cache,
 open:
 	pc->dirfd = openat(dirfd, path, O_RDONLY | O_CLOEXEC | O_DIRECTORY);
 	if (pc->dirfd < 0) {
-		int save;
-
 		/* does the dir exist? */
 		if (create && errno == ENOENT) {
 			if (mkdirat(dirfd, path, 0700) == 0)
@@ -172,28 +170,20 @@ open:
 			PDEBUG("Cache directory '%s' does not exist\n", path);
 		}
 
-		save = errno;
 		aa_policy_cache_unref(pc);
-		errno = save;
 		return -1;
 	}
 
 	if (kernel_features) {
 		aa_features_ref(kernel_features);
 	} else if (aa_features_new_from_kernel(&kernel_features) == -1) {
-		int save = errno;
-
 		aa_policy_cache_unref(pc);
-		errno = save;
 		return -1;
 	}
 	pc->kernel_features = kernel_features;
 
 	if (init_cache_features(pc, kernel_features, create)) {
-		int save = errno;
-
 		aa_policy_cache_unref(pc);
-		errno = save;
 		return -1;
 	}
 
@@ -220,6 +210,8 @@ aa_policy_cache *aa_policy_cache_ref(aa_policy_cache *policy_cache)
  */
 void aa_policy_cache_unref(aa_policy_cache *policy_cache)
 {
+	int save = errno;
+
 	if (policy_cache && atomic_dec_and_test(&policy_cache->ref_count)) {
 		aa_features_unref(policy_cache->features);
 		aa_features_unref(policy_cache->kernel_features);
@@ -227,6 +219,8 @@ void aa_policy_cache_unref(aa_policy_cache *policy_cache)
 			close(policy_cache->dirfd);
 		free(policy_cache);
 	}
+
+	errno = save;
 }
 
 /**

libraries/libapparmor/testsuite/test_multi/avc_syslog_01.profile

@@ -1,4 +1,4 @@
 /usr/sbin/cupsd {
-  /boot/ r,
+  owner /boot/ r,
 
 }

libraries/libapparmor/testsuite/test_multi/syslog_audit_01.profile

@@ -1,4 +1,4 @@
 /home/ubuntu/bzr/apparmor/tests/regression/apparmor/mkdir {
-  /tmp/sdtest.7283-14445-r31VAP/tmpdir/ w,
+  owner /tmp/sdtest.7283-14445-r31VAP/tmpdir/ w,
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_dmesg_link_01.profile

@@ -1,4 +1,4 @@
 /home/ubuntu/bzr/apparmor/tests/regression/apparmor/link {
-  /tmp/sdtest.19088-12382-HWH57d/linkfile l,
+  owner /tmp/sdtest.19088-12382-HWH57d/linkfile l,
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.profile

@@ -1,4 +1,4 @@
 "/home/steve/tmp/my prog.sh" {
-  "/home/steve/tmp/my prog.sh" r,
+  owner "/home/steve/tmp/my prog.sh" r,
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_encoded_profile.profile

@@ -1,4 +1,4 @@
 profile "test space" {
-  /lib/x86_64-linux-gnu/libdl-2.13.so r,
+  owner /lib/x86_64-linux-gnu/libdl-2.13.so r,
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_syslog_link_01.profile

@@ -1,4 +1,4 @@
 /home/ubuntu/bzr/apparmor/tests/regression/apparmor/link {
-  /tmp/sdtest.19088-12382-HWH57d/linkfile l,
+  owner /tmp/sdtest.19088-12382-HWH57d/linkfile l,
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_syslog_read.profile

@@ -1,4 +1,4 @@
 /usr/sbin/vsftpd {
-  /home/bane/foo r,
+  owner /home/bane/foo r,
 
 }

parser/Makefile

@@ -179,7 +179,7 @@ $(LIBAPPARMOR_A):
 		echo "error: $@ is missing. Pick one of these possible solutions:" 1>&2; \
 		echo "  1) Build against the in-tree libapparmor by building it first and then trying again. See the top-level README for help." 1>&2; \
 		echo "  2) Build against the system libapparmor by adding USE_SYSTEM=1 to your make command." 1>&2;\
-		return 1; \
+		exit 1; \
 	fi
 endif
 

parser/tst/Makefile

@@ -57,7 +57,7 @@ valgrind: $(PARSER) gen_xtrans gen_dbus
 	LANG=C ./valgrind_simple.py -p "$(PARSER)" -v simple_tests
 
 $(PARSER):
-	make -C $(PARSER_DIR) $(PARSER_BIN)
+	$(MAKE) -C $(PARSER_DIR) $(PARSER_BIN)
 
 clean:
 	find $(GEN_TRANS_DIRS) -type f | xargs rm -f

parser/tst/simple_tests/file/allow/ok_append_1.sd

@@ -4,11 +4,11 @@
 # vim:syntax=apparmor
 #
 /usr/bin/foo {
-  allow /bin/cat a,
-  allow /bin/true ra,
-  allow /bin/false ma,
+  allow /{usr/,}bin/cat a,
+  allow /{usr/,}bin/true ra,
+  allow /{usr/,}bin/false ma,
   allow /lib/libc.so la,
-  allow /bin/less ixa,
-  allow /bin/more pxa,
+  allow /{usr/,}bin/less ixa,
+  allow /{usr/,}bin/more pxa,
   allow /a uxa,
 }

parser/tst/simple_tests/file/allow/ok_embedded_spaces_1.sd

@@ -2,6 +2,6 @@
 #=EXRESULT PASS
 # vim:syntax=apparmor
 
-/bin/foo {
+/{usr/,}bin/foo {
   allow "/abc\ def" r,
 }

parser/tst/simple_tests/file/allow/ok_embedded_spaces_2.sd

@@ -2,6 +2,6 @@
 #=EXRESULT PASS
 # vim:syntax=apparmor
 
-/bin/foo {
+/{usr/,}bin/foo {
   allow "/abc def" r,
 }

parser/tst/simple_tests/file/allow/ok_lock_1.sd

@@ -4,15 +4,15 @@
 # vim:syntax=apparmor
 #
 /usr/bin/foo {
-  allow /bin/a k,
-  allow /bin/b rk,
-  allow /bin/c wk,
-  allow /bin/d ak,
-  allow /bin/e lk,
-  allow /bin/e mk,
-  allow /bin/f pxk,
-  allow /bin/g Pxk,
-  allow /bin/h ixk,
-  allow /bin/i uxk,
-  allow /bin/j Uxk,
+  allow /{usr/,}bin/a k,
+  allow /{usr/,}bin/b rk,
+  allow /{usr/,}bin/c wk,
+  allow /{usr/,}bin/d ak,
+  allow /{usr/,}bin/e lk,
+  allow /{usr/,}bin/e mk,
+  allow /{usr/,}bin/f pxk,
+  allow /{usr/,}bin/g Pxk,
+  allow /{usr/,}bin/h ixk,
+  allow /{usr/,}bin/i uxk,
+  allow /{usr/,}bin/j Uxk,
 }

parser/tst/simple_tests/file/allow/ok_mmap_1.sd

@@ -4,10 +4,10 @@
 # vim:syntax=apparmor
 #
 /usr/bin/foo {
-  allow /bin/cat mix,
-  allow /bin/true mpx,
-  allow /bin/false mux,
+  allow /{usr/,}bin/cat mix,
+  allow /{usr/,}bin/true mpx,
+  allow /{usr/,}bin/false mux,
   allow /lib/libc.so rwlm,
-  allow /bin/less mUx,
-  allow /bin/more mPx,
+  allow /{usr/,}bin/less mUx,
+  allow /{usr/,}bin/more mPx,
 }

parser/tst/simple_tests/file/allow/ok_mmap_2.sd

@@ -4,12 +4,12 @@
 # vim:syntax=apparmor
 #
 /usr/bin/foo {
-  allow /bin/cat rm,
-  allow /bin/cat ix,
-  allow /bin/true px,
-  allow /bin/true m,
-  allow /bin/false m,
-  allow /bin/false ux,
+  allow /{usr/,}bin/cat rm,
+  allow /{usr/,}bin/cat ix,
+  allow /{usr/,}bin/true px,
+  allow /{usr/,}bin/true m,
+  allow /{usr/,}bin/false m,
+  allow /{usr/,}bin/false ux,
   allow /lib/libc.so rwl,
   allow /lib/libc.so m,
 }

profiles/apparmor.d/abstractions/X

@@ -17,6 +17,7 @@
 
   # .Xauthority files required for X connections, per user
   owner @{HOME}/.Xauthority r,
+  owner @{HOME}/.local/share/sddm/.Xauthority r,
   owner /{,var/}run/gdm{,3}/*/database r,
   owner /{,var/}run/lightdm/authority/[0-9]* r,
   owner /{,var/}run/lightdm/*/xauthority r,

profiles/apparmor.d/abstractions/audio

@@ -49,7 +49,7 @@ owner @{HOME}/.cache/event-sound-cache.* rwk,
 
 # pulse
 /etc/pulse/ r,
-/etc/pulse/* r,
+/etc/pulse/** r,
 /{run,dev}/shm/ r,
 owner /{run,dev}/shm/pulse-shm* rwk,
 owner @{HOME}/.pulse-cookie rwk,
@@ -57,6 +57,8 @@ owner @{HOME}/.pulse/ rw,
 owner @{HOME}/.pulse/* rwk,
 owner /{,var/}run/user/*/pulse/  rw,
 owner /{,var/}run/user/*/pulse/{native,pid} rwk,
+owner @{HOME}/.config/pulse/*.conf r,
+owner @{HOME}/.config/pulse/client.conf.d/{,*.conf} r,
 owner @{HOME}/.config/pulse/cookie rwk,
 owner /tmp/pulse-*/ rw,
 owner /tmp/pulse-*/* rw,

profiles/apparmor.d/abstractions/fonts

@@ -39,6 +39,8 @@
   owner @{HOME}/.fonts.conf             r,
   owner @{HOME}/.fonts/                 r,
   owner @{HOME}/.fonts/**               r,
+  owner @{HOME}/.local/share/fonts/     r,
+  owner @{HOME}/.local/share/fonts/**   r,
   owner @{HOME}/.fonts.cache-2          mr,
   owner @{HOME}/.{,cache/}fontconfig/   r,
   owner @{HOME}/.{,cache/}fontconfig/** mrl,

profiles/apparmor.d/abstractions/ubuntu-browsers

@@ -39,4 +39,4 @@
   # some unpackaged, but popular browsers
   /usr/lib/icecat-*/icecat Cx -> sanitized_helper,
   /usr/bin/opera Cx -> sanitized_helper,
-  /opt/google/chrome/google-chrome Cx -> sanitized_helper,
+  /opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} Cx -> sanitized_helper,

profiles/apparmor.d/abstractions/ubuntu-browsers.d/java

@@ -4,11 +4,10 @@
   owner @{HOME}/.java/deployment/deployment.properties k,
   /etc/java-*/ r,
   /etc/java-*/** r,
-  /usr/lib/jvm/java-{6,7}-openjdk*/jre/lib/*/IcedTeaPlugin.so mr,
-  /usr/lib/jvm/java-6-openjdk/jre/bin/java cx -> browser_openjdk,
-  /usr/lib/jvm/java-6-openjdk-{amd64,armel,armhf,i386,powerpc}/jre/bin/java cx -> browser_openjdk,
-  /usr/lib/jvm/java-7-openjdk/jre/bin/java cx -> browser_openjdk,
-  /usr/lib/jvm/java-7-openjdk-{amd64,armel,armhf,i386,powerpc}/jre/bin/java cx -> browser_openjdk,
+  /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}lib/*/IcedTeaPlugin.so mr,
+  /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}lib/*/IcedTeaPlugin.so mr,
+  /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}bin/java cx -> browser_openjdk,
+  /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}bin/java cx -> browser_openjdk,
   /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java,
   /usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> browser_java,
   /usr/lib/j2*-ibm/jre/bin/java cx -> browser_java,
@@ -48,12 +47,15 @@
     /var/lib/dbus/machine-id r,
 
     /usr/bin/env ix,
-    /usr/lib/jvm/java-{6,7}-openjdk*/jre/bin/java ix,
+    /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}bin/java ix,
+    /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}bin/java ix,
     /usr/lib/jvm/java-{6,7}-openjdk*/jre/lib/i386/client/classes.jsa m,
 
     # Why would java need this?
     deny /usr/bin/gconftool-2 x,
 
+    owner /{,var/}run/user/[0-9]*/icedteaplugin-*-*/[0-9]*-icedteanp-appletviewer-to-plugin rw,
+    owner /{,var/}run/user/[0-9]*/icedteaplugin-*-*/[0-9]*-icedteanp-plugin-{,debug-}to-appletviewer r,
     owner @{HOME}/ r,
     owner @{HOME}/** rwk,
   }

profiles/apparmor.d/abstractions/ubuntu-email

@@ -20,5 +20,5 @@
   /usr/bin/sylpheed Cx -> sanitized_helper,
   /usr/bin/tkrat Cx -> sanitized_helper,
 
-  /usr/lib/thunderbird*/thunderbird{,.sh} Cx -> sanitized_helper,
+  /usr/lib/thunderbird*/thunderbird{,.sh,-bin} Cx -> sanitized_helper,
 

profiles/apparmor.d/abstractions/ubuntu-helpers

@@ -44,6 +44,9 @@ profile sanitized_helper {
   #include <abstractions/dbus-strict>
   dbus,
 
+  # Needed for Google Chrome
+  ptrace (trace) peer=**//sanitized_helper,
+
   # Allow exec of anything, but under this profile. Allow transition
   # to other profiles if they exist.
   /{usr/,}bin/* Pixr,
@@ -66,10 +69,10 @@ profile sanitized_helper {
   # paths (man ld.so)).
   /usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
   /usr/lib/chromium{,-browser}/chrome-sandbox PUxr,
-  /opt/google/chrome/chrome-sandbox PUxr,
-  /opt/google/chrome/google-chrome Pixr,
-  /opt/google/chrome/chrome Pixr,
-  /opt/google/chrome/lib*.so{,.*} m,
+  /opt/google/chrome{,-beta,-unstable}/chrome-sandbox PUxr,
+  /opt/google/chrome{,-beta,-unstable}/google-chrome Pixr,
+  /opt/google/chrome{,-beta,-unstable}/chrome Pixr,
+  /opt/google/chrome{,-beta,-unstable}/{,**/}lib*.so{,.*} m,
 
   # Full access
   / r,

profiles/apparmor.d/sbin.syslog-ng

@@ -38,6 +38,7 @@ profile syslog-ng /{usr/,}sbin/syslog-ng {
   /dev/syslog w,
   /dev/tty10 rw,
   /dev/xconsole rw,
+  /dev/kmsg r,
   /etc/machine-id r,
   /etc/syslog-ng/* r,
   /etc/syslog-ng/conf.d/ r,

profiles/apparmor.d/usr.lib.dovecot.auth

@@ -22,6 +22,8 @@
   #include <abstractions/dovecot-common>
 
   capability audit_write,
+  capability dac_override,
+  capability dac_read_search,
   capability setuid,
 
   /etc/my.cnf r,

profiles/apparmor.d/usr.lib.dovecot.dict

@@ -15,6 +15,7 @@
   #include <abstractions/base>
   #include <abstractions/mysql>
   #include <abstractions/nameservice>
+  #include <abstractions/openssl>
   #include <abstractions/dovecot-common>
 
   capability setuid,

profiles/apparmor.d/usr.lib.dovecot.imap

@@ -32,6 +32,8 @@
   /etc/dovecot/conf.d/ r,
   /etc/dovecot/conf.d/** r,
 
+  owner /tmp/dovecot.imap.* rw,
+
   /usr/bin/doveconf rix,
   /usr/lib/dovecot/imap mrix,
   /usr/share/dovecot/** r,

profiles/apparmor.d/usr.lib.dovecot.managesieve-login

@@ -27,6 +27,7 @@
   network inet6 stream,
 
   /usr/lib/dovecot/managesieve-login mr,
+  /{,var/}run/dovecot/login-master-notify* rw,
   /{,var/}run/dovecot/login/ r,
   /{,var/}run/dovecot/login/* rw,
 

profiles/apparmor.d/usr.lib.dovecot.pop3-login

@@ -23,6 +23,7 @@
   capability sys_chroot,
 
   /usr/lib/dovecot/pop3-login mr,
+  /{,var/}run/dovecot/anvil rw,
   /{,var/}run/dovecot/login/ r,
   /{,var/}run/dovecot/login/* rw,
 

profiles/apparmor.d/usr.sbin.dovecot

@@ -23,6 +23,7 @@
 
   capability chown,
   capability dac_override,
+  capability dac_read_search,
   capability fsetid,
   capability kill,
   capability net_bind_service,
@@ -30,6 +31,8 @@
   capability sys_chroot,
   capability sys_resource,
 
+  signal send set=(int,quit) peer=/usr/lib/dovecot/*,
+
   /etc/dovecot/** r,
   /etc/mtab r,
   /etc/lsb-release r,

profiles/apparmor/profiles/extras/bin.netstat

@@ -22,7 +22,9 @@ profile netstat /{usr/,}bin/netstat {
 
   capability dac_override,
   capability dac_read_search,
-  deny capability sys_ptrace,
+  capability sys_ptrace,
+
+  ptrace (read),
 
   /{usr/,}bin/netstat rmix,
   /etc/networks r,

profiles/apparmor/profiles/extras/usr.sbin.useradd

@@ -20,6 +20,7 @@
   #include <abstractions/nameservice>
   #include <abstractions/wutmp>
 
+  capability audit_write,
   capability chown,
   capability dac_override,
   capability fowner,
@@ -51,9 +52,22 @@
   /usr/lib*/pwdutils/*so* mr,
   /usr/sbin/adduser rmix,
   /usr/sbin/nscd rPix,
+  /{,usr/}sbin/pam_tally2 Cx -> pam_tally2,
   /usr/sbin/useradd rmix,
   /usr/sbin/useradd.local rmix,
   /var/log/faillog rw,
   /{,var/}run/nscd.pid rw,
   /var/spool/mail/* rw,
+
+  profile pam_tally2 {
+    #include <abstractions/base>
+    #include <abstractions/consoles>
+    #include <abstractions/nameservice>
+
+    capability audit_write,
+
+    /sbin/pam_tally2 mr,
+    /var/log/tallylog rw,
+
+  }
 }

tests/Makefile

@@ -3,5 +3,5 @@ SUBDIRS=regression stress
 .PHONY: clean
 clean:
 	for dir in $(SUBDIRS) ; do \
-		make clean -C $${dir} ; \
+		$(MAKE) clean -C $${dir} ; \
 	done

tests/regression/Makefile

@@ -3,5 +3,5 @@ SUBDIRS=apparmor
 .PHONY: clean
 clean:
 	for dir in $(SUBDIRS) ; do \
-		make clean -C $${dir} ; \
+		$(MAKE) clean -C $${dir} ; \
 	done

tests/regression/apparmor/fork.c

@@ -23,8 +23,6 @@
 #define FALSE 0
 #define TRUE !FALSE
 
-#define max(x,y) (x) > (y) ? (x) : (y)
-
 #define MAX_FILES 5
 
 int (*pass)[MAX_FILES];
@@ -60,7 +58,12 @@ int main(int argc, char *argv[])
 		return 1;
 	}
 
-	num_files = max(argc - 1, MAX_FILES);
+	num_files = argc - 1;
+	if (num_files > MAX_FILES) {
+		fprintf(stderr, "ERROR: a maximum of %d files is supported\n",
+			MAX_FILES);
+		return 1;
+	}
 
 	shmid = shmget(IPC_PRIVATE, sizeof(int[2][MAX_FILES]), IPC_CREAT);
 	if (shmid == -1) {
@@ -81,11 +84,11 @@ int main(int argc, char *argv[])
 		int status;
 		int allpassed = TRUE;
 
-		test_files(argc - 1, &argv[1], 0);
+		test_files(num_files, &argv[1], 0);
 
 		while (wait(&status) != pid) ;
 
-		for (i = 0; i < argc - 1; i++) {
+		for (i = 0; i < num_files; i++) {
 			if (pass[0][i] != pass[1][i] ||
 			    pass[0][i] == -1 || pass[1][i] == -1) {
 				if (allpassed) {
@@ -108,7 +111,7 @@ int main(int argc, char *argv[])
 		shmctl(shmid, IPC_RMID, &shm_desc);
 
 	} else {
-		test_files(argc - 1, &argv[1], 1);
+		test_files(num_files, &argv[1], 1);
 	}
 
 	return 0;

tests/regression/apparmor/unix_fd_server.c

@@ -31,7 +31,7 @@
 int main (int argc, char * argv[]) {
 	int sock, in_sock, fd;
 	struct sockaddr_un local, remote;
-	int len, exec_now, pfd_ret;
+	int len, pfd_ret;
 	socklen_t len2;
 	char comparison_buffer[17];
 	char inbound_buffer[17];
@@ -40,9 +40,6 @@ int main (int argc, char * argv[]) {
         struct cmsghdr *ctrl_mesg;
 	struct pollfd pfd;
 
-
-	exec_now = 0;
-
 	if (argc < 4 || argc > 5 || (argc == 5 && (strcmp(argv[4], "delete_file") != 0))) {
 		fprintf(stderr, "Usage: %s <file>\n", argv[0]);
 		return(1);

tests/stress/Makefile

@@ -3,5 +3,5 @@ SUBDIRS=subdomain
 .PHONY: clean
 clean:
 	for dir in $(SUBDIRS) ; do \
-		make clean -C $${dir} ; \
+		$(MAKE) clean -C $${dir} ; \
 	done

utils/aa-decode

@@ -70,7 +70,7 @@ fi
 while read line ; do
 
     # check if line contains encoded name= or profile=
-    if [[ "$line" =~ \ (name|profile)=[0-9a-fA-F] ]]; then
+    if [[ "$line" =~ \ (name|profile|proctitle)=[0-9a-fA-F] ]]; then
 
         # cut the encoded filename/profile name out of the line and decode it
         ne=`echo "$line" | sed 's/.* name=\([^ ]*\).*$/\\1/g'`
@@ -79,9 +79,13 @@ while read line ; do
         pe=`echo "$line" | sed 's/.* profile=\([^ ]*\).*$/\\1/g'`
         pd="$(decode ${pe/\'/\\\'})"
 
+        pce=`echo "$line" | sed 's/.* proctitle=\([^ ]*\).*$/\\1/g'`
+        pcd="$(decode ${pce/\'/\\\'})"
+
         # replace encoded name and profile with its decoded counterparts (only if it was encoded)
         test -n "$nd" && line="${line/name=$ne/name=\"$nd\"}"
         test -n "$pd" && line="${line/profile=$pe/profile=\"$pd\"}"
+        test -n "$pcd" && line="${line/proctitle=$pce/proctitle=\"$pcd\"}"
 
     fi
 

utils/aa-mergeprof

@@ -165,7 +165,10 @@ class Merge(object):
         options = []
         for inc in other.filelist[other.filename]['include'].keys():
             if not inc in self.user.filelist[self.user.filename]['include'].keys():
-                options.append('#include <%s>' %inc)
+                if inc.startswith('/'):
+                    options.append('#include "%s"' %inc)
+                else:
+                    options.append('#include <%s>' %inc)
 
         default_option = 1
 

utils/aa-remove-unknown

@@ -27,7 +27,8 @@ DRY_RUN=0
 usage() {
 	local progname="$1"
 	local rc="$2"
-	local msg="usage: ${progname} [options]\n
+	local msg="usage: ${progname} [options]
+
 Remove profiles unknown to the system
 
 Options:

utils/apparmor/aa.py

@@ -1191,8 +1191,8 @@ def handle_children(profile, hat, root):
                                     ans = 'INVALID'
 
                         if exec_mode and 'i' in exec_mode:
-                            # For inherit we need r
-                            file_perm = 'r'
+                            # For inherit we need mr
+                            file_perm = 'mr'
                         else:
                             if ans == 'CMD_DENY':
                                 aa[profile][hat]['file'].add(FileRule(exec_target, None, 'x', FileRule.ALL, owner=False, log_event=True, deny=True))
@@ -1315,10 +1315,6 @@ def UI_ask_to_upload_profiles():
     # To-Do
     pass
 
-def UI_ask_mode_toggles(audit_toggle, owner_toggle, oldmode):
-    # To-Do
-    return (audit_toggle, owner_toggle)
-
 def parse_repo_profile(fqdbin, repo_url, profile):
     # To-Do
     pass
@@ -1432,7 +1428,10 @@ def ask_the_questions(log_dict):
                 options = []
                 for inc in log_dict[aamode][profile][hat]['include'].keys():
                     if not inc in aa[profile][hat]['include'].keys():
-                        options.append('#include <%s>' %inc)
+                        if inc.startswith('/'):
+                            options.append('#include "%s"' %inc)
+                        else:
+                            options.append('#include <%s>' %inc)
 
                 default_option = 1
 
@@ -1521,6 +1520,16 @@ def ask_the_questions(log_dict):
 
                                 options = set_options_audit_mode(rule_obj, options)
 
+                            elif ans.startswith('CMD_USER_'):
+                                if ans == 'CMD_USER_ON':
+                                    rule_obj.owner = True
+                                    rule_obj.raw_rule = None
+                                else:
+                                    rule_obj.owner = False
+                                    rule_obj.raw_rule = None
+
+                                options = set_options_owner_mode(rule_obj, options)
+
                             elif ans == 'CMD_ALLOW':
                                 done = True
                                 changed[profile] = True
@@ -1605,6 +1614,16 @@ def set_options_audit_mode(rule_obj, options):
     '''change audit state in options (proposed rules) to audit state in rule_obj.
        #include options will be kept unchanged
     '''
+    return set_options_mode(rule_obj, options, 'audit')
+
+def set_options_owner_mode(rule_obj, options):
+    '''change owner state in options (proposed rules) to owner state in rule_obj.
+       #include options will be kept unchanged
+    '''
+    return set_options_mode(rule_obj, options, 'owner')
+
+def set_options_mode(rule_obj, options, what):
+    ''' helper function for set_options_audit_mode() and set_options_owner_mode'''
     new_options = []
 
     for rule in options:
@@ -1612,7 +1631,13 @@ def set_options_audit_mode(rule_obj, options):
             new_options.append(rule)
         else:
             parsed_rule = selection_to_rule_obj(rule_obj, rule)
-            parsed_rule.audit = rule_obj.audit
+            if what == 'audit':
+                parsed_rule.audit = rule_obj.audit
+            elif what == 'owner':
+                parsed_rule.owner = rule_obj.owner
+            else:
+                raise AppArmorBug('Unknown "what" value given to set_options_mode: %s' % what)
+
             parsed_rule.raw_rule = None
             new_options.append(parsed_rule.get_raw())
 
@@ -1640,6 +1665,12 @@ def available_buttons(rule_obj):
     else:
         buttons += ['CMD_AUDIT_NEW']
 
+    if rule_obj.can_owner:
+        if rule_obj.owner:
+            buttons += ['CMD_USER_OFF']
+        else:
+            buttons += ['CMD_USER_ON']
+
     buttons += ['CMD_ABORT', 'CMD_FINISHED']
 
     return buttons
@@ -1699,6 +1730,11 @@ def ask_conflict_mode(profile, hat, old_profile, merge_profile):
 
                     done = True
 
+def get_include_path(incname):
+    if incname.startswith('/'):
+        return incname
+    return profile_dir + '/' + incname
+
 def match_includes(profile, rule_type, rule_obj):
     newincludes = []
     for incname in include.keys():
@@ -1719,6 +1755,8 @@ def valid_include(profile, incname):
 
     if incname.startswith('abstractions/') and os.path.isfile(profile_dir + '/' + incname):
         return True
+    elif incname.startswith('/') and os.path.isfile(incname):
+        return True
 
     return False
 
@@ -1823,16 +1861,20 @@ def save_profiles():
             if not changed:
                 return
 
-            q.options = sorted(changed.keys())
+            options = sorted(changed.keys())
+            q.options = options
 
             ans, arg = q.promptUser()
+
+            q.selected = arg  # remember selection
+            which = options[arg]
+
             if ans == 'CMD_SAVE_SELECTED':
-                profile_name = list(changed.keys())[arg]
-                write_profile_ui_feedback(profile_name)
-                reload_base(profile_name)
+                write_profile_ui_feedback(which)
+                reload_base(which)
+                q.selected = 0  # saving the selected profile removes it from the list, therefore reset selection
 
             elif ans == 'CMD_VIEW_CHANGES':
-                which = list(changed.keys())[arg]
                 oldprofile = None
                 if aa[which][which].get('filename', False):
                     oldprofile = aa[which][which]['filename']
@@ -1848,7 +1890,6 @@ def save_profiles():
                 aaui.UI_Changes(oldprofile, newprofile, comments=True)
 
             elif ans == 'CMD_VIEW_CHANGES_CLEAN':
-                which = list(changed.keys())[arg]
                 oldprofile = serialize_profile(original_aa[which], which, '')
                 newprofile = serialize_profile(aa[which], which, '')
 
@@ -2021,6 +2062,13 @@ def read_profiles():
                 read_profile(profile_dir + '/' + file, True)
 
 def read_inactive_profiles():
+    if hasattr(read_inactive_profiles, 'already_read'):
+        # each autodep() run calls read_inactive_profiles, but that's a) superfluous and b) triggers a conflict because the inactive profiles are already loaded
+        # therefore don't do anything if the inactive profiles were already loaded
+        return
+
+    read_inactive_profiles.already_read = True
+
     if not os.path.exists(extra_profile_dir):
         return None
     try:
@@ -2288,7 +2336,7 @@ def parse_profile_data(data, file, do_include):
                     filelist[file] = hasher()
                 filelist[file]['include'][include_name] = True
             # If include is a directory
-            if os.path.isdir(profile_dir + '/' + include_name):
+            if os.path.isdir(get_include_path(include_name)):
                 for file_name in include_dir_filelist(profile_dir, include_name):
                     if not include.get(file_name, False):
                         load_include(file_name)
@@ -2558,7 +2606,13 @@ def write_single(prof_data, depth, allow, name, prefix, tail):
 
     if ref.get(name, False):
         for key in sorted(ref[name].keys()):
-            qkey = quote_if_needed(key)
+            if name == 'include':
+                if key.startswith('/'):
+                    qkey = '"%s"' % key
+                else:
+                    qkey = '<%s>' % quote_if_needed(key)
+            else:
+                qkey = quote_if_needed(key)
             data.append('%s%s%s%s%s' % (pre, allow, prefix, qkey, tail))
         if ref[name].keys():
             data.append('')
@@ -2597,7 +2651,7 @@ def write_pair(prof_data, depth, allow, name, prefix, sep, tail, fn):
     return data
 
 def write_includes(prof_data, depth):
-    return write_single(prof_data, depth, '', 'include', '#include <', '>')
+    return write_single(prof_data, depth, '', 'include', '#include ', '')
 
 def write_change_profile(prof_data, depth):
     data = []
@@ -3324,7 +3378,7 @@ def is_known_rule(profile, rule_type, rule_obj):
         incname = includelist.pop(0)
         checked.append(incname)
 
-        if os.path.isdir(profile_dir + '/' + incname):
+        if os.path.isdir(get_include_path(incname)):
             includelist += include_dir_filelist(profile_dir, incname)
         else:
             if include[incname][incname].get(rule_type, False):
@@ -3352,7 +3406,7 @@ def get_file_perms(profile, path, audit, deny):
             continue
         checked.append(incname)
 
-        if os.path.isdir(profile_dir + '/' + incname):
+        if os.path.isdir(get_include_path(incname)):
             includelist += include_dir_filelist(profile_dir, incname)
         else:
             incperms = include[incname][incname]['file'].get_perms_for_path(path, audit, deny)
@@ -3433,7 +3487,8 @@ def reload(bin_path):
 
 def get_include_data(filename):
     data = []
-    filename = profile_dir + '/' + filename
+    if not filename.startswith('/'):
+        filename = profile_dir + '/' + filename
     if os.path.exists(filename):
         with open_file_read(filename) as f_in:
             data = f_in.readlines()
@@ -3442,15 +3497,21 @@ def get_include_data(filename):
     return data
 
 def include_dir_filelist(profile_dir, include_name):
-    '''returns a list of files in the given profile_dir/include_name directory, except skippable files'''
+    '''returns a list of files in the given profile_dir/include_name directory,
+       except skippable files. If include_name is an absolute path, ignore
+       profile_dir.
+    '''
     files = []
-    for path in os.listdir(profile_dir + '/' + include_name):
+    include_name_abs = get_include_path(include_name)
+    for path in os.listdir(include_name_abs):
         path = path.strip()
         if is_skippable_file(path):
             continue
-        if os.path.isfile(profile_dir + '/' + include_name + '/' + path):
+        if os.path.isfile(include_name_abs + '/' + path):
             file_name = include_name + '/' + path
-            file_name = file_name.replace(profile_dir + '/', '')
+            # strip off profile_dir for non-absolute paths
+            if not include_name.startswith('/'):
+                file_name = file_name.replace(profile_dir + '/', '')
             files.append(file_name)
 
     return files
@@ -3459,17 +3520,18 @@ def load_include(incname):
     load_includeslist = [incname]
     while load_includeslist:
         incfile = load_includeslist.pop(0)
+        incfile_abs = get_include_path(incfile)
         if include.get(incfile, {}).get(incfile, False):
             pass  # already read, do nothing
-        elif os.path.isfile(profile_dir + '/' + incfile):
-            data = get_include_data(incfile)
+        elif os.path.isfile(incfile_abs):
+            data = get_include_data(incfile_abs)
             incdata = parse_profile_data(data, incfile, True)
             attach_profile_data(include, incdata)
         #If the include is a directory means include all subfiles
-        elif os.path.isdir(profile_dir + '/' + incfile):
+        elif os.path.isdir(incfile_abs):
             load_includeslist += include_dir_filelist(profile_dir, incfile)
         else:
-            raise AppArmorException("Include file %s not found" % (profile_dir + '/' + incfile) )
+            raise AppArmorException("Include file %s not found" % (incfile_abs))
 
     return 0
 
@@ -3567,4 +3629,3 @@ def init_aa(confdir="/etc/apparmor"):
     parser = conf.find_first_file(cfg['settings'].get('parser')) or '/sbin/apparmor_parser'
     if not os.path.isfile(parser) or not os.access(parser, os.EX_OK):
         raise AppArmorException('Can\'t find apparmor_parser at %s' % (parser))
-

utils/apparmor/logparser.py

@@ -118,6 +118,10 @@ class ReadLog:
         ev['protocol'] = event.net_protocol
         ev['sock_type'] = event.net_sock_type
 
+        if event.ouid != 18446744073709551615:  # 2^64 - 1
+            ev['fsuid'] = event.fsuid
+            ev['ouid'] = event.ouid
+
         if ev['operation'] and ev['operation'] == 'signal':
             ev['signal'] = event.signal
             ev['peer'] = event.peer
@@ -268,6 +272,13 @@ class ReadLog:
             if not validate_log_mode(hide_log_mode(dmask)):
                 raise AppArmorException(_('Log contains unknown mode %s') % dmask)
 
+            if e.get('ouid') is not None and e['fsuid'] == e['ouid']:
+                # mark as "owner" event
+                if '::' not in rmask:
+                    rmask = '%s::' % rmask
+                if '::' not in dmask:
+                    dmask = '%s::' % dmask
+
             # convert rmask and dmask to mode arrays
             e['denied_mask'],  e['name2'] = log_str_to_mode(e['profile'], dmask, e['name2'])
             e['request_mask'], e['name2'] = log_str_to_mode(e['profile'], rmask, e['name2'])

utils/apparmor/regex.py

@@ -133,7 +133,7 @@ def parse_profile_start_line(line, filename):
     return result
 
 
-RE_INCLUDE = re.compile('^\s*#?include\s*<(?P<magicpath>.*)>' + RE_EOL)
+RE_INCLUDE = re.compile('^\s*#?include\s*(<(?P<magicpath>.*)>|"(?P<quotedpath>.*)"|(?P<unquotedpath>[^<>"]*))' + RE_EOL)
 
 def re_match_include(line):
     """Matches the path for include and returns the include path"""
@@ -142,10 +142,29 @@ def re_match_include(line):
     if not matches:
         return None
 
-    if not matches.group('magicpath').strip():
+    path = None
+    if matches.group('magicpath'):
+        path = matches.group('magicpath').strip()
+    elif matches.group('unquotedpath'):
+        # LP: #1738879 - parser doesn't handle unquoted paths everywhere
+        # path = matches.group('unquotedpath').strip()
+        raise AppArmorException(_('Syntax error: #include must use quoted path or <...>'))
+    elif matches.group('quotedpath'):
+        path = matches.group('quotedpath')
+        # LP: 1738880 - parser doesn't handle relative paths everywhere, and
+        # neither do we (see aa.py)
+        if len(path) > 0 and path[0] != '/':
+            raise AppArmorException(_('Syntax error: #include must use quoted path or <...>'))
+
+    # if path is empty or the empty string
+    if path is None or path == "":
         raise AppArmorException(_('Syntax error: #include rule with empty filename'))
 
-    return matches.group('magicpath')
+    # LP: #1738877 - parser doesn't handle files with spaces in the name
+    if re.search('\s', path):
+        raise AppArmorException(_('Syntax error: #include rule filename cannot contain spaces'))
+
+    return path
 
 def strip_parenthesis(data):
     '''strips parenthesis from the given string and returns the strip()ped result.

utils/apparmor/rule/__init__.py

@@ -46,6 +46,9 @@ class BaseRule(object):
     # defines if the (N)ew option is displayed
     can_edit = False
 
+    # defines if the '(O)wner permissions on/off' option is displayed
+    can_owner = False
+
     def __init__(self, audit=False, deny=False, allow_keyword=False,
                  comment='', log_event=None):
         '''initialize variables needed by all rule types'''

utils/apparmor/rule/file.py

@@ -104,6 +104,7 @@ class FileRule(BaseRule):
         if type(owner) is not bool:
             raise AppArmorBug('non-boolean value passed to owner flag')
         self.owner = owner
+        self.can_owner = owner  # offer '(O)wner permissions on/off' buttons only if the rule has the owner flag
 
         if type(file_keyword) is not bool:
             raise AppArmorBug('non-boolean value passed to file keyword flag')
@@ -241,9 +242,9 @@ class FileRule(BaseRule):
         if not self._is_covered_aare(self.path,         self.all_paths,         other_rule.path,        other_rule.all_paths,           'path'):
             return False
 
-        # TODO: check 'a' vs. 'w'
         # perms can be empty if only exec_perms are specified, therefore disable the sanity check in _is_covered_list()...
-        if not self._is_covered_list(self.perms,        self.all_perms,         other_rule.perms,       other_rule.all_perms,           'perms', sanity_check=False):
+        # 'w' covers 'a', therefore use perms_with_a() to temporarily add 'a' if 'w' is present
+        if not self._is_covered_list(perms_with_a(self.perms), self.all_perms,  perms_with_a(other_rule.perms), other_rule.all_perms,   'perms', sanity_check=False):
             return False
 
         # ... and do our own sanity check
@@ -533,3 +534,15 @@ def split_perms(perm_string, deny):
             raise AppArmorException(_('permission contains unknown character(s) %s' % perm_string))
 
     return perms, exec_mode
+
+def perms_with_a(perms):
+    '''if perms includes 'w', add 'a' perms
+       - perms: the original permissions
+    '''
+    perms_with_a = set()
+    if perms:
+        perms_with_a = set(perms)
+        if 'w' in perms_with_a:
+            perms_with_a.add('a')
+
+    return perms_with_a

utils/apparmor/severity.py

@@ -185,7 +185,9 @@ class Severity(object):
                     # If any includes, load variables from them first
                     match = re_match_include(line)
                     if match:
-                        new_path = self.PROF_DIR + '/' + match
+                        new_path = match
+                        if not new_path.startswith('/'):
+                            new_path = self.PROF_DIR + '/' + match
                         self.load_variables(new_path)
                     else:
                         # Remove any comments

utils/check_po.pl

@@ -38,7 +38,7 @@ sub check_po_for_shortcuts {
               $msgid = $_;
             } 
             if ( /^.*msgstr*/ && $looking_for_msgstr ) {
-                unless (/^.*msgstr.*\(\w{1}?\)*/) {
+                unless (/^.*msgstr.*\(\w{1}?\)*/ or /^msgstr ""$/) {
                     $errors->{$filename}{$line} =  {
                                              "msgid" => $msgid,
                                              "msgstr" => $_,

utils/po/de.po

@@ -7,14 +7,14 @@ msgstr ""
 "Project-Id-Version: apparmor-utils\n"
 "Report-Msgid-Bugs-To: <apparmor@lists.ubuntu.com>\n"
 "POT-Creation-Date: 2014-09-14 19:29+0530\n"
-"PO-Revision-Date: 2017-04-20 12:04+0000\n"
-"Last-Translator: Christian Boltz <Unknown>\n"
+"PO-Revision-Date: 2017-12-20 02:04+0000\n"
+"Last-Translator: Tobias Bannert <tobannert@gmail.com>\n"
 "Language-Team: German <de@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-04-21 05:29+0000\n"
-"X-Generator: Launchpad (build 18359)\n"
+"X-Launchpad-Export-Date: 2017-12-21 05:12+0000\n"
+"X-Generator: Launchpad (build 18511)\n"
 "Language: de\n"
 
 #: ../aa-genprof:56
@@ -312,7 +312,7 @@ msgstr "Netzwerkzugriff %(family)s %(type)s wird dem Profil verweigert."
 
 #: ../aa-autodep:23
 msgid "Generate a basic AppArmor profile by guessing requirements"
-msgstr "Erstelle ein Basis AppArmor Profil nach erwarteten Anforderungen"
+msgstr "Ein Basis-AppArmor-Profil nach erwarteten Anforderungen erstellen"
 
 #: ../aa-autodep:24
 msgid "overwrite existing profile"
@@ -340,7 +340,7 @@ msgstr "Das angegebene Programm in den Erzwingenmodus versetzen"
 
 #: ../aa-disable:23
 msgid "Disable the profile for the given programs"
-msgstr "Deaktiviere das Profil für die genannten Programme"
+msgstr "Das Profil für die angegebenen Programme deaktivieren"
 
 #: ../aa-unconfined:28
 msgid "Lists unconfined processes having tcp or udp ports"
@@ -348,7 +348,7 @@ msgstr "Zeigt uneingeschränkte Prozesse mit tcp oder udp Ports"
 
 #: ../aa-unconfined:29
 msgid "scan all processes from /proc"
-msgstr "Durchsuche alle Prozesse von /proc"
+msgstr "alle Prozesse aus /proc durchsuchen"
 
 #: ../aa-unconfined:81
 #, python-format
@@ -394,7 +394,7 @@ msgstr "%s wird in den Erzwingen-Modus versetzt."
 #: ../apparmor/aa.py:286
 #, python-format
 msgid "Unable to find basename for %s."
-msgstr ""
+msgstr "Basisname für %s kann nicht gefunden werden."
 
 #: ../apparmor/aa.py:301
 #, python-format
@@ -640,7 +640,7 @@ msgstr "Protokolleinträge von %s werden gelesen."
 #: ../apparmor/aa.py:2254
 #, python-format
 msgid "Updating AppArmor profiles in %s."
-msgstr "Aktualisiere AppArmor-Profile in %s."
+msgstr "AppArmor-Profile in %s werden aktualisiert."
 
 #: ../apparmor/aa.py:2323
 msgid ""
@@ -1038,11 +1038,11 @@ msgstr ""
 
 #: ../apparmor/ui.py:229
 msgid "(O)wner permissions on"
-msgstr "(B)esitzerberechtigungen an"
+msgstr "Be(s)itzerberechtigungen an"
 
 #: ../apparmor/ui.py:230
 msgid "(O)wner permissions off"
-msgstr "(B)esitzerberechtigungen aus"
+msgstr "Be(s)itzerberechtigungen aus"
 
 #: ../apparmor/ui.py:231
 msgid "(D)eny"

utils/po/es.po

@@ -8,14 +8,14 @@ msgstr ""
 "Project-Id-Version: apparmor\n"
 "Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
 "POT-Creation-Date: 2014-09-14 19:29+0530\n"
-"PO-Revision-Date: 2017-05-02 14:26+0000\n"
-"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"PO-Revision-Date: 2017-11-24 13:01+0000\n"
+"Last-Translator: Rodrigo <rodhos_hp@hotmail.com>\n"
 "Language-Team: Spanish <es@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-05-03 05:19+0000\n"
-"X-Generator: Launchpad (build 18366)\n"
+"X-Launchpad-Export-Date: 2017-11-25 05:12+0000\n"
+"X-Generator: Launchpad (build 18509)\n"
 
 #: ../aa-genprof:56
 msgid "Generate profile for the given program"
@@ -304,7 +304,7 @@ msgstr ""
 
 #: ../aa-complain:23
 msgid "Switch the given program to complain mode"
-msgstr ""
+msgstr "Cambia el programa dado al modo reclamar"
 
 #: ../aa-enforce:23
 msgid "Switch the given program to enforce mode"
@@ -355,7 +355,7 @@ msgstr ""
 #: ../apparmor/aa.py:264 ../apparmor/aa.py:548
 #, python-format
 msgid "Setting %s to complain mode."
-msgstr ""
+msgstr "Estableciendo %s al modo reclamar."
 
 #: ../apparmor/aa.py:271
 #, python-format

utils/test/Makefile

@@ -36,14 +36,24 @@ else
     PARSER=../../parser/apparmor_parser
 endif
 
-.PHONY: __libapparmor
+.PHONY: __libapparmor __parser
 __libapparmor:
 ifndef USE_SYSTEM
 	@if [ ! -f $(LD_LIBRARY_PATH)libapparmor.so ]; then \
 		echo "error: $(LD_LIBRARY_PATH)libapparmor.so is missing. Pick one of these possible solutions:" 1>&2; \
 		echo "  1) Build against the in-tree libapparmor by building it first and then trying again. See the top-level README for help." 1>&2; \
 		echo "  2) Build against the system libapparmor by adding USE_SYSTEM=1 to your make command." 1>&2; \
-		return 1; \
+		exit 1; \
+	fi
+endif
+
+__parser:
+ifndef USE_SYSTEM
+	@if [ ! -f $(PARSER) ]; then \
+		echo "error: $(PARSER) is missing. Pick one of these possible solutions:" 1>&2; \
+		echo "  1) Test using the in-tree parser by building it first and then trying again. See the top-level README for help." 1>&2; \
+		echo "  2) Test using the system parser by adding USE_SYSTEM=1 to your make command." 1>&2; \
+		exit 1; \
 	fi
 endif
 
@@ -67,10 +77,10 @@ endif
 clean:
 	rm -rf __pycache__/ .coverage htmlcov
 
-check: __libapparmor
+check: __libapparmor __parser
 	export PYTHONPATH=$(PYTHONPATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) LC_ALL=C __AA_CONFDIR=$(CONFDIR) __AA_BASEDIR=$(BASEDIR) __AA_PARSER=$(PARSER) ; $(foreach test, $(wildcard test-*.py), echo ; echo === $(test) === ; $(call pyalldo, $(test)))
 
-.coverage: $(wildcard ../aa-* ../apparmor/*.py test-*.py) __libapparmor
+.coverage: $(wildcard ../aa-* ../apparmor/*.py test-*.py) __libapparmor __parser
 	export PYTHONPATH=$(PYTHONPATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) LC_ALL=C __AA_CONFDIR=$(CONFDIR) __AA_BASEDIR=$(BASEDIR) __AA_PARSER=$(PARSER) ; $(COVERAGE_IGNORE_FAILURES_CMD) ; $(foreach test, $(wildcard test-*.py), echo ; echo === $(test) === ; $(PYTHON) -m coverage run --branch -p $(test); )
 	$(PYTHON) -m coverage combine
 

utils/test/test-aa.py

@@ -19,7 +19,7 @@ import sys
 
 import apparmor.aa  # needed to set global vars in some tests
 from apparmor.aa import (check_for_apparmor, get_output, get_reqs, get_interpreter_and_abstraction, create_new_profile,
-     get_profile_flags, set_profile_flags, set_options_audit_mode, is_skippable_file, is_skippable_dir,
+     get_profile_flags, set_profile_flags, set_options_audit_mode, set_options_owner_mode, is_skippable_file, is_skippable_dir,
      parse_profile_start, parse_profile_data, separate_vars, store_list_var, write_header,
      var_transform, serialize_parse_profile_start, get_file_perms, propose_file_rules)
 from apparmor.aare import AARE
@@ -414,6 +414,20 @@ class AaTest_set_options_audit_mode(AATest):
         new_options = set_options_audit_mode(rule_obj, options)
         self.assertEqual(new_options, expected)
 
+class AaTest_set_options_owner_mode(AATest):
+    tests = [
+        ((FileRule.parse('owner /foo/bar r,'),      ['/foo/bar r,', '/foo/* r,', '/** r,']                                  ), ['owner /foo/bar r,', 'owner /foo/* r,', 'owner /** r,']),
+        ((FileRule.parse('owner /foo/bar r,'),      ['/foo/bar r,', 'owner /foo/* r,', 'owner /** r,']                      ), ['owner /foo/bar r,', 'owner /foo/* r,', 'owner /** r,']),
+        ((FileRule.parse('/foo/bar r,'),            ['/foo/bar r,', '/foo/* r,', '/** r,']                                  ), ['/foo/bar r,', '/foo/* r,', '/** r,']),
+        ((FileRule.parse('/foo/bar r,'),            ['owner /foo/bar r,', 'owner /foo/* r,', 'owner /** r,']                ), ['/foo/bar r,', '/foo/* r,', '/** r,']),
+        ((FileRule.parse('audit owner /foo/bar r,'),['audit /foo/bar r,', 'audit /foo/* r,', '#include <abstractions/base>']), ['audit owner /foo/bar r,', 'audit owner /foo/* r,', '#include <abstractions/base>']),
+    ]
+
+    def _run_test(self, params, expected):
+        rule_obj, options = params
+        new_options = set_options_owner_mode(rule_obj, options)
+        self.assertEqual(new_options, expected)
+
 class AaTest_is_skippable_file(AATest):
     def test_not_skippable_01(self):
         self.assertFalse(is_skippable_file('bin.ping'))
@@ -859,6 +873,59 @@ class AaTest_propose_file_rules(AATest):
         proposals = propose_file_rules(profile, rule_obj)
         self.assertEqual(proposals, expected)
 
+
+class AaTest_propose_file_rules_with_absolute_includes(AATest):
+    tests = [
+        # log event path       and perms    expected proposals
+        (['/not/found/anywhere',    'r'],   ['/not/found/anywhere r,']),
+        (['/dev/null',              'w'],   ['/dev/null rw,']),
+        (['/some/random/include',   'r'],   ['/some/random/include rw,']),
+        (['/some/other/include',    'w'],   ['/some/other/* rw,', '/some/other/inc* rw,', '/some/other/include rw,']),
+    ]
+
+    def _run_test(self, params, expected):
+        self.createTmpdir()
+
+        #copy the local profiles to the test directory
+        self.profile_dir = '%s/profiles' % self.tmpdir
+        shutil.copytree('../../profiles/apparmor.d/', self.profile_dir, symlinks=True)
+
+        # load the abstractions we need in the test
+        apparmor.aa.profiledir = self.profile_dir
+        apparmor.aa.load_include('abstractions/base')
+
+        abs_include1 = write_file(self.tmpdir, 'test-abs1', "/some/random/include rw,")
+        apparmor.aa.load_include(abs_include1)
+
+        abs_include2 = write_file(self.tmpdir, 'test-abs2', "/some/other/* rw,")
+        apparmor.aa.load_include(abs_include2)
+
+        abs_include3 = write_file(self.tmpdir, 'test-abs3', "/some/other/inc* rw,")
+        apparmor.aa.load_include(abs_include3)
+
+        profile = apparmor.aa.ProfileStorage('/test', '/test', 'test-aa.py')
+        profile['include']['abstractions/base'] = False
+        profile['include'][abs_include1] = False
+        profile['include'][abs_include2] = False
+        profile['include'][abs_include3] = False
+
+        rule_obj = FileRule(params[0], params[1], None, FileRule.ALL, owner=False, log_event=True)
+        proposals = propose_file_rules(profile, rule_obj)
+        self.assertEqual(proposals, expected)
+
+
+class AaTest_nonexistent_includes(AATest):
+    def test_bad_includes(self):
+        tests = [
+            "/nonexistent/absolute/path",
+            "nonexistent/relative/path",
+        ]
+
+        for i in tests:
+            with self.assertRaises(AppArmorException):
+                apparmor.aa.load_include(i)
+
+
 setup_aa(apparmor.aa)
 setup_all_loops(__name__)
 if __name__ == '__main__':

utils/test/test-file.py

@@ -585,6 +585,28 @@ class FileCoveredTest_05(FileCoveredTest):
         ('/foo mrwPx -> bar,'                           , [ False   , False         , False     , False     ]),
     ]
 
+class FileCoveredTest_06(FileCoveredTest):
+    rule = 'deny /foo w,'
+
+    tests = [
+        #   rule                                            equal     strict equal    covered     covered exact
+        ('/foo w,'                                      , [ False   , False         , False     , False     ]),
+        ('/foo a,'                                      , [ False   , False         , False     , False     ]),
+        ('deny /foo w,'                                 , [ True    , True          , True      , True      ]),
+        ('deny /foo a,'                                 , [ False   , False         , True      , True      ]),
+    ]
+
+class FileCoveredTest_07(FileCoveredTest):
+    rule = '/foo w,'
+
+    tests = [
+        #   rule                                            equal     strict equal    covered     covered exact
+        ('/foo w,'                                      , [ True    , True          , True      , True      ]),
+        ('/foo a,'                                      , [ False   , False         , True      , True      ]),
+        ('deny /foo w,'                                 , [ False   , False         , False     , False     ]),
+        ('deny /foo a,'                                 , [ False   , False         , False     , False     ]),
+    ]
+
 class FileCoveredTest_ManualOrInvalid(AATest):
     def AASetup(self):
         #FileRule#                 path,           perms,  exec_perms, target,         owner,  file_keyword,   leading_perms

utils/test/test-logparser.py

@@ -73,11 +73,13 @@ class TestParseEvent(unittest.TestCase):
             'attr': None,
             'denied_mask': 'r',
             'error_code': 13,
+            'fsuid': 1002,
             'info': 'Failed name lookup - disconnected path',
             'magic_token': 0,
             'name': 'var/run/nscd/passwd',
             'name2': None,
             'operation': 'file_mmap',
+            'ouid': 0,
             'parent': 0,
             'pid': 25333,
             'profile': '/sbin/klogd',

utils/test/test-regex_matches.py

@@ -437,17 +437,27 @@ class TestInvalid_parse_profile_start_line(AATest):
 
 class Test_re_match_include(AATest):
     tests = [
-        ('#include <abstractions/base>',            'abstractions/base'         ),
+        ('#include <abstractions/base>',            'abstractions/base'         ),  # magic path
         ('#include <abstractions/base> # comment',  'abstractions/base'         ),
         ('#include<abstractions/base>#comment',     'abstractions/base'         ),
         ('   #include    <abstractions/base>  ',    'abstractions/base'         ),
-        ('include <abstractions/base>',             'abstractions/base'         ), # not supported by parser
-        # ('include foo',                           'foo'                       ), # XXX not supported in tools yet
-        # ('include /foo/bar',                      '/foo/bar'                  ), # XXX not supported in tools yet
-        # ('include "foo"',                         'foo'                       ), # XXX not supported in tools yet
-        # ('include "/foo/bar"',                    '/foo/bar'                  ), # XXX not supported in tools yet
-        (' some #include <abstractions/base>',      None,                       ),
+        ('#include "/foo/bar"',                     '/foo/bar'                  ),  # absolute path
+        ('#include "/foo/bar" # comment',           '/foo/bar'                  ),
+        ('#include "/foo/bar"#comment',             '/foo/bar'                  ),
+        ('   #include "/foo/bar"  ',                '/foo/bar'                  ),
+        ('include <abstractions/base>',            'abstractions/base'          ),  # magic path
+        ('include <abstractions/base> # comment',  'abstractions/base'          ),
+        ('include<abstractions/base>#comment',     'abstractions/base'          ),
+        ('   include    <abstractions/base>  ',    'abstractions/base'          ),
+        ('include "/foo/bar"',                     '/foo/bar'                   ),  # absolute path
+        ('include "/foo/bar" # comment',           '/foo/bar'                   ),
+        ('include "/foo/bar"#comment',             '/foo/bar'                   ),
+        ('   include "/foo/bar"  ',                '/foo/bar'                   ),
+
+        (' some #include <abstractions/base>',      None,                       ),  # non-matching
         ('  /etc/fstab r,',                         None,                       ),
+        ('/usr/include r,',                         None,                       ),
+        ('/include r,',                             None,                       ),
     ]
 
     def _run_test(self, params, expected):
@@ -455,8 +465,53 @@ class Test_re_match_include(AATest):
 
 class TestInvalid_re_match_include(AATest):
     tests = [
-        ('#include <>',                             AppArmorException   ),
+        ('#include <>',                             AppArmorException   ),  # '#include'
         ('#include <  >',                           AppArmorException   ),
+        ('#include ""',                             AppArmorException   ),
+        ('#include "  "',                           AppArmorException   ),
+        ('#include',                                AppArmorException   ),
+        ('#include  ',                              AppArmorException   ),
+        ('#include "foo"',                          AppArmorException   ),  # LP: 1738880 (relative)
+        ('#include "foo" # comment',                AppArmorException   ),
+        ('#include "foo"#comment',                  AppArmorException   ),
+        ('   #include "foo"  ',                     AppArmorException   ),
+        ('#include "foo/bar"',                      AppArmorException   ),
+        ('#include "foo/bar" # comment',            AppArmorException   ),
+        ('#include "foo/bar"#comment',              AppArmorException   ),
+        ('   #include "foo/bar"  ',                 AppArmorException   ),
+        ('#include foo',                            AppArmorException   ),  # LP: 1738879 (no quotes)
+        ('#include foo/bar',                        AppArmorException   ),
+        ('#include /foo/bar',                       AppArmorException   ),
+        ('#include foo bar',                        AppArmorException   ),  # LP: 1738877 (space in name)
+        ('#include foo bar/baz',                    AppArmorException   ),
+        ('#include "foo bar"',                      AppArmorException   ),
+        ('#include /foo bar',                       AppArmorException   ),
+        ('#include "/foo bar"',                     AppArmorException   ),
+        ('#include "foo bar/baz"',                  AppArmorException   ),
+
+        ('include <>',                              AppArmorException   ),  # 'include'
+        ('include <  >',                            AppArmorException   ),
+        ('include ""',                              AppArmorException   ),
+        ('include "  "',                            AppArmorException   ),
+        ('include',                                 AppArmorException   ),
+        ('include  ',                               AppArmorException   ),
+        ('include "foo"',                           AppArmorException   ),  # LP: 1738880 (relative)
+        ('include "foo" # comment',                 AppArmorException   ),
+        ('include "foo"#comment',                   AppArmorException   ),
+        ('   include "foo"  ',                      AppArmorException   ),
+        ('include "foo/bar"',                       AppArmorException   ),
+        ('include "foo/bar" # comment',             AppArmorException   ),
+        ('include "foo/bar"#comment',               AppArmorException   ),
+        ('   include "foo/bar"  ',                  AppArmorException   ),
+        ('include foo',                             AppArmorException   ),  # LP: 1738879 (no quotes)
+        ('include foo/bar',                         AppArmorException   ),
+        ('include /foo/bar',                        AppArmorException   ),
+        ('include foo bar',                         AppArmorException   ),  # LP: 1738877 (space in name)
+        ('include foo bar/baz',                     AppArmorException   ),
+        ('include "foo bar"',                       AppArmorException   ),
+        ('include /foo bar',                        AppArmorException   ),
+        ('include "/foo bar"',                      AppArmorException   ),
+        ('include "foo bar/baz"',                   AppArmorException   ),
     ]
 
     def _run_test(self, params, expected):

utils/test/test-translations.py

@@ -23,6 +23,10 @@ class TestHotkeyConflicts(AATest):
     tests = [
         (['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB', 'CMD_GLOBEXT', 'CMD_NEW', 'CMD_AUDIT_OFF', 'CMD_ABORT', 'CMD_FINISHED'], True),  # aa.py available_buttons() with CMD_AUDIT_OFF
         (['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB', 'CMD_GLOBEXT', 'CMD_NEW', 'CMD_AUDIT_NEW', 'CMD_ABORT', 'CMD_FINISHED'], True),  # aa.py available_buttons() with CMD_AUDIT_NEW
+        (['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB', 'CMD_GLOBEXT', 'CMD_NEW', 'CMD_AUDIT_OFF', 'CMD_USER_ON',  'CMD_ABORT', 'CMD_FINISHED'], True),  # aa.py available_buttons() with CMD_AUDIT_OFF and CMD_USER_ON
+        (['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB', 'CMD_GLOBEXT', 'CMD_NEW', 'CMD_AUDIT_OFF', 'CMD_USER_OFF', 'CMD_ABORT', 'CMD_FINISHED'], True),  # aa.py available_buttons() with CMD_AUDIT_OFF and CMD_USER_OFF
+        (['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB', 'CMD_GLOBEXT', 'CMD_NEW', 'CMD_AUDIT_NEW', 'CMD_USER_ON',  'CMD_ABORT', 'CMD_FINISHED'], True),  # aa.py available_buttons() with CMD_AUDIT_NEW and CMD_USER_ON
+        (['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB', 'CMD_GLOBEXT', 'CMD_NEW', 'CMD_AUDIT_NEW', 'CMD_USER_OFF', 'CMD_ABORT', 'CMD_FINISHED'], True),  # aa.py available_buttons() with CMD_AUDIT_NEW and CMD_USER_OFF
         (['CMD_SAVE_CHANGES', 'CMD_SAVE_SELECTED', 'CMD_VIEW_CHANGES', 'CMD_VIEW_CHANGES_CLEAN', 'CMD_ABORT'],                              True),  # aa.py save_profiles()
         (['CMD_VIEW_PROFILE', 'CMD_USE_PROFILE', 'CMD_CREATE_PROFILE', 'CMD_ABORT'],                                                        True),  # aa.py get_profile()
         (['CMD_UPLOAD_CHANGES', 'CMD_VIEW_CHANGES', 'CMD_ASK_LATER', 'CMD_ASK_NEVER', 'CMD_ABORT'],                                         True),  # aa.py console_select_and_upload_profiles()