parser: ignore feature abi rules

AppArmor 3.0 requires policy to use a feature abi rule for access to
new features. However some policy may start using abi rules even if
they don't have rules that require new features.  This is especially
true for out of tree policy being shipped in other packages.

Add enough support to older releases that the parser will ignore the
abi rule and warn that it is falling back to the apparmor 2.x
technique of using the system abi.

If the profile contains rules that the older parser does not
understand it will fail policy compilation at the unknown rule instead
of the abi rule.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/196
(backported form commit 83df7c4747)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>

.gitignore

@@ -1,4 +1,10 @@
 apparmor-*
+cscope.*
+binutils/aa-enabled
+binutils/aa-enabled.1
+binutils/aa-exec
+binutils/aa-exec.1
+binutils/po/*.mo
 parser/po/*.mo
 parser/af_names.h
 parser/cap_names.h
@@ -13,6 +19,37 @@ parser/parser_version.h
 parser/parser_yacc.c
 parser/parser_yacc.h
 parser/pod2htm*.tmp
+parser/af_rule.o
+parser/af_unix.o
+parser/common_optarg.o
+parser/dbus.o
+parser/lib.o
+parser/libapparmor_re/aare_rules.o
+parser/libapparmor_re/chfa.o
+parser/libapparmor_re/expr-tree.o
+parser/libapparmor_re/hfa.o
+parser/libapparmor_re/libapparmor_re.a
+parser/libapparmor_re/parse.o
+parser/mount.o
+parser/network.o
+parser/parser_alias.o
+parser/parser_common.o
+parser/parser_include.o
+parser/parser_interface.o
+parser/parser_lex.o
+parser/parser_main.o
+parser/parser_merge.o
+parser/parser_misc.o
+parser/parser_policy.o
+parser/parser_regex.o
+parser/parser_symtab.o
+parser/parser_variable.o
+parser/parser_yacc.o
+parser/policy_cache.o
+parser/profile.o
+parser/ptrace.o
+parser/rule.o
+parser/signal.o
 parser/*.7
 parser/*.5
 parser/*.8
@@ -26,7 +63,8 @@ parser/techdoc.aux
 parser/techdoc.log
 parser/techdoc.pdf
 parser/techdoc.toc
-profiles/apparmor.d/local/*.*
+profiles/apparmor.d/local/*
+!profiles/apparmor.d/local/README
 libraries/libapparmor/Makefile
 libraries/libapparmor/Makefile.in
 libraries/libapparmor/aclocal.m4
@@ -60,14 +98,22 @@ libraries/libapparmor/src/Makefile.in
 libraries/libapparmor/src/af_protos.h
 libraries/libapparmor/src/change_hat.lo
 libraries/libapparmor/src/features.lo
+libraries/libapparmor/src/features.o
 libraries/libapparmor/src/grammar.lo
+libraries/libapparmor/src/grammar.o
 libraries/libapparmor/src/kernel.lo
+libraries/libapparmor/src/kernel.o
 libraries/libapparmor/src/kernel_interface.lo
+libraries/libapparmor/src/kernel_interface.o
 libraries/libapparmor/src/libaalogparse.lo
+libraries/libapparmor/src/libaalogparse.o
 libraries/libapparmor/src/libimmunix_warning.lo
 libraries/libapparmor/src/policy_cache.lo
+libraries/libapparmor/src/policy_cache.o
 libraries/libapparmor/src/private.lo
+libraries/libapparmor/src/private.o
 libraries/libapparmor/src/scanner.lo
+libraries/libapparmor/src/scanner.o
 libraries/libapparmor/src/libapparmor.pc
 libraries/libapparmor/src/libapparmor.la
 libraries/libapparmor/src/libimmunix.la
@@ -75,7 +121,19 @@ libraries/libapparmor/src/grammar.c
 libraries/libapparmor/src/grammar.h
 libraries/libapparmor/src/scanner.c
 libraries/libapparmor/src/scanner.h
+libraries/libapparmor/src/test-suite.log
 libraries/libapparmor/src/tst_aalogmisc
+libraries/libapparmor/src/tst_aalogmisc.log
+libraries/libapparmor/src/tst_aalogmisc.o
+libraries/libapparmor/src/tst_aalogmisc.trs
+libraries/libapparmor/src/tst_features
+libraries/libapparmor/src/tst_features.log
+libraries/libapparmor/src/tst_features.o
+libraries/libapparmor/src/tst_features.trs
+libraries/libapparmor/src/tst_kernel
+libraries/libapparmor/src/tst_kernel.log
+libraries/libapparmor/src/tst_kernel.o
+libraries/libapparmor/src/tst_kernel.trs
 libraries/libapparmor/swig/Makefile
 libraries/libapparmor/swig/Makefile.in
 libraries/libapparmor/swig/perl/LibAppArmor.bs
@@ -89,6 +147,7 @@ libraries/libapparmor/swig/perl/MYMETA.json
 libraries/libapparmor/swig/perl/MYMETA.yml
 libraries/libapparmor/swig/perl/blib
 libraries/libapparmor/swig/perl/libapparmor_wrap.c
+libraries/libapparmor/swig/perl/libapparmor_wrap.o
 libraries/libapparmor/swig/perl/pm_to_blib
 libraries/libapparmor/swig/python/LibAppArmor.py
 libraries/libapparmor/swig/python/build/
@@ -98,6 +157,10 @@ libraries/libapparmor/swig/python/Makefile.in
 libraries/libapparmor/swig/python/setup.py
 libraries/libapparmor/swig/python/test/Makefile
 libraries/libapparmor/swig/python/test/Makefile.in
+libraries/libapparmor/swig/python/test/test-suite.log
+libraries/libapparmor/swig/python/test/test_python.py
+libraries/libapparmor/swig/python/test/test_python.py.log
+libraries/libapparmor/swig/python/test/test_python.py.trs
 libraries/libapparmor/swig/ruby/Makefile
 libraries/libapparmor/swig/ruby/Makefile.in
 libraries/libapparmor/testsuite/.deps
@@ -115,6 +178,7 @@ libraries/libapparmor/testsuite/lib/Makefile.in
 libraries/libapparmor/testsuite/libaalogparse.test/Makefile
 libraries/libapparmor/testsuite/libaalogparse.test/Makefile.in
 libraries/libapparmor/testsuite/test_multi/out
+libraries/libapparmor/testsuite/test_multi_multi-test_multi.o
 changehat/mod_apparmor/.libs
 utils/*.8
 utils/*.8.html
@@ -122,6 +186,14 @@ utils/*.5
 utils/*.5.html
 utils/*.tmp
 utils/po/*.mo
+utils/apparmor/*.pyc
+utils/apparmor/rule/*.pyc
+utils/test/.coverage
+utils/test/htmlcov/
+utils/vim/apparmor.vim
+utils/vim/apparmor.vim.5
+utils/vim/apparmor.vim.5.html
+utils/vim/pod2htmd.tmp
 tests/regression/apparmor/access
 tests/regression/apparmor/changehat
 tests/regression/apparmor/changehat_fail

Makefile

@@ -17,12 +17,9 @@ DIRS=libraries/libapparmor \
      profiles \
      tests
 
-#REPO_URL?=lp:apparmor
+# with conversion to git, we don't export from the remote
-# --per-file-timestamps is failing over SSH, https://bugs.launchpad.net/bzr/+bug/1257078
+REPO_URL?=git@gitlab.com:apparmor/apparmor.git
-REPO_URL?=https://code.launchpad.net/~apparmor-dev/apparmor/master
+REPO_BRANCH?=apparmor-2.12
-# alternate possibilities to export from
-#REPO_URL=.
-#REPO_URL="bzr+ssh://bazaar.launchpad.net/~sbeattie/+junk/apparmor-dev/"
 
 COVERITY_DIR=cov-int
 RELEASE_DIR=apparmor-${VERSION}
@@ -31,7 +28,9 @@ __SETUP_DIR?=.
 # We create a separate version for tags because git can't handle tags
 # with embedded ~s in them. No spaces around '-' or they'll get
 # embedded in ${VERSION}
-TAG_VERSION=$(subst ~,-,${VERSION})
+# apparmor version tag format 'vX.Y.ZZ'
+# apparmor branch name format 'apparmor-X.Y'
+TAG_VERSION="v$(subst ~,-,${VERSION})"
 
 # Add exclusion entries arguments for tar here, of the form:
 #   --exclude dir_to_exclude --exclude other_dir
@@ -40,49 +39,52 @@ TAR_EXCLUSIONS=
 .PHONY: tarball
 tarball: clean
 	REPO_VERSION=`$(value REPO_VERSION_CMD)` && \
-	make export_dir __EXPORT_DIR=${RELEASE_DIR} __REPO_VERSION=$${REPO_VERSION} && \
+	$(MAKE) export_dir __EXPORT_DIR=${RELEASE_DIR} __REPO_VERSION=$${REPO_VERSION} && \
-	make setup __SETUP_DIR=${RELEASE_DIR} && \
+	$(MAKE) setup __SETUP_DIR=${RELEASE_DIR} && \
 	tar ${TAR_EXCLUSIONS} -cvzf ${RELEASE_DIR}.tar.gz ${RELEASE_DIR}
 
 .PHONY: snapshot
 snapshot: clean
 	$(eval REPO_VERSION:=$(shell $(value REPO_VERSION_CMD)))
-	$(eval SNAPSHOT_NAME=apparmor-$(VERSION)~$(REPO_VERSION))
+	$(eval SNAPSHOT_NAME=apparmor-$(VERSION)~$(shell echo $(REPO_VERSION) | cut -d '-' -f 2-))
-	make export_dir __EXPORT_DIR=${SNAPSHOT_NAME} __REPO_VERSION=${REPO_VERSION} && \
+	$(MAKE) export_dir __EXPORT_DIR=${SNAPSHOT_NAME} __REPO_VERSION=${REPO_VERSION} && \
-	make setup __SETUP_DIR=${SNAPSHOT_NAME} && \
+	$(MAKE) setup __SETUP_DIR=${SNAPSHOT_NAME} && \
 	tar ${TAR_EXCLUSIONS} -cvzf ${SNAPSHOT_NAME}.tar.gz ${SNAPSHOT_NAME}
 
 .PHONY: coverity
 coverity: snapshot
 	cd $(SNAPSHOT_NAME)/libraries/libapparmor && ./configure --with-python
 	$(foreach dir, $(filter-out utils profiles tests, $(DIRS)), \
-		cov-build --dir $(COVERITY_DIR) -- make -C $(SNAPSHOT_NAME)/$(dir);)
+		cov-build --dir $(COVERITY_DIR) -- $(MAKE) -C $(SNAPSHOT_NAME)/$(dir); \
+		mv $(COVERITY_DIR)/build-log.txt $(COVERITY_DIR)/build-log-$(subst /,.,$(dir)).txt ;)
+	$(foreach dir, libraries/libapparmor utils, \
+		cov-build --dir $(COVERITY_DIR) --no-command --fs-capture-search $(SNAPSHOT_NAME)/$(dir); \
+		mv $(COVERITY_DIR)/build-log.txt $(COVERITY_DIR)/build-log-python-$(subst /,.,$(dir)).txt ;)
 	tar -cvzf $(SNAPSHOT_NAME)-$(COVERITY_DIR).tar.gz $(COVERITY_DIR)
 
 .PHONY: export_dir
 export_dir:
 	mkdir $(__EXPORT_DIR)
-	/usr/bin/bzr export --per-file-timestamps -r $(__REPO_VERSION) $(__EXPORT_DIR) $(REPO_URL)
+	/usr/bin/git archive --prefix=$(__EXPORT_DIR)/ --format tar $(__REPO_VERSION) | tar xv
-	echo "$(REPO_URL) $(__REPO_VERSION)" > $(__EXPORT_DIR)/common/.stamp_rev
+	echo "$(REPO_URL) $(REPO_BRANCH) $(__REPO_VERSION)" > $(__EXPORT_DIR)/common/.stamp_rev
 
 .PHONY: clean
 clean:
 	-rm -rf ${RELEASE_DIR} ./apparmor-${VERSION}~* ${COVERITY_DIR}
 	for dir in $(DIRS); do \
-		make -C $$dir clean; \
+		$(MAKE) -C $$dir clean; \
 	done
 
 .PHONY: setup
 setup:
 	cd $(__SETUP_DIR)/libraries/libapparmor && ./autogen.sh
 	# parser has an extra doc to build
-	make -C $(__SETUP_DIR)/parser extra_docs
+	$(MAKE) -C $(__SETUP_DIR)/parser extra_docs
 	# libraries/libapparmor needs configure to have run before
 	# building docs
 	$(foreach dir, $(filter-out libraries/libapparmor tests, $(DIRS)), \
-		make -C $(__SETUP_DIR)/$(dir) docs;)
+		$(MAKE) -C $(__SETUP_DIR)/$(dir) docs;)
 
 .PHONY: tag
 tag:
-	bzr tag apparmor_${TAG_VERSION}
+	git tag -m 'AppArmor $(VERSION)' -s $(TAG_VERSION)
-

README.md

@@ -1,3 +1,9 @@
+# AppArmor
+
+[![Build status](https://gitlab.com/apparmor/apparmor/badges/master/build.svg)](https://gitlab.com/apparmor/apparmor/commits/master)
+[![Overall test coverage](https://gitlab.com/apparmor/apparmor/badges/master/coverage.svg)](https://gitlab.com/apparmor/apparmor/pipelines)
+[![Core Infrastructure Initiative Best Practices](https://bestpractices.coreinfrastructure.org/projects/1699/badge)](https://bestpractices.coreinfrastructure.org/projects/1699)
+
 ------------
 Introduction
 ------------
@@ -17,9 +23,27 @@ library, available under the LGPL license, which allows change_hat(2)
 and change_profile(2) to be used by non-GPL binaries).
 
 For more information, you can read the techdoc.pdf (available after
-building the parser) and by visiting the http://apparmor.net/ web
+building the parser) and by visiting the https://apparmor.net/ web
 site.
 
+----------------
+Getting in Touch
+----------------
+
+Please send all complaints, feature requests, rants about the software,
+and questions to the
+[AppArmor mailing list](https://lists.ubuntu.com/mailman/listinfo/apparmor).
+
+Bug reports can be filed against the AppArmor project on
+[launchpad](https://bugs.launchpad.net/apparmor) or reported to the mailing
+list directly for those who wish not to register for an account on
+launchpad. See the
+[wiki page](https://gitlab.com/apparmor/apparmor/wikis/home#reporting-bugs)
+for more information.
+
+Security issues can be filed as security bugs on launchpad
+or directed to `security@apparmor.net`. Additional details can be found
+in the [wiki](https://gitlab.com/apparmor/apparmor/wikis/home#reporting-security-vulnerabilities).
 
 -------------
 Source Layout
@@ -27,6 +51,7 @@ Source Layout
 
 AppArmor consists of several different parts:
 
+```
 binutils/	source for basic utilities written in compiled languages
 changehat/	source for using changehat with Apache, PAM and Tomcat
 common/		common makefile rules
@@ -37,6 +62,7 @@ parser/		source for parser/loader and corresponding documentation
 profiles/	configuration files, reference profiles and abstractions
 tests/		regression and stress testsuites
 utils/		high-level utilities for working with AppArmor
+```
 
 --------------------------------------
 Important note on AppArmor kernel code
@@ -57,60 +83,86 @@ Building and Installing AppArmor Userspace
 ------------------------------------------
 
 To build and install AppArmor userspace on your system, build and install in
-the following order.
+the following order. Some systems may need to export various python-related
+environment variables to complete the build. For example, before building
+anything on these systems, use something along the lines of:
 
+```
+$ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
+$ export PYTHON=/usr/bin/python3
+$ export PYTHON_VERSION=3
+$ export PYTHON_VERSIONS=python3
+```
 
 libapparmor:
+
+```
 $ cd ./libraries/libapparmor
 $ sh ./autogen.sh
 $ sh ./configure --prefix=/usr --with-perl --with-python # see below
 $ make
 $ make check
 $ make install
+```
 
 [an additional optional argument to libapparmor's configure is --with-ruby, to
 generate Ruby bindings to libapparmor.]
 
 
 Binary Utilities:
+
+```
 $ cd binutils
 $ make
 $ make check
 $ make install
-
+```
-
-Utilities:
-$ cd utils
-$ make
-$ make check
-$ make install
-
 
 parser:
+
+```
 $ cd parser
 $ make		# depends on libapparmor having been built first
 $ make check
 $ make install
+```
 
 
+Utilities:
+
+```
+$ cd utils
+$ make
+$ make check
+$ make install
+```
+
 Apache mod_apparmor:
+
+```
 $ cd changehat/mod_apparmor
 $ make		# depends on libapparmor having been built first
 $ make install
+```
 
 
 PAM AppArmor:
+
+```
 $ cd changehat/pam_apparmor
 $ make		# depends on libapparmor having been built first
 $ make install
+```
 
 
 Profiles:
+
+```
 $ cd profiles
 $ make
 $ make check	# depends on the parser having been built first
 $ make install
-
+```
 
 [Note that for the parser, binutils, and utils, if you only wish to build/use
  some of the locale languages, you can override the default by passing
@@ -131,38 +183,50 @@ For details on structure and adding tests, see
 tests/regression/apparmor/README.
 
 To run:
+
+```
 $ cd tests/regression/apparmor (requires root)
 $ make
 $ sudo make tests
 $ sudo bash open.sh -r	 # runs and saves the last testcase from open.sh
-
+```
 
 Parser tests
 ------------
 For details on structure and adding tests, see parser/tst/README.
 
 To run:
+
+```
 $ cd parser/tst
 $ make
 $ make tests
-
+```
 
 Libapparmor
 -----------
 For details on structure and adding tests, see libraries/libapparmor/README.
+
+```
 $ cd libraries/libapparmor
 $ make check
+```
 
 Utils
 -----
 Tests for the Python utilities exist in the test/ subdirectory.
+
+```
 $ cd utils
 $ make check
+```
 
 The aa-decode utility to be tested can be overridden by
 setting up environment variable APPARMOR_DECODE; e.g.:
 
+```
 $ APPARMOR_DECODE=/usr/bin/aa-decode make check
+```
 
 Profile checks
 --------------
@@ -170,29 +234,44 @@ A basic consistency check to ensure that the parser and aa-logprof parse
 successfully the current set of shipped profiles. The system or other
 parser and logprof can be passed in by overriding the PARSER and LOGPROF
 variables.
+
+```
 $ cd profiles
 $ make && make check
+```
 
 Stress Tests
 ------------
 To run AppArmor stress tests:
+
+```
 $ make all
+```
 
 Use these:
+
+```
 $ ./change_hat
 $ ./child
 $ ./kill.sh
 $ ./open
 $ ./s.sh
+```
 
 Or run all at once:
+
+```
 $ ./stress.sh
+```
 
 Please note that the above will stress the system so much it may end up
 invoking the OOM killer.
 
 To run parser stress tests (requires /usr/bin/ruby):
+
+```
 $ ./stress.sh
+```
 
 (see stress.sh -h for options)
 
@@ -207,7 +286,10 @@ https://scan.coverity.com/download?tab=cxx to obtain a pre-built copy of
 cov-build.
 
 To generate a compressed tarball of an intermediate Coverity directory:
+
+```
 $ make coverity
+```
 
 The compressed tarball is written to
 apparmor-<SNAPSHOT_VERSION>-cov-int.tar.gz, where <SNAPSHOT_VERSION>

binutils/Makefile

@@ -114,7 +114,7 @@ $(LIBAPPARMOR_A):
 		echo "error: $@ is missing. Pick one of these possible solutions:" 1>&2; \
 		echo "  1) Build against the in-tree libapparmor by building it first and then trying again. See the top-level README for help." 1>&2; \
 		echo "  2) Build against the system libapparmor by adding USE_SYSTEM=1 to your make command." 1>&2;\
-		return 1; \
+		exit 1; \
 	fi
 endif
 

binutils/aa-enabled.pod

@@ -89,6 +89,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 
-apparmor(7), apparmor.d(5), aa_is_enabled(2), and L<http://wiki.apparmor.net>.
+apparmor(7), apparmor.d(5), aa_is_enabled(2), and L<https://wiki.apparmor.net>.
 
 =cut

binutils/aa-exec.pod

@@ -88,6 +88,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
 =head1 SEE ALSO
 
 aa-stack(8), aa-namespace(8), apparmor(7), apparmor.d(5), aa_change_profile(3),
-aa_change_onexec(3) and L<http://wiki.apparmor.net>.
+aa_change_onexec(3) and L<https://wiki.apparmor.net>.
 
 =cut

binutils/po/de.po

@@ -8,14 +8,14 @@ msgstr ""
 "Project-Id-Version: apparmor\n"
 "Report-Msgid-Bugs-To: AppArmor list <apparmor@lists.ubuntu.com>\n"
 "POT-Creation-Date: 2015-11-28 10:23-0800\n"
-"PO-Revision-Date: 2017-03-31 10:44+0000\n"
+"PO-Revision-Date: 2017-12-21 12:20+0000\n"
-"Last-Translator: Tobias Bannert <tobannert@gmail.com>\n"
+"Last-Translator: Christian Boltz <Unknown>\n"
 "Language-Team: German <de@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-04-05 05:23+0000\n"
+"X-Launchpad-Export-Date: 2017-12-22 05:12+0000\n"
-"X-Generator: Launchpad (build 18335)\n"
+"X-Generator: Launchpad (build 18521)\n"
 "Language: de\n"
 
 #: ../aa_enabled.c:26
@@ -26,6 +26,10 @@ msgid ""
 "  -q | --quiet        Don't print out any messages\n"
 "  -h | --help         Print help\n"
 msgstr ""
+"%s: [Optionen]\n"
+"  Optionen:\n"
+"  -q | --quiet        Keine Nachrichten anzeigen\n"
+"  -h | --help         Hilfetext anzeigen\n"
 
 #: ../aa_enabled.c:45
 #, c-format
@@ -61,6 +65,7 @@ msgstr ""
 #, c-format
 msgid "Maybe - insufficient permissions to determine availability.\n"
 msgstr ""
+"Vielleicht - ungenügende Berechtigungen, um die Verfügbarkeit zu prüfen\n"
 
 #: ../aa_enabled.c:84
 #, c-format

changehat/mod_apparmor/Makefile

@@ -87,7 +87,7 @@ docs: ${MANPAGES} ${HTMLMANPAGES}
 install: ${TARGET} ${MANPAGES}
 	mkdir -p ${DESTDIR}/${APXS_INSTALL_DIR}
 	install -m 755 $< ${DESTDIR}/${APXS_INSTALL_DIR}
-	make install_manpages DESTDIR=${DESTDIR}
+	$(MAKE) install_manpages DESTDIR=${DESTDIR}
 
 .PHONY: clean
 clean: pod_clean

changehat/mod_apparmor/mod_apparmor.pod

@@ -140,6 +140,6 @@ them at L<https://bugs.launchpad.net/apparmor/+filebug>.
 =head1 SEE ALSO
 
 apparmor(7), subdomain.conf(5), apparmor_parser(8), aa_change_hat(2) and
-L<http://wiki.apparmor.net>.
+L<https://wiki.apparmor.net>.
 
 =cut

common/Make.rules

@@ -42,10 +42,9 @@ endif
 
 define nl
 
-
 endef
 
-REPO_VERSION_CMD=[ -x /usr/bin/bzr ] && /usr/bin/bzr version-info --custom --template="{revno}" . 2> /dev/null || awk '{ print $2 }' common/.stamp_rev
+REPO_VERSION_CMD=[ -x /usr/bin/git ] && /usr/bin/git describe --tags --long --abbrev=16 --match 'v*' 2> /dev/null || awk '{ print $2 }' common/.stamp_rev
 
 ifndef PYTHON_VERSIONS
 PYTHON_VERSIONS = $(call map, pathsearch, python2 python3)

common/Version

@@ -1 +1 @@
-2.11.95
+2.12.1

deprecated/utils/aa-genprof

@@ -138,7 +138,7 @@ my $ratelimit_saved = sysctl_read($ratelimit_sysctl);
 END { sysctl_write($ratelimit_sysctl, $ratelimit_saved); }
 sysctl_write($ratelimit_sysctl, 0);
 
-UI_Info(gettext("\nBefore you begin, you may wish to check if a\nprofile already exists for the application you\nwish to confine. See the following wiki page for\nmore information:\nhttp://wiki.apparmor.net/index.php/Profiles"));
+UI_Info(gettext("\nBefore you begin, you may wish to check if a\nprofile already exists for the application you\nwish to confine. See the following wiki page for\nmore information:\nhttps://gitlab.com/apparmor/apparmor/wikis/Profiles"));
 
 UI_Important(gettext("Please start the application to be profiled in \nanother window and exercise its functionality now.\n\nOnce completed, select the \"Scan\" button below in \norder to scan the system logs for AppArmor events.  \n\nFor each AppArmor event, you will be given the  \nopportunity to choose whether the access should be  \nallowed or denied."));
 
@@ -195,7 +195,7 @@ for my $p (sort keys %helpers) {
 }
 
 UI_Info(gettext("Reloaded AppArmor profiles in enforce mode."));
-UI_Info(gettext("\nPlease consider contributing your new profile! See\nthe following wiki page for more information:\nhttp://wiki.apparmor.net/index.php/Profiles\n"));
+UI_Info(gettext("\nPlease consider contributing your new profile! See\nthe following wiki page for more information:\nhttps://gitlab.com/apparmor/apparmor/wikis/Profiles\n"));
 UI_Info(sprintf(gettext('Finished generating profile for %s.'), $fqdbin));
 exit 0;
 

libraries/libapparmor/doc/aa_change_hat.pod

@@ -257,6 +257,6 @@ should be used.
 
 apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_profile(2),
 aa_getcon(2) and
-L<http://wiki.apparmor.net>.
+L<https://wiki.apparmor.net>.
 
 =cut

libraries/libapparmor/doc/aa_change_profile.pod

@@ -204,6 +204,6 @@ separate processes should be used.
 =head1 SEE ALSO
 
 apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_hat(2) and
-L<http://wiki.apparmor.net>.
+L<https://wiki.apparmor.net>.
 
 =cut

libraries/libapparmor/doc/aa_features.pod

@@ -136,6 +136,9 @@ I<aa_features> family of functions that return -1 on error.
 All aa_features functions described above are present in libapparmor version
 2.10 and newer.
 
+aa_features_unref() saves the value of errno when called and restores errno
+before exiting in libapparmor version 2.12 and newer.
+
 =head1 BUGS
 
 None known. If you find any, please report them at
@@ -143,6 +146,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 
-openat(2) and L<http://wiki.apparmor.net>.
+openat(2) and L<https://wiki.apparmor.net>.
 
 =cut

libraries/libapparmor/doc/aa_find_mountpoint.pod

@@ -115,6 +115,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
 =head1 SEE ALSO
 
 apparmor(7), apparmor.d(5), apparmor_parser(8), and
-L<http://wiki.apparmor.net>.
+L<https://wiki.apparmor.net>.
 
 =cut

libraries/libapparmor/doc/aa_getcon.pod

@@ -132,6 +132,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
 =head1 SEE ALSO
 
 apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_profile(2),
-aa_splitcon(3) and L<http://wiki.apparmor.net>.
+aa_splitcon(3) and L<https://wiki.apparmor.net>.
 
 =cut

libraries/libapparmor/doc/aa_kernel_interface.pod

@@ -133,7 +133,7 @@ I<*kernel_interface> will point to an I<aa_kernel_interface> object that must
 be freed by aa_kernel_interface_unref(). -1 is returned on error, with errno
 set appropriately, and I<*kernel_interface> will be set to NULL.
 
-aa_kernel_features_ref() returns the value of I<kernel_features>.
+aa_kernel_interface_ref() returns the value of I<kernel_interface>.
 
 The aa_kernel_interface_load() family of functions, the
 aa_kernel_interface_replace() family of functions,
@@ -150,6 +150,9 @@ I<aa_kernel_interface> family of functions that return -1 on error.
 All aa_kernel_interface functions described above are present in libapparmor
 version 2.10 and newer.
 
+aa_kernel_interface_unref() saves the value of errno when called and restores
+errno before exiting in libapparmor version 2.12 and newer.
+
 =head1 BUGS
 
 None known. If you find any, please report them at
@@ -157,6 +160,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 
-aa_features(3), openat(2) and L<http://wiki.apparmor.net>.
+aa_features(3), openat(2) and L<https://wiki.apparmor.net>.
 
 =cut

libraries/libapparmor/doc/aa_policy_cache.pod

@@ -112,6 +112,9 @@ I<aa_policy_cache> family of functions that return -1 on error.
 All aa_policy_cache functions described above are present in libapparmor
 version 2.10 and newer.
 
+aa_policy_cache_unref() saves the value of errno when called and restores errno
+before exiting in libapparmor version 2.12 and newer.
+
 =head1 BUGS
 
 None known. If you find any, please report them at
@@ -120,6 +123,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
 =head1 SEE ALSO
 
 aa_features(3), aa_kernel_interface(3), openat(2) and
-L<http://wiki.apparmor.net>.
+L<https://wiki.apparmor.net>.
 
 =cut

libraries/libapparmor/doc/aa_query_label.pod

@@ -128,6 +128,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
 =head1 SEE ALSO
 
 apparmor(7), apparmor.d(5), apparmor_parser(8), aa_getcon(2), aa_splitcon(3)
-and L<http://wiki.apparmor.net>.
+and L<https://wiki.apparmor.net>.
 
 =cut

libraries/libapparmor/doc/aa_splitcon.pod

@@ -67,6 +67,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 
-aa_getcon(2) and L<http://wiki.apparmor.net>.
+aa_getcon(2) and L<https://wiki.apparmor.net>.
 
 =cut

libraries/libapparmor/doc/aa_stack_profile.pod

@@ -216,6 +216,6 @@ separate processes should be used.
 =head1 SEE ALSO
 
 apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_profile(2),
-aa_getcon(2) and L<http://wiki.apparmor.net>.
+aa_getcon(2) and L<https://wiki.apparmor.net>.
 
 =cut

libraries/libapparmor/include/sys/apparmor.h

@@ -68,7 +68,7 @@ extern int aa_is_enabled(void);
 extern int aa_find_mountpoint(char **mnt);
 
 /* Prototypes for self directed domain transitions
- * see <http://apparmor.net>
+ * see <https://apparmor.net>
  * Please see the change_hat(2) manpage for information.
  */
 

libraries/libapparmor/src/Makefile.am

@@ -27,7 +27,7 @@ INCLUDES = $(all_includes)
 # http://www.gnu.org/software/libtool/manual/html_node/Libtool-versioning.html
 #
 AA_LIB_CURRENT = 5
-AA_LIB_REVISION = 0
+AA_LIB_REVISION = 2
 AA_LIB_AGE = 4
 
 SUFFIXES = .pc.in .pc

libraries/libapparmor/src/features.c

@@ -404,10 +404,7 @@ int aa_features_new(aa_features **features, int dirfd, const char *path)
 		 load_features_dir(dirfd, path, f->string, STRING_SIZE) :
 		 load_features_file(dirfd, path, f->string, STRING_SIZE);
 	if (retval == -1) {
-		int save = errno;
-
 		aa_features_unref(f);
-		errno = save;
 		return -1;
 	}
 
@@ -482,8 +479,12 @@ aa_features *aa_features_ref(aa_features *features)
  */
 void aa_features_unref(aa_features *features)
 {
+	int save = errno;
+
 	if (features && atomic_dec_and_test(&features->ref_count))
 		free(features);
+
+	errno = save;
 }
 
 /**

libraries/libapparmor/src/kernel_interface.c

@@ -229,10 +229,7 @@ int aa_kernel_interface_new(aa_kernel_interface **kernel_interface,
 	if (kernel_features) {
 		aa_features_ref(kernel_features);
 	} else if (aa_features_new_from_kernel(&kernel_features) == -1) {
-		int save = errno;
-
 		aa_kernel_interface_unref(ki);
-		errno = save;
 		return -1;
 	}
 	ki->supports_setload = aa_features_supports(kernel_features, set_load);
@@ -240,11 +237,8 @@ int aa_kernel_interface_new(aa_kernel_interface **kernel_interface,
 
 	if (!apparmorfs) {
 		if (find_iface_dir(&alloced_apparmorfs) == -1) {
-			int save = errno;
-
 			alloced_apparmorfs = NULL;
 			aa_kernel_interface_unref(ki);
-			errno = save;
 			return -1;
 		}
 		/* alloced_apparmorfs will be autofree'ed */
@@ -253,10 +247,7 @@ int aa_kernel_interface_new(aa_kernel_interface **kernel_interface,
 
 	ki->dirfd = open(apparmorfs, O_RDONLY | O_CLOEXEC | O_DIRECTORY);
 	if (ki->dirfd < 0) {
-		int save = errno;
-
 		aa_kernel_interface_unref(ki);
-		errno = save;
 		return -1;
 	}
 
@@ -283,12 +274,16 @@ aa_kernel_interface *aa_kernel_interface_ref(aa_kernel_interface *kernel_interfa
  */
 void aa_kernel_interface_unref(aa_kernel_interface *kernel_interface)
 {
+	int save = errno;
+
 	if (kernel_interface &&
 	    atomic_dec_and_test(&kernel_interface->ref_count)) {
 		if (kernel_interface->dirfd >= 0)
 			close(kernel_interface->dirfd);
 		free(kernel_interface);
 	}
+
+	errno = save;
 }
 
 /**

libraries/libapparmor/src/policy_cache.c

@@ -159,8 +159,6 @@ int aa_policy_cache_new(aa_policy_cache **policy_cache,
 open:
 	pc->dirfd = openat(dirfd, path, O_RDONLY | O_CLOEXEC | O_DIRECTORY);
 	if (pc->dirfd < 0) {
-		int save;
-
 		/* does the dir exist? */
 		if (create && errno == ENOENT) {
 			if (mkdirat(dirfd, path, 0700) == 0)
@@ -172,28 +170,20 @@ open:
 			PDEBUG("Cache directory '%s' does not exist\n", path);
 		}
 
-		save = errno;
 		aa_policy_cache_unref(pc);
-		errno = save;
 		return -1;
 	}
 
 	if (kernel_features) {
 		aa_features_ref(kernel_features);
 	} else if (aa_features_new_from_kernel(&kernel_features) == -1) {
-		int save = errno;
-
 		aa_policy_cache_unref(pc);
-		errno = save;
 		return -1;
 	}
 	pc->kernel_features = kernel_features;
 
 	if (init_cache_features(pc, kernel_features, create)) {
-		int save = errno;
-
 		aa_policy_cache_unref(pc);
-		errno = save;
 		return -1;
 	}
 
@@ -220,6 +210,8 @@ aa_policy_cache *aa_policy_cache_ref(aa_policy_cache *policy_cache)
  */
 void aa_policy_cache_unref(aa_policy_cache *policy_cache)
 {
+	int save = errno;
+
 	if (policy_cache && atomic_dec_and_test(&policy_cache->ref_count)) {
 		aa_features_unref(policy_cache->features);
 		aa_features_unref(policy_cache->kernel_features);
@@ -227,6 +219,8 @@ void aa_policy_cache_unref(aa_policy_cache *policy_cache)
 			close(policy_cache->dirfd);
 		free(policy_cache);
 	}
+
+	errno = save;
 }
 
 /**

libraries/libapparmor/swig/perl/Makefile.am

@@ -12,6 +12,7 @@ LibAppArmor.pm: libapparmor_wrap.c
 
 Makefile.perl: Makefile.PL LibAppArmor.pm
 	$(PERL) $< PREFIX=$(prefix) MAKEFILE=$@
+	sed -ie 's/LD_RUN_PATH="\x24(LD_RUN_PATH)"//g' Makefile.perl
 	sed -ie 's/^LD_RUN_PATH.*//g' Makefile.perl
 
 LibAppArmor.so: libapparmor_wrap.c Makefile.perl

libraries/libapparmor/swig/python/setup.py.in

@@ -5,7 +5,7 @@ setup(name          = 'LibAppArmor',
       version       = '@VERSION@',
       author        = 'AppArmor Dev Team',
       author_email  = 'apparmor@lists.ubuntu.com',
-      url           = 'http://wiki.apparmor.net',
+      url           = 'https://wiki.apparmor.net',
       description   = 'AppArmor python bindings',
       download_url  = 'https://launchpad.net/apparmor/+download',
       package_dir   = {'LibAppArmor': '@srcdir@'},

libraries/libapparmor/testsuite/test_multi/avc_syslog_01.profile

@@ -1,4 +1,4 @@
 /usr/sbin/cupsd {
-  /boot/ r,
+  owner /boot/ r,
 
 }

libraries/libapparmor/testsuite/test_multi/syslog_audit_01.profile

@@ -1,4 +1,4 @@
 /home/ubuntu/bzr/apparmor/tests/regression/apparmor/mkdir {
-  /tmp/sdtest.7283-14445-r31VAP/tmpdir/ w,
+  owner /tmp/sdtest.7283-14445-r31VAP/tmpdir/ w,
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_dmesg_link_01.profile

@@ -1,4 +1,4 @@
 /home/ubuntu/bzr/apparmor/tests/regression/apparmor/link {
-  /tmp/sdtest.19088-12382-HWH57d/linkfile l,
+  owner /tmp/sdtest.19088-12382-HWH57d/linkfile l,
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.profile

@@ -1,4 +1,4 @@
 "/home/steve/tmp/my prog.sh" {
-  "/home/steve/tmp/my prog.sh" r,
+  owner "/home/steve/tmp/my prog.sh" r,
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_encoded_profile.profile

@@ -1,4 +1,4 @@
 profile "test space" {
-  /lib/x86_64-linux-gnu/libdl-2.13.so r,
+  owner /lib/x86_64-linux-gnu/libdl-2.13.so r,
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_syslog_link_01.profile

@@ -1,4 +1,4 @@
 /home/ubuntu/bzr/apparmor/tests/regression/apparmor/link {
-  /tmp/sdtest.19088-12382-HWH57d/linkfile l,
+  owner /tmp/sdtest.19088-12382-HWH57d/linkfile l,
 
 }

libraries/libapparmor/testsuite/test_multi/testcase_syslog_read.profile

@@ -1,4 +1,4 @@
 /usr/sbin/vsftpd {
-  /home/bane/foo r,
+  owner /home/bane/foo r,
 
 }

parser/Makefile

@@ -27,9 +27,9 @@ INSTALL_CONFDIR=${DESTDIR}${CONFDIR}
 LOCALEDIR=/usr/share/locale
 MANPAGES=apparmor.d.5 apparmor.7 apparmor_parser.8 subdomain.conf.5
 
-YACC	:= /usr/bin/bison
+YACC	:= bison
 YFLAGS	:= -d
-LEX	:= /usr/bin/flex
+LEX	:= flex
 LEXFLAGS = -B -v
 WARNINGS = -Wall
 EXTRA_WARNINGS = -Wsign-compare -Wmissing-field-initializers -Wformat-security -Wunused-parameter
@@ -179,7 +179,7 @@ $(LIBAPPARMOR_A):
 		echo "error: $@ is missing. Pick one of these possible solutions:" 1>&2; \
 		echo "  1) Build against the in-tree libapparmor by building it first and then trying again. See the top-level README for help." 1>&2; \
 		echo "  2) Build against the system libapparmor by adding USE_SYSTEM=1 to your make command." 1>&2;\
-		return 1; \
+		exit 1; \
 	fi
 endif
 

parser/README

@@ -2,19 +2,6 @@ The apparmor_parser allows you to add, replace, and remove AppArmor
 policy through the use of command line options. The default is to add.
 `apparmor_parser --help` shows what the command line options are.
 
-You can also find more information at http://wiki.apparmor.net
+You can also find more information at https://wiki.apparmor.net
-
-Please send all complaints, feature requests, rants about the software,
-and questions to the apparmor@lists.ubuntu.com mailing list. Bug
-reports can be filed against the AppArmor project on launchpad.net at
-https://launchpad.net/apparmor or reported to the mailing list directly
-for those who wish not to register for an account on launchpad.
-
-Security issues can be filed as security bugs on launchpad
-or directed to security@ubuntu.com. We will attempt to
-conform to the RFP vulnerability disclosure protocol:
-http://www.wiretrip.net/rfp/policy.html
-
-Thanks.
 
 -- The AppArmor development team

parser/apparmor.d.pod

@@ -55,7 +55,7 @@ B<VARIABLE> = '@{' I<ALPHA> [ ( I<ALPHANUMERIC> | '_' ) ... ] '}'
 
 B<ALIAS RULE> = 'alias' I<ABS PATH> '-E<gt>' I<REWRITTEN ABS PATH> ','
 
-B<INCLUDE> = '#include' ( I<ABS PATH> | I<MAGIC PATH> )
+B<INCLUDE> = ( '#include' | 'include' ) [ 'if exists' ] ( I<ABS PATH> | I<MAGIC PATH> )
 
 B<ABS PATH> = '"' path '"' (the path is passed to open(2))
 
@@ -1414,13 +1414,17 @@ rules into a rule block.
 
 =head2 #include mechanism
 
-AppArmor provides an easy abstraction mechanism to group common file
+AppArmor provides an easy abstraction mechanism to group common
 access requirements; this abstraction is an extremely flexible way to
 grant site-specific rights and makes writing new AppArmor profiles very
 simple by assembling the needed building blocks for any given program.
 
 The use of '#include' is modelled directly after cpp(1); its use will
 replace the '#include' statement with the specified file's contents.
+The leading '#' is optional, and the '#include' keyword can be followed
+by an option conditional 'if exists' that specifies profile compilation
+should continue if the specified file or directory is not found.
+
 B<#include "/absolute/path"> specifies that F</absolute/path> should be
 used.  B<#include "relative/path"> specifies that F<relative/path> should
 be used, where the path is relative to the current working directory.
@@ -1607,6 +1611,6 @@ negative values match when specifying one or the other. Eg, 'rw' matches when
 
 apparmor(7), apparmor_parser(8), aa-complain(1),
 aa-enforce(1), aa_change_hat(2), mod_apparmor(5), and
-L<http://wiki.apparmor.net>.
+L<https://wiki.apparmor.net>.
 
 =cut

parser/apparmor.pod

@@ -70,9 +70,12 @@ with B<.> (except for the root B</>) so profiles are easier to manage
 (e.g. the F</usr/sbin/nscd> profile would be named F<usr.sbin.nscd>).
 
 Profiles are applied to a process at exec(3) time (as seen through the
-execve(2) system call); an already running process cannot be confined.
+execve(2) system call): once a profile is loaded for a program, that
-However, once a profile is loaded for a program, that program will be
+program will be confined on the next exec(3). If a process is already
-confined on the next exec(3).
+running under a profile, when one replaces that profile in the kernel,
+the updated profile is applied immediately to that process.
+On the other hand, a process that is already running unconfined cannot
+be confined.
 
 AppArmor supports the Linux kernel's securityfs filesystem, and makes
 available the list of the profiles currently loaded; to mount the
@@ -162,6 +165,6 @@ apparmor_parser(8), aa_change_hat(2), apparmor.d(5),
 subdomain.conf(5), aa-autodep(1), clean(1),
 auditd(8),
 aa-unconfined(8), aa-enforce(1), aa-complain(1), and
-L<http://wiki.apparmor.net>.
+L<https://wiki.apparmor.net>.
 
 =cut

parser/apparmor_parser.pod

@@ -46,7 +46,7 @@ program. The B<profiles> may be specified by file name or a directory
 name containing a set of profiles. If a directory is specified then the
 B<apparmor_parser> will try to do a profile load for each file in the
 directory that is not a dot file, or explicitly black listed (*.dpkg-new,
-*.dpkg-old, *.dpkg-dist, *-dpkg-bak, *.repnew, *.rpmsave, *orig, *.rej,
+*.dpkg-old, *.dpkg-dist, *-dpkg-bak, *.rpmnew, *.rpmsave, *orig, *.rej,
 *~). The B<apparmor_parser> will fall back to taking input from standard
 input if a profile or directory is not supplied.
 
@@ -376,6 +376,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
 =head1 SEE ALSO
 
 apparmor(7), apparmor.d(5), subdomain.conf(5), aa_change_hat(2), and
-L<http://wiki.apparmor.net>.
+L<https://wiki.apparmor.net>.
 
 =cut

parser/parser_lex.l

@@ -144,7 +144,7 @@ static int include_dir_cb(int dirfd unused, const char *name, struct stat *st,
 	return 0;
 }
 
-void include_filename(char *filename, int search)
+void include_filename(char *filename, int search, bool if_exists)
 {
 	FILE *include_file = NULL;
 	struct stat my_stat;
@@ -161,9 +161,12 @@ void include_filename(char *filename, int search)
 		include_file = fopen(fullpath, "r");
 	}
 
-	if (!include_file)
+	if (!include_file) {
+		if (if_exists)
+			return;
 		yyerror(_("Could not open '%s'"),
                         fullpath ? fullpath: filename);
+	}
 
 	if (fstat(fileno(include_file), &my_stat))
 		yyerror(_("fstat failed for '%s'"), fullpath);
@@ -200,7 +203,7 @@ MODES		{MODE_CHARS}+
 WS		[[:blank:]]
 NUMBER		[[:digit:]]+
 
-ID_CHARS	[^ \t\n"!,]
+ID_CHARS	[^ \t\r\n"!,]
 ID 		{ID_CHARS}|(,{ID_CHARS}|\\[ ]|\\\t|\\\"|\\!|\\,)
 IDS		{ID}+
 POST_VAR_ID_CHARS	[^ \t\n"!,]{-}[=\+]
@@ -257,6 +260,8 @@ LT_EQUAL	<=
 %x UNIX_MODE
 %x CHANGE_PROFILE_MODE
 %x INCLUDE
+%x INCLUDE_EXISTS
+%x ABI_MODE
 
 %%
 
@@ -269,21 +274,59 @@ LT_EQUAL	<=
 	}
 %}
 
-<INITIAL,SUB_ID_WS,INCLUDE,LIST_VAL_MODE,EXTCOND_MODE,LIST_COND_VAL,LIST_COND_PAREN_VAL,LIST_COND_MODE,EXTCONDLIST_MODE,ASSIGN_MODE,NETWORK_MODE,CHANGE_PROFILE_MODE,RLIMIT_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE>{
+<INITIAL,SUB_ID_WS,INCLUDE,INCLUDE_EXISTS,LIST_VAL_MODE,EXTCOND_MODE,LIST_COND_VAL,LIST_COND_PAREN_VAL,LIST_COND_MODE,EXTCONDLIST_MODE,ASSIGN_MODE,NETWORK_MODE,CHANGE_PROFILE_MODE,RLIMIT_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE>{
 	{WS}+	{  DUMP_PREPROCESS; /* Ignoring whitespace */ }
 }
 
-<INCLUDE>{
+<INCLUDE_EXISTS>{
-	(\<([^\> \t\n]+)\>|\"([^\" \t\n]+)\")	{	/* <filename> */
+	(\<([^"\>\t\r\n]+)\>|{QUOTED_ID})	{ /* <filename> | "filename" */
 		autofree char *filename = strndup(yytext, yyleng - 1);
-		include_filename(filename + 1, *filename == '<');
+		include_filename(filename + 1, *filename == '<', true);
 		POP_NODUMP();
 	}
 
-	[^\<\>\" \t\n]+ {	/* filename */
+	(\<{QUOTED_ID}\>)	{	/* <"filename"> */
-		include_filename(yytext, 0);
+		autofree char *filename = strndup(yytext, yyleng - 2);
+		include_filename(filename + 2, true, true);
 		POP_NODUMP();
 	}
+
+	({IDS}|{QUOTED_ID}) {	/* filename */
+		include_filename(yytext, 0, true);
+		POP_NODUMP();
+	}
+}
+
+<INCLUDE>{
+	(\<([^"\>\t\r\n]+)\>|{QUOTED_ID})	{ /* <filename> | "filename" */
+		autofree char *filename = strndup(yytext, yyleng - 1);
+		include_filename(filename + 1, *filename == '<', false);
+		POP_NODUMP();
+	}
+
+	(\<{QUOTED_ID}\>)	{	/* <"filename"> */
+		autofree char *filename = strndup(yytext, yyleng - 2);
+		include_filename(filename + 2, true, false);
+		POP_NODUMP();
+	}
+
+	({IDS}|{QUOTED_ID}) {	/* filename */
+		include_filename(yytext, 0, false);
+		POP_NODUMP();
+	}
+}
+
+<ABI_MODE>{
+	(\<(([^"\>\t\r\n]+)|{QUOTED_ID})\>|{QUOTED_ID}|{IDS})	{ /* <filename> | <"filename"> | "filename" | filename */
+		int lt = *yytext == '<'  ? 1 : 0;
+		char *filename = processid(yytext + lt, yyleng - lt*2);
+		bool exists = YYSTATE == INCLUDE_EXISTS;
+
+		if (!filename)
+			yyerror(_("Failed to process filename\n"));
+		yylval.id = filename;
+		POP_AND_RETURN(TOK_ID);
+	}
 }
 
 <<EOF>> {
@@ -527,6 +570,20 @@ LT_EQUAL	<=
 	}
 }
 
+#include{WS}+if{WS}+exists/{WS}.*\r?\n	{
+	/* Don't use PUSH() macro here as we don't want #include echoed out.
+	 * It needs to be handled specially
+	 */
+	yy_push_state(INCLUDE_EXISTS);
+}
+
+include{WS}+if{WS}+exists/{WS}	{
+	/* Don't use PUSH() macro here as we don't want #include echoed out.
+	 * It needs to be handled specially
+	 */
+	yy_push_state(INCLUDE_EXISTS);
+}
+
 #include/.*\r?\n	{
 	/* Don't use PUSH() macro here as we don't want #include echoed out.
 	 * It needs to be handled specially
@@ -623,6 +680,9 @@ include/{WS}	{
 	case TOK_UNIX:
 		state = UNIX_MODE;
 		break;
+	case TOK_ABI:
+		state = ABI_MODE;
+		break;
 	default: /* nothing */
 		break;
 	}
@@ -675,4 +735,6 @@ unordered_map<int, string> state_names = {
 	STATE_TABLE_ENT(UNIX_MODE),
 	STATE_TABLE_ENT(CHANGE_PROFILE_MODE),
 	STATE_TABLE_ENT(INCLUDE),
+	STATE_TABLE_ENT(INCLUDE_EXISTS),
+	STATE_TABLE_ENT(ABI_MODE),
 };

parser/parser_main.c

@@ -759,6 +759,7 @@ int process_profile(int option, aa_kernel_interface *kernel_interface,
 			return errno;
 		}
 	} else {
+		if (write_cache)
 			pwarn("%s: cannot use or update cache, disable, or force-complain via stdin\n", progname);
 	}
 
@@ -1124,7 +1125,7 @@ int main(int argc, char *argv[])
 		retval = aa_policy_cache_new(&policy_cache, features,
 					     AT_FDCWD, cacheloc, max_caches);
 		if (retval) {
-			if (errno != ENOENT && errno != EEXIST) {
+			if (errno != ENOENT && errno != EEXIST && errno != EROFS) {
 				PERROR(_("Failed setting up policy cache (%s): %s\n"),
 				       cacheloc, strerror(errno));
 				return 1;

parser/parser_misc.c

@@ -111,6 +111,7 @@ static struct keyword_table keyword_table[] = {
 	{"trace",		TOK_TRACE},
 	{"tracedby",		TOK_TRACEDBY},
 	{"readby",		TOK_READBY},
+	{"abi",			TOK_ABI},
 
 	/* terminate */
 	{NULL, 0}

parser/parser_yacc.y

@@ -152,6 +152,7 @@ void add_local_entry(Profile *prof);
 %token TOK_TRACE
 %token TOK_TRACEDBY
 %token TOK_READBY
+%token TOK_ABI
 
  /* rlimits */
 %token TOK_RLIMIT
@@ -400,6 +401,7 @@ hat: hat_start profile_base
 preamble: { /* nothing */ }
 	| preamble alias { /* nothing */ };
 	| preamble varassign { /* nothing */ };
+	| preamble abi_rule { /* nothing */ };
 
 alias: TOK_ALIAS TOK_ID TOK_ARROW TOK_ID TOK_END_OF_RULE
 	{
@@ -615,6 +617,8 @@ rules:	{ /* nothing */
 		$$ = prof;
 	};
 
+rules: rules abi_rule { /* nothing */ }
+
 rules:  rules opt_prefix rule
 	{
 		PDEBUG("matched: rules rule\n");
@@ -1065,6 +1069,12 @@ opt_named_transition: { /* nothing */ $$ = NULL; }
 rule: file_rule { $$ = $1; }
 	| link_rule { $$ = $1; }
 
+abi_rule: TOK_ABI TOK_ID TOK_END_OF_RULE
+	{
+		pwarn(_("%s: Profile abi not supported, falling back to system abi.\n"), progname);
+		free($2);
+	};
+
 opt_exec_mode: { /* nothing */ $$ = EXEC_MODE_EMPTY; }
 	| TOK_UNSAFE { $$ = EXEC_MODE_UNSAFE; };
 	| TOK_SAFE { $$ = EXEC_MODE_SAFE; };

parser/policy_cache.c

@@ -149,11 +149,11 @@ int setup_cache_tmp(const char **cachetmpname, const char *cachename)
 		/* Otherwise, set up to save a cached copy */
 		if (asprintf(&tmpname, "%s-XXXXXX", cachename) < 0) {
 			perror("asprintf");
-			exit(1);
+			return -1;
 		}
 		if ((cache_fd = mkstemp(tmpname)) < 0) {
 			perror("mkstemp");
-			exit(1);
+			return -1;
 		}
 		*cachetmpname = tmpname;
 	}

parser/subdomain.conf.pod

@@ -101,4 +101,4 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
 =head1 SEE ALSO
 
 apparmor(7), apparmor_parser(8), and
-L<http://wiki.apparmor.net>.
+L<https://wiki.apparmor.net>.

parser/tst/Makefile

@@ -57,7 +57,7 @@ valgrind: $(PARSER) gen_xtrans gen_dbus
 	LANG=C ./valgrind_simple.py -p "$(PARSER)" -v simple_tests
 
 $(PARSER):
-	make -C $(PARSER_DIR) $(PARSER_BIN)
+	$(MAKE) -C $(PARSER_DIR) $(PARSER_BIN)
 
 clean:
 	find $(GEN_TRANS_DIRS) -type f | xargs rm -f

parser/tst/simple_tests/abi/bad_1.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi relative path in quotes
+#=EXRESULT FAIL
+#=TODO
+
+abi "abi/4.19,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/bad_10.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path quotes in <> with spaces
+#=EXRESULT FAIL
+#
+
+abi < "abi/4.19">,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/bad_11.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path quotes in <> with spaces
+#=EXRESULT FAIL
+#
+
+abi <"abi/4.19" >,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/bad_12.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path quotes in <> with spaces
+#=EXRESULT FAIL
+#
+
+abi < "abi/4.19" >,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/bad_2.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi relative path in quotes with spaces
+#=EXRESULT FAIL
+#
+
+abi abi/4.19",
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/bad_3.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi abs path in quotes
+#=EXRESULT FAIL
+#
+
+abi "/abi/4.19"
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/bad_4.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi abs path in quotes with space
+#=EXRESULT FAIL
+#
+
+abi "/abi/4.19 ubuntu,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/bad_5.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi relative path no quotes missing ,
+#=EXRESULT FAIL
+#
+
+abi abi/4.19
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/bad_6.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path
+#=EXRESULT FAIL
+#=TODO
+
+abi <abi/4.19,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_1.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi relative path in quotes
+#=EXRESULT PASS
+#
+
+abi "abi/4.19",
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_10.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path quotes in <> with spaces
+#=EXRESULT PASS
+#=TODO
+
+abi < "abi/4.19">,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_11.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path quotes in <> with spaces
+#=EXRESULT PASS
+#=DISABLED
+
+abi <"abi/4.19" >,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_12.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path quotes in <> with spaces
+#=EXRESULT PASS
+#=TODO
+
+abi < "abi/4.19" >,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_13.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path quotes in <> with spaces
+#=EXRESULT PASS
+#
+
+abi <"abi/4.19 ubuntu">,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_14.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path with space between path and ,
+#=EXRESULT PASS
+#
+
+abi <abi/4.19> ,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_15.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path with space between path and ,
+#=EXRESULT PASS
+#
+
+abi "abi/4.19" ,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_16.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path with space between path and ,
+#=EXRESULT PASS
+#
+
+abi abi/4.19 ,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_17.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path no space between and and path
+#=EXRESULT PASS
+#
+
+abi<abi/4.19>,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_18.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path no space between and and path
+#=EXRESULT PASS
+#
+
+abi"abi/4.19",
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_2.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi relative path in quotes with spaces
+#=EXRESULT PASS
+#
+
+abi "abi/4.19 ubuntu",
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_20.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION abi testing - abi path in profile
+#=EXRESULT PASS
+#
+
+
+/does/not/exist {
+  abi <abi/4.19>,
+
+}

parser/tst/simple_tests/abi/ok_21.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION abi testing - abi path in profile
+#=EXRESULT PASS
+#
+
+
+/does/not/exist {
+  abi "abi/4.19",
+
+}

parser/tst/simple_tests/abi/ok_22.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION abi testing - abi path in profile
+#=EXRESULT PASS
+#
+
+
+/does/not/exist {
+  abi abi/4.19,
+
+}

parser/tst/simple_tests/abi/ok_3.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi abs path in quotes
+#=EXRESULT PASS
+#
+
+abi "/abi/4.19",
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_4.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi abs path in quotes with space
+#=EXRESULT PASS
+#
+
+abi "/abi/4.19 ubuntu",
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_5.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi relative path no quotes
+#=EXRESULT PASS
+#
+
+abi abi/4.19,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_6.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path
+#=EXRESULT PASS
+#
+
+abi <abi/4.19>,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_7.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path spaces
+#=EXRESULT PASS
+#
+
+abi < abi/4.19>,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_8.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path spaces
+#=EXRESULT PASS
+#
+
+abi <abi/4.19 >,
+
+/does/not/exist {
+}

parser/tst/simple_tests/abi/ok_9.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path spaces
+#=EXRESULT PASS
+#
+
+abi < abi/4.19 >,
+
+/does/not/exist {
+}

parser/tst/simple_tests/bare_include_tests/bad_11.sd

@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION includes testing - non-existent include should fail
+#=EXRESULT FAIL
+#
+/does/not/exist {
+  #include "does-not-exist/does-not-exist"
+}

parser/tst/simple_tests/bare_include_tests/bad_12.sd

@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION includes testing - mis-parsing include should fail
+#=EXRESULT FAIL
+#
+/does/not/exist {
+  #include "/does-not-exist/does-not-exist"
+}

parser/tst/simple_tests/bare_include_tests/bad_13.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION includes testing - non-existent include should fail
+#=EXRESULT FAIL
+#
+/does/not/exist {
+  #include "does-not-exist/does-not-exist"
+  #include <includes/base>
+}

parser/tst/simple_tests/bare_include_tests/bad_14.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION includes testing - non-existent include should fail
+#=EXRESULT FAIL
+#
+/does/not/exist {
+  #include <includes/base>
+  #include "../does-not-exist/does-not-exist"
+}

parser/tst/simple_tests/bare_include_tests/ok_11.sd

@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION includes testing - basic include of global and local include
+#=EXRESULT PASS
+#
+/does/not/exist {
+  include "simple_tests/include_tests/includes_okay_helper.include"
+}

parser/tst/simple_tests/bare_include_tests/ok_12.sd

@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION includes testing - basic include of global and local include
+#=EXRESULT PASS
+#
+/does/not/exist {
+  include "../tst/simple_tests/include_tests/includes_okay_helper.include"
+}

parser/tst/simple_tests/bare_include_tests/ok_13.sd

@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION includes testing - basic include of global and local include
+#=EXRESULT PASS
+#
+/does/not/exist {
+  include "./simple_tests/include_tests/includes_okay_helper.include"
+}

parser/tst/simple_tests/bare_include_tests/ok_14.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION includes testing - test some "odd" locations of includes
+#=EXRESULT PASS
+#
+/does/not/exist {
+  /does/not/exist mr,   include <includes/base> /bin/true Px,
+  include "../tst/simple_tests/include_tests/includes_okay_helper.include" include <includes/base>
+}

parser/tst/simple_tests/bare_include_tests/ok_15.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION includes testing - basic include of a directory
+#=EXRESULT PASS
+#
+/does/not/exist {
+  include <includes/base>
+  include "simple_tests/includes/"
+  include <includes/base>
+}

parser/tst/simple_tests/bare_include_tests/ok_16.sd

@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION includes testing - basic include of global and local include
+#=EXRESULT PASS
+#
+/does/not/exist {
+  include simple_tests/include_tests/includes_okay_helper.include
+}

parser/tst/simple_tests/bare_include_tests/ok_17.sd

@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION includes testing - basic include of global and local include
+#=EXRESULT PASS
+#
+/does/not/exist {
+  include ../tst/simple_tests/include_tests/includes_okay_helper.include
+}

parser/tst/simple_tests/bare_include_tests/ok_18.sd

@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION includes testing - basic include of global and local include
+#=EXRESULT PASS
+#
+/does/not/exist {
+  include ./simple_tests/include_tests/includes_okay_helper.include
+}

parser/tst/simple_tests/bare_include_tests/ok_19.sd

@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION includes testing - test some "odd" locations of includes
+#=EXRESULT PASS
+#
+/does/not/exist {
+  /does/not/exist mr,   include <includes/base> /bin/true Px,
+  include ../tst/simple_tests/include_tests/includes_okay_helper.include include <includes/base>
+}

parser/tst/simple_tests/bare_include_tests/ok_20.sd

@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION includes testing - basic include of a directory
+#=EXRESULT PASS
+#
+/does/not/exist {
+  include <includes/base>
+  include simple_tests/includes/
+  include <includes/base>
+}

parser/tst/simple_tests/bare_include_tests/ok_26.sd

@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION includes testing - basic include of global and local include
+#=EXRESULT PASS
+#
+/does/not/exist {
+  include "simple_tests/include_tests/includes with space helper.include"
+}

parser/tst/simple_tests/bare_include_tests/ok_27.sd

@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION includes testing - basic include of global and local include
+#=EXRESULT PASS
+#
+/does/not/exist {
+  include "simple_tests/include_tests/includes with space helper.include"  #comment
+}

parser/tst/simple_tests/bare_include_tests/ok_28.sd

@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION includes testing - basic include of global and local include
+#=EXRESULT PASS
+#
+/does/not/exist {
+  include <"include_tests/includes with space helper.include">
+}

parser/tst/simple_tests/bare_include_tests/ok_29.sd

@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION includes testing - basic include of global and local include
+#=EXRESULT PASS
+#
+/does/not/exist {
+  include <"include_tests/includes with space helper.include">  #comment
+}

parser/tst/simple_tests/bare_include_tests/ok_30.sd

@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION includes testing - basic include of global and local include
+#=EXRESULT PASS
+#
+/does/not/exist {
+  include <include_tests/includes with space helper.include>
+}

parser/tst/simple_tests/bare_include_tests/ok_31.sd

@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION includes testing - basic include of global and local include
+#=EXRESULT PASS
+#
+/does/not/exist {
+  include <include_tests/includes with space helper.include>    #comment
+}

parser/tst/simple_tests/bare_include_tests/ok_61.sd

@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION include if existss testing - basic include if exists of global and local include
+#=EXRESULT PASS
+#
+/does/not/exist {
+  include if exists "simple_tests/include_tests/includes_okay_helper.include"
+}

parser/tst/simple_tests/bare_include_tests/ok_62.sd

@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION include if existss testing - basic include if exists of global and local include
+#=EXRESULT PASS
+#
+/does/not/exist {
+  include if exists "../tst/simple_tests/include_tests/includes_okay_helper.include"
+}