Bump version to 2.10.3

Signed-off-by: John Johansen <john.johansen@canonical.com>

common/Version

@@ -1 +1 @@
-2.10.2
+2.10.3

libraries/libapparmor/swig/python/test/test_python.py.in

@@ -121,7 +121,7 @@ class AAPythonBindingsTests(unittest.TestCase):
                     continue
                 else:
                     new_record[key] = str(value)
-            elif record.__getattr__(key):
+            elif value or value == '':
                 new_record[key] = str(value)
 
         return new_record

libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.in

@@ -0,0 +1 @@
+Feb 21 23:22:01 mail-20170118 kernel: [1222198.459750] audit: type=1400 audit(1487719321.954:218): apparmor="ALLOWED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=19941 comm="apache2"

libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.out

@@ -0,0 +1,12 @@
+START
+File: unconfined-change_hat.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1487719321.954:218
+Operation: change_hat
+Profile: unconfined
+Command: apache2
+Info: unconfined can not change_hat
+ErrorCode: 1
+PID: 19941
+Epoch: 1487719321
+Audit subid: 218

parser/af_unix.cc

@@ -196,16 +196,20 @@ static void writeu16(std::ostringstream &o, int v)
 #define CMD_OPT		4
 
 void unix_rule::downgrade_rule(Profile &prof) {
+	unsigned int mask = (unsigned int) -1;
+
 	if (!prof.net.allow && !prof.alloc_net_table())
 		yyerror(_("Memory allocation error."));
+	if (sock_type_n != -1)
+		mask = 1 << sock_type_n;
 	if (deny) {
-		prof.net.deny[AF_UNIX] |= 1 << sock_type_n;
+		prof.net.deny[AF_UNIX] |= mask;
 		if (!audit)
-			prof.net.quiet[AF_UNIX] |= 1 << sock_type_n;
+			prof.net.quiet[AF_UNIX] |= mask;
 	} else {
-		prof.net.allow[AF_UNIX] |= 1 << sock_type_n;
+		prof.net.allow[AF_UNIX] |= mask;
 		if (audit)
-			prof.net.audit[AF_UNIX] |= 1 << sock_type_n;
+			prof.net.audit[AF_UNIX] |= mask;
 	}
 }
 

parser/apparmor.d.pod

@@ -109,7 +109,7 @@ capabilities(7))
 
 B<NETWORK RULE> = [ I<QUALIFIERS> ] 'network' [ I<DOMAIN> ] [ I<TYPE> | I<PROTOCOL> ]
 
-B<DOMAIN> = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'bluetooth' | 'netlink' | 'unix' | 'rds' | 'llc' | 'can' | 'tipc' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' | 'mpls' | 'ib' ) ','
+B<DOMAIN> = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'bluetooth' | 'netlink' | 'unix' | 'rds' | 'llc' | 'can' | 'tipc' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' | 'mpls' | 'ib' | 'kcm' | 'smc' ) ','
 
 B<TYPE> = ( 'stream' | 'dgram' | 'seqpacket' |  'rdm' | 'raw' | 'packet' )
 

parser/libapparmor_re/expr-tree.h

@@ -672,7 +672,7 @@ public:
 
 	~hashedNodeVec()
 	{
-		delete nodes;
+		delete [] nodes;
 	}
 
 	unsigned long size()const { return len; }

parser/rc.apparmor.functions

@@ -451,34 +451,7 @@ __apparmor_restart() {
 
 	configure_owlsm
 	parse_profiles reload
-	# Clean out running profiles not associated with the current profile
-	# set, excluding the libvirt dynamically generated profiles.
-	# Note that we reverse sort the list of profiles to remove to
-	# ensure that child profiles (e.g. hats) are removed before the
-	# parent. We *do* need to remove the child profile and not rely
-	# on removing the parent profile when the profile has had its
-	# child profile names changed.
-	profiles_names_list | awk '
-BEGIN {
-  while (getline < "'${SFS_MOUNTPOINT}'/profiles" ) {
-    str = sub(/ \((enforce|complain)\)$/, "", $0);
-    if (match($0, /^libvirt-[0-9a-f\-]+$/) == 0)
-      arr[$str] = $str
-  }
-}
 
-{ if (length(arr[$0]) > 0) { delete arr[$0] } }
-
-END {
-  for (key in arr)
-    if (length(arr[key]) > 0) {
-      printf("%s\n", arr[key])
-    }
-}
-' | LC_COLLATE=C sort -r | while IFS= read profile ; do
-		echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
-	done
-	# will not catch all errors, but still better than nothing
 	rc=$?
 	aa_log_end_msg $rc
 	return $rc

profiles/apparmor.d/abstractions/apache2-common

@@ -8,6 +8,8 @@
   signal (receive) peer=unconfined,
   # Allow apache to send us signals by default
   signal (receive) peer=/usr/sbin/apache2,
+  # Allow other hats to signal by default
+  signal peer=/usr/sbin/apache2//*,
   # Allow us to signal ourselves
   signal peer=@{profile_name},
 
@@ -25,3 +27,8 @@
 
   /dev/urandom            r,
 
+  # sasl-auth
+  /run/saslauthd/mux rw,
+
+  # OCSP stapling
+  /var/log/apache2/stapling-cache rw,

profiles/apparmor.d/abstractions/base

@@ -92,7 +92,7 @@
   /sys/devices/system/cpu/online r,
 
   # glibc's *printf protections read the maps file
-  @{PROC}/@{pid}/maps            r,
+  @{PROC}/@{pid}/{maps,auxv,status} r,
 
   # libgcrypt reads some flags from /proc
   @{PROC}/sys/crypto/*           r,

profiles/apparmor.d/abstractions/freedesktop.org

@@ -10,10 +10,10 @@
 # ------------------------------------------------------------------
 
   # system configuration
-  /usr/share/applications/               r,
-  /usr/share/applications/defaults.list  r,
-  /usr/share/applications/mimeinfo.cache r,
-  /usr/share/applications/*.desktop      r,
+  /usr/{,local/}share/applications/{*/,}               r,
+  /usr/{,local/}share/applications/{*/,}defaults.list  r,
+  /usr/{,local/}share/applications/{*/,}mimeinfo.cache r,
+  /usr/{,local/}share/applications/{*/,}*.desktop      r,
   /usr/share/icons/               r,
   /usr/share/icons/**             r,
   /usr/share/pixmaps/             r,

profiles/apparmor.d/abstractions/nameservice

@@ -29,6 +29,7 @@
   # When using sssd, the passwd and group files are stored in an alternate path
   # and the nss plugin also needs to talk to a pipe
   /var/lib/sss/mc/group   r,
+  /var/lib/sss/mc/initgroups r,
   /var/lib/sss/mc/passwd  r,
   /var/lib/sss/pipes/nss  rw,
 

profiles/apparmor.d/abstractions/perl

@@ -15,8 +15,8 @@
 
   /usr/lib{,32,64}/perl5/**                    r,
   /usr/lib{,32,64}/perl{,5}/**.so*             mr,
-  /usr/lib/@{multiarch}/perl{,5}/**            r,
-  /usr/lib/@{multiarch}/perl{,5}/[0-9]*/**.so* mr,
+  /usr/lib/@{multiarch}/perl{,5,-base}/**            r,
+  /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]*/**.so* mr,
 
   /usr/share/perl/**             r,
   /usr/share/perl5/**            r,

profiles/apparmor.d/abstractions/postfix-common

@@ -22,7 +22,7 @@
 
   /etc/mailname         r,
   /etc/postfix/*.cf     r,
-  /etc/postfix/*.db     r,
+  /etc/postfix/*.db     rk,
   @{PROC}/net/if_inet6  r,
   /usr/lib/postfix/*.so mr,
   /usr/lib{,32,64}/sasl2/*    mr,

profiles/apparmor.d/abstractions/python

@@ -10,18 +10,18 @@
 #
 # ------------------------------------------------------------------
 
-  /usr/lib{,32,64}/python{2.[4-7],3.[0-5]}/**.{pyc,so}           mr,
-  /usr/lib{,32,64}/python{2.[4-7],3.[0-5]}/**.{egg,py,pth}       r,
-  /usr/lib{,32,64}/python{2.[4-7],3.[0-5]}/{site,dist}-packages/ r,
-  /usr/lib{,32,64}/python3.[0-5]/lib-dynload/*.so            mr,
+  /usr/lib{,32,64}/python{2.[4-7],3.[0-6]}/**.{pyc,so}           mr,
+  /usr/lib{,32,64}/python{2.[4-7],3.[0-6]}/**.{egg,py,pth}       r,
+  /usr/lib{,32,64}/python{2.[4-7],3.[0-6]}/{site,dist}-packages/ r,
+  /usr/lib{,32,64}/python3.[0-6]/lib-dynload/*.so            mr,
 
-  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-5]}/**.{pyc,so}           mr,
-  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-5]}/**.{egg,py,pth}       r,
-  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-5]}/{site,dist}-packages/ r,
-  /usr/local/lib{,32,64}/python3.[0-5]/lib-dynload/*.so            mr,
+  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-6]}/**.{pyc,so}           mr,
+  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-6]}/**.{egg,py,pth}       r,
+  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-6]}/{site,dist}-packages/ r,
+  /usr/local/lib{,32,64}/python3.[0-6]/lib-dynload/*.so            mr,
 
   # Site-wide configuration
-  /etc/python{2.[4-7],3.[0-5]}/** r,
+  /etc/python{2.[4-7],3.[0-6]}/** r,
 
   # shared python paths
   /usr/share/{pyshared,pycentral,python-support}/**      r,
@@ -34,4 +34,4 @@
   /usr/lib/wx/python/*.pth r,
 
   # python build configuration and headers
-  /usr/include/python{2.[4-7],3.[0-5]}*/pyconfig.h r,
+  /usr/include/python{2.[4-7],3.[0-6]}*/pyconfig.h r,

profiles/apparmor.d/abstractions/samba

@@ -11,6 +11,7 @@
 
   /etc/samba/* r,
   /usr/lib*/ldb/*.so mr,
+  /usr/lib*/samba/ldb/*.so mr,
   /usr/share/samba/*.dat r,
   /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
   /var/cache/samba/ w,

profiles/apparmor.d/usr.lib.dovecot.anvil

@@ -18,6 +18,7 @@
   capability setuid,
   capability sys_chroot,
 
+  /run/dovecot/anvil rw,
   /usr/lib/dovecot/anvil mr,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/usr.lib.dovecot.auth

@@ -37,6 +37,9 @@
   /var/tmp/sieve_* rw,
   /var/tmp/smtp_* rw,
 
+  /run/dovecot/auth-master rw,
+  /run/dovecot/auth-worker rw,
+  /run/dovecot/login/login rw,
   /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
   /{var/,}run/dovecot/stats-user rw,
   /{var/,}run/dovecot/anvil-auth-penalty rw,

profiles/apparmor.d/usr.lib.dovecot.dovecot-lda

@@ -12,7 +12,7 @@
 #include <tunables/global>
 #include <tunables/dovecot>
 
-/usr/lib/dovecot/dovecot-lda {
+/usr/lib/dovecot/dovecot-lda flags=(attach_disconnected) {
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/dovecot-common>
@@ -26,9 +26,11 @@
   /proc/*/mounts r,
   owner /tmp/dovecot.lda.* rw,
   /{var/,}run/dovecot/mounts r,
+  /run/dovecot/auth-userdb rw,
   /usr/bin/doveconf mrix,
   /usr/lib/dovecot/dovecot-lda mrix,
   /usr/sbin/sendmail Cx,
+  /usr/share/dovecot/protocols.d/ r,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.lib.dovecot.dovecot-lda>

profiles/apparmor.d/usr.lib.dovecot.imap

@@ -21,6 +21,8 @@
   capability setuid,
   deny capability block_suspend,
 
+  network unix stream,
+
   @{DOVECOT_MAILSTORE}/ rw,
   @{DOVECOT_MAILSTORE}/** rwkl,
 
@@ -33,6 +35,7 @@
   /usr/bin/doveconf rix,
   /usr/lib/dovecot/imap mrix,
   /usr/share/dovecot/** r,
+  /run/dovecot/login/imap rw,
   /{,var/}run/dovecot/auth-master rw,
   /{,var/}run/dovecot/mounts r,
 

profiles/apparmor.d/usr.lib.dovecot.imap-login

@@ -22,9 +22,11 @@
 
   network inet stream,
   network inet6 stream,
+  network unix stream,
 
   /usr/lib/dovecot/imap-login mr,
   /{,var/}run/dovecot/anvil rw,
+  /{,var/}run/dovecot/login-master-notify* rw,
   /{,var/}run/dovecot/login/ r,
   /{,var/}run/dovecot/login/* rw,
 

profiles/apparmor.d/usr.lib.dovecot.ssl-params

@@ -15,6 +15,7 @@
   #include <abstractions/base>
   #include <abstractions/dovecot-common>
 
+  /run/dovecot/login/ssl-params rw,
   /usr/lib/dovecot/ssl-params mr,
   /var/lib/dovecot/ssl-parameters.dat rw,
   /var/lib/dovecot/ssl-parameters.dat.tmp rwk,

profiles/apparmor.d/usr.sbin.dovecot

@@ -12,7 +12,7 @@
 
 #include <tunables/global>
 
-/usr/sbin/dovecot {
+/usr/sbin/dovecot flags=(attach_disconnected) {
   #include <abstractions/authentication>
   #include <abstractions/base>
   #include <abstractions/dovecot-common>
@@ -36,21 +36,21 @@
   /etc/SuSE-release r,
   @{PROC}/@{pid}/mounts r,
   /usr/bin/doveconf rix,
-  /usr/lib/dovecot/anvil Px,
-  /usr/lib/dovecot/auth Px,
-  /usr/lib/dovecot/config Px,
-  /usr/lib/dovecot/dict Px,
+  /usr/lib/dovecot/anvil mrPx,
+  /usr/lib/dovecot/auth mrPx,
+  /usr/lib/dovecot/config mrPx,
+  /usr/lib/dovecot/dict mrPx,
   /usr/lib/dovecot/dovecot-auth Pxmr,
   /usr/lib/dovecot/imap Pxmr,
   /usr/lib/dovecot/imap-login Pxmr,
-  /usr/lib/dovecot/lmtp Px,
-  /usr/lib/dovecot/log Px,
-  /usr/lib/dovecot/managesieve Px,
+  /usr/lib/dovecot/lmtp mrPx,
+  /usr/lib/dovecot/log mrPx,
+  /usr/lib/dovecot/managesieve mrPx,
   /usr/lib/dovecot/managesieve-login Pxmr,
-  /usr/lib/dovecot/pop3 Px,
+  /usr/lib/dovecot/pop3 mrPx,
   /usr/lib/dovecot/pop3-login Pxmr,
   /usr/lib/dovecot/ssl-build-param rix,
-  /usr/lib/dovecot/ssl-params Px,
+  /usr/lib/dovecot/ssl-params mrPx,
   /usr/sbin/dovecot mrix,
   /usr/share/dovecot/protocols.d/   r,
   /usr/share/dovecot/protocols.d/** r,

profiles/apparmor.d/usr.sbin.traceroute

@@ -15,6 +15,7 @@
   #include <abstractions/consoles>
   #include <abstractions/nameservice>
 
+  deny capability net_admin, # noisy setsockopt() calls
   capability net_raw,
 
   network inet raw,
@@ -23,6 +24,7 @@
   /usr/sbin/traceroute mrix,
   /usr/bin/traceroute.db mrix,
   @{PROC}/net/route r,
+  @{PROC}/sys/net/ipv4/{tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.sbin.traceroute>

profiles/apparmor.d/usr.sbin.winbindd

@@ -20,6 +20,7 @@
   @{PROC}/sys/kernel/core_pattern r,
   /tmp/.winbindd/ w,
   /tmp/krb5cc_* rwk,
+  /usr/lib*/samba/gensec/krb*.so mr,
   /usr/lib*/samba/idmap/*.so mr,
   /usr/lib*/samba/nss_info/*.so mr,
   /usr/lib*/samba/pdb/*.so mr,

profiles/apparmor/profiles/extras/usr.lib.postfix.anvil

@@ -13,7 +13,6 @@
 /usr/lib/postfix/anvil {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   capability setgid,

profiles/apparmor/profiles/extras/usr.lib.postfix.bounce

@@ -13,7 +13,6 @@
 /usr/lib/postfix/bounce {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   capability setgid,

profiles/apparmor/profiles/extras/usr.lib.postfix.cleanup

@@ -13,7 +13,6 @@
 /usr/lib/postfix/cleanup {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   capability net_bind_service,

profiles/apparmor/profiles/extras/usr.lib.postfix.error

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2006 Novell/SUSE
+#    Copyright (C) 2017 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -13,8 +14,13 @@
 /usr/lib/postfix/error {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
-  /usr/lib/postfix/error rmix,
+  @{PROC}/sys/kernel/ngroups_max r,
+  /usr/lib/postfix/error mrix,
+  owner /var/spool/postfix/active/* rwk,
+  /var/spool/postfix/pid/unix.error rwk,
+  /var/spool/postfix/pid/unix.retry rwk,
+  owner /var/spool/postfix/private/defer w,
+
 }

profiles/apparmor/profiles/extras/usr.lib.postfix.flush

@@ -13,7 +13,6 @@
 /usr/lib/postfix/flush {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   capability setgid,

profiles/apparmor/profiles/extras/usr.lib.postfix.lmtp

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2006 Novell/SUSE
+#    Copyright (C) 2017 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -13,8 +14,10 @@
 /usr/lib/postfix/lmtp {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
-  /usr/lib/postfix/lmtp rmix,
+  /usr/lib/postfix/lmtp mrix,
+  /var/spool/postfix/active/* rwk,
+  /var/spool/postfix/pid/unix.lmtp rwk,
+
 }

profiles/apparmor/profiles/extras/usr.lib.postfix.local

@@ -14,7 +14,6 @@
   #include <abstractions/base>
   #include <abstractions/bash>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/user-mail>
   #include <abstractions/postfix-common>
 

profiles/apparmor/profiles/extras/usr.lib.postfix.master

@@ -12,7 +12,6 @@
 
 /usr/lib/postfix/master {
   #include <abstractions/base>
-  #include <abstractions/kerberosclient>
   #include <abstractions/nameservice>
   #include <abstractions/postfix-common>
 

profiles/apparmor/profiles/extras/usr.lib.postfix.nqmgr

@@ -12,7 +12,6 @@
 
 /usr/lib/postfix/nqmgr {
   #include <abstractions/base>
-  #include <abstractions/kerberosclient>
   #include <abstractions/nameservice>
   #include <abstractions/postfix-common>
 

profiles/apparmor/profiles/extras/usr.lib.postfix.pickup

@@ -12,7 +12,6 @@
 
 /usr/lib/postfix/pickup {
   #include <abstractions/base>
-  #include <abstractions/kerberosclient>
   #include <abstractions/nameservice>
   #include <abstractions/postfix-common>
 

profiles/apparmor/profiles/extras/usr.lib.postfix.pipe

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2006 Novell/SUSE
+#    Copyright (C) 2017 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -12,6 +13,14 @@
 
 /usr/lib/postfix/pipe {
   #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/postfix-common>
+
+  /usr/lib/postfix/pipe mrix,
+  /var/spool/postfix/active/* rwk,
+  /var/spool/postfix/private/bounce w,
+  /var/spool/postfix/private/defer w,
+  /var/spool/postfix/private/rewrite w,
+  /var/spool/postfix/private/trace w,
 
-  /usr/lib/postfix/pipe rmix,
 }

profiles/apparmor/profiles/extras/usr.lib.postfix.qmgr

@@ -12,7 +12,6 @@
 
 /usr/lib/postfix/qmgr {
   #include <abstractions/base>
-  #include <abstractions/kerberosclient>
   #include <abstractions/nameservice>
   #include <abstractions/postfix-common>
 

profiles/apparmor/profiles/extras/usr.lib.postfix.qmqpd

@@ -13,7 +13,6 @@
 /usr/lib/postfix/qmqpd {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   /usr/lib/postfix/qmqpd rmix,

profiles/apparmor/profiles/extras/usr.lib.postfix.showq

@@ -13,7 +13,6 @@
 /usr/lib/postfix/showq {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   /usr/lib/postfix/showq                       rmix,

profiles/apparmor/profiles/extras/usr.lib.postfix.smtp

@@ -13,7 +13,6 @@
 /usr/lib/postfix/smtp {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
   #include <abstractions/openssl>
 

profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd

@@ -13,7 +13,6 @@
 /usr/lib/postfix/smtpd {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
   #include <abstractions/openssl>
 

profiles/apparmor/profiles/extras/usr.lib.postfix.spawn

@@ -13,7 +13,6 @@
 /usr/lib/postfix/spawn {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   /usr/lib/postfix/spawn rmix,

profiles/apparmor/profiles/extras/usr.lib.postfix.trivial-rewrite

@@ -13,7 +13,6 @@
 /usr/lib/postfix/trivial-rewrite {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   /usr/lib/postfix/trivial-rewrite            rmix,

profiles/apparmor/profiles/extras/usr.lib.postfix.verify

@@ -13,7 +13,6 @@
 /usr/lib/postfix/verify {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   /usr/lib/postfix/verify rmix,

profiles/apparmor/profiles/extras/usr.lib.postfix.virtual

@@ -13,7 +13,6 @@
 /usr/lib/postfix/virtual {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   capability setgid,

tests/regression/apparmor/environ.c

@@ -63,6 +63,8 @@ int main(int argc, char *argv[])
 		if (retval == RET_CHLD_SUCCESS) {
 			printf("PASS\n");
 			retval = 0;
+		} else {
+			printf("FAIL: Child failed\n");
 		}
 
 	} else if (pid == 0) {

utils/Makefile

@@ -24,7 +24,7 @@ PERLTOOLS = aa-exec aa-notify
 PYTOOLS = aa-easyprof aa-genprof aa-logprof aa-cleanprof aa-mergeprof \
           aa-autodep aa-audit aa-complain aa-enforce aa-disable \
 	  aa-status aa-unconfined
-TOOLS = ${PERLTOOLS} ${PYTOOLS} aa-decode
+TOOLS = ${PERLTOOLS} ${PYTOOLS} aa-decode aa-remove-unknown
 PYSETUP = python-tools-setup.py
 PYMODULES = $(wildcard apparmor/*.py apparmor/rule/*.py)
 

utils/aa-audit.pod

@@ -6,7 +6,7 @@ aa-audit - set an AppArmor security profile to I<audit> mode.
 
 =head1 SYNOPSIS
 
-B<aa-audit I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<-r>]>
+B<aa-audit I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<--no-reload>] [I<-r>]>
 
 =head1 OPTIONS
 
@@ -15,9 +15,12 @@ B<-d --dir  /path/to/profiles>
    Specifies where to look for the AppArmor security profile set.
    Defaults to /etc/apparmor.d.
 
+B<--no-reload>
+   Do not reload the profile after modifying it.
+
 B<-r --remove>
 
-   Removes the audit mode for the profile.  
+   Removes the audit mode for the profile.
 
 =head1 DESCRIPTION
 

utils/aa-cleanprof.pod

@@ -6,7 +6,7 @@ aa-cleanprof - clean an existing AppArmor security profile.
 
 =head1 SYNOPSIS
 
-B<aa-cleanprof I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<-s>]>
+B<aa-cleanprof I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<--no-reload]> [I<-s>]>
 
 =head1 OPTIONS
 
@@ -15,6 +15,9 @@ B<-d --dir  /path/to/profiles>
    Specifies where to look for the AppArmor security profile set.
    Defaults to /etc/apparmor.d.
 
+B<--no-reload>
+   Do not reload the profile after modifying it.
+
 B<-s --silent>
 
    Silently overwrites the profile without user prompt.
@@ -22,7 +25,7 @@ B<-s --silent>
 =head1 DESCRIPTION
 
 B<aa-cleanprof> is used to perform a cleanup on one or more profiles.
-The tool removes any existing superfluous rules (rules that are covered 
+The tool removes any existing superfluous rules (rules that are covered
 under an include or another rule), reorders the rules to group similar rules
 together and removes all comments from the file.
 

utils/aa-complain.pod

@@ -26,7 +26,7 @@ aa-complain - set an AppArmor security profile to I<complain> mode.
 
 =head1 SYNOPSIS
 
-B<< aa-complain I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] >>
+B<aa-complain I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<--no-reload>]>
 
 =head1 OPTIONS
 
@@ -35,6 +35,9 @@ B<-d --dir  /path/to/profiles>
    Specifies where to look for the AppArmor security profile set.
    Defaults to /etc/apparmor.d.
 
+B<--no-reload>
+   Do not reload the profile after modifying it.
+
 =head1 DESCRIPTION
 
 B<aa-complain> is used to set the enforcement mode for one or more profiles to I<complain> mode.

utils/aa-disable.pod

@@ -26,7 +26,7 @@ aa-disable - disable an AppArmor security profile
 
 =head1 SYNOPSIS
 
-B<aa-disable I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<-r>]>
+B<aa-disable I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<--no-reload>] [I<-r>]>
 
 =head1 OPTIONS
 
@@ -35,11 +35,14 @@ B<-d --dir  /path/to/profiles>
    Specifies where to look for the AppArmor security profile set.
    Defaults to /etc/apparmor.d.
 
+B<--no-reload>
+   Do not unreload the profile after modifying it.
+
 =head1 DESCRIPTION
 
-B<aa-disable> is used to I<disable> one or more profiles. 
+B<aa-disable> is used to I<disable> one or more profiles.
 This command will unload the profile from the kernel and prevent the
-profile from being loaded on AppArmor startup. 
+profile from being loaded on AppArmor startup.
 The I<aa-enforce> and I<aa-complain> utilities may be used to to change
 this behavior.
 

utils/aa-enforce.pod

@@ -27,7 +27,7 @@ being disabled or I<complain> mode.
 
 =head1 SYNOPSIS
 
-B<< aa-enforce I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] >>
+B<aa-enforce I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<--no-reload>]>
 
 =head1 OPTIONS
 
@@ -36,12 +36,15 @@ B<-d --dir / path/to/profiles>
    Specifies where to look for the AppArmor security profile set.
    Defaults to /etc/apparmor.d.
 
+B<--no-reload>
+   Do not reload the profile after modifying it.
+
 =head1 DESCRIPTION
 
 B<aa-enforce> is used to set one or more profiles to I<enforce> mode.
 This command is only relevant in conjunction with the I<aa-complain> utility
 which sets a profile to complain mode and the I<aa-disable> utility which
-unloads and disables a profile. 
+unloads and disables a profile.
 The default mode for a security policy is enforce and the I<aa-complain>
 utility must be run to change this behavior.
 

utils/aa-remove-unknown

@@ -0,0 +1,108 @@
+#!/bin/sh
+# ----------------------------------------------------------------------
+#    Copyright (c) 2017 Canonical Ltd. (All rights reserved)
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program. If not, see <http://www.gnu.org/licenses/>.
+# ----------------------------------------------------------------------
+
+APPARMOR_FUNCTIONS=/lib/apparmor/rc.apparmor.functions
+APPARMORFS=/sys/kernel/security/apparmor
+PROFILES="${APPARMORFS}/profiles"
+REMOVE="${APPARMORFS}/.remove"
+
+DRY_RUN=0
+
+. $APPARMOR_FUNCTIONS
+
+usage() {
+	local progname="$1"
+	local rc="$2"
+	local msg="usage: ${progname} [options]\n
+Remove profiles unknown to the system
+
+Options:
+ -h, --help	Show this help message and exit
+ -n		Dry run; don't remove profiles"
+
+	if [ "$rc" -ne 0 ] ; then
+		echo "$msg" 1>&2
+	else
+		echo "$msg"
+	fi
+
+	exit "$rc"
+}
+
+if [ "$#" -gt 1 ] ; then
+	usage "$0" 1
+elif [ "$#" -eq 1 ] ; then
+	if [ "$1" = "-h" -o "$1" = "--help" ] ; then
+		usage "$0" 0
+	elif [ "$1" = "-n" ] ; then
+		DRY_RUN=1
+	else
+		usage "$0" 1
+	fi
+fi
+
+
+# We can't use a -r test here because while $PROFILES is world-readable,
+# apparmorfs may still return EACCES from open()
+#
+# We have to do this check because error checking awk's getline() below is
+# tricky and, as is, results in an infinite loop when apparmorfs returns an
+# error from open().
+if ! IFS= read line < "$PROFILES" ; then
+	echo "ERROR: Unable to read apparmorfs profiles file" 1>&2
+	exit 1
+elif [ ! -w "$REMOVE" ] ; then
+	echo "ERROR: Unable to write to apparmorfs remove file" 1>&2
+	exit 1
+fi
+
+# Clean out running profiles not associated with the current profile
+# set, excluding the libvirt dynamically generated profiles.
+# Note that we reverse sort the list of profiles to remove to
+# ensure that child profiles (e.g. hats) are removed before the
+# parent. We *do* need to remove the child profile and not rely
+# on removing the parent profile when the profile has had its
+# child profile names changed.
+profiles_names_list | awk '
+BEGIN {
+  while (getline < "'${PROFILES}'" ) {
+    str = sub(/ \((enforce|complain)\)$/, "", $0);
+    if (match($0, /^libvirt-[0-9a-f\-]+$/) == 0)
+      arr[$str] = $str
+  }
+}
+
+{ if (length(arr[$0]) > 0) { delete arr[$0] } }
+
+END {
+  for (key in arr)
+    if (length(arr[key]) > 0) {
+      printf("%s\n", arr[key])
+    }
+}
+' | LC_COLLATE=C sort -r | \
+	while IFS= read profile ; do
+		if [ "$DRY_RUN" -ne 0 ]; then
+			echo "Would remove '${profile}'"
+		else
+			echo "Removing '${profile}'"
+			echo -n "$profile" > "${REMOVE}"
+		fi
+	done
+
+# will not catch all errors, but still better than nothing
+exit $?

utils/aa-remove-unknown.pod

@@ -0,0 +1,51 @@
+=pod
+
+=head1 NAME
+
+aa-remove-unknown - remove unknown AppArmor profiles
+
+=head1 SYNOPSIS
+
+B<aa-remove-unknown> [option]
+
+=head1 DESCRIPTION
+
+B<aa-remove-unknown> will inventory all profiles in /etc/apparmor.d/, compare
+that list to the profiles currently loaded into the kernel, and then remove all
+of the loaded profiles that were not found in /etc/apparmor.d/. It will also
+report the name of each profile that it removes on standard out.
+
+=head1 OPTIONS
+
+=over 4
+
+=item -h, --help
+
+displays a short usage statement.
+
+=item -n
+
+dry run; only prints the names of profiles that would be removed
+
+=back
+
+=head1 EXAMPLES
+
+  $ sudo ./aa-remove-unknown -n
+  Would remove 'test//null-/usr/bin/whoami'
+  Would remove 'test'
+
+  $ sudo ./aa-remove-unknown
+  Removing 'test//null-/usr/bin/whoami'
+  Removing 'test'
+
+=head1 BUGS
+
+None. Please report any you find to Launchpad at
+L<https://bugs.launchpad.net/apparmor/+filebug>.
+
+=head1 SEE ALSO
+
+apparmor(7)
+
+=cut

utils/aa-status.pod

@@ -92,23 +92,23 @@ following values:
 
 =over 4
 
-=item 0
+=item B<0>
 
 if apparmor is enabled and policy is loaded.
 
-=item 1
+=item B<1>
 
 if apparmor is not enabled/loaded.
 
-=item 2
+=item B<2>
 
 if apparmor is enabled but no policy is loaded.
 
-=item 3
+=item B<3>
 
 if the apparmor control files aren't available under /sys/kernel/security/.
 
-=item 4
+=item B<4>
 
 if the user running the script doesn't have enough privileges to read
 the apparmor control files.

utils/aa-unconfined

@@ -46,10 +46,10 @@ else:
     regex_tcp_udp = re.compile(r"^(tcp|udp|raw)6?\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\d+|\s+)\s+(\d+)\/(\S+)")
     import subprocess
     if sys.version_info < (3, 0):
-        output = subprocess.check_output("LANG=C netstat -nlp46", shell=True).split("\n")
+        output = subprocess.check_output("LANG=C netstat -nlp --protocol inet,inet6", shell=True).split("\n")
     else:
         #Python3 needs to translate a stream of bytes to string with specified encoding
-        output = str(subprocess.check_output("LANG=C netstat -nlp46", shell=True), encoding='utf8').split("\n")
+        output = str(subprocess.check_output("LANG=C netstat -nlp --protocol inet,inet6", shell=True), encoding='utf8').split("\n")
 
     for line in output:
         match = regex_tcp_udp.search(line)

utils/apparmor/logparser.py

@@ -231,6 +231,8 @@ class ReadLog:
         if e['operation'] == 'change_hat':
             if aamode != 'HINT' and aamode != 'PERMITTING':
                 return None
+            if e['error_code'] == 1 and e['info'] == 'unconfined can not change_hat':
+                return None
             profile = e['name2']
             #hat = None
             if '//' in e['name2']:

utils/apparmor/rule/network.py

@@ -27,7 +27,7 @@ _ = init_translation()
 network_domain_keywords   = [ 'unspec', 'unix', 'inet', 'ax25', 'ipx', 'appletalk', 'netrom', 'bridge', 'atmpvc', 'x25', 'inet6',
                               'rose', 'netbeui', 'security', 'key', 'netlink', 'packet', 'ash', 'econet', 'atmsvc', 'rds', 'sna',
                               'irda', 'pppox', 'wanpipe', 'llc', 'can', 'tipc', 'bluetooth', 'iucv', 'rxrpc', 'isdn', 'phonet',
-                              'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib', 'kcm' ]
+                              'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib', 'kcm', 'smc' ]
 
 network_type_keywords     = ['stream', 'dgram', 'seqpacket', 'rdm', 'raw', 'packet']
 network_protocol_keywords = ['tcp', 'udp', 'icmp']

utils/apparmor/ui.py

@@ -64,8 +64,8 @@ def get_translated_hotkey(translated, cmsg=''):
     msg = 'PromptUser: ' + _('Invalid hotkey for')
 
     # Originally (\S) was used but with translations it would not work :(
-    if re.search('\((\S+)\)', translated, re.LOCALE):
-        return re.search('\((\S+)\)', translated, re.LOCALE).groups()[0]
+    if re.search('\((\S+)\)', translated):
+        return re.search('\((\S+)\)', translated).groups()[0]
     else:
         if cmsg:
             raise AppArmorException(cmsg)