Prepare for AppArmor 2.13.7 release

- update version file

Signed-off-by: John Johansen <john.johansen@canonical.com>

.gitignore

@@ -8,6 +8,7 @@ binutils/po/*.mo
 parser/po/*.mo
 parser/af_names.h
 parser/cap_names.h
+parser/generated_cap_names.h
 parser/tst_lib
 parser/tst_misc
 parser/tst_regex
@@ -163,8 +164,14 @@ libraries/libapparmor/swig/python/test/test-suite.log
 libraries/libapparmor/swig/python/test/test_python.py
 libraries/libapparmor/swig/python/test/test_python.py.log
 libraries/libapparmor/swig/python/test/test_python.py.trs
+libraries/libapparmor/swig/ruby/LibAppArmor.so
+libraries/libapparmor/swig/ruby/LibAppArmor_wrap.c
+libraries/libapparmor/swig/ruby/LibAppArmor_wrap.o
 libraries/libapparmor/swig/ruby/Makefile
 libraries/libapparmor/swig/ruby/Makefile.in
+libraries/libapparmor/swig/ruby/Makefile.new
+libraries/libapparmor/swig/ruby/Makefile.ruby
+libraries/libapparmor/swig/ruby/mkmf.log
 libraries/libapparmor/testsuite/.deps
 libraries/libapparmor/testsuite/.libs
 libraries/libapparmor/testsuite/Makefile

.gitlab-ci.yml

@@ -0,0 +1,54 @@
+---
+image: ubuntu:latest
+before_script:
+  - export DEBIAN_FRONTEND=noninteractive && apt-get update -qq && apt-get install --no-install-recommends -y build-essential apache2-dev autoconf automake bison dejagnu flex libpam-dev libtool perl liblocale-gettext-perl pkg-config python-all-dev python3-all-dev pyflakes3 ruby-dev swig lsb-release python3-notify2 python3-psutil python3-setuptools zlib1g-dev
+  - lsb_release -a
+  - uname -a
+
+# XXX - add a deploy stage to publish man pages, docs, and coverage
+# reports
+
+stages:
+  - build
+  - test
+
+build-all:
+  stage: build
+  artifacts:
+    name: ${CI_COMMIT_REF_NAME}-${CI_COMMIT_SHA}
+    expire_in: 30 days
+    untracked: true
+    paths:
+        - libraries/libapparmor/
+        - parser/
+        - binutils/
+        - utils/
+        - changehat/mod_apparmor/
+        - changehat/pam_apparmor/
+        - profiles/
+  script:
+      - cd libraries/libapparmor && ./autogen.sh && PYTHON=/usr/bin/python3 ./configure --with-perl --with-python --prefix=/usr && make PYTHON=/usr/bin/python3 && cd ../.. || { cat config.log ; exit 1 ; }
+      - make -C parser
+      - make -C binutils
+      - make -C utils
+      - make -C changehat/mod_apparmor
+      - make -C changehat/pam_apparmor
+      - make -C profiles
+
+test-all:
+  stage: test
+  script:
+      - make -C libraries/libapparmor check PYTHON=/usr/bin/python3
+      - make -C parser check
+      - make -C binutils check
+      - make -C utils check PYFLAKES=/usr/bin/pyflakes3 PYTHON_VERSIONS=/usr/bin/python3
+      - make -C changehat/mod_apparmor check
+      - make -C profiles check-parser
+
+# Disabled due to aa-logprof dependency on /sbin/apparmor_parser existing
+#      - make -C profiles check-profiles
+
+# test-pam_apparmor:
+#  - stage: test
+#  - script:
+#    - cd changehat/pam_apparmor && make check

Makefile

@@ -19,7 +19,7 @@ DIRS=libraries/libapparmor \
 
 # with conversion to git, we don't export from the remote
 REPO_URL?=git@gitlab.com:apparmor/apparmor.git
-REPO_BRANCH?=apparmor-2.12
+REPO_BRANCH?=apparmor-2.13
 
 COVERITY_DIR=cov-int
 RELEASE_DIR=apparmor-${VERSION}

README.md

@@ -45,6 +45,24 @@ Security issues can be filed as security bugs on launchpad
 or directed to `security@apparmor.net`. Additional details can be found
 in the [wiki](https://gitlab.com/apparmor/apparmor/wikis/home#reporting-security-vulnerabilities).
 
+
+--------------
+Privacy Policy
+--------------
+
+The AppArmor security project respects users privacy and data and does not collect data from or on its users beyond what is required for a given component to function.
+
+The AppArmor kernel security module will log violations to the audit subsystem, and those will be logged/forwarded/recorded on the user's system(s) according to how the administrator has logging configured. Again this is not forwarded to or collected by the AppArmor project.
+
+The AppArmor userspace tools do not collect information on the system user beyond the logs and information needed to interact with the user. This is not forwarded to, nor collected by the AppArmor project.
+
+Users may submit information as part of an email, bug report or merge request, etc. and that will be recorded as part of the mailing list, bug/issue tracker, or code repository but only as part of a user initiated action.
+
+The AppArmor project does not collect information from contributors beyond their interactions with the AppArmor project, code, and community. However contributors are subject to the terms and conditions and privacy policy of the individual platforms (currently GitLab and LaunchPad) should they choose to contribute through those platforms. And those platforms may collect data on the user that the AppArmor project does not.
+
+Currently both GitLab an LaunchPad require a user account to submit patches or report bugs and issues. If a contributor does not wish to create an account for these platforms the mailing list is available. Membership in the list is not required. Content from non-list members will be sent to moderation, to ensure that it is on topic, so there may be a delay in choosing to interact in this way.
+
+
 -------------
 Source Layout
 -------------
@@ -133,7 +151,7 @@ Utilities:
 ```
 $ cd utils
 $ make
-$ make check
+$ make check PYFLAKES=/usr/bin/pyflakes3
 $ make install
 ```
 

binutils/Makefile

@@ -54,6 +54,10 @@ TOOLS = aa-enabled aa-exec
 
 AALIB = -Wl,-Bstatic -lapparmor  -Wl,-Bdynamic -lpthread
 
+ifdef WITH_LIBINTL
+	AALIB += -lintl
+endif
+
 ifdef USE_SYSTEM
   # Using the system libapparmor so Makefile dependencies can't be used
   LIBAPPARMOR_A =

binutils/po/aa_enabled.pot

@@ -0,0 +1,67 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR Canonical Ltd
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
+"POT-Creation-Date: 2020-10-14 03:36-0700\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: ../aa_enabled.c:21
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+
+#: ../aa_enabled.c:38
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr ""
+
+#: ../aa_enabled.c:42
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr ""
+
+#: ../aa_enabled.c:46
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr ""
+
+#: ../aa_enabled.c:51
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr ""
+
+#: ../aa_enabled.c:56
+#, c-format
+msgid "Error - %s\n"
+msgstr ""
+
+#: ../aa_enabled.c:70
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr ""
+
+#: ../aa_enabled.c:80
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr ""
+
+#: ../aa_enabled.c:90
+#, c-format
+msgid "Yes\n"
+msgstr ""

binutils/po/aa_exec.pot

@@ -0,0 +1,52 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR Canonical Ltd
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
+"POT-Creation-Date: 2020-10-14 03:37-0700\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: ../aa_exec.c:48
+#, c-format
+msgid ""
+"USAGE: %s [OPTIONS] <prog> <args>\n"
+"\n"
+"Confine <prog> with the specified PROFILE.\n"
+"\n"
+"OPTIONS:\n"
+"  -p PROFILE, --profile=PROFILE\t\tPROFILE to confine <prog> with\n"
+"  -n NAMESPACE, --namespace=NAMESPACE\tNAMESPACE to confine <prog> in\n"
+"  -d, --debug\t\t\t\tshow messages with debugging information\n"
+"  -i, --immediate\t\t\tchange profile immediately instead of at exec\n"
+"  -v, --verbose\t\t\t\tshow messages with stats\n"
+"  -h, --help\t\t\t\tdisplay this help\n"
+"\n"
+msgstr ""
+
+#: ../aa_exec.c:63
+msgid "aa-exec: ERROR: "
+msgstr ""
+
+#: ../aa_exec.c:74
+msgid "aa-exec: DEBUG: "
+msgstr ""
+
+#: ../aa_exec.c:87
+msgid "\n"
+msgstr ""
+
+#: ../aa_exec.c:105
+#, c-format
+msgid "exec"
+msgstr ""

binutils/po/de.po

@@ -8,14 +8,14 @@ msgstr ""
 "Project-Id-Version: apparmor\n"
 "Report-Msgid-Bugs-To: AppArmor list <apparmor@lists.ubuntu.com>\n"
 "POT-Creation-Date: 2015-11-28 10:23-0800\n"
-"PO-Revision-Date: 2017-12-21 12:20+0000\n"
-"Last-Translator: Christian Boltz <Unknown>\n"
+"PO-Revision-Date: 2018-02-09 23:55+0000\n"
+"Last-Translator: Tobias Bannert <tobannert@gmail.com>\n"
 "Language-Team: German <de@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2017-12-22 05:12+0000\n"
-"X-Generator: Launchpad (build 18521)\n"
+"X-Launchpad-Export-Date: 2019-04-18 05:33+0000\n"
+"X-Generator: Launchpad (build 18928)\n"
 "Language: de\n"
 
 #: ../aa_enabled.c:26
@@ -59,15 +59,15 @@ msgstr "Nein – beim Start deaktiviert.\n"
 #: ../aa_enabled.c:77
 #, c-format
 msgid "Maybe - policy interface not available.\n"
-msgstr ""
+msgstr "Vielleicht – Richtlinienschnittstelle nicht verfügbar.\n"
 
 #: ../aa_enabled.c:81
 #, c-format
 msgid "Maybe - insufficient permissions to determine availability.\n"
 msgstr ""
-"Vielleicht - ungenügende Berechtigungen, um die Verfügbarkeit zu prüfen\n"
+"Vielleicht – ungenügende Berechtigungen, um die Verfügbarkeit zu prüfen\n"
 
 #: ../aa_enabled.c:84
 #, c-format
 msgid "Error - '%s'\n"
-msgstr "Fehler - »%s«\n"
+msgstr "Fehler – »%s«\n"

binutils/po/en_GB.po

@@ -14,8 +14,8 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2016-06-01 05:15+0000\n"
-"X-Generator: Launchpad (build 18053)\n"
+"X-Launchpad-Export-Date: 2019-04-18 05:33+0000\n"
+"X-Generator: Launchpad (build 18928)\n"
 "Language: en_GB\n"
 
 #: ../aa_enabled.c:26

binutils/po/es.po

@@ -0,0 +1,71 @@
+# Spanish translation for apparmor
+# Copyright (c) 2019 Rosetta Contributors and Canonical Ltd 2019
+# This file is distributed under the same license as the apparmor package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2019.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: apparmor\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: 2019-06-09 14:01+0000\n"
+"Last-Translator: Adolfo Jayme <fitoschido@gmail.com>\n"
+"Language-Team: Spanish <es@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2019-06-10 04:32+0000\n"
+"X-Generator: Launchpad (build 18978)\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+"%s: [opciones]\n"
+"  opciones:\n"
+"  -q | --quiet        No emitir ningún mensaje\n"
+"  -h | --help         Mostrar la ayuda\n"
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr "opciones desconocidas o incompatibles\n"
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr "se desconoce la opción «%s»\n"
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr "Sí\n"
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr "No; no disponible en este sistema.\n"
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr "No; desactivado durante el arranque.\n"
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr "Quizá; interfaz de directiva no disponible.\n"
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr "Quizá; permisos insuficientes para determinar disponibilidad.\n"
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr "Error: «%s»\n"

binutils/po/id.po

@@ -14,8 +14,8 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2016-06-01 05:15+0000\n"
-"X-Generator: Launchpad (build 18053)\n"
+"X-Launchpad-Export-Date: 2019-04-18 05:33+0000\n"
+"X-Generator: Launchpad (build 18928)\n"
 "Language: id\n"
 
 #: ../aa_enabled.c:26

binutils/po/pt.po

@@ -9,13 +9,13 @@ msgstr ""
 "Report-Msgid-Bugs-To: AppArmor list <apparmor@lists.ubuntu.com>\n"
 "POT-Creation-Date: 2015-11-28 10:23-0800\n"
 "PO-Revision-Date: 2016-03-03 08:34+0000\n"
-"Last-Translator: Ivo Xavier <ivoxavier.8@gmail.com>\n"
+"Last-Translator: Ivo Xavier <ivofernandes12@gmail.com>\n"
 "Language-Team: Portuguese <pt@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2016-06-01 05:15+0000\n"
-"X-Generator: Launchpad (build 18053)\n"
+"X-Launchpad-Export-Date: 2019-04-18 05:33+0000\n"
+"X-Generator: Launchpad (build 18928)\n"
 "Language: pt\n"
 
 #: ../aa_enabled.c:26

binutils/po/ru.po

@@ -9,13 +9,13 @@ msgstr ""
 "Report-Msgid-Bugs-To: AppArmor list <apparmor@lists.ubuntu.com>\n"
 "POT-Creation-Date: 2015-11-28 10:23-0800\n"
 "PO-Revision-Date: 2016-03-29 14:46+0000\n"
-"Last-Translator: Eugene Marshal <Unknown>\n"
+"Last-Translator: Eugene Roskin <Unknown>\n"
 "Language-Team: Russian <ru@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2016-06-01 05:15+0000\n"
-"X-Generator: Launchpad (build 18053)\n"
+"X-Launchpad-Export-Date: 2019-04-18 05:33+0000\n"
+"X-Generator: Launchpad (build 18928)\n"
 "Language: ru\n"
 
 #: ../aa_enabled.c:26

binutils/po/sv.po

@@ -0,0 +1,72 @@
+# Swedish translation for apparmor
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
+# This file is distributed under the same license as the apparmor package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: apparmor\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: 2018-09-08 03:51+0000\n"
+"Last-Translator: Jonatan Nyberg <Unknown>\n"
+"Language-Team: Swedish <sv@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2019-04-18 05:33+0000\n"
+"X-Generator: Launchpad (build 18928)\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+"%s: [options]\n"
+"  flaggor:\n"
+"  -q | --quiet        Skriv inte ut några meddelanden\n"
+"  -h | --help         Skriv ut hjälp\n"
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr "okända eller inkompatibla flaggor\n"
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr "okänd flagga '%s'\n"
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr "Ja\n"
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr "Nej - inte tillgänglig på detta system.\n"
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr "Nej - inaktiverad vid uppstart.\n"
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr "Kanske - policy gränssnitt inte tillgängliga.\n"
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr ""
+"Kanske - otillräckliga behörigheter för att bestämma tillgängligheten.\n"
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr "Fel - '%s'\n"

binutils/po/tr.po

@@ -0,0 +1,72 @@
+# Turkish translation for apparmor
+# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
+# This file is distributed under the same license as the apparmor package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: apparmor\n"
+"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
+"POT-Creation-Date: 2015-11-28 10:23-0800\n"
+"PO-Revision-Date: 2018-05-19 23:10+0000\n"
+"Last-Translator: Kudret EMRE <kudretemre@hotmail.com>\n"
+"Language-Team: Turkish <tr@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Launchpad-Export-Date: 2019-04-18 05:33+0000\n"
+"X-Generator: Launchpad (build 18928)\n"
+
+#: ../aa_enabled.c:26
+#, c-format
+msgid ""
+"%s: [options]\n"
+"  options:\n"
+"  -q | --quiet        Don't print out any messages\n"
+"  -h | --help         Print help\n"
+msgstr ""
+"%s: [seçenekler]\n"
+"  seçenekler:\n"
+"  -q | --quiet        Hiçbir mesajı gösterme\n"
+"  -h | --help         Yardımı görüntüler\n"
+
+#: ../aa_enabled.c:45
+#, c-format
+msgid "unknown or incompatible options\n"
+msgstr "bilinmeyen veya uyumsuz seçenekler\n"
+
+#: ../aa_enabled.c:55
+#, c-format
+msgid "unknown option '%s'\n"
+msgstr "bilinmeyen seçenek '%s'\n"
+
+#: ../aa_enabled.c:64
+#, c-format
+msgid "Yes\n"
+msgstr "Evet\n"
+
+#: ../aa_enabled.c:71
+#, c-format
+msgid "No - not available on this system.\n"
+msgstr "Hayır - Bu sistemde kullanılabilir değil.\n"
+
+#: ../aa_enabled.c:74
+#, c-format
+msgid "No - disabled at boot.\n"
+msgstr "Hayır - önyüklemede devredışı bırakıldı.\n"
+
+#: ../aa_enabled.c:77
+#, c-format
+msgid "Maybe - policy interface not available.\n"
+msgstr "Belki - policy arayüzü kullanılabilir değil.\n"
+
+#: ../aa_enabled.c:81
+#, c-format
+msgid "Maybe - insufficient permissions to determine availability.\n"
+msgstr ""
+"Belki - kullanılabilir olup olmadığını denetlemek için yetersiz yetki.\n"
+
+#: ../aa_enabled.c:84
+#, c-format
+msgid "Error - '%s'\n"
+msgstr "Hata - '%s'\n"

changehat/pam_apparmor/Makefile

@@ -82,7 +82,7 @@ SECDIR ?= ${DESTDIR}/lib/security
 .PHONY: install
 install: $(NAME).so
 	install -m 755 -d $(SECDIR)
-	install -m 555 $(NAME).so $(SECDIR)/
+	install -m 755 $(NAME).so $(SECDIR)/
 	
 .PHONY: clean
 clean:

common/Make.rules

@@ -74,40 +74,6 @@ endif
 pod_clean:
 	-rm -f ${MANPAGES} *.[0-9].gz ${HTMLMANPAGES} pod2htm*.tmp
 
-# =====================
-# generate list of capabilities based on
-# /usr/include/linux/capabilities.h for use in multiple locations in
-# the source tree
-# =====================
-
-# emits defined capabilities in a simple list, e.g. "CAP_NAME CAP_NAME2"
-CAPABILITIES=$(shell echo "\#include <linux/capability.h>" | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | LC_ALL=C sort)
-
-.PHONY: list_capabilities
-list_capabilities: /usr/include/linux/capability.h
-	@echo "$(CAPABILITIES)"
-
-# =====================
-# generate list of network protocols based on
-# sys/socket.h for use in multiple locations in
-# the source tree
-# =====================
-
-# These are the families that it doesn't make sense for apparmor
-# to mediate. We use PF_ here since that is what is required in
-# bits/socket.h, but we will rewrite these as AF_.
-
-FILTER_FAMILIES=PF_UNIX
-
-__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
-
-# emits the AF names in a "AF_NAME NUMBER," pattern
-AF_NAMES=$(shell echo "\#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e 's/PF_LOCAL/PF_UNIX/' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2)
-
-.PHONY: list_af_names
-list_af_names:
-	@echo "$(AF_NAMES)"
-
 # =====================
 # manpages
 # =====================

common/Version

@@ -1 +1 @@
-2.12.2
+2.13.7

common/list_af_names.sh

@@ -0,0 +1,19 @@
+#!/bin/bash -e
+
+# =====================
+# generate list of network protocols based on
+# sys/socket.h for use in multiple locations in
+# the source tree
+# =====================
+
+# It doesn't make sence for AppArmor to mediate PF_UNIX, filter it out. Search
+# for "PF_" constants since that is what is required in bits/socket.h, but
+# rewrite as "AF_".
+
+echo "#include <sys/socket.h>" | \
+  cpp -dM | \
+  LC_ALL=C sed -n \
+    -e '/PF_UNIX/d' \
+    -e 's/PF_LOCAL/PF_UNIX/' \
+    -e 's/^#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$/AF_\1 \2,/p' | \
+  sort -n -k2

common/list_capabilities.sh

@@ -0,0 +1,14 @@
+#!/bin/bash -e
+
+# =====================
+# generate list of capabilities based on
+# /usr/include/linux/capabilities.h for use in multiple locations in
+# the source tree
+# =====================
+
+echo "#include <linux/capability.h>" | \
+  cpp -dM | \
+  LC_ALL=C sed -n \
+    -e '/CAP_EMPTY_SET/d' \
+    -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$/CAP_\1/p' | \
+  LC_ALL=C sort

kernel-patches/v4.14/0002-apparmor-af_unix-mediation.patch

@@ -1,12 +1,13 @@
-From a3b0cb6676a04cdad5cc357bc422d0398083b435 Mon Sep 17 00:00:00 2001
+From 2e7f6d0dc0f1d3642950f529b451af73fa1baf9c Mon Sep 17 00:00:00 2001
 From: John Johansen <john.johansen@canonical.com>
 Date: Tue, 18 Jul 2017 23:27:23 -0700
-Subject: [PATCH 17/17] UBUNTU: SAUCE: apparmor: af_unix mediation
+Subject: [PATCH 2/2] apparmor: af_unix mediation
 
 af_socket mediation did not make it into 4.14 so add remaining out
 of tree patch
 
 Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
 ---
  security/apparmor/Makefile          |   3 +-
  security/apparmor/af_unix.c         | 651 ++++++++++++++++++++++++++++++++++++
@@ -23,10 +24,10 @@ Signed-off-by: John Johansen <john.johansen@canonical.com>
  create mode 100644 security/apparmor/include/af_unix.h
 
 diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
-index dafdd387d42b..ef39226ff4aa 100644
+index e7ff2183532a..90c118f39e13 100644
 --- a/security/apparmor/Makefile
 +++ b/security/apparmor/Makefile
-@@ -4,7 +4,8 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+@@ -5,7 +5,8 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
  
  apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
                path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
@@ -694,7 +695,7 @@ index 000000000000..c6876db2dbde
 +	return error;
 +}
 diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
-index 125dad5c3fde..20cdb1c4b266 100644
+index 518d5928661b..63a8a462fc96 100644
 --- a/security/apparmor/apparmorfs.c
 +++ b/security/apparmor/apparmorfs.c
 @@ -2187,6 +2187,11 @@ static struct aa_sfs_entry aa_sfs_entry_ns[] = {
@@ -920,7 +921,7 @@ index 4364088a0b9e..26660a1a50b0 100644
  	if (!state)
  		return 0;
 diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
-index cc5ab23a2d84..0ede66d80a53 100644
+index 72b915dfcaf7..5533d2f1d9de 100644
 --- a/security/apparmor/lsm.c
 +++ b/security/apparmor/lsm.c
 @@ -26,6 +26,7 @@
@@ -1390,5 +1391,5 @@ index 33d54435f8d6..dd1953b08e58 100644
 +			 aa_label_sk_perm(label, op, request, sock->sk));
  }
 -- 
-2.11.0
+2.14.1
 

kernel-patches/v4.14/README

@@ -1,4 +1,4 @@
-This series is based on what is currently in linux-next scheduled for
-inclusion in 4.14
+This is based on v4.14 final
 
-af_unix-mediation is the last remaining patch that is out of tree
+base socket mediation and af_unix-mediation are the last two remaining
+patches that are out of tree

libraries/libapparmor/configure.ac

@@ -58,7 +58,7 @@ if test "$with_perl" = "yes"; then
    AC_PATH_PROG(PERL, perl)
    test -z "$PERL" && AC_MSG_ERROR([perl is required when enabling perl bindings])
    perl_includedir="`$PERL -e 'use Config; print $Config{archlib}'`/CORE"
-   AC_CHECK_FILE($perl_includedir/perl.h, enable_perl=yes, enable_perl=no)
+   AS_IF([test -e "$perl_includedir/perl.h"], enable_perl=yes, enable_perl=no)
 fi
 
 
@@ -81,7 +81,7 @@ AM_CONDITIONAL(HAVE_RUBY, test x$with_ruby = xyes)
 AC_HEADER_STDC
 AC_CHECK_HEADERS(unistd.h stdint.h syslog.h)
 
-AC_CHECK_FUNCS([asprintf __secure_getenv secure_getenv])
+AC_CHECK_FUNCS([asprintf __secure_getenv secure_getenv reallocarray])
 
 AM_PROG_CC_C_O
 AC_C_CONST

libraries/libapparmor/doc/aa_features.pod

@@ -40,6 +40,8 @@ aa_features_is_equal - equality test for two aa_features objects
 
 aa_features_supports - provides aa_features object support status
 
+aa_features_id - provides unique identifier for an aa_features object
+
 =head1 SYNOPSIS
 
 B<#include E<lt>sys/apparmor.hE<gt>>
@@ -62,6 +64,8 @@ B<bool aa_features_is_equal(aa_features *features1, aa_features *features2);>
 
 B<bool aa_features_supports(aa_features *features, const char *str);>
 
+B<char *aa_features_id(aa_features *features);>
+
 Link with B<-lapparmor> when compiling.
 
 =head1 DESCRIPTION
@@ -108,6 +112,12 @@ the path, relative to the "apparmor/features/" directory of securityfs, of the
 feature to query. For example, to test if policy version 6 is supported, I<str>
 would be "policy/versions/v6".
 
+The aa_features_id() function returns a string representation of an
+identifier that can be used to uniquely identify an I<aa_features> object.
+The mechanism for generating the string representation is internal to
+libapparmor and subject to change but an example implementation is
+applying a hash function to the features string.
+
 =head1 RETURN VALUE
 
 The aa_features_new() family of functions return 0 on success and I<*features>
@@ -126,15 +136,20 @@ and false if they are not equal.
 aa_features_supports() returns true if the feature represented by I<str> is
 supported and false if it is not supported.
 
+aa_features_id() returns a string identifying I<features> which must be
+freed by the caller. NULL is returned on error, with errno set
+appropriately.
+
 =head1 ERRORS
 
 The errno value will be set according to the underlying error in the
-I<aa_features> family of functions that return -1 on error.
+I<aa_features> family of functions that return -1 or NULL on error.
 
 =head1 NOTES
 
-All aa_features functions described above are present in libapparmor version
-2.10 and newer.
+The aa_features_id() function can be found in libapparmor version
+2.13. All the other aa_feature functions described above are present
+in libapparmor version 2.10.
 
 aa_features_unref() saves the value of errno when called and restores errno
 before exiting in libapparmor version 2.12 and newer.

libraries/libapparmor/doc/aa_policy_cache.pod

@@ -34,6 +34,10 @@ aa_policy_cache_remove - removes all policy cache files under a path
 
 aa_policy_cache_replace_all - performs a kernel policy replacement of all cached policies
 
+aa_policy_cache_dir_path - returns the path to the aa_policy_cache directory
+
+aa_policy_cache_dir_path_preview - returns a preview of the path to the aa_policy_cache directory without an existing aa_policy_cache object
+
 =head1 SYNOPSIS
 
 B<#include E<lt>sys/apparmor.hE<gt>>
@@ -42,6 +46,8 @@ B<typedef struct aa_policy_cache aa_policy_cache;>
 
 B<int aa_policy_cache_new(aa_policy_cache **policy_cache, aa_features *kernel_features, int dirfd, const char *path, uint16_t max_caches);>
 
+B<int aa_policy_cache_add_ro_dir(aa_policy_cache *policy_cache, int dirfd, const char *path);>
+
 B<aa_policy_cache *aa_policy_cache_ref(aa_policy_cache *policy_cache);>
 
 B<void aa_policy_cache_unref(aa_policy_cache *policy_cache);>
@@ -50,6 +56,10 @@ B<int aa_policy_cache_remove(int dirfd, const char *path);>
 
 B<int aa_policy_cache_replace_all(aa_policy_cache *policy_cache, aa_kernel_interface *kernel_interface);>
 
+B<char *aa_policy_cache_dir_path(aa_policy_cache *policy_cache, int level);>
+
+B<char *aa_policy_cache_dir_path_preview(aa_features *kernel_features, int dirfd, const char *path);>
+
 Link with B<-lapparmor> when compiling.
 
 =head1 DESCRIPTION
@@ -59,19 +69,35 @@ policy cache files. The policy cache files are the binary representation of a
 human-readable AppArmor profile. The binary representation is the form that is
 loaded into the kernel.
 
-The aa_policy_cache_new() function creates an I<aa_policy_cache> object based
-upon a directory file descriptor and path. The I<path> must point to a
-directory. See the openat(2) man page for examples of I<dirfd> and I<path>. If
-I<kernel_features> is NULL, then the features of the current kernel are used.
-When specifying a valid I<kernel_features> object, it must be the compatible
-with the features of the kernel of interest. The value of I<max_caches> should
-be equal to the number of caches that should be allowed before old caches are
-automatically reaped. The definition of what is considered to be an old cache
-is private to libapparmor. Specifying 0 means that no new caches should be
-created and only existing, valid caches may be used. Specifying UINT16_MAX
-means that a new cache may be created and that the reaping of old caches is
-disabled. The allocated I<aa_policy_cache> object must be freed using
-aa_policy_cache_unref().
+The aa_policy_cache_new() function creates an I<aa_policy_cache>
+object based upon a directory file descriptor and path. See the
+openat(2) man page for examples of I<dirfd> and I<path>. The I<path>
+must point to a directory and it will be used as the basis for the
+location of policy cache files. See I<aa_policy_cache_dir_path> to
+find out which directory will be used to store the binary policy cache
+files. If additional overlay cache directories are used (see
+I<aa_policy_cache_add_ro_dir>) the directory specified in
+I<aa_policy_cache_new> is the first directory searched and is the
+writable overlay. If I<kernel_features> is NULL, then the features of
+the current kernel are used. When specifying a valid
+I<kernel_features> object, it must be compatible with the features
+of the kernel of interest.  The value of I<max_caches> should be equal
+to the number of caches that should be allowed before old caches are
+automatically reaped. The definition of what is considered to be an
+old cache is private to libapparmor. Specifying 0 means that no new
+caches should be created and only existing, valid caches may be used.
+Specifying UINT16_MAX means that a new cache may be created and that
+the reaping of old caches is disabled. The allocated
+I<aa_policy_cache> object must be freed using aa_policy_cache_unref().
+
+The aa_policy_cache_add_ro_dir() function adds an existing cache directory
+to the policy cache, as a readonly layer under the primary directory
+the cache was created with. When the cache is searched for an existing
+cache file the primary directory will be searched and then the readonly
+directories in the order that they were added to the policy cache.
+This allows the policy cache to be seeded with precompiled policy
+that can be updated by overlaying the read only cache file with one
+written to the primary cache dir.
 
 aa_policy_cache_ref() increments the reference count on the I<policy_cache>
 object.
@@ -90,6 +116,18 @@ the I<policy_cache> object. If I<kernel_interface> is NULL, then the current
 kernel interface is used. When specifying a valid I<kernel_interface> object,
 it must be the interface of the currently running kernel.
 
+The aa_policy_cache_dir_path() function provides the path to the cache
+directory for a I<policy_cache> object at I<level> in the policy cache
+overlay of cache directories. A I<level> of 0 will always be present
+and is the first directory to search in an overlay of cache
+directories, and will also be the writable cache directory
+layer. Binary policy cache files will be located in the directory
+returned by this function.
+
+The aa_policy_cache_dir_levels() function provides access to the number
+of directories that are being overlayed to create the policy cache.
+
+
 =head1 RETURN VALUE
 
 The aa_policy_cache_new() function returns 0 on success and I<*policy_cache>
@@ -102,15 +140,29 @@ aa_policy_cache_ref() returns the value of I<policy_cache>.
 aa_policy_cache_remove() and aa_policy_cache_replace_all() return 0 on success.
 -1 is returned on error, with errno set appropriately.
 
+aa_policy_cache_dir_path() returns a path string which must be freed by the
+caller. NULL is returned on error, with errno set appropriately.
+
+aa_policy_cache_dir_levels() returns a number indicating the number of
+directory levels there are associated with the I<policy_cache>.
+
+aa_policy_cache_dir_path_preview() is the same as
+aa_policy_cache_dir_path() except that it doesn't require an existing
+I<aa_policy_cache> object. This is useful if the calling program cannot
+create an I<aa_policy_cache> object due to lack of privileges needed to
+create the cache directory.
+
 =head1 ERRORS
 
 The errno value will be set according to the underlying error in the
-I<aa_policy_cache> family of functions that return -1 on error.
+I<aa_policy_cache> family of functions that return -1 or NULL on error.
 
 =head1 NOTES
 
-All aa_policy_cache functions described above are present in libapparmor
-version 2.10 and newer.
+All aa_policy_cache functions described above, except for the
+aa_policy_cache_dir_path() function was added in libapparmor version
+2.13. All the other aa_policy_cache functions described above are
+present in libapparmor version 2.10.
 
 aa_policy_cache_unref() saves the value of errno when called and restores errno
 before exiting in libapparmor version 2.12 and newer.

libraries/libapparmor/include/sys/apparmor.h

@@ -20,6 +20,7 @@
 
 #include <stdbool.h>
 #include <stdint.h>
+#include <sys/socket.h>
 #include <sys/types.h>
 
 #ifdef __cplusplus
@@ -154,6 +155,7 @@ extern int aa_features_write_to_file(aa_features *features,
 extern bool aa_features_is_equal(aa_features *features1,
 				 aa_features *features2);
 extern bool aa_features_supports(aa_features *features, const char *str);
+extern char *aa_features_id(aa_features *features);
 
 typedef struct aa_kernel_interface aa_kernel_interface;
 extern int aa_kernel_interface_new(aa_kernel_interface **kernel_interface,
@@ -186,12 +188,22 @@ extern int aa_policy_cache_new(aa_policy_cache **policy_cache,
 			       aa_features *kernel_features,
 			       int dirfd, const char *path,
 			       uint16_t max_caches);
+extern int aa_policy_cache_add_ro_dir(aa_policy_cache *policy_cache, int dirfd,
+				      const char *path);
 extern aa_policy_cache *aa_policy_cache_ref(aa_policy_cache *policy_cache);
 extern void aa_policy_cache_unref(aa_policy_cache *policy_cache);
 
 extern int aa_policy_cache_remove(int dirfd, const char *path);
 extern int aa_policy_cache_replace_all(aa_policy_cache *policy_cache,
 				       aa_kernel_interface *kernel_interface);
+extern int aa_policy_cache_no_dirs(aa_policy_cache *policy_cache);
+extern char *aa_policy_cache_dir_path(aa_policy_cache *policy_cache, int n);
+extern int aa_policy_cache_dirfd(aa_policy_cache *policy_cache, int dir);
+extern int aa_policy_cache_open(aa_policy_cache *policy_cache, const char *name,
+				int flags);
+extern char *aa_policy_cache_filename(aa_policy_cache *policy_cache, const char *name);
+extern char *aa_policy_cache_dir_path_preview(aa_features *kernel_features,
+					      int dirfd, const char *path);
 
 #ifdef __cplusplus
 }

libraries/libapparmor/include/sys/apparmor_private.h

@@ -34,6 +34,8 @@ int _aa_asprintf(char **strp, const char *fmt, ...);
 
 int _aa_dirat_for_each(int dirfd, const char *name, void *data,
 		       int (* cb)(int, const char *, struct stat *, void *));
+int _aa_overlaydirat_for_each(int dirfd[], int n, void *data,
+			int (* cb)(int, const char *, struct stat *, void *));
 
 #ifdef __cplusplus
 }

libraries/libapparmor/m4/ac_python_devel.m4

@@ -64,7 +64,7 @@ variable to configure. See ``configure --help'' for reference.
         # Check if you have distutils, else fail
         #
         AC_MSG_CHECKING([for the distutils Python package])
-        ac_distutils_result=`$PYTHON -c "import distutils" 2>&1`
+        ac_distutils_result=`$PYTHON -c "import distutils" 2>&1 | grep -v DeprecationWarning`
         if test -z "$ac_distutils_result"; then
                 AC_MSG_RESULT([yes])
         else
@@ -75,12 +75,14 @@ $ac_distutils_result])
                 PYTHON_VERSION=""
         fi
 
+        AC_PATH_TOOL([PYTHON_CONFIG],[`basename $PYTHON`-config])
+
         #
         # Check for Python include path
         #
         AC_MSG_CHECKING([for Python include path])
-        if type $PYTHON-config; then
-                PYTHON_CPPFLAGS=`$PYTHON-config --includes`
+        if test -n "$PYTHON_CONFIG"; then
+                PYTHON_CPPFLAGS=`$PYTHON_CONFIG --includes`
         fi
         if test -z "$PYTHON_CPPFLAGS"; then
                 python_path=`$PYTHON -c "import sys; import distutils.sysconfig;\
@@ -97,8 +99,8 @@ sys.stdout.write('%s\n' % distutils.sysconfig.get_python_inc());"`
         # Check for Python library path
         #
         AC_MSG_CHECKING([for Python library path])
-        if type $PYTHON-config; then
-                PYTHON_LDFLAGS=`$PYTHON-config --ldflags`
+        if test -n "$PYTHON_CONFIG"; then
+                PYTHON_LDFLAGS=`$PYTHON_CONFIG --ldflags`
         fi
         if test -z "$PYTHON_LDFLAGS"; then
                 # (makes two attempts to ensure we've got a version number
@@ -139,7 +141,7 @@ sys.stdout.write('%s\n' % distutils.sysconfig.get_python_lib(0,0));"`
         if test -z "$PYTHON_EXTRA_LIBS"; then
            PYTHON_EXTRA_LIBS=`$PYTHON -c "import sys; import distutils.sysconfig; \
 conf = distutils.sysconfig.get_config_var; \
-sys.stdout.write('%s %s\n' % (conf('LOCALMODLIBS'), conf('LIBS')))"`
+sys.stdout.write('%s %s %s\n' % (conf('BLDLIBRARY'), conf('LOCALMODLIBS'), conf('LIBS')))"`
         fi
         AC_MSG_RESULT([$PYTHON_EXTRA_LIBS])
         AC_SUBST(PYTHON_EXTRA_LIBS)
@@ -164,7 +166,7 @@ sys.stdout.write('%s\n' % conf('LINKFORSHARED'))"`
         # save current global flags
         ac_save_LIBS="$LIBS"
         ac_save_CPPFLAGS="$CPPFLAGS"
-        LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
+        LIBS="$ac_save_LIBS $PYTHON_LDFLAGS $PYTHON_EXTRA_LIBS"
         CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
         AC_TRY_LINK([
                 #include <Python.h>

libraries/libapparmor/src/Makefile.am

@@ -26,29 +26,29 @@ INCLUDES = $(all_includes)
 # For more information, see:
 # http://www.gnu.org/software/libtool/manual/html_node/Libtool-versioning.html
 #
-AA_LIB_CURRENT = 5
-AA_LIB_REVISION = 2
-AA_LIB_AGE = 4
+AA_LIB_CURRENT = 7
+AA_LIB_REVISION = 3
+AA_LIB_AGE = 6
 
 SUFFIXES = .pc.in .pc
 
 BUILT_SOURCES = grammar.h scanner.h af_protos.h
 AM_LFLAGS = -v
 AM_YFLAGS = -d -p aalogparse_
-AM_CFLAGS = -Wall
+AM_CFLAGS = -Wall -flto-partition=none
 AM_CPPFLAGS = -D_GNU_SOURCE -I$(top_srcdir)/include/
 scanner.h: scanner.l
 	$(LEX) -v $<
 
 scanner.c: scanner.l
 
-af_protos.h: /usr/include/netinet/in.h
-	 LC_ALL=C  sed  -n -e "/IPPROTO_MAX/d"  -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" $< > $@
+af_protos.h:
+	 echo '#include <netinet/in.h>' | $(CC) -E -dM - | LC_ALL=C  sed  -n -e "/IPPROTO_MAX/d"  -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" > $@
 
 lib_LTLIBRARIES = libapparmor.la
-noinst_HEADERS = grammar.h parser.h scanner.h af_protos.h private.h
+noinst_HEADERS = grammar.h parser.h scanner.h af_protos.h private.h PMurHash.h
 
-libapparmor_la_SOURCES = grammar.y libaalogparse.c kernel.c scanner.c private.c features.c kernel_interface.c policy_cache.c
+libapparmor_la_SOURCES = grammar.y libaalogparse.c kernel.c scanner.c private.c features.c kernel_interface.c policy_cache.c PMurHash.c
 libapparmor_la_LDFLAGS = -version-info $(AA_LIB_CURRENT):$(AA_LIB_REVISION):$(AA_LIB_AGE) -XCClinker -dynamic -pthread \
 	-Wl,--version-script=$(top_srcdir)/src/libapparmor.map
 

libraries/libapparmor/src/PMurHash.c

@@ -0,0 +1,317 @@
+/*-----------------------------------------------------------------------------
+ * MurmurHash3 was written by Austin Appleby, and is placed in the public
+ * domain.
+ *
+ * This implementation was written by Shane Day, and is also public domain.
+ *
+ * This is a portable ANSI C implementation of MurmurHash3_x86_32 (Murmur3A)
+ * with support for progressive processing.
+ */
+
+/*-----------------------------------------------------------------------------
+ 
+If you want to understand the MurmurHash algorithm you would be much better
+off reading the original source. Just point your browser at:
+http://code.google.com/p/smhasher/source/browse/trunk/MurmurHash3.cpp
+
+
+What this version provides?
+
+1. Progressive data feeding. Useful when the entire payload to be hashed
+does not fit in memory or when the data is streamed through the application.
+Also useful when hashing a number of strings with a common prefix. A partial
+hash of a prefix string can be generated and reused for each suffix string.
+
+2. Portability. Plain old C so that it should compile on any old compiler.
+Both CPU endian and access-alignment neutral, but avoiding inefficient code
+when possible depending on CPU capabilities.
+
+3. Drop in. I personally like nice self contained public domain code, making it
+easy to pilfer without loads of refactoring to work properly in the existing
+application code & makefile structure and mucking around with licence files.
+Just copy PMurHash.h and PMurHash.c and you're ready to go.
+
+
+How does it work?
+
+We can only process entire 32 bit chunks of input, except for the very end
+that may be shorter. So along with the partial hash we need to give back to
+the caller a carry containing up to 3 bytes that we were unable to process.
+This carry also needs to record the number of bytes the carry holds. I use
+the low 2 bits as a count (0..3) and the carry bytes are shifted into the
+high byte in stream order.
+
+To handle endianess I simply use a macro that reads a uint32_t and define
+that macro to be a direct read on little endian machines, a read and swap
+on big endian machines, or a byte-by-byte read if the endianess is unknown.
+
+-----------------------------------------------------------------------------*/
+
+
+#include "PMurHash.h"
+
+/* I used ugly type names in the header to avoid potential conflicts with
+ * application or system typedefs & defines. Since I'm not including any more
+ * headers below here I can rename these so that the code reads like C99 */
+#undef uint32_t
+#define uint32_t MH_UINT32
+#undef uint8_t
+#define uint8_t  MH_UINT8
+
+/* MSVC warnings we choose to ignore */
+#if defined(_MSC_VER)
+  #pragma warning(disable: 4127) /* conditional expression is constant */
+#endif
+
+/*-----------------------------------------------------------------------------
+ * Endianess, misalignment capabilities and util macros
+ *
+ * The following 3 macros are defined in this section. The other macros defined
+ * are only needed to help derive these 3.
+ *
+ * READ_UINT32(x)   Read a little endian unsigned 32-bit int
+ * UNALIGNED_SAFE   Defined if READ_UINT32 works on non-word boundaries
+ * ROTL32(x,r)      Rotate x left by r bits
+ */
+
+/* Convention is to define __BYTE_ORDER == to one of these values */
+#if !defined(__BIG_ENDIAN)
+  #define __BIG_ENDIAN 4321
+#endif
+#if !defined(__LITTLE_ENDIAN)
+  #define __LITTLE_ENDIAN 1234
+#endif
+
+/* I386 */
+#if defined(_M_IX86) || defined(__i386__) || defined(__i386) || defined(i386)
+  #define __BYTE_ORDER __LITTLE_ENDIAN
+  #define UNALIGNED_SAFE
+#endif
+
+/* gcc 'may' define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ to 1 (Note the trailing __),
+ * or even _LITTLE_ENDIAN or _BIG_ENDIAN (Note the single _ prefix) */
+#if !defined(__BYTE_ORDER)
+  #if defined(__LITTLE_ENDIAN__) && __LITTLE_ENDIAN__==1 || defined(_LITTLE_ENDIAN) && _LITTLE_ENDIAN==1
+    #define __BYTE_ORDER __LITTLE_ENDIAN
+  #elif defined(__BIG_ENDIAN__) && __BIG_ENDIAN__==1 || defined(_BIG_ENDIAN) && _BIG_ENDIAN==1
+    #define __BYTE_ORDER __BIG_ENDIAN
+  #endif
+#endif
+
+/* gcc (usually) defines xEL/EB macros for ARM and MIPS endianess */
+#if !defined(__BYTE_ORDER)
+  #if defined(__ARMEL__) || defined(__MIPSEL__)
+    #define __BYTE_ORDER __LITTLE_ENDIAN
+  #endif
+  #if defined(__ARMEB__) || defined(__MIPSEB__)
+    #define __BYTE_ORDER __BIG_ENDIAN
+  #endif
+#endif
+
+/* Now find best way we can to READ_UINT32 */
+#if __BYTE_ORDER==__LITTLE_ENDIAN
+  /* CPU endian matches murmurhash algorithm, so read 32-bit word directly */
+  #define READ_UINT32(ptr)   (*((uint32_t*)(ptr)))
+#elif __BYTE_ORDER==__BIG_ENDIAN
+  /* TODO: Add additional cases below where a compiler provided bswap32 is available */
+  #if defined(__GNUC__) && (__GNUC__>4 || (__GNUC__==4 && __GNUC_MINOR__>=3))
+    #define READ_UINT32(ptr)   (__builtin_bswap32(*((uint32_t*)(ptr))))
+  #else
+    /* Without a known fast bswap32 we're just as well off doing this */
+    #define READ_UINT32(ptr)   (ptr[0]|ptr[1]<<8|ptr[2]<<16|ptr[3]<<24)
+    #define UNALIGNED_SAFE
+  #endif
+#else
+  /* Unknown endianess so last resort is to read individual bytes */
+  #define READ_UINT32(ptr)   (ptr[0]|ptr[1]<<8|ptr[2]<<16|ptr[3]<<24)
+
+  /* Since we're not doing word-reads we can skip the messing about with realignment */
+  #define UNALIGNED_SAFE
+#endif
+
+/* Find best way to ROTL32 */
+#if defined(_MSC_VER)
+  #include <stdlib.h>  /* Microsoft put _rotl declaration in here */
+  #define ROTL32(x,r)  _rotl(x,r)
+#else
+  /* gcc recognises this code and generates a rotate instruction for CPUs with one */
+  #define ROTL32(x,r)  (((uint32_t)x << r) | ((uint32_t)x >> (32 - r)))
+#endif
+
+
+/*-----------------------------------------------------------------------------
+ * Core murmurhash algorithm macros */
+
+#define C1  (0xcc9e2d51)
+#define C2  (0x1b873593)
+
+/* This is the main processing body of the algorithm. It operates
+ * on each full 32-bits of input. */
+#define DOBLOCK(h1, k1) do{ \
+        k1 *= C1; \
+        k1 = ROTL32(k1,15); \
+        k1 *= C2; \
+        \
+        h1 ^= k1; \
+        h1 = ROTL32(h1,13); \
+        h1 = h1*5+0xe6546b64; \
+    }while(0)
+
+
+/* Append unaligned bytes to carry, forcing hash churn if we have 4 bytes */
+/* cnt=bytes to process, h1=name of h1 var, c=carry, n=bytes in c, ptr/len=payload */
+#define DOBYTES(cnt, h1, c, n, ptr, len) do{ \
+    int _i = cnt; \
+    while(_i--) { \
+        c = c>>8 | *ptr++<<24; \
+        n++; len--; \
+        if(n==4) { \
+            DOBLOCK(h1, c); \
+            n = 0; \
+        } \
+    } }while(0)
+
+/*---------------------------------------------------------------------------*/
+
+/* Main hashing function. Initialise carry to 0 and h1 to 0 or an initial seed
+ * if wanted. Both ph1 and pcarry are required arguments. */
+void PMurHash32_Process(uint32_t *ph1, uint32_t *pcarry, const void *key, int len)
+{
+  uint32_t h1 = *ph1;
+  uint32_t c = *pcarry;
+
+  const uint8_t *ptr = (uint8_t*)key;
+  const uint8_t *end;
+
+  /* Extract carry count from low 2 bits of c value */
+  int n = c & 3;
+
+#if defined(UNALIGNED_SAFE)
+  /* This CPU handles unaligned word access */
+
+  /* Consume any carry bytes */
+  int i = (4-n) & 3;
+  if(i && i <= len) {
+    DOBYTES(i, h1, c, n, ptr, len);
+  }
+
+  /* Process 32-bit chunks */
+  end = ptr + len/4*4;
+  for( ; ptr < end ; ptr+=4) {
+    uint32_t k1 = READ_UINT32(ptr);
+    DOBLOCK(h1, k1);
+  }
+
+#else /*UNALIGNED_SAFE*/
+  /* This CPU does not handle unaligned word access */
+
+  /* Consume enough so that the next data byte is word aligned */
+  int i = -(long)ptr & 3;
+  if(i && i <= len) {
+      DOBYTES(i, h1, c, n, ptr, len);
+  }
+
+  /* We're now aligned. Process in aligned blocks. Specialise for each possible carry count */
+  end = ptr + len/4*4;
+  switch(n) { /* how many bytes in c */
+  case 0: /* c=[----]  w=[3210]  b=[3210]=w            c'=[----] */
+    for( ; ptr < end ; ptr+=4) {
+      uint32_t k1 = READ_UINT32(ptr);
+      DOBLOCK(h1, k1);
+    }
+    break;
+  case 1: /* c=[0---]  w=[4321]  b=[3210]=c>>24|w<<8   c'=[4---] */
+    for( ; ptr < end ; ptr+=4) {
+      uint32_t k1 = c>>24;
+      c = READ_UINT32(ptr);
+      k1 |= c<<8;
+      DOBLOCK(h1, k1);
+    }
+    break;
+  case 2: /* c=[10--]  w=[5432]  b=[3210]=c>>16|w<<16  c'=[54--] */
+    for( ; ptr < end ; ptr+=4) {
+      uint32_t k1 = c>>16;
+      c = READ_UINT32(ptr);
+      k1 |= c<<16;
+      DOBLOCK(h1, k1);
+    }
+    break;
+  case 3: /* c=[210-]  w=[6543]  b=[3210]=c>>8|w<<24   c'=[654-] */
+    for( ; ptr < end ; ptr+=4) {
+      uint32_t k1 = c>>8;
+      c = READ_UINT32(ptr);
+      k1 |= c<<24;
+      DOBLOCK(h1, k1);
+    }
+  }
+#endif /*UNALIGNED_SAFE*/
+
+  /* Advance over whole 32-bit chunks, possibly leaving 1..3 bytes */
+  len -= len/4*4;
+
+  /* Append any remaining bytes into carry */
+  DOBYTES(len, h1, c, n, ptr, len);
+
+  /* Copy out new running hash and carry */
+  *ph1 = h1;
+  *pcarry = (c & ~0xff) | n;
+} 
+
+/*---------------------------------------------------------------------------*/
+
+/* Finalize a hash. To match the original Murmur3A the total_length must be provided */
+uint32_t PMurHash32_Result(uint32_t h, uint32_t carry, uint32_t total_length)
+{
+  uint32_t k1;
+  int n = carry & 3;
+  if(n) {
+    k1 = carry >> (4-n)*8;
+    k1 *= C1; k1 = ROTL32(k1,15); k1 *= C2; h ^= k1;
+  }
+  h ^= total_length;
+
+  /* fmix */
+  h ^= h >> 16;
+  h *= 0x85ebca6b;
+  h ^= h >> 13;
+  h *= 0xc2b2ae35;
+  h ^= h >> 16;
+
+  return h;
+}
+
+/*---------------------------------------------------------------------------*/
+
+/* Murmur3A compatable all-at-once */
+uint32_t PMurHash32(uint32_t seed, const void *key, int len)
+{
+  uint32_t h1=seed, carry=0;
+  PMurHash32_Process(&h1, &carry, key, len);
+  return PMurHash32_Result(h1, carry, len);
+}
+
+/*---------------------------------------------------------------------------*/
+
+/* Provide an API suitable for smhasher */
+void PMurHash32_test(const void *key, int len, uint32_t seed, void *out)
+{
+  uint32_t h1=seed, carry=0;
+  const uint8_t *ptr = (uint8_t*)key;
+  const uint8_t *end = ptr + len;
+
+#if 0 /* Exercise the progressive processing */
+  while(ptr < end) {
+    //const uint8_t *mid = ptr + rand()%(end-ptr)+1;
+    const uint8_t *mid = ptr + (rand()&0xF);
+    mid = mid<end?mid:end;
+    PMurHash32_Process(&h1, &carry, ptr, mid-ptr);
+    ptr = mid;
+  }
+#else
+  PMurHash32_Process(&h1, &carry, ptr, (int)(end-ptr));
+#endif
+  h1 = PMurHash32_Result(h1, carry, len);
+  *(uint32_t*)out = h1;
+}
+
+/*---------------------------------------------------------------------------*/

libraries/libapparmor/src/PMurHash.h

@@ -0,0 +1,64 @@
+/*-----------------------------------------------------------------------------
+ * MurmurHash3 was written by Austin Appleby, and is placed in the public
+ * domain.
+ *
+ * This implementation was written by Shane Day, and is also public domain.
+ *
+ * This is a portable ANSI C implementation of MurmurHash3_x86_32 (Murmur3A)
+ * with support for progressive processing.
+ */
+
+/* ------------------------------------------------------------------------- */
+/* Determine what native type to use for uint32_t */
+
+/* We can't use the name 'uint32_t' here because it will conflict with
+ * any version provided by the system headers or application. */
+
+/* First look for special cases */
+#if defined(_MSC_VER)
+  #define MH_UINT32 unsigned long
+#endif
+
+/* If the compiler says it's C99 then take its word for it */
+#if !defined(MH_UINT32) && ( \
+     defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L )
+  #include <stdint.h>
+  #define MH_UINT32 uint32_t
+#endif
+
+/* Otherwise try testing against max value macros from limit.h */
+#if !defined(MH_UINT32)
+  #include  <limits.h>
+  #if   (USHRT_MAX == 0xffffffffUL)
+    #define MH_UINT32 unsigned short
+  #elif (UINT_MAX == 0xffffffffUL)
+    #define MH_UINT32 unsigned int
+  #elif (ULONG_MAX == 0xffffffffUL)
+    #define MH_UINT32 unsigned long
+  #endif
+#endif
+
+#if !defined(MH_UINT32)
+  #error Unable to determine type name for unsigned 32-bit int
+#endif
+
+/* I'm yet to work on a platform where 'unsigned char' is not 8 bits */
+#define MH_UINT8  unsigned char
+
+
+/* ------------------------------------------------------------------------- */
+/* Prototypes */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+void PMurHash32_Process(MH_UINT32 *ph1, MH_UINT32 *pcarry, const void *key, int len);
+MH_UINT32 PMurHash32_Result(MH_UINT32 h1, MH_UINT32 carry, MH_UINT32 total_length);
+MH_UINT32 PMurHash32(MH_UINT32 seed, const void *key, int len);
+
+void PMurHash32_test(const void *key, int len, MH_UINT32 seed, void *out);
+
+#ifdef __cplusplus
+}
+#endif

libraries/libapparmor/src/features.c

@@ -1,5 +1,5 @@
 /*
- *   Copyright (c) 2014
+ *   Copyright (c) 2014-2017
  *   Canonical, Ltd. (All rights reserved)
  *
  *   This program is free software; you can redistribute it and/or
@@ -20,6 +20,7 @@
 #include <ctype.h>
 #include <dirent.h>
 #include <fcntl.h>
+#include <inttypes.h>
 #include <stdio.h>
 #include <string.h>
 #include <stdarg.h>
@@ -31,13 +32,16 @@
 #include <sys/apparmor.h>
 
 #include "private.h"
+#include "PMurHash.h"
 
 #define FEATURES_FILE "/sys/kernel/security/apparmor/features"
 
+#define HASH_SIZE (8 + 1) /* 32 bits binary to hex + NUL terminator */
 #define STRING_SIZE 8192
 
 struct aa_features {
 	unsigned int ref_count;
+	char hash[HASH_SIZE];
 	char string[STRING_SIZE];
 };
 
@@ -205,6 +209,29 @@ static ssize_t load_features_dir(int dirfd, const char *path,
 	return 0;
 }
 
+static int init_features_hash(aa_features *features)
+{
+	const char *string = features->string;
+	uint32_t seed = 5381;
+	uint32_t hash = seed, carry = 0;
+	size_t len = strlen(string);
+
+	/* portable murmur3 hash
+	 * https://github.com/aappleby/smhasher/wiki/MurmurHash3
+	 */
+	PMurHash32_Process(&hash, &carry, string, len);
+	hash = PMurHash32_Result(hash, carry, len);
+
+	if (snprintf(features->hash, HASH_SIZE,
+		     "%08" PRIx32, hash) >= HASH_SIZE) {
+		errno = ENOBUFS;
+		PERROR("Hash buffer full.");
+		return -1;
+	}
+
+	return 0;
+}
+
 static bool islbrace(int c)
 {
 	return c == '{';
@@ -408,6 +435,14 @@ int aa_features_new(aa_features **features, int dirfd, const char *path)
 		return -1;
 	}
 
+	if (init_features_hash(f) == -1) {
+		int save = errno;
+
+		aa_features_unref(f);
+		errno = save;
+		return -1;
+	}
+
 	*features = f;
 
 	return 0;
@@ -443,6 +478,15 @@ int aa_features_new_from_string(aa_features **features,
 
 	memcpy(f->string, string, size);
 	f->string[size] = '\0';
+
+	if (init_features_hash(f) == -1) {
+		int save = errno;
+
+		aa_features_unref(f);
+		errno = save;
+		return -1;
+	}
+
 	*features = f;
 
 	return 0;
@@ -577,3 +621,21 @@ bool aa_features_supports(aa_features *features, const char *str)
 
 	return true;
 }
+
+/**
+ * aa_features_id - provides unique identifier for an aa_features object
+ * @features: the features
+ *
+ * Allocates and returns a string representation of an identifier that can
+ * be used to uniquely identify an aa_features object. The mechanism for
+ * generating the string representation is internal to libapparmor and
+ * subject to change but an example implementation is applying a hash
+ * function to the features string.
+ *
+ * Returns: a string identifying @features which must be freed by the
+ * caller or NULL, with errno set, upon error
+ */
+char *aa_features_id(aa_features *features)
+{
+	return strdup(features->hash);
+}

libraries/libapparmor/src/grammar.y

@@ -19,7 +19,12 @@
 %{
 
 /* set the following to non-zero to get bison to emit debugging
- * information about tokens given and rules matched. */
+ * information about tokens given and rules matched.
+ * Also:
+ *   Uncomment the %defines
+ *   parse.error
+ *   parse.trace
+ */
 #define YYDEBUG 0
 #include <string.h>
 #include <aalogparse.h>
@@ -34,7 +39,9 @@ aa_log_record *ret_record;
  * emit messages when asked for. */
 void aalogparse_error(void *scanner, char const *s)
 {
-        //printf("ERROR: %s\n", s);
+#if (YYDEBUG != 0)
+	printf("ERROR: %s\n", s);
+#endif
 	ret_record->event = AA_RECORD_INVALID;
 }
 
@@ -68,6 +75,11 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %}
 
 %defines
+/* uncomment for debugging
+%define parse.error verbose
+%define parse.trace
+*/
+
 %define api.pure
 %lex-param{void *scanner}
 %parse-param{void *scanner}
@@ -128,6 +140,8 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_PEER_PID
 %token TOK_KEY_PROFILE
 %token TOK_KEY_PEER_PROFILE
+%token TOK_KEY_LABEL
+%token TOK_KEY_PEER_LABEL
 %token TOK_KEY_PEER
 %token TOK_AUDIT
 %token TOK_KEY_FAMILY
@@ -194,7 +208,7 @@ new_syntax:
 	| TOK_TYPE_AA_ERROR audit_msg key_list { ret_record->event = AA_RECORD_ERROR; }
 	| TOK_TYPE_UNKNOWN audit_msg key_list { ret_record->event = lookup_aa_event($1); }
 	| TOK_TYPE_LSM_AVC audit_msg key_list
-	| TOK_TYPE_USER_AVC audit_user_msg TOK_SINGLE_QUOTE key_list TOK_SINGLE_QUOTE
+	| TOK_TYPE_USER_AVC audit_user_msg
 	;
 
 other_audit: TOK_TYPE_OTHER audit_msg TOK_MSG_REST
@@ -218,6 +232,11 @@ syslog_type:
 	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
 	| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP key_type audit_id key_list
 	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
+	/* needs update: hard newline in handling mutiline log messages */
+	| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_partial_tail
+	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
+	| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_tail
+	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
 	| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list
 	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
 	| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_AUDIT TOK_COLON key_type audit_id key_list
@@ -234,7 +253,13 @@ audit_dispatch:
 audit_msg: TOK_KEY_MSG TOK_EQUALS audit_id
 	;
 
-audit_user_msg: TOK_KEY_MSG TOK_EQUALS audit_id ignored_pid ignored_uid ignored_auid ignored_ses TOK_KEY_MSG TOK_EQUALS
+audit_user_msg_partial_tail: ignored_pid ignored_uid ignored_auid ignored_ses TOK_KEY_MSG TOK_EQUALS TOK_SINGLE_QUOTE key_list
+	;
+
+audit_user_msg_tail: audit_user_msg_partial_tail TOK_SINGLE_QUOTE
+	;
+
+audit_user_msg: TOK_KEY_MSG TOK_EQUALS audit_id audit_user_msg_tail
 	;
 
 audit_id: TOK_AUDIT TOK_OPEN_PAREN TOK_AUDIT_DIGITS TOK_PERIOD TOK_AUDIT_DIGITS TOK_COLON TOK_AUDIT_DIGITS TOK_CLOSE_PAREN TOK_COLON
@@ -292,6 +317,10 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->profile = $3;}
 	| TOK_KEY_PEER_PROFILE TOK_EQUALS safe_string
 	{ ret_record->peer_profile = $3;}
+	| TOK_KEY_LABEL TOK_EQUALS safe_string
+	{ ret_record->profile = $3;}
+	| TOK_KEY_PEER_LABEL TOK_EQUALS safe_string
+	{ ret_record->peer_profile = $3;}
 	| TOK_KEY_FAMILY TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->net_family = $3;}
 	| TOK_KEY_SOCK_TYPE TOK_EQUALS TOK_QUOTED_STRING

libraries/libapparmor/src/kernel.c

@@ -43,6 +43,7 @@
 		__asm__ (".symver " #real "," #name "@" #version)
 #define default_symbol_version(real, name, version) \
 		__asm__ (".symver " #real "," #name "@@" #version)
+#define DLLEXPORT __attribute__((visibility("default"),externally_visible))
 
 #define UNCONFINED		"unconfined"
 #define UNCONFINED_SIZE		strlen(UNCONFINED)
@@ -500,7 +501,7 @@ int aa_change_onexec(const char *profile)
 }
 
 /* create an alias for the old change_hat@IMMUNIX_1.0 symbol */
-extern typeof((__change_hat)) __old_change_hat __attribute__((alias ("__change_hat")));
+DLLEXPORT extern typeof((__change_hat)) __old_change_hat __attribute__((alias ("__change_hat")));
 symbol_version(__old_change_hat, change_hat, IMMUNIX_1.0);
 default_symbol_version(__change_hat, change_hat, APPARMOR_1.0);
 
@@ -889,7 +890,7 @@ int query_label(uint32_t mask, char *query, size_t size, int *allowed,
 
 /* export multiple aa_query_label symbols to compensate for downstream
  * releases with differing symbol versions. */
-extern typeof((query_label)) __aa_query_label __attribute__((alias ("query_label")));
+DLLEXPORT extern typeof((query_label)) __aa_query_label __attribute__((alias ("query_label")));
 symbol_version(__aa_query_label, aa_query_label, APPARMOR_1.1);
 default_symbol_version(query_label, aa_query_label, APPARMOR_2.9);
 

libraries/libapparmor/src/libapparmor.map

@@ -6,14 +6,14 @@
 
 IMMUNIX_1.0 {
   global:
-        change_hat;
+        change_hat; __old_change_hat;
   local:
         *;
 };
 
 APPARMOR_1.0 {
   global:
-        change_hat;
+        change_hat; __change_hat;
         parse_record;
         free_record;
   local:
@@ -24,7 +24,7 @@ APPARMOR_1.1 {
   global:
         aa_is_enabled;
         aa_find_mountpoint;
-        aa_change_hat;
+        aa_change_hat; __old_change_hat;
         aa_change_hatv;
         aa_change_hat_vargs;
         aa_change_profile;
@@ -37,7 +37,7 @@ APPARMOR_1.1 {
         free_record;
         aa_getprocattr_raw;
         aa_getprocattr;
-        aa_query_label;
+        aa_query_label; __aa_query_label;
 
 	# no more symbols here, please
 
@@ -47,7 +47,7 @@ APPARMOR_1.1 {
 
 APPARMOR_2.9 {
   global:
-	aa_query_label;
+	aa_query_label; query_label;
   local:
 	*;
 } APPARMOR_1.1;
@@ -95,9 +95,30 @@ APPARMOR_2.11 {
         *;
 } APPARMOR_2.10;
 
+APPARMOR_2.13 {
+  global:
+        aa_policy_cache_dir_path;
+        aa_policy_cache_dir_path_preview;
+	aa_policy_cache_no_dirs;
+	aa_policy_cache_dirfd;
+	aa_policy_cache_open;
+	aa_policy_cache_filename;
+        aa_features_id;
+  local:
+        *;
+} APPARMOR_2.11;
+
+APPARMOR_2.13.1 {
+  global:
+        aa_policy_cache_add_ro_dir;
+  local:
+        *;
+} APPARMOR_2.13;
+
 PRIVATE {
 	global:
 		_aa_is_blacklisted;
+		_aa_asprintf;
 		_aa_autofree;
 		_aa_autoclose;
 		_aa_autofclose;

libraries/libapparmor/src/policy_cache.c

@@ -1,5 +1,5 @@
 /*
- *   Copyright (c) 2014
+ *   Copyright (c) 2014-2017
  *   Canonical, Ltd. (All rights reserved)
  *
  *   This program is free software; you can redistribute it and/or
@@ -16,8 +16,11 @@
  *   Ltd.
  */
 
+#include <dirent.h>
 #include <errno.h>
 #include <fcntl.h>
+#include <fnmatch.h>
+#include <limits.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -29,31 +32,155 @@
 #include "private.h"
 
 #define CACHE_FEATURES_FILE	".features"
+#define MAX_POLICY_CACHE_OVERLAY_DIRS	4
 
 struct aa_policy_cache {
 	unsigned int ref_count;
 	aa_features *features;
 	aa_features *kernel_features;
-	int dirfd;
+	int n;
+	int dirfd[MAX_POLICY_CACHE_OVERLAY_DIRS];
 };
 
 static int clear_cache_cb(int dirfd, const char *path, struct stat *st,
 			  void *data unused)
 {
-	/* remove regular files */
-	if (S_ISREG(st->st_mode))
+	if (S_ISREG(st->st_mode)) {
+		/* remove regular files */
 		return unlinkat(dirfd, path, 0);
+	} else if (S_ISDIR(st->st_mode)) {
+		int retval;
+
+		retval = _aa_dirat_for_each(dirfd, path, NULL, clear_cache_cb);
+		if (retval)
+			return retval;
+
+		return unlinkat(dirfd, path, AT_REMOVEDIR);
+	}
 
 	/* do nothing with other file types */
 	return 0;
 }
 
+struct replace_all_cb_data {
+	aa_policy_cache *policy_cache;
+	aa_kernel_interface *kernel_interface;
+};
+
+static int replace_all_cb(int dirfd, const char *name, struct stat *st,
+			 void *cb_data)
+{
+	int retval = 0;
+
+	if (S_ISLNK(st->st_mode)) {
+		/*
+		 * symlinks in that cache are used to track file merging.
+		 * In the scanned overlay situation they can be skipped
+		 * as the combined entry will be one of none skipped
+		 * entries
+		 */
+	} else if (S_ISREG(st->st_mode) && st->st_size == 0) {
+		/*
+		 * empty file in the cache dir is used as a whiteout
+		 * to hide files in a lower layer. skip
+		 */
+	} else if (!S_ISDIR(st->st_mode) && !_aa_is_blacklisted(name)) {
+		struct replace_all_cb_data *data;
+
+		data = (struct replace_all_cb_data *) cb_data;
+		retval = aa_kernel_interface_replace_policy_from_file(data->kernel_interface,
+								      dirfd,
+								      name);
+	}
+
+	return retval;
+}
+
+static char *path_from_fd(int fd)
+{
+	autofree char *proc_path = NULL;
+	autoclose int proc_fd = -1;
+	struct stat proc_stat;
+	char *path;
+	ssize_t size, path_len;
+
+	if (asprintf(&proc_path, "/proc/self/fd/%d", fd) == -1) {
+		proc_path = NULL;
+		errno = ENOMEM;
+		return NULL;
+	}
+
+	proc_fd = open(proc_path, O_RDONLY | O_CLOEXEC | O_PATH | O_NOFOLLOW);
+	if (proc_fd == -1)
+		return NULL;
+
+	if (fstat(proc_fd, &proc_stat) == -1)
+		return NULL;
+
+	if (!S_ISLNK(proc_stat.st_mode)) {
+		errno = EINVAL;
+		return NULL;
+	}
+
+	size = proc_stat.st_size;
+repeat:
+	path = malloc(size + 1);
+	if (!path)
+		return NULL;
+
+	/**
+	 * Since 2.6.39, symlink file descriptors opened with
+	 * (O_PATH | O_NOFOLLOW) can be used as the dirfd with an empty string
+	 * as the path. readlinkat() will operate on the symlink inode.
+	 */
+	path_len = readlinkat(proc_fd, "", path, size);
+	if (path_len == -1)
+		return NULL;
+	if (path_len == size) {
+		free(path);
+		size = size * 2;
+		goto repeat;
+	}
+	path[path_len] = '\0';
+	return path;
+}
+
+static int cache_check_features(int dirfd, const char *cache_name,
+				aa_features *features)
+{
+	aa_features *local_features = NULL;
+	autofree char *name = NULL;
+	bool rc;
+	int len;
+
+	len = asprintf(&name, "%s/%s", cache_name, CACHE_FEATURES_FILE);
+	if (len == -1) {
+		errno = ENOMEM;
+		return -1;
+	}
+
+	/* verify that cache dir .features matches */
+	if (aa_features_new(&local_features, dirfd, name)) {
+		PDEBUG("could not setup new features object for dirfd '%d' '%s'\n", dirfd, name);
+		return -1;
+	}
+
+	rc = aa_features_is_equal(local_features, features);
+	aa_features_unref(local_features);
+	if (!rc) {
+		errno = EEXIST;
+		return -1;
+	}
+
+	return 0;
+}
+
 static int create_cache(aa_policy_cache *policy_cache, aa_features *features)
 {
-	if (aa_policy_cache_remove(policy_cache->dirfd, "."))
+	if (aa_policy_cache_remove(policy_cache->dirfd[0], "."))
 		return -1;
 
-	if (aa_features_write_to_file(features, policy_cache->dirfd,
+	if (aa_features_write_to_file(features, policy_cache->dirfd[0],
 				      CACHE_FEATURES_FILE) == -1)
 		return -1;
 
@@ -65,51 +192,176 @@ static int create_cache(aa_policy_cache *policy_cache, aa_features *features)
 static int init_cache_features(aa_policy_cache *policy_cache,
 			       aa_features *kernel_features, bool create)
 {
-	bool call_create_cache = false;
-
-	if (aa_features_new(&policy_cache->features, policy_cache->dirfd,
-			    CACHE_FEATURES_FILE)) {
-		policy_cache->features = NULL;
-		if (!create || errno != ENOENT)
+	if (cache_check_features(policy_cache->dirfd[0], ".",
+				 kernel_features)) {
+		/* EEXIST must come before ENOENT for short circuit eval */
+		if (!create || errno == EEXIST || errno != ENOENT)
 			return -1;
+	} else
+		return 0;
 
-		/* The cache directory needs to be created */
-		call_create_cache = true;
-	} else if (!aa_features_is_equal(policy_cache->features,
-					 kernel_features)) {
-		if (!create) {
-			errno = EEXIST;
-			return -1;
-		}
-
-		/* The cache directory needs to be refreshed */
-		call_create_cache = true;
-	}
-
-	return call_create_cache ?
-		create_cache(policy_cache, kernel_features) : 0;
+	return create_cache(policy_cache, kernel_features);
 }
 
-struct replace_all_cb_data {
-	aa_policy_cache *policy_cache;
-	aa_kernel_interface *kernel_interface;
+struct miss_cb_data {
+	aa_features *features;
+	const char *path;
+	char *pattern;
+	char *cache_name;	/* return */
+	long n;
 };
 
-static int replace_all_cb(int dirfd unused, const char *name, struct stat *st,
-			 void *cb_data)
+/* called on cache collision or miss where cache isn't present */
+static int cache_miss_cb(int dirfd, const struct dirent *ent, void *arg)
 {
-	int retval = 0;
+	struct miss_cb_data *data = arg;
+	char *cache_name, *pos, *tmp;
+	long n;
+	int len;
 
-	if (!S_ISDIR(st->st_mode) && !_aa_is_blacklisted(name)) {
-		struct replace_all_cb_data *data;
+	/* TODO: update to tighter pattern match of just trailing #s */
+	if (fnmatch(data->pattern, ent->d_name, 0))
+		return 0;
 
-		data = (struct replace_all_cb_data *) cb_data;
-		retval = aa_kernel_interface_replace_policy_from_file(data->kernel_interface,
-								      data->policy_cache->dirfd,
-								      name);
+	/* entry matches <feature_id>.<n> pattern */
+	len = asprintf(&cache_name, "%s/%s", data->path, ent->d_name);
+	if (len == -1) {
+		errno = ENOMEM;
+		return -1;
+	}
+	if (!cache_check_features(dirfd, cache_name, data->features) || errno == ENOENT) {
+		/* found cache dir matching pattern */
+		data->cache_name = cache_name;
+		/* return 1 to stop iteration and signal dir found */
+		return 1;
+	}  else if (errno != EEXIST) {
+		PDEBUG("cache_check_features() failed for dirfd '%d' '%s'\n", dirfd, cache_name);
+		free(cache_name);
+		return -1;
+	}
+	free(cache_name);
+
+	/* check the cache dir # */
+	pos = strchr(ent->d_name, '.');
+	n = strtol(pos+1, &tmp, 10);
+	if (n == LONG_MIN || n == LONG_MAX || tmp == pos + 1)
+		return -1;
+	if (n > data->n)
+		data->n = n;
+
+	/* continue processing */
+	return 0;
+}
+
+/* will return cache_path on error if there is a collision */
+static int cache_dir_from_path_and_features(char **cache_path,
+					    int dirfd, const char *path,
+					    aa_features *features)
+{
+	autofree const char *features_id = NULL;
+	char *cache_dir;
+	size_t len;
+	int rc;
+
+	features_id = aa_features_id(features);
+	if (!features_id)
+		return -1;
+
+	len = asprintf(&cache_dir, "%s/%s.0", path, features_id);
+	if (len == -1)
+		return -1;
+
+	if (!cache_check_features(dirfd, cache_dir, features) || errno == ENOENT) {
+		PDEBUG("cache_dir_from_path_and_features() found '%s'\n", cache_dir);
+		*cache_path = cache_dir;
+		return 0;
+	} else if (errno != EEXIST) {
+		PDEBUG("cache_check_features() failed for dirfd '%d' %s\n", dirfd, cache_dir);
+		free(cache_dir);
+		return -1;
 	}
 
-	return retval;
+	PDEBUG("Cache collision '%s' falling back to next dir on fd '%d' path %s", cache_dir, dirfd, path);
+	free(cache_dir);
+
+	struct miss_cb_data data = {
+		.features = features,
+		.path = path,
+		.cache_name = NULL,
+		.n = -1,
+	};
+
+	if (asprintf(&data.pattern, "%s.*", features_id) == -1)
+		return -1;
+
+	rc = _aa_dirat_for_each2(dirfd, path, &data, cache_miss_cb);
+	free(data.pattern);
+	if (rc == 1) {
+		/* found matching feature dir */
+		PDEBUG("cache_dir_from_path_and_features() callback found '%s'\n", data.cache_name);
+		*cache_path = data.cache_name;
+		return 0;
+	} else if (rc) {
+		PDEBUG("cache_dir_from_path_and_features() callback returned an error'%m'\n");
+		return -1;
+	}
+	/* no dir found use 1 higher than highest dir n searched */
+	len = asprintf(&cache_dir, "%s/%s.%d", path, features_id, data.n + 1);
+	if (len == -1)
+		return -1;
+
+	PDEBUG("Cache collision no dir found using %d + 1 = %s\n", data.n + 1, cache_dir);
+	*cache_path = cache_dir;
+	return 0;
+}
+
+/* will return the cache_dir or NULL */
+static int open_or_create_cache_dir(aa_features *features, int dirfd,
+				    const char *path, bool create,
+				    char **cache_dir)
+{
+	int fd;
+
+	*cache_dir = NULL;
+	if (cache_dir_from_path_and_features(cache_dir, dirfd, path,
+					     features))
+		return -1;
+
+open:
+	fd = openat(dirfd, *cache_dir, O_RDONLY | O_CLOEXEC | O_DIRECTORY);
+	if (fd < 0) {
+		/* does the dir exist? */
+		if (create && errno == ENOENT) {
+			/**
+			 * 1) Attempt to create the cache location, such as
+			 *    /etc/apparmor.d/cache.d/
+			 * 2) Attempt to create the cache directory, for the
+			 *    passed in aa_features, such as
+			 *    /etc/apparmor.d/cache.d/<features_id>/
+			 * 3) Try to reopen the cache directory
+			 */
+			if (mkdirat(dirfd, path, 0700) == -1 &&
+			    errno != EEXIST) {
+				PERROR("Can't create cache location '%s': %m\n",
+				       path);
+			} else if (mkdirat(dirfd, *cache_dir, 0700) == -1 &&
+				   errno != EEXIST) {
+				PERROR("Can't create cache directory '%s': %m\n",
+				       *cache_dir);
+			} else {
+				goto open;
+			}
+		} else if (create) {
+			PERROR("Can't update cache directory '%s': %m\n", *cache_dir);
+		} else {
+			PDEBUG("Cache directory '%s' does not exist\n", *cache_dir);
+		}
+
+		PDEBUG("Could not open cache_dir: %m");
+		return -1;
+	}
+
+	return fd;
 }
 
 /**
@@ -133,8 +385,11 @@ int aa_policy_cache_new(aa_policy_cache **policy_cache,
 			aa_features *kernel_features,
 			int dirfd, const char *path, uint16_t max_caches)
 {
+	autofree char *cache_dir = NULL;
 	aa_policy_cache *pc;
 	bool create = max_caches > 0;
+	autofree const char *features_id = NULL;
+	int i, fd;
 
 	*policy_cache = NULL;
 
@@ -143,55 +398,79 @@ int aa_policy_cache_new(aa_policy_cache **policy_cache,
 		return -1;
 	}
 
-	if (max_caches > 1) {
-		errno = ENOTSUP;
-		return -1;
-	}
-
+	/* TODO: currently no reaping of caches in excess of max_caches */
 	pc = calloc(1, sizeof(*pc));
 	if (!pc) {
 		errno = ENOMEM;
 		return -1;
 	}
-	pc->dirfd = -1;
+	pc->n = 0;
+	for (i = 0; i < MAX_POLICY_CACHE_OVERLAY_DIRS; i++)
+		pc->dirfd[i] = -1;
 	aa_policy_cache_ref(pc);
 
-open:
-	pc->dirfd = openat(dirfd, path, O_RDONLY | O_CLOEXEC | O_DIRECTORY);
-	if (pc->dirfd < 0) {
-		/* does the dir exist? */
-		if (create && errno == ENOENT) {
-			if (mkdirat(dirfd, path, 0700) == 0)
-				goto open;
-			PERROR("Can't create cache directory '%s': %m\n", path);
-		} else if (create) {
-			PERROR("Can't update cache directory '%s': %m\n", path);
-		} else {
-			PDEBUG("Cache directory '%s' does not exist\n", path);
-		}
-
-		aa_policy_cache_unref(pc);
-		return -1;
-	}
-
 	if (kernel_features) {
 		aa_features_ref(kernel_features);
 	} else if (aa_features_new_from_kernel(&kernel_features) == -1) {
 		aa_policy_cache_unref(pc);
+		PDEBUG("%s: Failed to obtain features %m\n", __FUNCTION__);
 		return -1;
 	}
-	pc->kernel_features = kernel_features;
+	pc->features = kernel_features;
+
+	fd = open_or_create_cache_dir(kernel_features, dirfd, path, create,
+				      &cache_dir);
+	if (fd == -1) {
+		aa_policy_cache_unref(pc);
+		PDEBUG("%s: Failed to open_or_create_dir %m\n", __FUNCTION__);
+		return -1;
+	}
+	pc->dirfd[0] = fd;
+	pc->n = 1;
 
 	if (init_cache_features(pc, kernel_features, create)) {
+		PDEBUG("%s: failed init_cache_features for dirfd '%d' name '%s' opened as pc->dirfd '%d'\n", __FUNCTION__, dirfd, cache_dir, pc->dirfd);
 		aa_policy_cache_unref(pc);
 		return -1;
 	}
 
+	PDEBUG("%s: created policy_cache for dirfd '%d' name '%s' opened as pc->dirfd '%d'\n", __FUNCTION__, dirfd, cache_dir, pc->dirfd);
 	*policy_cache = pc;
 
 	return 0;
 }
 
+/**
+ * aa_policy_cache_add_ro_dir - add an readonly dir layer to the policy cache
+ * @policy_cache: policy_cache to add the readonly dir to
+ * @dirfd: directory file descriptor or AT_FDCWD (see openat(2))
+ * @path: path to the readonly policy cache
+ *
+ * Returns: 0 on success, -1 on error with errno set
+ */
+
+int aa_policy_cache_add_ro_dir(aa_policy_cache *policy_cache, int dirfd,
+			       const char *path)
+{
+	autofree char *cache_dir = NULL;
+	int fd;
+
+	if (policy_cache->n >= MAX_POLICY_CACHE_OVERLAY_DIRS) {
+		errno = ENOSPC;
+		PDEBUG("%s: exceeded number of supported cache overlays\n", __FUNCTION__);
+		return -1;
+	}
+	fd = open_or_create_cache_dir(policy_cache->features, dirfd, path,
+				      false, &cache_dir);
+	if (fd == -1) {
+		PDEBUG("%s: failed to open_or_create_cache_dir %m\n", __FUNCTION__);
+		return -1;
+	}
+	policy_cache->dirfd[policy_cache->n++] = fd;
+
+	return 0;
+}
+
 /**
  * aa_policy_cache_ref - increments the ref count of an aa_policy_cache object
  * @policy_cache: the policy_cache
@@ -210,13 +489,14 @@ aa_policy_cache *aa_policy_cache_ref(aa_policy_cache *policy_cache)
  */
 void aa_policy_cache_unref(aa_policy_cache *policy_cache)
 {
-	int save = errno;
+	int i, save = errno;
 
 	if (policy_cache && atomic_dec_and_test(&policy_cache->ref_count)) {
 		aa_features_unref(policy_cache->features);
-		aa_features_unref(policy_cache->kernel_features);
-		if (policy_cache->dirfd != -1)
-			close(policy_cache->dirfd);
+		for (i = 0; i < MAX_POLICY_CACHE_OVERLAY_DIRS; i++) {
+			if (policy_cache->dirfd[i] != -1)
+				close(policy_cache->dirfd[i]);
+		}
 		free(policy_cache);
 	}
 
@@ -254,7 +534,7 @@ int aa_policy_cache_replace_all(aa_policy_cache *policy_cache,
 	if (kernel_interface) {
 		aa_kernel_interface_ref(kernel_interface);
 	} else if (aa_kernel_interface_new(&kernel_interface,
-					   policy_cache->kernel_features,
+					   policy_cache->features,
 					   NULL) == -1) {
 		kernel_interface = NULL;
 		return -1;
@@ -262,10 +542,158 @@ int aa_policy_cache_replace_all(aa_policy_cache *policy_cache,
 
 	cb_data.policy_cache = policy_cache;
 	cb_data.kernel_interface = kernel_interface;
-	retval = _aa_dirat_for_each(policy_cache->dirfd, ".", &cb_data,
-				    replace_all_cb);
+	retval = _aa_overlaydirat_for_each(policy_cache->dirfd, policy_cache->n,
+					   &cb_data, replace_all_cb);
 
 	aa_kernel_interface_unref(kernel_interface);
 
 	return retval;
 }
+
+/**
+ * aa_policy_cache_no_dirs - return the number of dirs making up the cache
+ * @policy_cache: the policy_cache
+ *
+ * Returns: The number of directories that the policy cache is composed of
+ */
+int aa_policy_cache_no_dirs(aa_policy_cache *policy_cache)
+{
+	return policy_cache->n;
+}
+
+/**
+ * aa_policy_cache_dir_path - returns the path to the aa_policy_cache directory
+ * @policy_cache: the policy_cache
+ * @dir: which dir in the policy cache to return the name of
+ *
+ * Returns: The path to the policy cache directory on success, NULL on
+ * error with errno set.
+ */
+char *aa_policy_cache_dir_path(aa_policy_cache *policy_cache, int dir)
+{
+	char *path = NULL;
+
+	if (dir < 0 || dir >= policy_cache->n) {
+		PERROR("aa_policy_cache directory: %d does not exist\n", dir);
+		errno = ERANGE;
+	} else {
+		path = path_from_fd(policy_cache->dirfd[dir]);
+	}
+
+	if (!path)
+		PERROR("Can't return the path to the aa_policy_cache directory: %m\n");
+
+	return path;
+}
+
+/**
+ * aa_policy_cache_dirfd - returns the dirfd for a aa_policy_cache directory
+ * @policy_cache: the policy_cache
+ * @dir: which dir in the policy cache to return the dirfd of
+ *
+ * Returns: The dirfd to the @dir policy cache directory on success, -1 on
+ * error with errno set.
+ *
+ * caller is responsible for closing the returned dirfd
+ */
+int aa_policy_cache_dirfd(aa_policy_cache *policy_cache, int dir)
+{
+	if (dir < 0 || dir >= policy_cache->n) {
+		PERROR("aa_policy_cache directory: %d does not exist\n", dir);
+		errno = ERANGE;
+		return -1;
+	}
+
+	return dup(policy_cache->dirfd[dir]);
+}
+
+/* open cache file corresponding to name */
+int aa_policy_cache_open(aa_policy_cache *policy_cache, const char *name,
+			 int flags)
+{
+	int i, fd;
+
+	for (i = 0; i < policy_cache->n; i++) {
+		fd = openat(policy_cache->dirfd[i], name, flags);
+		if (fd != -1)
+			return fd;
+	}
+
+	return -1;
+}
+
+char *aa_policy_cache_filename(aa_policy_cache *policy_cache, const char *name)
+{
+	char *path;
+	autoclose int fd = aa_policy_cache_open(policy_cache, name, O_RDONLY);
+
+	if (fd == -1)
+		return NULL;
+	path = path_from_fd(fd);
+	if (!path)
+		PERROR("Can't return the path to the aa_policy_cache cachename: %m\n");
+
+	return path;
+}
+
+/**
+ * aa_policy_cache_dir_path_preview - returns the path to the aa_policy_cache directory
+ * @kernel_features: features representing a kernel (may be NULL if you want to
+ *                   use the features of the currently running kernel)
+ * @dirfd: directory file descriptor or AT_FDCWD (see openat(2))
+ * @path: path to the policy cache
+ *
+ * Returns: The path to the policy cache directory on success, NULL on
+ * error with errno set.
+ */
+char *aa_policy_cache_dir_path_preview(aa_features *kernel_features,
+				       int dirfd, const char *path)
+{
+	autofree char *cache_loc = NULL;
+	autofree char *cache_dir = NULL;
+	char *dir_path;
+
+	if (kernel_features) {
+		aa_features_ref(kernel_features);
+	} else if (aa_features_new_from_kernel(&kernel_features) == -1) {
+		return NULL;
+	}
+
+	/**
+	 * Leave cache_loc set to NULL if dirfd is AT_FDCWD and handle a
+	 * NULL cache_loc in the asprintf() below
+	 */
+	if (dirfd != AT_FDCWD) {
+		cache_loc = path_from_fd(dirfd);
+		if (!cache_loc) {
+			int save = errno;
+
+			PERROR("Can't return the path to the aa_policy_cache cache location: %m\n");
+			aa_features_unref(kernel_features);
+			errno = save;
+			return NULL;
+		}
+	}
+
+	PDEBUG("Looking up cachedir path for AT_FDCWD\n");
+	if (cache_dir_from_path_and_features(&cache_dir, dirfd, path,
+					     kernel_features)) {
+		int save = errno;
+
+		PERROR("Can't return the path to the aa_policy_cache directory: %m\n");
+		aa_features_unref(kernel_features);
+		errno = save;
+		return NULL;
+	}
+
+	aa_features_unref(kernel_features);
+
+	if (asprintf(&dir_path, "%s%s%s",
+		     cache_loc ? : "", cache_loc ? "/" : "", cache_dir) == -1) {
+		errno = ENOMEM;
+		return NULL;
+	}
+
+	PDEBUG("aa_policy_cache_dir_path_preview() returning '%s'\n", dir_path);
+	return dir_path;
+}

libraries/libapparmor/src/private.c

@@ -38,11 +38,24 @@
 #ifndef HAVE_SECURE_GETENV
  #ifdef HAVE___SECURE_GETENV
   #define secure_getenv __secure_getenv
+ #elif ENABLE_DEBUG_OUTPUT
+  #error Debug output is not possible without a secure_getenv() implementation.
  #else
-  #error neither secure_getenv nor __secure_getenv is available
+  #define secure_getenv(env) NULL
  #endif
 #endif
 
+/**
+ * Allow libapparmor to build on older glibcs and other libcs that do
+ * not support reallocarray.
+ */
+#ifndef HAVE_REALLOCARRY
+void *reallocarray(void *ptr, size_t nmemb, size_t size)
+{
+	return realloc(ptr, nmemb * size);
+}
+#endif
+
 struct ignored_suffix_t {
 	const char * text;
 	int len;
@@ -56,6 +69,10 @@ static struct ignored_suffix_t ignored_suffixes[] = {
 	{ ".dpkg-old", 9, 1 },
 	{ ".dpkg-dist", 10, 1 },
 	{ ".dpkg-bak", 9, 1 },
+	{ ".dpkg-remove", 12, 1 },
+	/* Archlinux packaging files */
+	{ ".pacsave", 8, 1 },
+	{ ".pacnew", 7, 1 },
 	/* RPM packaging files have traditionally not been silently
            ignored */
 	{ ".rpmnew", 7, 0 },
@@ -169,13 +186,252 @@ int _aa_asprintf(char **strp, const char *fmt, ...)
 	return rc;
 }
 
-static int dot_or_dot_dot_filter(const struct dirent *ent)
+/* stops on first error, can use errno or return value to communicate
+ * the goal is to use this to replace _aa_dirat_for_each, but that will
+ * be a different patch.
+ */
+int _aa_dirat_for_each2(int dirfd, const char *name, void *data,
+			int (* cb)(int, const struct dirent *, void *))
 {
-	if (strcmp(ent->d_name, ".") == 0 ||
-	    strcmp(ent->d_name, "..") == 0)
-		return 0;
+	autoclose int cb_dirfd = -1;
+	int fd_for_dir = -1;
+	const struct dirent *ent;
+	DIR *dir;
+	int save, rc;
 
-	return 1;
+	if (!cb || !name) {
+		errno = EINVAL;
+		return -1;
+	}
+	save = errno;
+
+	cb_dirfd = openat(dirfd, name, O_RDONLY | O_CLOEXEC | O_DIRECTORY);
+	if (cb_dirfd == -1) {
+		PDEBUG("could not open directory fd '%d' '%s': %m\n", dirfd, name);
+		return -1;
+	}
+	/* dup cd_dirfd because fdopendir has claimed the fd passed to it */
+	fd_for_dir = dup(cb_dirfd);
+	if (fd_for_dir == -1) {
+		PDEBUG("could not dup directory fd '%s': %m\n", name);
+		return -1;
+	}
+	dir = fdopendir(fd_for_dir);
+	if (!dir) {
+		PDEBUG("could not open directory '%s' from fd '%d': %m\n", name, fd_for_dir);
+		close(fd_for_dir);
+		return -1;
+	}
+
+	while ((ent = readdir(dir))) {
+		if (cb) {
+			rc = (*cb)(cb_dirfd, ent, data);
+			if (rc) {
+				PDEBUG("dir_for_each callback failed for '%s'\n",
+				       ent->d_name);
+				goto out;
+			}
+		}
+	}
+	errno = save;
+
+out:
+	closedir(dir);
+	return rc;
+}
+
+
+#define max(a, b) \
+   ({ __typeof__ (a) _a = (a); \
+       __typeof__ (b) _b = (b); \
+     _a > _b ? _a : _b; })
+#define CHUNK 32
+struct overlaydir {
+	int dirfd;
+	struct dirent *dent;
+};
+
+static int insert(struct overlaydir **overlayptr, int *max_size, int *size,
+		  int pos, int remaining, int dirfd, struct dirent *ent)
+{
+	struct overlaydir *overlay = *overlayptr;
+	int i, chunk = max(remaining, CHUNK);
+
+	if (size + 1 >= max_size) {
+		struct overlaydir *tmp = reallocarray(overlay,
+						      *max_size + chunk,
+						      sizeof(*overlay));
+		if (tmp == NULL)
+			return -1;
+		overlay = tmp;
+	}
+	*max_size += chunk;
+	(*size)++;
+	for (i = *size; i > pos; i--)
+		overlay[i] = overlay[i - 1];
+	overlay[pos].dirfd = dirfd;
+	overlay[pos].dent = ent;
+
+	*overlayptr = overlay;
+	return 0;
+}
+
+#define merge(overlay, n_overlay, max_size, list, n_list, dirfd)	\
+({									\
+	int y, z;							\
+	int rc = 0;							\
+									\
+	for (y = 0, z = 0; y < n_overlay && z < n_list; ) {		\
+		int res = strcmp(overlay[y].dent->d_name, list[z]->d_name);\
+		if (res < 0) {						\
+			y++;						\
+			continue;					\
+		} else if (res == 0) {					\
+			free(list[z]);					\
+			list[z] = NULL;					\
+			y++;						\
+			z++;						\
+		} else {						\
+			if ((rc = insert(&overlay, &max_size, &n_overlay, y,\
+					 n_list - z, dirfd, list[z])))	\
+				goto fail;				\
+			y++;						\
+			list[z++] = NULL;				\
+		}							\
+	}								\
+	while (z < n_list) {						\
+		if ((rc = insert(&overlay, &max_size, &n_overlay, y,	\
+				 n_list - z, dirfd,list[z])))		\
+			goto fail;					\
+		y++;							\
+		list[z++] = NULL;					\
+	}								\
+									\
+fail:									\
+	rc;								\
+})
+
+static ssize_t readdirfd(int dirfd, struct dirent ***out,
+			  int (*dircmp)(const struct dirent **, const struct dirent **))
+{
+	struct dirent **dents = NULL, *dent;
+	ssize_t n = 0;
+	size_t i;
+	int save;
+	DIR *dir;
+
+	*out = NULL;
+
+	/*
+	 * closedir(dir) will close the underlying fd, so we need
+	 * to dup first
+	 */
+	if ((dirfd = dup(dirfd)) < 0) {
+		PDEBUG("dup of dirfd failed: %m\n");
+		return -1;
+	}
+
+	if ((dir = fdopendir(dirfd)) == NULL) {
+		PDEBUG("fdopendir of dirfd failed: %m\n");
+		close(dirfd);
+		return -1;
+	}
+
+	/* Get number of directory entries */
+	while ((dent = readdir(dir)) != NULL) {
+		if (!strcmp(dent->d_name, ".") || !strcmp(dent->d_name, ".."))
+			continue;
+		n++;
+	}
+	rewinddir(dir);
+
+	dents = calloc(n, sizeof(struct dirent *));
+	if (!dents)
+		goto fail;
+
+	for (i = 0; i < n; ) {
+		if ((dent = readdir(dir)) == NULL) {
+			PDEBUG("readdir of entry[%d] failed: %m\n", i);
+			goto fail;
+		}
+
+		if (!strcmp(dent->d_name, ".") || !strcmp(dent->d_name, ".."))
+			continue;
+
+		dents[i] = malloc(sizeof(*dents[i]));
+		if (!dents[i])
+			goto fail;
+		memcpy(dents[i], dent, sizeof(*dent));
+		i++;
+	}
+
+	if (dircmp)
+		qsort(dents, n, sizeof(struct dirent *), (int (*)(const void *, const void *))dircmp);
+
+	*out = dents;
+	closedir(dir);
+	return n;
+
+fail:
+	save = errno;
+	if (dents) {
+		for (i = 0; i < n; i++)
+			free(dents[i]);
+	}
+	free(dents);
+	closedir(dir);
+	errno = save;
+	return -1;
+}
+
+int _aa_overlaydirat_for_each(int dirfd[], int n, void *data,
+			int (* cb)(int, const char *, struct stat *, void *))
+{
+	autofree struct dirent **list = NULL;
+	autofree struct overlaydir *overlay = NULL;
+	int i, k;
+	int n_list, size = 0, max_size = 0;
+	int rc = 0;
+
+	for (i = 0; i < n; i++) {
+		n_list = readdirfd(dirfd[i], &list, alphasort);
+		if (n_list == -1) {
+			PDEBUG("scandirat of dirfd[%d] failed: %m\n", i);
+			return -1;
+		}
+		if (merge(overlay, size, max_size, list, n_list, dirfd[i])) {
+			for (k = 0; k < n_list; k++)
+				free(list[k]);
+			for (k = 0; k < size; k++)
+				free(overlay[k].dent);
+			return -1;
+		}
+	}
+
+	for (rc = 0, i = 0; i < size; i++) {
+		/* Must cycle through all dirs so that each one is autofreed */
+		autofree struct dirent *dent = overlay[i].dent;
+		struct stat my_stat;
+
+		if (rc)
+			continue;
+
+		if (fstatat(overlay[i].dirfd, dent->d_name, &my_stat,
+			    AT_SYMLINK_NOFOLLOW)) {
+			PDEBUG("stat failed for '%s': %m\n", dent->d_name);
+			rc = -1;
+			continue;
+		}
+
+		if (cb(overlay[i].dirfd, dent->d_name, &my_stat, data)) {
+			PDEBUG("dir_for_each callback failed for '%s'\n",
+			       dent->d_name);
+			rc = -1;
+			continue;
+		}
+	}
+
+	return rc;
 }
 
 /**
@@ -219,8 +475,7 @@ int _aa_dirat_for_each(int dirfd, const char *name, void *data,
 		return -1;
 	}
 
-	num_dirs = scandirat(cb_dirfd, ".", &namelist,
-			     dot_or_dot_dot_filter, NULL);
+	num_dirs = readdirfd(cb_dirfd, &namelist, NULL);
 	if (num_dirs == -1) {
 		PDEBUG("scandirat of directory '%s' failed: %m\n", name);
 		return -1;

libraries/libapparmor/src/private.h

@@ -17,6 +17,7 @@
 #ifndef _AA_PRIVATE_H
 #define _AA_PRIVATE_H 1
 
+#include <dirent.h>
 #include <stdbool.h>
 #include <sys/apparmor_private.h>
 
@@ -51,4 +52,7 @@ void print_debug(const char *fmt, ...);
 void atomic_inc(unsigned int *v);
 bool atomic_dec_and_test(unsigned int *v);
 
+int _aa_dirat_for_each2(int dirfd, const char *name, void *data,
+			int (* cb)(int, const struct dirent *, void *));
+
 #endif /* _AA_PRIVATE_H */

libraries/libapparmor/src/scanner.l

@@ -131,6 +131,8 @@ key_pid			"pid"
 key_peer_pid		"peer_pid"
 key_profile		"profile"
 key_peer_profile	"peer_profile"
+key_label		"label"
+key_peer_label		"peer_label"
 key_family		"family"
 key_sock_type		"sock_type"
 key_protocol		"protocol"
@@ -314,6 +316,8 @@ yy_flex_debug = 0;
 {key_peer_pid}		{ return(TOK_KEY_PEER_PID); }
 {key_profile}		{ BEGIN(safe_string); return(TOK_KEY_PROFILE); }
 {key_peer_profile}	{ BEGIN(safe_string); return(TOK_KEY_PEER_PROFILE); }
+{key_label}		{ BEGIN(safe_string); return(TOK_KEY_LABEL); }
+{key_peer_label}	{ BEGIN(safe_string); return(TOK_KEY_PEER_LABEL); }
 {key_family}		{ return(TOK_KEY_FAMILY); }
 {key_sock_type}		{ return(TOK_KEY_SOCK_TYPE); }
 {key_protocol}		{ return(TOK_KEY_PROTOCOL); }

libraries/libapparmor/swig/python/test/Makefile.am

@@ -10,8 +10,7 @@ test_python.py: test_python.py.in $(top_builddir)/config.status
 
 CLEANFILES = test_python.py
 
-# bah, how brittle is this?
-PYTHON_DIST_BUILD_PATH = '$(builddir)/../build/$$($(PYTHON) -c "import distutils.util; import platform; print(\"lib.%s-%s\" %(distutils.util.get_platform(), platform.python_version()[:3]))")'
+PYTHON_DIST_BUILD_PATH = '$(builddir)/../build/$$($(PYTHON) buildpath.py)'
 
 TESTS	= test_python.py
 TESTS_ENVIRONMENT = \

libraries/libapparmor/swig/python/test/buildpath.py

@@ -0,0 +1,13 @@
+#!/usr/bin/python3
+# the build path has changed in setuptools 62.1:
+# https://github.com/pypa/setuptools/commit/1c23f5e1e4b18b50081cbabb2dea22bf345f5894
+import sys
+import sysconfig
+import setuptools
+
+
+if tuple(map(int, setuptools.__version__.split("."))) >= (62, 1):
+    identifier = sys.implementation.cache_tag
+else:
+    identifier = "%d.%d" % sys.version_info[:2]
+print("lib.%s-%s" % (sysconfig.get_platform(), identifier))

libraries/libapparmor/swig/python/test/test_python.py.in

@@ -74,7 +74,7 @@ class AAPythonBindingsTests(unittest.TestCase):
         libapparmor.free_record(swig_record)
 
         expected = self.parse_output_file(outfile)
-        self.assertEquals(expected, record,
+        self.assertEqual(expected, record,
                           "expected records did not match\n" +
                           "expected = %s\nactual = %s" % (expected, record))
 
@@ -90,7 +90,7 @@ class AAPythonBindingsTests(unittest.TestCase):
             line = l.rstrip('\n')
             count += 1
             if line == "START":
-                self.assertEquals(count, 1,
+                self.assertEqual(count, 1,
                                   "Unexpected output format in %s" % (outfile))
                 continue
             else:
@@ -109,7 +109,7 @@ class AAPythonBindingsTests(unittest.TestCase):
 
         new_record = dict()
         for key in [x for x in dir(record) if not (x.startswith('_') or x == 'this')]:
-            value = record.__getattr__(key)
+            value = getattr(record, key)
             if key == "event" and value in EVENT_MAP:
                 new_record[key] = EVENT_MAP[value]
             elif key == "version":

libraries/libapparmor/testsuite/test_multi.c

@@ -14,6 +14,7 @@ int main(int argc, char **argv)
 	FILE *testcase;
 	char log_line[1024];
 	aa_log_record *test = NULL;
+	size_t size;
 	int ret = -1;
 
 	if (argc != 2)
@@ -32,14 +33,14 @@ int main(int argc, char **argv)
 		return(1);
 	}
 
-	if (fgets(log_line, 1023, testcase) == NULL)
-	{
+	size = fread(log_line, 1, 1023, testcase);
+	if (ferror(testcase)) {
 		fprintf(stderr, "Could not read testcase.\n");
 		fclose(testcase);
 		return(1);
 	}
-
 	fclose(testcase);
+	log_line[size] = 0;
 
 	test = parse_record(log_line);
 

libraries/libapparmor/testsuite/test_multi/symlink.in

@@ -0,0 +1 @@
+Aug  3 00:00:41 liuchao-virtual-machine kernel: [ 4362.615262] audit: type=1400 audit(1596384041.705:290): apparmor="DENIED" operation="symlink" profile="/home/test.sh" name="/home/b.c" pid=8016 comm="ln" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

libraries/libapparmor/testsuite/test_multi/symlink.out

@@ -0,0 +1,15 @@
+START
+File: symlink.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1596384041.705:290
+Operation: symlink
+Mask: c
+Denied Mask: c
+fsuid: 0
+ouid: 0
+Profile: /home/test.sh
+Name: /home/b.c
+Command: ln
+PID: 8016
+Epoch: 1596384041
+Audit subid: 290

libraries/libapparmor/testsuite/test_multi/symlink.profile

@@ -0,0 +1,4 @@
+/home/test.sh {
+  owner /home/b.c w,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_dbus_08.in

@@ -0,0 +1 @@
+Jun 20 17:57:06 ns1 kernel: [4835959.046111] audit: type=1107 audit(1561053426.749:186): pid=640 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="LookupDynamicUserByName" mask="send" name="org.freedesktop.systemd1" pid=20596 label="/tmp/apparmor-2.8.0/tests/regression/apparmor/dbus_service" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'

libraries/libapparmor/testsuite/test_multi/testcase_dbus_08.out

@@ -0,0 +1,18 @@
+START
+File: testcase_dbus_08.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1561053426.749:186
+Operation: dbus_method_call
+Denied Mask: send
+Profile: /tmp/apparmor-2.8.0/tests/regression/apparmor/dbus_service
+Peer profile: unconfined
+Name: org.freedesktop.systemd1
+Command: /usr/bin/dbus-daemon
+PID: 20596
+Peer PID: 1
+DBus bus: system
+DBus path: /org/freedesktop/systemd1
+DBus interface: org.freedesktop.systemd1.Manager
+DBus member: LookupDynamicUserByName
+Epoch: 1561053426
+Audit subid: 186

libraries/libapparmor/testsuite/test_multi/testcase_dbus_08.profile

@@ -0,0 +1,4 @@
+/tmp/apparmor-2.8.0/tests/regression/apparmor/dbus_service {
+  dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName peer=(label=unconfined),
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_dbus_09.in

@@ -0,0 +1,2 @@
+Jun 20 17:57:06 ns1 kernel: [4835959.046111] audit: type=1107 audit(1561053426.749:186): pid=640 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="LookupDynamicUserByName" mask="send" name="org.freedesktop.systemd1" pid=20596 label="/tmp/apparmor-2.8.0/tests/regression/apparmor/dbus_service" peer_pid=1 peer_label="unconfined"
+                  exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'

libraries/libapparmor/testsuite/test_multi/testcase_dbus_09.out

@@ -0,0 +1,18 @@
+START
+File: testcase_dbus_09.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1561053426.749:186
+Operation: dbus_method_call
+Denied Mask: send
+Profile: /tmp/apparmor-2.8.0/tests/regression/apparmor/dbus_service
+Peer profile: unconfined
+Name: org.freedesktop.systemd1
+Command: /usr/bin/dbus-daemon
+PID: 20596
+Peer PID: 1
+DBus bus: system
+DBus path: /org/freedesktop/systemd1
+DBus interface: org.freedesktop.systemd1.Manager
+DBus member: LookupDynamicUserByName
+Epoch: 1561053426
+Audit subid: 186

libraries/libapparmor/testsuite/test_multi/testcase_dbus_09.profile

@@ -0,0 +1,3 @@
+/tmp/apparmor-2.8.0/tests/regression/apparmor/dbus_service {
+  dbus send bus=system path=/org/freedesktop/systemd1  interface=org.freedesktop.systemd1.Manager  member=LookupDynamicUserByName peer=( name=org.freedesktop.systemd1, label=unconfined),
+}

libraries/libapparmor/testsuite/test_multi/testcase_dbus_10.in

@@ -0,0 +1 @@
+Jun 20 17:57:06 ns1 kernel: [4835959.046111] audit: type=1107 audit(1561053426.749:186): pid=640 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="LookupDynamicUserByName" mask="send" name="org.freedesktop.systemd1" pid=20596 label="/tmp/apparmor-2.8.0/tests/regression/apparmor/dbus_service" peer_pid=1 peer_label="unconfined"

libraries/libapparmor/testsuite/test_multi/testcase_dbus_10.out

@@ -0,0 +1,17 @@
+START
+File: testcase_dbus_10.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1561053426.749:186
+Operation: dbus_method_call
+Denied Mask: send
+Profile: /tmp/apparmor-2.8.0/tests/regression/apparmor/dbus_service
+Peer profile: unconfined
+Name: org.freedesktop.systemd1
+PID: 20596
+Peer PID: 1
+DBus bus: system
+DBus path: /org/freedesktop/systemd1
+DBus interface: org.freedesktop.systemd1.Manager
+DBus member: LookupDynamicUserByName
+Epoch: 1561053426
+Audit subid: 186

libraries/libapparmor/testsuite/test_multi/testcase_dbus_10.profile

@@ -0,0 +1,4 @@
+/tmp/apparmor-2.8.0/tests/regression/apparmor/dbus_service {
+  dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName peer=(label=unconfined),
+
+}

libraries/libapparmor/testsuite/test_multi/unbalanced_parenthesis.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1562529588.082:3153): apparmor="DENIED" operation="open" profile="unbalanced_parenthesis" name="/dev/shm/test(me" pid=888 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

libraries/libapparmor/testsuite/test_multi/unbalanced_parenthesis.out

@@ -0,0 +1,15 @@
+START
+File: unbalanced_parenthesis.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1562529588.082:3153
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 1000
+Profile: unbalanced_parenthesis
+Name: /dev/shm/test(me
+Command: cat
+PID: 888
+Epoch: 1562529588
+Audit subid: 3153

libraries/libapparmor/testsuite/test_multi/unbalanced_parenthesis.profile

@@ -0,0 +1,4 @@
+profile unbalanced_parenthesis {
+  owner /dev/shm/test(me r,
+
+}

parser/Makefile

@@ -2,6 +2,8 @@
 #    Copyright (c) 1999, 2000, 2001, 2002, 2004, 2005, 2006, 2007
 #    NOVELL (All rights reserved)
 #
+#    Copyright (c) Christian Boltz 2018
+#
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
 #    License published by the Free Software Foundation.
@@ -22,10 +24,13 @@ include $(COMMONDIR)/Make.rules
 
 DESTDIR=/
 APPARMOR_BIN_PREFIX=${DESTDIR}/lib/apparmor
+SBINDIR=${DESTDIR}/sbin
+USR_SBINDIR=${DESTDIR}/usr/sbin
+SYSTEMD_UNIT_DIR=${DESTDIR}/usr/lib/systemd/system
 CONFDIR=/etc/apparmor
 INSTALL_CONFDIR=${DESTDIR}${CONFDIR}
 LOCALEDIR=/usr/share/locale
-MANPAGES=apparmor.d.5 apparmor.7 apparmor_parser.8 subdomain.conf.5
+MANPAGES=apparmor.d.5 apparmor.7 apparmor_parser.8 subdomain.conf.5 aa-teardown.8
 
 YACC	:= bison
 YFLAGS	:= -d
@@ -89,6 +94,10 @@ AAREOBJECTS = $(AAREOBJECT)
 AARE_LDFLAGS = -static-libgcc -static-libstdc++ -L. $(LDFLAGS)
 AALIB = -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread
 
+ifdef WITH_LIBINTL
+	AALIB += -lintl
+endif
+
 ifdef USE_SYSTEM
   # Using the system libapparmor so Makefile dependencies can't be used
   LIBAPPARMOR_A =
@@ -276,14 +285,23 @@ parser_version.h: Makefile
 # as well as the filtering that occurs for network protocols that
 # apparmor should not mediate.
 
-.PHONY: af_names.h
-af_names.h:
-	echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g'  -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n#  define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n\n/pg' > $@
-	echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/.*,[ \t]\+AF_MAX[ \t]\+\([0-9]\+\),\?.*/#define AA_AF_MAX \1\n/p' >> $@
+af_names.h: ../common/list_af_names.sh
+	../common/list_af_names.sh | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g'  -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n#  define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n/pg' > $@
+	../common/list_af_names.sh | LC_ALL=C sed -n -e 's/AF_MAX[ \t]\+\([0-9]\+\),\?.*/\n#define AA_AF_MAX \1\n/p' >> $@
 	# cat $@
 
-cap_names.h: /usr/include/linux/capability.h
-	echo "$(CAPABILITIES)" | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
+generated_cap_names.h: /usr/include/linux/capability.h
+	../common/list_capabilities.sh | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
+
+cap_names.h: generated_cap_names.h base_cap_names.h
+	@LC_ALL=C sed -e 's/\([^,]*,[^,]*,\) CAP_[A-Z0-9_]\+,/\1 NO_BACKMAP_CAP,/g' base_cap_names.h | diff -u - generated_cap_names.h | grep '^\+[^+]' ; \
+	if [ $$? -eq 1 ] ; then \
+		cp base_cap_names.h $@ ; \
+	else \
+		echo "Error: new capabilities detected please update base_cap_names.h with values from generated_cap_names.h" ; \
+		LC_ALL=C sed -e 's/\([^,]*,[^,]*,\) CAP_[A-Z0-9_]\+,/\1 NO_BACKMAP_CAP,/g' base_cap_names.h | diff -u - generated_cap_names.h ; \
+		exit 1; \
+	fi
 
 tst_lib: lib.c parser.h $(filter-out lib.o, ${TEST_OBJECTS})
 	$(CXX) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS}) $(TEST_LDFLAGS) $(TEST_LDLIBS)
@@ -299,10 +317,7 @@ tests: apparmor_parser ${TESTS}
 	sh -e -c 'for test in ${TESTS} ; do echo "*** running $${test}" && ./$${test}; done'
 	$(Q)$(MAKE) -s -C tst tests
 
-# always need to rebuild.
-.SILENT: $(AAREOBJECT)
-.PHONY: $(AAREOBJECT)
-$(AAREOBJECT):
+$(AAREOBJECT): FORCE
 	$(MAKE) -C $(AAREDIR) CFLAGS="$(EXTRA_CXXFLAGS)"
 
 .PHONY: install-rhel4
@@ -314,12 +329,9 @@ install-redhat:
 	install -m 755 rc.apparmor.$(subst install-,,$@) $(DESTDIR)/etc/init.d/apparmor
 
 .PHONY: install-suse
-install-suse:
-	install -m 755 -d $(DESTDIR)/etc/init.d
-	install -m 755 rc.apparmor.$(subst install-,,$(@)) $(DESTDIR)/etc/init.d/boot.apparmor
-	install -m 755 -d $(DESTDIR)/sbin
-	ln -sf /etc/init.d/boot.apparmor $(DESTDIR)/sbin/rcapparmor
-	ln -sf rcapparmor $(DESTDIR)/sbin/rcsubdomain
+install-suse: install-systemd
+	install -m 755 -d $(SBINDIR)
+	ln -sf service $(SBINDIR)/rcapparmor
 
 .PHONY: install-slackware
 install-slackware:
@@ -361,12 +373,14 @@ INSTALLDEPS+=install-$(DISTRO)
 endif
 
 .PHONY: install
-install: install-indep install-arch
+install:
+	$(MAKE) install-indep
+	$(MAKE) install-arch
 
 .PHONY: install-arch
 install-arch: $(INSTALLDEPS)
-	install -m 755 -d $(DESTDIR)/sbin
-	install -m 755 ${TOOLS} $(DESTDIR)/sbin
+	install -m 755 -d $(SBINDIR)
+	install -m 755 ${TOOLS} $(SBINDIR)
 
 .PHONY: install-indep
 install-indep: indep
@@ -379,6 +393,14 @@ install-indep: indep
 	$(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR}
 	$(MAKE) install_manpages DESTDIR=${DESTDIR}
 
+.PHONY: install-systemd
+install-systemd:
+	install -m 755 -d $(SYSTEMD_UNIT_DIR)
+	install -m 644 apparmor.service $(SYSTEMD_UNIT_DIR)
+	install -m 755 apparmor.systemd $(APPARMOR_BIN_PREFIX)
+	install -m 755 -d $(USR_SBINDIR)
+	install -m 755 aa-teardown $(USR_SBINDIR)
+
 ifndef VERBOSE
 .SILENT: clean
 endif
@@ -392,9 +414,10 @@ clean: pod_clean
 	rm -f parser_version.h
 	rm -f $(NAME)*.tar.gz $(NAME)*.tgz
 	rm -f af_names.h
-	rm -f cap_names.h
+	rm -f cap_names.h generated_cap_names.h
 	rm -rf techdoc.aux techdoc.out techdoc.log techdoc.pdf techdoc.toc techdoc.txt techdoc/
 	$(MAKE) -s -C $(AAREDIR) clean
 	$(MAKE) -s -C po clean
 	$(MAKE) -s -C tst clean
 
+FORCE:

parser/aa-teardown

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+test $# = 0 || {
+	echo "Usage: $0"
+	echo
+	echo "Unloads all AppArmor profiles"
+	exit 1
+}
+
+/lib/apparmor/apparmor.systemd stop

parser/aa-teardown.pod

@@ -0,0 +1,40 @@
+# ----------------------------------------------------------------------
+#    Copyright (c) 2018 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, contact Novell, Inc.
+# ----------------------------------------------------------------------
+
+=pod
+
+=head1 NAME
+
+aa-teardown - unload all AppArmor profiles
+
+=head1 SYNOPSIS
+
+B<aa-teardown>
+
+=head1 DESCRIPTION
+
+aa-teardown unloads all AppArmor profiles
+
+=head1 BUGS
+
+If you find any bugs, please report them at
+L<https://bugs.launchpad.net/apparmor/+filebug>.
+
+=head1 SEE ALSO
+
+apparmor(7), apparmor.d(5), and L<https://wiki.apparmor.net>.
+
+=cut

parser/af_unix.cc

@@ -151,9 +151,11 @@ int unix_rule::expand_variables(void)
 	error = expand_entry_variables(&addr);
 	if (error)
 		return error;
+	filter_slashes(addr);
 	error = expand_entry_variables(&peer_addr);
 	if (error)
 		return error;
+	filter_slashes(peer_addr);
 
 	return 0;
 }
@@ -202,14 +204,18 @@ void unix_rule::downgrade_rule(Profile &prof) {
 		yyerror(_("Memory allocation error."));
 	if (sock_type_n != -1)
 		mask = 1 << sock_type_n;
-	if (deny) {
-		prof.net.deny[AF_UNIX] |= mask;
-		if (!audit)
-			prof.net.quiet[AF_UNIX] |= mask;
-	} else {
+	if (!deny) {
 		prof.net.allow[AF_UNIX] |= mask;
 		if (audit)
 			prof.net.audit[AF_UNIX] |= mask;
+	} else {
+		/* deny rules have to be dropped because the downgrade makes
+		 * the rule less specific meaning it will make the profile more
+		 * restrictive and may end up denying accesses that might be
+		 * allowed by the profile.
+		 */
+		if (warnflags & WARN_RULE_NOT_ENFORCED)
+			warn_once(prof.name, "deny unix socket rule not enforced, can't be downgraded to generic network rule\n");
 	}
 }
 

parser/apparmor.d.pod

@@ -111,7 +111,7 @@ capabilities(7))
 
 B<NETWORK RULE> = [ I<QUALIFIERS> ] 'network' [ I<DOMAIN> ] [ I<TYPE> | I<PROTOCOL> ]
 
-B<DOMAIN> = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'bluetooth' | 'netlink' | 'unix' | 'rds' | 'llc' | 'can' | 'tipc' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' | 'mpls' | 'ib' | 'kcm' | 'smc' ) ','
+B<DOMAIN> = ( 'unix' | 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'netlink' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'rds' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'llc' | 'ib' | 'mpls' | 'can' | 'tipc' | 'bluetooth' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' | 'kcm' | 'qipcrtr' | 'smc' | 'xdp' ) ','
 
 B<TYPE> = ( 'stream' | 'dgram' | 'seqpacket' |  'rdm' | 'raw' | 'packet' )
 
@@ -271,7 +271,7 @@ B<EXEC TRANSITION> =  ( 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx' | 'Cx' | 'pix' |
 B<EXEC TARGET> = name
   Requires I<EXEC TRANSITION> specified.
 
-B<LINK RULE> = I<QUALIFIERS> [ 'owner' ] 'link' [ 'subset' ] I<FILEGLOB> ( 'to' | '-E<gt>' ) I<FILEGLOB>
+B<LINK RULE> = I<QUALIFIERS> [ 'owner' ] 'link' [ 'subset' ] I<FILEGLOB> '-E<gt>' I<FILEGLOB>
 
 B<ALPHA> = ('a', 'b', 'c', ... 'z', 'A', 'B', ... 'Z')
 
@@ -664,7 +664,7 @@ and other operations that are typically reserved for the root user.
 
 AppArmor supports simple coarse grained network mediation.  The network
 rule restrict all socket(2) based operations.  The mediation done is
-a course grained check on whether a socket of a given type and family
+a coarse-grained check on whether a socket of a given type and family
 can be created, read, or written.  There is no mediation based of port
 number or protocol beyond tcp, udp, and raw.  Network netlink(7) rules may
 only specify type 'dgram' and 'raw'.
@@ -1047,7 +1047,7 @@ Example AppArmor DBus rules:
          peer=(name=(com.example.ExampleName1|com.example.ExampleName2)),
 
     # Allow receive access for all unconfined peers
-    dbus receive peer=(label=unconfined)),
+    dbus receive peer=(label=unconfined),
 
     # Allow eavesdropping on the system bus
     dbus eavesdrop bus=system,
@@ -1167,7 +1167,7 @@ E.G.
 
     network unix stream,   =>  unix stream,
 
-Fine grained mediation rules however can not be lossly converted back
+Fine grained mediation rules however can not be losslessly converted back
 to the coarse grained network rule; e.g.
 
    unix bind addr=@example,
@@ -1279,6 +1279,7 @@ provided AppArmor policy:
   @{apparmorfs}
   @{sys}
   @{tid}
+  @{run}
   @{XDG_DESKTOP_DIR}
   @{XDG_DOWNLOAD_DIR}
   @{XDG_TEMPLATES_DIR}

parser/apparmor.service

@@ -0,0 +1,26 @@
+[Unit]
+Description=Load AppArmor profiles
+DefaultDependencies=no
+Before=sysinit.target
+After=systemd-journald-audit.socket
+# profile cache
+After=var.mount var-lib.mount
+ConditionSecurity=apparmor
+
+[Service]
+Type=oneshot
+ExecStart=/lib/apparmor/apparmor.systemd reload
+ExecReload=/lib/apparmor/apparmor.systemd reload
+
+# systemd maps 'restart' to 'stop; start' which means removing AppArmor confinement
+# from running processes (and not being able to re-apply it later).
+# Upstream systemd developers refused to implement an option that allows overriding
+# this behaviour, therefore we have to make ExecStop a no-op to error out on the
+# safe side.
+#
+# If you really want to unload all AppArmor profiles, run   aa-teardown
+ExecStop=/bin/true
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

parser/apparmor.systemd

@@ -0,0 +1,101 @@
+#!/bin/sh
+# ----------------------------------------------------------------------
+#    Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, contact Novell, Inc.
+# ----------------------------------------------------------------------
+
+APPARMOR_FUNCTIONS=/lib/apparmor/rc.apparmor.functions
+
+aa_action()
+{
+    echo "$1"
+    shift
+    "$@"
+    return $?
+}
+
+aa_log_warning_msg()
+{
+    echo "Warning: $*"
+}
+
+aa_log_failure_msg()
+{
+    echo "Error: $*"
+}
+
+aa_log_action_start()
+{
+    echo "$@"
+}
+
+aa_log_action_end()
+{
+    printf ""
+}
+
+aa_log_daemon_msg()
+{
+    echo "$@"
+}
+
+aa_log_skipped_msg()
+{
+    echo "Skipped: $*"
+}
+
+aa_log_end_msg()
+{
+    printf ""
+}
+
+# source apparmor function library
+if [ -f "${APPARMOR_FUNCTIONS}" ]; then
+	# shellcheck source=rc.apparmor.functions
+	. "${APPARMOR_FUNCTIONS}"
+else
+	aa_log_failure_msg "Unable to find AppArmor initscript functions"
+	exit 1
+fi
+
+case "$1" in
+	start)
+		apparmor_start
+		rc=$?
+		;;
+	stop)
+		apparmor_stop
+		rc=$?
+		;;
+	restart|reload|force-reload)
+		apparmor_restart
+		rc=$?
+		;;
+	try-restart)
+		apparmor_try_restart
+		rc=$?
+		;;
+	kill)
+		apparmor_kill
+		rc=$?
+		;;
+	status)
+		apparmor_status
+		rc=$?
+		;;
+	*)
+		exit 1
+		;;
+esac
+exit "$rc"

parser/apparmor_parser.pod

@@ -46,9 +46,10 @@ program. The B<profiles> may be specified by file name or a directory
 name containing a set of profiles. If a directory is specified then the
 B<apparmor_parser> will try to do a profile load for each file in the
 directory that is not a dot file, or explicitly black listed (*.dpkg-new,
-*.dpkg-old, *.dpkg-dist, *-dpkg-bak, *.rpmnew, *.rpmsave, *orig, *.rej,
-*~). The B<apparmor_parser> will fall back to taking input from standard
-input if a profile or directory is not supplied.
+*.dpkg-old, *.dpkg-dist, *.dpkg-bak, *.dpkg-remove, *.pacsave, *.pacnew,
+*.rpmnew, *.rpmsave, *.orig, *.rej, *~).
+The B<apparmor_parser> will fall back to taking input from standard input if
+a profile or directory is not supplied.
 
 The input supplied to B<apparmor_parser> should be in the format described in
 apparmor.d(5).
@@ -232,8 +233,28 @@ inconsistent state
 
 =item -L, --cache-loc
 
-Set the location of the cache directory.  If not specified the cache location
-defaults to /etc/apparmor.d/cache
+Set the location(s) of the cache directory. This option can accept a
+comma separated list of directories, which will be searched in order
+to find a matching cache. The first matching cache file found is used
+even if a directory later in the search order may contain a newer cache
+file.
+
+If multiple directories are specified and --write-cache has been specified
+then cache writes will be made to the first directory in the list, all
+other directories will be treated as read only.
+
+If a cache directory name needs to have a comma as part of the name, it
+can be specified by using a backslash to escape the comma character in
+the directory name.
+
+If not specified the cache location defaults to /var/cache/apparmor
+
+=item --print-cache-dir
+
+Print the cache directory location. This path will be a subdirectory of the
+directory specified by --cache-loc. The subdirectory used will be influenced by
+the features available in the currently running kernel or by the features
+specified with the --match-string or --features-file options.
 
 =item -Q, --skip-kernel-load
 
@@ -293,12 +314,15 @@ Eg.
   -jx4    OR --jobs=x4                  sets the jobs to # of cpus * 4
   -jx1   is equivalent to   -jauto
 
-The default value is the number of cpus in the system.
+The default value is the number of cpus in the system. Note that if jobs
+is a positive integer number the --jobs-max parameter is automatically
+set to the same value.
 
 =item --max-jobs n
 
-Set a hard cap on the value that can be specified by the --jobs flag.
-It takes the same set of options available to the --jobs option, and
+When --jobs is set to a scaling value (ie. auto or xN) the specify a
+hard cap on the value that can be specified by the --jobs flag.  It
+takes the same set of options available to the --jobs option, and
 defaults to 8*cpus
 
 =item -O n, --optimize=n
@@ -334,6 +358,17 @@ This option tells the parser to not attempt to rebuild the cache on
 failure, instead the parser continues on with processing the remaining
 profiles.
 
+=item --config-file
+
+Specify the config file to use instead of
+/etc/apparmor/parser.conf. This option will be processed early before
+regular options regardless of the order it is specified in.
+
+=item --print-config-file
+
+Print the config file location that will be used.
+
+
 =back
 
 =head1 CONFIG FILE

parser/base_cap_names.h

@@ -0,0 +1,82 @@
+{"audit_control", CAP_AUDIT_CONTROL},
+
+{"audit_read", CAP_AUDIT_READ},
+
+{"audit_write", CAP_AUDIT_WRITE},
+
+{"block_suspend", CAP_BLOCK_SUSPEND},
+
+{"bpf", CAP_BPF},
+
+{"checkpoint_restore", CAP_CHECKPOINT_RESTORE},
+
+{"chown", CAP_CHOWN},
+
+{"dac_override", CAP_DAC_OVERRIDE},
+
+{"dac_read_search", CAP_DAC_READ_SEARCH},
+
+{"fowner", CAP_FOWNER},
+
+{"fsetid", CAP_FSETID},
+
+{"ipc_lock", CAP_IPC_LOCK},
+
+{"ipc_owner", CAP_IPC_OWNER},
+
+{"kill", CAP_KILL},
+
+{"lease", CAP_LEASE},
+
+{"linux_immutable", CAP_LINUX_IMMUTABLE},
+
+{"mac_admin", CAP_MAC_ADMIN},
+
+{"mac_override", CAP_MAC_OVERRIDE},
+
+{"mknod", CAP_MKNOD},
+
+{"net_admin", CAP_NET_ADMIN},
+
+{"net_bind_service", CAP_NET_BIND_SERVICE},
+
+{"net_broadcast", CAP_NET_BROADCAST},
+
+{"net_raw", CAP_NET_RAW},
+
+{"perfmon", CAP_PERFMON},
+
+{"setfcap", CAP_SETFCAP},
+
+{"setgid", CAP_SETGID},
+
+{"setpcap", CAP_SETPCAP},
+
+{"setuid", CAP_SETUID},
+
+{"syslog", CAP_SYSLOG},
+
+{"sys_admin", CAP_SYS_ADMIN},
+
+{"sys_boot", CAP_SYS_BOOT},
+
+{"sys_chroot", CAP_SYS_CHROOT},
+
+{"sys_module", CAP_SYS_MODULE},
+
+{"sys_nice", CAP_SYS_NICE},
+
+{"sys_pacct", CAP_SYS_PACCT},
+
+{"sys_ptrace", CAP_SYS_PTRACE},
+
+{"sys_rawio", CAP_SYS_RAWIO},
+
+{"sys_resource", CAP_SYS_RESOURCE},
+
+{"sys_time", CAP_SYS_TIME},
+
+{"sys_tty_config", CAP_SYS_TTY_CONFIG},
+
+{"wake_alarm", CAP_WAKE_ALARM},
+

parser/dbus.cc

@@ -179,6 +179,7 @@ int dbus_rule::expand_variables(void)
 	error = expand_entry_variables(&path);
 	if (error)
 		return error;
+	filter_slashes(path);
 	error = expand_entry_variables(&interface);
 	if (error)
 		return error;

parser/libapparmor_re/Makefile

@@ -10,6 +10,7 @@ endif
 
 TARGET=libapparmor_re.a
 
+AR ?= ar
 CFLAGS ?= -g -Wall -O2 ${EXTRA_CFLAGS} -std=gnu++0x
 CXXFLAGS := ${CFLAGS} ${INCLUDE_APPARMOR}
 
@@ -22,7 +23,7 @@ all : ${TARGET}
 UNITTESTS = tst_parse
 
 libapparmor_re.a: parse.o expr-tree.o hfa.o chfa.o aare_rules.o
-	ar ${ARFLAGS} $@ $^
+	${AR} ${ARFLAGS} $@ $^
 
 expr-tree.o: expr-tree.cc expr-tree.h
 

parser/libapparmor_re/aare_rules.cc

@@ -126,9 +126,10 @@ bool aare_rules::add_rule_vec(int deny, uint32_t perms, uint32_t audit,
 
 /* create a dfa from the ruleset
  * returns: buffer contain dfa tables, @size set to the size of the tables
- *          else NULL on failure
+ *          else NULL on failure, @min_match_len set to the shortest string
+ *          that can match the dfa for determining xmatch priority.
  */
-void *aare_rules::create_dfa(size_t *size, dfaflags_t flags)
+void *aare_rules::create_dfa(size_t *size, int *min_match_len, dfaflags_t flags)
 {
 	char *buffer = NULL;
 
@@ -150,6 +151,7 @@ void *aare_rules::create_dfa(size_t *size, dfaflags_t flags)
 			root = new AltNode(root, new CatNode(tmp, i->first));
 		}
 	}
+	*min_match_len = root->min_match_len();
 
 	/* dumping of the none simplified tree without -O no-expr-simplify
 	 * is broken because we need to build the tree above first, and

parser/libapparmor_re/aare_rules.h

@@ -104,7 +104,7 @@ class aare_rules {
 		      uint32_t audit, dfaflags_t flags);
 	bool add_rule_vec(int deny, uint32_t perms, uint32_t audit, int count,
 			  const char **rulev, dfaflags_t flags);
-	void *create_dfa(size_t *size, dfaflags_t flags);
+	void *create_dfa(size_t *size, int *min_match_len, dfaflags_t flags);
 };
 
 #endif				/* __LIBAA_RE_RULES_H */

parser/libapparmor_re/expr-tree.h

@@ -123,6 +123,19 @@ public:
 	virtual void compute_firstpos() = 0;
 	virtual void compute_lastpos() = 0;
 	virtual void compute_followpos() { }
+
+	/*
+	 * min_match_len determines the smallest string that can match the
+	 * syntax tree. This is used to determine the priority of a regex.
+	 */
+	virtual int min_match_len() { return 0; }
+	/*
+	 * contains_null returns if the expression tree contains a null character.
+	 * Null characters indicate that the rest of the DFA matches the xattrs and
+	 * not the path. This is used to compute min_match_len.
+	 */
+	virtual bool contains_null() { return false; }
+
 	virtual int eq(Node *other) = 0;
 	virtual ostream &dump(ostream &os) = 0;
 	void dump_syntax_tree(ostream &os);
@@ -257,6 +270,17 @@ public:
 		return os << c;
 	}
 
+	int min_match_len()
+	{
+		if (c == 0) {
+			// Null character indicates end of string.
+			return 0;
+		}
+		return 1;
+	}
+
+	bool contains_null() { return c == 0; }
+
 	uchar c;
 };
 
@@ -298,6 +322,24 @@ public:
 		return os << ']';
 	}
 
+	int min_match_len()
+	{
+		if (contains_null()) {
+			return 0;
+		}
+		return 1;
+	}
+
+	bool contains_null()
+	{
+		for (Chars::iterator i = chars.begin(); i != chars.end(); i++) {
+			if (*i == 0) {
+				return true;
+			}
+		}
+		return false;
+	}
+
 	Chars chars;
 };
 
@@ -346,6 +388,24 @@ public:
 		return os << ']';
 	}
 
+	int min_match_len()
+	{
+		if (contains_null()) {
+			return 0;
+		}
+		return 1;
+	}
+
+	bool contains_null()
+	{
+		for (Chars::iterator i = chars.begin(); i != chars.end(); i++) {
+			if (*i == 0) {
+				return false;
+			}
+		}
+		return true;
+	}
+
 	Chars chars;
 };
 
@@ -369,6 +429,8 @@ public:
 		return 0;
 	}
 	ostream &dump(ostream &os) { return os << "."; }
+
+	bool contains_null() { return true; }
 };
 
 /* Match a node zero or more times. (This is a unary operator.) */
@@ -396,6 +458,8 @@ public:
 		child[0]->dump(os);
 		return os << ")*";
 	}
+
+	bool contains_null() { return child[0]->contains_null(); }
 };
 
 /* Match a node one or more times. (This is a unary operator.) */
@@ -423,6 +487,8 @@ public:
 		child[0]->dump(os);
 		return os << ")+";
 	}
+	int min_match_len() { return child[0]->min_match_len(); }
+	bool contains_null() { return child[0]->contains_null(); }
 };
 
 /* Match a pair of consecutive nodes. */
@@ -470,6 +536,22 @@ public:
 		return os;
 	}
 	void normalize(int dir);
+	int min_match_len()
+	{
+		int len = child[0]->min_match_len();
+		if (child[0]->contains_null()) {
+			// Null characters are used to indicate when the DFA transitions
+			// from matching the path to matching the xattrs. If the left child
+			// contains a null character, the right side doesn't contribute to
+			// the path match.
+			return len;
+		}
+		return len + child[1]->min_match_len();
+	}
+	bool contains_null()
+	{
+		return child[0]->contains_null() || child[1]->contains_null();
+	}
 };
 
 /* Match one of two alternative nodes. */
@@ -507,6 +589,20 @@ public:
 		return os;
 	}
 	void normalize(int dir);
+	int min_match_len()
+	{
+		int m1, m2;
+		m1 = child[0]->min_match_len();
+		m2 = child[1]->min_match_len();
+		if (m1 < m2) {
+			return m1;
+		}
+		return m2;
+	}
+	bool contains_null()
+	{
+		return child[0]->contains_null() || child[1]->contains_null();
+	}
 };
 
 class SharedNode: public ImportantNode {

parser/mount.cc

@@ -486,18 +486,32 @@ ostream &mnt_rule::dump(ostream &os)
 /* does not currently support expansion of vars in options */
 int mnt_rule::expand_variables(void)
 {
+	struct value_list *ent;
 	int error = 0;
 
 	error = expand_entry_variables(&mnt_point);
 	if (error)
 		return error;
+	filter_slashes(mnt_point);
 	error = expand_entry_variables(&device);
 	if (error)
 		return error;
+	filter_slashes(device);
 	error = expand_entry_variables(&trans);
 	if (error)
 		return error;
 
+	list_for_each(dev_type, ent) {
+		error = expand_entry_variables(&ent->value);
+		if (error)
+			return error;
+	}
+	list_for_each(opts, ent) {
+		error = expand_entry_variables(&ent->value);
+		if (error)
+			return error;
+	}
+
 	return 0;
 }
 

parser/parser.h

@@ -171,13 +171,23 @@ extern int preprocess_only;
 
 
 #ifdef DEBUG
-#define PDEBUG(fmt, args...) fprintf(stderr, "parser: " fmt, ## args)
+#define PDEBUG(fmt, args...)				\
+do {							\
+	int pdebug_error = errno;			\
+	fprintf(stderr, "parser: " fmt, ## args);	\
+	errno = pdebug_error;				\
+} while (0)
 #else
 #define PDEBUG(fmt, args...)	/* Do nothing */
 #endif
 #define NPDEBUG(fmt, args...)	/* Do nothing */
 
-#define PERROR(fmt, args...) fprintf(stderr, fmt, ## args)
+#define PERROR(fmt, args...)			\
+do {						\
+	int perror_error = errno;		\
+	fprintf(stderr, fmt, ## args);		\
+	errno = perror_error;			\
+} while (0)
 
 #ifndef TRUE
 #define TRUE	(1)
@@ -357,6 +367,7 @@ extern int post_process_entry(struct cod_entry *entry);
 extern int process_policydb(Profile *prof);
 
 extern int process_policy_ents(Profile *prof);
+extern void filter_slashes(char *path);
 
 /* parser_variable.c */
 int expand_entry_variables(char **name);

parser/parser_alias.c

@@ -25,6 +25,8 @@
 #include "parser.h"
 #include "profile.h"
 
+typedef int (*comparison_fn_t)(const void *, const void *);
+
 struct alias_rule {
 	char *from;
 	char *to;

parser/parser_lex.l

@@ -24,6 +24,7 @@
 %option noyywrap
 %option nounput
 %option stack
+%option nodefault
 
 %{
 #include <stdio.h>
@@ -179,6 +180,7 @@ void include_filename(char *filename, int search, bool if_exists)
 		yypush_buffer_state(yy_create_buffer( yyin, YY_BUF_SIZE ));
         } else if (S_ISDIR(my_stat.st_mode)) {
 		struct cb_struct data = { fullpath, filename };
+		update_mru_tstamp(include_file, fullpath);
 		fclose(include_file);
 		include_file = NULL;
 		if (dirat_for_each(AT_FDCWD, fullpath, &data, include_dir_cb)) {
@@ -240,7 +242,16 @@ ADD_ASSIGN	\+=
 ARROW		->
 LT_EQUAL	<=
 
-/* IF adding new state please update state_names table at eof */
+/* IF adding new state please update state_names table and default rule (just
+ * above the state_names table) at the eof.
+ *
+ * The nodefault option is set so missing adding to the default rule isn't
+ * fatal but can't take advantage of additional debug the default rule might
+ * have.
+ *
+ * If a state is not added to the default rule it can result in the message
+ * "flex scanner jammed"
+ */
 %x SUB_ID
 %x SUB_ID_WS
 %x SUB_VALUE
@@ -274,7 +285,7 @@ LT_EQUAL	<=
 	}
 %}
 
-<INITIAL,SUB_ID_WS,INCLUDE,INCLUDE_EXISTS,LIST_VAL_MODE,EXTCOND_MODE,LIST_COND_VAL,LIST_COND_PAREN_VAL,LIST_COND_MODE,EXTCONDLIST_MODE,ASSIGN_MODE,NETWORK_MODE,CHANGE_PROFILE_MODE,RLIMIT_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE>{
+<INITIAL,SUB_ID_WS,INCLUDE,INCLUDE_EXISTS,LIST_VAL_MODE,EXTCOND_MODE,LIST_COND_VAL,LIST_COND_PAREN_VAL,LIST_COND_MODE,EXTCONDLIST_MODE,ASSIGN_MODE,NETWORK_MODE,CHANGE_PROFILE_MODE,RLIMIT_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE,ABI_MODE>{
 	{WS}+	{  DUMP_PREPROCESS; /* Ignoring whitespace */ }
 }
 
@@ -469,6 +480,7 @@ LT_EQUAL	<=
 	\\\n	{ DUMP_PREPROCESS; current_lineno++ ; }
 
 	\r?\n	{
+		/* don't use shared rule because we need POP() here */
 		DUMP_PREPROCESS;
 		current_lineno++;
 		POP();
@@ -605,7 +617,7 @@ include/{WS}	{
 
 {CARET}		{ PUSH_AND_RETURN(SUB_ID, TOK_CARET); }
 
-{ARROW}		{ RETURN_TOKEN(TOK_ARROW); }
+{ARROW}		{ PUSH_AND_RETURN(SUB_ID_WS, TOK_ARROW); }
 
 {EQUALS}	{ PUSH_AND_RETURN(ASSIGN_MODE, TOK_EQUALS); }
 
@@ -695,18 +707,20 @@ include/{WS}	{
 			POP_NODUMP();
 		RETURN_TOKEN(TOK_END_OF_RULE);
 	}
+}
 
-	\r?\n		{
+<INITIAL,SUB_ID_WS,INCLUDE,INCLUDE_EXISTS,LIST_VAL_MODE,EXTCOND_MODE,LIST_COND_VAL,LIST_COND_PAREN_VAL,LIST_COND_MODE,EXTCONDLIST_MODE,NETWORK_MODE,CHANGE_PROFILE_MODE,RLIMIT_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE,ABI_MODE>{
+	\r?\n	{
 		DUMP_PREPROCESS;
 		current_lineno++;
 	}
 }
 
-<INITIAL,SUB_ID,SUB_ID_WS,SUB_VALUE,LIST_VAL_MODE,EXTCOND_MODE,LIST_COND_VAL,LIST_COND_PAREN_VAL,LIST_COND_MODE,EXTCONDLIST_MODE,ASSIGN_MODE,NETWORK_MODE,CHANGE_PROFILE_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE>{
-	[^\n]	{
+<INITIAL,SUB_ID,SUB_ID_WS,SUB_VALUE,LIST_VAL_MODE,EXTCOND_MODE,LIST_COND_VAL,LIST_COND_PAREN_VAL,LIST_COND_MODE,EXTCONDLIST_MODE,ASSIGN_MODE,NETWORK_MODE,CHANGE_PROFILE_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE,RLIMIT_MODE,INCLUDE,INCLUDE_EXISTS,ABI_MODE>{
+	(.|\n)	{
 		DUMP_PREPROCESS;
 		/* Something we didn't expect */
-		yyerror(_("Found unexpected character: '%s'"), yytext);
+		yyerror(_("Lexer found unexpected character: '%s' (0x%x) in state: %s"), yytext, yytext[0], state_names[YY_START].c_str());
 	}
 }
 %%

parser/parser_main.c

@@ -2,7 +2,7 @@
  *   Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
  *   NOVELL (All rights reserved)
  *
- *   Copyright (c) 2010 - 2013
+ *   Copyright (c) 2010 - 2018
  *   Canonical Ltd. (All rights reserved)
  *
  *   This program is free software; you can redistribute it and/or
@@ -59,8 +59,10 @@
 #define PRIVILEGED_OPS (kernel_load)
 #define UNPRIVILEGED_OPS (!(PRIVILEGED_OPS))
 
+#define EARLY_ARG_CONFIG_FILE 141
+
 const char *parser_title	= "AppArmor parser";
-const char *parser_copyright	= "Copyright (C) 1999-2008 Novell Inc.\nCopyright 2009-2012 Canonical Ltd.";
+const char *parser_copyright	= "Copyright (C) 1999-2008 Novell Inc.\nCopyright 2009-2018 Canonical Ltd.";
 
 int opt_force_complain = 0;
 int binary_input = 0;
@@ -97,12 +99,20 @@ long jobs_scale = 0;			/* number of chance to resample online
 					 */
 bool debug_jobs = false;
 
+#define MAX_CACHE_LOCS 4
+
 struct timespec cache_tstamp, mru_policy_tstamp;
 
 static char *apparmorfs = NULL;
-static char *cacheloc = NULL;
+static const char *cacheloc[MAX_CACHE_LOCS];
+static int cacheloc_n = 0;
+static bool print_cache_dir = false;
+
+static aa_features *compile_features = NULL;
+static aa_features *kernel_features = NULL;
+
+static const char *config_file = "/etc/apparmor/parser.conf";
 
-static aa_features *features = NULL;
 
 /* Make sure to update BOTH the short and long_options */
 static const char *short_options = "ad::f:h::rRVvI:b:BCD:NSm:M:qQn:XKTWkL:O:po:j:";
@@ -133,9 +143,6 @@ struct option long_options[] = {
 	{"skip-read-cache",	0, 0, 'T'},
 	{"write-cache",		0, 0, 'W'},
 	{"show-cache",		0, 0, 'k'},
-	{"skip-bad-cache",	0, 0, 129},	/* no short option */
-	{"purge-cache",		0, 0, 130},	/* no short option */
-	{"create-cache-dir",	0, 0, 131},	/* no short option */
 	{"cache-loc",		1, 0, 'L'},
 	{"debug",		2, 0, 'd'},
 	{"dump",		1, 0, 'D'},
@@ -143,12 +150,21 @@ struct option long_options[] = {
 	{"optimize",		1, 0, 'O'},
 	{"Optimize",		1, 0, 'O'},
 	{"preprocess",		0, 0, 'p'},
+	{"jobs",		1, 0, 'j'},
+	{"skip-bad-cache",	0, 0, 129},	/* no short option */
+	{"purge-cache",		0, 0, 130},	/* no short option */
+	{"create-cache-dir",	0, 0, 131},	/* no short option */
 	{"abort-on-error",	0, 0, 132},	/* no short option */
 	{"skip-bad-cache-rebuild",	0, 0, 133},	/* no short option */
 	{"warn",		1, 0, 134},	/* no short option */
 	{"debug-cache",		0, 0, 135},	/* no short option */
-	{"jobs",		1, 0, 'j'},
 	{"max-jobs",		1, 0, 136},	/* no short option */
+	{"print-cache-dir",	0, 0, 137},	/* no short option */
+	{"kernel-features",	1, 0, 138},	/* no short option */
+	{"compile-features",	1, 0, 139},	/* no short option */
+	{"print-config-file",	0, 0, 140},	/* no short option */
+	{"config-file",		1, 0, EARLY_ARG_CONFIG_FILE},	/* early option, no short option */
+
 	{NULL, 0, 0, 0},
 };
 
@@ -178,7 +194,9 @@ static void display_usage(const char *command)
 	       "-I n, --Include n	Add n to the search path\n"
 	       "-f n, --subdomainfs n	Set location of apparmor filesystem\n"
 	       "-m n, --match-string n  Use only features n\n"
-	       "-M n, --features-file n Use only features in file n\n"
+	       "-M n, --features-file n Set compile & kernel features to file n\n"
+	       "--compile-features n    Compile features set in file n\n"
+	       "--kernel-features n     Kernel features set in file n\n"
 	       "-n n, --namespace n	Set Namespace for the profile\n"
 	       "-X, --readimpliesX	Map profile read permissions to mr\n"
 	       "-k, --show-cache	Report cache hit/miss details\n"
@@ -188,7 +206,8 @@ static void display_usage(const char *command)
 	       "    --skip-bad-cache	Don't clear cache if out of sync\n"
 	       "    --purge-cache	Clear cache regardless of its state\n"
 	       "    --debug-cache       Debug cache file checks\n"
-	       "-L, --cache-loc n	Set the location of the profile cache\n"
+	       "    --print-cache-dir	Print the cache directory path\n"
+	       "-L, --cache-loc n	Set the location of the profile caches\n"
 	       "-q, --quiet		Don't emit warnings\n"
 	       "-v, --verbose		Show profile names as they load\n"
 	       "-Q, --skip-kernel-load	Do everything except loading into kernel\n"
@@ -202,6 +221,8 @@ static void display_usage(const char *command)
 	       "--max-jobs n		Hard cap on --jobs. Default 8*cpus\n"
 	       "--abort-on-error	Abort processing of profiles on first error\n"
 	       "--skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel\n"
+	       "--config-file n		Specify the parser config file location, processed early before other options.\n"
+	       "--print-config		Print config file location\n"
 	       "--warn n		Enable warnings (see --help=warn)\n"
 	       ,command);
 }
@@ -222,6 +243,55 @@ void display_warn(const char *command)
 	print_flag_table(warnflag_table);
 }
 
+/* Parse comma separated cachelocations. Commas can be escaped by \, */
+static int parse_cacheloc(const char *arg, const char **cacheloc, int max_size)
+{
+	const char *s = arg;
+	const char *p = arg;
+	int n = 0;
+
+	while(*p) {
+		if (*p == '\\') {
+			if (*(p + 1) != 0)
+				p++;
+		} else if (*p == ',') {
+			if (p != s) {
+				char *tmp;
+				if (n == max_size) {
+					errno = E2BIG;
+					return -1;
+				}
+				tmp = (char *) malloc(p - s + 1);
+				if (tmp == NULL)
+					return -1;
+				memcpy(tmp, s, p - s);
+				tmp[p - s] = 0;
+				cacheloc[n] = tmp;
+				n++;
+			}
+			p++;
+			s = p;
+		} else
+			p++;
+	}
+	if (p != s) {
+		char *tmp;
+		if (n == max_size) {
+			errno = E2BIG;
+			return -1;
+		}
+		tmp = (char *) malloc(p - s + 1);
+		if (tmp == NULL)
+			return -1;
+		memcpy(tmp, s, p - s);
+		tmp[p - s] = 0;
+		cacheloc[n] = tmp;
+		n++;
+	}
+
+	return n;
+}
+
 /* Treat conf file like options passed on command line
  */
 static int getopt_long_file(FILE *f, const struct option *longopts,
@@ -319,6 +389,16 @@ static long process_jobs_arg(const char *arg, const char *val) {
 	return n;
 }
 
+
+bool early_arg(int c) {
+	switch(c) {
+	case EARLY_ARG_CONFIG_FILE:
+		return true;
+	}
+
+	return false;
+}
+
 /* process a single argment from getopt_long
  * Returns: 1 if an action arg, else 0
  */
@@ -329,8 +409,7 @@ static int process_arg(int c, char *optarg)
 	switch (c) {
 	case 0:
 		PERROR("Assert, in getopt_long handling\n");
-		display_usage(progname);
-		exit(0);
+		exit(1);
 		break;
 	case 'a':
 		count++;
@@ -439,8 +518,6 @@ static int process_arg(int c, char *optarg)
 		}
 		break;
 	case 'O':
-		skip_read_cache = 1;
-
 		if (!handle_flag_table(optflag_table, optarg,
 				       &dfaflags)) {
 			PERROR("%s: Invalid --Optimize option %s\n",
@@ -449,7 +526,7 @@ static int process_arg(int c, char *optarg)
 		}
 		break;
 	case 'm':
-		if (aa_features_new_from_string(&features,
+		if (aa_features_new_from_string(&compile_features,
 						optarg, strlen(optarg))) {
 			fprintf(stderr,
 				"Failed to parse features string: %m\n");
@@ -457,12 +534,37 @@ static int process_arg(int c, char *optarg)
 		}
 		break;
 	case 'M':
-		if (aa_features_new(&features, AT_FDCWD, optarg)) {
+		if (compile_features)
+			aa_features_unref(compile_features);
+		if (kernel_features)
+			aa_features_unref(kernel_features);
+		if (aa_features_new(&compile_features, AT_FDCWD, optarg)) {
 			fprintf(stderr,
 				"Failed to load features from '%s': %m\n",
 				optarg);
 			exit(1);
 		}
+		kernel_features = aa_features_ref(compile_features);
+		break;
+	case 138:
+		if (kernel_features)
+			aa_features_unref(kernel_features);
+		if (aa_features_new(&kernel_features, AT_FDCWD, optarg)) {
+			fprintf(stderr,
+				"Failed to load kernel features from '%s': %m\n",
+				optarg);
+			exit(1);
+		}
+		break;
+	case 139:
+		if (compile_features)
+			aa_features_unref(compile_features);
+		if (aa_features_new(&compile_features, AT_FDCWD, optarg)) {
+			fprintf(stderr,
+				"Failed to load compile features from '%s': %m\n",
+				optarg);
+			exit(1);
+		}
 		break;
 	case 'q':
 		conf_verbose = 0;
@@ -507,7 +609,11 @@ static int process_arg(int c, char *optarg)
 		skip_bad_cache_rebuild = 1;
 		break;
 	case 'L':
-		cacheloc = strdup(optarg);
+		cacheloc_n = parse_cacheloc(optarg, cacheloc, MAX_CACHE_LOCS);
+		if (cacheloc_n == -1) {
+			PERROR("%s: Invalid --cacheloc option '%s' %m\n", progname, optarg);
+			exit(1);
+		}
 		break;
 	case 'Q':
 		kernel_load = 0;
@@ -532,12 +638,28 @@ static int process_arg(int c, char *optarg)
 		break;
 	case 'j':
 		jobs = process_jobs_arg("-j", optarg);
+		if (jobs != JOBS_AUTO && jobs < LONG_MAX)
+			jobs_max = jobs;
 		break;
 	case 136:
 		jobs_max = process_jobs_arg("max-jobs", optarg);
 		break;
+	case 137:
+		kernel_load = 0;
+		print_cache_dir = true;
+		break;
+	case EARLY_ARG_CONFIG_FILE:
+		config_file = strdup(optarg);
+		if (!config_file) {
+			PERROR("%s: %m", progname);
+			exit(1);
+		}
+		break;
+	case 140:
+		printf("%s\n", config_file);
+		break;
 	default:
-		display_usage(progname);
+		/* 'unrecognized option' error message gets printed by getopt_long() */
 		exit(1);
 		break;
 	}
@@ -545,21 +667,36 @@ static int process_arg(int c, char *optarg)
 	return count;
 }
 
+static void process_early_args(int argc, char *argv[])
+{
+	int c, o;
+
+	while ((c = getopt_long(argc, argv, short_options, long_options, &o)) != -1)
+	{
+		if (early_arg(c))
+			process_arg(c, optarg);
+	}
+
+	/* reset args, so we are ready for a second pass */
+	optind = 1;
+}
+
 static int process_args(int argc, char *argv[])
 {
 	int c, o;
 	int count = 0;
 	option = OPTION_ADD;
 
+	opterr = 1;
 	while ((c = getopt_long(argc, argv, short_options, long_options, &o)) != -1)
 	{
-		count += process_arg(c, optarg);
+		if (!early_arg(c))
+			count += process_arg(c, optarg);
 	}
 
 	if (count > 1) {
 		PERROR("%s: Too many actions given on the command line.\n",
 		       progname);
-		display_usage(progname);
 		exit(1);
 	}
 
@@ -574,8 +711,10 @@ static int process_config_file(const char *name)
 	int c, o;
 
 	f = fopen(name, "r");
-	if (!f)
+	if (!f) {
+		pwarn("config file '%s' not found\n", name);
 		return 0;
+	}
 
 	while ((c = getopt_long_file(f, long_options, &optarg, &o)) != -1)
 		process_arg(c, optarg);
@@ -592,7 +731,6 @@ int have_enough_privilege(void)
 	if (uid != 0 && euid != 0) {
 		PERROR(_("%s: Sorry. You need root privileges to run this program.\n\n"),
 		       progname);
-		display_usage(progname);
 		return EPERM;
 	}
 
@@ -623,33 +761,37 @@ no_match:
 	perms_create = 1;
 }
 
-static void set_supported_features(void)
+static void set_supported_features(aa_features *kernel_features unused)
 {
 	/* has process_args() already assigned a match string? */
-	if (!features && aa_features_new_from_kernel(&features) == -1) {
+	if (!compile_features && aa_features_new_from_kernel(&compile_features) == -1) {
 		set_features_by_match_file();
 		return;
 	}
 
+	/*
+	 * TODO: intersect with actual kernel features to get proper
+	 * rule down grades for a give kernel
+	 */
 	perms_create = 1;
-	kernel_supports_policydb = aa_features_supports(features, "file");
-	kernel_supports_network = aa_features_supports(features, "network");
-	kernel_supports_unix = aa_features_supports(features,
+	kernel_supports_policydb = aa_features_supports(compile_features, "file");
+	kernel_supports_network = aa_features_supports(compile_features, "network");
+	kernel_supports_unix = aa_features_supports(compile_features,
 						    "network/af_unix");
-	kernel_supports_mount = aa_features_supports(features, "mount");
-	kernel_supports_dbus = aa_features_supports(features, "dbus");
-	kernel_supports_signal = aa_features_supports(features, "signal");
-	kernel_supports_ptrace = aa_features_supports(features, "ptrace");
-	kernel_supports_setload = aa_features_supports(features,
+	kernel_supports_mount = aa_features_supports(compile_features, "mount");
+	kernel_supports_dbus = aa_features_supports(compile_features, "dbus");
+	kernel_supports_signal = aa_features_supports(compile_features, "signal");
+	kernel_supports_ptrace = aa_features_supports(compile_features, "ptrace");
+	kernel_supports_setload = aa_features_supports(compile_features,
 						       "policy/set_load");
-	kernel_supports_diff_encode = aa_features_supports(features,
+	kernel_supports_diff_encode = aa_features_supports(compile_features,
 							   "policy/diff_encode");
-	kernel_supports_stacking = aa_features_supports(features,
+	kernel_supports_stacking = aa_features_supports(compile_features,
 							"domain/stack");
 
-	if (aa_features_supports(features, "policy/versions/v7"))
+	if (aa_features_supports(compile_features, "policy/versions/v7"))
 		kernel_abi_version = 7;
-	else if (aa_features_supports(features, "policy/versions/v6"))
+	else if (aa_features_supports(compile_features, "policy/versions/v6"))
 		kernel_abi_version = 6;
 
 	if (!kernel_supports_diff_encode)
@@ -657,6 +799,33 @@ static void set_supported_features(void)
 		dfaflags &= ~DFA_CONTROL_DIFF_ENCODE;
 }
 
+static bool do_print_cache_dir(aa_features *features, int dirfd, const char *path)
+{
+	autofree char *cache_dir = NULL;
+
+	cache_dir = aa_policy_cache_dir_path_preview(features, dirfd, path);
+	if (!cache_dir) {
+		PERROR(_("Unable to print the cache directory: %m\n"));
+		return false;
+	}
+
+	printf("%s\n", cache_dir);
+	return true;
+}
+
+static bool do_print_cache_dirs(aa_features *features, const char **cacheloc,
+				int cacheloc_n)
+{
+	int i;
+
+	for (i = 0; i < cacheloc_n; i++) {
+		if (!do_print_cache_dir(features, AT_FDCWD, cacheloc[i]))
+			return false;
+	}
+
+	return true;
+}
+
 int process_binary(int option, aa_kernel_interface *kernel_interface,
 		   const char *profilename)
 {
@@ -741,10 +910,11 @@ int test_for_dir_mode(const char *basename, const char *linkdir)
 }
 
 int process_profile(int option, aa_kernel_interface *kernel_interface,
-		    const char *profilename, const char *cachedir)
+		    const char *profilename, aa_policy_cache *pc)
 {
 	int retval = 0;
 	autofree const char *cachename = NULL;
+	autofree const char *writecachename = NULL;
 	autofree const char *cachetmpname = NULL;
 	autoclose int cachetmp = -1;
 	const char *basename = NULL;
@@ -761,6 +931,7 @@ int process_profile(int option, aa_kernel_interface *kernel_interface,
 	} else {
 		if (write_cache)
 			pwarn("%s: cannot use or update cache, disable, or force-complain via stdin\n", progname);
+		skip_cache = write_cache = 0;
 	}
 
 	reset_parser(profilename);
@@ -785,9 +956,17 @@ int process_profile(int option, aa_kernel_interface *kernel_interface,
  		}
 
 		/* setup cachename and tstamp */
-		if (!force_complain && !skip_cache) {
-			cachename = cache_filename(cachedir, basename);
-			valid_read_cache(cachename);
+		if (!force_complain && pc) {
+			cachename = aa_policy_cache_filename(pc, basename);
+			if (!cachename) {
+				autoclose int fd = aa_policy_cache_open(pc,
+								basename,
+								O_RDONLY);
+				if (fd != -1)
+					pwarn(_("Could not get cachename for '%s'\n"), basename);
+			} else {
+				valid_read_cache(cachename);
+			}
 		}
 
 	}
@@ -819,8 +998,6 @@ int process_profile(int option, aa_kernel_interface *kernel_interface,
 			if (!retval || skip_bad_cache_rebuild)
 				return retval;
 		}
-
-		cachetmp = setup_cache_tmp(&cachetmpname, cachename);
 	}
 
 	if (show_cache)
@@ -856,15 +1033,27 @@ int process_profile(int option, aa_kernel_interface *kernel_interface,
 		goto out;
 	}
 
+	if (pc && write_cache && !force_complain) {
+		writecachename = cache_filename(pc, 0, basename);
+		if (!writecachename) {
+			pwarn("Cache write disabled: Cannot create cache file name '%s': %m\n", basename);
+			write_cache = 0;
+		}
+		cachetmp = setup_cache_tmp(&cachetmpname, writecachename);
+		if (cachetmp == -1) {
+			pwarn("Cache write disabled: Cannot create setup tmp cache file '%s': %m\n", writecachename);
+			write_cache = 0;
+		}
+	}
 	/* cache file generated by load_policy */
 	retval = load_policy(option, kernel_interface, cachetmp);
 	if (retval == 0 && write_cache) {
 		if (cachetmp == -1) {
 			unlink(cachetmpname);
-			PERROR("Warning failed to create cache: %s\n",
+			pwarn("Warning failed to create cache: %s\n",
 			       basename);
 		} else {
-			install_cache(cachetmpname, cachename);
+			install_cache(cachetmpname, writecachename);
 		}
 	}
 out:
@@ -899,8 +1088,11 @@ do {									\
 		work_sync_one(RESULT);					\
 } while (0)
 
+/* returns -1 if work_spawn fails, not a return value of any unit of work */
 #define work_spawn(WORK, RESULT)					\
-do {									\
+({									\
+	int localrc = 0;						\
+	do {								\
 	/* what to do to avoid fork() overhead when single threaded	\
 	if (jobs == 1) {						\
 		// no parallel work so avoid fork() overhead		\
@@ -937,11 +1129,17 @@ do {									\
 			fprintf(stderr, "    JOBS SPAWN: created %ld ...\n", njobs);									\
 	} else {							\
 		/* error */						\
-		if (debug_jobs)						\
-			fprintf(stderr, "    JOBS SPAWN: failed error: %d) ...\n", errno);								\
+		if (debug_jobs)	{					\
+			int error = errno;				\
+			fprintf(stderr, "    JOBS SPAWN: failed error: %d) ...\n", errno);	\
+			errno = error;					\
+		}							\
 		RESULT(errno);						\
+		localrc = -1;						\
 	}								\
-} while (0)
+	} while (0);							\
+	localrc;							\
+})
 
 
 /* sadly C forces us to do this with exit, long_jump or returning error
@@ -987,6 +1185,8 @@ static void setup_parallel_compile(void)
 	if (maxn == -1)
 		/* unable to determine number of processors, default to 1 */
 		maxn = 1;
+	if (jobs < 0 || jobs == JOBS_AUTO)
+		jobs_scale = 1;
 	jobs = compute_jobs(n, jobs);
 	jobs_max = compute_jobs(maxn, jobs_max);
 
@@ -994,7 +1194,7 @@ static void setup_parallel_compile(void)
 		pwarn("%s: Warning capping number of jobs to %ld * # of cpus == '%ld'",
 		      progname, jobs_max, jobs);
 		jobs = jobs_max;
-	} else if (jobs < jobs_max)
+	} else if (jobs_scale && jobs < jobs_max)
 		/* the bigger the difference the more sample chances given */
 		jobs_scale = jobs_max + 1 - n;
 
@@ -1006,7 +1206,7 @@ static void setup_parallel_compile(void)
 struct dir_cb_data {
 	aa_kernel_interface *kernel_interface;
 	const char *dirname;	/* name of the parent dir */
-	const char *cachedir;	/* path to the cache sub directory */
+	aa_policy_cache *policy_cache;	/* policy_cache to use */
 };
 
 /* data - pointer to a dir_cb_data */
@@ -1018,11 +1218,15 @@ static int profile_dir_cb(int dirfd unused, const char *name, struct stat *st,
 	if (!S_ISDIR(st->st_mode) && !is_blacklisted(name, NULL)) {
 		struct dir_cb_data *cb_data = (struct dir_cb_data *)data;
 		autofree char *path = NULL;
-		if (asprintf(&path, "%s/%s", cb_data->dirname, name) < 0)
+		if (asprintf(&path, "%s/%s", cb_data->dirname, name) < 0) {
 			PERROR(_("Out of memory"));
-		work_spawn(process_profile(option, cb_data->kernel_interface,
-					   path, cb_data->cachedir),
-			   handle_work_result);
+			handle_work_result(errno);
+			return -1;
+		}
+		rc = work_spawn(process_profile(option,
+						cb_data->kernel_interface,
+						path, cb_data->policy_cache),
+				handle_work_result);
 	}
 	return rc;
 }
@@ -1036,28 +1240,32 @@ static int binary_dir_cb(int dirfd unused, const char *name, struct stat *st,
 	if (!S_ISDIR(st->st_mode) && !is_blacklisted(name, NULL)) {
 		struct dir_cb_data *cb_data = (struct dir_cb_data *)data;
 		autofree char *path = NULL;
-		if (asprintf(&path, "%s/%s", cb_data->dirname, name) < 0)
+		if (asprintf(&path, "%s/%s", cb_data->dirname, name) < 0) {
 			PERROR(_("Out of memory"));
-		work_spawn(process_binary(option, cb_data->kernel_interface,
-					   path),
-			    handle_work_result);
+			handle_work_result(errno);
+			return -1;
+		}
+		rc = work_spawn(process_binary(option,
+					       cb_data->kernel_interface,
+					       path),
+				handle_work_result);
 	}
 	return rc;
 }
 
 static void setup_flags(void)
 {
-	/* Get the match string to determine type of regex support needed */
-	set_supported_features();
-
 	/* Gracefully handle AppArmor kernel without compatibility patch */
-	if (!features) {
+	if (!kernel_features && aa_features_new_from_kernel(&kernel_features) == -1) {
 		PERROR("Cache read/write disabled: interface file missing. "
 			"(Kernel needs AppArmor 2.4 compatibility patch.)\n");
 		write_cache = 0;
 		skip_read_cache = 1;
 		return;
 	}
+
+	/* Get the match string to determine type of regex support needed */
+	set_supported_features(kernel_features);
 }
 
 int main(int argc, char *argv[])
@@ -1073,7 +1281,8 @@ int main(int argc, char *argv[])
 
 	init_base_dir();
 
-	process_config_file("/etc/apparmor/parser.conf");
+	process_early_args(argc, argv);
+	process_config_file(config_file);
 	optind = process_args(argc, argv);
 
 	setup_parallel_compile();
@@ -1093,7 +1302,7 @@ int main(int argc, char *argv[])
 	setup_flags();
 
 	if (!(UNPRIVILEGED_OPS) &&
-	    aa_kernel_interface_new(&kernel_interface, features, apparmorfs) == -1) {
+	    aa_kernel_interface_new(&kernel_interface, kernel_features, apparmorfs) == -1) {
 		PERROR(_("Warning: unable to find a suitable fs in %s, is it "
 		       "mounted?\nUse --subdomainfs to override.\n"),
 		       MOUNTED_FS);
@@ -1101,18 +1310,22 @@ int main(int argc, char *argv[])
 	}
 
 	if ((!skip_cache && (write_cache || !skip_read_cache)) ||
-	    force_clear_cache) {
-		uint16_t max_caches = write_cache && cond_clear_cache ? 1 : 0;
+	    print_cache_dir || force_clear_cache) {
+		uint16_t max_caches = write_cache && cond_clear_cache ? (uint16_t) (-1) : 0;
 
-		if (!cacheloc && asprintf(&cacheloc, "%s/cache", basedir) == -1) {
-			PERROR(_("Memory allocation error."));
-			return 1;
+		if (!cacheloc[0]) {
+			cacheloc[0] = "/var/cache/apparmor";
+			cacheloc_n = 1;
 		}
+		if (print_cache_dir)
+			return do_print_cache_dirs(kernel_features, cacheloc,
+						   cacheloc_n) ? 0 : 1;
 
 		if (force_clear_cache) {
-			if (aa_policy_cache_remove(AT_FDCWD, cacheloc)) {
+			/* only ever write to the first cacheloc location */
+			if (aa_policy_cache_remove(AT_FDCWD, cacheloc[0])) {
 				PERROR(_("Failed to clear cache files (%s): %s\n"),
-				       cacheloc, strerror(errno));
+				       cacheloc[0], strerror(errno));
 				return 1;
 			}
 
@@ -1121,26 +1334,34 @@ int main(int argc, char *argv[])
 
 		if (create_cache_dir)
 			pwarn(_("The --create-cache-dir option is deprecated. Please use --write-cache.\n"));
-
-		retval = aa_policy_cache_new(&policy_cache, features,
-					     AT_FDCWD, cacheloc, max_caches);
+		retval = aa_policy_cache_new(&policy_cache, kernel_features,
+					     AT_FDCWD, cacheloc[0], max_caches);
 		if (retval) {
 			if (errno != ENOENT && errno != EEXIST && errno != EROFS) {
 				PERROR(_("Failed setting up policy cache (%s): %s\n"),
-				       cacheloc, strerror(errno));
+				       cacheloc[0], strerror(errno));
 				return 1;
 			}
 
 			if (show_cache) {
 				if (max_caches > 0)
 					PERROR("Cache write disabled: Cannot create cache '%s': %m\n",
-					       cacheloc);
+					       cacheloc[0]);
 				else
-					PERROR("Cache read/write disabled: Policy cache is invalid\n");
+					PERROR("Cache read/write disabled: Policy cache is invalid: %m\n");
 			}
 
 			write_cache = 0;
-			skip_read_cache = 1;
+		} else {
+			if (show_cache)
+				PERROR("Cache: added primary location '%s'\n", cacheloc[0]);
+			for (i = 1; i < cacheloc_n; i++) {
+				if (aa_policy_cache_add_ro_dir(policy_cache, AT_FDCWD,
+							       cacheloc[i])) {
+					pwarn("Cache: failed to add read only location '%s', does not contain valid cache directory for the specified feature set\n", cacheloc[i]);
+				} else if (show_cache)
+					pwarn("Cache: added readonly location '%s'\n", cacheloc[i]);
+			}
 		}
 	}
 
@@ -1157,11 +1378,14 @@ int main(int argc, char *argv[])
 		}
 		/* skip stdin if we've seen other command line arguments */
 		if (i == argc && optind != argc)
-			continue;
+			goto cleanup;
 
 		if (profilename && stat(profilename, &stat_file) == -1) {
+			last_error = errno;
 			PERROR("File %s not found, skipping...\n", profilename);
-			continue;
+			if (abort_on_error)
+				break;
+			goto cleanup;
 		}
 
 		if (profilename && S_ISDIR(stat_file.st_mode)) {
@@ -1171,25 +1395,32 @@ int main(int argc, char *argv[])
 
 			memset(&cb_data, 0, sizeof(struct dir_cb_data));
 			cb_data.dirname = profilename;
-			cb_data.cachedir = cacheloc;
+			cb_data.policy_cache = policy_cache;
 			cb_data.kernel_interface = kernel_interface;
 			cb = binary_input ? binary_dir_cb : profile_dir_cb;
 			if ((retval = dirat_for_each(AT_FDCWD, profilename,
 						     &cb_data, cb))) {
+				last_error = errno;
 				PDEBUG("Failed loading profiles from %s\n",
 				       profilename);
+				if (abort_on_error)
+					break;
 			}
 		} else if (binary_input) {
+			/* ignore return as error is handled in work_spawn */
 			work_spawn(process_binary(option, kernel_interface,
 						  profilename),
 				   handle_work_result);
 		} else {
+			/* ignore return as error is handled in work_spawn */
 			work_spawn(process_profile(option, kernel_interface,
-						   profilename, cacheloc),
+						   profilename, policy_cache),
 				   handle_work_result);
 		}
 
-		if (profilename) free(profilename);
+	cleanup:
+		if (profilename)
+			free(profilename);
 		profilename = NULL;
 	}
 	work_sync(handle_work_result);

parser/parser_misc.c

@@ -61,9 +61,14 @@ int is_blacklisted(const char *name, const char *path)
 	return !retval ? 0 : 1;
 }
 
+/*
+ * WARNING: if the format of the following table is changed then
+ *          the Makefile targets, cap_names.h and generated_cap_names.h
+ *          must be updated.
+ */
 struct keyword_table {
 	const char *keyword;
-	int token;
+	unsigned int token;
 };
 
 static struct keyword_table keyword_table[] = {
@@ -165,12 +170,59 @@ static int get_table_token(const char *name unused, struct keyword_table *table,
 	return -1;
 }
 
+
+#ifndef CAP_AUDIT_WRITE
+#define CAP_AUDIT_WRITE		29
+#endif
+
+#ifndef CAP_AUDIT_CONTROL
+#define CAP_AUDIT_CONTROL	30
+#endif
+
+#ifndef CAP_SETFCAP
+#define CAP_SETFCAP		31
+#endif
+
+#ifndef CAP_MAC_OVERRIDE
+#define CAP_MAC_OVERRIDE	32
+#endif
+
+#ifndef CAP_MAC_ADMIN
+#define CAP_MAC_ADMIN		33
+#endif
+
+#ifndef CAP_SYSLOG
+#define CAP_SYSLOG		34
+#endif
+
+#ifndef CAP_WAKE_ALARM
+#define CAP_WAKE_ALARM		35
+#endif
+
+#ifndef CAP_BLOCK_SUSPEND
+#define CAP_BLOCK_SUSPEND	36
+#endif
+
+#ifndef CAP_AUDIT_READ
+#define CAP_AUDIT_READ		37
+#endif
+
+#ifndef CAP_PERFMON
+#define CAP_PERFMON		38
+#endif
+
+#ifndef CAP_BPF
+#define CAP_BPF			39
+#endif
+
+#ifndef CAP_CHECKPOINT_RESTORE
+#define CAP_CHECKPOINT_RESTORE	40
+#endif
+
 static struct keyword_table capability_table[] = {
 	/* capabilities */
 	#include "cap_names.h"
-#ifndef CAP_SYSLOG
-	{"syslog", 34},
-#endif
+
 	/* terminate */
 	{NULL, 0}
 };
@@ -832,52 +884,16 @@ void debug_cod_entries(struct cod_entry *list)
 	}
 }
 
-
-static const char *capnames[] = {
-	"chown",
-	"dac_override",
-	"dac_read_search",
-	"fowner",
-	"fsetid",
-	"kill",
-	"setgid",
-	"setuid",
-	"setpcap",
-	"linux_immutable",
-	"net_bind_service",
-	"net_broadcast",
-	"net_admin",
-	"net_raw",
-	"ipc_lock",
-	"ipc_owner",
-	"sys_module",
-	"sys_rawio",
-	"sys_chroot",
-	"sys_ptrace",
-	"sys_pacct",
-	"sys_admin",
-	"sys_boot",
-	"sys_nice",
-	"sys_resource",
-	"sys_time",
-	"sys_tty_config",
-	"mknod",
-	"lease",
-	"audit_write",
-	"audit_control",
-	"setfcap",
-	"mac_override",
-	"syslog",
-};
-
 const char *capability_to_name(unsigned int cap)
 {
-	const char *capname;
+	int i;
 
-	capname = (cap < (sizeof(capnames) / sizeof(char *))
-		   ? capnames[cap] : "invalid-capability");
+	for (i = 0; capability_table[i].keyword; i++) {
+		if (capability_table[i].token == cap)
+			return capability_table[i].keyword;
+	}
 
-	return capname;
+	return "invalid-capability";
 }
 
 void __debug_capabilities(uint64_t capset, const char *name)
@@ -885,10 +901,10 @@ void __debug_capabilities(uint64_t capset, const char *name)
 	unsigned int i;
 
 	printf("%s:", name);
-	for (i = 0; i < (sizeof(capnames)/sizeof(char *)); i++) {
-		if (((1ull << i) & capset) != 0) {
-			printf (" %s", capability_to_name(i));
-		}
+
+	for (i = 0; capability_table[i].keyword; i++) {
+		if ((1ull << capability_table[i].token) & capset)
+			printf (" %s", capability_table[i].keyword);
 	}
 	printf("\n");
 }

parser/parser_policy.c

@@ -204,9 +204,8 @@ static int profile_add_hat_rules(Profile *prof)
 {
 	struct cod_entry *entry;
 
-	/* TODO: ??? fix logic for when to add to hat/base vs. local */
-	/* don't add hat rules for local_profiles or base profiles */
-	if (prof->local || prof->hat_table.empty())
+	/* don't add hat rules if not hat or profile doesn't have hats */
+	if (!prof->flags.hat || !prof->hat_table.empty())
 		return 0;
 
 	/* add entry to hat */

parser/parser_regex.c

@@ -47,7 +47,7 @@ enum error_type {
  * that's a distinct namespace in linux) and trailing slashes.
  * NOTE: modifies in place the contents of the path argument */
 
-static void filter_slashes(char *path)
+void filter_slashes(char *path)
 {
 	char *sptr, *dptr;
 	BOOL seen_slash = 0;
@@ -473,17 +473,13 @@ static int process_profile_name_xmatch(Profile *prof)
 				ptype = convert_aaregex_to_pcre(alt->name, 0,
 								glob_default,
 								tbuf, &len);
-				if (ptype == ePatternBasic)
-					len = strlen(alt->name);
-				if (len < prof->xmatch_len)
-					prof->xmatch_len = len;
 				if (!rules->add_rule(tbuf.c_str(), 0, AA_MAY_EXEC, 0, dfaflags)) {
 					delete rules;
 					return FALSE;
 				}
 			}
 		}
-		prof->xmatch = rules->create_dfa(&prof->xmatch_size, dfaflags);
+		prof->xmatch = rules->create_dfa(&prof->xmatch_size, &prof->xmatch_len, dfaflags);
 		delete rules;
 		if (!prof->xmatch)
 			return FALSE;
@@ -568,6 +564,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 		int pos;
 		vec[0] = tbuf.c_str();
 		if (entry->link_name) {
+			filter_slashes(entry->link_name);
 			ptype = convert_aaregex_to_pcre(entry->link_name, 0, glob_default, lbuf, &pos);
 			if (ptype == ePatternInvalid)
 				return FALSE;
@@ -679,8 +676,9 @@ int process_profile_regex(Profile *prof)
 		goto out;
 
 	if (prof->dfa.rules->rule_count > 0) {
+		int xmatch_len = 0;
 		prof->dfa.dfa = prof->dfa.rules->create_dfa(&prof->dfa.size,
-							    dfaflags);
+							    &xmatch_len, dfaflags);
 		delete prof->dfa.rules;
 		prof->dfa.rules = NULL;
 		if (!prof->dfa.dfa)
@@ -815,7 +813,9 @@ int process_profile_policydb(Profile *prof)
 		goto out;
 
 	if (prof->policy.rules->rule_count > 0) {
-		prof->policy.dfa = prof->policy.rules->create_dfa(&prof->policy.size, dfaflags);
+		int xmatch_len = 0;
+		prof->policy.dfa = prof->policy.rules->create_dfa(&prof->policy.size,
+														  &xmatch_len, dfaflags);
 		delete prof->policy.rules;
 
 		prof->policy.rules = NULL;

parser/parser_symtab.c

@@ -25,6 +25,9 @@
 #include "immunix.h"
 #include "parser.h"
 
+typedef int (*comparison_fn_t)(const void *, const void *);
+typedef void (*__free_fn_t)(void *);
+
 enum var_type {
 	sd_boolean,
 	sd_set,

parser/po/af.po

@@ -14,15 +14,15 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2016-06-01 05:14+0000\n"
-"X-Generator: Launchpad (build 18053)\n"
+"X-Launchpad-Export-Date: 2019-04-18 05:32+0000\n"
+"X-Generator: Launchpad (build 18928)\n"
 "Language: af\n"
 
-#: ../parser_include.c:113
+#: ../parser_include.c:113 ../parser_include.c:111
 msgid "Error: Out of memory.\n"
 msgstr ""
 
-#: ../parser_include.c:123
+#: ../parser_include.c:123 ../parser_include.c:121
 #, c-format
 msgid "Error: basedir %s is not a directory, skipping.\n"
 msgstr ""
@@ -32,97 +32,106 @@ msgstr ""
 msgid "Error: Could not add directory %s to search path.\n"
 msgstr ""
 
-#: ../parser_include.c:147
+#: ../parser_include.c:147 ../parser_include.c:151
 msgid "Error: Could not allocate memory.\n"
 msgstr ""
 
-#: ../parser_interface.c:69 ../parser_interface.c:72
+#: ../parser_interface.c:69 ../parser_interface.c:72 ../parser_interface.c:49
 msgid "Bad write position\n"
 msgstr "Slegte skryfposisie\n"
 
-#: ../parser_interface.c:72 ../parser_interface.c:75
+#: ../parser_interface.c:72 ../parser_interface.c:75 ../parser_interface.c:52
 msgid "Permission denied\n"
 msgstr "Toelating geweier\n"
 
-#: ../parser_interface.c:75 ../parser_interface.c:78
+#: ../parser_interface.c:75 ../parser_interface.c:78 ../parser_interface.c:55
 msgid "Out of memory\n"
 msgstr "Geheue is opgebruik\n"
 
-#: ../parser_interface.c:78 ../parser_interface.c:81
+#: ../parser_interface.c:78 ../parser_interface.c:81 ../parser_interface.c:58
 msgid "Couldn't copy profile: Bad memory address\n"
 msgstr ""
 
-#: ../parser_interface.c:81 ../parser_interface.c:84
+#: ../parser_interface.c:81 ../parser_interface.c:84 ../parser_interface.c:61
 msgid "Profile doesn't conform to protocol\n"
 msgstr "Profiel pas nie aan by protokol nie\n"
 
-#: ../parser_interface.c:84 ../parser_interface.c:87
+#: ../parser_interface.c:84 ../parser_interface.c:87 ../parser_interface.c:64
 msgid "Profile does not match signature\n"
 msgstr "Profiel stem nie ooreen met handtekening nie\n"
 
-#: ../parser_interface.c:87 ../parser_interface.c:90
+#: ../parser_interface.c:87 ../parser_interface.c:90 ../parser_interface.c:67
 msgid "Profile version not supported by Apparmor module\n"
 msgstr ""
 
-#: ../parser_interface.c:90 ../parser_interface.c:93
+#: ../parser_interface.c:90 ../parser_interface.c:93 ../parser_interface.c:70
 msgid "Profile already exists\n"
 msgstr "Profiel bestaan reeds\n"
 
-#: ../parser_interface.c:93 ../parser_interface.c:96
+#: ../parser_interface.c:93 ../parser_interface.c:96 ../parser_interface.c:73
 msgid "Profile doesn't exist\n"
 msgstr "Profiel bestaan nie\n"
 
-#: ../parser_interface.c:96 ../parser_interface.c:99
+#: ../parser_interface.c:96 ../parser_interface.c:99 ../parser_interface.c:76
 msgid "Permission denied; attempted to load a profile while confined?\n"
 msgstr ""
 
-#: ../parser_interface.c:99 ../parser_interface.c:102
+#: ../parser_interface.c:99 ../parser_interface.c:102 ../parser_interface.c:79
 #, c-format
 msgid "Unknown error (%d): %s\n"
 msgstr ""
 
 #: ../parser_interface.c:116 ../parser_interface.c:119
+#: ../parser_interface.c:96
 #, c-format
 msgid "%s: Unable to add \"%s\".  "
 msgstr "%s: Kan \"%s\" nie byvoeg nie.  "
 
 #: ../parser_interface.c:121 ../parser_interface.c:124
+#: ../parser_interface.c:101
 #, c-format
 msgid "%s: Unable to replace \"%s\".  "
 msgstr "%s: Kan \"%s\" nie vervang nie.  "
 
 #: ../parser_interface.c:126 ../parser_interface.c:129
+#: ../parser_interface.c:106
 #, c-format
 msgid "%s: Unable to remove \"%s\".  "
 msgstr "%s: Kan \"%s\" nie verskuif nie.  "
 
 #: ../parser_interface.c:131 ../parser_interface.c:134
+#: ../parser_interface.c:111
 #, c-format
 msgid "%s: Unable to write to stdout\n"
 msgstr "%s: Kan nie na stdout toe skryf nie\n"
 
 #: ../parser_interface.c:135 ../parser_interface.c:138
+#: ../parser_interface.c:115
 #, c-format
 msgid "%s: Unable to write to output file\n"
 msgstr ""
 
 #: ../parser_interface.c:138 ../parser_interface.c:162
 #: ../parser_interface.c:141 ../parser_interface.c:165
+#: ../parser_interface.c:118 ../parser_interface.c:142
 #, c-format
 msgid "%s: ASSERT: Invalid option: %d\n"
 msgstr "%s: BEWEER: Ongeldige opsie: %d\n"
 
 #: ../parser_interface.c:147 ../parser_interface.c:150
+#: ../parser_interface.c:127
 #, c-format
 msgid "Addition succeeded for \"%s\".\n"
 msgstr "Byvoeging vir \"%s\" was suksesvol.\n"
 
 #: ../parser_interface.c:151 ../parser_interface.c:154
+#: ../parser_interface.c:131
 #, c-format
 msgid "Replacement succeeded for \"%s\".\n"
 msgstr "Vervanging van \"%s\" was suksesvol.\n"
 
 #: ../parser_interface.c:155 ../parser_interface.c:158
+#: ../parser_interface.c:135
 #, c-format
 msgid "Removal succeeded for \"%s\".\n"
 msgstr "Verwydering van \"%s\" was suksesvol.\n"
@@ -133,6 +142,7 @@ msgid "PANIC bad increment buffer %p pos %p ext %p size %d res %p\n"
 msgstr "PANIEK slegs inkrementbuffer %p pos %p uitbr %p grootte %d res %p\n"
 
 #: ../parser_interface.c:656 ../parser_interface.c:658
+#: ../parser_interface.c:446
 #, c-format
 msgid "profile %s network rules not enforced\n"
 msgstr ""
@@ -143,16 +153,19 @@ msgstr ""
 
 #: ../parser_interface.c:750 ../parser_interface.c:902
 #: ../parser_interface.c:743 ../parser_interface.c:894
+#: ../parser_interface.c:518 ../parser_interface.c:669
 #, c-format
 msgid "Unable to open %s - %s\n"
 msgstr "Kan %s - %s nie open nie\n"
 
 #: ../parser_interface.c:776 ../parser_interface.c:768
+#: ../parser_interface.c:543
 #, c-format
 msgid "Memory Allocation Error: Unable to remove ^%s\n"
 msgstr ""
 
 #: ../parser_interface.c:789 ../parser_interface.c:781
+#: ../parser_interface.c:556
 #, c-format
 msgid "Memory Allocation Error: Unable to remove %s:%s."
 msgstr ""
@@ -168,21 +181,23 @@ msgstr "kan profiel nie seriemaak nie %s\n"
 
 #: ../parser_interface.c:829 ../parser_interface.c:916
 #: ../parser_interface.c:821 ../parser_interface.c:908
+#: ../parser_interface.c:582
 #, c-format
 msgid "%s: Unable to write entire profile entry\n"
 msgstr "%s: Kan nie volledige profielinskrywing skryf nie\n"
 
 #: ../parser_interface.c:839 ../parser_interface.c:831
+#: ../parser_interface.c:593
 #, c-format
 msgid "%s: Unable to write entire profile entry to cache\n"
 msgstr ""
 
-#: parser_lex.l:100 parser_lex.l:163
+#: parser_lex.l:100 parser_lex.l:163 parser_lex.l:169
 #, c-format
 msgid "Could not open '%s'"
 msgstr ""
 
-#: parser_lex.l:104 parser_lex.l:167
+#: parser_lex.l:104 parser_lex.l:167 parser_lex.l:173
 #, c-format
 msgid "fstat failed for '%s'"
 msgstr ""
@@ -197,18 +212,18 @@ msgstr ""
 msgid "stat failed for '%s'"
 msgstr ""
 
-#: parser_lex.l:155 parser_lex.l:133
+#: parser_lex.l:155 parser_lex.l:133 parser_lex.l:139
 #, c-format
 msgid "Could not open '%s' in '%s'"
 msgstr ""
 
 #: parser_lex.l:284 parser_lex.l:322 parser_lex.l:362 parser_lex.l:399
-#: parser_lex.l:469 parser_lex.l:655 parser_lex.l:586
+#: parser_lex.l:469 parser_lex.l:655 parser_lex.l:586 parser_lex.l:638
 #, c-format
 msgid "Found unexpected character: '%s'"
 msgstr "Onverwagte karakter gevind: '%s'"
 
-#: parser_lex.l:386 parser_lex.l:418
+#: parser_lex.l:386 parser_lex.l:418 parser_lex.l:428
 msgid "Variable declarations do not accept trailing commas"
 msgstr ""
 
@@ -217,7 +232,7 @@ msgstr ""
 msgid "(network_mode) Found unexpected character: '%s'"
 msgstr ""
 
-#: ../parser_main.c:333 ../parser_common.c:61
+#: ../parser_main.c:333 ../parser_common.c:61 ../parser_common.c:106
 #, c-format
 msgid "Warning from %s (%s%sline %d): %s"
 msgstr ""
@@ -227,21 +242,21 @@ msgstr ""
 msgid "%s: Could not allocate memory for subdomainbase mount point\n"
 msgstr "%s: Kon geheue vir subdomeinbasis-hegpunt nie toeken nie\n"
 
-#: ../parser_main.c:577 ../parser_main.c:616
+#: ../parser_main.c:577 ../parser_main.c:616 ../parser_main.c:479
 #, c-format
 msgid ""
 "Warning: unable to find a suitable fs in %s, is it mounted?\n"
 "Use --subdomainfs to override.\n"
 msgstr ""
 
-#: ../parser_main.c:597 ../parser_main.c:635
+#: ../parser_main.c:597 ../parser_main.c:635 ../parser_main.c:498
 #, c-format
 msgid ""
 "%s: Sorry. You need root privileges to run this program.\n"
 "\n"
 msgstr ""
 
-#: ../parser_main.c:604 ../parser_main.c:642
+#: ../parser_main.c:604 ../parser_main.c:642 ../parser_main.c:505
 #, c-format
 msgid ""
 "%s: Warning! You've set this program setuid root.\n"
@@ -250,7 +265,7 @@ msgid ""
 msgstr ""
 
 #: ../parser_main.c:704 ../parser_main.c:813 ../parser_main.c:836
-#: ../parser_main.c:946
+#: ../parser_main.c:946 ../parser_main.c:860
 #, c-format
 msgid "Error: Could not read profile %s: %s.\n"
 msgstr ""
@@ -266,42 +281,49 @@ msgstr ""
 #: parser_yacc.y:1042 parser_yacc.y:1078 parser_yacc.y:1082 parser_yacc.y:1092
 #: parser_yacc.y:1102 parser_yacc.y:1201 parser_yacc.y:1223 parser_yacc.y:1234
 #: parser_yacc.y:1309 parser_yacc.y:1327 parser_yacc.y:1334 parser_yacc.y:1385
+#: ../parser_main.c:735 ../parser_main.c:923 ../parser_main.c:1133
+#: ../parser_main.c:1187 parser_yacc.y:311 parser_yacc.y:462 parser_yacc.y:472
+#: parser_yacc.y:583 parser_yacc.y:662 parser_yacc.y:669 parser_yacc.y:1130
+#: parser_yacc.y:1166 parser_yacc.y:1170 parser_yacc.y:1180 parser_yacc.y:1190
+#: parser_yacc.y:1298 parser_yacc.y:1376 parser_yacc.y:1479 parser_yacc.y:1490
+#: parser_yacc.y:1565 parser_yacc.y:1583 parser_yacc.y:1590 parser_yacc.y:1639
+#: ../network.c:314 ../af_unix.cc:203
 msgid "Memory allocation error."
 msgstr "Geheuetoekenningsfout."
 
-#: ../parser_main.c:740 ../parser_main.c:872
+#: ../parser_main.c:740 ../parser_main.c:872 ../parser_main.c:757
 #, c-format
 msgid "Cached load succeeded for \"%s\".\n"
 msgstr ""
 
-#: ../parser_main.c:744 ../parser_main.c:876
+#: ../parser_main.c:744 ../parser_main.c:876 ../parser_main.c:761
 #, c-format
 msgid "Cached reload succeeded for \"%s\".\n"
 msgstr ""
 
-#: ../parser_main.c:910 ../parser_main.c:1058
+#: ../parser_main.c:910 ../parser_main.c:1058 ../parser_main.c:967
 #, c-format
 msgid "%s: Errors found in file. Aborting.\n"
 msgstr "%s: Foute in lêer gevind. Staking.\n"
 
-#: ../parser_misc.c:426 ../parser_misc.c:597
+#: ../parser_misc.c:426 ../parser_misc.c:597 ../parser_misc.c:339
 msgid ""
 "Uppercase qualifiers \"RWLIMX\" are deprecated, please convert to lowercase\n"
 "See the apparmor.d(5) manpage for details.\n"
 msgstr ""
 
 #: ../parser_misc.c:467 ../parser_misc.c:474 ../parser_misc.c:638
-#: ../parser_misc.c:645
+#: ../parser_misc.c:645 ../parser_misc.c:380 ../parser_misc.c:387
 msgid "Conflict 'a' and 'w' perms are mutually exclusive."
 msgstr ""
 
-#: ../parser_misc.c:491 ../parser_misc.c:662
+#: ../parser_misc.c:491 ../parser_misc.c:662 ../parser_misc.c:404
 msgid "Exec qualifier 'i' invalid, conflicting qualifier already specified"
 msgstr ""
 "Uitvoerende kwalifiseerder 'i' is ongeldig, konflikterende kwalifiseerder "
 "reeds gespesifisieer"
 
-#: ../parser_misc.c:502 ../parser_misc.c:673
+#: ../parser_misc.c:502 ../parser_misc.c:673 ../parser_misc.c:415
 #, c-format
 msgid ""
 "Unconfined exec qualifier (%c%c) allows some dangerous environment variables "
@@ -309,24 +331,24 @@ msgid ""
 msgstr ""
 
 #: ../parser_misc.c:510 ../parser_misc.c:551 ../parser_misc.c:681
-#: ../parser_misc.c:722
+#: ../parser_misc.c:722 ../parser_misc.c:423 ../parser_misc.c:464
 #, c-format
 msgid "Exec qualifier '%c' invalid, conflicting qualifier already specified"
 msgstr ""
 
 #: ../parser_misc.c:537 ../parser_misc.c:545 ../parser_misc.c:708
-#: ../parser_misc.c:716
+#: ../parser_misc.c:716 ../parser_misc.c:450 ../parser_misc.c:458
 #, c-format
 msgid ""
 "Exec qualifier '%c%c' invalid, conflicting qualifier already specified"
 msgstr ""
 
-#: ../parser_misc.c:593 ../parser_misc.c:764
+#: ../parser_misc.c:593 ../parser_misc.c:764 ../parser_misc.c:506
 #, c-format
 msgid "Internal: unexpected mode character '%c' in input"
 msgstr ""
 
-#: ../parser_misc.c:615 ../parser_misc.c:786
+#: ../parser_misc.c:615 ../parser_misc.c:786 ../parser_misc.c:528
 #, c-format
 msgid "Internal error generated invalid perm 0x%llx\n"
 msgstr ""
@@ -337,131 +359,133 @@ msgstr ""
 msgid "AppArmor parser error: %s\n"
 msgstr ""
 
-#: ../parser_merge.c:92 ../parser_merge.c:91
+#: ../parser_merge.c:92 ../parser_merge.c:91 ../parser_merge.c:83
 msgid "Couldn't merge entries. Out of Memory\n"
 msgstr "Kon inskrywings nie saamvleg nie. Geheue is opgebruik\n"
 
-#: ../parser_merge.c:111 ../parser_merge.c:113
+#: ../parser_merge.c:111 ../parser_merge.c:113 ../parser_merge.c:105
 #, c-format
 msgid "profile %s: has merged rule %s with conflicting x modifiers\n"
 msgstr ""
 
-#: parser_yacc.y:236 parser_yacc.y:277
+#: parser_yacc.y:236 parser_yacc.y:277 parser_yacc.y:320
 msgid "Profile attachment must begin with a '/'."
 msgstr ""
 
-#: parser_yacc.y:260 parser_yacc.y:302
+#: parser_yacc.y:260 parser_yacc.y:302 parser_yacc.y:348
 msgid ""
 "Profile names must begin with a '/', namespace or keyword 'profile' or 'hat'."
 msgstr ""
 
-#: parser_yacc.y:296 parser_yacc.y:338
+#: parser_yacc.y:296 parser_yacc.y:338 parser_yacc.y:384
 #, c-format
 msgid "Failed to create alias %s -> %s\n"
 msgstr ""
 
-#: parser_yacc.y:417 parser_yacc.y:460
+#: parser_yacc.y:417 parser_yacc.y:460 parser_yacc.y:506
 msgid "Profile flag chroot_relative conflicts with namespace_relative"
 msgstr ""
 
-#: parser_yacc.y:421 parser_yacc.y:464
+#: parser_yacc.y:421 parser_yacc.y:464 parser_yacc.y:510
 msgid "Profile flag mediate_deleted conflicts with delegate_deleted"
 msgstr ""
 
-#: parser_yacc.y:424 parser_yacc.y:467
+#: parser_yacc.y:424 parser_yacc.y:467 parser_yacc.y:513
 msgid ""
 "Profile flag attach_disconnected conflicts with no_attach_disconnected"
 msgstr ""
 
-#: parser_yacc.y:427 parser_yacc.y:470
+#: parser_yacc.y:427 parser_yacc.y:470 parser_yacc.y:516
 msgid "Profile flag chroot_attach conflicts with chroot_no_attach"
 msgstr ""
 
-#: parser_yacc.y:441 parser_yacc.y:484
+#: parser_yacc.y:441 parser_yacc.y:484 parser_yacc.y:530
 msgid "Profile flag 'debug' is no longer valid."
 msgstr ""
 
-#: parser_yacc.y:463 parser_yacc.y:506
+#: parser_yacc.y:463 parser_yacc.y:506 parser_yacc.y:552
 #, c-format
 msgid "Invalid profile flag: %s."
 msgstr ""
 
-#: parser_yacc.y:498 parser_yacc.y:520 parser_yacc.y:548
+#: parser_yacc.y:498 parser_yacc.y:520 parser_yacc.y:548 parser_yacc.y:594
 msgid "Assert: `rule' returned NULL."
 msgstr "Beweer: `reël' het NUL teruggestuur."
 
 #: parser_yacc.y:501 parser_yacc.y:546 parser_yacc.y:552 parser_yacc.y:584
+#: parser_yacc.y:598 parser_yacc.y:630
 msgid ""
 "Invalid mode, in deny rules 'x' must not be preceded by exec qualifier 'i', "
 "'p', or 'u'"
 msgstr ""
 
-#: parser_yacc.y:524 parser_yacc.y:556
+#: parser_yacc.y:524 parser_yacc.y:556 parser_yacc.y:602
 msgid ""
 "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', 'c', or 'u'"
 msgstr ""
 
-#: parser_yacc.y:549 parser_yacc.y:587
+#: parser_yacc.y:549 parser_yacc.y:587 parser_yacc.y:633
 msgid "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'"
 msgstr ""
 
-#: parser_yacc.y:574 parser_yacc.y:612 parser_yacc.y:614
+#: parser_yacc.y:574 parser_yacc.y:612 parser_yacc.y:614 parser_yacc.y:660
 msgid "Assert: `network_rule' return invalid protocol."
 msgstr ""
 
-#: parser_yacc.y:649 parser_yacc.y:696
+#: parser_yacc.y:649 parser_yacc.y:696 parser_yacc.y:786
 msgid "Assert: `change_profile' returned NULL."
 msgstr ""
 
-#: parser_yacc.y:680 parser_yacc.y:720
+#: parser_yacc.y:680 parser_yacc.y:720 parser_yacc.y:810
 msgid "Assert: 'hat rule' returned NULL."
 msgstr "Beweer: `hat-reël' het NUL teruggestuur."
 
-#: parser_yacc.y:689 parser_yacc.y:729
+#: parser_yacc.y:689 parser_yacc.y:729 parser_yacc.y:819
 msgid "Assert: 'local_profile rule' returned NULL."
 msgstr ""
 
-#: parser_yacc.y:824 parser_yacc.y:885
+#: parser_yacc.y:824 parser_yacc.y:885 parser_yacc.y:992
 #, c-format
 msgid "Unset boolean variable %s used in if-expression"
 msgstr ""
 
-#: parser_yacc.y:882 parser_yacc.y:986
+#: parser_yacc.y:882 parser_yacc.y:986 parser_yacc.y:1092
 msgid "unsafe rule missing exec permissions"
 msgstr ""
 
-#: parser_yacc.y:901 parser_yacc.y:954
+#: parser_yacc.y:901 parser_yacc.y:954 parser_yacc.y:1060
 msgid "subset can only be used with link rules."
 msgstr ""
 
-#: parser_yacc.y:903 parser_yacc.y:956
+#: parser_yacc.y:903 parser_yacc.y:956 parser_yacc.y:1062
 msgid "link and exec perms conflict on a file rule using ->"
 msgstr ""
 
-#: parser_yacc.y:905 parser_yacc.y:958
+#: parser_yacc.y:905 parser_yacc.y:958 parser_yacc.y:1064
 msgid "link perms are not allowed on a named profile transition.\n"
 msgstr ""
 
-#: parser_yacc.y:921 parser_yacc.y:1003
+#: parser_yacc.y:921 parser_yacc.y:1003 parser_yacc.y:1109
 #, c-format
 msgid "missing an end of line character? (entry: %s)"
 msgstr "ontbreek daar ’n reëleindkarakter? (inskrywing: %s)"
 
 #: parser_yacc.y:975 parser_yacc.y:985 parser_yacc.y:1057 parser_yacc.y:1067
+#: parser_yacc.y:1145 parser_yacc.y:1155
 msgid "Invalid network entry."
 msgstr ""
 
-#: parser_yacc.y:1039 parser_yacc.y:1048 parser_yacc.y:1254
+#: parser_yacc.y:1039 parser_yacc.y:1048 parser_yacc.y:1254 parser_yacc.y:1510
 #, c-format
 msgid "Invalid capability %s."
 msgstr ""
 
-#: parser_yacc.y:1066 parser_yacc.y:1269
+#: parser_yacc.y:1066 parser_yacc.y:1269 parser_yacc.y:1525
 #, c-format
 msgid "AppArmor parser error for %s%s%s at line %d: %s\n"
 msgstr ""
 
-#: parser_yacc.y:1072 parser_yacc.y:1275
+#: parser_yacc.y:1072 parser_yacc.y:1275 parser_yacc.y:1531
 #, c-format
 msgid "AppArmor parser error,%s%s line %d: %s\n"
 msgstr ""
@@ -471,12 +495,12 @@ msgstr ""
 msgid "%s: Illegal open {, nesting groupings not allowed\n"
 msgstr "%s: Onwettige open {, nesting van groeperings nie toegelaat nie\n"
 
-#: ../parser_regex.c:265 ../parser_regex.c:274
+#: ../parser_regex.c:265 ../parser_regex.c:274 ../parser_regex.c:278
 #, c-format
 msgid "%s: Regex grouping error: Invalid number of items between {}\n"
 msgstr "%s: Regex-groeperingsfout: Ongeldige aantal items tussen {}\n"
 
-#: ../parser_regex.c:271 ../parser_regex.c:280
+#: ../parser_regex.c:271 ../parser_regex.c:280 ../parser_regex.c:284
 #, c-format
 msgid ""
 "%s: Regex grouping error: Invalid close }, no matching open { detected\n"
@@ -484,7 +508,7 @@ msgstr ""
 "%s: Regex-groeperingsfout: Ongeldige sluiting }, geen ooreenstemmende oop "
 "nie { bespeur\n"
 
-#: ../parser_regex.c:337 ../parser_regex.c:343
+#: ../parser_regex.c:337 ../parser_regex.c:343 ../parser_regex.c:361
 #, c-format
 msgid ""
 "%s: Regex grouping error: Unclosed grouping or character class, expecting "
@@ -496,17 +520,17 @@ msgstr ""
 msgid "%s: Internal buffer overflow detected, %d characters exceeded\n"
 msgstr "%s: Interne bufferoorvloei bespeur, %d karakters oorskry\n"
 
-#: ../parser_regex.c:355 ../parser_regex.c:361
+#: ../parser_regex.c:355 ../parser_regex.c:361 ../parser_regex.c:377
 #, c-format
 msgid "%s: Unable to parse input line '%s'\n"
 msgstr "%s: Kan insetreël '%s' nie ontleed nie\n"
 
-#: ../parser_regex.c:397 ../parser_regex.c:405
+#: ../parser_regex.c:397 ../parser_regex.c:405 ../parser_regex.c:421
 #, c-format
 msgid "%s: Invalid profile name '%s' - bad regular expression\n"
 msgstr ""
 
-#: ../parser_policy.c:202 ../parser_policy.c:402
+#: ../parser_policy.c:202 ../parser_policy.c:402 ../parser_policy.c:375
 #, c-format
 msgid "ERROR merging rules for profile %s, failed to load\n"
 msgstr ""
@@ -519,17 +543,17 @@ msgid ""
 "\t'**' may only be used at the end of a rule.\n"
 msgstr ""
 
-#: ../parser_policy.c:279 ../parser_policy.c:359
+#: ../parser_policy.c:279 ../parser_policy.c:359 ../parser_policy.c:332
 #, c-format
 msgid "ERROR processing regexs for profile %s, failed to load\n"
 msgstr ""
 
-#: ../parser_policy.c:306 ../parser_policy.c:389
+#: ../parser_policy.c:306 ../parser_policy.c:389 ../parser_policy.c:362
 #, c-format
 msgid "ERROR expanding variables for profile %s, failed to load\n"
 msgstr ""
 
-#: ../parser_policy.c:390 ../parser_policy.c:382
+#: ../parser_policy.c:390 ../parser_policy.c:382 ../parser_policy.c:355
 #, c-format
 msgid "ERROR adding hat access rule for profile %s\n"
 msgstr ""
@@ -560,30 +584,31 @@ msgid "%s: Errors found in combining rules postprocessing. Aborting.\n"
 msgstr ""
 "%s: Foute gevind in die kombineer van reëls tydens naprosessering. Staking.\n"
 
-#: parser_lex.l:180
+#: parser_lex.l:180 parser_lex.l:186
 #, c-format
 msgid "Could not process include directory '%s' in '%s'"
 msgstr ""
 
-#: ../parser_main.c:660
+#: ../parser_main.c:660 ../parser_main.c:523
 msgid "Feature buffer full."
 msgstr ""
 
-#: ../parser_main.c:1115 ../parser_main.c:1132
+#: ../parser_main.c:1115 ../parser_main.c:1132 ../parser_main.c:1024
+#: ../parser_main.c:1041
 msgid "Out of memory"
 msgstr ""
 
-#: ../parser_main.c:1182
+#: ../parser_main.c:1182 ../parser_main.c:1091
 #, c-format
 msgid "Can't create cache directory: %s\n"
 msgstr ""
 
-#: ../parser_main.c:1185
+#: ../parser_main.c:1185 ../parser_main.c:1094
 #, c-format
 msgid "File in cache directory location: %s\n"
 msgstr ""
 
-#: ../parser_main.c:1188
+#: ../parser_main.c:1188 ../parser_main.c:1097
 #, c-format
 msgid "Can't update cache directory: %s\n"
 msgstr ""
@@ -598,11 +623,11 @@ msgstr ""
 msgid "Internal error generated invalid DBus perm 0x%x\n"
 msgstr ""
 
-#: parser_yacc.y:575
+#: parser_yacc.y:575 parser_yacc.y:621
 msgid "deny prefix not allowed"
 msgstr ""
 
-#: parser_yacc.y:612
+#: parser_yacc.y:612 parser_yacc.y:658
 msgid "owner prefix not allowed"
 msgstr ""
 
@@ -618,41 +643,41 @@ msgstr ""
 msgid "owner prefix not allow on capability rules"
 msgstr ""
 
-#: parser_yacc.y:1357
+#: parser_yacc.y:1357 parser_yacc.y:1613
 #, c-format
 msgid "invalid mount conditional %s%s"
 msgstr ""
 
-#: parser_yacc.y:1374
+#: parser_yacc.y:1374 parser_yacc.y:1628
 msgid "bad mount rule"
 msgstr ""
 
-#: parser_yacc.y:1381
+#: parser_yacc.y:1381 parser_yacc.y:1635
 msgid "mount point conditions not currently supported"
 msgstr ""
 
-#: parser_yacc.y:1398
+#: parser_yacc.y:1398 parser_yacc.y:1650
 #, c-format
 msgid "invalid pivotroot conditional '%s'"
 msgstr ""
 
-#: ../parser_regex.c:241
+#: ../parser_regex.c:241 ../parser_regex.c:236
 #, c-format
 msgid ""
 "%s: Regex grouping error: Invalid close ], no matching open [ detected\n"
 msgstr ""
 
-#: ../parser_regex.c:257
+#: ../parser_regex.c:257 ../parser_regex.c:256
 #, c-format
 msgid "%s: Regex grouping error: Exceeded maximum nesting of {}\n"
 msgstr ""
 
-#: ../parser_policy.c:366
+#: ../parser_policy.c:366 ../parser_policy.c:339
 #, c-format
 msgid "ERROR processing policydb rules for profile %s, failed to load\n"
 msgstr ""
 
-#: ../parser_policy.c:396
+#: ../parser_policy.c:396 ../parser_policy.c:369
 #, c-format
 msgid "ERROR replacing aliases for profile %s, failed to load\n"
 msgstr ""

parser/po/apparmor-parser.pot

@@ -1,5 +1,5 @@
 # SOME DESCRIPTIVE TITLE.
-# Copyright (C) YEAR NOVELL, Inc.
+# Copyright (C) YEAR Canonical Ltd
 # This file is distributed under the same license as the PACKAGE package.
 # FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
 #
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
-"POT-Creation-Date: 2014-09-13 00:11-0700\n"
+"POT-Creation-Date: 2020-10-14 03:35-0700\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -17,95 +17,106 @@ msgstr ""
 "Content-Type: text/plain; charset=CHARSET\n"
 "Content-Transfer-Encoding: 8bit\n"
 
-#: ../parser_include.c:113 ../parser_include.c:111
+#: ../parser_include.c:113 ../parser_include.c:111 ../parser_include.c:114
 msgid "Error: Out of memory.\n"
 msgstr ""
 
-#: ../parser_include.c:123 ../parser_include.c:121
+#: ../parser_include.c:123 ../parser_include.c:121 ../parser_include.c:124
 #, c-format
 msgid "Error: basedir %s is not a directory, skipping.\n"
 msgstr ""
 
-#: ../parser_include.c:137
+#: ../parser_include.c:137 ../parser_include.c:140
 #, c-format
 msgid "Error: Could not add directory %s to search path.\n"
 msgstr ""
 
-#: ../parser_include.c:147 ../parser_include.c:151
+#: ../parser_include.c:147 ../parser_include.c:151 ../parser_include.c:154
 msgid "Error: Could not allocate memory.\n"
 msgstr ""
 
 #: ../parser_interface.c:69 ../parser_interface.c:72 ../parser_interface.c:49
+#: ../parser_interface.c:52
 msgid "Bad write position\n"
 msgstr ""
 
 #: ../parser_interface.c:72 ../parser_interface.c:75 ../parser_interface.c:52
+#: ../parser_interface.c:55
 msgid "Permission denied\n"
 msgstr ""
 
 #: ../parser_interface.c:75 ../parser_interface.c:78 ../parser_interface.c:55
+#: ../parser_interface.c:58
 msgid "Out of memory\n"
 msgstr ""
 
 #: ../parser_interface.c:78 ../parser_interface.c:81 ../parser_interface.c:58
+#: ../parser_interface.c:61
 msgid "Couldn't copy profile: Bad memory address\n"
 msgstr ""
 
 #: ../parser_interface.c:81 ../parser_interface.c:84 ../parser_interface.c:61
+#: ../parser_interface.c:64
 msgid "Profile doesn't conform to protocol\n"
 msgstr ""
 
 #: ../parser_interface.c:84 ../parser_interface.c:87 ../parser_interface.c:64
+#: ../parser_interface.c:67
 msgid "Profile does not match signature\n"
 msgstr ""
 
 #: ../parser_interface.c:87 ../parser_interface.c:90 ../parser_interface.c:67
+#: ../parser_interface.c:70
 msgid "Profile version not supported by Apparmor module\n"
 msgstr ""
 
 #: ../parser_interface.c:90 ../parser_interface.c:93 ../parser_interface.c:70
+#: ../parser_interface.c:73
 msgid "Profile already exists\n"
 msgstr ""
 
 #: ../parser_interface.c:93 ../parser_interface.c:96 ../parser_interface.c:73
+#: ../parser_interface.c:76
 msgid "Profile doesn't exist\n"
 msgstr ""
 
 #: ../parser_interface.c:96 ../parser_interface.c:99 ../parser_interface.c:76
+#: ../parser_interface.c:79
 msgid "Permission denied; attempted to load a profile while confined?\n"
 msgstr ""
 
 #: ../parser_interface.c:99 ../parser_interface.c:102 ../parser_interface.c:79
+#: ../parser_interface.c:82
 #, c-format
 msgid "Unknown error (%d): %s\n"
 msgstr ""
 
-#: ../parser_interface.c:116 ../parser_interface.c:119
-#: ../parser_interface.c:96
+#: ../parser_interface.c:116 ../parser_interface.c:119 ../parser_interface.c:96
+#: ../parser_interface.c:100
 #, c-format
 msgid "%s: Unable to add \"%s\".  "
 msgstr ""
 
 #: ../parser_interface.c:121 ../parser_interface.c:124
-#: ../parser_interface.c:101
+#: ../parser_interface.c:101 ../parser_interface.c:105
 #, c-format
 msgid "%s: Unable to replace \"%s\".  "
 msgstr ""
 
 #: ../parser_interface.c:126 ../parser_interface.c:129
-#: ../parser_interface.c:106
+#: ../parser_interface.c:106 ../parser_interface.c:110
 #, c-format
 msgid "%s: Unable to remove \"%s\".  "
 msgstr ""
 
 #: ../parser_interface.c:131 ../parser_interface.c:134
-#: ../parser_interface.c:111
+#: ../parser_interface.c:111 ../parser_interface.c:115
 #, c-format
 msgid "%s: Unable to write to stdout\n"
 msgstr ""
 
 #: ../parser_interface.c:135 ../parser_interface.c:138
-#: ../parser_interface.c:115
+#: ../parser_interface.c:115 ../parser_interface.c:119
 #, c-format
 msgid "%s: Unable to write to output file\n"
 msgstr ""
@@ -113,24 +124,25 @@ msgstr ""
 #: ../parser_interface.c:138 ../parser_interface.c:162
 #: ../parser_interface.c:141 ../parser_interface.c:165
 #: ../parser_interface.c:118 ../parser_interface.c:142
+#: ../parser_interface.c:122 ../parser_interface.c:146
 #, c-format
 msgid "%s: ASSERT: Invalid option: %d\n"
 msgstr ""
 
 #: ../parser_interface.c:147 ../parser_interface.c:150
-#: ../parser_interface.c:127
+#: ../parser_interface.c:127 ../parser_interface.c:131
 #, c-format
 msgid "Addition succeeded for \"%s\".\n"
 msgstr ""
 
 #: ../parser_interface.c:151 ../parser_interface.c:154
-#: ../parser_interface.c:131
+#: ../parser_interface.c:131 ../parser_interface.c:135
 #, c-format
 msgid "Replacement succeeded for \"%s\".\n"
 msgstr ""
 
 #: ../parser_interface.c:155 ../parser_interface.c:158
-#: ../parser_interface.c:135
+#: ../parser_interface.c:135 ../parser_interface.c:139
 #, c-format
 msgid "Removal succeeded for \"%s\".\n"
 msgstr ""
@@ -141,7 +153,7 @@ msgid "PANIC bad increment buffer %p pos %p ext %p size %d res %p\n"
 msgstr ""
 
 #: ../parser_interface.c:656 ../parser_interface.c:658
-#: ../parser_interface.c:446
+#: ../parser_interface.c:446 ../parser_interface.c:448
 #, c-format
 msgid "profile %s network rules not enforced\n"
 msgstr ""
@@ -186,12 +198,12 @@ msgid "%s: Unable to write entire profile entry\n"
 msgstr ""
 
 #: ../parser_interface.c:839 ../parser_interface.c:831
-#: ../parser_interface.c:593
+#: ../parser_interface.c:593 ../parser_interface.c:551
 #, c-format
 msgid "%s: Unable to write entire profile entry to cache\n"
 msgstr ""
 
-#: parser_lex.l:100 parser_lex.l:163 parser_lex.l:169
+#: parser_lex.l:100 parser_lex.l:163 parser_lex.l:169 parser_lex.l:168
 #, c-format
 msgid "Could not open '%s'"
 msgstr ""
@@ -211,7 +223,7 @@ msgstr ""
 msgid "stat failed for '%s'"
 msgstr ""
 
-#: parser_lex.l:155 parser_lex.l:133 parser_lex.l:139
+#: parser_lex.l:155 parser_lex.l:133 parser_lex.l:139 parser_lex.l:138
 #, c-format
 msgid "Could not open '%s' in '%s'"
 msgstr ""
@@ -222,7 +234,7 @@ msgstr ""
 msgid "Found unexpected character: '%s'"
 msgstr ""
 
-#: parser_lex.l:386 parser_lex.l:418 parser_lex.l:428
+#: parser_lex.l:386 parser_lex.l:418 parser_lex.l:428 parser_lex.l:477
 msgid "Variable declarations do not accept trailing commas"
 msgstr ""
 
@@ -232,6 +244,7 @@ msgid "(network_mode) Found unexpected character: '%s'"
 msgstr ""
 
 #: ../parser_main.c:333 ../parser_common.c:61 ../parser_common.c:106
+#: ../parser_common.c:107
 #, c-format
 msgid "Warning from %s (%s%sline %d): %s"
 msgstr ""
@@ -242,6 +255,7 @@ msgid "%s: Could not allocate memory for subdomainbase mount point\n"
 msgstr ""
 
 #: ../parser_main.c:577 ../parser_main.c:616 ../parser_main.c:479
+#: ../parser_main.c:1302
 #, c-format
 msgid ""
 "Warning: unable to find a suitable fs in %s, is it mounted?\n"
@@ -249,6 +263,7 @@ msgid ""
 msgstr ""
 
 #: ../parser_main.c:597 ../parser_main.c:635 ../parser_main.c:498
+#: ../parser_main.c:730
 #, c-format
 msgid ""
 "%s: Sorry. You need root privileges to run this program.\n"
@@ -256,6 +271,7 @@ msgid ""
 msgstr ""
 
 #: ../parser_main.c:604 ../parser_main.c:642 ../parser_main.c:505
+#: ../parser_main.c:736
 #, c-format
 msgid ""
 "%s: Warning! You've set this program setuid root.\n"
@@ -264,7 +280,7 @@ msgid ""
 msgstr ""
 
 #: ../parser_main.c:704 ../parser_main.c:813 ../parser_main.c:836
-#: ../parser_main.c:946 ../parser_main.c:860
+#: ../parser_main.c:946 ../parser_main.c:860 ../parser_main.c:925
 #, c-format
 msgid "Error: Could not read profile %s: %s.\n"
 msgstr ""
@@ -286,26 +302,36 @@ msgstr ""
 #: parser_yacc.y:1166 parser_yacc.y:1170 parser_yacc.y:1180 parser_yacc.y:1190
 #: parser_yacc.y:1298 parser_yacc.y:1376 parser_yacc.y:1479 parser_yacc.y:1490
 #: parser_yacc.y:1565 parser_yacc.y:1583 parser_yacc.y:1590 parser_yacc.y:1639
-#: ../network.c:314 ../af_unix.cc:203
+#: ../network.c:314 ../af_unix.cc:203 ../parser_misc.c:729 parser_yacc.y:315
+#: parser_yacc.y:339 parser_yacc.y:493 parser_yacc.y:503 parser_yacc.y:614
+#: parser_yacc.y:695 parser_yacc.y:702 parser_yacc.y:1116 parser_yacc.y:1164
+#: parser_yacc.y:1200 parser_yacc.y:1204 parser_yacc.y:1214 parser_yacc.y:1224
+#: parser_yacc.y:1318 parser_yacc.y:1396 parser_yacc.y:1529 parser_yacc.y:1534
+#: parser_yacc.y:1608 parser_yacc.y:1626 parser_yacc.y:1633 parser_yacc.y:1682
+#: ../network.c:315 ../af_unix.cc:204
 msgid "Memory allocation error."
 msgstr ""
 
 #: ../parser_main.c:740 ../parser_main.c:872 ../parser_main.c:757
+#: ../parser_main.c:866
 #, c-format
 msgid "Cached load succeeded for \"%s\".\n"
 msgstr ""
 
 #: ../parser_main.c:744 ../parser_main.c:876 ../parser_main.c:761
+#: ../parser_main.c:870
 #, c-format
 msgid "Cached reload succeeded for \"%s\".\n"
 msgstr ""
 
 #: ../parser_main.c:910 ../parser_main.c:1058 ../parser_main.c:967
+#: ../parser_main.c:1019
 #, c-format
 msgid "%s: Errors found in file. Aborting.\n"
 msgstr ""
 
 #: ../parser_misc.c:426 ../parser_misc.c:597 ../parser_misc.c:339
+#: ../parser_misc.c:322
 msgid ""
 "Uppercase qualifiers \"RWLIMX\" are deprecated, please convert to lowercase\n"
 "See the apparmor.d(5) manpage for details.\n"
@@ -313,14 +339,17 @@ msgstr ""
 
 #: ../parser_misc.c:467 ../parser_misc.c:474 ../parser_misc.c:638
 #: ../parser_misc.c:645 ../parser_misc.c:380 ../parser_misc.c:387
+#: ../parser_misc.c:363 ../parser_misc.c:370
 msgid "Conflict 'a' and 'w' perms are mutually exclusive."
 msgstr ""
 
 #: ../parser_misc.c:491 ../parser_misc.c:662 ../parser_misc.c:404
+#: ../parser_misc.c:387
 msgid "Exec qualifier 'i' invalid, conflicting qualifier already specified"
 msgstr ""
 
 #: ../parser_misc.c:502 ../parser_misc.c:673 ../parser_misc.c:415
+#: ../parser_misc.c:398
 #, c-format
 msgid ""
 "Unconfined exec qualifier (%c%c) allows some dangerous environment variables "
@@ -329,22 +358,26 @@ msgstr ""
 
 #: ../parser_misc.c:510 ../parser_misc.c:551 ../parser_misc.c:681
 #: ../parser_misc.c:722 ../parser_misc.c:423 ../parser_misc.c:464
+#: ../parser_misc.c:406 ../parser_misc.c:447
 #, c-format
 msgid "Exec qualifier '%c' invalid, conflicting qualifier already specified"
 msgstr ""
 
 #: ../parser_misc.c:537 ../parser_misc.c:545 ../parser_misc.c:708
 #: ../parser_misc.c:716 ../parser_misc.c:450 ../parser_misc.c:458
+#: ../parser_misc.c:433 ../parser_misc.c:441
 #, c-format
 msgid "Exec qualifier '%c%c' invalid, conflicting qualifier already specified"
 msgstr ""
 
 #: ../parser_misc.c:593 ../parser_misc.c:764 ../parser_misc.c:506
+#: ../parser_misc.c:489
 #, c-format
 msgid "Internal: unexpected mode character '%c' in input"
 msgstr ""
 
 #: ../parser_misc.c:615 ../parser_misc.c:786 ../parser_misc.c:528
+#: ../parser_misc.c:511
 #, c-format
 msgid "Internal error generated invalid perm 0x%llx\n"
 msgstr ""
@@ -356,10 +389,12 @@ msgid "AppArmor parser error: %s\n"
 msgstr ""
 
 #: ../parser_merge.c:92 ../parser_merge.c:91 ../parser_merge.c:83
+#: ../parser_merge.c:71
 msgid "Couldn't merge entries. Out of Memory\n"
 msgstr ""
 
 #: ../parser_merge.c:111 ../parser_merge.c:113 ../parser_merge.c:105
+#: ../parser_merge.c:93
 #, c-format
 msgid "profile %s: has merged rule %s with conflicting x modifiers\n"
 msgstr ""
@@ -368,119 +403,122 @@ msgstr ""
 msgid "Profile attachment must begin with a '/'."
 msgstr ""
 
-#: parser_yacc.y:260 parser_yacc.y:302 parser_yacc.y:348
+#: parser_yacc.y:260 parser_yacc.y:302 parser_yacc.y:348 parser_yacc.y:373
 msgid ""
 "Profile names must begin with a '/', namespace or keyword 'profile' or 'hat'."
 msgstr ""
 
-#: parser_yacc.y:296 parser_yacc.y:338 parser_yacc.y:384
+#: parser_yacc.y:296 parser_yacc.y:338 parser_yacc.y:384 parser_yacc.y:409
 #, c-format
 msgid "Failed to create alias %s -> %s\n"
 msgstr ""
 
-#: parser_yacc.y:417 parser_yacc.y:460 parser_yacc.y:506
+#: parser_yacc.y:417 parser_yacc.y:460 parser_yacc.y:506 parser_yacc.y:537
 msgid "Profile flag chroot_relative conflicts with namespace_relative"
 msgstr ""
 
-#: parser_yacc.y:421 parser_yacc.y:464 parser_yacc.y:510
+#: parser_yacc.y:421 parser_yacc.y:464 parser_yacc.y:510 parser_yacc.y:541
 msgid "Profile flag mediate_deleted conflicts with delegate_deleted"
 msgstr ""
 
-#: parser_yacc.y:424 parser_yacc.y:467 parser_yacc.y:513
+#: parser_yacc.y:424 parser_yacc.y:467 parser_yacc.y:513 parser_yacc.y:544
 msgid "Profile flag attach_disconnected conflicts with no_attach_disconnected"
 msgstr ""
 
-#: parser_yacc.y:427 parser_yacc.y:470 parser_yacc.y:516
+#: parser_yacc.y:427 parser_yacc.y:470 parser_yacc.y:516 parser_yacc.y:547
 msgid "Profile flag chroot_attach conflicts with chroot_no_attach"
 msgstr ""
 
-#: parser_yacc.y:441 parser_yacc.y:484 parser_yacc.y:530
+#: parser_yacc.y:441 parser_yacc.y:484 parser_yacc.y:530 parser_yacc.y:561
 msgid "Profile flag 'debug' is no longer valid."
 msgstr ""
 
-#: parser_yacc.y:463 parser_yacc.y:506 parser_yacc.y:552
+#: parser_yacc.y:463 parser_yacc.y:506 parser_yacc.y:552 parser_yacc.y:583
 #, c-format
 msgid "Invalid profile flag: %s."
 msgstr ""
 
 #: parser_yacc.y:498 parser_yacc.y:520 parser_yacc.y:548 parser_yacc.y:594
+#: parser_yacc.y:627
 msgid "Assert: `rule' returned NULL."
 msgstr ""
 
 #: parser_yacc.y:501 parser_yacc.y:546 parser_yacc.y:552 parser_yacc.y:584
-#: parser_yacc.y:598 parser_yacc.y:630
+#: parser_yacc.y:598 parser_yacc.y:630 parser_yacc.y:631 parser_yacc.y:663
 msgid ""
 "Invalid mode, in deny rules 'x' must not be preceded by exec qualifier 'i', "
 "'p', or 'u'"
 msgstr ""
 
-#: parser_yacc.y:524 parser_yacc.y:556 parser_yacc.y:602
+#: parser_yacc.y:524 parser_yacc.y:556 parser_yacc.y:602 parser_yacc.y:635
 msgid ""
 "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', 'c', or 'u'"
 msgstr ""
 
-#: parser_yacc.y:549 parser_yacc.y:587 parser_yacc.y:633
+#: parser_yacc.y:549 parser_yacc.y:587 parser_yacc.y:633 parser_yacc.y:666
 msgid "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'"
 msgstr ""
 
 #: parser_yacc.y:574 parser_yacc.y:612 parser_yacc.y:614 parser_yacc.y:660
+#: parser_yacc.y:693
 msgid "Assert: `network_rule' return invalid protocol."
 msgstr ""
 
-#: parser_yacc.y:649 parser_yacc.y:696 parser_yacc.y:786
+#: parser_yacc.y:649 parser_yacc.y:696 parser_yacc.y:786 parser_yacc.y:819
 msgid "Assert: `change_profile' returned NULL."
 msgstr ""
 
-#: parser_yacc.y:680 parser_yacc.y:720 parser_yacc.y:810
+#: parser_yacc.y:680 parser_yacc.y:720 parser_yacc.y:810 parser_yacc.y:857
 msgid "Assert: 'hat rule' returned NULL."
 msgstr ""
 
-#: parser_yacc.y:689 parser_yacc.y:729 parser_yacc.y:819
+#: parser_yacc.y:689 parser_yacc.y:729 parser_yacc.y:819 parser_yacc.y:866
 msgid "Assert: 'local_profile rule' returned NULL."
 msgstr ""
 
-#: parser_yacc.y:824 parser_yacc.y:885 parser_yacc.y:992
+#: parser_yacc.y:824 parser_yacc.y:885 parser_yacc.y:992 parser_yacc.y:1029
 #, c-format
 msgid "Unset boolean variable %s used in if-expression"
 msgstr ""
 
-#: parser_yacc.y:882 parser_yacc.y:986 parser_yacc.y:1092
+#: parser_yacc.y:882 parser_yacc.y:986 parser_yacc.y:1092 parser_yacc.y:1126
 msgid "unsafe rule missing exec permissions"
 msgstr ""
 
-#: parser_yacc.y:901 parser_yacc.y:954 parser_yacc.y:1060
+#: parser_yacc.y:901 parser_yacc.y:954 parser_yacc.y:1060 parser_yacc.y:1093
 msgid "subset can only be used with link rules."
 msgstr ""
 
-#: parser_yacc.y:903 parser_yacc.y:956 parser_yacc.y:1062
+#: parser_yacc.y:903 parser_yacc.y:956 parser_yacc.y:1062 parser_yacc.y:1095
 msgid "link and exec perms conflict on a file rule using ->"
 msgstr ""
 
-#: parser_yacc.y:905 parser_yacc.y:958 parser_yacc.y:1064
+#: parser_yacc.y:905 parser_yacc.y:958 parser_yacc.y:1064 parser_yacc.y:1097
 msgid "link perms are not allowed on a named profile transition.\n"
 msgstr ""
 
-#: parser_yacc.y:921 parser_yacc.y:1003 parser_yacc.y:1109
+#: parser_yacc.y:921 parser_yacc.y:1003 parser_yacc.y:1109 parser_yacc.y:1143
 #, c-format
 msgid "missing an end of line character? (entry: %s)"
 msgstr ""
 
 #: parser_yacc.y:975 parser_yacc.y:985 parser_yacc.y:1057 parser_yacc.y:1067
-#: parser_yacc.y:1145 parser_yacc.y:1155
+#: parser_yacc.y:1145 parser_yacc.y:1155 parser_yacc.y:1179 parser_yacc.y:1189
 msgid "Invalid network entry."
 msgstr ""
 
 #: parser_yacc.y:1039 parser_yacc.y:1048 parser_yacc.y:1254 parser_yacc.y:1510
+#: parser_yacc.y:1554
 #, c-format
 msgid "Invalid capability %s."
 msgstr ""
 
-#: parser_yacc.y:1066 parser_yacc.y:1269 parser_yacc.y:1525
+#: parser_yacc.y:1066 parser_yacc.y:1269 parser_yacc.y:1525 parser_yacc.y:1569
 #, c-format
 msgid "AppArmor parser error for %s%s%s at line %d: %s\n"
 msgstr ""
 
-#: parser_yacc.y:1072 parser_yacc.y:1275 parser_yacc.y:1531
+#: parser_yacc.y:1072 parser_yacc.y:1275 parser_yacc.y:1531 parser_yacc.y:1575
 #, c-format
 msgid "AppArmor parser error,%s%s line %d: %s\n"
 msgstr ""
@@ -491,17 +529,20 @@ msgid "%s: Illegal open {, nesting groupings not allowed\n"
 msgstr ""
 
 #: ../parser_regex.c:265 ../parser_regex.c:274 ../parser_regex.c:278
+#: ../parser_regex.c:295
 #, c-format
 msgid "%s: Regex grouping error: Invalid number of items between {}\n"
 msgstr ""
 
 #: ../parser_regex.c:271 ../parser_regex.c:280 ../parser_regex.c:284
+#: ../parser_regex.c:301
 #, c-format
 msgid ""
 "%s: Regex grouping error: Invalid close }, no matching open { detected\n"
 msgstr ""
 
 #: ../parser_regex.c:337 ../parser_regex.c:343 ../parser_regex.c:361
+#: ../parser_regex.c:392
 #, c-format
 msgid ""
 "%s: Regex grouping error: Unclosed grouping or character class, expecting "
@@ -514,16 +555,19 @@ msgid "%s: Internal buffer overflow detected, %d characters exceeded\n"
 msgstr ""
 
 #: ../parser_regex.c:355 ../parser_regex.c:361 ../parser_regex.c:377
+#: ../parser_regex.c:408
 #, c-format
 msgid "%s: Unable to parse input line '%s'\n"
 msgstr ""
 
 #: ../parser_regex.c:397 ../parser_regex.c:405 ../parser_regex.c:421
+#: ../parser_regex.c:452
 #, c-format
 msgid "%s: Invalid profile name '%s' - bad regular expression\n"
 msgstr ""
 
 #: ../parser_policy.c:202 ../parser_policy.c:402 ../parser_policy.c:375
+#: ../parser_policy.c:378
 #, c-format
 msgid "ERROR merging rules for profile %s, failed to load\n"
 msgstr ""
@@ -537,16 +581,19 @@ msgid ""
 msgstr ""
 
 #: ../parser_policy.c:279 ../parser_policy.c:359 ../parser_policy.c:332
+#: ../parser_policy.c:335
 #, c-format
 msgid "ERROR processing regexs for profile %s, failed to load\n"
 msgstr ""
 
 #: ../parser_policy.c:306 ../parser_policy.c:389 ../parser_policy.c:362
+#: ../parser_policy.c:365
 #, c-format
 msgid "ERROR expanding variables for profile %s, failed to load\n"
 msgstr ""
 
 #: ../parser_policy.c:390 ../parser_policy.c:382 ../parser_policy.c:355
+#: ../parser_policy.c:358
 #, c-format
 msgid "ERROR adding hat access rule for profile %s\n"
 msgstr ""
@@ -586,7 +633,7 @@ msgid "Feature buffer full."
 msgstr ""
 
 #: ../parser_main.c:1115 ../parser_main.c:1132 ../parser_main.c:1024
-#: ../parser_main.c:1041
+#: ../parser_main.c:1041 ../parser_main.c:1218 ../parser_main.c:1240
 msgid "Out of memory"
 msgstr ""
 
@@ -615,11 +662,11 @@ msgstr ""
 msgid "Internal error generated invalid DBus perm 0x%x\n"
 msgstr ""
 
-#: parser_yacc.y:575 parser_yacc.y:621
+#: parser_yacc.y:575 parser_yacc.y:621 parser_yacc.y:654
 msgid "deny prefix not allowed"
 msgstr ""
 
-#: parser_yacc.y:612 parser_yacc.y:658
+#: parser_yacc.y:612 parser_yacc.y:658 parser_yacc.y:691
 msgid "owner prefix not allowed"
 msgstr ""
 
@@ -635,41 +682,41 @@ msgstr ""
 msgid "owner prefix not allow on capability rules"
 msgstr ""
 
-#: parser_yacc.y:1357 parser_yacc.y:1613
+#: parser_yacc.y:1357 parser_yacc.y:1613 parser_yacc.y:1656
 #, c-format
 msgid "invalid mount conditional %s%s"
 msgstr ""
 
-#: parser_yacc.y:1374 parser_yacc.y:1628
+#: parser_yacc.y:1374 parser_yacc.y:1628 parser_yacc.y:1671
 msgid "bad mount rule"
 msgstr ""
 
-#: parser_yacc.y:1381 parser_yacc.y:1635
+#: parser_yacc.y:1381 parser_yacc.y:1635 parser_yacc.y:1678
 msgid "mount point conditions not currently supported"
 msgstr ""
 
-#: parser_yacc.y:1398 parser_yacc.y:1650
+#: parser_yacc.y:1398 parser_yacc.y:1650 parser_yacc.y:1693
 #, c-format
 msgid "invalid pivotroot conditional '%s'"
 msgstr ""
 
-#: ../parser_regex.c:241 ../parser_regex.c:236
+#: ../parser_regex.c:241 ../parser_regex.c:236 ../parser_regex.c:253
 #, c-format
 msgid ""
 "%s: Regex grouping error: Invalid close ], no matching open [ detected\n"
 msgstr ""
 
-#: ../parser_regex.c:257 ../parser_regex.c:256
+#: ../parser_regex.c:257 ../parser_regex.c:256 ../parser_regex.c:273
 #, c-format
 msgid "%s: Regex grouping error: Exceeded maximum nesting of {}\n"
 msgstr ""
 
-#: ../parser_policy.c:366 ../parser_policy.c:339
+#: ../parser_policy.c:366 ../parser_policy.c:339 ../parser_policy.c:342
 #, c-format
 msgid "ERROR processing policydb rules for profile %s, failed to load\n"
 msgstr ""
 
-#: ../parser_policy.c:396 ../parser_policy.c:369
+#: ../parser_policy.c:396 ../parser_policy.c:369 ../parser_policy.c:372
 #, c-format
 msgid "ERROR replacing aliases for profile %s, failed to load\n"
 msgstr ""
@@ -689,51 +736,170 @@ msgstr ""
 msgid "Error: Could not read cache file '%s', skipping...\n"
 msgstr ""
 
-#: ../parser_misc.c:575
+#: ../parser_misc.c:575 ../parser_misc.c:558
 #, c-format
 msgid "Internal: unexpected %s mode character '%c' in input"
 msgstr ""
 
-#: ../parser_misc.c:599
+#: ../parser_misc.c:599 ../parser_misc.c:582
 #, c-format
 msgid "Internal error generated invalid %s perm 0x%x\n"
 msgstr ""
 
-#: parser_yacc.y:703
+#: parser_yacc.y:703 parser_yacc.y:736
 msgid "owner prefix not allowed on mount rules"
 msgstr ""
 
-#: parser_yacc.y:720
+#: parser_yacc.y:720 parser_yacc.y:753
 msgid "owner prefix not allowed on dbus rules"
 msgstr ""
 
-#: parser_yacc.y:736
+#: parser_yacc.y:736 parser_yacc.y:769
 msgid "owner prefix not allowed on signal rules"
 msgstr ""
 
-#: parser_yacc.y:752
+#: parser_yacc.y:752 parser_yacc.y:785
 msgid "owner prefix not allowed on ptrace rules"
 msgstr ""
 
-#: parser_yacc.y:768
+#: parser_yacc.y:768 parser_yacc.y:801 parser_yacc.y:821
 msgid "owner prefix not allowed on unix rules"
 msgstr ""
 
-#: parser_yacc.y:794
+#: parser_yacc.y:794 parser_yacc.y:837
 msgid "owner prefix not allowed on capability rules"
 msgstr ""
 
-#: parser_yacc.y:1293
+#: parser_yacc.y:1293 parser_yacc.y:1313
 #, c-format
 msgid "dbus rule: invalid conditional group %s=()"
 msgstr ""
 
-#: parser_yacc.y:1371
+#: parser_yacc.y:1371 parser_yacc.y:1391
 #, c-format
 msgid "unix rule: invalid conditional group %s=()"
 msgstr ""
 
-#: ../parser_regex.c:368
+#: ../parser_regex.c:368 ../parser_regex.c:399
 #, c-format
 msgid "%s: Regex error: trailing '\\' escape character\n"
 msgstr ""
+
+#: ../parser_interface.c:496
+#, c-format
+msgid "Unable to open stdout - %s\n"
+msgstr ""
+
+#: ../parser_interface.c:505
+#, c-format
+msgid "Unable to open output file - %s\n"
+msgstr ""
+
+#: parser_lex.l:337
+msgid "Failed to process filename\n"
+msgstr ""
+
+#: parser_lex.l:723
+#, c-format
+msgid "Lexer found unexpected character: '%s' (0x%x) in state: %s"
+msgstr ""
+
+#: ../parser_main.c:806
+#, c-format
+msgid "Unable to print the cache directory: %m\n"
+msgstr ""
+
+#: ../parser_main.c:842
+#, c-format
+msgid "Error: Could not load profile %s: %s\n"
+msgstr ""
+
+#: ../parser_main.c:852
+#, c-format
+msgid "Error: Could not replace profile %s: %s\n"
+msgstr ""
+
+#: ../parser_main.c:857
+#, c-format
+msgid "Error: Invalid load option specified: %d\n"
+msgstr ""
+
+#: ../parser_main.c:964
+#, c-format
+msgid "Could not get cachename for '%s'\n"
+msgstr ""
+
+#: ../parser_main.c:1323
+#, c-format
+msgid "Failed to clear cache files (%s): %s\n"
+msgstr ""
+
+#: ../parser_main.c:1332
+msgid ""
+"The --create-cache-dir option is deprecated. Please use --write-cache.\n"
+msgstr ""
+
+#: ../parser_main.c:1337
+#, c-format
+msgid "Failed setting up policy cache (%s): %s\n"
+msgstr ""
+
+#: ../parser_misc.c:694
+#, c-format
+msgid "Namespace not terminated: %s\n"
+msgstr ""
+
+#: ../parser_misc.c:696
+#, c-format
+msgid "Empty namespace: %s\n"
+msgstr ""
+
+#: ../parser_misc.c:698
+#, c-format
+msgid "Empty named transition profile name: %s\n"
+msgstr ""
+
+#: ../parser_misc.c:700
+#, c-format
+msgid "Unknown error while parsing label: %s\n"
+msgstr ""
+
+#: parser_yacc.y:322
+msgid "Profile names must begin with a '/' or a namespace"
+msgstr ""
+
+#: parser_yacc.y:344
+msgid "Profile attachment must begin with a '/' or variable."
+msgstr ""
+
+#: parser_yacc.y:906
+msgid "RLIMIT 'cpu' no units specified using default units of seconds\n"
+msgstr ""
+
+#: parser_yacc.y:918
+msgid ""
+"RLIMIT 'rttime' no units specified using default units of microseconds\n"
+msgstr ""
+
+#: parser_yacc.y:1074
+#, c-format
+msgid "%s: Profile abi not supported, falling back to system abi.\n"
+msgstr ""
+
+#: parser_yacc.y:1519
+msgid "Exec condition is required when unsafe or safe keywords are present"
+msgstr ""
+
+#: parser_yacc.y:1521
+msgid "Exec condition must begin with '/'."
+msgstr ""
+
+#: ../parser_regex.c:98
+#, c-format
+msgid "%s: Invalid glob type %d\n"
+msgstr ""
+
+#: ../parser_regex.c:615
+#, c-format
+msgid "The current kernel does not support stacking of named transitions: %s\n"
+msgstr ""

parser/po/ar.po

@@ -12,15 +12,15 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2016-06-01 05:14+0000\n"
-"X-Generator: Launchpad (build 18053)\n"
+"X-Launchpad-Export-Date: 2019-04-18 05:32+0000\n"
+"X-Generator: Launchpad (build 18928)\n"
 "Language: ar\n"
 
-#: ../parser_include.c:113
+#: ../parser_include.c:113 ../parser_include.c:111
 msgid "Error: Out of memory.\n"
 msgstr "خطأ: نفدت الذاكرة.\n"
 
-#: ../parser_include.c:123
+#: ../parser_include.c:123 ../parser_include.c:121
 #, c-format
 msgid "Error: basedir %s is not a directory, skipping.\n"
 msgstr "خطأ: basedir %s ليس دليلاً، يتم الآن التخطي.\n"
@@ -30,97 +30,106 @@ msgstr "خطأ: basedir %s ليس دليلاً، يتم الآن التخطي.\n
 msgid "Error: Could not add directory %s to search path.\n"
 msgstr "خطأ: تعذرت إضافة الدليل %s إلى مسار البحث.\n"
 
-#: ../parser_include.c:147
+#: ../parser_include.c:147 ../parser_include.c:151
 msgid "Error: Could not allocate memory.\n"
 msgstr "خطأ: تعذر تخصيص الذاكرة.\n"
 
-#: ../parser_interface.c:69 ../parser_interface.c:72
+#: ../parser_interface.c:69 ../parser_interface.c:72 ../parser_interface.c:49
 msgid "Bad write position\n"
 msgstr "موضع كتابة غير صالح\n"
 
-#: ../parser_interface.c:72 ../parser_interface.c:75
+#: ../parser_interface.c:72 ../parser_interface.c:75 ../parser_interface.c:52
 msgid "Permission denied\n"
 msgstr "الإذن مرفوض\n"
 
-#: ../parser_interface.c:75 ../parser_interface.c:78
+#: ../parser_interface.c:75 ../parser_interface.c:78 ../parser_interface.c:55
 msgid "Out of memory\n"
 msgstr "نفدت الذاكرة\n"
 
-#: ../parser_interface.c:78 ../parser_interface.c:81
+#: ../parser_interface.c:78 ../parser_interface.c:81 ../parser_interface.c:58
 msgid "Couldn't copy profile: Bad memory address\n"
 msgstr ""
 
-#: ../parser_interface.c:81 ../parser_interface.c:84
+#: ../parser_interface.c:81 ../parser_interface.c:84 ../parser_interface.c:61
 msgid "Profile doesn't conform to protocol\n"
 msgstr "ملف التعريف غير متوافق مع البروتوكول\n"
 
-#: ../parser_interface.c:84 ../parser_interface.c:87
+#: ../parser_interface.c:84 ../parser_interface.c:87 ../parser_interface.c:64
 msgid "Profile does not match signature\n"
 msgstr "ملف التعريف غير متوافق مع التوقيع\n"
 
-#: ../parser_interface.c:87 ../parser_interface.c:90
+#: ../parser_interface.c:87 ../parser_interface.c:90 ../parser_interface.c:67
 msgid "Profile version not supported by Apparmor module\n"
 msgstr "لا تدعم الوحدة النمطية Apparmor إصدار ملف التعريف\n"
 
-#: ../parser_interface.c:90 ../parser_interface.c:93
+#: ../parser_interface.c:90 ../parser_interface.c:93 ../parser_interface.c:70
 msgid "Profile already exists\n"
 msgstr "ملف التعريف موجود بالفعل\n"
 
-#: ../parser_interface.c:93 ../parser_interface.c:96
+#: ../parser_interface.c:93 ../parser_interface.c:96 ../parser_interface.c:73
 msgid "Profile doesn't exist\n"
 msgstr "ملف التعريف غير موجود\n"
 
-#: ../parser_interface.c:96 ../parser_interface.c:99
+#: ../parser_interface.c:96 ../parser_interface.c:99 ../parser_interface.c:76
 msgid "Permission denied; attempted to load a profile while confined?\n"
 msgstr ""
 
-#: ../parser_interface.c:99 ../parser_interface.c:102
+#: ../parser_interface.c:99 ../parser_interface.c:102 ../parser_interface.c:79
 #, c-format
 msgid "Unknown error (%d): %s\n"
 msgstr ""
 
 #: ../parser_interface.c:116 ../parser_interface.c:119
+#: ../parser_interface.c:96
 #, c-format
 msgid "%s: Unable to add \"%s\".  "
 msgstr "%s: تعذرت إضافة \"%s\".  "
 
 #: ../parser_interface.c:121 ../parser_interface.c:124
+#: ../parser_interface.c:101
 #, c-format
 msgid "%s: Unable to replace \"%s\".  "
 msgstr "%s: تعذر استبدال \"%s\".  "
 
 #: ../parser_interface.c:126 ../parser_interface.c:129
+#: ../parser_interface.c:106
 #, c-format
 msgid "%s: Unable to remove \"%s\".  "
 msgstr "%s: تعذرت إزالة \"%s\".  "
 
 #: ../parser_interface.c:131 ../parser_interface.c:134
+#: ../parser_interface.c:111
 #, c-format
 msgid "%s: Unable to write to stdout\n"
 msgstr "%s: تعذرت الكتابة إلى stdout\n"
 
 #: ../parser_interface.c:135 ../parser_interface.c:138
+#: ../parser_interface.c:115
 #, c-format
 msgid "%s: Unable to write to output file\n"
 msgstr ""
 
 #: ../parser_interface.c:138 ../parser_interface.c:162
 #: ../parser_interface.c:141 ../parser_interface.c:165
+#: ../parser_interface.c:118 ../parser_interface.c:142
 #, c-format
 msgid "%s: ASSERT: Invalid option: %d\n"
 msgstr "%s: تأكيد: خيار غير صالح: %d\n"
 
 #: ../parser_interface.c:147 ../parser_interface.c:150
+#: ../parser_interface.c:127
 #, c-format
 msgid "Addition succeeded for \"%s\".\n"
 msgstr "نجحت الإضافة لـ \"%s\".\n"
 
 #: ../parser_interface.c:151 ../parser_interface.c:154
+#: ../parser_interface.c:131
 #, c-format
 msgid "Replacement succeeded for \"%s\".\n"
 msgstr "نجح الاستبدال لـ \"%s\".\n"
 
 #: ../parser_interface.c:155 ../parser_interface.c:158
+#: ../parser_interface.c:135
 #, c-format
 msgid "Removal succeeded for \"%s\".\n"
 msgstr "نجحت الإزالة لـ \"%s\".\n"
@@ -132,6 +141,7 @@ msgstr ""
 "PANIC ذاكرة وسيطة للزيادة غير صالحة %p pos %p ext %p size %d res %p\n"
 
 #: ../parser_interface.c:656 ../parser_interface.c:658
+#: ../parser_interface.c:446
 #, c-format
 msgid "profile %s network rules not enforced\n"
 msgstr ""
@@ -142,16 +152,19 @@ msgstr ""
 
 #: ../parser_interface.c:750 ../parser_interface.c:902
 #: ../parser_interface.c:743 ../parser_interface.c:894
+#: ../parser_interface.c:518 ../parser_interface.c:669
 #, c-format
 msgid "Unable to open %s - %s\n"
 msgstr "تعذر فتح %s - %s\n"
 
 #: ../parser_interface.c:776 ../parser_interface.c:768
+#: ../parser_interface.c:543
 #, c-format
 msgid "Memory Allocation Error: Unable to remove ^%s\n"
 msgstr "خطأ في تخصيص الذاكرة: تعذرت إزالة ^%s\n"
 
 #: ../parser_interface.c:789 ../parser_interface.c:781
+#: ../parser_interface.c:556
 #, c-format
 msgid "Memory Allocation Error: Unable to remove %s:%s."
 msgstr "خطأ في تخصيص الذاكرة: تعذرت إزالة %s:%s."
@@ -167,21 +180,23 @@ msgstr "تعذر تعيين تسلسل ملف التعريف %s\n"
 
 #: ../parser_interface.c:829 ../parser_interface.c:916
 #: ../parser_interface.c:821 ../parser_interface.c:908
+#: ../parser_interface.c:582
 #, c-format
 msgid "%s: Unable to write entire profile entry\n"
 msgstr "%s: تعذرت كتابة إدخال ملف التعريف بالكامل\n"
 
 #: ../parser_interface.c:839 ../parser_interface.c:831
+#: ../parser_interface.c:593
 #, c-format
 msgid "%s: Unable to write entire profile entry to cache\n"
 msgstr ""
 
-#: parser_lex.l:100 parser_lex.l:163
+#: parser_lex.l:100 parser_lex.l:163 parser_lex.l:169
 #, c-format
 msgid "Could not open '%s'"
 msgstr ""
 
-#: parser_lex.l:104 parser_lex.l:167
+#: parser_lex.l:104 parser_lex.l:167 parser_lex.l:173
 #, c-format
 msgid "fstat failed for '%s'"
 msgstr ""
@@ -196,18 +211,18 @@ msgstr ""
 msgid "stat failed for '%s'"
 msgstr ""
 
-#: parser_lex.l:155 parser_lex.l:133
+#: parser_lex.l:155 parser_lex.l:133 parser_lex.l:139
 #, c-format
 msgid "Could not open '%s' in '%s'"
 msgstr ""
 
 #: parser_lex.l:284 parser_lex.l:322 parser_lex.l:362 parser_lex.l:399
-#: parser_lex.l:469 parser_lex.l:655 parser_lex.l:586
+#: parser_lex.l:469 parser_lex.l:655 parser_lex.l:586 parser_lex.l:638
 #, c-format
 msgid "Found unexpected character: '%s'"
 msgstr "تم العثور على حرف غير متوقع: '%s'"
 
-#: parser_lex.l:386 parser_lex.l:418
+#: parser_lex.l:386 parser_lex.l:418 parser_lex.l:428
 msgid "Variable declarations do not accept trailing commas"
 msgstr ""
 
@@ -216,7 +231,7 @@ msgstr ""
 msgid "(network_mode) Found unexpected character: '%s'"
 msgstr "(network_mode) تم العثور على حرف غير متوقع: '%s'"
 
-#: ../parser_main.c:333 ../parser_common.c:61
+#: ../parser_main.c:333 ../parser_common.c:61 ../parser_common.c:106
 #, c-format
 msgid "Warning from %s (%s%sline %d): %s"
 msgstr ""
@@ -226,7 +241,7 @@ msgstr ""
 msgid "%s: Could not allocate memory for subdomainbase mount point\n"
 msgstr "%s: تعذر تخصيص ذاكرة لنقطة توصيل قاعدة المجال الفرعي\n"
 
-#: ../parser_main.c:577 ../parser_main.c:616
+#: ../parser_main.c:577 ../parser_main.c:616 ../parser_main.c:479
 #, c-format
 msgid ""
 "Warning: unable to find a suitable fs in %s, is it mounted?\n"
@@ -235,7 +250,7 @@ msgstr ""
 "تحذير: تعذر العثور على نظام ملفات مناسب في %s، هل تم توصيله؟\n"
 "استخدم --subdomainfs لتجاوزه.\n"
 
-#: ../parser_main.c:597 ../parser_main.c:635
+#: ../parser_main.c:597 ../parser_main.c:635 ../parser_main.c:498
 #, c-format
 msgid ""
 "%s: Sorry. You need root privileges to run this program.\n"
@@ -245,7 +260,7 @@ msgstr ""
 "البرنامج.\n"
 "\n"
 
-#: ../parser_main.c:604 ../parser_main.c:642
+#: ../parser_main.c:604 ../parser_main.c:642 ../parser_main.c:505
 #, c-format
 msgid ""
 "%s: Warning! You've set this program setuid root.\n"
@@ -257,7 +272,7 @@ msgstr ""
 "\n"
 
 #: ../parser_main.c:704 ../parser_main.c:813 ../parser_main.c:836
-#: ../parser_main.c:946
+#: ../parser_main.c:946 ../parser_main.c:860
 #, c-format
 msgid "Error: Could not read profile %s: %s.\n"
 msgstr "خطأ: تعذرت قراءة ملف التعريف %s: %s.\n"
@@ -273,25 +288,32 @@ msgstr "خطأ: تعذرت قراءة ملف التعريف %s: %s.\n"
 #: parser_yacc.y:1042 parser_yacc.y:1078 parser_yacc.y:1082 parser_yacc.y:1092
 #: parser_yacc.y:1102 parser_yacc.y:1201 parser_yacc.y:1223 parser_yacc.y:1234
 #: parser_yacc.y:1309 parser_yacc.y:1327 parser_yacc.y:1334 parser_yacc.y:1385
+#: ../parser_main.c:735 ../parser_main.c:923 ../parser_main.c:1133
+#: ../parser_main.c:1187 parser_yacc.y:311 parser_yacc.y:462 parser_yacc.y:472
+#: parser_yacc.y:583 parser_yacc.y:662 parser_yacc.y:669 parser_yacc.y:1130
+#: parser_yacc.y:1166 parser_yacc.y:1170 parser_yacc.y:1180 parser_yacc.y:1190
+#: parser_yacc.y:1298 parser_yacc.y:1376 parser_yacc.y:1479 parser_yacc.y:1490
+#: parser_yacc.y:1565 parser_yacc.y:1583 parser_yacc.y:1590 parser_yacc.y:1639
+#: ../network.c:314 ../af_unix.cc:203
 msgid "Memory allocation error."
 msgstr "خطأ في تخصيص الذاكرة."
 
-#: ../parser_main.c:740 ../parser_main.c:872
+#: ../parser_main.c:740 ../parser_main.c:872 ../parser_main.c:757
 #, c-format
 msgid "Cached load succeeded for \"%s\".\n"
 msgstr ""
 
-#: ../parser_main.c:744 ../parser_main.c:876
+#: ../parser_main.c:744 ../parser_main.c:876 ../parser_main.c:761
 #, c-format
 msgid "Cached reload succeeded for \"%s\".\n"
 msgstr ""
 
-#: ../parser_main.c:910 ../parser_main.c:1058
+#: ../parser_main.c:910 ../parser_main.c:1058 ../parser_main.c:967
 #, c-format
 msgid "%s: Errors found in file. Aborting.\n"
 msgstr "%s: تم العثور على أخطاء في الملف. يتم الآن الإيقاف.\n"
 
-#: ../parser_misc.c:426 ../parser_misc.c:597
+#: ../parser_misc.c:426 ../parser_misc.c:597 ../parser_misc.c:339
 msgid ""
 "Uppercase qualifiers \"RWLIMX\" are deprecated, please convert to lowercase\n"
 "See the apparmor.d(5) manpage for details.\n"
@@ -300,15 +322,15 @@ msgstr ""
 "راجع صفحة الدليل apparmor.d(5) للحصول على التفاصيل.\n"
 
 #: ../parser_misc.c:467 ../parser_misc.c:474 ../parser_misc.c:638
-#: ../parser_misc.c:645
+#: ../parser_misc.c:645 ../parser_misc.c:380 ../parser_misc.c:387
 msgid "Conflict 'a' and 'w' perms are mutually exclusive."
 msgstr "لا يمكن استخدام الإذنين 'a' و'w' المتعارضين معًا."
 
-#: ../parser_misc.c:491 ../parser_misc.c:662
+#: ../parser_misc.c:491 ../parser_misc.c:662 ../parser_misc.c:404
 msgid "Exec qualifier 'i' invalid, conflicting qualifier already specified"
 msgstr "المؤهل التنفيذي 'i' غير صالح، تم تحديد مؤهل متعارض بالفعل"
 
-#: ../parser_misc.c:502 ../parser_misc.c:673
+#: ../parser_misc.c:502 ../parser_misc.c:673 ../parser_misc.c:415
 #, c-format
 msgid ""
 "Unconfined exec qualifier (%c%c) allows some dangerous environment variables "
@@ -318,24 +340,24 @@ msgstr ""
 "العملية غير المقيدة؛ راجع 'man 5 apparmor.d' للحصول على التفاصيل.\n"
 
 #: ../parser_misc.c:510 ../parser_misc.c:551 ../parser_misc.c:681
-#: ../parser_misc.c:722
+#: ../parser_misc.c:722 ../parser_misc.c:423 ../parser_misc.c:464
 #, c-format
 msgid "Exec qualifier '%c' invalid, conflicting qualifier already specified"
 msgstr "المؤهل التنفيذي '%c' غير صالح، تم تحديد المؤهل المتعارض بالفعل"
 
 #: ../parser_misc.c:537 ../parser_misc.c:545 ../parser_misc.c:708
-#: ../parser_misc.c:716
+#: ../parser_misc.c:716 ../parser_misc.c:450 ../parser_misc.c:458
 #, c-format
 msgid ""
 "Exec qualifier '%c%c' invalid, conflicting qualifier already specified"
 msgstr "المؤهل التنفيذي '%c%c' غير صالح، تم تحديد مؤهل متعارض بالفعل"
 
-#: ../parser_misc.c:593 ../parser_misc.c:764
+#: ../parser_misc.c:593 ../parser_misc.c:764 ../parser_misc.c:506
 #, c-format
 msgid "Internal: unexpected mode character '%c' in input"
 msgstr "داخلي: حرف وضع غير متوقع '%c' في الإدخال"
 
-#: ../parser_misc.c:615 ../parser_misc.c:786
+#: ../parser_misc.c:615 ../parser_misc.c:786 ../parser_misc.c:528
 #, c-format
 msgid "Internal error generated invalid perm 0x%llx\n"
 msgstr "تسبب خطأ داخلي في إنشاء إذن غير صالح 0x%llx\n"
@@ -346,60 +368,61 @@ msgstr "تسبب خطأ داخلي في إنشاء إذن غير صالح 0x%llx
 msgid "AppArmor parser error: %s\n"
 msgstr "خطأ في محلل AppArmor: %s\n"
 
-#: ../parser_merge.c:92 ../parser_merge.c:91
+#: ../parser_merge.c:92 ../parser_merge.c:91 ../parser_merge.c:83
 msgid "Couldn't merge entries. Out of Memory\n"
 msgstr "تعذر دمج الإدخالات. نفدت الذاكرة\n"
 
-#: ../parser_merge.c:111 ../parser_merge.c:113
+#: ../parser_merge.c:111 ../parser_merge.c:113 ../parser_merge.c:105
 #, c-format
 msgid "profile %s: has merged rule %s with conflicting x modifiers\n"
 msgstr ""
 
-#: parser_yacc.y:236 parser_yacc.y:277
+#: parser_yacc.y:236 parser_yacc.y:277 parser_yacc.y:320
 msgid "Profile attachment must begin with a '/'."
 msgstr ""
 
-#: parser_yacc.y:260 parser_yacc.y:302
+#: parser_yacc.y:260 parser_yacc.y:302 parser_yacc.y:348
 msgid ""
 "Profile names must begin with a '/', namespace or keyword 'profile' or 'hat'."
 msgstr ""
 
-#: parser_yacc.y:296 parser_yacc.y:338
+#: parser_yacc.y:296 parser_yacc.y:338 parser_yacc.y:384
 #, c-format
 msgid "Failed to create alias %s -> %s\n"
 msgstr "فشل إنشاء الاسم المستعار %s -> %s\n"
 
-#: parser_yacc.y:417 parser_yacc.y:460
+#: parser_yacc.y:417 parser_yacc.y:460 parser_yacc.y:506
 msgid "Profile flag chroot_relative conflicts with namespace_relative"
 msgstr ""
 
-#: parser_yacc.y:421 parser_yacc.y:464
+#: parser_yacc.y:421 parser_yacc.y:464 parser_yacc.y:510
 msgid "Profile flag mediate_deleted conflicts with delegate_deleted"
 msgstr ""
 
-#: parser_yacc.y:424 parser_yacc.y:467
+#: parser_yacc.y:424 parser_yacc.y:467 parser_yacc.y:513
 msgid ""
 "Profile flag attach_disconnected conflicts with no_attach_disconnected"
 msgstr ""
 
-#: parser_yacc.y:427 parser_yacc.y:470
+#: parser_yacc.y:427 parser_yacc.y:470 parser_yacc.y:516
 msgid "Profile flag chroot_attach conflicts with chroot_no_attach"
 msgstr ""
 
-#: parser_yacc.y:441 parser_yacc.y:484
+#: parser_yacc.y:441 parser_yacc.y:484 parser_yacc.y:530
 msgid "Profile flag 'debug' is no longer valid."
 msgstr "لم تعد علامة ملف التعريف 'تصحيح الأخطاء' صالحة."
 
-#: parser_yacc.y:463 parser_yacc.y:506
+#: parser_yacc.y:463 parser_yacc.y:506 parser_yacc.y:552
 #, c-format
 msgid "Invalid profile flag: %s."
 msgstr "علامة ملف تعريف غير صالحة: %s."
 
-#: parser_yacc.y:498 parser_yacc.y:520 parser_yacc.y:548
+#: parser_yacc.y:498 parser_yacc.y:520 parser_yacc.y:548 parser_yacc.y:594
 msgid "Assert: `rule' returned NULL."
 msgstr "تأكيد: أرجعت \"القاعدة\" قيمة خالية."
 
 #: parser_yacc.y:501 parser_yacc.y:546 parser_yacc.y:552 parser_yacc.y:584
+#: parser_yacc.y:598 parser_yacc.y:630
 msgid ""
 "Invalid mode, in deny rules 'x' must not be preceded by exec qualifier 'i', "
 "'p', or 'u'"
@@ -407,74 +430,75 @@ msgstr ""
 "وضع غير صالح، في قواعد الرفض يجب وضع 'x' قبل المؤهل التنفيذي 'i' أو 'p' أو "
 "'u'"
 
-#: parser_yacc.y:524 parser_yacc.y:556
+#: parser_yacc.y:524 parser_yacc.y:556 parser_yacc.y:602
 msgid ""
 "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', 'c', or 'u'"
 msgstr ""
 "وضع غير صالح، يجب وضع 'x' بعد المؤهل التنفيذي 'i' أو 'p' أو 'c' أو 'u'"
 
-#: parser_yacc.y:549 parser_yacc.y:587
+#: parser_yacc.y:549 parser_yacc.y:587 parser_yacc.y:633
 msgid "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'"
 msgstr "وضع غير صالح، يجب وضع المؤهل التنفيذي 'i' أو 'p' أو 'u' قبل 'x'"
 
-#: parser_yacc.y:574 parser_yacc.y:612 parser_yacc.y:614
+#: parser_yacc.y:574 parser_yacc.y:612 parser_yacc.y:614 parser_yacc.y:660
 msgid "Assert: `network_rule' return invalid protocol."
 msgstr "تأكيد: أرجعت `network_rule' بروتوكولاً غير صالح."
 
-#: parser_yacc.y:649 parser_yacc.y:696
+#: parser_yacc.y:649 parser_yacc.y:696 parser_yacc.y:786
 msgid "Assert: `change_profile' returned NULL."
 msgstr "تأكيد: أرجع `change_profile' قيمة خالية."
 
-#: parser_yacc.y:680 parser_yacc.y:720
+#: parser_yacc.y:680 parser_yacc.y:720 parser_yacc.y:810
 msgid "Assert: 'hat rule' returned NULL."
 msgstr "تأكيد: أرجعت \"hat rule\" قيمة خالية."
 
-#: parser_yacc.y:689 parser_yacc.y:729
+#: parser_yacc.y:689 parser_yacc.y:729 parser_yacc.y:819
 msgid "Assert: 'local_profile rule' returned NULL."
 msgstr "تأكيد: أرجعت `local_profile rule' قيمة خالية."
 
-#: parser_yacc.y:824 parser_yacc.y:885
+#: parser_yacc.y:824 parser_yacc.y:885 parser_yacc.y:992
 #, c-format
 msgid "Unset boolean variable %s used in if-expression"
 msgstr "إلغاء تعيين المتغير المنطقي %s المستخدم في تعبير if"
 
-#: parser_yacc.y:882 parser_yacc.y:986
+#: parser_yacc.y:882 parser_yacc.y:986 parser_yacc.y:1092
 msgid "unsafe rule missing exec permissions"
 msgstr "قاعدة غير آمنة بدون أذونات تنفيذ"
 
-#: parser_yacc.y:901 parser_yacc.y:954
+#: parser_yacc.y:901 parser_yacc.y:954 parser_yacc.y:1060
 msgid "subset can only be used with link rules."
 msgstr "لا يمكن استخدام المجموعة الفرعية إلا مع قواعد الارتباط."
 
-#: parser_yacc.y:903 parser_yacc.y:956
+#: parser_yacc.y:903 parser_yacc.y:956 parser_yacc.y:1062
 msgid "link and exec perms conflict on a file rule using ->"
 msgstr "تعارض بين الارتباط والأذونات التنفيذية في قاعدة ملف عند استخدام ->"
 
-#: parser_yacc.y:905 parser_yacc.y:958
+#: parser_yacc.y:905 parser_yacc.y:958 parser_yacc.y:1064
 msgid "link perms are not allowed on a named profile transition.\n"
 msgstr ""
 "لا يُسمح باستخدام أذونات الارتباط في عملية انتقال ملف تعريف معروفة.\n"
 
-#: parser_yacc.y:921 parser_yacc.y:1003
+#: parser_yacc.y:921 parser_yacc.y:1003 parser_yacc.y:1109
 #, c-format
 msgid "missing an end of line character? (entry: %s)"
 msgstr "حرف نهاية سطر مفقود؟ (إدخال: %s)"
 
 #: parser_yacc.y:975 parser_yacc.y:985 parser_yacc.y:1057 parser_yacc.y:1067
+#: parser_yacc.y:1145 parser_yacc.y:1155
 msgid "Invalid network entry."
 msgstr "إدخال الشبكة غير صالح."
 
-#: parser_yacc.y:1039 parser_yacc.y:1048 parser_yacc.y:1254
+#: parser_yacc.y:1039 parser_yacc.y:1048 parser_yacc.y:1254 parser_yacc.y:1510
 #, c-format
 msgid "Invalid capability %s."
 msgstr "إمكانية غير صالحة %s."
 
-#: parser_yacc.y:1066 parser_yacc.y:1269
+#: parser_yacc.y:1066 parser_yacc.y:1269 parser_yacc.y:1525
 #, c-format
 msgid "AppArmor parser error for %s%s%s at line %d: %s\n"
 msgstr ""
 
-#: parser_yacc.y:1072 parser_yacc.y:1275
+#: parser_yacc.y:1072 parser_yacc.y:1275 parser_yacc.y:1531
 #, c-format
 msgid "AppArmor parser error,%s%s line %d: %s\n"
 msgstr ""
@@ -484,19 +508,19 @@ msgstr ""
 msgid "%s: Illegal open {, nesting groupings not allowed\n"
 msgstr "%s: فتح غير شرعي (، غير مسموح بتجميعات متداخلة\n"
 
-#: ../parser_regex.c:265 ../parser_regex.c:274
+#: ../parser_regex.c:265 ../parser_regex.c:274 ../parser_regex.c:278
 #, c-format
 msgid "%s: Regex grouping error: Invalid number of items between {}\n"
 msgstr "%s: خطأ في تجميع Regex: عدد غير صالح للبنود بين {}\n"
 
-#: ../parser_regex.c:271 ../parser_regex.c:280
+#: ../parser_regex.c:271 ../parser_regex.c:280 ../parser_regex.c:284
 #, c-format
 msgid ""
 "%s: Regex grouping error: Invalid close }, no matching open { detected\n"
 msgstr ""
 "%s: خطأ في تجميع Regex: إغلاق غير صالح }، لا يوجد فتح متوافق ( تم اكتشافه\n"
 
-#: ../parser_regex.c:337 ../parser_regex.c:343
+#: ../parser_regex.c:337 ../parser_regex.c:343 ../parser_regex.c:361
 #, c-format
 msgid ""
 "%s: Regex grouping error: Unclosed grouping or character class, expecting "
@@ -511,17 +535,17 @@ msgid "%s: Internal buffer overflow detected, %d characters exceeded\n"
 msgstr ""
 "%s: تم اكتشاف تجاوز سعة الذاكرة الوسيطة الداخلية، %d تم تجاوز الأحرف\n"
 
-#: ../parser_regex.c:355 ../parser_regex.c:361
+#: ../parser_regex.c:355 ../parser_regex.c:361 ../parser_regex.c:377
 #, c-format
 msgid "%s: Unable to parse input line '%s'\n"
 msgstr "%s: تعذر تحليل سطر الإدخال '%s'\n"
 
-#: ../parser_regex.c:397 ../parser_regex.c:405
+#: ../parser_regex.c:397 ../parser_regex.c:405 ../parser_regex.c:421
 #, c-format
 msgid "%s: Invalid profile name '%s' - bad regular expression\n"
 msgstr ""
 
-#: ../parser_policy.c:202 ../parser_policy.c:402
+#: ../parser_policy.c:202 ../parser_policy.c:402 ../parser_policy.c:375
 #, c-format
 msgid "ERROR merging rules for profile %s, failed to load\n"
 msgstr "خطأ أثناء دمج القواعد لملف التعريف %s، فشل التحميل\n"
@@ -538,17 +562,17 @@ msgstr ""
 "\tغير مسموح باستخدام '*' و'?' ونطاقات الأحرف والتبديلات.\n"
 "\tلا يمكن استخدام '**' إلا في نهاية القاعدة.\n"
 
-#: ../parser_policy.c:279 ../parser_policy.c:359
+#: ../parser_policy.c:279 ../parser_policy.c:359 ../parser_policy.c:332
 #, c-format
 msgid "ERROR processing regexs for profile %s, failed to load\n"
 msgstr "خطأ أثناء معالجة تعبيرات regex لملف التعريف %s، فشل التحميل\n"
 
-#: ../parser_policy.c:306 ../parser_policy.c:389
+#: ../parser_policy.c:306 ../parser_policy.c:389 ../parser_policy.c:362
 #, c-format
 msgid "ERROR expanding variables for profile %s, failed to load\n"
 msgstr "خطأ أثناء توسيع متغيرات ملف التعريف %s، فشل التحميل\n"
 
-#: ../parser_policy.c:390 ../parser_policy.c:382
+#: ../parser_policy.c:390 ../parser_policy.c:382 ../parser_policy.c:355
 #, c-format
 msgid "ERROR adding hat access rule for profile %s\n"
 msgstr "خطأ أثناء إضافة قاعدة وصول hat لملف التعريف %s\n"
@@ -581,30 +605,31 @@ msgstr ""
 "%s: تم العثور على أخطاء أثناء المعالجة اللاحقة لقواعد الدمج. يتم الآن "
 "الإيقاف.\n"
 
-#: parser_lex.l:180
+#: parser_lex.l:180 parser_lex.l:186
 #, c-format
 msgid "Could not process include directory '%s' in '%s'"
 msgstr ""
 
-#: ../parser_main.c:660
+#: ../parser_main.c:660 ../parser_main.c:523
 msgid "Feature buffer full."
 msgstr ""
 
-#: ../parser_main.c:1115 ../parser_main.c:1132
+#: ../parser_main.c:1115 ../parser_main.c:1132 ../parser_main.c:1024
+#: ../parser_main.c:1041
 msgid "Out of memory"
 msgstr ""
 
-#: ../parser_main.c:1182
+#: ../parser_main.c:1182 ../parser_main.c:1091
 #, c-format
 msgid "Can't create cache directory: %s\n"
 msgstr ""
 
-#: ../parser_main.c:1185
+#: ../parser_main.c:1185 ../parser_main.c:1094
 #, c-format
 msgid "File in cache directory location: %s\n"
 msgstr ""
 
-#: ../parser_main.c:1188
+#: ../parser_main.c:1188 ../parser_main.c:1097
 #, c-format
 msgid "Can't update cache directory: %s\n"
 msgstr ""
@@ -619,11 +644,11 @@ msgstr ""
 msgid "Internal error generated invalid DBus perm 0x%x\n"
 msgstr ""
 
-#: parser_yacc.y:575
+#: parser_yacc.y:575 parser_yacc.y:621
 msgid "deny prefix not allowed"
 msgstr ""
 
-#: parser_yacc.y:612
+#: parser_yacc.y:612 parser_yacc.y:658
 msgid "owner prefix not allowed"
 msgstr ""
 
@@ -639,41 +664,41 @@ msgstr ""
 msgid "owner prefix not allow on capability rules"
 msgstr ""
 
-#: parser_yacc.y:1357
+#: parser_yacc.y:1357 parser_yacc.y:1613
 #, c-format
 msgid "invalid mount conditional %s%s"
 msgstr ""
 
-#: parser_yacc.y:1374
+#: parser_yacc.y:1374 parser_yacc.y:1628
 msgid "bad mount rule"
 msgstr ""
 
-#: parser_yacc.y:1381
+#: parser_yacc.y:1381 parser_yacc.y:1635
 msgid "mount point conditions not currently supported"
 msgstr ""
 
-#: parser_yacc.y:1398
+#: parser_yacc.y:1398 parser_yacc.y:1650
 #, c-format
 msgid "invalid pivotroot conditional '%s'"
 msgstr ""
 
-#: ../parser_regex.c:241
+#: ../parser_regex.c:241 ../parser_regex.c:236
 #, c-format
 msgid ""
 "%s: Regex grouping error: Invalid close ], no matching open [ detected\n"
 msgstr ""
 
-#: ../parser_regex.c:257
+#: ../parser_regex.c:257 ../parser_regex.c:256
 #, c-format
 msgid "%s: Regex grouping error: Exceeded maximum nesting of {}\n"
 msgstr ""
 
-#: ../parser_policy.c:366
+#: ../parser_policy.c:366 ../parser_policy.c:339
 #, c-format
 msgid "ERROR processing policydb rules for profile %s, failed to load\n"
 msgstr ""
 
-#: ../parser_policy.c:396
+#: ../parser_policy.c:396 ../parser_policy.c:369
 #, c-format
 msgid "ERROR replacing aliases for profile %s, failed to load\n"
 msgstr ""

parser/po/bg.po

@@ -15,15 +15,15 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2016-06-01 05:14+0000\n"
-"X-Generator: Launchpad (build 18053)\n"
+"X-Launchpad-Export-Date: 2019-04-18 05:32+0000\n"
+"X-Generator: Launchpad (build 18928)\n"
 "Language: bg\n"
 
-#: ../parser_include.c:113
+#: ../parser_include.c:113 ../parser_include.c:111
 msgid "Error: Out of memory.\n"
 msgstr ""
 
-#: ../parser_include.c:123
+#: ../parser_include.c:123 ../parser_include.c:121
 #, c-format
 msgid "Error: basedir %s is not a directory, skipping.\n"
 msgstr ""
@@ -33,97 +33,106 @@ msgstr ""
 msgid "Error: Could not add directory %s to search path.\n"
 msgstr ""
 
-#: ../parser_include.c:147
+#: ../parser_include.c:147 ../parser_include.c:151
 msgid "Error: Could not allocate memory.\n"
 msgstr ""
 
-#: ../parser_interface.c:69 ../parser_interface.c:72
+#: ../parser_interface.c:69 ../parser_interface.c:72 ../parser_interface.c:49
 msgid "Bad write position\n"
 msgstr ""
 
-#: ../parser_interface.c:72 ../parser_interface.c:75
+#: ../parser_interface.c:72 ../parser_interface.c:75 ../parser_interface.c:52
 msgid "Permission denied\n"
 msgstr ""
 
-#: ../parser_interface.c:75 ../parser_interface.c:78
+#: ../parser_interface.c:75 ../parser_interface.c:78 ../parser_interface.c:55
 msgid "Out of memory\n"
 msgstr ""
 
-#: ../parser_interface.c:78 ../parser_interface.c:81
+#: ../parser_interface.c:78 ../parser_interface.c:81 ../parser_interface.c:58
 msgid "Couldn't copy profile: Bad memory address\n"
 msgstr ""
 
-#: ../parser_interface.c:81 ../parser_interface.c:84
+#: ../parser_interface.c:81 ../parser_interface.c:84 ../parser_interface.c:61
 msgid "Profile doesn't conform to protocol\n"
 msgstr ""
 
-#: ../parser_interface.c:84 ../parser_interface.c:87
+#: ../parser_interface.c:84 ../parser_interface.c:87 ../parser_interface.c:64
 msgid "Profile does not match signature\n"
 msgstr ""
 
-#: ../parser_interface.c:87 ../parser_interface.c:90
+#: ../parser_interface.c:87 ../parser_interface.c:90 ../parser_interface.c:67
 msgid "Profile version not supported by Apparmor module\n"
 msgstr ""
 
-#: ../parser_interface.c:90 ../parser_interface.c:93
+#: ../parser_interface.c:90 ../parser_interface.c:93 ../parser_interface.c:70
 msgid "Profile already exists\n"
 msgstr ""
 
-#: ../parser_interface.c:93 ../parser_interface.c:96
+#: ../parser_interface.c:93 ../parser_interface.c:96 ../parser_interface.c:73
 msgid "Profile doesn't exist\n"
 msgstr ""
 
-#: ../parser_interface.c:96 ../parser_interface.c:99
+#: ../parser_interface.c:96 ../parser_interface.c:99 ../parser_interface.c:76
 msgid "Permission denied; attempted to load a profile while confined?\n"
 msgstr ""
 
-#: ../parser_interface.c:99 ../parser_interface.c:102
+#: ../parser_interface.c:99 ../parser_interface.c:102 ../parser_interface.c:79
 #, c-format
 msgid "Unknown error (%d): %s\n"
 msgstr ""
 
 #: ../parser_interface.c:116 ../parser_interface.c:119
+#: ../parser_interface.c:96
 #, c-format
 msgid "%s: Unable to add \"%s\".  "
 msgstr ""
 
 #: ../parser_interface.c:121 ../parser_interface.c:124
+#: ../parser_interface.c:101
 #, c-format
 msgid "%s: Unable to replace \"%s\".  "
 msgstr ""
 
 #: ../parser_interface.c:126 ../parser_interface.c:129
+#: ../parser_interface.c:106
 #, c-format
 msgid "%s: Unable to remove \"%s\".  "
 msgstr ""
 
 #: ../parser_interface.c:131 ../parser_interface.c:134
+#: ../parser_interface.c:111
 #, c-format
 msgid "%s: Unable to write to stdout\n"
 msgstr ""
 
 #: ../parser_interface.c:135 ../parser_interface.c:138
+#: ../parser_interface.c:115
 #, c-format
 msgid "%s: Unable to write to output file\n"
 msgstr ""
 
 #: ../parser_interface.c:138 ../parser_interface.c:162
 #: ../parser_interface.c:141 ../parser_interface.c:165
+#: ../parser_interface.c:118 ../parser_interface.c:142
 #, c-format
 msgid "%s: ASSERT: Invalid option: %d\n"
 msgstr ""
 
 #: ../parser_interface.c:147 ../parser_interface.c:150
+#: ../parser_interface.c:127
 #, c-format
 msgid "Addition succeeded for \"%s\".\n"
 msgstr ""
 
 #: ../parser_interface.c:151 ../parser_interface.c:154
+#: ../parser_interface.c:131
 #, c-format
 msgid "Replacement succeeded for \"%s\".\n"
 msgstr ""
 
 #: ../parser_interface.c:155 ../parser_interface.c:158
+#: ../parser_interface.c:135
 #, c-format
 msgid "Removal succeeded for \"%s\".\n"
 msgstr ""
@@ -134,6 +143,7 @@ msgid "PANIC bad increment buffer %p pos %p ext %p size %d res %p\n"
 msgstr ""
 
 #: ../parser_interface.c:656 ../parser_interface.c:658
+#: ../parser_interface.c:446
 #, c-format
 msgid "profile %s network rules not enforced\n"
 msgstr ""
@@ -144,16 +154,19 @@ msgstr ""
 
 #: ../parser_interface.c:750 ../parser_interface.c:902
 #: ../parser_interface.c:743 ../parser_interface.c:894
+#: ../parser_interface.c:518 ../parser_interface.c:669
 #, c-format
 msgid "Unable to open %s - %s\n"
 msgstr ""
 
 #: ../parser_interface.c:776 ../parser_interface.c:768
+#: ../parser_interface.c:543
 #, c-format
 msgid "Memory Allocation Error: Unable to remove ^%s\n"
 msgstr ""
 
 #: ../parser_interface.c:789 ../parser_interface.c:781
+#: ../parser_interface.c:556
 #, c-format
 msgid "Memory Allocation Error: Unable to remove %s:%s."
 msgstr ""
@@ -169,21 +182,23 @@ msgstr ""
 
 #: ../parser_interface.c:829 ../parser_interface.c:916
 #: ../parser_interface.c:821 ../parser_interface.c:908
+#: ../parser_interface.c:582
 #, c-format
 msgid "%s: Unable to write entire profile entry\n"
 msgstr ""
 
 #: ../parser_interface.c:839 ../parser_interface.c:831
+#: ../parser_interface.c:593
 #, c-format
 msgid "%s: Unable to write entire profile entry to cache\n"
 msgstr ""
 
-#: parser_lex.l:100 parser_lex.l:163
+#: parser_lex.l:100 parser_lex.l:163 parser_lex.l:169
 #, c-format
 msgid "Could not open '%s'"
 msgstr ""
 
-#: parser_lex.l:104 parser_lex.l:167
+#: parser_lex.l:104 parser_lex.l:167 parser_lex.l:173
 #, c-format
 msgid "fstat failed for '%s'"
 msgstr ""
@@ -198,18 +213,18 @@ msgstr ""
 msgid "stat failed for '%s'"
 msgstr ""
 
-#: parser_lex.l:155 parser_lex.l:133
+#: parser_lex.l:155 parser_lex.l:133 parser_lex.l:139
 #, c-format
 msgid "Could not open '%s' in '%s'"
 msgstr ""
 
 #: parser_lex.l:284 parser_lex.l:322 parser_lex.l:362 parser_lex.l:399
-#: parser_lex.l:469 parser_lex.l:655 parser_lex.l:586
+#: parser_lex.l:469 parser_lex.l:655 parser_lex.l:586 parser_lex.l:638
 #, c-format
 msgid "Found unexpected character: '%s'"
 msgstr ""
 
-#: parser_lex.l:386 parser_lex.l:418
+#: parser_lex.l:386 parser_lex.l:418 parser_lex.l:428
 msgid "Variable declarations do not accept trailing commas"
 msgstr ""
 
@@ -218,7 +233,7 @@ msgstr ""
 msgid "(network_mode) Found unexpected character: '%s'"
 msgstr ""
 
-#: ../parser_main.c:333 ../parser_common.c:61
+#: ../parser_main.c:333 ../parser_common.c:61 ../parser_common.c:106
 #, c-format
 msgid "Warning from %s (%s%sline %d): %s"
 msgstr ""
@@ -228,21 +243,21 @@ msgstr ""
 msgid "%s: Could not allocate memory for subdomainbase mount point\n"
 msgstr ""
 
-#: ../parser_main.c:577 ../parser_main.c:616
+#: ../parser_main.c:577 ../parser_main.c:616 ../parser_main.c:479
 #, c-format
 msgid ""
 "Warning: unable to find a suitable fs in %s, is it mounted?\n"
 "Use --subdomainfs to override.\n"
 msgstr ""
 
-#: ../parser_main.c:597 ../parser_main.c:635
+#: ../parser_main.c:597 ../parser_main.c:635 ../parser_main.c:498
 #, c-format
 msgid ""
 "%s: Sorry. You need root privileges to run this program.\n"
 "\n"
 msgstr ""
 
-#: ../parser_main.c:604 ../parser_main.c:642
+#: ../parser_main.c:604 ../parser_main.c:642 ../parser_main.c:505
 #, c-format
 msgid ""
 "%s: Warning! You've set this program setuid root.\n"
@@ -251,7 +266,7 @@ msgid ""
 msgstr ""
 
 #: ../parser_main.c:704 ../parser_main.c:813 ../parser_main.c:836
-#: ../parser_main.c:946
+#: ../parser_main.c:946 ../parser_main.c:860
 #, c-format
 msgid "Error: Could not read profile %s: %s.\n"
 msgstr ""
@@ -267,40 +282,47 @@ msgstr ""
 #: parser_yacc.y:1042 parser_yacc.y:1078 parser_yacc.y:1082 parser_yacc.y:1092
 #: parser_yacc.y:1102 parser_yacc.y:1201 parser_yacc.y:1223 parser_yacc.y:1234
 #: parser_yacc.y:1309 parser_yacc.y:1327 parser_yacc.y:1334 parser_yacc.y:1385
+#: ../parser_main.c:735 ../parser_main.c:923 ../parser_main.c:1133
+#: ../parser_main.c:1187 parser_yacc.y:311 parser_yacc.y:462 parser_yacc.y:472
+#: parser_yacc.y:583 parser_yacc.y:662 parser_yacc.y:669 parser_yacc.y:1130
+#: parser_yacc.y:1166 parser_yacc.y:1170 parser_yacc.y:1180 parser_yacc.y:1190
+#: parser_yacc.y:1298 parser_yacc.y:1376 parser_yacc.y:1479 parser_yacc.y:1490
+#: parser_yacc.y:1565 parser_yacc.y:1583 parser_yacc.y:1590 parser_yacc.y:1639
+#: ../network.c:314 ../af_unix.cc:203
 msgid "Memory allocation error."
 msgstr ""
 
-#: ../parser_main.c:740 ../parser_main.c:872
+#: ../parser_main.c:740 ../parser_main.c:872 ../parser_main.c:757
 #, c-format
 msgid "Cached load succeeded for \"%s\".\n"
 msgstr ""
 
-#: ../parser_main.c:744 ../parser_main.c:876
+#: ../parser_main.c:744 ../parser_main.c:876 ../parser_main.c:761
 #, c-format
 msgid "Cached reload succeeded for \"%s\".\n"
 msgstr ""
 
-#: ../parser_main.c:910 ../parser_main.c:1058
+#: ../parser_main.c:910 ../parser_main.c:1058 ../parser_main.c:967
 #, c-format
 msgid "%s: Errors found in file. Aborting.\n"
 msgstr ""
 
-#: ../parser_misc.c:426 ../parser_misc.c:597
+#: ../parser_misc.c:426 ../parser_misc.c:597 ../parser_misc.c:339
 msgid ""
 "Uppercase qualifiers \"RWLIMX\" are deprecated, please convert to lowercase\n"
 "See the apparmor.d(5) manpage for details.\n"
 msgstr ""
 
 #: ../parser_misc.c:467 ../parser_misc.c:474 ../parser_misc.c:638
-#: ../parser_misc.c:645
+#: ../parser_misc.c:645 ../parser_misc.c:380 ../parser_misc.c:387
 msgid "Conflict 'a' and 'w' perms are mutually exclusive."
 msgstr ""
 
-#: ../parser_misc.c:491 ../parser_misc.c:662
+#: ../parser_misc.c:491 ../parser_misc.c:662 ../parser_misc.c:404
 msgid "Exec qualifier 'i' invalid, conflicting qualifier already specified"
 msgstr ""
 
-#: ../parser_misc.c:502 ../parser_misc.c:673
+#: ../parser_misc.c:502 ../parser_misc.c:673 ../parser_misc.c:415
 #, c-format
 msgid ""
 "Unconfined exec qualifier (%c%c) allows some dangerous environment variables "
@@ -308,24 +330,24 @@ msgid ""
 msgstr ""
 
 #: ../parser_misc.c:510 ../parser_misc.c:551 ../parser_misc.c:681
-#: ../parser_misc.c:722
+#: ../parser_misc.c:722 ../parser_misc.c:423 ../parser_misc.c:464
 #, c-format
 msgid "Exec qualifier '%c' invalid, conflicting qualifier already specified"
 msgstr ""
 
 #: ../parser_misc.c:537 ../parser_misc.c:545 ../parser_misc.c:708
-#: ../parser_misc.c:716
+#: ../parser_misc.c:716 ../parser_misc.c:450 ../parser_misc.c:458
 #, c-format
 msgid ""
 "Exec qualifier '%c%c' invalid, conflicting qualifier already specified"
 msgstr ""
 
-#: ../parser_misc.c:593 ../parser_misc.c:764
+#: ../parser_misc.c:593 ../parser_misc.c:764 ../parser_misc.c:506
 #, c-format
 msgid "Internal: unexpected mode character '%c' in input"
 msgstr ""
 
-#: ../parser_misc.c:615 ../parser_misc.c:786
+#: ../parser_misc.c:615 ../parser_misc.c:786 ../parser_misc.c:528
 #, c-format
 msgid "Internal error generated invalid perm 0x%llx\n"
 msgstr ""
@@ -336,131 +358,133 @@ msgstr ""
 msgid "AppArmor parser error: %s\n"
 msgstr ""
 
-#: ../parser_merge.c:92 ../parser_merge.c:91
+#: ../parser_merge.c:92 ../parser_merge.c:91 ../parser_merge.c:83
 msgid "Couldn't merge entries. Out of Memory\n"
 msgstr ""
 
-#: ../parser_merge.c:111 ../parser_merge.c:113
+#: ../parser_merge.c:111 ../parser_merge.c:113 ../parser_merge.c:105
 #, c-format
 msgid "profile %s: has merged rule %s with conflicting x modifiers\n"
 msgstr ""
 
-#: parser_yacc.y:236 parser_yacc.y:277
+#: parser_yacc.y:236 parser_yacc.y:277 parser_yacc.y:320
 msgid "Profile attachment must begin with a '/'."
 msgstr ""
 
-#: parser_yacc.y:260 parser_yacc.y:302
+#: parser_yacc.y:260 parser_yacc.y:302 parser_yacc.y:348
 msgid ""
 "Profile names must begin with a '/', namespace or keyword 'profile' or 'hat'."
 msgstr ""
 
-#: parser_yacc.y:296 parser_yacc.y:338
+#: parser_yacc.y:296 parser_yacc.y:338 parser_yacc.y:384
 #, c-format
 msgid "Failed to create alias %s -> %s\n"
 msgstr ""
 
-#: parser_yacc.y:417 parser_yacc.y:460
+#: parser_yacc.y:417 parser_yacc.y:460 parser_yacc.y:506
 msgid "Profile flag chroot_relative conflicts with namespace_relative"
 msgstr ""
 
-#: parser_yacc.y:421 parser_yacc.y:464
+#: parser_yacc.y:421 parser_yacc.y:464 parser_yacc.y:510
 msgid "Profile flag mediate_deleted conflicts with delegate_deleted"
 msgstr ""
 
-#: parser_yacc.y:424 parser_yacc.y:467
+#: parser_yacc.y:424 parser_yacc.y:467 parser_yacc.y:513
 msgid ""
 "Profile flag attach_disconnected conflicts with no_attach_disconnected"
 msgstr ""
 
-#: parser_yacc.y:427 parser_yacc.y:470
+#: parser_yacc.y:427 parser_yacc.y:470 parser_yacc.y:516
 msgid "Profile flag chroot_attach conflicts with chroot_no_attach"
 msgstr ""
 
-#: parser_yacc.y:441 parser_yacc.y:484
+#: parser_yacc.y:441 parser_yacc.y:484 parser_yacc.y:530
 msgid "Profile flag 'debug' is no longer valid."
 msgstr ""
 
-#: parser_yacc.y:463 parser_yacc.y:506
+#: parser_yacc.y:463 parser_yacc.y:506 parser_yacc.y:552
 #, c-format
 msgid "Invalid profile flag: %s."
 msgstr ""
 
-#: parser_yacc.y:498 parser_yacc.y:520 parser_yacc.y:548
+#: parser_yacc.y:498 parser_yacc.y:520 parser_yacc.y:548 parser_yacc.y:594
 msgid "Assert: `rule' returned NULL."
 msgstr ""
 
 #: parser_yacc.y:501 parser_yacc.y:546 parser_yacc.y:552 parser_yacc.y:584
+#: parser_yacc.y:598 parser_yacc.y:630
 msgid ""
 "Invalid mode, in deny rules 'x' must not be preceded by exec qualifier 'i', "
 "'p', or 'u'"
 msgstr ""
 
-#: parser_yacc.y:524 parser_yacc.y:556
+#: parser_yacc.y:524 parser_yacc.y:556 parser_yacc.y:602
 msgid ""
 "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', 'c', or 'u'"
 msgstr ""
 
-#: parser_yacc.y:549 parser_yacc.y:587
+#: parser_yacc.y:549 parser_yacc.y:587 parser_yacc.y:633
 msgid "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'"
 msgstr ""
 
-#: parser_yacc.y:574 parser_yacc.y:612 parser_yacc.y:614
+#: parser_yacc.y:574 parser_yacc.y:612 parser_yacc.y:614 parser_yacc.y:660
 msgid "Assert: `network_rule' return invalid protocol."
 msgstr ""
 
-#: parser_yacc.y:649 parser_yacc.y:696
+#: parser_yacc.y:649 parser_yacc.y:696 parser_yacc.y:786
 msgid "Assert: `change_profile' returned NULL."
 msgstr ""
 
-#: parser_yacc.y:680 parser_yacc.y:720
+#: parser_yacc.y:680 parser_yacc.y:720 parser_yacc.y:810
 msgid "Assert: 'hat rule' returned NULL."
 msgstr ""
 
-#: parser_yacc.y:689 parser_yacc.y:729
+#: parser_yacc.y:689 parser_yacc.y:729 parser_yacc.y:819
 msgid "Assert: 'local_profile rule' returned NULL."
 msgstr ""
 
-#: parser_yacc.y:824 parser_yacc.y:885
+#: parser_yacc.y:824 parser_yacc.y:885 parser_yacc.y:992
 #, c-format
 msgid "Unset boolean variable %s used in if-expression"
 msgstr ""
 
-#: parser_yacc.y:882 parser_yacc.y:986
+#: parser_yacc.y:882 parser_yacc.y:986 parser_yacc.y:1092
 msgid "unsafe rule missing exec permissions"
 msgstr ""
 
-#: parser_yacc.y:901 parser_yacc.y:954
+#: parser_yacc.y:901 parser_yacc.y:954 parser_yacc.y:1060
 msgid "subset can only be used with link rules."
 msgstr ""
 
-#: parser_yacc.y:903 parser_yacc.y:956
+#: parser_yacc.y:903 parser_yacc.y:956 parser_yacc.y:1062
 msgid "link and exec perms conflict on a file rule using ->"
 msgstr ""
 
-#: parser_yacc.y:905 parser_yacc.y:958
+#: parser_yacc.y:905 parser_yacc.y:958 parser_yacc.y:1064
 msgid "link perms are not allowed on a named profile transition.\n"
 msgstr ""
 
-#: parser_yacc.y:921 parser_yacc.y:1003
+#: parser_yacc.y:921 parser_yacc.y:1003 parser_yacc.y:1109
 #, c-format
 msgid "missing an end of line character? (entry: %s)"
 msgstr ""
 
 #: parser_yacc.y:975 parser_yacc.y:985 parser_yacc.y:1057 parser_yacc.y:1067
+#: parser_yacc.y:1145 parser_yacc.y:1155
 msgid "Invalid network entry."
 msgstr ""
 
-#: parser_yacc.y:1039 parser_yacc.y:1048 parser_yacc.y:1254
+#: parser_yacc.y:1039 parser_yacc.y:1048 parser_yacc.y:1254 parser_yacc.y:1510
 #, c-format
 msgid "Invalid capability %s."
 msgstr ""
 
-#: parser_yacc.y:1066 parser_yacc.y:1269
+#: parser_yacc.y:1066 parser_yacc.y:1269 parser_yacc.y:1525
 #, c-format
 msgid "AppArmor parser error for %s%s%s at line %d: %s\n"
 msgstr ""
 
-#: parser_yacc.y:1072 parser_yacc.y:1275
+#: parser_yacc.y:1072 parser_yacc.y:1275 parser_yacc.y:1531
 #, c-format
 msgid "AppArmor parser error,%s%s line %d: %s\n"
 msgstr ""
@@ -470,18 +494,18 @@ msgstr ""
 msgid "%s: Illegal open {, nesting groupings not allowed\n"
 msgstr ""
 
-#: ../parser_regex.c:265 ../parser_regex.c:274
+#: ../parser_regex.c:265 ../parser_regex.c:274 ../parser_regex.c:278
 #, c-format
 msgid "%s: Regex grouping error: Invalid number of items between {}\n"
 msgstr ""
 
-#: ../parser_regex.c:271 ../parser_regex.c:280
+#: ../parser_regex.c:271 ../parser_regex.c:280 ../parser_regex.c:284
 #, c-format
 msgid ""
 "%s: Regex grouping error: Invalid close }, no matching open { detected\n"
 msgstr ""
 
-#: ../parser_regex.c:337 ../parser_regex.c:343
+#: ../parser_regex.c:337 ../parser_regex.c:343 ../parser_regex.c:361
 #, c-format
 msgid ""
 "%s: Regex grouping error: Unclosed grouping or character class, expecting "
@@ -493,17 +517,17 @@ msgstr ""
 msgid "%s: Internal buffer overflow detected, %d characters exceeded\n"
 msgstr ""
 
-#: ../parser_regex.c:355 ../parser_regex.c:361
+#: ../parser_regex.c:355 ../parser_regex.c:361 ../parser_regex.c:377
 #, c-format
 msgid "%s: Unable to parse input line '%s'\n"
 msgstr ""
 
-#: ../parser_regex.c:397 ../parser_regex.c:405
+#: ../parser_regex.c:397 ../parser_regex.c:405 ../parser_regex.c:421
 #, c-format
 msgid "%s: Invalid profile name '%s' - bad regular expression\n"
 msgstr ""
 
-#: ../parser_policy.c:202 ../parser_policy.c:402
+#: ../parser_policy.c:202 ../parser_policy.c:402 ../parser_policy.c:375
 #, c-format
 msgid "ERROR merging rules for profile %s, failed to load\n"
 msgstr ""
@@ -516,17 +540,17 @@ msgid ""
 "\t'**' may only be used at the end of a rule.\n"
 msgstr ""
 
-#: ../parser_policy.c:279 ../parser_policy.c:359
+#: ../parser_policy.c:279 ../parser_policy.c:359 ../parser_policy.c:332
 #, c-format
 msgid "ERROR processing regexs for profile %s, failed to load\n"
 msgstr ""
 
-#: ../parser_policy.c:306 ../parser_policy.c:389
+#: ../parser_policy.c:306 ../parser_policy.c:389 ../parser_policy.c:362
 #, c-format
 msgid "ERROR expanding variables for profile %s, failed to load\n"
 msgstr ""
 
-#: ../parser_policy.c:390 ../parser_policy.c:382
+#: ../parser_policy.c:390 ../parser_policy.c:382 ../parser_policy.c:355
 #, c-format
 msgid "ERROR adding hat access rule for profile %s\n"
 msgstr ""
@@ -556,30 +580,31 @@ msgstr ""
 msgid "%s: Errors found in combining rules postprocessing. Aborting.\n"
 msgstr ""
 
-#: parser_lex.l:180
+#: parser_lex.l:180 parser_lex.l:186
 #, c-format
 msgid "Could not process include directory '%s' in '%s'"
 msgstr ""
 
-#: ../parser_main.c:660
+#: ../parser_main.c:660 ../parser_main.c:523
 msgid "Feature buffer full."
 msgstr ""
 
-#: ../parser_main.c:1115 ../parser_main.c:1132
+#: ../parser_main.c:1115 ../parser_main.c:1132 ../parser_main.c:1024
+#: ../parser_main.c:1041
 msgid "Out of memory"
 msgstr ""
 
-#: ../parser_main.c:1182
+#: ../parser_main.c:1182 ../parser_main.c:1091
 #, c-format
 msgid "Can't create cache directory: %s\n"
 msgstr ""
 
-#: ../parser_main.c:1185
+#: ../parser_main.c:1185 ../parser_main.c:1094
 #, c-format
 msgid "File in cache directory location: %s\n"
 msgstr ""
 
-#: ../parser_main.c:1188
+#: ../parser_main.c:1188 ../parser_main.c:1097
 #, c-format
 msgid "Can't update cache directory: %s\n"
 msgstr ""
@@ -594,11 +619,11 @@ msgstr ""
 msgid "Internal error generated invalid DBus perm 0x%x\n"
 msgstr ""
 
-#: parser_yacc.y:575
+#: parser_yacc.y:575 parser_yacc.y:621
 msgid "deny prefix not allowed"
 msgstr ""
 
-#: parser_yacc.y:612
+#: parser_yacc.y:612 parser_yacc.y:658
 msgid "owner prefix not allowed"
 msgstr ""
 
@@ -614,41 +639,41 @@ msgstr ""
 msgid "owner prefix not allow on capability rules"
 msgstr ""
 
-#: parser_yacc.y:1357
+#: parser_yacc.y:1357 parser_yacc.y:1613
 #, c-format
 msgid "invalid mount conditional %s%s"
 msgstr ""
 
-#: parser_yacc.y:1374
+#: parser_yacc.y:1374 parser_yacc.y:1628
 msgid "bad mount rule"
 msgstr ""
 
-#: parser_yacc.y:1381
+#: parser_yacc.y:1381 parser_yacc.y:1635
 msgid "mount point conditions not currently supported"
 msgstr ""
 
-#: parser_yacc.y:1398
+#: parser_yacc.y:1398 parser_yacc.y:1650
 #, c-format
 msgid "invalid pivotroot conditional '%s'"
 msgstr ""
 
-#: ../parser_regex.c:241
+#: ../parser_regex.c:241 ../parser_regex.c:236
 #, c-format
 msgid ""
 "%s: Regex grouping error: Invalid close ], no matching open [ detected\n"
 msgstr ""
 
-#: ../parser_regex.c:257
+#: ../parser_regex.c:257 ../parser_regex.c:256
 #, c-format
 msgid "%s: Regex grouping error: Exceeded maximum nesting of {}\n"
 msgstr ""
 
-#: ../parser_policy.c:366
+#: ../parser_policy.c:366 ../parser_policy.c:339
 #, c-format
 msgid "ERROR processing policydb rules for profile %s, failed to load\n"
 msgstr ""
 
-#: ../parser_policy.c:396
+#: ../parser_policy.c:396 ../parser_policy.c:369
 #, c-format
 msgid "ERROR replacing aliases for profile %s, failed to load\n"
 msgstr ""

parser/po/bn.po

@@ -9,15 +9,15 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2016-06-01 05:14+0000\n"
-"X-Generator: Launchpad (build 18053)\n"
+"X-Launchpad-Export-Date: 2019-04-18 05:32+0000\n"
+"X-Generator: Launchpad (build 18928)\n"
 "Language: bn\n"
 
-#: ../parser_include.c:113
+#: ../parser_include.c:113 ../parser_include.c:111
 msgid "Error: Out of memory.\n"
 msgstr ""
 
-#: ../parser_include.c:123
+#: ../parser_include.c:123 ../parser_include.c:121
 #, c-format
 msgid "Error: basedir %s is not a directory, skipping.\n"
 msgstr ""
@@ -27,97 +27,106 @@ msgstr ""
 msgid "Error: Could not add directory %s to search path.\n"
 msgstr ""
 
-#: ../parser_include.c:147
+#: ../parser_include.c:147 ../parser_include.c:151
 msgid "Error: Could not allocate memory.\n"
 msgstr ""
 
-#: ../parser_interface.c:69 ../parser_interface.c:72
+#: ../parser_interface.c:69 ../parser_interface.c:72 ../parser_interface.c:49
 msgid "Bad write position\n"
 msgstr "লেখার খারাপ অবস্থান\n"
 
-#: ../parser_interface.c:72 ../parser_interface.c:75
+#: ../parser_interface.c:72 ../parser_interface.c:75 ../parser_interface.c:52
 msgid "Permission denied\n"
 msgstr "অনুমতি অস্বীকার করা হয়েছে\n"
 
-#: ../parser_interface.c:75 ../parser_interface.c:78
+#: ../parser_interface.c:75 ../parser_interface.c:78 ../parser_interface.c:55
 msgid "Out of memory\n"
 msgstr "স্মৃতি পরিপূর্ণ\n"
 
-#: ../parser_interface.c:78 ../parser_interface.c:81
+#: ../parser_interface.c:78 ../parser_interface.c:81 ../parser_interface.c:58
 msgid "Couldn't copy profile: Bad memory address\n"
 msgstr ""
 
-#: ../parser_interface.c:81 ../parser_interface.c:84
+#: ../parser_interface.c:81 ../parser_interface.c:84 ../parser_interface.c:61
 msgid "Profile doesn't conform to protocol\n"
 msgstr "প্রোফাইল প্রোটোকল মেনে চলে না\n"
 
-#: ../parser_interface.c:84 ../parser_interface.c:87
+#: ../parser_interface.c:84 ../parser_interface.c:87 ../parser_interface.c:64
 msgid "Profile does not match signature\n"
 msgstr "প্রোফাইল স্বাক্ষরের সাথে মেলে না\n"
 
-#: ../parser_interface.c:87 ../parser_interface.c:90
+#: ../parser_interface.c:87 ../parser_interface.c:90 ../parser_interface.c:67
 msgid "Profile version not supported by Apparmor module\n"
 msgstr ""
 
-#: ../parser_interface.c:90 ../parser_interface.c:93
+#: ../parser_interface.c:90 ../parser_interface.c:93 ../parser_interface.c:70
 msgid "Profile already exists\n"
 msgstr "প্রোফাইল ইতোমধ্যেই বিদ্যমান\n"
 
-#: ../parser_interface.c:93 ../parser_interface.c:96
+#: ../parser_interface.c:93 ../parser_interface.c:96 ../parser_interface.c:73
 msgid "Profile doesn't exist\n"
 msgstr "প্রোফাইলের অস্তিত্ব নেই\n"
 
-#: ../parser_interface.c:96 ../parser_interface.c:99
+#: ../parser_interface.c:96 ../parser_interface.c:99 ../parser_interface.c:76
 msgid "Permission denied; attempted to load a profile while confined?\n"
 msgstr ""
 
-#: ../parser_interface.c:99 ../parser_interface.c:102
+#: ../parser_interface.c:99 ../parser_interface.c:102 ../parser_interface.c:79
 #, c-format
 msgid "Unknown error (%d): %s\n"
 msgstr ""
 
 #: ../parser_interface.c:116 ../parser_interface.c:119
+#: ../parser_interface.c:96
 #, c-format
 msgid "%s: Unable to add \"%s\".  "
 msgstr "%s: \"%s\" যোগ করতে পারে নি।  "
 
 #: ../parser_interface.c:121 ../parser_interface.c:124
+#: ../parser_interface.c:101
 #, c-format
 msgid "%s: Unable to replace \"%s\".  "
 msgstr "%s: \"%s\" প্রতিস্থাপন করতে পারে নি।  "
 
 #: ../parser_interface.c:126 ../parser_interface.c:129
+#: ../parser_interface.c:106
 #, c-format
 msgid "%s: Unable to remove \"%s\".  "
 msgstr "%s: \"%s\" অপসারণ করতে পারে নি।  "
 
 #: ../parser_interface.c:131 ../parser_interface.c:134
+#: ../parser_interface.c:111
 #, c-format
 msgid "%s: Unable to write to stdout\n"
 msgstr "%s: stdout এ লিখতে অক্ষম\n"
 
 #: ../parser_interface.c:135 ../parser_interface.c:138
+#: ../parser_interface.c:115
 #, c-format
 msgid "%s: Unable to write to output file\n"
 msgstr ""
 
 #: ../parser_interface.c:138 ../parser_interface.c:162
 #: ../parser_interface.c:141 ../parser_interface.c:165
+#: ../parser_interface.c:118 ../parser_interface.c:142
 #, c-format
 msgid "%s: ASSERT: Invalid option: %d\n"
 msgstr "%s: ASSERT: অবৈধ বিকল্প: %d\n"
 
 #: ../parser_interface.c:147 ../parser_interface.c:150
+#: ../parser_interface.c:127
 #, c-format
 msgid "Addition succeeded for \"%s\".\n"
 msgstr "\"%s\" এর ক্ষেত্রে যোগ করা সফল হয়েছে।\n"
 
 #: ../parser_interface.c:151 ../parser_interface.c:154
+#: ../parser_interface.c:131
 #, c-format
 msgid "Replacement succeeded for \"%s\".\n"
 msgstr "\"%s\" এর ক্ষেত্রে প্রতিস্থাপন সফল হয়েছে।\n"
 
 #: ../parser_interface.c:155 ../parser_interface.c:158
+#: ../parser_interface.c:135
 #, c-format
 msgid "Removal succeeded for \"%s\".\n"
 msgstr "\"%s\"এর ক্ষেত্রে অপসারণ সফল হয়েছে।\n"
@@ -128,6 +137,7 @@ msgid "PANIC bad increment buffer %p pos %p ext %p size %d res %p\n"
 msgstr "PANIC খারাপ ইনক্রিমেন্ট বাফার %p pos %p ext %p size %d res %p\n"
 
 #: ../parser_interface.c:656 ../parser_interface.c:658
+#: ../parser_interface.c:446
 #, c-format
 msgid "profile %s network rules not enforced\n"
 msgstr ""
@@ -138,16 +148,19 @@ msgstr ""
 
 #: ../parser_interface.c:750 ../parser_interface.c:902
 #: ../parser_interface.c:743 ../parser_interface.c:894
+#: ../parser_interface.c:518 ../parser_interface.c:669
 #, c-format
 msgid "Unable to open %s - %s\n"
 msgstr "%s খুলতে পারে নি - %s\n"
 
 #: ../parser_interface.c:776 ../parser_interface.c:768
+#: ../parser_interface.c:543
 #, c-format
 msgid "Memory Allocation Error: Unable to remove ^%s\n"
 msgstr ""
 
 #: ../parser_interface.c:789 ../parser_interface.c:781
+#: ../parser_interface.c:556
 #, c-format
 msgid "Memory Allocation Error: Unable to remove %s:%s."
 msgstr ""
@@ -163,21 +176,23 @@ msgstr "%s প্রোফাইল ক্রমিক করতে পারে
 
 #: ../parser_interface.c:829 ../parser_interface.c:916
 #: ../parser_interface.c:821 ../parser_interface.c:908
+#: ../parser_interface.c:582
 #, c-format
 msgid "%s: Unable to write entire profile entry\n"
 msgstr "%s: সমগ্র প্রোফাইল এনট্রি লিখতে অক্ষম\n"
 
 #: ../parser_interface.c:839 ../parser_interface.c:831
+#: ../parser_interface.c:593
 #, c-format
 msgid "%s: Unable to write entire profile entry to cache\n"
 msgstr ""
 
-#: parser_lex.l:100 parser_lex.l:163
+#: parser_lex.l:100 parser_lex.l:163 parser_lex.l:169
 #, c-format
 msgid "Could not open '%s'"
 msgstr ""
 
-#: parser_lex.l:104 parser_lex.l:167
+#: parser_lex.l:104 parser_lex.l:167 parser_lex.l:173
 #, c-format
 msgid "fstat failed for '%s'"
 msgstr ""
@@ -192,18 +207,18 @@ msgstr ""
 msgid "stat failed for '%s'"
 msgstr ""
 
-#: parser_lex.l:155 parser_lex.l:133
+#: parser_lex.l:155 parser_lex.l:133 parser_lex.l:139
 #, c-format
 msgid "Could not open '%s' in '%s'"
 msgstr ""
 
 #: parser_lex.l:284 parser_lex.l:322 parser_lex.l:362 parser_lex.l:399
-#: parser_lex.l:469 parser_lex.l:655 parser_lex.l:586
+#: parser_lex.l:469 parser_lex.l:655 parser_lex.l:586 parser_lex.l:638
 #, c-format
 msgid "Found unexpected character: '%s'"
 msgstr "অপ্রত্যাশিত অক্ষর পাওয়া গেছে: '%s'"
 
-#: parser_lex.l:386 parser_lex.l:418
+#: parser_lex.l:386 parser_lex.l:418 parser_lex.l:428
 msgid "Variable declarations do not accept trailing commas"
 msgstr ""
 
@@ -212,7 +227,7 @@ msgstr ""
 msgid "(network_mode) Found unexpected character: '%s'"
 msgstr ""
 
-#: ../parser_main.c:333 ../parser_common.c:61
+#: ../parser_main.c:333 ../parser_common.c:61 ../parser_common.c:106
 #, c-format
 msgid "Warning from %s (%s%sline %d): %s"
 msgstr ""
@@ -222,21 +237,21 @@ msgstr ""
 msgid "%s: Could not allocate memory for subdomainbase mount point\n"
 msgstr "%s: সাবডোমেনবেস মাউন্ট পয়েন্টের জন্যে স্মৃতি বন্টন করতে পারে নি\n"
 
-#: ../parser_main.c:577 ../parser_main.c:616
+#: ../parser_main.c:577 ../parser_main.c:616 ../parser_main.c:479
 #, c-format
 msgid ""
 "Warning: unable to find a suitable fs in %s, is it mounted?\n"
 "Use --subdomainfs to override.\n"
 msgstr ""
 
-#: ../parser_main.c:597 ../parser_main.c:635
+#: ../parser_main.c:597 ../parser_main.c:635 ../parser_main.c:498
 #, c-format
 msgid ""
 "%s: Sorry. You need root privileges to run this program.\n"
 "\n"
 msgstr ""
 
-#: ../parser_main.c:604 ../parser_main.c:642
+#: ../parser_main.c:604 ../parser_main.c:642 ../parser_main.c:505
 #, c-format
 msgid ""
 "%s: Warning! You've set this program setuid root.\n"
@@ -245,7 +260,7 @@ msgid ""
 msgstr ""
 
 #: ../parser_main.c:704 ../parser_main.c:813 ../parser_main.c:836
-#: ../parser_main.c:946
+#: ../parser_main.c:946 ../parser_main.c:860
 #, c-format
 msgid "Error: Could not read profile %s: %s.\n"
 msgstr ""
@@ -261,40 +276,47 @@ msgstr ""
 #: parser_yacc.y:1042 parser_yacc.y:1078 parser_yacc.y:1082 parser_yacc.y:1092
 #: parser_yacc.y:1102 parser_yacc.y:1201 parser_yacc.y:1223 parser_yacc.y:1234
 #: parser_yacc.y:1309 parser_yacc.y:1327 parser_yacc.y:1334 parser_yacc.y:1385
+#: ../parser_main.c:735 ../parser_main.c:923 ../parser_main.c:1133
+#: ../parser_main.c:1187 parser_yacc.y:311 parser_yacc.y:462 parser_yacc.y:472
+#: parser_yacc.y:583 parser_yacc.y:662 parser_yacc.y:669 parser_yacc.y:1130
+#: parser_yacc.y:1166 parser_yacc.y:1170 parser_yacc.y:1180 parser_yacc.y:1190
+#: parser_yacc.y:1298 parser_yacc.y:1376 parser_yacc.y:1479 parser_yacc.y:1490
+#: parser_yacc.y:1565 parser_yacc.y:1583 parser_yacc.y:1590 parser_yacc.y:1639
+#: ../network.c:314 ../af_unix.cc:203
 msgid "Memory allocation error."
 msgstr "স্মৃতি বন্টনে ত্রুটি।"
 
-#: ../parser_main.c:740 ../parser_main.c:872
+#: ../parser_main.c:740 ../parser_main.c:872 ../parser_main.c:757
 #, c-format
 msgid "Cached load succeeded for \"%s\".\n"
 msgstr ""
 
-#: ../parser_main.c:744 ../parser_main.c:876
+#: ../parser_main.c:744 ../parser_main.c:876 ../parser_main.c:761
 #, c-format
 msgid "Cached reload succeeded for \"%s\".\n"
 msgstr ""
 
-#: ../parser_main.c:910 ../parser_main.c:1058
+#: ../parser_main.c:910 ../parser_main.c:1058 ../parser_main.c:967
 #, c-format
 msgid "%s: Errors found in file. Aborting.\n"
 msgstr "%s: ফাইলে ত্রুটি পাওয়া গেছে। বাতিল করছে।\n"
 
-#: ../parser_misc.c:426 ../parser_misc.c:597
+#: ../parser_misc.c:426 ../parser_misc.c:597 ../parser_misc.c:339
 msgid ""
 "Uppercase qualifiers \"RWLIMX\" are deprecated, please convert to lowercase\n"
 "See the apparmor.d(5) manpage for details.\n"
 msgstr ""
 
 #: ../parser_misc.c:467 ../parser_misc.c:474 ../parser_misc.c:638
-#: ../parser_misc.c:645
+#: ../parser_misc.c:645 ../parser_misc.c:380 ../parser_misc.c:387
 msgid "Conflict 'a' and 'w' perms are mutually exclusive."
 msgstr ""
 
-#: ../parser_misc.c:491 ../parser_misc.c:662
+#: ../parser_misc.c:491 ../parser_misc.c:662 ../parser_misc.c:404
 msgid "Exec qualifier 'i' invalid, conflicting qualifier already specified"
 msgstr "Exec কোয়ালিফায়ার 'i' অবৈধ, বিবাদমান কোয়ালিফায়ার ইতোমধ্যেই বিদ্যমান"
 
-#: ../parser_misc.c:502 ../parser_misc.c:673
+#: ../parser_misc.c:502 ../parser_misc.c:673 ../parser_misc.c:415
 #, c-format
 msgid ""
 "Unconfined exec qualifier (%c%c) allows some dangerous environment variables "
@@ -302,24 +324,24 @@ msgid ""
 msgstr ""
 
 #: ../parser_misc.c:510 ../parser_misc.c:551 ../parser_misc.c:681
-#: ../parser_misc.c:722
+#: ../parser_misc.c:722 ../parser_misc.c:423 ../parser_misc.c:464
 #, c-format
 msgid "Exec qualifier '%c' invalid, conflicting qualifier already specified"
 msgstr ""
 
 #: ../parser_misc.c:537 ../parser_misc.c:545 ../parser_misc.c:708
-#: ../parser_misc.c:716
+#: ../parser_misc.c:716 ../parser_misc.c:450 ../parser_misc.c:458
 #, c-format
 msgid ""
 "Exec qualifier '%c%c' invalid, conflicting qualifier already specified"
 msgstr ""
 
-#: ../parser_misc.c:593 ../parser_misc.c:764
+#: ../parser_misc.c:593 ../parser_misc.c:764 ../parser_misc.c:506
 #, c-format
 msgid "Internal: unexpected mode character '%c' in input"
 msgstr ""
 
-#: ../parser_misc.c:615 ../parser_misc.c:786
+#: ../parser_misc.c:615 ../parser_misc.c:786 ../parser_misc.c:528
 #, c-format
 msgid "Internal error generated invalid perm 0x%llx\n"
 msgstr ""
@@ -330,131 +352,133 @@ msgstr ""
 msgid "AppArmor parser error: %s\n"
 msgstr ""
 
-#: ../parser_merge.c:92 ../parser_merge.c:91
+#: ../parser_merge.c:92 ../parser_merge.c:91 ../parser_merge.c:83
 msgid "Couldn't merge entries. Out of Memory\n"
 msgstr "এনট্রিগুলি একীভূত করতে পারে নি।স্মৃতি পরিপূর্ণ\n"
 
-#: ../parser_merge.c:111 ../parser_merge.c:113
+#: ../parser_merge.c:111 ../parser_merge.c:113 ../parser_merge.c:105
 #, c-format
 msgid "profile %s: has merged rule %s with conflicting x modifiers\n"
 msgstr ""
 
-#: parser_yacc.y:236 parser_yacc.y:277
+#: parser_yacc.y:236 parser_yacc.y:277 parser_yacc.y:320
 msgid "Profile attachment must begin with a '/'."
 msgstr ""
 
-#: parser_yacc.y:260 parser_yacc.y:302
+#: parser_yacc.y:260 parser_yacc.y:302 parser_yacc.y:348
 msgid ""
 "Profile names must begin with a '/', namespace or keyword 'profile' or 'hat'."
 msgstr ""
 
-#: parser_yacc.y:296 parser_yacc.y:338
+#: parser_yacc.y:296 parser_yacc.y:338 parser_yacc.y:384
 #, c-format
 msgid "Failed to create alias %s -> %s\n"
 msgstr ""
 
-#: parser_yacc.y:417 parser_yacc.y:460
+#: parser_yacc.y:417 parser_yacc.y:460 parser_yacc.y:506
 msgid "Profile flag chroot_relative conflicts with namespace_relative"
 msgstr ""
 
-#: parser_yacc.y:421 parser_yacc.y:464
+#: parser_yacc.y:421 parser_yacc.y:464 parser_yacc.y:510
 msgid "Profile flag mediate_deleted conflicts with delegate_deleted"
 msgstr ""
 
-#: parser_yacc.y:424 parser_yacc.y:467
+#: parser_yacc.y:424 parser_yacc.y:467 parser_yacc.y:513
 msgid ""
 "Profile flag attach_disconnected conflicts with no_attach_disconnected"
 msgstr ""
 
-#: parser_yacc.y:427 parser_yacc.y:470
+#: parser_yacc.y:427 parser_yacc.y:470 parser_yacc.y:516
 msgid "Profile flag chroot_attach conflicts with chroot_no_attach"
 msgstr ""
 
-#: parser_yacc.y:441 parser_yacc.y:484
+#: parser_yacc.y:441 parser_yacc.y:484 parser_yacc.y:530
 msgid "Profile flag 'debug' is no longer valid."
 msgstr ""
 
-#: parser_yacc.y:463 parser_yacc.y:506
+#: parser_yacc.y:463 parser_yacc.y:506 parser_yacc.y:552
 #, c-format
 msgid "Invalid profile flag: %s."
 msgstr ""
 
-#: parser_yacc.y:498 parser_yacc.y:520 parser_yacc.y:548
+#: parser_yacc.y:498 parser_yacc.y:520 parser_yacc.y:548 parser_yacc.y:594
 msgid "Assert: `rule' returned NULL."
 msgstr "দৃঢ় ঘোষণা: `rule' NULL ফেরত পাঠিয়েছে।"
 
 #: parser_yacc.y:501 parser_yacc.y:546 parser_yacc.y:552 parser_yacc.y:584
+#: parser_yacc.y:598 parser_yacc.y:630
 msgid ""
 "Invalid mode, in deny rules 'x' must not be preceded by exec qualifier 'i', "
 "'p', or 'u'"
 msgstr ""
 
-#: parser_yacc.y:524 parser_yacc.y:556
+#: parser_yacc.y:524 parser_yacc.y:556 parser_yacc.y:602
 msgid ""
 "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', 'c', or 'u'"
 msgstr ""
 
-#: parser_yacc.y:549 parser_yacc.y:587
+#: parser_yacc.y:549 parser_yacc.y:587 parser_yacc.y:633
 msgid "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'"
 msgstr ""
 
-#: parser_yacc.y:574 parser_yacc.y:612 parser_yacc.y:614
+#: parser_yacc.y:574 parser_yacc.y:612 parser_yacc.y:614 parser_yacc.y:660
 msgid "Assert: `network_rule' return invalid protocol."
 msgstr ""
 
-#: parser_yacc.y:649 parser_yacc.y:696
+#: parser_yacc.y:649 parser_yacc.y:696 parser_yacc.y:786
 msgid "Assert: `change_profile' returned NULL."
 msgstr ""
 
-#: parser_yacc.y:680 parser_yacc.y:720
+#: parser_yacc.y:680 parser_yacc.y:720 parser_yacc.y:810
 msgid "Assert: 'hat rule' returned NULL."
 msgstr "দৃঢ় ঘোষণা: `hat rule' NULL ফেরত পাঠিয়েছে।"
 
-#: parser_yacc.y:689 parser_yacc.y:729
+#: parser_yacc.y:689 parser_yacc.y:729 parser_yacc.y:819
 msgid "Assert: 'local_profile rule' returned NULL."
 msgstr ""
 
-#: parser_yacc.y:824 parser_yacc.y:885
+#: parser_yacc.y:824 parser_yacc.y:885 parser_yacc.y:992
 #, c-format
 msgid "Unset boolean variable %s used in if-expression"
 msgstr ""
 
-#: parser_yacc.y:882 parser_yacc.y:986
+#: parser_yacc.y:882 parser_yacc.y:986 parser_yacc.y:1092
 msgid "unsafe rule missing exec permissions"
 msgstr ""
 
-#: parser_yacc.y:901 parser_yacc.y:954
+#: parser_yacc.y:901 parser_yacc.y:954 parser_yacc.y:1060
 msgid "subset can only be used with link rules."
 msgstr ""
 
-#: parser_yacc.y:903 parser_yacc.y:956
+#: parser_yacc.y:903 parser_yacc.y:956 parser_yacc.y:1062
 msgid "link and exec perms conflict on a file rule using ->"
 msgstr ""
 
-#: parser_yacc.y:905 parser_yacc.y:958
+#: parser_yacc.y:905 parser_yacc.y:958 parser_yacc.y:1064
 msgid "link perms are not allowed on a named profile transition.\n"
 msgstr ""
 
-#: parser_yacc.y:921 parser_yacc.y:1003
+#: parser_yacc.y:921 parser_yacc.y:1003 parser_yacc.y:1109
 #, c-format
 msgid "missing an end of line character? (entry: %s)"
 msgstr "লাইন সমাপ্তির অক্ষর অনুপস্থিত? (এনট্রি: %s)"
 
 #: parser_yacc.y:975 parser_yacc.y:985 parser_yacc.y:1057 parser_yacc.y:1067
+#: parser_yacc.y:1145 parser_yacc.y:1155
 msgid "Invalid network entry."
 msgstr ""
 
-#: parser_yacc.y:1039 parser_yacc.y:1048 parser_yacc.y:1254
+#: parser_yacc.y:1039 parser_yacc.y:1048 parser_yacc.y:1254 parser_yacc.y:1510
 #, c-format
 msgid "Invalid capability %s."
 msgstr ""
 
-#: parser_yacc.y:1066 parser_yacc.y:1269
+#: parser_yacc.y:1066 parser_yacc.y:1269 parser_yacc.y:1525
 #, c-format
 msgid "AppArmor parser error for %s%s%s at line %d: %s\n"
 msgstr ""
 
-#: parser_yacc.y:1072 parser_yacc.y:1275
+#: parser_yacc.y:1072 parser_yacc.y:1275 parser_yacc.y:1531
 #, c-format
 msgid "AppArmor parser error,%s%s line %d: %s\n"
 msgstr ""
@@ -464,19 +488,19 @@ msgstr ""
 msgid "%s: Illegal open {, nesting groupings not allowed\n"
 msgstr "%s: অবৈধ খোলা {, নেস্টিং গ্রুপিংয়ের অনুমতি নেই\n"
 
-#: ../parser_regex.c:265 ../parser_regex.c:274
+#: ../parser_regex.c:265 ../parser_regex.c:274 ../parser_regex.c:278
 #, c-format
 msgid "%s: Regex grouping error: Invalid number of items between {}\n"
 msgstr "%s: Regex দলবদ্ধকরণের ত্রুটি: {} এর মধ্যে অবৈধ সংখ্যক বস্তু\n"
 
-#: ../parser_regex.c:271 ../parser_regex.c:280
+#: ../parser_regex.c:271 ../parser_regex.c:280 ../parser_regex.c:284
 #, c-format
 msgid ""
 "%s: Regex grouping error: Invalid close }, no matching open { detected\n"
 msgstr ""
 "%s: Regex দলবদ্ধকরণের ত্রুটি: অবৈধ বন্ধ }, কোন মিলযুক্ত খোলা{ পাওয়া যায় নি\n"
 
-#: ../parser_regex.c:337 ../parser_regex.c:343
+#: ../parser_regex.c:337 ../parser_regex.c:343 ../parser_regex.c:361
 #, c-format
 msgid ""
 "%s: Regex grouping error: Unclosed grouping or character class, expecting "
@@ -489,17 +513,17 @@ msgid "%s: Internal buffer overflow detected, %d characters exceeded\n"
 msgstr ""
 "%s: অভ্যন্তরীণ বাফার অতিপ্রবাহের সন্ধান পাওয়া গেছে,  %d গুলি অক্ষর বেশি\n"
 
-#: ../parser_regex.c:355 ../parser_regex.c:361
+#: ../parser_regex.c:355 ../parser_regex.c:361 ../parser_regex.c:377
 #, c-format
 msgid "%s: Unable to parse input line '%s'\n"
 msgstr "%s: ইনপুট ফাইল '%s' পার্স করতে অক্ষম\n"
 
-#: ../parser_regex.c:397 ../parser_regex.c:405
+#: ../parser_regex.c:397 ../parser_regex.c:405 ../parser_regex.c:421
 #, c-format
 msgid "%s: Invalid profile name '%s' - bad regular expression\n"
 msgstr ""
 
-#: ../parser_policy.c:202 ../parser_policy.c:402
+#: ../parser_policy.c:202 ../parser_policy.c:402 ../parser_policy.c:375
 #, c-format
 msgid "ERROR merging rules for profile %s, failed to load\n"
 msgstr ""
@@ -512,17 +536,17 @@ msgid ""
 "\t'**' may only be used at the end of a rule.\n"
 msgstr ""
 
-#: ../parser_policy.c:279 ../parser_policy.c:359
+#: ../parser_policy.c:279 ../parser_policy.c:359 ../parser_policy.c:332
 #, c-format
 msgid "ERROR processing regexs for profile %s, failed to load\n"
 msgstr ""
 
-#: ../parser_policy.c:306 ../parser_policy.c:389
+#: ../parser_policy.c:306 ../parser_policy.c:389 ../parser_policy.c:362
 #, c-format
 msgid "ERROR expanding variables for profile %s, failed to load\n"
 msgstr ""
 
-#: ../parser_policy.c:390 ../parser_policy.c:382
+#: ../parser_policy.c:390 ../parser_policy.c:382 ../parser_policy.c:355
 #, c-format
 msgid "ERROR adding hat access rule for profile %s\n"
 msgstr ""
@@ -553,30 +577,31 @@ msgid "%s: Errors found in combining rules postprocessing. Aborting.\n"
 msgstr ""
 "%s: পোস্টপ্রসেসিং নিয়মাবলী একীভূত করায় ত্রুটি পাওয়া গেছে। বাতিল করছে।\n"
 
-#: parser_lex.l:180
+#: parser_lex.l:180 parser_lex.l:186
 #, c-format
 msgid "Could not process include directory '%s' in '%s'"
 msgstr ""
 
-#: ../parser_main.c:660
+#: ../parser_main.c:660 ../parser_main.c:523
 msgid "Feature buffer full."
 msgstr ""
 
-#: ../parser_main.c:1115 ../parser_main.c:1132
+#: ../parser_main.c:1115 ../parser_main.c:1132 ../parser_main.c:1024
+#: ../parser_main.c:1041
 msgid "Out of memory"
 msgstr ""
 
-#: ../parser_main.c:1182
+#: ../parser_main.c:1182 ../parser_main.c:1091
 #, c-format
 msgid "Can't create cache directory: %s\n"
 msgstr ""
 
-#: ../parser_main.c:1185
+#: ../parser_main.c:1185 ../parser_main.c:1094
 #, c-format
 msgid "File in cache directory location: %s\n"
 msgstr ""
 
-#: ../parser_main.c:1188
+#: ../parser_main.c:1188 ../parser_main.c:1097
 #, c-format
 msgid "Can't update cache directory: %s\n"
 msgstr ""
@@ -591,11 +616,11 @@ msgstr ""
 msgid "Internal error generated invalid DBus perm 0x%x\n"
 msgstr ""
 
-#: parser_yacc.y:575
+#: parser_yacc.y:575 parser_yacc.y:621
 msgid "deny prefix not allowed"
 msgstr ""
 
-#: parser_yacc.y:612
+#: parser_yacc.y:612 parser_yacc.y:658
 msgid "owner prefix not allowed"
 msgstr ""
 
@@ -611,41 +636,41 @@ msgstr ""
 msgid "owner prefix not allow on capability rules"
 msgstr ""
 
-#: parser_yacc.y:1357
+#: parser_yacc.y:1357 parser_yacc.y:1613
 #, c-format
 msgid "invalid mount conditional %s%s"
 msgstr ""
 
-#: parser_yacc.y:1374
+#: parser_yacc.y:1374 parser_yacc.y:1628
 msgid "bad mount rule"
 msgstr ""
 
-#: parser_yacc.y:1381
+#: parser_yacc.y:1381 parser_yacc.y:1635
 msgid "mount point conditions not currently supported"
 msgstr ""
 
-#: parser_yacc.y:1398
+#: parser_yacc.y:1398 parser_yacc.y:1650
 #, c-format
 msgid "invalid pivotroot conditional '%s'"
 msgstr ""
 
-#: ../parser_regex.c:241
+#: ../parser_regex.c:241 ../parser_regex.c:236
 #, c-format
 msgid ""
 "%s: Regex grouping error: Invalid close ], no matching open [ detected\n"
 msgstr ""
 
-#: ../parser_regex.c:257
+#: ../parser_regex.c:257 ../parser_regex.c:256
 #, c-format
 msgid "%s: Regex grouping error: Exceeded maximum nesting of {}\n"
 msgstr ""
 
-#: ../parser_policy.c:366
+#: ../parser_policy.c:366 ../parser_policy.c:339
 #, c-format
 msgid "ERROR processing policydb rules for profile %s, failed to load\n"
 msgstr ""
 
-#: ../parser_policy.c:396
+#: ../parser_policy.c:396 ../parser_policy.c:369
 #, c-format
 msgid "ERROR replacing aliases for profile %s, failed to load\n"
 msgstr ""

parser/po/bs.po

@@ -14,15 +14,15 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2016-06-01 05:14+0000\n"
-"X-Generator: Launchpad (build 18053)\n"
+"X-Launchpad-Export-Date: 2019-04-18 05:32+0000\n"
+"X-Generator: Launchpad (build 18928)\n"
 "Language: bs\n"
 
-#: ../parser_include.c:113
+#: ../parser_include.c:113 ../parser_include.c:111
 msgid "Error: Out of memory.\n"
 msgstr "Greška: Nema više memorije.\n"
 
-#: ../parser_include.c:123
+#: ../parser_include.c:123 ../parser_include.c:121
 #, c-format
 msgid "Error: basedir %s is not a directory, skipping.\n"
 msgstr "Greška: osnovni direktorij %s nije direktorij, preskačem.\n"
@@ -32,97 +32,106 @@ msgstr "Greška: osnovni direktorij %s nije direktorij, preskačem.\n"
 msgid "Error: Could not add directory %s to search path.\n"
 msgstr "Greška: Ne mogu dodati direktorij  %s u stazu koja se traži.\n"
 
-#: ../parser_include.c:147
+#: ../parser_include.c:147 ../parser_include.c:151
 msgid "Error: Could not allocate memory.\n"
 msgstr "Greška: Ne mogu alocirati memoriju.\n"
 
-#: ../parser_interface.c:69 ../parser_interface.c:72
+#: ../parser_interface.c:69 ../parser_interface.c:72 ../parser_interface.c:49
 msgid "Bad write position\n"
 msgstr "Neipravan položaj za zapisivanje\n"
 
-#: ../parser_interface.c:72 ../parser_interface.c:75
+#: ../parser_interface.c:72 ../parser_interface.c:75 ../parser_interface.c:52
 msgid "Permission denied\n"
 msgstr "Odobrenje odbijeno\n"
 
-#: ../parser_interface.c:75 ../parser_interface.c:78
+#: ../parser_interface.c:75 ../parser_interface.c:78 ../parser_interface.c:55
 msgid "Out of memory\n"
 msgstr "Nedostaje mi slobodne memorije\n"
 
-#: ../parser_interface.c:78 ../parser_interface.c:81
+#: ../parser_interface.c:78 ../parser_interface.c:81 ../parser_interface.c:58
 msgid "Couldn't copy profile: Bad memory address\n"
 msgstr "Ne mogu kopirati profil: Loša memorijska adresa\n"
 
-#: ../parser_interface.c:81 ../parser_interface.c:84
+#: ../parser_interface.c:81 ../parser_interface.c:84 ../parser_interface.c:61
 msgid "Profile doesn't conform to protocol\n"
 msgstr "Profil ne odgovara protokolu\n"
 
-#: ../parser_interface.c:84 ../parser_interface.c:87
+#: ../parser_interface.c:84 ../parser_interface.c:87 ../parser_interface.c:64
 msgid "Profile does not match signature\n"
 msgstr "Profil ne odgovara potpisu\n"
 
-#: ../parser_interface.c:87 ../parser_interface.c:90
+#: ../parser_interface.c:87 ../parser_interface.c:90 ../parser_interface.c:67
 msgid "Profile version not supported by Apparmor module\n"
 msgstr "Verzija profila nije podržana Apparmor modulom\n"
 
-#: ../parser_interface.c:90 ../parser_interface.c:93
+#: ../parser_interface.c:90 ../parser_interface.c:93 ../parser_interface.c:70
 msgid "Profile already exists\n"
 msgstr "Profil već postoji\n"
 
-#: ../parser_interface.c:93 ../parser_interface.c:96
+#: ../parser_interface.c:93 ../parser_interface.c:96 ../parser_interface.c:73
 msgid "Profile doesn't exist\n"
 msgstr "Profil ne postoji\n"
 
-#: ../parser_interface.c:96 ../parser_interface.c:99
+#: ../parser_interface.c:96 ../parser_interface.c:99 ../parser_interface.c:76
 msgid "Permission denied; attempted to load a profile while confined?\n"
 msgstr "Dozvola odbijena; pokušao da učita profil, dok je zatvoren?\n"
 
-#: ../parser_interface.c:99 ../parser_interface.c:102
+#: ../parser_interface.c:99 ../parser_interface.c:102 ../parser_interface.c:79
 #, c-format
 msgid "Unknown error (%d): %s\n"
 msgstr "Nepoznata greška (%d): %s\n"
 
 #: ../parser_interface.c:116 ../parser_interface.c:119
+#: ../parser_interface.c:96
 #, c-format
 msgid "%s: Unable to add \"%s\".  "
 msgstr "%s: Ne mogu dodati \"%s\".  "
 
 #: ../parser_interface.c:121 ../parser_interface.c:124
+#: ../parser_interface.c:101
 #, c-format
 msgid "%s: Unable to replace \"%s\".  "
 msgstr "%s: Ne mogu zamijeniti \"%s\".  "
 
 #: ../parser_interface.c:126 ../parser_interface.c:129
+#: ../parser_interface.c:106
 #, c-format
 msgid "%s: Unable to remove \"%s\".  "
 msgstr "%s : Ne mogu ukloniti  \"%s\".  "
 
 #: ../parser_interface.c:131 ../parser_interface.c:134
+#: ../parser_interface.c:111
 #, c-format
 msgid "%s: Unable to write to stdout\n"
 msgstr "%s: Ne mogu pisati na stdout\n"
 
 #: ../parser_interface.c:135 ../parser_interface.c:138
+#: ../parser_interface.c:115
 #, c-format
 msgid "%s: Unable to write to output file\n"
 msgstr "%s: Ne mogu pisati u izlaznu datoteku\n"
 
 #: ../parser_interface.c:138 ../parser_interface.c:162
 #: ../parser_interface.c:141 ../parser_interface.c:165
+#: ../parser_interface.c:118 ../parser_interface.c:142
 #, c-format
 msgid "%s: ASSERT: Invalid option: %d\n"
 msgstr "%s: PROVJERA: Neispravan izbor: %d\n"
 
 #: ../parser_interface.c:147 ../parser_interface.c:150
+#: ../parser_interface.c:127
 #, c-format
 msgid "Addition succeeded for \"%s\".\n"
 msgstr "Dodavanje je uspjelo za \"%s\".\n"
 
 #: ../parser_interface.c:151 ../parser_interface.c:154
+#: ../parser_interface.c:131
 #, c-format
 msgid "Replacement succeeded for \"%s\".\n"
 msgstr "Zamjena je uspjela za \"%s\".\n"
 
 #: ../parser_interface.c:155 ../parser_interface.c:158
+#: ../parser_interface.c:135
 #, c-format
 msgid "Removal succeeded for \"%s\".\n"
 msgstr "Uklanjanje je uspjelo za \"%s\".\n"
@@ -134,6 +143,7 @@ msgstr ""
 "PANIKA neispravan inkrementalni spremnik %p pol %p ekst %p vel %d raz %p\n"
 
 #: ../parser_interface.c:656 ../parser_interface.c:658
+#: ../parser_interface.c:446
 #, c-format
 msgid "profile %s network rules not enforced\n"
 msgstr "profil %s mrežna pravila nisu primijenjena\n"
@@ -144,16 +154,19 @@ msgstr "Nepoznat tip uzorka\n"
 
 #: ../parser_interface.c:750 ../parser_interface.c:902
 #: ../parser_interface.c:743 ../parser_interface.c:894
+#: ../parser_interface.c:518 ../parser_interface.c:669
 #, c-format
 msgid "Unable to open %s - %s\n"
 msgstr "Ne mogu otvoriti %s - %s\n"
 
 #: ../parser_interface.c:776 ../parser_interface.c:768
+#: ../parser_interface.c:543
 #, c-format
 msgid "Memory Allocation Error: Unable to remove ^%s\n"
 msgstr "Greška memorijske alokacije: Ne mogu ukloniti ^%s\n"
 
 #: ../parser_interface.c:789 ../parser_interface.c:781
+#: ../parser_interface.c:556
 #, c-format
 msgid "Memory Allocation Error: Unable to remove %s:%s."
 msgstr "Greška memorijske alokacije: Ne mogu ukloniti %s:%s."
@@ -169,21 +182,23 @@ msgstr ""
 
 #: ../parser_interface.c:829 ../parser_interface.c:916
 #: ../parser_interface.c:821 ../parser_interface.c:908
+#: ../parser_interface.c:582
 #, c-format
 msgid "%s: Unable to write entire profile entry\n"
 msgstr ""
 
 #: ../parser_interface.c:839 ../parser_interface.c:831
+#: ../parser_interface.c:593
 #, c-format
 msgid "%s: Unable to write entire profile entry to cache\n"
 msgstr ""
 
-#: parser_lex.l:100 parser_lex.l:163
+#: parser_lex.l:100 parser_lex.l:163 parser_lex.l:169
 #, c-format
 msgid "Could not open '%s'"
 msgstr ""
 
-#: parser_lex.l:104 parser_lex.l:167
+#: parser_lex.l:104 parser_lex.l:167 parser_lex.l:173
 #, c-format
 msgid "fstat failed for '%s'"
 msgstr ""
@@ -198,18 +213,18 @@ msgstr ""
 msgid "stat failed for '%s'"
 msgstr ""
 
-#: parser_lex.l:155 parser_lex.l:133
+#: parser_lex.l:155 parser_lex.l:133 parser_lex.l:139
 #, c-format
 msgid "Could not open '%s' in '%s'"
 msgstr ""
 
 #: parser_lex.l:284 parser_lex.l:322 parser_lex.l:362 parser_lex.l:399
-#: parser_lex.l:469 parser_lex.l:655 parser_lex.l:586
+#: parser_lex.l:469 parser_lex.l:655 parser_lex.l:586 parser_lex.l:638
 #, c-format
 msgid "Found unexpected character: '%s'"
 msgstr ""
 
-#: parser_lex.l:386 parser_lex.l:418
+#: parser_lex.l:386 parser_lex.l:418 parser_lex.l:428
 msgid "Variable declarations do not accept trailing commas"
 msgstr ""
 
@@ -218,7 +233,7 @@ msgstr ""
 msgid "(network_mode) Found unexpected character: '%s'"
 msgstr ""
 
-#: ../parser_main.c:333 ../parser_common.c:61
+#: ../parser_main.c:333 ../parser_common.c:61 ../parser_common.c:106
 #, c-format
 msgid "Warning from %s (%s%sline %d): %s"
 msgstr ""
@@ -228,21 +243,21 @@ msgstr ""
 msgid "%s: Could not allocate memory for subdomainbase mount point\n"
 msgstr ""
 
-#: ../parser_main.c:577 ../parser_main.c:616
+#: ../parser_main.c:577 ../parser_main.c:616 ../parser_main.c:479
 #, c-format
 msgid ""
 "Warning: unable to find a suitable fs in %s, is it mounted?\n"
 "Use --subdomainfs to override.\n"
 msgstr ""
 
-#: ../parser_main.c:597 ../parser_main.c:635
+#: ../parser_main.c:597 ../parser_main.c:635 ../parser_main.c:498
 #, c-format
 msgid ""
 "%s: Sorry. You need root privileges to run this program.\n"
 "\n"
 msgstr ""
 
-#: ../parser_main.c:604 ../parser_main.c:642
+#: ../parser_main.c:604 ../parser_main.c:642 ../parser_main.c:505
 #, c-format
 msgid ""
 "%s: Warning! You've set this program setuid root.\n"
@@ -251,7 +266,7 @@ msgid ""
 msgstr ""
 
 #: ../parser_main.c:704 ../parser_main.c:813 ../parser_main.c:836
-#: ../parser_main.c:946
+#: ../parser_main.c:946 ../parser_main.c:860
 #, c-format
 msgid "Error: Could not read profile %s: %s.\n"
 msgstr ""
@@ -267,40 +282,47 @@ msgstr ""
 #: parser_yacc.y:1042 parser_yacc.y:1078 parser_yacc.y:1082 parser_yacc.y:1092
 #: parser_yacc.y:1102 parser_yacc.y:1201 parser_yacc.y:1223 parser_yacc.y:1234
 #: parser_yacc.y:1309 parser_yacc.y:1327 parser_yacc.y:1334 parser_yacc.y:1385
+#: ../parser_main.c:735 ../parser_main.c:923 ../parser_main.c:1133
+#: ../parser_main.c:1187 parser_yacc.y:311 parser_yacc.y:462 parser_yacc.y:472
+#: parser_yacc.y:583 parser_yacc.y:662 parser_yacc.y:669 parser_yacc.y:1130
+#: parser_yacc.y:1166 parser_yacc.y:1170 parser_yacc.y:1180 parser_yacc.y:1190
+#: parser_yacc.y:1298 parser_yacc.y:1376 parser_yacc.y:1479 parser_yacc.y:1490
+#: parser_yacc.y:1565 parser_yacc.y:1583 parser_yacc.y:1590 parser_yacc.y:1639
+#: ../network.c:314 ../af_unix.cc:203
 msgid "Memory allocation error."
 msgstr ""
 
-#: ../parser_main.c:740 ../parser_main.c:872
+#: ../parser_main.c:740 ../parser_main.c:872 ../parser_main.c:757
 #, c-format
 msgid "Cached load succeeded for \"%s\".\n"
 msgstr ""
 
-#: ../parser_main.c:744 ../parser_main.c:876
+#: ../parser_main.c:744 ../parser_main.c:876 ../parser_main.c:761
 #, c-format
 msgid "Cached reload succeeded for \"%s\".\n"
 msgstr ""
 
-#: ../parser_main.c:910 ../parser_main.c:1058
+#: ../parser_main.c:910 ../parser_main.c:1058 ../parser_main.c:967
 #, c-format
 msgid "%s: Errors found in file. Aborting.\n"
 msgstr ""
 
-#: ../parser_misc.c:426 ../parser_misc.c:597
+#: ../parser_misc.c:426 ../parser_misc.c:597 ../parser_misc.c:339
 msgid ""
 "Uppercase qualifiers \"RWLIMX\" are deprecated, please convert to lowercase\n"
 "See the apparmor.d(5) manpage for details.\n"
 msgstr ""
 
 #: ../parser_misc.c:467 ../parser_misc.c:474 ../parser_misc.c:638
-#: ../parser_misc.c:645
+#: ../parser_misc.c:645 ../parser_misc.c:380 ../parser_misc.c:387
 msgid "Conflict 'a' and 'w' perms are mutually exclusive."
 msgstr ""
 
-#: ../parser_misc.c:491 ../parser_misc.c:662
+#: ../parser_misc.c:491 ../parser_misc.c:662 ../parser_misc.c:404
 msgid "Exec qualifier 'i' invalid, conflicting qualifier already specified"
 msgstr ""
 
-#: ../parser_misc.c:502 ../parser_misc.c:673
+#: ../parser_misc.c:502 ../parser_misc.c:673 ../parser_misc.c:415
 #, c-format
 msgid ""
 "Unconfined exec qualifier (%c%c) allows some dangerous environment variables "
@@ -308,24 +330,24 @@ msgid ""
 msgstr ""
 
 #: ../parser_misc.c:510 ../parser_misc.c:551 ../parser_misc.c:681
-#: ../parser_misc.c:722
+#: ../parser_misc.c:722 ../parser_misc.c:423 ../parser_misc.c:464
 #, c-format
 msgid "Exec qualifier '%c' invalid, conflicting qualifier already specified"
 msgstr ""
 
 #: ../parser_misc.c:537 ../parser_misc.c:545 ../parser_misc.c:708
-#: ../parser_misc.c:716
+#: ../parser_misc.c:716 ../parser_misc.c:450 ../parser_misc.c:458
 #, c-format
 msgid ""
 "Exec qualifier '%c%c' invalid, conflicting qualifier already specified"
 msgstr ""
 
-#: ../parser_misc.c:593 ../parser_misc.c:764
+#: ../parser_misc.c:593 ../parser_misc.c:764 ../parser_misc.c:506
 #, c-format
 msgid "Internal: unexpected mode character '%c' in input"
 msgstr ""
 
-#: ../parser_misc.c:615 ../parser_misc.c:786
+#: ../parser_misc.c:615 ../parser_misc.c:786 ../parser_misc.c:528
 #, c-format
 msgid "Internal error generated invalid perm 0x%llx\n"
 msgstr ""
@@ -336,131 +358,133 @@ msgstr ""
 msgid "AppArmor parser error: %s\n"
 msgstr ""
 
-#: ../parser_merge.c:92 ../parser_merge.c:91
+#: ../parser_merge.c:92 ../parser_merge.c:91 ../parser_merge.c:83
 msgid "Couldn't merge entries. Out of Memory\n"
 msgstr ""
 
-#: ../parser_merge.c:111 ../parser_merge.c:113
+#: ../parser_merge.c:111 ../parser_merge.c:113 ../parser_merge.c:105
 #, c-format
 msgid "profile %s: has merged rule %s with conflicting x modifiers\n"
 msgstr ""
 
-#: parser_yacc.y:236 parser_yacc.y:277
+#: parser_yacc.y:236 parser_yacc.y:277 parser_yacc.y:320
 msgid "Profile attachment must begin with a '/'."
 msgstr ""
 
-#: parser_yacc.y:260 parser_yacc.y:302
+#: parser_yacc.y:260 parser_yacc.y:302 parser_yacc.y:348
 msgid ""
 "Profile names must begin with a '/', namespace or keyword 'profile' or 'hat'."
 msgstr ""
 
-#: parser_yacc.y:296 parser_yacc.y:338
+#: parser_yacc.y:296 parser_yacc.y:338 parser_yacc.y:384
 #, c-format
 msgid "Failed to create alias %s -> %s\n"
 msgstr ""
 
-#: parser_yacc.y:417 parser_yacc.y:460
+#: parser_yacc.y:417 parser_yacc.y:460 parser_yacc.y:506
 msgid "Profile flag chroot_relative conflicts with namespace_relative"
 msgstr ""
 
-#: parser_yacc.y:421 parser_yacc.y:464
+#: parser_yacc.y:421 parser_yacc.y:464 parser_yacc.y:510
 msgid "Profile flag mediate_deleted conflicts with delegate_deleted"
 msgstr ""
 
-#: parser_yacc.y:424 parser_yacc.y:467
+#: parser_yacc.y:424 parser_yacc.y:467 parser_yacc.y:513
 msgid ""
 "Profile flag attach_disconnected conflicts with no_attach_disconnected"
 msgstr ""
 
-#: parser_yacc.y:427 parser_yacc.y:470
+#: parser_yacc.y:427 parser_yacc.y:470 parser_yacc.y:516
 msgid "Profile flag chroot_attach conflicts with chroot_no_attach"
 msgstr ""
 
-#: parser_yacc.y:441 parser_yacc.y:484
+#: parser_yacc.y:441 parser_yacc.y:484 parser_yacc.y:530
 msgid "Profile flag 'debug' is no longer valid."
 msgstr ""
 
-#: parser_yacc.y:463 parser_yacc.y:506
+#: parser_yacc.y:463 parser_yacc.y:506 parser_yacc.y:552
 #, c-format
 msgid "Invalid profile flag: %s."
 msgstr ""
 
-#: parser_yacc.y:498 parser_yacc.y:520 parser_yacc.y:548
+#: parser_yacc.y:498 parser_yacc.y:520 parser_yacc.y:548 parser_yacc.y:594
 msgid "Assert: `rule' returned NULL."
 msgstr ""
 
 #: parser_yacc.y:501 parser_yacc.y:546 parser_yacc.y:552 parser_yacc.y:584
+#: parser_yacc.y:598 parser_yacc.y:630
 msgid ""
 "Invalid mode, in deny rules 'x' must not be preceded by exec qualifier 'i', "
 "'p', or 'u'"
 msgstr ""
 
-#: parser_yacc.y:524 parser_yacc.y:556
+#: parser_yacc.y:524 parser_yacc.y:556 parser_yacc.y:602
 msgid ""
 "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', 'c', or 'u'"
 msgstr ""
 
-#: parser_yacc.y:549 parser_yacc.y:587
+#: parser_yacc.y:549 parser_yacc.y:587 parser_yacc.y:633
 msgid "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'"
 msgstr ""
 
-#: parser_yacc.y:574 parser_yacc.y:612 parser_yacc.y:614
+#: parser_yacc.y:574 parser_yacc.y:612 parser_yacc.y:614 parser_yacc.y:660
 msgid "Assert: `network_rule' return invalid protocol."
 msgstr ""
 
-#: parser_yacc.y:649 parser_yacc.y:696
+#: parser_yacc.y:649 parser_yacc.y:696 parser_yacc.y:786
 msgid "Assert: `change_profile' returned NULL."
 msgstr ""
 
-#: parser_yacc.y:680 parser_yacc.y:720
+#: parser_yacc.y:680 parser_yacc.y:720 parser_yacc.y:810
 msgid "Assert: 'hat rule' returned NULL."
 msgstr ""
 
-#: parser_yacc.y:689 parser_yacc.y:729
+#: parser_yacc.y:689 parser_yacc.y:729 parser_yacc.y:819
 msgid "Assert: 'local_profile rule' returned NULL."
 msgstr ""
 
-#: parser_yacc.y:824 parser_yacc.y:885
+#: parser_yacc.y:824 parser_yacc.y:885 parser_yacc.y:992
 #, c-format
 msgid "Unset boolean variable %s used in if-expression"
 msgstr ""
 
-#: parser_yacc.y:882 parser_yacc.y:986
+#: parser_yacc.y:882 parser_yacc.y:986 parser_yacc.y:1092
 msgid "unsafe rule missing exec permissions"
 msgstr ""
 
-#: parser_yacc.y:901 parser_yacc.y:954
+#: parser_yacc.y:901 parser_yacc.y:954 parser_yacc.y:1060
 msgid "subset can only be used with link rules."
 msgstr ""
 
-#: parser_yacc.y:903 parser_yacc.y:956
+#: parser_yacc.y:903 parser_yacc.y:956 parser_yacc.y:1062
 msgid "link and exec perms conflict on a file rule using ->"
 msgstr ""
 
-#: parser_yacc.y:905 parser_yacc.y:958
+#: parser_yacc.y:905 parser_yacc.y:958 parser_yacc.y:1064
 msgid "link perms are not allowed on a named profile transition.\n"
 msgstr ""
 
-#: parser_yacc.y:921 parser_yacc.y:1003
+#: parser_yacc.y:921 parser_yacc.y:1003 parser_yacc.y:1109
 #, c-format
 msgid "missing an end of line character? (entry: %s)"
 msgstr ""
 
 #: parser_yacc.y:975 parser_yacc.y:985 parser_yacc.y:1057 parser_yacc.y:1067
+#: parser_yacc.y:1145 parser_yacc.y:1155
 msgid "Invalid network entry."
 msgstr ""
 
-#: parser_yacc.y:1039 parser_yacc.y:1048 parser_yacc.y:1254
+#: parser_yacc.y:1039 parser_yacc.y:1048 parser_yacc.y:1254 parser_yacc.y:1510
 #, c-format
 msgid "Invalid capability %s."
 msgstr ""
 
-#: parser_yacc.y:1066 parser_yacc.y:1269
+#: parser_yacc.y:1066 parser_yacc.y:1269 parser_yacc.y:1525
 #, c-format
 msgid "AppArmor parser error for %s%s%s at line %d: %s\n"
 msgstr ""
 
-#: parser_yacc.y:1072 parser_yacc.y:1275
+#: parser_yacc.y:1072 parser_yacc.y:1275 parser_yacc.y:1531
 #, c-format
 msgid "AppArmor parser error,%s%s line %d: %s\n"
 msgstr ""
@@ -470,18 +494,18 @@ msgstr ""
 msgid "%s: Illegal open {, nesting groupings not allowed\n"
 msgstr ""
 
-#: ../parser_regex.c:265 ../parser_regex.c:274
+#: ../parser_regex.c:265 ../parser_regex.c:274 ../parser_regex.c:278
 #, c-format
 msgid "%s: Regex grouping error: Invalid number of items between {}\n"
 msgstr ""
 
-#: ../parser_regex.c:271 ../parser_regex.c:280
+#: ../parser_regex.c:271 ../parser_regex.c:280 ../parser_regex.c:284
 #, c-format
 msgid ""
 "%s: Regex grouping error: Invalid close }, no matching open { detected\n"
 msgstr ""
 
-#: ../parser_regex.c:337 ../parser_regex.c:343
+#: ../parser_regex.c:337 ../parser_regex.c:343 ../parser_regex.c:361
 #, c-format
 msgid ""
 "%s: Regex grouping error: Unclosed grouping or character class, expecting "
@@ -493,17 +517,17 @@ msgstr ""
 msgid "%s: Internal buffer overflow detected, %d characters exceeded\n"
 msgstr ""
 
-#: ../parser_regex.c:355 ../parser_regex.c:361
+#: ../parser_regex.c:355 ../parser_regex.c:361 ../parser_regex.c:377
 #, c-format
 msgid "%s: Unable to parse input line '%s'\n"
 msgstr ""
 
-#: ../parser_regex.c:397 ../parser_regex.c:405
+#: ../parser_regex.c:397 ../parser_regex.c:405 ../parser_regex.c:421
 #, c-format
 msgid "%s: Invalid profile name '%s' - bad regular expression\n"
 msgstr ""
 
-#: ../parser_policy.c:202 ../parser_policy.c:402
+#: ../parser_policy.c:202 ../parser_policy.c:402 ../parser_policy.c:375
 #, c-format
 msgid "ERROR merging rules for profile %s, failed to load\n"
 msgstr ""
@@ -516,17 +540,17 @@ msgid ""
 "\t'**' may only be used at the end of a rule.\n"
 msgstr ""
 
-#: ../parser_policy.c:279 ../parser_policy.c:359
+#: ../parser_policy.c:279 ../parser_policy.c:359 ../parser_policy.c:332
 #, c-format
 msgid "ERROR processing regexs for profile %s, failed to load\n"
 msgstr ""
 
-#: ../parser_policy.c:306 ../parser_policy.c:389
+#: ../parser_policy.c:306 ../parser_policy.c:389 ../parser_policy.c:362
 #, c-format
 msgid "ERROR expanding variables for profile %s, failed to load\n"
 msgstr ""
 
-#: ../parser_policy.c:390 ../parser_policy.c:382
+#: ../parser_policy.c:390 ../parser_policy.c:382 ../parser_policy.c:355
 #, c-format
 msgid "ERROR adding hat access rule for profile %s\n"
 msgstr ""
@@ -556,30 +580,31 @@ msgstr ""
 msgid "%s: Errors found in combining rules postprocessing. Aborting.\n"
 msgstr ""
 
-#: parser_lex.l:180
+#: parser_lex.l:180 parser_lex.l:186
 #, c-format
 msgid "Could not process include directory '%s' in '%s'"
 msgstr ""
 
-#: ../parser_main.c:660
+#: ../parser_main.c:660 ../parser_main.c:523
 msgid "Feature buffer full."
 msgstr ""
 
-#: ../parser_main.c:1115 ../parser_main.c:1132
+#: ../parser_main.c:1115 ../parser_main.c:1132 ../parser_main.c:1024
+#: ../parser_main.c:1041
 msgid "Out of memory"
 msgstr ""
 
-#: ../parser_main.c:1182
+#: ../parser_main.c:1182 ../parser_main.c:1091
 #, c-format
 msgid "Can't create cache directory: %s\n"
 msgstr ""
 
-#: ../parser_main.c:1185
+#: ../parser_main.c:1185 ../parser_main.c:1094
 #, c-format
 msgid "File in cache directory location: %s\n"
 msgstr ""
 
-#: ../parser_main.c:1188
+#: ../parser_main.c:1188 ../parser_main.c:1097
 #, c-format
 msgid "Can't update cache directory: %s\n"
 msgstr ""
@@ -594,11 +619,11 @@ msgstr ""
 msgid "Internal error generated invalid DBus perm 0x%x\n"
 msgstr ""
 
-#: parser_yacc.y:575
+#: parser_yacc.y:575 parser_yacc.y:621
 msgid "deny prefix not allowed"
 msgstr ""
 
-#: parser_yacc.y:612
+#: parser_yacc.y:612 parser_yacc.y:658
 msgid "owner prefix not allowed"
 msgstr ""
 
@@ -614,41 +639,41 @@ msgstr ""
 msgid "owner prefix not allow on capability rules"
 msgstr ""
 
-#: parser_yacc.y:1357
+#: parser_yacc.y:1357 parser_yacc.y:1613
 #, c-format
 msgid "invalid mount conditional %s%s"
 msgstr ""
 
-#: parser_yacc.y:1374
+#: parser_yacc.y:1374 parser_yacc.y:1628
 msgid "bad mount rule"
 msgstr ""
 
-#: parser_yacc.y:1381
+#: parser_yacc.y:1381 parser_yacc.y:1635
 msgid "mount point conditions not currently supported"
 msgstr ""
 
-#: parser_yacc.y:1398
+#: parser_yacc.y:1398 parser_yacc.y:1650
 #, c-format
 msgid "invalid pivotroot conditional '%s'"
 msgstr ""
 
-#: ../parser_regex.c:241
+#: ../parser_regex.c:241 ../parser_regex.c:236
 #, c-format
 msgid ""
 "%s: Regex grouping error: Invalid close ], no matching open [ detected\n"
 msgstr ""
 
-#: ../parser_regex.c:257
+#: ../parser_regex.c:257 ../parser_regex.c:256
 #, c-format
 msgid "%s: Regex grouping error: Exceeded maximum nesting of {}\n"
 msgstr ""
 
-#: ../parser_policy.c:366
+#: ../parser_policy.c:366 ../parser_policy.c:339
 #, c-format
 msgid "ERROR processing policydb rules for profile %s, failed to load\n"
 msgstr ""
 
-#: ../parser_policy.c:396
+#: ../parser_policy.c:396 ../parser_policy.c:369
 #, c-format
 msgid "ERROR replacing aliases for profile %s, failed to load\n"
 msgstr ""

parser/po/ca.po

@@ -14,15 +14,15 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2016-06-01 05:14+0000\n"
-"X-Generator: Launchpad (build 18053)\n"
+"X-Launchpad-Export-Date: 2019-04-18 05:32+0000\n"
+"X-Generator: Launchpad (build 18928)\n"
 "Language: ca\n"
 
-#: ../parser_include.c:113
+#: ../parser_include.c:113 ../parser_include.c:111
 msgid "Error: Out of memory.\n"
 msgstr ""
 
-#: ../parser_include.c:123
+#: ../parser_include.c:123 ../parser_include.c:121
 #, c-format
 msgid "Error: basedir %s is not a directory, skipping.\n"
 msgstr ""
@@ -32,97 +32,106 @@ msgstr ""
 msgid "Error: Could not add directory %s to search path.\n"
 msgstr ""
 
-#: ../parser_include.c:147
+#: ../parser_include.c:147 ../parser_include.c:151
 msgid "Error: Could not allocate memory.\n"
 msgstr ""
 
-#: ../parser_interface.c:69 ../parser_interface.c:72
+#: ../parser_interface.c:69 ../parser_interface.c:72 ../parser_interface.c:49
 msgid "Bad write position\n"
 msgstr "Posició d'escriptura incorrecta\n"
 
-#: ../parser_interface.c:72 ../parser_interface.c:75
+#: ../parser_interface.c:72 ../parser_interface.c:75 ../parser_interface.c:52
 msgid "Permission denied\n"
 msgstr "Permís denegat\n"
 
-#: ../parser_interface.c:75 ../parser_interface.c:78
+#: ../parser_interface.c:75 ../parser_interface.c:78 ../parser_interface.c:55
 msgid "Out of memory\n"
 msgstr "Sense memòria\n"
 
-#: ../parser_interface.c:78 ../parser_interface.c:81
+#: ../parser_interface.c:78 ../parser_interface.c:81 ../parser_interface.c:58
 msgid "Couldn't copy profile: Bad memory address\n"
 msgstr ""
 
-#: ../parser_interface.c:81 ../parser_interface.c:84
+#: ../parser_interface.c:81 ../parser_interface.c:84 ../parser_interface.c:61
 msgid "Profile doesn't conform to protocol\n"
 msgstr "El perfil no és compatible amb el protocol\n"
 
-#: ../parser_interface.c:84 ../parser_interface.c:87
+#: ../parser_interface.c:84 ../parser_interface.c:87 ../parser_interface.c:64
 msgid "Profile does not match signature\n"
 msgstr "El perfil no coincideix amb la signatura\n"
 
-#: ../parser_interface.c:87 ../parser_interface.c:90
+#: ../parser_interface.c:87 ../parser_interface.c:90 ../parser_interface.c:67
 msgid "Profile version not supported by Apparmor module\n"
 msgstr ""
 
-#: ../parser_interface.c:90 ../parser_interface.c:93
+#: ../parser_interface.c:90 ../parser_interface.c:93 ../parser_interface.c:70
 msgid "Profile already exists\n"
 msgstr "El perfil ja existeix\n"
 
-#: ../parser_interface.c:93 ../parser_interface.c:96
+#: ../parser_interface.c:93 ../parser_interface.c:96 ../parser_interface.c:73
 msgid "Profile doesn't exist\n"
 msgstr "El perfil no existeix\n"
 
-#: ../parser_interface.c:96 ../parser_interface.c:99
+#: ../parser_interface.c:96 ../parser_interface.c:99 ../parser_interface.c:76
 msgid "Permission denied; attempted to load a profile while confined?\n"
 msgstr ""
 
-#: ../parser_interface.c:99 ../parser_interface.c:102
+#: ../parser_interface.c:99 ../parser_interface.c:102 ../parser_interface.c:79
 #, c-format
 msgid "Unknown error (%d): %s\n"
 msgstr ""
 
 #: ../parser_interface.c:116 ../parser_interface.c:119
+#: ../parser_interface.c:96
 #, c-format
 msgid "%s: Unable to add \"%s\".  "
 msgstr "%s: no es pot afegir \"%s\".  "
 
 #: ../parser_interface.c:121 ../parser_interface.c:124
+#: ../parser_interface.c:101
 #, c-format
 msgid "%s: Unable to replace \"%s\".  "
 msgstr "%s: no es pot reemplaçar \"%s\".  "
 
 #: ../parser_interface.c:126 ../parser_interface.c:129
+#: ../parser_interface.c:106
 #, c-format
 msgid "%s: Unable to remove \"%s\".  "
 msgstr "%s: no es pot eliminar \"%s\".  "
 
 #: ../parser_interface.c:131 ../parser_interface.c:134
+#: ../parser_interface.c:111
 #, c-format
 msgid "%s: Unable to write to stdout\n"
 msgstr "%s: no es pot escriure a l'stdout\n"
 
 #: ../parser_interface.c:135 ../parser_interface.c:138
+#: ../parser_interface.c:115
 #, c-format
 msgid "%s: Unable to write to output file\n"
 msgstr ""
 
 #: ../parser_interface.c:138 ../parser_interface.c:162
 #: ../parser_interface.c:141 ../parser_interface.c:165
+#: ../parser_interface.c:118 ../parser_interface.c:142
 #, c-format
 msgid "%s: ASSERT: Invalid option: %d\n"
 msgstr "%s: confirmació: l'opció no vàlida: %d\n"
 
 #: ../parser_interface.c:147 ../parser_interface.c:150
+#: ../parser_interface.c:127
 #, c-format
 msgid "Addition succeeded for \"%s\".\n"
 msgstr "\"%s\" s'ha afegit correctament.\n"
 
 #: ../parser_interface.c:151 ../parser_interface.c:154
+#: ../parser_interface.c:131
 #, c-format
 msgid "Replacement succeeded for \"%s\".\n"
 msgstr "\"%s\" s'ha reemplaçat correctament.\n"
 
 #: ../parser_interface.c:155 ../parser_interface.c:158
+#: ../parser_interface.c:135
 #, c-format
 msgid "Removal succeeded for \"%s\".\n"
 msgstr "\"%s\" s'ha eliminat correctament.\n"
@@ -135,6 +144,7 @@ msgstr ""
 "mida %d res. %p\n"
 
 #: ../parser_interface.c:656 ../parser_interface.c:658
+#: ../parser_interface.c:446
 #, c-format
 msgid "profile %s network rules not enforced\n"
 msgstr ""
@@ -145,16 +155,19 @@ msgstr ""
 
 #: ../parser_interface.c:750 ../parser_interface.c:902
 #: ../parser_interface.c:743 ../parser_interface.c:894
+#: ../parser_interface.c:518 ../parser_interface.c:669
 #, c-format
 msgid "Unable to open %s - %s\n"
 msgstr "No es pot obrir %s - %s\n"
 
 #: ../parser_interface.c:776 ../parser_interface.c:768
+#: ../parser_interface.c:543
 #, c-format
 msgid "Memory Allocation Error: Unable to remove ^%s\n"
 msgstr ""
 
 #: ../parser_interface.c:789 ../parser_interface.c:781
+#: ../parser_interface.c:556
 #, c-format
 msgid "Memory Allocation Error: Unable to remove %s:%s."
 msgstr ""
@@ -170,21 +183,23 @@ msgstr "no es pot serialitzar el perfil %s\n"
 
 #: ../parser_interface.c:829 ../parser_interface.c:916
 #: ../parser_interface.c:821 ../parser_interface.c:908
+#: ../parser_interface.c:582
 #, c-format
 msgid "%s: Unable to write entire profile entry\n"
 msgstr "%s: no es pot escriure tota l'entrada del perfil\n"
 
 #: ../parser_interface.c:839 ../parser_interface.c:831
+#: ../parser_interface.c:593
 #, c-format
 msgid "%s: Unable to write entire profile entry to cache\n"
 msgstr ""
 
-#: parser_lex.l:100 parser_lex.l:163
+#: parser_lex.l:100 parser_lex.l:163 parser_lex.l:169
 #, c-format
 msgid "Could not open '%s'"
 msgstr ""
 
-#: parser_lex.l:104 parser_lex.l:167
+#: parser_lex.l:104 parser_lex.l:167 parser_lex.l:173
 #, c-format
 msgid "fstat failed for '%s'"
 msgstr ""
@@ -199,18 +214,18 @@ msgstr ""
 msgid "stat failed for '%s'"
 msgstr ""
 
-#: parser_lex.l:155 parser_lex.l:133
+#: parser_lex.l:155 parser_lex.l:133 parser_lex.l:139
 #, c-format
 msgid "Could not open '%s' in '%s'"
 msgstr ""
 
 #: parser_lex.l:284 parser_lex.l:322 parser_lex.l:362 parser_lex.l:399
-#: parser_lex.l:469 parser_lex.l:655 parser_lex.l:586
+#: parser_lex.l:469 parser_lex.l:655 parser_lex.l:586 parser_lex.l:638
 #, c-format
 msgid "Found unexpected character: '%s'"
 msgstr "S'ha trobat un caràcter inesperat: '%s'"
 
-#: parser_lex.l:386 parser_lex.l:418
+#: parser_lex.l:386 parser_lex.l:418 parser_lex.l:428
 msgid "Variable declarations do not accept trailing commas"
 msgstr ""
 
@@ -219,7 +234,7 @@ msgstr ""
 msgid "(network_mode) Found unexpected character: '%s'"
 msgstr ""
 
-#: ../parser_main.c:333 ../parser_common.c:61
+#: ../parser_main.c:333 ../parser_common.c:61 ../parser_common.c:106
 #, c-format
 msgid "Warning from %s (%s%sline %d): %s"
 msgstr ""
@@ -231,21 +246,21 @@ msgstr ""
 "%s: no s'ha pogut assignar memòria per al punt de muntatge de la base de "
 "subdomini\n"
 
-#: ../parser_main.c:577 ../parser_main.c:616
+#: ../parser_main.c:577 ../parser_main.c:616 ../parser_main.c:479
 #, c-format
 msgid ""
 "Warning: unable to find a suitable fs in %s, is it mounted?\n"
 "Use --subdomainfs to override.\n"
 msgstr ""
 
-#: ../parser_main.c:597 ../parser_main.c:635
+#: ../parser_main.c:597 ../parser_main.c:635 ../parser_main.c:498
 #, c-format
 msgid ""
 "%s: Sorry. You need root privileges to run this program.\n"
 "\n"
 msgstr ""
 
-#: ../parser_main.c:604 ../parser_main.c:642
+#: ../parser_main.c:604 ../parser_main.c:642 ../parser_main.c:505
 #, c-format
 msgid ""
 "%s: Warning! You've set this program setuid root.\n"
@@ -254,7 +269,7 @@ msgid ""
 msgstr ""
 
 #: ../parser_main.c:704 ../parser_main.c:813 ../parser_main.c:836
-#: ../parser_main.c:946
+#: ../parser_main.c:946 ../parser_main.c:860
 #, c-format
 msgid "Error: Could not read profile %s: %s.\n"
 msgstr ""
@@ -270,42 +285,49 @@ msgstr ""
 #: parser_yacc.y:1042 parser_yacc.y:1078 parser_yacc.y:1082 parser_yacc.y:1092
 #: parser_yacc.y:1102 parser_yacc.y:1201 parser_yacc.y:1223 parser_yacc.y:1234
 #: parser_yacc.y:1309 parser_yacc.y:1327 parser_yacc.y:1334 parser_yacc.y:1385
+#: ../parser_main.c:735 ../parser_main.c:923 ../parser_main.c:1133
+#: ../parser_main.c:1187 parser_yacc.y:311 parser_yacc.y:462 parser_yacc.y:472
+#: parser_yacc.y:583 parser_yacc.y:662 parser_yacc.y:669 parser_yacc.y:1130
+#: parser_yacc.y:1166 parser_yacc.y:1170 parser_yacc.y:1180 parser_yacc.y:1190
+#: parser_yacc.y:1298 parser_yacc.y:1376 parser_yacc.y:1479 parser_yacc.y:1490
+#: parser_yacc.y:1565 parser_yacc.y:1583 parser_yacc.y:1590 parser_yacc.y:1639
+#: ../network.c:314 ../af_unix.cc:203
 msgid "Memory allocation error."
 msgstr "S'ha produït un error d'assignació de memòria."
 
-#: ../parser_main.c:740 ../parser_main.c:872
+#: ../parser_main.c:740 ../parser_main.c:872 ../parser_main.c:757
 #, c-format
 msgid "Cached load succeeded for \"%s\".\n"
 msgstr ""
 
-#: ../parser_main.c:744 ../parser_main.c:876
+#: ../parser_main.c:744 ../parser_main.c:876 ../parser_main.c:761
 #, c-format
 msgid "Cached reload succeeded for \"%s\".\n"
 msgstr ""
 
-#: ../parser_main.c:910 ../parser_main.c:1058
+#: ../parser_main.c:910 ../parser_main.c:1058 ../parser_main.c:967
 #, c-format
 msgid "%s: Errors found in file. Aborting.\n"
 msgstr "%s: s'han detectat errors al fitxer. S'avortarà l'operació.\n"
 
-#: ../parser_misc.c:426 ../parser_misc.c:597
+#: ../parser_misc.c:426 ../parser_misc.c:597 ../parser_misc.c:339
 msgid ""
 "Uppercase qualifiers \"RWLIMX\" are deprecated, please convert to lowercase\n"
 "See the apparmor.d(5) manpage for details.\n"
 msgstr ""
 
 #: ../parser_misc.c:467 ../parser_misc.c:474 ../parser_misc.c:638
-#: ../parser_misc.c:645
+#: ../parser_misc.c:645 ../parser_misc.c:380 ../parser_misc.c:387
 msgid "Conflict 'a' and 'w' perms are mutually exclusive."
 msgstr ""
 
-#: ../parser_misc.c:491 ../parser_misc.c:662
+#: ../parser_misc.c:491 ../parser_misc.c:662 ../parser_misc.c:404
 msgid "Exec qualifier 'i' invalid, conflicting qualifier already specified"
 msgstr ""
 "El qualificador d'execució 'i' no és vàlid; entra en conflicte amb un "
 "qualificador ja especificat"
 
-#: ../parser_misc.c:502 ../parser_misc.c:673
+#: ../parser_misc.c:502 ../parser_misc.c:673 ../parser_misc.c:415
 #, c-format
 msgid ""
 "Unconfined exec qualifier (%c%c) allows some dangerous environment variables "
@@ -313,24 +335,24 @@ msgid ""
 msgstr ""
 
 #: ../parser_misc.c:510 ../parser_misc.c:551 ../parser_misc.c:681
-#: ../parser_misc.c:722
+#: ../parser_misc.c:722 ../parser_misc.c:423 ../parser_misc.c:464
 #, c-format
 msgid "Exec qualifier '%c' invalid, conflicting qualifier already specified"
 msgstr ""
 
 #: ../parser_misc.c:537 ../parser_misc.c:545 ../parser_misc.c:708
-#: ../parser_misc.c:716
+#: ../parser_misc.c:716 ../parser_misc.c:450 ../parser_misc.c:458
 #, c-format
 msgid ""
 "Exec qualifier '%c%c' invalid, conflicting qualifier already specified"
 msgstr ""
 
-#: ../parser_misc.c:593 ../parser_misc.c:764
+#: ../parser_misc.c:593 ../parser_misc.c:764 ../parser_misc.c:506
 #, c-format
 msgid "Internal: unexpected mode character '%c' in input"
 msgstr ""
 
-#: ../parser_misc.c:615 ../parser_misc.c:786
+#: ../parser_misc.c:615 ../parser_misc.c:786 ../parser_misc.c:528
 #, c-format
 msgid "Internal error generated invalid perm 0x%llx\n"
 msgstr ""
@@ -341,131 +363,133 @@ msgstr ""
 msgid "AppArmor parser error: %s\n"
 msgstr ""
 
-#: ../parser_merge.c:92 ../parser_merge.c:91
+#: ../parser_merge.c:92 ../parser_merge.c:91 ../parser_merge.c:83
 msgid "Couldn't merge entries. Out of Memory\n"
 msgstr "No s'han pogut fusionar les entrades. Sense memòria\n"
 
-#: ../parser_merge.c:111 ../parser_merge.c:113
+#: ../parser_merge.c:111 ../parser_merge.c:113 ../parser_merge.c:105
 #, c-format
 msgid "profile %s: has merged rule %s with conflicting x modifiers\n"
 msgstr ""
 
-#: parser_yacc.y:236 parser_yacc.y:277
+#: parser_yacc.y:236 parser_yacc.y:277 parser_yacc.y:320
 msgid "Profile attachment must begin with a '/'."
 msgstr ""
 
-#: parser_yacc.y:260 parser_yacc.y:302
+#: parser_yacc.y:260 parser_yacc.y:302 parser_yacc.y:348
 msgid ""
 "Profile names must begin with a '/', namespace or keyword 'profile' or 'hat'."
 msgstr ""
 
-#: parser_yacc.y:296 parser_yacc.y:338
+#: parser_yacc.y:296 parser_yacc.y:338 parser_yacc.y:384
 #, c-format
 msgid "Failed to create alias %s -> %s\n"
 msgstr ""
 
-#: parser_yacc.y:417 parser_yacc.y:460
+#: parser_yacc.y:417 parser_yacc.y:460 parser_yacc.y:506
 msgid "Profile flag chroot_relative conflicts with namespace_relative"
 msgstr ""
 
-#: parser_yacc.y:421 parser_yacc.y:464
+#: parser_yacc.y:421 parser_yacc.y:464 parser_yacc.y:510
 msgid "Profile flag mediate_deleted conflicts with delegate_deleted"
 msgstr ""
 
-#: parser_yacc.y:424 parser_yacc.y:467
+#: parser_yacc.y:424 parser_yacc.y:467 parser_yacc.y:513
 msgid ""
 "Profile flag attach_disconnected conflicts with no_attach_disconnected"
 msgstr ""
 
-#: parser_yacc.y:427 parser_yacc.y:470
+#: parser_yacc.y:427 parser_yacc.y:470 parser_yacc.y:516
 msgid "Profile flag chroot_attach conflicts with chroot_no_attach"
 msgstr ""
 
-#: parser_yacc.y:441 parser_yacc.y:484
+#: parser_yacc.y:441 parser_yacc.y:484 parser_yacc.y:530
 msgid "Profile flag 'debug' is no longer valid."
 msgstr ""
 
-#: parser_yacc.y:463 parser_yacc.y:506
+#: parser_yacc.y:463 parser_yacc.y:506 parser_yacc.y:552
 #, c-format
 msgid "Invalid profile flag: %s."
 msgstr ""
 
-#: parser_yacc.y:498 parser_yacc.y:520 parser_yacc.y:548
+#: parser_yacc.y:498 parser_yacc.y:520 parser_yacc.y:548 parser_yacc.y:594
 msgid "Assert: `rule' returned NULL."
 msgstr "Confirmació: `rule' ha retornat NULL."
 
 #: parser_yacc.y:501 parser_yacc.y:546 parser_yacc.y:552 parser_yacc.y:584
+#: parser_yacc.y:598 parser_yacc.y:630
 msgid ""
 "Invalid mode, in deny rules 'x' must not be preceded by exec qualifier 'i', "
 "'p', or 'u'"
 msgstr ""
 
-#: parser_yacc.y:524 parser_yacc.y:556
+#: parser_yacc.y:524 parser_yacc.y:556 parser_yacc.y:602
 msgid ""
 "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', 'c', or 'u'"
 msgstr ""
 
-#: parser_yacc.y:549 parser_yacc.y:587
+#: parser_yacc.y:549 parser_yacc.y:587 parser_yacc.y:633
 msgid "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'"
 msgstr ""
 
-#: parser_yacc.y:574 parser_yacc.y:612 parser_yacc.y:614
+#: parser_yacc.y:574 parser_yacc.y:612 parser_yacc.y:614 parser_yacc.y:660
 msgid "Assert: `network_rule' return invalid protocol."
 msgstr ""
 
-#: parser_yacc.y:649 parser_yacc.y:696
+#: parser_yacc.y:649 parser_yacc.y:696 parser_yacc.y:786
 msgid "Assert: `change_profile' returned NULL."
 msgstr ""
 
-#: parser_yacc.y:680 parser_yacc.y:720
+#: parser_yacc.y:680 parser_yacc.y:720 parser_yacc.y:810
 msgid "Assert: 'hat rule' returned NULL."
 msgstr "Confirmació: 'hat rule' ha retornat NULL."
 
-#: parser_yacc.y:689 parser_yacc.y:729
+#: parser_yacc.y:689 parser_yacc.y:729 parser_yacc.y:819
 msgid "Assert: 'local_profile rule' returned NULL."
 msgstr ""
 
-#: parser_yacc.y:824 parser_yacc.y:885
+#: parser_yacc.y:824 parser_yacc.y:885 parser_yacc.y:992
 #, c-format
 msgid "Unset boolean variable %s used in if-expression"
 msgstr ""
 
-#: parser_yacc.y:882 parser_yacc.y:986
+#: parser_yacc.y:882 parser_yacc.y:986 parser_yacc.y:1092
 msgid "unsafe rule missing exec permissions"
 msgstr ""
 
-#: parser_yacc.y:901 parser_yacc.y:954
+#: parser_yacc.y:901 parser_yacc.y:954 parser_yacc.y:1060
 msgid "subset can only be used with link rules."
 msgstr ""
 
-#: parser_yacc.y:903 parser_yacc.y:956
+#: parser_yacc.y:903 parser_yacc.y:956 parser_yacc.y:1062
 msgid "link and exec perms conflict on a file rule using ->"
 msgstr ""
 
-#: parser_yacc.y:905 parser_yacc.y:958
+#: parser_yacc.y:905 parser_yacc.y:958 parser_yacc.y:1064
 msgid "link perms are not allowed on a named profile transition.\n"
 msgstr ""
 
-#: parser_yacc.y:921 parser_yacc.y:1003
+#: parser_yacc.y:921 parser_yacc.y:1003 parser_yacc.y:1109
 #, c-format
 msgid "missing an end of line character? (entry: %s)"
 msgstr "falta un caràcter de final de línia? (entrada: %s)"
 
 #: parser_yacc.y:975 parser_yacc.y:985 parser_yacc.y:1057 parser_yacc.y:1067
+#: parser_yacc.y:1145 parser_yacc.y:1155
 msgid "Invalid network entry."
 msgstr ""
 
-#: parser_yacc.y:1039 parser_yacc.y:1048 parser_yacc.y:1254
+#: parser_yacc.y:1039 parser_yacc.y:1048 parser_yacc.y:1254 parser_yacc.y:1510
 #, c-format
 msgid "Invalid capability %s."
 msgstr ""
 
-#: parser_yacc.y:1066 parser_yacc.y:1269
+#: parser_yacc.y:1066 parser_yacc.y:1269 parser_yacc.y:1525
 #, c-format
 msgid "AppArmor parser error for %s%s%s at line %d: %s\n"
 msgstr ""
 
-#: parser_yacc.y:1072 parser_yacc.y:1275
+#: parser_yacc.y:1072 parser_yacc.y:1275 parser_yacc.y:1531
 #, c-format
 msgid "AppArmor parser error,%s%s line %d: %s\n"
 msgstr ""
@@ -476,14 +500,14 @@ msgid "%s: Illegal open {, nesting groupings not allowed\n"
 msgstr ""
 "%s: l'obertura { no és vàlida, no es permet la imbricació d'agrupaments\n"
 
-#: ../parser_regex.c:265 ../parser_regex.c:274
+#: ../parser_regex.c:265 ../parser_regex.c:274 ../parser_regex.c:278
 #, c-format
 msgid "%s: Regex grouping error: Invalid number of items between {}\n"
 msgstr ""
 "%s: s'ha produït un error d'agrupament d'expressions regulars: el nombre "
 "d'elements entre {} no és vàlid\n"
 
-#: ../parser_regex.c:271 ../parser_regex.c:280
+#: ../parser_regex.c:271 ../parser_regex.c:280 ../parser_regex.c:284
 #, c-format
 msgid ""
 "%s: Regex grouping error: Invalid close }, no matching open { detected\n"
@@ -491,7 +515,7 @@ msgstr ""
 "%s: s'ha produït un error d'agrupament d'expressions regulars: el tancament "
 "} no és vàlid; no s'ha detectat cap obertura { coincident\n"
 
-#: ../parser_regex.c:337 ../parser_regex.c:343
+#: ../parser_regex.c:337 ../parser_regex.c:343 ../parser_regex.c:361
 #, c-format
 msgid ""
 "%s: Regex grouping error: Unclosed grouping or character class, expecting "
@@ -505,17 +529,17 @@ msgstr ""
 "%s: s'ha detectat un desbordament de la memòria intermèdia interna, s'han "
 "excedit %d caràcters\n"
 
-#: ../parser_regex.c:355 ../parser_regex.c:361
+#: ../parser_regex.c:355 ../parser_regex.c:361 ../parser_regex.c:377
 #, c-format
 msgid "%s: Unable to parse input line '%s'\n"
 msgstr "%s: no es pot analitzar la línia d'entrada '%s'\n"
 
-#: ../parser_regex.c:397 ../parser_regex.c:405
+#: ../parser_regex.c:397 ../parser_regex.c:405 ../parser_regex.c:421
 #, c-format
 msgid "%s: Invalid profile name '%s' - bad regular expression\n"
 msgstr ""
 
-#: ../parser_policy.c:202 ../parser_policy.c:402
+#: ../parser_policy.c:202 ../parser_policy.c:402 ../parser_policy.c:375
 #, c-format
 msgid "ERROR merging rules for profile %s, failed to load\n"
 msgstr ""
@@ -528,17 +552,17 @@ msgid ""
 "\t'**' may only be used at the end of a rule.\n"
 msgstr ""
 
-#: ../parser_policy.c:279 ../parser_policy.c:359
+#: ../parser_policy.c:279 ../parser_policy.c:359 ../parser_policy.c:332
 #, c-format
 msgid "ERROR processing regexs for profile %s, failed to load\n"
 msgstr ""
 
-#: ../parser_policy.c:306 ../parser_policy.c:389
+#: ../parser_policy.c:306 ../parser_policy.c:389 ../parser_policy.c:362
 #, c-format
 msgid "ERROR expanding variables for profile %s, failed to load\n"
 msgstr ""
 
-#: ../parser_policy.c:390 ../parser_policy.c:382
+#: ../parser_policy.c:390 ../parser_policy.c:382 ../parser_policy.c:355
 #, c-format
 msgid "ERROR adding hat access rule for profile %s\n"
 msgstr ""
@@ -570,30 +594,31 @@ msgstr ""
 "%s: s'han detectat errors en combinar el postprocessament de regles. "
 "S'avortarà l'operació.\n"
 
-#: parser_lex.l:180
+#: parser_lex.l:180 parser_lex.l:186
 #, c-format
 msgid "Could not process include directory '%s' in '%s'"
 msgstr ""
 
-#: ../parser_main.c:660
+#: ../parser_main.c:660 ../parser_main.c:523
 msgid "Feature buffer full."
 msgstr ""
 
-#: ../parser_main.c:1115 ../parser_main.c:1132
+#: ../parser_main.c:1115 ../parser_main.c:1132 ../parser_main.c:1024
+#: ../parser_main.c:1041
 msgid "Out of memory"
 msgstr ""
 
-#: ../parser_main.c:1182
+#: ../parser_main.c:1182 ../parser_main.c:1091
 #, c-format
 msgid "Can't create cache directory: %s\n"
 msgstr ""
 
-#: ../parser_main.c:1185
+#: ../parser_main.c:1185 ../parser_main.c:1094
 #, c-format
 msgid "File in cache directory location: %s\n"
 msgstr ""
 
-#: ../parser_main.c:1188
+#: ../parser_main.c:1188 ../parser_main.c:1097
 #, c-format
 msgid "Can't update cache directory: %s\n"
 msgstr ""
@@ -608,11 +633,11 @@ msgstr ""
 msgid "Internal error generated invalid DBus perm 0x%x\n"
 msgstr ""
 
-#: parser_yacc.y:575
+#: parser_yacc.y:575 parser_yacc.y:621
 msgid "deny prefix not allowed"
 msgstr ""
 
-#: parser_yacc.y:612
+#: parser_yacc.y:612 parser_yacc.y:658
 msgid "owner prefix not allowed"
 msgstr ""
 
@@ -628,41 +653,41 @@ msgstr ""
 msgid "owner prefix not allow on capability rules"
 msgstr ""
 
-#: parser_yacc.y:1357
+#: parser_yacc.y:1357 parser_yacc.y:1613
 #, c-format
 msgid "invalid mount conditional %s%s"
 msgstr ""
 
-#: parser_yacc.y:1374
+#: parser_yacc.y:1374 parser_yacc.y:1628
 msgid "bad mount rule"
 msgstr ""
 
-#: parser_yacc.y:1381
+#: parser_yacc.y:1381 parser_yacc.y:1635
 msgid "mount point conditions not currently supported"
 msgstr ""
 
-#: parser_yacc.y:1398
+#: parser_yacc.y:1398 parser_yacc.y:1650
 #, c-format
 msgid "invalid pivotroot conditional '%s'"
 msgstr ""
 
-#: ../parser_regex.c:241
+#: ../parser_regex.c:241 ../parser_regex.c:236
 #, c-format
 msgid ""
 "%s: Regex grouping error: Invalid close ], no matching open [ detected\n"
 msgstr ""
 
-#: ../parser_regex.c:257
+#: ../parser_regex.c:257 ../parser_regex.c:256
 #, c-format
 msgid "%s: Regex grouping error: Exceeded maximum nesting of {}\n"
 msgstr ""
 
-#: ../parser_policy.c:366
+#: ../parser_policy.c:366 ../parser_policy.c:339
 #, c-format
 msgid "ERROR processing policydb rules for profile %s, failed to load\n"
 msgstr ""
 
-#: ../parser_policy.c:396
+#: ../parser_policy.c:396 ../parser_policy.c:369
 #, c-format
 msgid "ERROR replacing aliases for profile %s, failed to load\n"
 msgstr ""

parser/po/ce.po

@@ -14,15 +14,15 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2016-06-01 05:14+0000\n"
-"X-Generator: Launchpad (build 18053)\n"
+"X-Launchpad-Export-Date: 2019-04-18 05:32+0000\n"
+"X-Generator: Launchpad (build 18928)\n"
 "Language: ce\n"
 
-#: ../parser_include.c:113
+#: ../parser_include.c:113 ../parser_include.c:111
 msgid "Error: Out of memory.\n"
 msgstr ""
 
-#: ../parser_include.c:123
+#: ../parser_include.c:123 ../parser_include.c:121
 #, c-format
 msgid "Error: basedir %s is not a directory, skipping.\n"
 msgstr ""
@@ -32,97 +32,106 @@ msgstr ""
 msgid "Error: Could not add directory %s to search path.\n"
 msgstr ""
 
-#: ../parser_include.c:147
+#: ../parser_include.c:147 ../parser_include.c:151
 msgid "Error: Could not allocate memory.\n"
 msgstr ""
 
-#: ../parser_interface.c:69 ../parser_interface.c:72
+#: ../parser_interface.c:69 ../parser_interface.c:72 ../parser_interface.c:49
 msgid "Bad write position\n"
 msgstr ""
 
-#: ../parser_interface.c:72 ../parser_interface.c:75
+#: ../parser_interface.c:72 ../parser_interface.c:75 ../parser_interface.c:52
 msgid "Permission denied\n"
 msgstr ""
 
-#: ../parser_interface.c:75 ../parser_interface.c:78
+#: ../parser_interface.c:75 ../parser_interface.c:78 ../parser_interface.c:55
 msgid "Out of memory\n"
 msgstr ""
 
-#: ../parser_interface.c:78 ../parser_interface.c:81
+#: ../parser_interface.c:78 ../parser_interface.c:81 ../parser_interface.c:58
 msgid "Couldn't copy profile: Bad memory address\n"
 msgstr ""
 
-#: ../parser_interface.c:81 ../parser_interface.c:84
+#: ../parser_interface.c:81 ../parser_interface.c:84 ../parser_interface.c:61
 msgid "Profile doesn't conform to protocol\n"
 msgstr ""
 
-#: ../parser_interface.c:84 ../parser_interface.c:87
+#: ../parser_interface.c:84 ../parser_interface.c:87 ../parser_interface.c:64
 msgid "Profile does not match signature\n"
 msgstr ""
 
-#: ../parser_interface.c:87 ../parser_interface.c:90
+#: ../parser_interface.c:87 ../parser_interface.c:90 ../parser_interface.c:67
 msgid "Profile version not supported by Apparmor module\n"
 msgstr ""
 
-#: ../parser_interface.c:90 ../parser_interface.c:93
+#: ../parser_interface.c:90 ../parser_interface.c:93 ../parser_interface.c:70
 msgid "Profile already exists\n"
 msgstr ""
 
-#: ../parser_interface.c:93 ../parser_interface.c:96
+#: ../parser_interface.c:93 ../parser_interface.c:96 ../parser_interface.c:73
 msgid "Profile doesn't exist\n"
 msgstr ""
 
-#: ../parser_interface.c:96 ../parser_interface.c:99
+#: ../parser_interface.c:96 ../parser_interface.c:99 ../parser_interface.c:76
 msgid "Permission denied; attempted to load a profile while confined?\n"
 msgstr ""
 
-#: ../parser_interface.c:99 ../parser_interface.c:102
+#: ../parser_interface.c:99 ../parser_interface.c:102 ../parser_interface.c:79
 #, c-format
 msgid "Unknown error (%d): %s\n"
 msgstr ""
 
 #: ../parser_interface.c:116 ../parser_interface.c:119
+#: ../parser_interface.c:96
 #, c-format
 msgid "%s: Unable to add \"%s\".  "
 msgstr ""
 
 #: ../parser_interface.c:121 ../parser_interface.c:124
+#: ../parser_interface.c:101
 #, c-format
 msgid "%s: Unable to replace \"%s\".  "
 msgstr ""
 
 #: ../parser_interface.c:126 ../parser_interface.c:129
+#: ../parser_interface.c:106
 #, c-format
 msgid "%s: Unable to remove \"%s\".  "
 msgstr ""
 
 #: ../parser_interface.c:131 ../parser_interface.c:134
+#: ../parser_interface.c:111
 #, c-format
 msgid "%s: Unable to write to stdout\n"
 msgstr ""
 
 #: ../parser_interface.c:135 ../parser_interface.c:138
+#: ../parser_interface.c:115
 #, c-format
 msgid "%s: Unable to write to output file\n"
 msgstr ""
 
 #: ../parser_interface.c:138 ../parser_interface.c:162
 #: ../parser_interface.c:141 ../parser_interface.c:165
+#: ../parser_interface.c:118 ../parser_interface.c:142
 #, c-format
 msgid "%s: ASSERT: Invalid option: %d\n"
 msgstr ""
 
 #: ../parser_interface.c:147 ../parser_interface.c:150
+#: ../parser_interface.c:127
 #, c-format
 msgid "Addition succeeded for \"%s\".\n"
 msgstr ""
 
 #: ../parser_interface.c:151 ../parser_interface.c:154
+#: ../parser_interface.c:131
 #, c-format
 msgid "Replacement succeeded for \"%s\".\n"
 msgstr ""
 
 #: ../parser_interface.c:155 ../parser_interface.c:158
+#: ../parser_interface.c:135
 #, c-format
 msgid "Removal succeeded for \"%s\".\n"
 msgstr ""
@@ -133,6 +142,7 @@ msgid "PANIC bad increment buffer %p pos %p ext %p size %d res %p\n"
 msgstr ""
 
 #: ../parser_interface.c:656 ../parser_interface.c:658
+#: ../parser_interface.c:446
 #, c-format
 msgid "profile %s network rules not enforced\n"
 msgstr ""
@@ -143,16 +153,19 @@ msgstr ""
 
 #: ../parser_interface.c:750 ../parser_interface.c:902
 #: ../parser_interface.c:743 ../parser_interface.c:894
+#: ../parser_interface.c:518 ../parser_interface.c:669
 #, c-format
 msgid "Unable to open %s - %s\n"
 msgstr ""
 
 #: ../parser_interface.c:776 ../parser_interface.c:768
+#: ../parser_interface.c:543
 #, c-format
 msgid "Memory Allocation Error: Unable to remove ^%s\n"
 msgstr ""
 
 #: ../parser_interface.c:789 ../parser_interface.c:781
+#: ../parser_interface.c:556
 #, c-format
 msgid "Memory Allocation Error: Unable to remove %s:%s."
 msgstr ""
@@ -168,21 +181,23 @@ msgstr ""
 
 #: ../parser_interface.c:829 ../parser_interface.c:916
 #: ../parser_interface.c:821 ../parser_interface.c:908
+#: ../parser_interface.c:582
 #, c-format
 msgid "%s: Unable to write entire profile entry\n"
 msgstr ""
 
 #: ../parser_interface.c:839 ../parser_interface.c:831
+#: ../parser_interface.c:593
 #, c-format
 msgid "%s: Unable to write entire profile entry to cache\n"
 msgstr ""
 
-#: parser_lex.l:100 parser_lex.l:163
+#: parser_lex.l:100 parser_lex.l:163 parser_lex.l:169
 #, c-format
 msgid "Could not open '%s'"
 msgstr ""
 
-#: parser_lex.l:104 parser_lex.l:167
+#: parser_lex.l:104 parser_lex.l:167 parser_lex.l:173
 #, c-format
 msgid "fstat failed for '%s'"
 msgstr ""
@@ -197,18 +212,18 @@ msgstr ""
 msgid "stat failed for '%s'"
 msgstr ""
 
-#: parser_lex.l:155 parser_lex.l:133
+#: parser_lex.l:155 parser_lex.l:133 parser_lex.l:139
 #, c-format
 msgid "Could not open '%s' in '%s'"
 msgstr ""
 
 #: parser_lex.l:284 parser_lex.l:322 parser_lex.l:362 parser_lex.l:399
-#: parser_lex.l:469 parser_lex.l:655 parser_lex.l:586
+#: parser_lex.l:469 parser_lex.l:655 parser_lex.l:586 parser_lex.l:638
 #, c-format
 msgid "Found unexpected character: '%s'"
 msgstr ""
 
-#: parser_lex.l:386 parser_lex.l:418
+#: parser_lex.l:386 parser_lex.l:418 parser_lex.l:428
 msgid "Variable declarations do not accept trailing commas"
 msgstr ""
 
@@ -217,7 +232,7 @@ msgstr ""
 msgid "(network_mode) Found unexpected character: '%s'"
 msgstr ""
 
-#: ../parser_main.c:333 ../parser_common.c:61
+#: ../parser_main.c:333 ../parser_common.c:61 ../parser_common.c:106
 #, c-format
 msgid "Warning from %s (%s%sline %d): %s"
 msgstr ""
@@ -227,21 +242,21 @@ msgstr ""
 msgid "%s: Could not allocate memory for subdomainbase mount point\n"
 msgstr ""
 
-#: ../parser_main.c:577 ../parser_main.c:616
+#: ../parser_main.c:577 ../parser_main.c:616 ../parser_main.c:479
 #, c-format
 msgid ""
 "Warning: unable to find a suitable fs in %s, is it mounted?\n"
 "Use --subdomainfs to override.\n"
 msgstr ""
 
-#: ../parser_main.c:597 ../parser_main.c:635
+#: ../parser_main.c:597 ../parser_main.c:635 ../parser_main.c:498
 #, c-format
 msgid ""
 "%s: Sorry. You need root privileges to run this program.\n"
 "\n"
 msgstr ""
 
-#: ../parser_main.c:604 ../parser_main.c:642
+#: ../parser_main.c:604 ../parser_main.c:642 ../parser_main.c:505
 #, c-format
 msgid ""
 "%s: Warning! You've set this program setuid root.\n"
@@ -250,7 +265,7 @@ msgid ""
 msgstr ""
 
 #: ../parser_main.c:704 ../parser_main.c:813 ../parser_main.c:836
-#: ../parser_main.c:946
+#: ../parser_main.c:946 ../parser_main.c:860
 #, c-format
 msgid "Error: Could not read profile %s: %s.\n"
 msgstr ""
@@ -266,40 +281,47 @@ msgstr ""
 #: parser_yacc.y:1042 parser_yacc.y:1078 parser_yacc.y:1082 parser_yacc.y:1092
 #: parser_yacc.y:1102 parser_yacc.y:1201 parser_yacc.y:1223 parser_yacc.y:1234
 #: parser_yacc.y:1309 parser_yacc.y:1327 parser_yacc.y:1334 parser_yacc.y:1385
+#: ../parser_main.c:735 ../parser_main.c:923 ../parser_main.c:1133
+#: ../parser_main.c:1187 parser_yacc.y:311 parser_yacc.y:462 parser_yacc.y:472
+#: parser_yacc.y:583 parser_yacc.y:662 parser_yacc.y:669 parser_yacc.y:1130
+#: parser_yacc.y:1166 parser_yacc.y:1170 parser_yacc.y:1180 parser_yacc.y:1190
+#: parser_yacc.y:1298 parser_yacc.y:1376 parser_yacc.y:1479 parser_yacc.y:1490
+#: parser_yacc.y:1565 parser_yacc.y:1583 parser_yacc.y:1590 parser_yacc.y:1639
+#: ../network.c:314 ../af_unix.cc:203
 msgid "Memory allocation error."
 msgstr ""
 
-#: ../parser_main.c:740 ../parser_main.c:872
+#: ../parser_main.c:740 ../parser_main.c:872 ../parser_main.c:757
 #, c-format
 msgid "Cached load succeeded for \"%s\".\n"
 msgstr ""
 
-#: ../parser_main.c:744 ../parser_main.c:876
+#: ../parser_main.c:744 ../parser_main.c:876 ../parser_main.c:761
 #, c-format
 msgid "Cached reload succeeded for \"%s\".\n"
 msgstr ""
 
-#: ../parser_main.c:910 ../parser_main.c:1058
+#: ../parser_main.c:910 ../parser_main.c:1058 ../parser_main.c:967
 #, c-format
 msgid "%s: Errors found in file. Aborting.\n"
 msgstr ""
 
-#: ../parser_misc.c:426 ../parser_misc.c:597
+#: ../parser_misc.c:426 ../parser_misc.c:597 ../parser_misc.c:339
 msgid ""
 "Uppercase qualifiers \"RWLIMX\" are deprecated, please convert to lowercase\n"
 "See the apparmor.d(5) manpage for details.\n"
 msgstr ""
 
 #: ../parser_misc.c:467 ../parser_misc.c:474 ../parser_misc.c:638
-#: ../parser_misc.c:645
+#: ../parser_misc.c:645 ../parser_misc.c:380 ../parser_misc.c:387
 msgid "Conflict 'a' and 'w' perms are mutually exclusive."
 msgstr ""
 
-#: ../parser_misc.c:491 ../parser_misc.c:662
+#: ../parser_misc.c:491 ../parser_misc.c:662 ../parser_misc.c:404
 msgid "Exec qualifier 'i' invalid, conflicting qualifier already specified"
 msgstr ""
 
-#: ../parser_misc.c:502 ../parser_misc.c:673
+#: ../parser_misc.c:502 ../parser_misc.c:673 ../parser_misc.c:415
 #, c-format
 msgid ""
 "Unconfined exec qualifier (%c%c) allows some dangerous environment variables "
@@ -307,24 +329,24 @@ msgid ""
 msgstr ""
 
 #: ../parser_misc.c:510 ../parser_misc.c:551 ../parser_misc.c:681
-#: ../parser_misc.c:722
+#: ../parser_misc.c:722 ../parser_misc.c:423 ../parser_misc.c:464
 #, c-format
 msgid "Exec qualifier '%c' invalid, conflicting qualifier already specified"
 msgstr ""
 
 #: ../parser_misc.c:537 ../parser_misc.c:545 ../parser_misc.c:708
-#: ../parser_misc.c:716
+#: ../parser_misc.c:716 ../parser_misc.c:450 ../parser_misc.c:458
 #, c-format
 msgid ""
 "Exec qualifier '%c%c' invalid, conflicting qualifier already specified"
 msgstr ""
 
-#: ../parser_misc.c:593 ../parser_misc.c:764
+#: ../parser_misc.c:593 ../parser_misc.c:764 ../parser_misc.c:506
 #, c-format
 msgid "Internal: unexpected mode character '%c' in input"
 msgstr ""
 
-#: ../parser_misc.c:615 ../parser_misc.c:786
+#: ../parser_misc.c:615 ../parser_misc.c:786 ../parser_misc.c:528
 #, c-format
 msgid "Internal error generated invalid perm 0x%llx\n"
 msgstr ""
@@ -335,131 +357,133 @@ msgstr ""
 msgid "AppArmor parser error: %s\n"
 msgstr ""
 
-#: ../parser_merge.c:92 ../parser_merge.c:91
+#: ../parser_merge.c:92 ../parser_merge.c:91 ../parser_merge.c:83
 msgid "Couldn't merge entries. Out of Memory\n"
 msgstr ""
 
-#: ../parser_merge.c:111 ../parser_merge.c:113
+#: ../parser_merge.c:111 ../parser_merge.c:113 ../parser_merge.c:105
 #, c-format
 msgid "profile %s: has merged rule %s with conflicting x modifiers\n"
 msgstr ""
 
-#: parser_yacc.y:236 parser_yacc.y:277
+#: parser_yacc.y:236 parser_yacc.y:277 parser_yacc.y:320
 msgid "Profile attachment must begin with a '/'."
 msgstr ""
 
-#: parser_yacc.y:260 parser_yacc.y:302
+#: parser_yacc.y:260 parser_yacc.y:302 parser_yacc.y:348
 msgid ""
 "Profile names must begin with a '/', namespace or keyword 'profile' or 'hat'."
 msgstr ""
 
-#: parser_yacc.y:296 parser_yacc.y:338
+#: parser_yacc.y:296 parser_yacc.y:338 parser_yacc.y:384
 #, c-format
 msgid "Failed to create alias %s -> %s\n"
 msgstr ""
 
-#: parser_yacc.y:417 parser_yacc.y:460
+#: parser_yacc.y:417 parser_yacc.y:460 parser_yacc.y:506
 msgid "Profile flag chroot_relative conflicts with namespace_relative"
 msgstr ""
 
-#: parser_yacc.y:421 parser_yacc.y:464
+#: parser_yacc.y:421 parser_yacc.y:464 parser_yacc.y:510
 msgid "Profile flag mediate_deleted conflicts with delegate_deleted"
 msgstr ""
 
-#: parser_yacc.y:424 parser_yacc.y:467
+#: parser_yacc.y:424 parser_yacc.y:467 parser_yacc.y:513
 msgid ""
 "Profile flag attach_disconnected conflicts with no_attach_disconnected"
 msgstr ""
 
-#: parser_yacc.y:427 parser_yacc.y:470
+#: parser_yacc.y:427 parser_yacc.y:470 parser_yacc.y:516
 msgid "Profile flag chroot_attach conflicts with chroot_no_attach"
 msgstr ""
 
-#: parser_yacc.y:441 parser_yacc.y:484
+#: parser_yacc.y:441 parser_yacc.y:484 parser_yacc.y:530
 msgid "Profile flag 'debug' is no longer valid."
 msgstr ""
 
-#: parser_yacc.y:463 parser_yacc.y:506
+#: parser_yacc.y:463 parser_yacc.y:506 parser_yacc.y:552
 #, c-format
 msgid "Invalid profile flag: %s."
 msgstr ""
 
-#: parser_yacc.y:498 parser_yacc.y:520 parser_yacc.y:548
+#: parser_yacc.y:498 parser_yacc.y:520 parser_yacc.y:548 parser_yacc.y:594
 msgid "Assert: `rule' returned NULL."
 msgstr ""
 
 #: parser_yacc.y:501 parser_yacc.y:546 parser_yacc.y:552 parser_yacc.y:584
+#: parser_yacc.y:598 parser_yacc.y:630
 msgid ""
 "Invalid mode, in deny rules 'x' must not be preceded by exec qualifier 'i', "
 "'p', or 'u'"
 msgstr ""
 
-#: parser_yacc.y:524 parser_yacc.y:556
+#: parser_yacc.y:524 parser_yacc.y:556 parser_yacc.y:602
 msgid ""
 "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', 'c', or 'u'"
 msgstr ""
 
-#: parser_yacc.y:549 parser_yacc.y:587
+#: parser_yacc.y:549 parser_yacc.y:587 parser_yacc.y:633
 msgid "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'"
 msgstr ""
 
-#: parser_yacc.y:574 parser_yacc.y:612 parser_yacc.y:614
+#: parser_yacc.y:574 parser_yacc.y:612 parser_yacc.y:614 parser_yacc.y:660
 msgid "Assert: `network_rule' return invalid protocol."
 msgstr ""
 
-#: parser_yacc.y:649 parser_yacc.y:696
+#: parser_yacc.y:649 parser_yacc.y:696 parser_yacc.y:786
 msgid "Assert: `change_profile' returned NULL."
 msgstr ""
 
-#: parser_yacc.y:680 parser_yacc.y:720
+#: parser_yacc.y:680 parser_yacc.y:720 parser_yacc.y:810
 msgid "Assert: 'hat rule' returned NULL."
 msgstr ""
 
-#: parser_yacc.y:689 parser_yacc.y:729
+#: parser_yacc.y:689 parser_yacc.y:729 parser_yacc.y:819
 msgid "Assert: 'local_profile rule' returned NULL."
 msgstr ""
 
-#: parser_yacc.y:824 parser_yacc.y:885
+#: parser_yacc.y:824 parser_yacc.y:885 parser_yacc.y:992
 #, c-format
 msgid "Unset boolean variable %s used in if-expression"
 msgstr ""
 
-#: parser_yacc.y:882 parser_yacc.y:986
+#: parser_yacc.y:882 parser_yacc.y:986 parser_yacc.y:1092
 msgid "unsafe rule missing exec permissions"
 msgstr ""
 
-#: parser_yacc.y:901 parser_yacc.y:954
+#: parser_yacc.y:901 parser_yacc.y:954 parser_yacc.y:1060
 msgid "subset can only be used with link rules."
 msgstr ""
 
-#: parser_yacc.y:903 parser_yacc.y:956
+#: parser_yacc.y:903 parser_yacc.y:956 parser_yacc.y:1062
 msgid "link and exec perms conflict on a file rule using ->"
 msgstr ""
 
-#: parser_yacc.y:905 parser_yacc.y:958
+#: parser_yacc.y:905 parser_yacc.y:958 parser_yacc.y:1064
 msgid "link perms are not allowed on a named profile transition.\n"
 msgstr ""
 
-#: parser_yacc.y:921 parser_yacc.y:1003
+#: parser_yacc.y:921 parser_yacc.y:1003 parser_yacc.y:1109
 #, c-format
 msgid "missing an end of line character? (entry: %s)"
 msgstr ""
 
 #: parser_yacc.y:975 parser_yacc.y:985 parser_yacc.y:1057 parser_yacc.y:1067
+#: parser_yacc.y:1145 parser_yacc.y:1155
 msgid "Invalid network entry."
 msgstr ""
 
-#: parser_yacc.y:1039 parser_yacc.y:1048 parser_yacc.y:1254
+#: parser_yacc.y:1039 parser_yacc.y:1048 parser_yacc.y:1254 parser_yacc.y:1510
 #, c-format
 msgid "Invalid capability %s."
 msgstr ""
 
-#: parser_yacc.y:1066 parser_yacc.y:1269
+#: parser_yacc.y:1066 parser_yacc.y:1269 parser_yacc.y:1525
 #, c-format
 msgid "AppArmor parser error for %s%s%s at line %d: %s\n"
 msgstr ""
 
-#: parser_yacc.y:1072 parser_yacc.y:1275
+#: parser_yacc.y:1072 parser_yacc.y:1275 parser_yacc.y:1531
 #, c-format
 msgid "AppArmor parser error,%s%s line %d: %s\n"
 msgstr ""
@@ -469,18 +493,18 @@ msgstr ""
 msgid "%s: Illegal open {, nesting groupings not allowed\n"
 msgstr ""
 
-#: ../parser_regex.c:265 ../parser_regex.c:274
+#: ../parser_regex.c:265 ../parser_regex.c:274 ../parser_regex.c:278
 #, c-format
 msgid "%s: Regex grouping error: Invalid number of items between {}\n"
 msgstr ""
 
-#: ../parser_regex.c:271 ../parser_regex.c:280
+#: ../parser_regex.c:271 ../parser_regex.c:280 ../parser_regex.c:284
 #, c-format
 msgid ""
 "%s: Regex grouping error: Invalid close }, no matching open { detected\n"
 msgstr ""
 
-#: ../parser_regex.c:337 ../parser_regex.c:343
+#: ../parser_regex.c:337 ../parser_regex.c:343 ../parser_regex.c:361
 #, c-format
 msgid ""
 "%s: Regex grouping error: Unclosed grouping or character class, expecting "
@@ -492,17 +516,17 @@ msgstr ""
 msgid "%s: Internal buffer overflow detected, %d characters exceeded\n"
 msgstr ""
 
-#: ../parser_regex.c:355 ../parser_regex.c:361
+#: ../parser_regex.c:355 ../parser_regex.c:361 ../parser_regex.c:377
 #, c-format
 msgid "%s: Unable to parse input line '%s'\n"
 msgstr ""
 
-#: ../parser_regex.c:397 ../parser_regex.c:405
+#: ../parser_regex.c:397 ../parser_regex.c:405 ../parser_regex.c:421
 #, c-format
 msgid "%s: Invalid profile name '%s' - bad regular expression\n"
 msgstr ""
 
-#: ../parser_policy.c:202 ../parser_policy.c:402
+#: ../parser_policy.c:202 ../parser_policy.c:402 ../parser_policy.c:375
 #, c-format
 msgid "ERROR merging rules for profile %s, failed to load\n"
 msgstr ""
@@ -515,17 +539,17 @@ msgid ""
 "\t'**' may only be used at the end of a rule.\n"
 msgstr ""
 
-#: ../parser_policy.c:279 ../parser_policy.c:359
+#: ../parser_policy.c:279 ../parser_policy.c:359 ../parser_policy.c:332
 #, c-format
 msgid "ERROR processing regexs for profile %s, failed to load\n"
 msgstr ""
 
-#: ../parser_policy.c:306 ../parser_policy.c:389
+#: ../parser_policy.c:306 ../parser_policy.c:389 ../parser_policy.c:362
 #, c-format
 msgid "ERROR expanding variables for profile %s, failed to load\n"
 msgstr ""
 
-#: ../parser_policy.c:390 ../parser_policy.c:382
+#: ../parser_policy.c:390 ../parser_policy.c:382 ../parser_policy.c:355
 #, c-format
 msgid "ERROR adding hat access rule for profile %s\n"
 msgstr ""
@@ -555,30 +579,31 @@ msgstr ""
 msgid "%s: Errors found in combining rules postprocessing. Aborting.\n"
 msgstr ""
 
-#: parser_lex.l:180
+#: parser_lex.l:180 parser_lex.l:186
 #, c-format
 msgid "Could not process include directory '%s' in '%s'"
 msgstr ""
 
-#: ../parser_main.c:660
+#: ../parser_main.c:660 ../parser_main.c:523
 msgid "Feature buffer full."
 msgstr ""
 
-#: ../parser_main.c:1115 ../parser_main.c:1132
+#: ../parser_main.c:1115 ../parser_main.c:1132 ../parser_main.c:1024
+#: ../parser_main.c:1041
 msgid "Out of memory"
 msgstr ""
 
-#: ../parser_main.c:1182
+#: ../parser_main.c:1182 ../parser_main.c:1091
 #, c-format
 msgid "Can't create cache directory: %s\n"
 msgstr ""
 
-#: ../parser_main.c:1185
+#: ../parser_main.c:1185 ../parser_main.c:1094
 #, c-format
 msgid "File in cache directory location: %s\n"
 msgstr ""
 
-#: ../parser_main.c:1188
+#: ../parser_main.c:1188 ../parser_main.c:1097
 #, c-format
 msgid "Can't update cache directory: %s\n"
 msgstr ""
@@ -593,11 +618,11 @@ msgstr ""
 msgid "Internal error generated invalid DBus perm 0x%x\n"
 msgstr ""
 
-#: parser_yacc.y:575
+#: parser_yacc.y:575 parser_yacc.y:621
 msgid "deny prefix not allowed"
 msgstr ""
 
-#: parser_yacc.y:612
+#: parser_yacc.y:612 parser_yacc.y:658
 msgid "owner prefix not allowed"
 msgstr ""
 
@@ -613,41 +638,41 @@ msgstr ""
 msgid "owner prefix not allow on capability rules"
 msgstr ""
 
-#: parser_yacc.y:1357
+#: parser_yacc.y:1357 parser_yacc.y:1613
 #, c-format
 msgid "invalid mount conditional %s%s"
 msgstr ""
 
-#: parser_yacc.y:1374
+#: parser_yacc.y:1374 parser_yacc.y:1628
 msgid "bad mount rule"
 msgstr ""
 
-#: parser_yacc.y:1381
+#: parser_yacc.y:1381 parser_yacc.y:1635
 msgid "mount point conditions not currently supported"
 msgstr ""
 
-#: parser_yacc.y:1398
+#: parser_yacc.y:1398 parser_yacc.y:1650
 #, c-format
 msgid "invalid pivotroot conditional '%s'"
 msgstr ""
 
-#: ../parser_regex.c:241
+#: ../parser_regex.c:241 ../parser_regex.c:236
 #, c-format
 msgid ""
 "%s: Regex grouping error: Invalid close ], no matching open [ detected\n"
 msgstr ""
 
-#: ../parser_regex.c:257
+#: ../parser_regex.c:257 ../parser_regex.c:256
 #, c-format
 msgid "%s: Regex grouping error: Exceeded maximum nesting of {}\n"
 msgstr ""
 
-#: ../parser_policy.c:366
+#: ../parser_policy.c:366 ../parser_policy.c:339
 #, c-format
 msgid "ERROR processing policydb rules for profile %s, failed to load\n"
 msgstr ""
 
-#: ../parser_policy.c:396
+#: ../parser_policy.c:396 ../parser_policy.c:369
 #, c-format
 msgid "ERROR replacing aliases for profile %s, failed to load\n"
 msgstr ""

parser/po/cs.po

@@ -12,15 +12,15 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2016-06-01 05:15+0000\n"
-"X-Generator: Launchpad (build 18053)\n"
+"X-Launchpad-Export-Date: 2019-04-18 05:32+0000\n"
+"X-Generator: Launchpad (build 18928)\n"
 "Language: cs\n"
 
-#: ../parser_include.c:113
+#: ../parser_include.c:113 ../parser_include.c:111
 msgid "Error: Out of memory.\n"
 msgstr "Chyba: Nedostatek paměti\n"
 
-#: ../parser_include.c:123
+#: ../parser_include.c:123 ../parser_include.c:121
 #, c-format
 msgid "Error: basedir %s is not a directory, skipping.\n"
 msgstr "Chyba: Základní adresář %s není adresář, přeskakuje se.\n"
@@ -30,97 +30,106 @@ msgstr "Chyba: Základní adresář %s není adresář, přeskakuje se.\n"
 msgid "Error: Could not add directory %s to search path.\n"
 msgstr "Chyba: Adresář %s nelze přidat ke hledané cestě.\n"
 
-#: ../parser_include.c:147
+#: ../parser_include.c:147 ../parser_include.c:151
 msgid "Error: Could not allocate memory.\n"
 msgstr "Chyba: Nelze přidělit paměť\n"
 
-#: ../parser_interface.c:69 ../parser_interface.c:72
+#: ../parser_interface.c:69 ../parser_interface.c:72 ../parser_interface.c:49
 msgid "Bad write position\n"
 msgstr "Špatná pozice zápisu\n"
 
-#: ../parser_interface.c:72 ../parser_interface.c:75
+#: ../parser_interface.c:72 ../parser_interface.c:75 ../parser_interface.c:52
 msgid "Permission denied\n"
 msgstr "Oprávnění odepřeno\n"
 
-#: ../parser_interface.c:75 ../parser_interface.c:78
+#: ../parser_interface.c:75 ../parser_interface.c:78 ../parser_interface.c:55
 msgid "Out of memory\n"
 msgstr "Nedostatek paměti\n"
 
-#: ../parser_interface.c:78 ../parser_interface.c:81
+#: ../parser_interface.c:78 ../parser_interface.c:81 ../parser_interface.c:58
 msgid "Couldn't copy profile: Bad memory address\n"
 msgstr ""
 
-#: ../parser_interface.c:81 ../parser_interface.c:84
+#: ../parser_interface.c:81 ../parser_interface.c:84 ../parser_interface.c:61
 msgid "Profile doesn't conform to protocol\n"
 msgstr "Profil neodpovídá protokolu\n"
 
-#: ../parser_interface.c:84 ../parser_interface.c:87
+#: ../parser_interface.c:84 ../parser_interface.c:87 ../parser_interface.c:64
 msgid "Profile does not match signature\n"
 msgstr "Profil neodpovídá podpisu\n"
 
-#: ../parser_interface.c:87 ../parser_interface.c:90
+#: ../parser_interface.c:87 ../parser_interface.c:90 ../parser_interface.c:67
 msgid "Profile version not supported by Apparmor module\n"
 msgstr "Modul Apparmor nepodporuje verzi profilu.\n"
 
-#: ../parser_interface.c:90 ../parser_interface.c:93
+#: ../parser_interface.c:90 ../parser_interface.c:93 ../parser_interface.c:70
 msgid "Profile already exists\n"
 msgstr "Profil již existuje\n"
 
-#: ../parser_interface.c:93 ../parser_interface.c:96
+#: ../parser_interface.c:93 ../parser_interface.c:96 ../parser_interface.c:73
 msgid "Profile doesn't exist\n"
 msgstr "Profil neexistuje\n"
 
-#: ../parser_interface.c:96 ../parser_interface.c:99
+#: ../parser_interface.c:96 ../parser_interface.c:99 ../parser_interface.c:76
 msgid "Permission denied; attempted to load a profile while confined?\n"
 msgstr ""
 
-#: ../parser_interface.c:99 ../parser_interface.c:102
+#: ../parser_interface.c:99 ../parser_interface.c:102 ../parser_interface.c:79
 #, c-format
 msgid "Unknown error (%d): %s\n"
 msgstr ""
 
 #: ../parser_interface.c:116 ../parser_interface.c:119
+#: ../parser_interface.c:96
 #, c-format
 msgid "%s: Unable to add \"%s\".  "
 msgstr "%s: Nelze přidat \"%s\".  "
 
 #: ../parser_interface.c:121 ../parser_interface.c:124
+#: ../parser_interface.c:101
 #, c-format
 msgid "%s: Unable to replace \"%s\".  "
 msgstr "%s: Nelze nahradit \"%s\".  "
 
 #: ../parser_interface.c:126 ../parser_interface.c:129
+#: ../parser_interface.c:106
 #, c-format
 msgid "%s: Unable to remove \"%s\".  "
 msgstr "%s: Nelze odstranit \"%s\".  "
 
 #: ../parser_interface.c:131 ../parser_interface.c:134
+#: ../parser_interface.c:111
 #, c-format
 msgid "%s: Unable to write to stdout\n"
 msgstr "%s: nelze zapisovat na standardní výstup\n"
 
 #: ../parser_interface.c:135 ../parser_interface.c:138
+#: ../parser_interface.c:115
 #, c-format
 msgid "%s: Unable to write to output file\n"
 msgstr ""
 
 #: ../parser_interface.c:138 ../parser_interface.c:162
 #: ../parser_interface.c:141 ../parser_interface.c:165
+#: ../parser_interface.c:118 ../parser_interface.c:142
 #, c-format
 msgid "%s: ASSERT: Invalid option: %d\n"
 msgstr "%s: ASSERT: neplatná volba: %d\n"
 
 #: ../parser_interface.c:147 ../parser_interface.c:150
+#: ../parser_interface.c:127
 #, c-format
 msgid "Addition succeeded for \"%s\".\n"
 msgstr "Přidání uspělo pro \"%s\".\n"
 
 #: ../parser_interface.c:151 ../parser_interface.c:154
+#: ../parser_interface.c:131
 #, c-format
 msgid "Replacement succeeded for \"%s\".\n"
 msgstr "Nahrazení uspělo pro \"%s\".\n"
 
 #: ../parser_interface.c:155 ../parser_interface.c:158
+#: ../parser_interface.c:135
 #, c-format
 msgid "Removal succeeded for \"%s\".\n"
 msgstr "Odstranění uspělo pro \"%s\".\n"
@@ -131,6 +140,7 @@ msgid "PANIC bad increment buffer %p pos %p ext %p size %d res %p\n"
 msgstr "PANIKA: chybný přírůstkový buffer %p pos %p ext %p size %d res %p\n"
 
 #: ../parser_interface.c:656 ../parser_interface.c:658
+#: ../parser_interface.c:446
 #, c-format
 msgid "profile %s network rules not enforced\n"
 msgstr ""
@@ -141,16 +151,19 @@ msgstr ""
 
 #: ../parser_interface.c:750 ../parser_interface.c:902
 #: ../parser_interface.c:743 ../parser_interface.c:894
+#: ../parser_interface.c:518 ../parser_interface.c:669
 #, c-format
 msgid "Unable to open %s - %s\n"
 msgstr "Nelze otevřít %s - %s\n"
 
 #: ../parser_interface.c:776 ../parser_interface.c:768
+#: ../parser_interface.c:543
 #, c-format
 msgid "Memory Allocation Error: Unable to remove ^%s\n"
 msgstr "Chyba alokace paměti: není možné odebrat ^%s\n"
 
 #: ../parser_interface.c:789 ../parser_interface.c:781
+#: ../parser_interface.c:556
 #, c-format
 msgid "Memory Allocation Error: Unable to remove %s:%s."
 msgstr "Chyba alokace paměti: není možné odebrat %s:%s."
@@ -166,21 +179,23 @@ msgstr "nelze serializovat profil %s\n"
 
 #: ../parser_interface.c:829 ../parser_interface.c:916
 #: ../parser_interface.c:821 ../parser_interface.c:908
+#: ../parser_interface.c:582
 #, c-format
 msgid "%s: Unable to write entire profile entry\n"
 msgstr "%s: Nelze zapsat celý záznam profilu\n"
 
 #: ../parser_interface.c:839 ../parser_interface.c:831
+#: ../parser_interface.c:593
 #, c-format
 msgid "%s: Unable to write entire profile entry to cache\n"
 msgstr ""
 
-#: parser_lex.l:100 parser_lex.l:163
+#: parser_lex.l:100 parser_lex.l:163 parser_lex.l:169
 #, c-format
 msgid "Could not open '%s'"
 msgstr ""
 
-#: parser_lex.l:104 parser_lex.l:167
+#: parser_lex.l:104 parser_lex.l:167 parser_lex.l:173
 #, c-format
 msgid "fstat failed for '%s'"
 msgstr ""
@@ -195,18 +210,18 @@ msgstr ""
 msgid "stat failed for '%s'"
 msgstr ""
 
-#: parser_lex.l:155 parser_lex.l:133
+#: parser_lex.l:155 parser_lex.l:133 parser_lex.l:139
 #, c-format
 msgid "Could not open '%s' in '%s'"
 msgstr ""
 
 #: parser_lex.l:284 parser_lex.l:322 parser_lex.l:362 parser_lex.l:399
-#: parser_lex.l:469 parser_lex.l:655 parser_lex.l:586
+#: parser_lex.l:469 parser_lex.l:655 parser_lex.l:586 parser_lex.l:638
 #, c-format
 msgid "Found unexpected character: '%s'"
 msgstr "Nalezen neočekávaný znak: '%s'"
 
-#: parser_lex.l:386 parser_lex.l:418
+#: parser_lex.l:386 parser_lex.l:418 parser_lex.l:428
 msgid "Variable declarations do not accept trailing commas"
 msgstr ""
 
@@ -215,7 +230,7 @@ msgstr ""
 msgid "(network_mode) Found unexpected character: '%s'"
 msgstr "(režim_sítě) Nalezen neplatný znak: '%s'"
 
-#: ../parser_main.c:333 ../parser_common.c:61
+#: ../parser_main.c:333 ../parser_common.c:61 ../parser_common.c:106
 #, c-format
 msgid "Warning from %s (%s%sline %d): %s"
 msgstr ""
@@ -225,7 +240,7 @@ msgstr ""
 msgid "%s: Could not allocate memory for subdomainbase mount point\n"
 msgstr "%s: Nelze alokovat paměť pro bod připojení subdomainbase\n"
 
-#: ../parser_main.c:577 ../parser_main.c:616
+#: ../parser_main.c:577 ../parser_main.c:616 ../parser_main.c:479
 #, c-format
 msgid ""
 "Warning: unable to find a suitable fs in %s, is it mounted?\n"
@@ -234,7 +249,7 @@ msgstr ""
 "Upozornění: Nelze nalézt vhodný souborový systém v %s, je připojen?\n"
 "Možnost lze přepsat pomocí možnosti --subdomainfs.\n"
 
-#: ../parser_main.c:597 ../parser_main.c:635
+#: ../parser_main.c:597 ../parser_main.c:635 ../parser_main.c:498
 #, c-format
 msgid ""
 "%s: Sorry. You need root privileges to run this program.\n"
@@ -243,7 +258,7 @@ msgstr ""
 "%s: Ke spuštění tohoto programu jsou třeba práva správce.\n"
 "\n"
 
-#: ../parser_main.c:604 ../parser_main.c:642
+#: ../parser_main.c:604 ../parser_main.c:642 ../parser_main.c:505
 #, c-format
 msgid ""
 "%s: Warning! You've set this program setuid root.\n"
@@ -257,7 +272,7 @@ msgstr ""
 "\n"
 
 #: ../parser_main.c:704 ../parser_main.c:813 ../parser_main.c:836
-#: ../parser_main.c:946
+#: ../parser_main.c:946 ../parser_main.c:860
 #, c-format
 msgid "Error: Could not read profile %s: %s.\n"
 msgstr "Chyba: Nelze číst profil %s: %s.\n"
@@ -273,25 +288,32 @@ msgstr "Chyba: Nelze číst profil %s: %s.\n"
 #: parser_yacc.y:1042 parser_yacc.y:1078 parser_yacc.y:1082 parser_yacc.y:1092
 #: parser_yacc.y:1102 parser_yacc.y:1201 parser_yacc.y:1223 parser_yacc.y:1234
 #: parser_yacc.y:1309 parser_yacc.y:1327 parser_yacc.y:1334 parser_yacc.y:1385
+#: ../parser_main.c:735 ../parser_main.c:923 ../parser_main.c:1133
+#: ../parser_main.c:1187 parser_yacc.y:311 parser_yacc.y:462 parser_yacc.y:472
+#: parser_yacc.y:583 parser_yacc.y:662 parser_yacc.y:669 parser_yacc.y:1130
+#: parser_yacc.y:1166 parser_yacc.y:1170 parser_yacc.y:1180 parser_yacc.y:1190
+#: parser_yacc.y:1298 parser_yacc.y:1376 parser_yacc.y:1479 parser_yacc.y:1490
+#: parser_yacc.y:1565 parser_yacc.y:1583 parser_yacc.y:1590 parser_yacc.y:1639
+#: ../network.c:314 ../af_unix.cc:203
 msgid "Memory allocation error."
 msgstr "Chyba alokace paměti."
 
-#: ../parser_main.c:740 ../parser_main.c:872
+#: ../parser_main.c:740 ../parser_main.c:872 ../parser_main.c:757
 #, c-format
 msgid "Cached load succeeded for \"%s\".\n"
 msgstr ""
 
-#: ../parser_main.c:744 ../parser_main.c:876
+#: ../parser_main.c:744 ../parser_main.c:876 ../parser_main.c:761
 #, c-format
 msgid "Cached reload succeeded for \"%s\".\n"
 msgstr ""
 
-#: ../parser_main.c:910 ../parser_main.c:1058
+#: ../parser_main.c:910 ../parser_main.c:1058 ../parser_main.c:967
 #, c-format
 msgid "%s: Errors found in file. Aborting.\n"
 msgstr "%s: Chyby v souboru. Ukončuji.\n"
 
-#: ../parser_misc.c:426 ../parser_misc.c:597
+#: ../parser_misc.c:426 ../parser_misc.c:597 ../parser_misc.c:339
 msgid ""
 "Uppercase qualifiers \"RWLIMX\" are deprecated, please convert to lowercase\n"
 "See the apparmor.d(5) manpage for details.\n"
@@ -301,17 +323,17 @@ msgstr ""
 "Podrobnosti naleznete v manuálové stránce apparmor.d(5).\n"
 
 #: ../parser_misc.c:467 ../parser_misc.c:474 ../parser_misc.c:638
-#: ../parser_misc.c:645
+#: ../parser_misc.c:645 ../parser_misc.c:380 ../parser_misc.c:387
 msgid "Conflict 'a' and 'w' perms are mutually exclusive."
 msgstr "Oprávnění 'a' a 'w' se vzájemně vylučují."
 
-#: ../parser_misc.c:491 ../parser_misc.c:662
+#: ../parser_misc.c:491 ../parser_misc.c:662 ../parser_misc.c:404
 msgid "Exec qualifier 'i' invalid, conflicting qualifier already specified"
 msgstr ""
 "Exec kvalifikátor 'i' je neplatný, byl již specifikován konfliktní "
 "kvalifikátor"
 
-#: ../parser_misc.c:502 ../parser_misc.c:673
+#: ../parser_misc.c:502 ../parser_misc.c:673 ../parser_misc.c:415
 #, c-format
 msgid ""
 "Unconfined exec qualifier (%c%c) allows some dangerous environment variables "
@@ -322,7 +344,7 @@ msgstr ""
 "stránka 'man 5 apparmor.d'.\n"
 
 #: ../parser_misc.c:510 ../parser_misc.c:551 ../parser_misc.c:681
-#: ../parser_misc.c:722
+#: ../parser_misc.c:722 ../parser_misc.c:423 ../parser_misc.c:464
 #, c-format
 msgid "Exec qualifier '%c' invalid, conflicting qualifier already specified"
 msgstr ""
@@ -330,7 +352,7 @@ msgstr ""
 "kvalifikátor."
 
 #: ../parser_misc.c:537 ../parser_misc.c:545 ../parser_misc.c:708
-#: ../parser_misc.c:716
+#: ../parser_misc.c:716 ../parser_misc.c:450 ../parser_misc.c:458
 #, c-format
 msgid ""
 "Exec qualifier '%c%c' invalid, conflicting qualifier already specified"
@@ -338,12 +360,12 @@ msgstr ""
 "Exec kvalifikátor '%c%c' je neplatný, byl již specifikován konfliktní "
 "kvalifikátor"
 
-#: ../parser_misc.c:593 ../parser_misc.c:764
+#: ../parser_misc.c:593 ../parser_misc.c:764 ../parser_misc.c:506
 #, c-format
 msgid "Internal: unexpected mode character '%c' in input"
 msgstr "Vnitřní: Neznámý znak režimu '%c' na vstupu."
 
-#: ../parser_misc.c:615 ../parser_misc.c:786
+#: ../parser_misc.c:615 ../parser_misc.c:786 ../parser_misc.c:528
 #, c-format
 msgid "Internal error generated invalid perm 0x%llx\n"
 msgstr "Vnitřní chyba způsobila neplatné perm 0x%llx\n"
@@ -354,133 +376,135 @@ msgstr "Vnitřní chyba způsobila neplatné perm 0x%llx\n"
 msgid "AppArmor parser error: %s\n"
 msgstr "Chyba parseru AppArmor: %s\n"
 
-#: ../parser_merge.c:92 ../parser_merge.c:91
+#: ../parser_merge.c:92 ../parser_merge.c:91 ../parser_merge.c:83
 msgid "Couldn't merge entries. Out of Memory\n"
 msgstr "Nelze sloučit záznamy. Nedostatek paměti\n"
 
-#: ../parser_merge.c:111 ../parser_merge.c:113
+#: ../parser_merge.c:111 ../parser_merge.c:113 ../parser_merge.c:105
 #, c-format
 msgid "profile %s: has merged rule %s with conflicting x modifiers\n"
 msgstr ""
 
-#: parser_yacc.y:236 parser_yacc.y:277
+#: parser_yacc.y:236 parser_yacc.y:277 parser_yacc.y:320
 msgid "Profile attachment must begin with a '/'."
 msgstr ""
 
-#: parser_yacc.y:260 parser_yacc.y:302
+#: parser_yacc.y:260 parser_yacc.y:302 parser_yacc.y:348
 msgid ""
 "Profile names must begin with a '/', namespace or keyword 'profile' or 'hat'."
 msgstr ""
 
-#: parser_yacc.y:296 parser_yacc.y:338
+#: parser_yacc.y:296 parser_yacc.y:338 parser_yacc.y:384
 #, c-format
 msgid "Failed to create alias %s -> %s\n"
 msgstr "Nelze vytvořit alias %s -> %s\n"
 
-#: parser_yacc.y:417 parser_yacc.y:460
+#: parser_yacc.y:417 parser_yacc.y:460 parser_yacc.y:506
 msgid "Profile flag chroot_relative conflicts with namespace_relative"
 msgstr ""
 
-#: parser_yacc.y:421 parser_yacc.y:464
+#: parser_yacc.y:421 parser_yacc.y:464 parser_yacc.y:510
 msgid "Profile flag mediate_deleted conflicts with delegate_deleted"
 msgstr ""
 
-#: parser_yacc.y:424 parser_yacc.y:467
+#: parser_yacc.y:424 parser_yacc.y:467 parser_yacc.y:513
 msgid ""
 "Profile flag attach_disconnected conflicts with no_attach_disconnected"
 msgstr ""
 
-#: parser_yacc.y:427 parser_yacc.y:470
+#: parser_yacc.y:427 parser_yacc.y:470 parser_yacc.y:516
 msgid "Profile flag chroot_attach conflicts with chroot_no_attach"
 msgstr ""
 
-#: parser_yacc.y:441 parser_yacc.y:484
+#: parser_yacc.y:441 parser_yacc.y:484 parser_yacc.y:530
 msgid "Profile flag 'debug' is no longer valid."
 msgstr "Příznak profilu 'debug' již není platný."
 
-#: parser_yacc.y:463 parser_yacc.y:506
+#: parser_yacc.y:463 parser_yacc.y:506 parser_yacc.y:552
 #, c-format
 msgid "Invalid profile flag: %s."
 msgstr "Neplatný příznak profilu: %s."
 
-#: parser_yacc.y:498 parser_yacc.y:520 parser_yacc.y:548
+#: parser_yacc.y:498 parser_yacc.y:520 parser_yacc.y:548 parser_yacc.y:594
 msgid "Assert: `rule' returned NULL."
 msgstr "Assert: `rule' vrátil NULL."
 
 #: parser_yacc.y:501 parser_yacc.y:546 parser_yacc.y:552 parser_yacc.y:584
+#: parser_yacc.y:598 parser_yacc.y:630
 msgid ""
 "Invalid mode, in deny rules 'x' must not be preceded by exec qualifier 'i', "
 "'p', or 'u'"
 msgstr ""
 "Neplatný režim, před 'x' musí být exec kvalifikátor 'i', 'p' nebo 'u'"
 
-#: parser_yacc.y:524 parser_yacc.y:556
+#: parser_yacc.y:524 parser_yacc.y:556 parser_yacc.y:602
 msgid ""
 "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', 'c', or 'u'"
 msgstr ""
 "Neplatný režim, před 'x' musí být exec kvalifikátor 'i', 'p', 'c' nebo 'u'"
 
-#: parser_yacc.y:549 parser_yacc.y:587
+#: parser_yacc.y:549 parser_yacc.y:587 parser_yacc.y:633
 msgid "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'"
 msgstr "Neplatný režim, před 'x' musí být kvalifikátor 'i', 'p' nebo 'u'."
 
-#: parser_yacc.y:574 parser_yacc.y:612 parser_yacc.y:614
+#: parser_yacc.y:574 parser_yacc.y:612 parser_yacc.y:614 parser_yacc.y:660
 msgid "Assert: `network_rule' return invalid protocol."
 msgstr "Assert: `pravidlo_sítě' vrací neplatný protokol."
 
-#: parser_yacc.y:649 parser_yacc.y:696
+#: parser_yacc.y:649 parser_yacc.y:696 parser_yacc.y:786
 msgid "Assert: `change_profile' returned NULL."
 msgstr "Assert: `změna_profilu' vrátila hodnotu NULL."
 
-#: parser_yacc.y:680 parser_yacc.y:720
+#: parser_yacc.y:680 parser_yacc.y:720 parser_yacc.y:810
 msgid "Assert: 'hat rule' returned NULL."
 msgstr "Assert: 'hat rule' vrátil NULL."
 
-#: parser_yacc.y:689 parser_yacc.y:729
+#: parser_yacc.y:689 parser_yacc.y:729 parser_yacc.y:819
 msgid "Assert: 'local_profile rule' returned NULL."
 msgstr "Assert: 'local_profile rule' vrátil NULL."
 
-#: parser_yacc.y:824 parser_yacc.y:885
+#: parser_yacc.y:824 parser_yacc.y:885 parser_yacc.y:992
 #, c-format
 msgid "Unset boolean variable %s used in if-expression"
 msgstr "Ve výrazu 'if' byla použita nenastavená booleovská proměnná %s."
 
-#: parser_yacc.y:882 parser_yacc.y:986
+#: parser_yacc.y:882 parser_yacc.y:986 parser_yacc.y:1092
 msgid "unsafe rule missing exec permissions"
 msgstr "nebezpečné pravidlo nemá oprávnění ke spuštění"
 
-#: parser_yacc.y:901 parser_yacc.y:954
+#: parser_yacc.y:901 parser_yacc.y:954 parser_yacc.y:1060
 msgid "subset can only be used with link rules."
 msgstr "podskupina může být použita pouze s pravidly odkazů."
 
-#: parser_yacc.y:903 parser_yacc.y:956
+#: parser_yacc.y:903 parser_yacc.y:956 parser_yacc.y:1062
 msgid "link and exec perms conflict on a file rule using ->"
 msgstr "link a exec perms konflikt souboru pravidel používajícím ->"
 
-#: parser_yacc.y:905 parser_yacc.y:958
+#: parser_yacc.y:905 parser_yacc.y:958 parser_yacc.y:1064
 msgid "link perms are not allowed on a named profile transition.\n"
 msgstr "link perms nejsou povoleny na přechodu pojmenovaného profilu.\n"
 
-#: parser_yacc.y:921 parser_yacc.y:1003
+#: parser_yacc.y:921 parser_yacc.y:1003 parser_yacc.y:1109
 #, c-format
 msgid "missing an end of line character? (entry: %s)"
 msgstr "chybí znak konce řádku?  (záznam: %s)"
 
 #: parser_yacc.y:975 parser_yacc.y:985 parser_yacc.y:1057 parser_yacc.y:1067
+#: parser_yacc.y:1145 parser_yacc.y:1155
 msgid "Invalid network entry."
 msgstr "Neplatná položka sítě."
 
-#: parser_yacc.y:1039 parser_yacc.y:1048 parser_yacc.y:1254
+#: parser_yacc.y:1039 parser_yacc.y:1048 parser_yacc.y:1254 parser_yacc.y:1510
 #, c-format
 msgid "Invalid capability %s."
 msgstr "Neplatná schopnost %s."
 
-#: parser_yacc.y:1066 parser_yacc.y:1269
+#: parser_yacc.y:1066 parser_yacc.y:1269 parser_yacc.y:1525
 #, c-format
 msgid "AppArmor parser error for %s%s%s at line %d: %s\n"
 msgstr ""
 
-#: parser_yacc.y:1072 parser_yacc.y:1275
+#: parser_yacc.y:1072 parser_yacc.y:1275 parser_yacc.y:1531
 #, c-format
 msgid "AppArmor parser error,%s%s line %d: %s\n"
 msgstr ""
@@ -490,12 +514,12 @@ msgstr ""
 msgid "%s: Illegal open {, nesting groupings not allowed\n"
 msgstr "%s: nepovolená otvírací {, vnořené seskupování není povoleno\n"
 
-#: ../parser_regex.c:265 ../parser_regex.c:274
+#: ../parser_regex.c:265 ../parser_regex.c:274 ../parser_regex.c:278
 #, c-format
 msgid "%s: Regex grouping error: Invalid number of items between {}\n"
 msgstr "%s: Chyba seskupování regex: neplatný počet položek mezi {}\n"
 
-#: ../parser_regex.c:271 ../parser_regex.c:280
+#: ../parser_regex.c:271 ../parser_regex.c:280 ../parser_regex.c:284
 #, c-format
 msgid ""
 "%s: Regex grouping error: Invalid close }, no matching open { detected\n"
@@ -503,7 +527,7 @@ msgstr ""
 "%s: Chyba seskupování regex: neplatná uzavírací }, nenalezena odpovídající "
 "otevírací {\n"
 
-#: ../parser_regex.c:337 ../parser_regex.c:343
+#: ../parser_regex.c:337 ../parser_regex.c:343 ../parser_regex.c:361
 #, c-format
 msgid ""
 "%s: Regex grouping error: Unclosed grouping or character class, expecting "
@@ -517,17 +541,17 @@ msgstr ""
 msgid "%s: Internal buffer overflow detected, %d characters exceeded\n"
 msgstr "%s: Detekováno vnitřní přetečení zásobníku, přesáhlo %d znaků\n"
 
-#: ../parser_regex.c:355 ../parser_regex.c:361
+#: ../parser_regex.c:355 ../parser_regex.c:361 ../parser_regex.c:377
 #, c-format
 msgid "%s: Unable to parse input line '%s'\n"
 msgstr "%s: Nelze analyzovat vstupní řádku '%s'\n"
 
-#: ../parser_regex.c:397 ../parser_regex.c:405
+#: ../parser_regex.c:397 ../parser_regex.c:405 ../parser_regex.c:421
 #, c-format
 msgid "%s: Invalid profile name '%s' - bad regular expression\n"
 msgstr ""
 
-#: ../parser_policy.c:202 ../parser_policy.c:402
+#: ../parser_policy.c:202 ../parser_policy.c:402 ../parser_policy.c:375
 #, c-format
 msgid "ERROR merging rules for profile %s, failed to load\n"
 msgstr ""
@@ -544,20 +568,20 @@ msgstr ""
 "\t'*', '?', rozsahy znaků a střídání nejsou povoleny.\n"
 "\t'**' lze použít pouze na konci pravidla.\n"
 
-#: ../parser_policy.c:279 ../parser_policy.c:359
+#: ../parser_policy.c:279 ../parser_policy.c:359 ../parser_policy.c:332
 #, c-format
 msgid "ERROR processing regexs for profile %s, failed to load\n"
 msgstr ""
 "CHYBA při zpracování regulárních výrazů pro profil %s, došlo k chybě při "
 "načítání.\n"
 
-#: ../parser_policy.c:306 ../parser_policy.c:389
+#: ../parser_policy.c:306 ../parser_policy.c:389 ../parser_policy.c:362
 #, c-format
 msgid "ERROR expanding variables for profile %s, failed to load\n"
 msgstr ""
 "CHYBA při rozšíření proměnných pro profil %s, došlo k chybě při načítání.\n"
 
-#: ../parser_policy.c:390 ../parser_policy.c:382
+#: ../parser_policy.c:390 ../parser_policy.c:382 ../parser_policy.c:355
 #, c-format
 msgid "ERROR adding hat access rule for profile %s\n"
 msgstr "Chyba při přidání pravidla pro přístup k hat pro profil %s\n"
@@ -589,30 +613,31 @@ msgid "%s: Errors found in combining rules postprocessing. Aborting.\n"
 msgstr ""
 "%s: Nalezeny chyby při postprocesingu kombinačních pravidel. Ukončuji.\n"
 
-#: parser_lex.l:180
+#: parser_lex.l:180 parser_lex.l:186
 #, c-format
 msgid "Could not process include directory '%s' in '%s'"
 msgstr ""
 
-#: ../parser_main.c:660
+#: ../parser_main.c:660 ../parser_main.c:523
 msgid "Feature buffer full."
 msgstr ""
 
-#: ../parser_main.c:1115 ../parser_main.c:1132
+#: ../parser_main.c:1115 ../parser_main.c:1132 ../parser_main.c:1024
+#: ../parser_main.c:1041
 msgid "Out of memory"
 msgstr ""
 
-#: ../parser_main.c:1182
+#: ../parser_main.c:1182 ../parser_main.c:1091
 #, c-format
 msgid "Can't create cache directory: %s\n"
 msgstr ""
 
-#: ../parser_main.c:1185
+#: ../parser_main.c:1185 ../parser_main.c:1094
 #, c-format
 msgid "File in cache directory location: %s\n"
 msgstr ""
 
-#: ../parser_main.c:1188
+#: ../parser_main.c:1188 ../parser_main.c:1097
 #, c-format
 msgid "Can't update cache directory: %s\n"
 msgstr ""
@@ -627,11 +652,11 @@ msgstr ""
 msgid "Internal error generated invalid DBus perm 0x%x\n"
 msgstr ""
 
-#: parser_yacc.y:575
+#: parser_yacc.y:575 parser_yacc.y:621
 msgid "deny prefix not allowed"
 msgstr ""
 
-#: parser_yacc.y:612
+#: parser_yacc.y:612 parser_yacc.y:658
 msgid "owner prefix not allowed"
 msgstr ""
 
@@ -647,41 +672,41 @@ msgstr ""
 msgid "owner prefix not allow on capability rules"
 msgstr ""
 
-#: parser_yacc.y:1357
+#: parser_yacc.y:1357 parser_yacc.y:1613
 #, c-format
 msgid "invalid mount conditional %s%s"
 msgstr ""
 
-#: parser_yacc.y:1374
+#: parser_yacc.y:1374 parser_yacc.y:1628
 msgid "bad mount rule"
 msgstr ""
 
-#: parser_yacc.y:1381
+#: parser_yacc.y:1381 parser_yacc.y:1635
 msgid "mount point conditions not currently supported"
 msgstr ""
 
-#: parser_yacc.y:1398
+#: parser_yacc.y:1398 parser_yacc.y:1650
 #, c-format
 msgid "invalid pivotroot conditional '%s'"
 msgstr ""
 
-#: ../parser_regex.c:241
+#: ../parser_regex.c:241 ../parser_regex.c:236
 #, c-format
 msgid ""
 "%s: Regex grouping error: Invalid close ], no matching open [ detected\n"
 msgstr ""
 
-#: ../parser_regex.c:257
+#: ../parser_regex.c:257 ../parser_regex.c:256
 #, c-format
 msgid "%s: Regex grouping error: Exceeded maximum nesting of {}\n"
 msgstr ""
 
-#: ../parser_policy.c:366
+#: ../parser_policy.c:366 ../parser_policy.c:339
 #, c-format
 msgid "ERROR processing policydb rules for profile %s, failed to load\n"
 msgstr ""
 
-#: ../parser_policy.c:396
+#: ../parser_policy.c:396 ../parser_policy.c:369
 #, c-format
 msgid "ERROR replacing aliases for profile %s, failed to load\n"
 msgstr ""

parser/po/cy.po

@@ -14,15 +14,15 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2016-06-01 05:15+0000\n"
-"X-Generator: Launchpad (build 18053)\n"
+"X-Launchpad-Export-Date: 2019-04-18 05:33+0000\n"
+"X-Generator: Launchpad (build 18928)\n"
 "Language: cy\n"
 
-#: ../parser_include.c:113
+#: ../parser_include.c:113 ../parser_include.c:111
 msgid "Error: Out of memory.\n"
 msgstr ""
 
-#: ../parser_include.c:123
+#: ../parser_include.c:123 ../parser_include.c:121
 #, c-format
 msgid "Error: basedir %s is not a directory, skipping.\n"
 msgstr ""
@@ -32,97 +32,106 @@ msgstr ""
 msgid "Error: Could not add directory %s to search path.\n"
 msgstr ""
 
-#: ../parser_include.c:147
+#: ../parser_include.c:147 ../parser_include.c:151
 msgid "Error: Could not allocate memory.\n"
 msgstr ""
 
-#: ../parser_interface.c:69 ../parser_interface.c:72
+#: ../parser_interface.c:69 ../parser_interface.c:72 ../parser_interface.c:49
 msgid "Bad write position\n"
 msgstr ""
 
-#: ../parser_interface.c:72 ../parser_interface.c:75
+#: ../parser_interface.c:72 ../parser_interface.c:75 ../parser_interface.c:52
 msgid "Permission denied\n"
 msgstr ""
 
-#: ../parser_interface.c:75 ../parser_interface.c:78
+#: ../parser_interface.c:75 ../parser_interface.c:78 ../parser_interface.c:55
 msgid "Out of memory\n"
 msgstr ""
 
-#: ../parser_interface.c:78 ../parser_interface.c:81
+#: ../parser_interface.c:78 ../parser_interface.c:81 ../parser_interface.c:58
 msgid "Couldn't copy profile: Bad memory address\n"
 msgstr ""
 
-#: ../parser_interface.c:81 ../parser_interface.c:84
+#: ../parser_interface.c:81 ../parser_interface.c:84 ../parser_interface.c:61
 msgid "Profile doesn't conform to protocol\n"
 msgstr ""
 
-#: ../parser_interface.c:84 ../parser_interface.c:87
+#: ../parser_interface.c:84 ../parser_interface.c:87 ../parser_interface.c:64
 msgid "Profile does not match signature\n"
 msgstr ""
 
-#: ../parser_interface.c:87 ../parser_interface.c:90
+#: ../parser_interface.c:87 ../parser_interface.c:90 ../parser_interface.c:67
 msgid "Profile version not supported by Apparmor module\n"
 msgstr ""
 
-#: ../parser_interface.c:90 ../parser_interface.c:93
+#: ../parser_interface.c:90 ../parser_interface.c:93 ../parser_interface.c:70
 msgid "Profile already exists\n"
 msgstr ""
 
-#: ../parser_interface.c:93 ../parser_interface.c:96
+#: ../parser_interface.c:93 ../parser_interface.c:96 ../parser_interface.c:73
 msgid "Profile doesn't exist\n"
 msgstr ""
 
-#: ../parser_interface.c:96 ../parser_interface.c:99
+#: ../parser_interface.c:96 ../parser_interface.c:99 ../parser_interface.c:76
 msgid "Permission denied; attempted to load a profile while confined?\n"
 msgstr ""
 
-#: ../parser_interface.c:99 ../parser_interface.c:102
+#: ../parser_interface.c:99 ../parser_interface.c:102 ../parser_interface.c:79
 #, c-format
 msgid "Unknown error (%d): %s\n"
 msgstr ""
 
 #: ../parser_interface.c:116 ../parser_interface.c:119
+#: ../parser_interface.c:96
 #, c-format
 msgid "%s: Unable to add \"%s\".  "
 msgstr ""
 
 #: ../parser_interface.c:121 ../parser_interface.c:124
+#: ../parser_interface.c:101
 #, c-format
 msgid "%s: Unable to replace \"%s\".  "
 msgstr ""
 
 #: ../parser_interface.c:126 ../parser_interface.c:129
+#: ../parser_interface.c:106
 #, c-format
 msgid "%s: Unable to remove \"%s\".  "
 msgstr ""
 
 #: ../parser_interface.c:131 ../parser_interface.c:134
+#: ../parser_interface.c:111
 #, c-format
 msgid "%s: Unable to write to stdout\n"
 msgstr ""
 
 #: ../parser_interface.c:135 ../parser_interface.c:138
+#: ../parser_interface.c:115
 #, c-format
 msgid "%s: Unable to write to output file\n"
 msgstr ""
 
 #: ../parser_interface.c:138 ../parser_interface.c:162
 #: ../parser_interface.c:141 ../parser_interface.c:165
+#: ../parser_interface.c:118 ../parser_interface.c:142
 #, c-format
 msgid "%s: ASSERT: Invalid option: %d\n"
 msgstr ""
 
 #: ../parser_interface.c:147 ../parser_interface.c:150
+#: ../parser_interface.c:127
 #, c-format
 msgid "Addition succeeded for \"%s\".\n"
 msgstr ""
 
 #: ../parser_interface.c:151 ../parser_interface.c:154
+#: ../parser_interface.c:131
 #, c-format
 msgid "Replacement succeeded for \"%s\".\n"
 msgstr ""
 
 #: ../parser_interface.c:155 ../parser_interface.c:158
+#: ../parser_interface.c:135
 #, c-format
 msgid "Removal succeeded for \"%s\".\n"
 msgstr ""
@@ -133,6 +142,7 @@ msgid "PANIC bad increment buffer %p pos %p ext %p size %d res %p\n"
 msgstr ""
 
 #: ../parser_interface.c:656 ../parser_interface.c:658
+#: ../parser_interface.c:446
 #, c-format
 msgid "profile %s network rules not enforced\n"
 msgstr ""
@@ -143,16 +153,19 @@ msgstr ""
 
 #: ../parser_interface.c:750 ../parser_interface.c:902
 #: ../parser_interface.c:743 ../parser_interface.c:894
+#: ../parser_interface.c:518 ../parser_interface.c:669
 #, c-format
 msgid "Unable to open %s - %s\n"
 msgstr ""
 
 #: ../parser_interface.c:776 ../parser_interface.c:768
+#: ../parser_interface.c:543
 #, c-format
 msgid "Memory Allocation Error: Unable to remove ^%s\n"
 msgstr ""
 
 #: ../parser_interface.c:789 ../parser_interface.c:781
+#: ../parser_interface.c:556
 #, c-format
 msgid "Memory Allocation Error: Unable to remove %s:%s."
 msgstr ""
@@ -168,21 +181,23 @@ msgstr ""
 
 #: ../parser_interface.c:829 ../parser_interface.c:916
 #: ../parser_interface.c:821 ../parser_interface.c:908
+#: ../parser_interface.c:582
 #, c-format
 msgid "%s: Unable to write entire profile entry\n"
 msgstr ""
 
 #: ../parser_interface.c:839 ../parser_interface.c:831
+#: ../parser_interface.c:593
 #, c-format
 msgid "%s: Unable to write entire profile entry to cache\n"
 msgstr ""
 
-#: parser_lex.l:100 parser_lex.l:163
+#: parser_lex.l:100 parser_lex.l:163 parser_lex.l:169
 #, c-format
 msgid "Could not open '%s'"
 msgstr ""
 
-#: parser_lex.l:104 parser_lex.l:167
+#: parser_lex.l:104 parser_lex.l:167 parser_lex.l:173
 #, c-format
 msgid "fstat failed for '%s'"
 msgstr ""
@@ -197,18 +212,18 @@ msgstr ""
 msgid "stat failed for '%s'"
 msgstr ""
 
-#: parser_lex.l:155 parser_lex.l:133
+#: parser_lex.l:155 parser_lex.l:133 parser_lex.l:139
 #, c-format
 msgid "Could not open '%s' in '%s'"
 msgstr ""
 
 #: parser_lex.l:284 parser_lex.l:322 parser_lex.l:362 parser_lex.l:399
-#: parser_lex.l:469 parser_lex.l:655 parser_lex.l:586
+#: parser_lex.l:469 parser_lex.l:655 parser_lex.l:586 parser_lex.l:638
 #, c-format
 msgid "Found unexpected character: '%s'"
 msgstr ""
 
-#: parser_lex.l:386 parser_lex.l:418
+#: parser_lex.l:386 parser_lex.l:418 parser_lex.l:428
 msgid "Variable declarations do not accept trailing commas"
 msgstr ""
 
@@ -217,7 +232,7 @@ msgstr ""
 msgid "(network_mode) Found unexpected character: '%s'"
 msgstr ""
 
-#: ../parser_main.c:333 ../parser_common.c:61
+#: ../parser_main.c:333 ../parser_common.c:61 ../parser_common.c:106
 #, c-format
 msgid "Warning from %s (%s%sline %d): %s"
 msgstr ""
@@ -227,21 +242,21 @@ msgstr ""
 msgid "%s: Could not allocate memory for subdomainbase mount point\n"
 msgstr ""
 
-#: ../parser_main.c:577 ../parser_main.c:616
+#: ../parser_main.c:577 ../parser_main.c:616 ../parser_main.c:479
 #, c-format
 msgid ""
 "Warning: unable to find a suitable fs in %s, is it mounted?\n"
 "Use --subdomainfs to override.\n"
 msgstr ""
 
-#: ../parser_main.c:597 ../parser_main.c:635
+#: ../parser_main.c:597 ../parser_main.c:635 ../parser_main.c:498
 #, c-format
 msgid ""
 "%s: Sorry. You need root privileges to run this program.\n"
 "\n"
 msgstr ""
 
-#: ../parser_main.c:604 ../parser_main.c:642
+#: ../parser_main.c:604 ../parser_main.c:642 ../parser_main.c:505
 #, c-format
 msgid ""
 "%s: Warning! You've set this program setuid root.\n"
@@ -250,7 +265,7 @@ msgid ""
 msgstr ""
 
 #: ../parser_main.c:704 ../parser_main.c:813 ../parser_main.c:836
-#: ../parser_main.c:946
+#: ../parser_main.c:946 ../parser_main.c:860
 #, c-format
 msgid "Error: Could not read profile %s: %s.\n"
 msgstr ""
@@ -266,40 +281,47 @@ msgstr ""
 #: parser_yacc.y:1042 parser_yacc.y:1078 parser_yacc.y:1082 parser_yacc.y:1092
 #: parser_yacc.y:1102 parser_yacc.y:1201 parser_yacc.y:1223 parser_yacc.y:1234
 #: parser_yacc.y:1309 parser_yacc.y:1327 parser_yacc.y:1334 parser_yacc.y:1385
+#: ../parser_main.c:735 ../parser_main.c:923 ../parser_main.c:1133
+#: ../parser_main.c:1187 parser_yacc.y:311 parser_yacc.y:462 parser_yacc.y:472
+#: parser_yacc.y:583 parser_yacc.y:662 parser_yacc.y:669 parser_yacc.y:1130
+#: parser_yacc.y:1166 parser_yacc.y:1170 parser_yacc.y:1180 parser_yacc.y:1190
+#: parser_yacc.y:1298 parser_yacc.y:1376 parser_yacc.y:1479 parser_yacc.y:1490
+#: parser_yacc.y:1565 parser_yacc.y:1583 parser_yacc.y:1590 parser_yacc.y:1639
+#: ../network.c:314 ../af_unix.cc:203
 msgid "Memory allocation error."
 msgstr ""
 
-#: ../parser_main.c:740 ../parser_main.c:872
+#: ../parser_main.c:740 ../parser_main.c:872 ../parser_main.c:757
 #, c-format
 msgid "Cached load succeeded for \"%s\".\n"
 msgstr ""
 
-#: ../parser_main.c:744 ../parser_main.c:876
+#: ../parser_main.c:744 ../parser_main.c:876 ../parser_main.c:761
 #, c-format
 msgid "Cached reload succeeded for \"%s\".\n"
 msgstr ""
 
-#: ../parser_main.c:910 ../parser_main.c:1058
+#: ../parser_main.c:910 ../parser_main.c:1058 ../parser_main.c:967
 #, c-format
 msgid "%s: Errors found in file. Aborting.\n"
 msgstr ""
 
-#: ../parser_misc.c:426 ../parser_misc.c:597
+#: ../parser_misc.c:426 ../parser_misc.c:597 ../parser_misc.c:339
 msgid ""
 "Uppercase qualifiers \"RWLIMX\" are deprecated, please convert to lowercase\n"
 "See the apparmor.d(5) manpage for details.\n"
 msgstr ""
 
 #: ../parser_misc.c:467 ../parser_misc.c:474 ../parser_misc.c:638
-#: ../parser_misc.c:645
+#: ../parser_misc.c:645 ../parser_misc.c:380 ../parser_misc.c:387
 msgid "Conflict 'a' and 'w' perms are mutually exclusive."
 msgstr ""
 
-#: ../parser_misc.c:491 ../parser_misc.c:662
+#: ../parser_misc.c:491 ../parser_misc.c:662 ../parser_misc.c:404
 msgid "Exec qualifier 'i' invalid, conflicting qualifier already specified"
 msgstr ""
 
-#: ../parser_misc.c:502 ../parser_misc.c:673
+#: ../parser_misc.c:502 ../parser_misc.c:673 ../parser_misc.c:415
 #, c-format
 msgid ""
 "Unconfined exec qualifier (%c%c) allows some dangerous environment variables "
@@ -307,24 +329,24 @@ msgid ""
 msgstr ""
 
 #: ../parser_misc.c:510 ../parser_misc.c:551 ../parser_misc.c:681
-#: ../parser_misc.c:722
+#: ../parser_misc.c:722 ../parser_misc.c:423 ../parser_misc.c:464
 #, c-format
 msgid "Exec qualifier '%c' invalid, conflicting qualifier already specified"
 msgstr ""
 
 #: ../parser_misc.c:537 ../parser_misc.c:545 ../parser_misc.c:708
-#: ../parser_misc.c:716
+#: ../parser_misc.c:716 ../parser_misc.c:450 ../parser_misc.c:458
 #, c-format
 msgid ""
 "Exec qualifier '%c%c' invalid, conflicting qualifier already specified"
 msgstr ""
 
-#: ../parser_misc.c:593 ../parser_misc.c:764
+#: ../parser_misc.c:593 ../parser_misc.c:764 ../parser_misc.c:506
 #, c-format
 msgid "Internal: unexpected mode character '%c' in input"
 msgstr ""
 
-#: ../parser_misc.c:615 ../parser_misc.c:786
+#: ../parser_misc.c:615 ../parser_misc.c:786 ../parser_misc.c:528
 #, c-format
 msgid "Internal error generated invalid perm 0x%llx\n"
 msgstr ""
@@ -335,131 +357,133 @@ msgstr ""
 msgid "AppArmor parser error: %s\n"
 msgstr ""
 
-#: ../parser_merge.c:92 ../parser_merge.c:91
+#: ../parser_merge.c:92 ../parser_merge.c:91 ../parser_merge.c:83
 msgid "Couldn't merge entries. Out of Memory\n"
 msgstr ""
 
-#: ../parser_merge.c:111 ../parser_merge.c:113
+#: ../parser_merge.c:111 ../parser_merge.c:113 ../parser_merge.c:105
 #, c-format
 msgid "profile %s: has merged rule %s with conflicting x modifiers\n"
 msgstr ""
 
-#: parser_yacc.y:236 parser_yacc.y:277
+#: parser_yacc.y:236 parser_yacc.y:277 parser_yacc.y:320
 msgid "Profile attachment must begin with a '/'."
 msgstr ""
 
-#: parser_yacc.y:260 parser_yacc.y:302
+#: parser_yacc.y:260 parser_yacc.y:302 parser_yacc.y:348
 msgid ""
 "Profile names must begin with a '/', namespace or keyword 'profile' or 'hat'."
 msgstr ""
 
-#: parser_yacc.y:296 parser_yacc.y:338
+#: parser_yacc.y:296 parser_yacc.y:338 parser_yacc.y:384
 #, c-format
 msgid "Failed to create alias %s -> %s\n"
 msgstr ""
 
-#: parser_yacc.y:417 parser_yacc.y:460
+#: parser_yacc.y:417 parser_yacc.y:460 parser_yacc.y:506
 msgid "Profile flag chroot_relative conflicts with namespace_relative"
 msgstr ""
 
-#: parser_yacc.y:421 parser_yacc.y:464
+#: parser_yacc.y:421 parser_yacc.y:464 parser_yacc.y:510
 msgid "Profile flag mediate_deleted conflicts with delegate_deleted"
 msgstr ""
 
-#: parser_yacc.y:424 parser_yacc.y:467
+#: parser_yacc.y:424 parser_yacc.y:467 parser_yacc.y:513
 msgid ""
 "Profile flag attach_disconnected conflicts with no_attach_disconnected"
 msgstr ""
 
-#: parser_yacc.y:427 parser_yacc.y:470
+#: parser_yacc.y:427 parser_yacc.y:470 parser_yacc.y:516
 msgid "Profile flag chroot_attach conflicts with chroot_no_attach"
 msgstr ""
 
-#: parser_yacc.y:441 parser_yacc.y:484
+#: parser_yacc.y:441 parser_yacc.y:484 parser_yacc.y:530
 msgid "Profile flag 'debug' is no longer valid."
 msgstr ""
 
-#: parser_yacc.y:463 parser_yacc.y:506
+#: parser_yacc.y:463 parser_yacc.y:506 parser_yacc.y:552
 #, c-format
 msgid "Invalid profile flag: %s."
 msgstr ""
 
-#: parser_yacc.y:498 parser_yacc.y:520 parser_yacc.y:548
+#: parser_yacc.y:498 parser_yacc.y:520 parser_yacc.y:548 parser_yacc.y:594
 msgid "Assert: `rule' returned NULL."
 msgstr ""
 
 #: parser_yacc.y:501 parser_yacc.y:546 parser_yacc.y:552 parser_yacc.y:584
+#: parser_yacc.y:598 parser_yacc.y:630
 msgid ""
 "Invalid mode, in deny rules 'x' must not be preceded by exec qualifier 'i', "
 "'p', or 'u'"
 msgstr ""
 
-#: parser_yacc.y:524 parser_yacc.y:556
+#: parser_yacc.y:524 parser_yacc.y:556 parser_yacc.y:602
 msgid ""
 "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', 'c', or 'u'"
 msgstr ""
 
-#: parser_yacc.y:549 parser_yacc.y:587
+#: parser_yacc.y:549 parser_yacc.y:587 parser_yacc.y:633
 msgid "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'"
 msgstr ""
 
-#: parser_yacc.y:574 parser_yacc.y:612 parser_yacc.y:614
+#: parser_yacc.y:574 parser_yacc.y:612 parser_yacc.y:614 parser_yacc.y:660
 msgid "Assert: `network_rule' return invalid protocol."
 msgstr ""
 
-#: parser_yacc.y:649 parser_yacc.y:696
+#: parser_yacc.y:649 parser_yacc.y:696 parser_yacc.y:786
 msgid "Assert: `change_profile' returned NULL."
 msgstr ""
 
-#: parser_yacc.y:680 parser_yacc.y:720
+#: parser_yacc.y:680 parser_yacc.y:720 parser_yacc.y:810
 msgid "Assert: 'hat rule' returned NULL."
 msgstr ""
 
-#: parser_yacc.y:689 parser_yacc.y:729
+#: parser_yacc.y:689 parser_yacc.y:729 parser_yacc.y:819
 msgid "Assert: 'local_profile rule' returned NULL."
 msgstr ""
 
-#: parser_yacc.y:824 parser_yacc.y:885
+#: parser_yacc.y:824 parser_yacc.y:885 parser_yacc.y:992
 #, c-format
 msgid "Unset boolean variable %s used in if-expression"
 msgstr ""
 
-#: parser_yacc.y:882 parser_yacc.y:986
+#: parser_yacc.y:882 parser_yacc.y:986 parser_yacc.y:1092
 msgid "unsafe rule missing exec permissions"
 msgstr ""
 
-#: parser_yacc.y:901 parser_yacc.y:954
+#: parser_yacc.y:901 parser_yacc.y:954 parser_yacc.y:1060
 msgid "subset can only be used with link rules."
 msgstr ""
 
-#: parser_yacc.y:903 parser_yacc.y:956
+#: parser_yacc.y:903 parser_yacc.y:956 parser_yacc.y:1062
 msgid "link and exec perms conflict on a file rule using ->"
 msgstr ""
 
-#: parser_yacc.y:905 parser_yacc.y:958
+#: parser_yacc.y:905 parser_yacc.y:958 parser_yacc.y:1064
 msgid "link perms are not allowed on a named profile transition.\n"
 msgstr ""
 
-#: parser_yacc.y:921 parser_yacc.y:1003
+#: parser_yacc.y:921 parser_yacc.y:1003 parser_yacc.y:1109
 #, c-format
 msgid "missing an end of line character? (entry: %s)"
 msgstr ""
 
 #: parser_yacc.y:975 parser_yacc.y:985 parser_yacc.y:1057 parser_yacc.y:1067
+#: parser_yacc.y:1145 parser_yacc.y:1155
 msgid "Invalid network entry."
 msgstr ""
 
-#: parser_yacc.y:1039 parser_yacc.y:1048 parser_yacc.y:1254
+#: parser_yacc.y:1039 parser_yacc.y:1048 parser_yacc.y:1254 parser_yacc.y:1510
 #, c-format
 msgid "Invalid capability %s."
 msgstr ""
 
-#: parser_yacc.y:1066 parser_yacc.y:1269
+#: parser_yacc.y:1066 parser_yacc.y:1269 parser_yacc.y:1525
 #, c-format
 msgid "AppArmor parser error for %s%s%s at line %d: %s\n"
 msgstr ""
 
-#: parser_yacc.y:1072 parser_yacc.y:1275
+#: parser_yacc.y:1072 parser_yacc.y:1275 parser_yacc.y:1531
 #, c-format
 msgid "AppArmor parser error,%s%s line %d: %s\n"
 msgstr ""
@@ -469,18 +493,18 @@ msgstr ""
 msgid "%s: Illegal open {, nesting groupings not allowed\n"
 msgstr ""
 
-#: ../parser_regex.c:265 ../parser_regex.c:274
+#: ../parser_regex.c:265 ../parser_regex.c:274 ../parser_regex.c:278
 #, c-format
 msgid "%s: Regex grouping error: Invalid number of items between {}\n"
 msgstr ""
 
-#: ../parser_regex.c:271 ../parser_regex.c:280
+#: ../parser_regex.c:271 ../parser_regex.c:280 ../parser_regex.c:284
 #, c-format
 msgid ""
 "%s: Regex grouping error: Invalid close }, no matching open { detected\n"
 msgstr ""
 
-#: ../parser_regex.c:337 ../parser_regex.c:343
+#: ../parser_regex.c:337 ../parser_regex.c:343 ../parser_regex.c:361
 #, c-format
 msgid ""
 "%s: Regex grouping error: Unclosed grouping or character class, expecting "
@@ -492,17 +516,17 @@ msgstr ""
 msgid "%s: Internal buffer overflow detected, %d characters exceeded\n"
 msgstr ""
 
-#: ../parser_regex.c:355 ../parser_regex.c:361
+#: ../parser_regex.c:355 ../parser_regex.c:361 ../parser_regex.c:377
 #, c-format
 msgid "%s: Unable to parse input line '%s'\n"
 msgstr ""
 
-#: ../parser_regex.c:397 ../parser_regex.c:405
+#: ../parser_regex.c:397 ../parser_regex.c:405 ../parser_regex.c:421
 #, c-format
 msgid "%s: Invalid profile name '%s' - bad regular expression\n"
 msgstr ""
 
-#: ../parser_policy.c:202 ../parser_policy.c:402
+#: ../parser_policy.c:202 ../parser_policy.c:402 ../parser_policy.c:375
 #, c-format
 msgid "ERROR merging rules for profile %s, failed to load\n"
 msgstr ""
@@ -515,17 +539,17 @@ msgid ""
 "\t'**' may only be used at the end of a rule.\n"
 msgstr ""
 
-#: ../parser_policy.c:279 ../parser_policy.c:359
+#: ../parser_policy.c:279 ../parser_policy.c:359 ../parser_policy.c:332
 #, c-format
 msgid "ERROR processing regexs for profile %s, failed to load\n"
 msgstr ""
 
-#: ../parser_policy.c:306 ../parser_policy.c:389
+#: ../parser_policy.c:306 ../parser_policy.c:389 ../parser_policy.c:362
 #, c-format
 msgid "ERROR expanding variables for profile %s, failed to load\n"
 msgstr ""
 
-#: ../parser_policy.c:390 ../parser_policy.c:382
+#: ../parser_policy.c:390 ../parser_policy.c:382 ../parser_policy.c:355
 #, c-format
 msgid "ERROR adding hat access rule for profile %s\n"
 msgstr ""
@@ -555,30 +579,31 @@ msgstr ""
 msgid "%s: Errors found in combining rules postprocessing. Aborting.\n"
 msgstr ""
 
-#: parser_lex.l:180
+#: parser_lex.l:180 parser_lex.l:186
 #, c-format
 msgid "Could not process include directory '%s' in '%s'"
 msgstr ""
 
-#: ../parser_main.c:660
+#: ../parser_main.c:660 ../parser_main.c:523
 msgid "Feature buffer full."
 msgstr ""
 
-#: ../parser_main.c:1115 ../parser_main.c:1132
+#: ../parser_main.c:1115 ../parser_main.c:1132 ../parser_main.c:1024
+#: ../parser_main.c:1041
 msgid "Out of memory"
 msgstr ""
 
-#: ../parser_main.c:1182
+#: ../parser_main.c:1182 ../parser_main.c:1091
 #, c-format
 msgid "Can't create cache directory: %s\n"
 msgstr ""
 
-#: ../parser_main.c:1185
+#: ../parser_main.c:1185 ../parser_main.c:1094
 #, c-format
 msgid "File in cache directory location: %s\n"
 msgstr ""
 
-#: ../parser_main.c:1188
+#: ../parser_main.c:1188 ../parser_main.c:1097
 #, c-format
 msgid "Can't update cache directory: %s\n"
 msgstr ""
@@ -593,11 +618,11 @@ msgstr ""
 msgid "Internal error generated invalid DBus perm 0x%x\n"
 msgstr ""
 
-#: parser_yacc.y:575
+#: parser_yacc.y:575 parser_yacc.y:621
 msgid "deny prefix not allowed"
 msgstr ""
 
-#: parser_yacc.y:612
+#: parser_yacc.y:612 parser_yacc.y:658
 msgid "owner prefix not allowed"
 msgstr ""
 
@@ -613,41 +638,41 @@ msgstr ""
 msgid "owner prefix not allow on capability rules"
 msgstr ""
 
-#: parser_yacc.y:1357
+#: parser_yacc.y:1357 parser_yacc.y:1613
 #, c-format
 msgid "invalid mount conditional %s%s"
 msgstr ""
 
-#: parser_yacc.y:1374
+#: parser_yacc.y:1374 parser_yacc.y:1628
 msgid "bad mount rule"
 msgstr ""
 
-#: parser_yacc.y:1381
+#: parser_yacc.y:1381 parser_yacc.y:1635
 msgid "mount point conditions not currently supported"
 msgstr ""
 
-#: parser_yacc.y:1398
+#: parser_yacc.y:1398 parser_yacc.y:1650
 #, c-format
 msgid "invalid pivotroot conditional '%s'"
 msgstr ""
 
-#: ../parser_regex.c:241
+#: ../parser_regex.c:241 ../parser_regex.c:236
 #, c-format
 msgid ""
 "%s: Regex grouping error: Invalid close ], no matching open [ detected\n"
 msgstr ""
 
-#: ../parser_regex.c:257
+#: ../parser_regex.c:257 ../parser_regex.c:256
 #, c-format
 msgid "%s: Regex grouping error: Exceeded maximum nesting of {}\n"
 msgstr ""
 
-#: ../parser_policy.c:366
+#: ../parser_policy.c:366 ../parser_policy.c:339
 #, c-format
 msgid "ERROR processing policydb rules for profile %s, failed to load\n"
 msgstr ""
 
-#: ../parser_policy.c:396
+#: ../parser_policy.c:396 ../parser_policy.c:369
 #, c-format
 msgid "ERROR replacing aliases for profile %s, failed to load\n"
 msgstr ""