Prepare for AppArmor 2.13.9 release

- update version file

Signed-off-by: John Johansen <john.johansen@canonical.com>

common/Version

@@ -1 +1 @@
-2.13.7
+2.13.9

libraries/libapparmor/src/Makefile.am

@@ -27,7 +27,7 @@ INCLUDES = $(all_includes)
 # http://www.gnu.org/software/libtool/manual/html_node/Libtool-versioning.html
 #
 AA_LIB_CURRENT = 7
-AA_LIB_REVISION = 3
+AA_LIB_REVISION = 4
 AA_LIB_AGE = 6
 
 SUFFIXES = .pc.in .pc

libraries/libapparmor/src/scanner.l

@@ -161,6 +161,7 @@ key_dest		"dest"
 key_path		"path"
 key_interface		"interface"
 key_member		"member"
+key_method		"method"
 key_signal		"signal"
 key_peer		"peer"
 key_fstype		"fstype"
@@ -345,6 +346,7 @@ yy_flex_debug = 0;
 {key_path}		{ return(TOK_KEY_PATH); }
 {key_interface}		{ return(TOK_KEY_INTERFACE); }
 {key_member}		{ return(TOK_KEY_MEMBER); }
+{key_method}		{ return(TOK_KEY_MEMBER); }
 {key_signal}		{ BEGIN(sub_id); return(TOK_KEY_SIGNAL); }
 {key_peer}		{ BEGIN(safe_string); return(TOK_KEY_PEER); }
 {key_fstype}		{ return(TOK_KEY_FSTYPE); }

libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.in

@@ -0,0 +1 @@
+Dec 15 17:32:17 kinetic kernel: [4835959.046111] audit: type=1107 audit(1671125537.724:209): pid=7308 uid=0 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" method="Hello" mask="send" label="/tmp/apparmor/tests/regression/apparmor/dbus_message" peer_label="unconfined" exe="/usr/local/bin/dbus-broker" sauid=0 hostname=? addr=? terminal=?'

libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.out

@@ -0,0 +1,15 @@
+START
+File: testcase_dbus_11.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1671125537.724:209
+Operation: dbus_method_call
+Denied Mask: send
+Profile: /tmp/apparmor/tests/regression/apparmor/dbus_message
+Peer profile: unconfined
+Command: /usr/local/bin/dbus-broker
+DBus bus: session
+DBus path: /org/freedesktop/DBus
+DBus interface: org.freedesktop.DBus
+DBus member: Hello
+Epoch: 1671125537
+Audit subid: 209

libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.profile

@@ -0,0 +1,4 @@
+/tmp/apparmor/tests/regression/apparmor/dbus_message {
+  dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(label=unconfined),
+
+}

parser/af_unix.cc

@@ -105,8 +105,7 @@ unix_rule::unix_rule(unsigned int type_p, bool audit_p, bool denied):
 
 unix_rule::unix_rule(int mode_p, struct cond_entry *conds,
 		     struct cond_entry *peer_conds):
-	af_rule("unix"), addr(NULL), peer_addr(NULL),
-	audit(0), deny(0)
+	af_rule("unix"), addr(NULL), peer_addr(NULL)
 {
 	move_conditionals(conds);
 	move_peer_conditionals(peer_conds);
@@ -130,7 +129,7 @@ ostream &unix_rule::dump_local(ostream &os)
 {
 	af_rule::dump_local(os);
 	if (addr)
-		os << "addr='" << addr << "'";
+		os << " addr='" << addr << "'";
 	return os;
 }
 
@@ -138,7 +137,7 @@ ostream &unix_rule::dump_peer(ostream &os)
 {
 	af_rule::dump_peer(os);
 	if (peer_addr)
-		os << "addr='" << peer_addr << "'";
+		os << " addr='" << peer_addr << "'";
 	return os;
 }
 

parser/af_unix.h

@@ -36,9 +36,6 @@ class unix_rule: public af_rule {
 public:
 	char *addr;
 	char *peer_addr;
-	int mode;
-	int audit;
-	bool deny;
 
 	unix_rule(unsigned int type_p, bool audit_p, bool denied);
 	unix_rule(int mode, struct cond_entry *conds,

parser/apparmor.d.pod

@@ -135,7 +135,7 @@ B<MOUNT FLAGS EXPRESSION> = ( I<MOUNT FLAGS LIST> | I<MOUNT EXPRESSION> )
 
 B<MOUNT FLAGS LIST> = Comma separated list of I<MOUNT FLAGS>.
 
-B<MOUNT FLAGS> = ( 'ro' | 'rw' | 'nosuid' | 'suid' | 'nodev' | 'dev' | 'noexec' | 'exec' | 'sync' | 'async' | 'remount' | 'mand' | 'nomand' | 'dirsync' | 'noatime' | 'atime' | 'nodiratime' | 'diratime' | 'bind' | 'rbind' | 'move' | 'verbose' | 'silent' | 'loud' | 'acl' | 'noacl' | 'unbindable' | 'runbindable' | 'private' | 'rprivate' | 'slave' | 'rslave' | 'shared' | 'rshared' | 'relatime' | 'norelatime' | 'iversion' | 'noiversion' | 'strictatime' | 'nouser' | 'user' )
+B<MOUNT FLAGS> = ( 'ro' | 'rw' | 'nosuid' | 'suid' | 'nodev' | 'dev' | 'noexec' | 'exec' | 'sync' | 'async' | 'remount' | 'mand' | 'nomand' | 'dirsync' | 'noatime' | 'atime' | 'nodiratime' | 'diratime' | 'bind' | 'rbind' | 'move' | 'verbose' | 'silent' | 'loud' | 'acl' | 'noacl' | 'unbindable' | 'runbindable' | 'private' | 'rprivate' | 'slave' | 'rslave' | 'shared' | 'rshared' | 'relatime' | 'norelatime' | 'iversion' | 'noiversion' | 'strictatime' | 'nostrictatime' | 'lazytime' | 'nolazytime' | 'nouser' | 'user' | 'symfollow' | 'nosymfollow' )
 
 B<MOUNT EXPRESSION> = ( I<ALPHANUMERIC> | I<AARE> ) ...
 

parser/mount.cc

@@ -98,6 +98,9 @@
  *	nomand
  * #define MS_DIRSYNC	128		Directory modifications are synchronous
  *	dirsync
+ * #define MS_NOSYMFOLLOW	256 	Do not follow symlinks
+ *	symfollow
+ *	nosymfollow
  * #define MS_NOATIME	1024		Do not update access times
  *	noatime
  *	atime
@@ -139,6 +142,9 @@
  * #define MS_STRICTATIME	(1<<24)	Always perform atime updates
  *	strictatime
  *	nostrictatime
+ * #define MS_LAZYTIME (1<<25)	Update the on-disk [acm]times lazily
+ *	lazytime
+ *	nolazytime
  * #define MS_NOSEC	(1<<28)
  * #define MS_BORN		(1<<29)
  * #define MS_ACTIVE	(1<<30)
@@ -247,6 +253,8 @@ static struct mnt_keyword_table mnt_opts_table[] = {
 	{"mand",		MS_MAND, 0},
 	{"nomand",		0, MS_MAND},
 	{"dirsync",		MS_DIRSYNC, 0},
+	{"symfollow",		0, MS_NOSYMFOLLOW},
+	{"nosymfollow",		MS_NOSYMFOLLOW, 0},
 	{"atime",		0, MS_NOATIME},
 	{"noatime",		MS_NOATIME, 0},
 	{"diratime",		0, MS_NODIRATIME},
@@ -284,6 +292,9 @@ static struct mnt_keyword_table mnt_opts_table[] = {
 	{"iversion",		MS_IVERSION, 0},
 	{"noiversion",		0, MS_IVERSION},
 	{"strictatime",		MS_STRICTATIME, 0},
+	{"nostrictatime",	0, MS_STRICTATIME},
+	{"lazytime",		MS_LAZYTIME, 0},
+	{"nolazytime",		0, MS_LAZYTIME},
 	{"user",		0, (unsigned int) MS_NOUSER},
 	{"nouser",		(unsigned int) MS_NOUSER, 0},
 
@@ -299,6 +310,22 @@ static struct mnt_keyword_table mnt_conds_table[] = {
 	{NULL, 0, 0}
 };
 
+static ostream &dump_flags(ostream &os,
+			    pair <unsigned int, unsigned int> flags)
+{
+	for (int i = 0; mnt_opts_table[i].keyword; i++) {
+		if ((flags.first & mnt_opts_table[i].set) ||
+		    (flags.second & mnt_opts_table[i].clear))
+			os << mnt_opts_table[i].keyword;
+	}
+	return os;
+}
+
+ostream &operator<<(ostream &os, pair<unsigned int, unsigned int> flags)
+{
+	return dump_flags(os, flags);
+}
+
 static int find_mnt_keyword(struct mnt_keyword_table *table, const char *name)
 {
 	int i;
@@ -321,7 +348,7 @@ int is_valid_mnt_cond(const char *name, int src)
 
 static unsigned int extract_flags(struct value_list **list, unsigned int *inv)
 {
-	unsigned int flags = 0;
+	unsigned int flags = 0, invflags = 0;
 	*inv = 0;
 
 	struct value_list *entry, *tmp, *prev = NULL;
@@ -330,11 +357,11 @@ static unsigned int extract_flags(struct value_list **list, unsigned int *inv)
 		i = find_mnt_keyword(mnt_opts_table, entry->value);
 		if (i != -1) {
 			flags |= mnt_opts_table[i].set;
-			*inv |= mnt_opts_table[i].clear;
+			invflags |= mnt_opts_table[i].clear;
 			PDEBUG(" extracting mount flag %s req: 0x%x inv: 0x%x"
 			       " => req: 0x%x inv: 0x%x\n",
 			       entry->value, mnt_opts_table[i].set,
-			       mnt_opts_table[i].clear, flags, *inv);
+			       mnt_opts_table[i].clear, flags, invflags);
 			if (prev)
 				prev->next = tmp;
 			if (entry == *list)
@@ -345,9 +372,27 @@ static unsigned int extract_flags(struct value_list **list, unsigned int *inv)
 			prev = entry;
 	}
 
+	if (inv)
+		*inv = invflags;
+
 	return flags;
 }
 
+static bool conflicting_flags(unsigned int flags, unsigned int inv)
+{
+	if (flags & inv) {
+		for (int i = 0; i < 31; i++) {
+			unsigned int mask = 1 << i;
+			if ((flags & inv) & mask) {
+				cerr << "conflicting flag values = "
+				     << flags << ", " << inv << "\n";
+			}
+		}
+		return true;
+	}
+	return false;
+}
+
 static struct value_list *extract_fstype(struct cond_entry **conds)
 {
 	struct value_list *list = NULL;
@@ -370,22 +415,19 @@ static struct value_list *extract_fstype(struct cond_entry **conds)
 	return list;
 }
 
-static struct value_list *extract_options(struct cond_entry **conds, int eq)
+static struct cond_entry *extract_options(struct cond_entry **conds, int eq)
 {
-	struct value_list *list = NULL;
-
-	struct cond_entry *entry, *tmp, *prev = NULL;
+	struct cond_entry *list = NULL, *entry, *tmp, *prev = NULL;
 
 	list_for_each_safe(*conds, entry, tmp) {
 		if ((strcmp(entry->name, "options") == 0 ||
 		     strcmp(entry->name, "option") == 0) &&
 		    entry->eq == eq) {
 			list_remove_at(*conds, prev, entry);
-			PDEBUG("  extracting option %s\n", entry->name);
-			list_append(entry->vals, list);
-			list = entry->vals;
-			entry->vals = NULL;
-			free_cond_entry(entry);
+			PDEBUG("  extracting %s %s\n", entry->name, entry->eq ? 
+"=" : "in");
+			list_append(entry, list);
+			list = entry;
 		} else
 			prev = entry;
 	}
@@ -393,60 +435,129 @@ static struct value_list *extract_options(struct cond_entry **conds, int eq)
 	return list;
 }
 
+static void perror_conds(const char *rule, struct cond_entry *conds)
+{
+	struct cond_entry *entry;
+
+	list_for_each(conds, entry) {
+		PERROR(  "unsupported %s condition '%s%s(...)'\n", rule, entry->name, entry->eq ? "=" : " in ");
+	}
+}
+
+static void perror_vals(const char *rule, struct value_list *vals)
+{
+	struct value_list *entry;
+
+	list_for_each(vals, entry) {
+		PERROR(  "unsupported %s value '%s'\n", rule, entry->value);
+	}
+}
+
+static void process_one_option(struct cond_entry *&opts, unsigned int &flags,
+			       unsigned int &inv_flags)
+{
+	struct cond_entry *entry;
+	struct value_list *vals;
+
+	entry = list_pop(opts);
+	vals = entry->vals;
+	entry->vals = NULL;
+	/* fail if there are any unknown optional flags */
+	if (opts) {
+		PERROR("  unsupported multiple 'mount options %s(...)'\n", entry->eq ? "=" : " in ");
+		exit(1);
+	}
+	free_cond_entry(entry);
+
+	flags = extract_flags(&vals, &inv_flags);
+	if (vals) {
+		perror_vals("mount option", vals);
+		exit(1);
+	}
+}
+
 mnt_rule::mnt_rule(struct cond_entry *src_conds, char *device_p,
 		   struct cond_entry *dst_conds unused, char *mnt_point_p,
 		   int allow_p):
 	mnt_point(mnt_point_p), device(device_p), trans(NULL), opts(NULL),
-	flags(0), inv_flags(0), audit(0), deny(0)
+	flagsv(0), opt_flagsv(0), audit(0), deny(0)
 {
 	/* FIXME: dst_conds are ignored atm */
 	dev_type = extract_fstype(&src_conds);
 
 	if (src_conds) {
-		struct value_list *list = extract_options(&src_conds, 0);
+		/* move options in () to local list */
+		struct cond_entry *opts_in = extract_options(&src_conds, 0);
 
-		opts = extract_options(&src_conds, 1);
-		if (opts)
-			flags = extract_flags(&opts, &inv_flags);
+		if (opts_in) {
+			unsigned int tmpflags = 0, tmpinv_flags = 0;
+			struct cond_entry *entry;
 
-		if (list) {
-			unsigned int tmpflags, tmpinv_flags = 0;
-
-			tmpflags = extract_flags(&list, &tmpinv_flags);
-			/* these flags are optional so set both */
-			tmpflags |= tmpinv_flags;
-			tmpinv_flags |= tmpflags;
-
-			flags |= tmpflags;
-			inv_flags |= tmpinv_flags;
-
-			if (opts)
-				list_append(opts, list);
-			else if (list)
-				opts = list;
+			while ((entry = list_pop(opts_in))) {
+				process_one_option(entry, tmpflags,
+						   tmpinv_flags);
+				/* optional flags if set/clear mean the same
+				 * thing and can be represented by a single
+				 * bitset, also there is no need to check for
+				 * conflicting flags when they are optional
+				 */
+				opt_flagsv.push_back(tmpflags | tmpinv_flags);
+			}
 		}
+
+		/* move options=() to opts list */
+		struct cond_entry *opts_eq = extract_options(&src_conds, 1);
+		if (opts_eq) {
+			unsigned int tmpflags = 0, tmpinv_flags = 0;
+			struct cond_entry *entry;
+
+			while ((entry = list_pop(opts_eq))) {
+				process_one_option(entry, tmpflags,
+						   tmpinv_flags);
+				/* throw away tmpinv_flags, only needed in
+				 * consistancy check
+				 */
+				if (allow_p & AA_DUMMY_REMOUNT)
+					tmpflags |= MS_REMOUNT;
+
+				if (conflicting_flags(tmpflags, tmpinv_flags)) {
+					PERROR("conflicting flags in the rule\n");
+					exit(1);
+				}
+
+				flagsv.push_back(tmpflags);
+			}
+		}
+
+		if (src_conds) {
+			perror_conds("mount", src_conds);
+			exit(1);
+		}
+	}
+
+	if (!(flagsv.size() + opt_flagsv.size())) {
+		/* no flag options, and not remount, allow everything */
+		if (allow_p & AA_DUMMY_REMOUNT) {
+			flagsv.push_back(MS_REMOUNT);
+			opt_flagsv.push_back(MS_REMOUNT_FLAGS & ~MS_REMOUNT);
+		} else {
+			flagsv.push_back(MS_ALL_FLAGS);
+			opt_flagsv.push_back(MS_ALL_FLAGS);
+		}
+	} else if (!(flagsv.size())) {
+		/* no flags but opts set */
+		if (allow_p & AA_DUMMY_REMOUNT)
+			flagsv.push_back(MS_REMOUNT);
+		else
+			flagsv.push_back(0);
+	} else if (!(opt_flagsv.size())) {
+		opt_flagsv.push_back(0);
 	}
 
 	if (allow_p & AA_DUMMY_REMOUNT) {
 		allow_p = AA_MAY_MOUNT;
-		flags |= MS_REMOUNT;
-		inv_flags = 0;
-	} else if (!(flags | inv_flags)) {
-		/* no flag options, and not remount, allow everything */
-		flags = MS_ALL_FLAGS;
-		inv_flags = MS_ALL_FLAGS;
 	}
-
 	allow = allow_p;
-
-	if (src_conds) {
-		PERROR("  unsupported mount conditions\n");
-		exit(1);
-	}
-	if (opts) {
-		PERROR("  unsupported mount options\n");
-		exit(1);
-	}
 }
 
 ostream &mnt_rule::dump(ostream &os)
@@ -460,7 +571,11 @@ ostream &mnt_rule::dump(ostream &os)
 	else
 		os << "error: unknonwn mount perm";
 
-	os << " (0x" << hex << flags << " - 0x" << inv_flags << ") ";
+	for (unsigned int i = 0; i < flagsv.size(); i++)
+		os << " flags=(0x" << hex << flagsv[i] << ")";
+	for (unsigned int i = 0; i < opt_flagsv.size(); i++)
+		os << " flags in (0x" << hex << opt_flagsv[i] << ")";
+
 	if (dev_type) {
 		os << " type=";
 		print_value_list(dev_type);
@@ -516,7 +631,7 @@ int mnt_rule::expand_variables(void)
 }
 
 static int build_mnt_flags(char *buffer, int size, unsigned int flags,
-			   unsigned int inv_flags)
+			   unsigned int opt_flags)
 {
 	char *p = buffer;
 	int i, len = 0;
@@ -529,7 +644,7 @@ static int build_mnt_flags(char *buffer, int size, unsigned int flags,
 		return TRUE;
 	}
 	for (i = 0; i <= 31; ++i) {
-		if ((flags & inv_flags) & (1 << i))
+		if ((opt_flags) & (1 << i))
 			len = snprintf(p, size, "(\\x%02x|)", i + 1);
 		else if (flags & (1 << i))
 			len = snprintf(p, size, "\\x%02x", i + 1);
@@ -595,7 +710,9 @@ static void warn_once(const char *name)
 	}
 }
 
-int mnt_rule::gen_policy_re(Profile &prof)
+
+int mnt_rule::gen_policy_remount(Profile &prof, int &count,
+				 unsigned int flags, unsigned int opt_flags)
 {
 	std::string mntbuf;
 	std::string devbuf;
@@ -604,215 +721,332 @@ int mnt_rule::gen_policy_re(Profile &prof)
 	std::string optsbuf;
 	char class_mount_hdr[64];
 	const char *vec[5];
-	int count = 0;
-	unsigned int tmpflags, tmpinv_flags;
+	int tmpallow;
 
-	if (!kernel_supports_mount) {
-		warn_once(prof.name);
-		return RULE_NOT_SUPPORTED;
+	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
+
+	/* remount can't be conditional on device and type */
+	/* rule class single byte header */
+	mntbuf.assign(class_mount_hdr);
+	if (mnt_point) {
+		/* both device && mnt_point or just mnt_point */
+		if (!convert_entry(mntbuf, mnt_point))
+			goto fail;
+		vec[0] = mntbuf.c_str();
+	} else {
+		if (!convert_entry(mntbuf, device))
+			goto fail;
+		vec[0] = mntbuf.c_str();
 	}
+	/* skip device */
+	vec[1] = default_match_pattern;
+	/* skip type */
+	vec[2] = default_match_pattern;
+
+	if (!build_mnt_flags(flagsbuf, PATH_MAX, flags & MS_REMOUNT_FLAGS,
+			     opt_flags & MS_REMOUNT_FLAGS))
+		goto fail;
+
+	vec[3] = flagsbuf;
+
+	if (opts)
+		tmpallow = AA_MATCH_CONT;
+	else
+		tmpallow = allow;
+
+	/* rule for match without required data || data MATCH_CONT */
+	if (!prof.policy.rules->add_rule_vec(deny, tmpallow,
+					     audit | AA_AUDIT_MNT_DATA, 4,
+					     vec, dfaflags))
+		goto fail;
+	count++;
+
+	if (opts) {
+		/* rule with data match required */
+		optsbuf.clear();
+		if (!build_mnt_opts(optsbuf, opts))
+			goto fail;
+		vec[4] = optsbuf.c_str();
+		if (!prof.policy.rules->add_rule_vec(deny, allow,
+						     audit | AA_AUDIT_MNT_DATA,
+						     5, vec, dfaflags))
+			goto fail;
+		count++;
+	}
+
+	return RULE_OK;
+
+fail:
+	return RULE_ERROR;
+}
+
+int mnt_rule::gen_policy_bind_mount(Profile &prof, int &count,
+				    unsigned int flags, unsigned int opt_flags)
+{
+	std::string mntbuf;
+	std::string devbuf;
+	std::string typebuf;
+	char flagsbuf[PATH_MAX + 3];
+	std::string optsbuf;
+	char class_mount_hdr[64];
+	const char *vec[5];
+
+	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
+
+	/* bind mount rules can't be conditional on dev_type or data */
+	/* rule class single byte header */
+	mntbuf.assign(class_mount_hdr);
+	if (!convert_entry(mntbuf, mnt_point))
+		goto fail;
+	vec[0] = mntbuf.c_str();
+	if (!clear_and_convert_entry(devbuf, device))
+		goto fail;
+	vec[1] = devbuf.c_str();
+	/* skip type */
+	vec[2] = default_match_pattern;
+
+	if (!build_mnt_flags(flagsbuf, PATH_MAX, flags & MS_BIND_FLAGS,
+			     opt_flags & MS_BIND_FLAGS))
+		goto fail;
+	vec[3] = flagsbuf;
+	if (!prof.policy.rules->add_rule_vec(deny, allow, audit, 4, vec,
+					     dfaflags))
+		goto fail;
+	count++;
+
+	return RULE_OK;
+
+fail:
+	return RULE_ERROR;
+}
+
+int mnt_rule::gen_policy_change_mount_type(Profile &prof, int &count,
+					   unsigned int flags,
+					   unsigned int opt_flags)
+{
+	std::string mntbuf;
+	std::string devbuf;
+	std::string typebuf;
+	char flagsbuf[PATH_MAX + 3];
+	std::string optsbuf;
+	char class_mount_hdr[64];
+	const char *vec[5];
+	char *mountpoint = mnt_point;
+
+	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
+
+	/* change type base rules can specify the mount point by using
+	 * the parser token position reserved to device. that's why if
+	 * the mount point is not specified, we use device in its
+	 * place. this is a deprecated behavior.
+	 *
+	 * change type base rules can not be conditional on device
+	 * (source), device type or data
+	 */
+	/* rule class single byte header */
+	mntbuf.assign(class_mount_hdr);
+	if (flags && flags != MS_ALL_FLAGS && device && mnt_point) {
+		PERROR("source and mount point cannot be used at the "
+		       "same time for propagation type flags");
+		goto fail;
+	} else if (device && !mnt_point) {
+		pwarn(_("The use of source as mount point for "
+			"propagation type flags is deprecated.\n"));
+		mountpoint = device;
+	}
+	if (!convert_entry(mntbuf, mountpoint))
+		goto fail;
+	vec[0] = mntbuf.c_str();
+	/* skip device and type */
+	vec[1] = default_match_pattern;
+	vec[2] = default_match_pattern;
+
+	if (!build_mnt_flags(flagsbuf, PATH_MAX, flags & MS_MAKE_FLAGS,
+			     opt_flags & MS_MAKE_FLAGS))
+		goto fail;
+	vec[3] = flagsbuf;
+	if (!prof.policy.rules->add_rule_vec(deny, allow, audit, 4, vec,
+					     dfaflags))
+		goto fail;
+	count++;
+
+	return RULE_OK;
+
+fail:
+	return RULE_ERROR;
+}
+
+int mnt_rule::gen_policy_move_mount(Profile &prof, int &count,
+				    unsigned int flags, unsigned int opt_flags)
+{
+	std::string mntbuf;
+	std::string devbuf;
+	std::string typebuf;
+	char flagsbuf[PATH_MAX + 3];
+	std::string optsbuf;
+	char class_mount_hdr[64];
+	const char *vec[5];
+
+	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
+
+	/* mount move rules can not be conditional on dev_type,
+	 * or data
+	 */
+	/* rule class single byte header */
+	mntbuf.assign(class_mount_hdr);
+	if (!convert_entry(mntbuf, mnt_point))
+		goto fail;
+	vec[0] = mntbuf.c_str();
+	if (!clear_and_convert_entry(devbuf, device))
+		goto fail;
+	vec[1] = devbuf.c_str();
+	/* skip type */
+	vec[2] = default_match_pattern;
+
+	if (!build_mnt_flags(flagsbuf, PATH_MAX, flags & MS_MOVE_FLAGS,
+			     opt_flags & MS_MOVE_FLAGS))
+		goto fail;
+	vec[3] = flagsbuf;
+	if (!prof.policy.rules->add_rule_vec(deny, allow, audit, 4, vec,
+					     dfaflags))
+		goto fail;
+	count++;
+
+	return RULE_OK;
+
+fail:
+	return RULE_ERROR;
+}
+
+int mnt_rule::gen_policy_new_mount(Profile &prof, int &count,
+				   unsigned int flags, unsigned int opt_flags)
+{
+	std::string mntbuf;
+	std::string devbuf;
+	std::string typebuf;
+	char flagsbuf[PATH_MAX + 3];
+	std::string optsbuf;
+	char class_mount_hdr[64];
+	const char *vec[5];
+	int tmpallow;
+
+	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
+
+	/* rule class single byte header */
+	mntbuf.assign(class_mount_hdr);
+	if (!convert_entry(mntbuf, mnt_point))
+		goto fail;
+	vec[0] = mntbuf.c_str();
+	if (!clear_and_convert_entry(devbuf, device))
+		goto fail;
+	vec[1] = devbuf.c_str();
+	typebuf.clear();
+	if (!build_list_val_expr(typebuf, dev_type))
+		goto fail;
+	vec[2] = typebuf.c_str();
+
+	if (!build_mnt_flags(flagsbuf, PATH_MAX, flags & MS_NEW_FLAGS,
+			     opt_flags & MS_NEW_FLAGS))
+		goto fail;
+	vec[3] = flagsbuf;
+
+	if (opts)
+		tmpallow = AA_MATCH_CONT;
+	else
+		tmpallow = allow;
+
+	/* rule for match without required data || data MATCH_CONT */
+	if (!prof.policy.rules->add_rule_vec(deny, tmpallow,
+					     audit | AA_AUDIT_MNT_DATA, 4,
+					     vec, dfaflags))
+		goto fail;
+	count++;
+
+	if (opts) {
+		/* rule with data match required */
+		optsbuf.clear();
+		if (!build_mnt_opts(optsbuf, opts))
+			goto fail;
+		vec[4] = optsbuf.c_str();
+		if (!prof.policy.rules->add_rule_vec(deny, allow,
+						     audit | AA_AUDIT_MNT_DATA,
+						     5, vec, dfaflags))
+			goto fail;
+		count++;
+	}
+
+	return RULE_OK;
+
+fail:
+	return RULE_ERROR;
+}
+
+int mnt_rule::gen_flag_rules(Profile &prof, int &count, unsigned int flags,
+			     unsigned int opt_flags)
+{
+	/*
+	 * XXX: added !flags to cover cases like:
+	 * mount options in (bind) /d -> /4,
+	 */
+	if ((allow & AA_MAY_MOUNT) && (!flags || flags == MS_ALL_FLAGS)) {
+		/* no mount flags specified, generate multiple rules */
+		if (!device && !dev_type &&
+		    gen_policy_remount(prof, count, flags, opt_flags) == RULE_ERROR)
+			return RULE_ERROR;
+		if (!dev_type && !opts &&
+		    gen_policy_bind_mount(prof, count, flags, opt_flags) == RULE_ERROR)
+			return RULE_ERROR;
+		if (!dev_type && !opts &&
+		    gen_policy_change_mount_type(prof, count, flags, opt_flags) == RULE_ERROR)
+			return RULE_ERROR;
+		if (!dev_type && !opts &&
+		    gen_policy_move_mount(prof, count, flags, opt_flags) == RULE_ERROR)
+			return RULE_ERROR;
+
+		return gen_policy_new_mount(prof, count, flags, opt_flags);
+	} else if ((allow & AA_MAY_MOUNT) && (flags & MS_REMOUNT)
+		   && !device && !dev_type) {
+		return gen_policy_remount(prof, count, flags, opt_flags);
+	} else if ((allow & AA_MAY_MOUNT) && (flags & MS_BIND)
+		   && !dev_type && !opts) {
+		return gen_policy_bind_mount(prof, count, flags, opt_flags);
+	} else if ((allow & AA_MAY_MOUNT) &&
+		   (flags & (MS_MAKE_CMDS))
+		   && !dev_type && !opts) {
+		return gen_policy_change_mount_type(prof, count, flags, opt_flags);
+	} else if ((allow & AA_MAY_MOUNT) && (flags & MS_MOVE)
+		   && !dev_type && !opts) {
+		return gen_policy_move_mount(prof, count, flags, opt_flags);
+	} else if ((allow & AA_MAY_MOUNT) &&
+		   ((flags | opt_flags) & ~MS_CMDS)) {
+		/* generic mount if flags are set that are not covered by
+		 * above commands
+		 */
+		return gen_policy_new_mount(prof, count, flags, opt_flags);
+	} /* else must be RULE_OK for some rules */
+
+	return RULE_OK;
+}
+
+int mnt_rule::gen_policy_re(Profile &prof)
+{
+	std::string mntbuf;
+	std::string devbuf;
+	std::string typebuf;
+	std::string optsbuf;
+	char class_mount_hdr[64];
+	const char *vec[5];
+	int count = 0;
 
 	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
 
 	/* a single mount rule may result in multiple matching rules being
 	 * created in the backend to cover all the possible choices
 	 */
-
-	if ((allow & AA_MAY_MOUNT) && (flags & MS_REMOUNT)
-	    && !device && !dev_type) {
-		int tmpallow;
-		/* remount can't be conditional on device and type */
-		/* rule class single byte header */
-		mntbuf.assign(class_mount_hdr);
-		if (mnt_point) {
-			/* both device && mnt_point or just mnt_point */
-			if (!convert_entry(mntbuf, mnt_point))
+	for (size_t i = 0; i < flagsv.size(); i++) {
+		for (size_t j = 0; j < opt_flagsv.size(); j++) {
+			if (gen_flag_rules(prof, count, flagsv[i], opt_flagsv[j]) == RULE_ERROR)
 				goto fail;
-			vec[0] = mntbuf.c_str();
-		} else {
-			if (!convert_entry(mntbuf, device))
-				goto fail;
-			vec[0] = mntbuf.c_str();
-		}
-		/* skip device */
-		vec[1] = default_match_pattern;
-		/* skip type */
-		vec[2] = default_match_pattern;
-
-		tmpflags = flags;
-		tmpinv_flags = inv_flags;
-		if (tmpflags != MS_ALL_FLAGS)
-			tmpflags &= MS_REMOUNT_FLAGS;
-		if (tmpinv_flags != MS_ALL_FLAGS)
-			tmpflags &= MS_REMOUNT_FLAGS;
-		if (!build_mnt_flags(flagsbuf, PATH_MAX, tmpflags, tmpinv_flags))
-			goto fail;
-		vec[3] = flagsbuf;
-
-		if (opts)
-			tmpallow = AA_MATCH_CONT;
-		else
-			tmpallow = allow;
-
-		/* rule for match without required data || data MATCH_CONT */
-		if (!prof.policy.rules->add_rule_vec(deny, tmpallow,
-					      audit | AA_AUDIT_MNT_DATA, 4,
-					      vec, dfaflags))
-			goto fail;
-		count++;
-
-		if (opts) {
-			/* rule with data match required */
-			optsbuf.clear();
-			if (!build_mnt_opts(optsbuf, opts))
-				goto fail;
-			vec[4] = optsbuf.c_str();
-			if (!prof.policy.rules->add_rule_vec(deny, allow,
-						      audit | AA_AUDIT_MNT_DATA,
-						      5, vec, dfaflags))
-				goto fail;
-			count++;
-		}
-	}
-	if ((allow & AA_MAY_MOUNT) && (flags & MS_BIND)
-	    && !dev_type && !opts) {
-		/* bind mount rules can't be conditional on dev_type or data */
-		/* rule class single byte header */
-		mntbuf.assign(class_mount_hdr);
-		if (!convert_entry(mntbuf, mnt_point))
-			goto fail;
-		vec[0] = mntbuf.c_str();
-		if (!clear_and_convert_entry(devbuf, device))
-			goto fail;
-		vec[1] = devbuf.c_str();
-		/* skip type */
-		vec[2] = default_match_pattern;
-
-		tmpflags = flags;
-		tmpinv_flags = inv_flags;
-		if (tmpflags != MS_ALL_FLAGS)
-			tmpflags &= MS_BIND_FLAGS;
-		if (tmpinv_flags != MS_ALL_FLAGS)
-			tmpflags &= MS_BIND_FLAGS;
-		if (!build_mnt_flags(flagsbuf, PATH_MAX, tmpflags, tmpinv_flags))
-			goto fail;
-		vec[3] = flagsbuf;
-		if (!prof.policy.rules->add_rule_vec(deny, allow, audit, 4, vec,
-						    dfaflags))
-			goto fail;
-		count++;
-	}
-	if ((allow & AA_MAY_MOUNT) &&
-	    (flags & (MS_UNBINDABLE | MS_PRIVATE | MS_SLAVE | MS_SHARED))
-	    && !device && !dev_type && !opts) {
-		/* change type base rules can not be conditional on device,
-		 * device type or data
-		 */
-		/* rule class single byte header */
-		mntbuf.assign(class_mount_hdr);
-		if (!convert_entry(mntbuf, mnt_point))
-			goto fail;
-		vec[0] = mntbuf.c_str();
-		/* skip device and type */
-		vec[1] = default_match_pattern;
-		vec[2] = default_match_pattern;
-
-		tmpflags = flags;
-		tmpinv_flags = inv_flags;
-		if (tmpflags != MS_ALL_FLAGS)
-			tmpflags &= MS_MAKE_FLAGS;
-		if (tmpinv_flags != MS_ALL_FLAGS)
-			tmpflags &= MS_MAKE_FLAGS;
-		if (!build_mnt_flags(flagsbuf, PATH_MAX, tmpflags, tmpinv_flags))
-			goto fail;
-		vec[3] = flagsbuf;
-		if (!prof.policy.rules->add_rule_vec(deny, allow, audit, 4, vec,
-						    dfaflags))
-			goto fail;
-		count++;
-	}
-	if ((allow & AA_MAY_MOUNT) && (flags & MS_MOVE)
-	    && !dev_type && !opts) {
-		/* mount move rules can not be conditional on dev_type,
-		 * or data
-		 */
-		/* rule class single byte header */
-		mntbuf.assign(class_mount_hdr);
-		if (!convert_entry(mntbuf, mnt_point))
-			goto fail;
-		vec[0] = mntbuf.c_str();
-		if (!clear_and_convert_entry(devbuf, device))
-			goto fail;
-		vec[1] = devbuf.c_str();
-		/* skip type */
-		vec[2] = default_match_pattern;
-
-		tmpflags = flags;
-		tmpinv_flags = inv_flags;
-		if (tmpflags != MS_ALL_FLAGS)
-			tmpflags &= MS_MOVE_FLAGS;
-		if (tmpinv_flags != MS_ALL_FLAGS)
-			tmpflags &= MS_MOVE_FLAGS;
-		if (!build_mnt_flags(flagsbuf, PATH_MAX, tmpflags, tmpinv_flags))
-			goto fail;
-		vec[3] = flagsbuf;
-		if (!prof.policy.rules->add_rule_vec(deny, allow, audit, 4, vec,
-						    dfaflags))
-			goto fail;
-		count++;
-	}
-	if ((allow & AA_MAY_MOUNT) &&
-	    (flags | inv_flags) & ~MS_CMDS) {
-		int tmpallow;
-		/* generic mount if flags are set that are not covered by
-		 * above commands
-		 */
-		/* rule class single byte header */
-		mntbuf.assign(class_mount_hdr);
-		if (!convert_entry(mntbuf, mnt_point))
-			goto fail;
-		vec[0] = mntbuf.c_str();
-		if (!clear_and_convert_entry(devbuf, device))
-			goto fail;
-		vec[1] = devbuf.c_str();
-		typebuf.clear();
-		if (!build_list_val_expr(typebuf, dev_type))
-			goto fail;
-		vec[2] = typebuf.c_str();
-
-		tmpflags = flags;
-		tmpinv_flags = inv_flags;
-		if (tmpflags != MS_ALL_FLAGS)
-			tmpflags &= ~MS_CMDS;
-		if (tmpinv_flags != MS_ALL_FLAGS)
-			tmpinv_flags &= ~MS_CMDS;
-		if (!build_mnt_flags(flagsbuf, PATH_MAX, tmpflags, tmpinv_flags))
-			goto fail;
-		vec[3] = flagsbuf;
-
-		if (opts)
-			tmpallow = AA_MATCH_CONT;
-		else
-			tmpallow = allow;
-
-		/* rule for match without required data || data MATCH_CONT */
-		if (!prof.policy.rules->add_rule_vec(deny, tmpallow,
-					      audit | AA_AUDIT_MNT_DATA, 4,
-					      vec, dfaflags))
-			goto fail;
-		count++;
-
-		if (opts) {
-			/* rule with data match required */
-			optsbuf.clear();
-			if (!build_mnt_opts(optsbuf, opts))
-				goto fail;
-			vec[4] = optsbuf.c_str();
-			if (!prof.policy.rules->add_rule_vec(deny, allow,
-						      audit | AA_AUDIT_MNT_DATA,
-						      5, vec, dfaflags))
-				goto fail;
-			count++;
 		}
 	}
 	if (allow & AA_MAY_UMOUNT) {

parser/mount.h

@@ -20,6 +20,7 @@
 #define __AA_MOUNT_H
 
 #include <ostream>
+#include <vector>
 
 #include "parser.h"
 #include "rule.h"
@@ -39,6 +40,8 @@
 #define MS_MAND		(1 << 6)
 #define MS_NOMAND	0
 #define MS_DIRSYNC	(1 << 7)
+#define MS_SYMFOLLOW	0
+#define MS_NOSYMFOLLOW	(1 << 8)
 #define MS_NODIRSYNC	0
 #define MS_NOATIME	(1 << 10)
 #define MS_ATIME	0
@@ -61,6 +64,7 @@
 #define MS_IVERSION	(1 << 23)
 #define MS_NOIVERSION	0
 #define MS_STRICTATIME	(1 << 24)
+#define MS_LAZYTIME	(1 << 25)
 #define MS_NOUSER	(1 << 31)
 #define MS_USER		0
 
@@ -74,12 +78,14 @@
 
 #define MS_ALL_FLAGS	(MS_RDONLY | MS_NOSUID | MS_NODEV | MS_NOEXEC | \
 			 MS_SYNC | MS_REMOUNT | MS_MAND | MS_DIRSYNC | \
+			 MS_NOSYMFOLLOW | \
 			 MS_NOATIME | MS_NODIRATIME | MS_BIND | MS_RBIND | \
 			 MS_MOVE | MS_VERBOSE | MS_ACL | \
 			 MS_UNBINDABLE | MS_RUNBINDABLE | \
 			 MS_PRIVATE | MS_RPRIVATE | \
 			 MS_SLAVE | MS_RSLAVE | MS_SHARED | MS_RSHARED | \
-			 MS_RELATIME | MS_IVERSION | MS_STRICTATIME | MS_USER)
+			 MS_RELATIME | MS_IVERSION | MS_STRICTATIME | \
+			 MS_LAZYTIME | MS_USER)
 
 /* set of flags we don't use but define (but not with the kernel values)
  *  for MNT_FLAGS
@@ -94,16 +100,15 @@
 			 MS_KERNMOUNT | MS_STRICTATIME)
 
 #define MS_BIND_FLAGS (MS_BIND | MS_RBIND)
-#define MS_MAKE_FLAGS ((MS_UNBINDABLE | MS_RUNBINDABLE | \
+#define MS_MAKE_CMDS (MS_UNBINDABLE | MS_RUNBINDABLE | \
 			MS_PRIVATE | MS_RPRIVATE | \
-			MS_SLAVE | MS_RSLAVE | MS_SHARED | MS_RSHARED) | \
-		       (MS_ALL_FLAGS & ~(MNT_FLAGS)))
+			MS_SLAVE | MS_RSLAVE | MS_SHARED | MS_RSHARED)
+#define MS_MAKE_FLAGS  (MS_ALL_FLAGS & ~(MNT_FLAGS))
 #define MS_MOVE_FLAGS (MS_MOVE)
 
-#define MS_CMDS (MS_MOVE | MS_REMOUNT | MS_BIND | MS_RBIND | \
-		 MS_UNBINDABLE | MS_RUNBINDABLE | MS_PRIVATE | MS_RPRIVATE | \
-		 MS_SLAVE | MS_RSLAVE | MS_SHARED | MS_RSHARED)
+#define MS_CMDS (MS_MOVE | MS_REMOUNT | MS_BIND | MS_RBIND | MS_MAKE_CMDS)
 #define MS_REMOUNT_FLAGS (MS_ALL_FLAGS & ~(MS_CMDS & ~MS_REMOUNT & ~MS_BIND & ~MS_RBIND))
+#define MS_NEW_FLAGS (MS_ALL_FLAGS & ~MS_CMDS)
 
 #define MNT_SRC_OPT 1
 #define MNT_DST_OPT 2
@@ -121,6 +126,19 @@
 
 
 class mnt_rule: public rule_t {
+	int gen_policy_remount(Profile &prof, int &count, unsigned int flags,
+			       unsigned int opt_flags);
+	int gen_policy_bind_mount(Profile &prof, int &count, unsigned int flags,
+				  unsigned int opt_flags);
+	int gen_policy_change_mount_type(Profile &prof, int &count,
+					 unsigned int flags,
+					 unsigned int opt_flags);
+	int gen_policy_move_mount(Profile &prof, int &count, unsigned int flags,
+				  unsigned int opt_flags);
+	int gen_policy_new_mount(Profile &prof, int &count, unsigned int flags,
+				 unsigned int opt_flags);
+	int gen_flag_rules(Profile &prof, int &count, unsigned int flags,
+			   unsigned int opt_flags);
 public:
 	char *mnt_point;
 	char *device;
@@ -128,7 +146,7 @@ public:
 	struct value_list *dev_type;
 	struct value_list *opts;
 
-	unsigned int flags, inv_flags;
+	std::vector<unsigned int> flagsv, opt_flagsv;
 
 	int allow, audit;
 	int deny;

parser/parser.h

@@ -204,6 +204,7 @@ do {						\
 #endif
 
 
+#define list_first(LIST) (LIST)
 #define list_for_each(LIST, ENTRY) \
 	for ((ENTRY) = (LIST); (ENTRY); (ENTRY) = (ENTRY)->next)
 #define list_for_each_safe(LIST, ENTRY, TMP) \
@@ -237,6 +238,16 @@ do {						\
 	prev;				\
 })
 
+#define list_pop(LIST)				\
+({						\
+	typeof(LIST) _entry = (LIST);		\
+	if (LIST) {				\
+		(LIST) = (LIST)->next;		\
+		_entry->next = NULL;		\
+	}					\
+	_entry;					\
+})
+
 #define list_remove_at(LIST, PREV, ENTRY)			\
 	if (PREV)						\
 		(PREV)->next = (ENTRY)->next;			\

parser/tst/simple_tests/mount/bad_1.sd

@@ -0,0 +1,7 @@
+#
+#=Description basic mount rule with incompatible options
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  mount options=(rw, ro) -> /foo,
+}

parser/tst/simple_tests/mount/bad_2.sd

@@ -0,0 +1,7 @@
+#
+#=Description basic mount rule with incompatible options
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  mount options=(rw ro) -> /foo,
+}

parser/tst/simple_tests/mount/bad_3.sd

@@ -0,0 +1,7 @@
+#
+#=Description basic mount rule with incompatible options
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  mount options=(rw ro) fstype=procfs -> /foo,
+}

parser/tst/simple_tests/mount/bad_4.sd

@@ -1,6 +1,6 @@
 #
-#=Description basic mount rule
-#=EXRESULT PASS
+#=Description basic mount rule with incompatible options
+#=EXRESULT FAIL
 #
 /usr/bin/foo {
   mount options=(rw ro) fstype=(procfs) none -> /foo,

parser/tst/simple_tests/mount/bad_opt_29.sd

@@ -0,0 +1,7 @@
+#
+#=Description basic mount rule conflicting = options
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  mount options=(strictatime, nostrictatime) -> /foo,
+}

parser/tst/simple_tests/mount/bad_opt_30.sd

@@ -0,0 +1,7 @@
+#
+#=Description basic mount rule conflicting = options
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  mount options=(lazytime, nolazytime) -> /foo,
+}

parser/tst/simple_tests/mount/bad_opt_31.sd

@@ -0,0 +1,7 @@
+#
+#=Description basic mount rule conflicting = options
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+  mount options=(symfollow, nosymfollow) -> /foo,
+}

parser/tst/simple_tests/mount/ok_16.sd

@@ -3,5 +3,5 @@
 #=EXRESULT PASS
 #
 /usr/bin/foo {
-  mount options=(rw, ro) -> /foo,
+  mount options=(rw nosuid) -> /foo,
 }

parser/tst/simple_tests/mount/ok_17.sd

@@ -1,7 +0,0 @@
-#
-#=Description basic mount rule
-#=EXRESULT PASS
-#
-/usr/bin/foo {
-  mount options=(rw ro) -> /foo,
-}

parser/tst/simple_tests/mount/ok_18.sd

@@ -1,7 +0,0 @@
-#
-#=Description basic mount rule
-#=EXRESULT PASS
-#
-/usr/bin/foo {
-  mount options=(rw ro) fstype=procfs -> /foo,
-}

parser/tst/simple_tests/mount/ok_opt_56.sd

@@ -0,0 +1,8 @@
+#
+#=Description basic rules to test the "nostrictatime" mount option
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=nostrictatime /a -> /1,
+  mount options=(nostrictatime) /b -> /2,
+  mount options in (nostrictatime) /d -> /4,
+}

parser/tst/simple_tests/mount/ok_opt_57.sd

@@ -0,0 +1,8 @@
+#
+#=Description basic rules to test the "lazytime" mount option
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=lazytime /a -> /1,
+  mount options=(lazytime) /b -> /2,
+  mount options in (lazytime) /d -> /4,
+}

parser/tst/simple_tests/mount/ok_opt_58.sd

@@ -0,0 +1,8 @@
+#
+#=Description basic rules to test the "nolazytime" mount option
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=nolazytime /a -> /1,
+  mount options=(nolazytime) /b -> /2,
+  mount options in (nolazytime) /d -> /4,
+}

parser/tst/simple_tests/mount/ok_opt_59.sd

@@ -0,0 +1,7 @@
+#
+#=Description basic rules to test the "strictatime" mount option in combination
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=(rw,strictatime) /c -> /3,
+  mount options in (ro,strictatime) /e -> /5,
+}

parser/tst/simple_tests/mount/ok_opt_60.sd

@@ -0,0 +1,7 @@
+#
+#=Description basic rules to test the "nostrictatime" mount option in combination
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=(rw,nostrictatime) /c -> /3,
+  mount options in (ro,nostrictatime) /e -> /5,
+}

parser/tst/simple_tests/mount/ok_opt_61.sd

@@ -0,0 +1,7 @@
+#
+#=Description basic rules to test the "lazytime" mount option in combination
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=(rw,lazytime) /c -> /3,
+  mount options in (ro,lazytime) /e -> /5,
+}

parser/tst/simple_tests/mount/ok_opt_62.sd

@@ -0,0 +1,7 @@
+#
+#=Description basic rules to test the "nolazytime" mount option in combination
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=(rw,nolazytime) /c -> /3,
+  mount options in (ro,nolazytime) /e -> /5,
+}

parser/tst/simple_tests/mount/ok_opt_63.sd

@@ -0,0 +1,7 @@
+#
+#=Description basic mount rule conflicting options with in
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+  mount options in (strictatime, nostrictatime) -> /foo,
+}

parser/tst/simple_tests/mount/ok_opt_64.sd

@@ -0,0 +1,7 @@
+#
+#=Description basic mount rule conflicting options with in
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+  mount options in (lazytime, nolazytime) -> /foo,
+}

parser/tst/simple_tests/mount/ok_opt_65.sd

@@ -0,0 +1,8 @@
+#
+#=Description basic rules to test the "nosymfollow" mount option
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=nosymfollow /a -> /1,
+  mount options=(nosymfollow) /b -> /2,
+  mount options in (nosymfollow) /d -> /4,
+}

parser/tst/simple_tests/mount/ok_opt_66.sd

@@ -0,0 +1,7 @@
+#
+#=Description basic rules to test the "symfollow" mount option in combination
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=(rw,symfollow) /c -> /3,
+  mount options in (ro,symfollow) /e -> /5,
+}

parser/tst/simple_tests/mount/ok_opt_67.sd

@@ -0,0 +1,7 @@
+#
+#=Description basic mount rule conflicting options with in
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+  mount options in (symfollow, nosymfollow) -> /foo,
+}

parser/tst/simple_tests/mount/ok_opt_68.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "unbindable" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=unbindable /1,
+  mount options=(unbindable) /2,
+  mount options=(rw,unbindable) /3,
+  mount options in (unbindable) /4,
+  mount options in (ro,unbindable) /5,
+}

parser/tst/simple_tests/mount/ok_opt_69.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "runbindable" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=runbindable /1,
+  mount options=(runbindable) /2,
+  mount options=(rw,runbindable) /3,
+  mount options in (runbindable) /4,
+  mount options in (ro,runbindable) /5,
+}

parser/tst/simple_tests/mount/ok_opt_70.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "rprivate" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=rprivate /1,
+  mount options=(rprivate) /2,
+  mount options=(rw,rprivate) /3,
+  mount options in (rprivate) /4,
+  mount options in (ro,rprivate) /5,
+}

parser/tst/simple_tests/mount/ok_opt_71.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "private" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=private /1,
+  mount options=(private) /2,
+  mount options=(rw,private) /3,
+  mount options in (private) /4,
+  mount options in (ro,private) /5,
+}

parser/tst/simple_tests/mount/ok_opt_72.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "slave" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=slave /1,
+  mount options=(slave) /2,
+  mount options=(rw,slave) /3,
+  mount options in (slave) /4,
+  mount options in (ro,slave) /5,
+}

parser/tst/simple_tests/mount/ok_opt_73.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "rslave" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=rslave /1,
+  mount options=(rslave) /2,
+  mount options=(rw,rslave) /3,
+  mount options in (rslave) /4,
+  mount options in (ro,rslave) /5,
+}

parser/tst/simple_tests/mount/ok_opt_74.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "shared" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=shared /1,
+  mount options=(shared) /2,
+  mount options=(rw,shared) /3,
+  mount options in (shared) /4,
+  mount options in (ro,shared) /5,
+}

parser/tst/simple_tests/mount/ok_opt_75.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "rshared" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=rshared /1,
+  mount options=(rshared) /2,
+  mount options=(rw,rshared) /3,
+  mount options in (rshared) /4,
+  mount options in (ro,rshared) /5,
+}

parser/tst/simple_tests/mount/ok_opt_76.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-unbindable" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=make-unbindable /1,
+  mount options=(make-unbindable) /2,
+  mount options=(rw,make-unbindable) /3,
+  mount options in (make-unbindable) /4,
+  mount options in (ro,make-unbindable) /5,
+}

parser/tst/simple_tests/mount/ok_opt_77.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-runbindable" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=make-runbindable /1,
+  mount options=(make-runbindable) /2,
+  mount options=(rw,make-runbindable) /3,
+  mount options in (make-runbindable) /4,
+  mount options in (ro,make-runbindable) /5,
+}

parser/tst/simple_tests/mount/ok_opt_78.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-private" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=make-private /1,
+  mount options=(make-private) /2,
+  mount options=(rw,make-private) /3,
+  mount options in (make-private) /4,
+  mount options in (ro,make-private) /5,
+}

parser/tst/simple_tests/mount/ok_opt_79.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-rprivate" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=make-rprivate /1,
+  mount options=(make-rprivate) /2,
+  mount options=(rw,make-rprivate) /3,
+  mount options in (make-rprivate) /4,
+  mount options in (ro,make-rprivate) /5,
+}

parser/tst/simple_tests/mount/ok_opt_80.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-slave" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=make-slave /1,
+  mount options=(make-slave) /2,
+  mount options=(rw,make-slave) /3,
+  mount options in (make-slave) /4,
+  mount options in (ro,make-slave) /5,
+}

parser/tst/simple_tests/mount/ok_opt_81.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-shared" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=make-shared /1,
+  mount options=(make-shared) /2,
+  mount options=(rw,make-shared) /3,
+  mount options in (make-shared) /4,
+  mount options in (ro,make-shared) /5,
+}

parser/tst/simple_tests/mount/ok_opt_82.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-rslave" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=make-rslave /1,
+  mount options=(make-rslave) /2,
+  mount options=(rw,make-rslave) /3,
+  mount options in (make-rslave) /4,
+  mount options in (ro,make-rslave) /5,
+}

parser/tst/simple_tests/mount/ok_opt_83.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-rshared" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=make-rshared /1,
+  mount options=(make-rshared) /2,
+  mount options=(rw,make-rshared) /3,
+  mount options in (make-rshared) /4,
+  mount options in (ro,make-rshared) /5,
+}

profiles/apparmor.d/abstractions/base

@@ -34,8 +34,8 @@
   /usr/share/locale-langpack/**  r,
   /usr/share/locale/**           r,
   /usr/share/**/locale/**        r,
-  /usr/share/zoneinfo/           r,
-  /usr/share/zoneinfo/**         r,
+  /usr/share/zoneinfo{,-icu}/    r,
+  /usr/share/zoneinfo{,-icu}/**  r,
   /usr/share/X11/locale/**       r,
   /run/systemd/journal/dev-log w,
   # systemd native journal API (see sd_journal_print(4))
@@ -60,6 +60,7 @@
   /etc/ld.so.conf                r,
   /etc/ld.so.conf.d/{,*.conf}    r,
   /etc/ld.so.preload             r,
+  /etc/ld-musl-*.path            r,
   /{usr/,}lib{,32,64}/ld{,32,64}-*.so   mr,
   /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so    mr,
   /{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so     mr,

profiles/apparmor.d/abstractions/freedesktop.org

@@ -18,7 +18,7 @@
   @{system_share_dirs}/mime/** r,
 
   # per-user configurations
-  owner @{HOME}/.icons/                 r,
+  owner @{HOME}/.icons/{,**}            r,
   owner @{HOME}/.recently-used.xbel*    rw,
   owner @{HOME}/.local/share/recently-used.xbel* rw,
   owner @{HOME}/.config/user-dirs.dirs  r,

profiles/apparmor.d/abstractions/nvidia

@@ -21,8 +21,12 @@
 
   @{sys}/devices/system/memory/block_size_bytes r,
 
+  owner @{HOME}/.cache/nvidia/ w,
+  owner @{HOME}/.cache/nvidia/GLCache/ rw,
+  owner @{HOME}/.cache/nvidia/GLCache/** rwk,
   owner @{HOME}/.nv/ w,
   owner @{HOME}/.nv/GLCache/ rw,
   owner @{HOME}/.nv/GLCache/** rwk,
+  owner @{PROC}/@{pid}/comm r, # somehwere in libnvidia-glcore.so
 
   unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"),

profiles/apparmor.d/abstractions/openssl

@@ -9,6 +9,7 @@
 # ------------------------------------------------------------------
 
   /etc/ssl/openssl.cnf r,
+  /etc/ssl/openssl-*.cnf r,
   /etc/ssl/{engdef,engines}.d/ r,
   /etc/ssl/{engdef,engines}.d/*.cnf r,
   /usr/share/ssl/openssl.cnf r,

profiles/apparmor.d/abstractions/snap_browsers

@@ -38,5 +38,6 @@ profile snap_browsers {
   /snap/opera/[0-9]*/meta/{snap.yaml,hooks/} r,
 
   /var/lib/snapd/sequence/{chromium,firefox,opera}.json r,
+  /var/lib/snapd/inhibit/{chromium,firefox,opera}.lock rk,
   # add other browsers here
 }

profiles/apparmor.d/lsb_release

@@ -28,6 +28,8 @@ profile lsb_release {
   /{usr/,}bin/dash ixr,
   /usr/bin/basename ixr,
   /usr/bin/dpkg-query ixr,
+  /usr/bin/cat ixr,
+  /usr/bin/cut ixr,
   /usr/bin/getopt ixr,
   /usr/bin/sed ixr,
   /usr/bin/tr ixr,

profiles/apparmor.d/nvidia_modprobe

@@ -52,10 +52,10 @@ profile nvidia_modprobe {
     # System files
 
     /etc/modprobe.d/{,*.conf} r,
-    /etc/nvidia/current/*.conf r,
+    /etc/nvidia/{current,legacy*,tesla*}/*.conf r,
     @{sys}/module/ipmi_devintf/initstate r,
     @{sys}/module/ipmi_msghandler/initstate r,
-    @{sys}/module/nvidia/initstate r,
+    @{sys}/module/{drm,nvidia}/initstate r,
     @{PROC}/cmdline r,
   }
 

profiles/apparmor.d/sbin.syslogd

@@ -29,6 +29,8 @@ profile syslogd /{usr/,}{bin,sbin}/syslogd {
   /dev/log                      wl,
   /var/lib/*/dev/log            wl,
 
+  /dev/kmsg                     r,
+  /proc/kmsg                    r,
   /dev/tty*                     w,
   /dev/xconsole                 rw,
   /etc/syslog.conf              r,

profiles/apparmor.d/usr.sbin.nscd

@@ -39,6 +39,13 @@ profile nscd /usr/{bin,sbin}/nscd {
   @{PROC}/@{pid}/fd/* r,
   @{PROC}/@{pid}/mounts r,
 
+  # systemd-userdb
+  /{etc,run,run/host,/usr/lib}/userdb/ r,
+  /{etc,run,run/host,/usr/lib}/userdb/*.{user,user-privileged,group,group-privileged} r,
+
+  # needed by unscd
+  @{run}/systemd/notify w,
+
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.sbin.nscd>
 }

profiles/apparmor.d/usr.sbin.smbd

@@ -42,6 +42,7 @@ profile smbd /usr/{bin,sbin}/smbd {
   /usr/{bin,sbin}/smbldap-useradd Px,
   /var/cache/samba/** rwk,
   /var/{cache,lib}/samba/printing/printers.tdb mrw,
+  /var/lib/nscd/netgroup r,
   /var/lib/samba/** rwk,
   /var/lib/sss/pubconf/kdcinfo.* r,
   /{,var/}run/dbus/system_bus_socket rw,

profiles/apparmor/profiles/extras/usr.lib.postfix.tlsmgr

@@ -15,6 +15,7 @@
 profile postfix-tlsmgr /usr/lib/postfix/{bin/,sbin/,}tlsmgr {
   #include <abstractions/base>
   #include <abstractions/nameservice>
+  #include <abstractions/openssl>
   #include <abstractions/postfix-common>
 
   /usr/lib/postfix/{bin/,sbin/,}tlsmgr mrix,

tests/regression/apparmor/Makefile

@@ -69,8 +69,8 @@ endif # USE_SYSTEM
 
 CFLAGS += -g -O0 -Wall -Wstrict-prototypes
 
-USE_SYSCTL:=$(shell echo "#include <sys/sysctl.h>" | cpp -dM >/dev/null 2>/dev/null && echo true)
-
+SYSCTL_INCLUDE="\#include <sys/sysctl.h>"
+USE_SYSCTL:=$(shell echo $(SYSCTL_INCLUDE) | cpp -dM >/dev/null 2>/dev/null && echo true)
 
 SRC=access.c \
     at_secure.c \
@@ -307,6 +307,9 @@ unix_socket_client: unix_socket_client.c unix_socket_common.o
 unix_socket: unix_socket.c unix_socket_common.o unix_socket_client
 	${CC} ${CFLAGS} ${LDFLAGS} $(filter-out unix_socket_client, $^) -o $@ ${LDLIBS}
 
+mount: mount.c
+	${CC} ${CFLAGS} -std=gnu99 ${LDFLAGS} $^ -o $@ ${LDLIBS}
+
 tests: all
 	@if [ `whoami` = "root" ] ;\
 	then \

tests/regression/apparmor/aa_exec_wrapper.sh

@@ -16,7 +16,7 @@ fi
 out=$($1 -- cat /proc/self/attr/current 2>&1)
 rc=$?
 
-if [ $rc -eq 0 ] && [ "$out" == "$2" ]; then
+if [ $rc -eq 0 ] && [ "$out" = "$2" ]; then
 	echo PASS
 	exit 0
 elif [ $rc -ne 0 ]; then

tests/regression/apparmor/capabilities.sh

@@ -97,7 +97,7 @@ for TEST in ${TESTS} ; do
 
 	# no capabilities allowed
 	genprofile ${my_entries}
-	if [ "${TEST}" == "syscall_ptrace" -a "$(kernel_features ptrace)" == "true" ] ; then
+	if [ "${TEST}" = "syscall_ptrace" -a "$(kernel_features ptrace)" = "true" ] ; then
 	    # ptrace between profiles confining tasks of same pid is controlled by the ptrace rule
 	    # capability + ptrace rule needed between pids
 	    runchecktest "${TEST} -- no caps" pass ${my_arg}
@@ -111,9 +111,9 @@ for TEST in ${TESTS} ; do
 
 	# iterate through each of the capabilities
 	for cap in ${CAPABILITIES} ; do
-		if [ "X$(eval echo \${${TEST}_${cap}})" == "XTRUE" ] ; then
+		if [ "X$(eval echo \${${TEST}_${cap}})" = "XTRUE" ] ; then
 			expected_result=pass
-		elif [ "${TEST}" == "syscall_ptrace" -a "$(kernel_features ptrace)" == "true" ]; then
+		elif [ "${TEST}" = "syscall_ptrace" -a "$(kernel_features ptrace)" = "true" ]; then
 			expected_result=pass
 		else
 			expected_result=fail
@@ -126,7 +126,7 @@ for TEST in ${TESTS} ; do
 	# a subprofile.
 	settest ${testwrapper}
 	genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} ${my_entries}
-	if [ "${TEST}" == "syscall_ptrace" -a "$(kernel_features ptrace)" == "true" ] ; then
+	if [ "${TEST}" = "syscall_ptrace" -a "$(kernel_features ptrace)" = "true" ] ; then
 	    # ptrace between profiles confining tasks of same pid is controlled by the ptrace rule
 	    # capability + ptrace rule needed between pids
 	    runchecktest "${TEST} changehat -- no caps" pass $bin/${TEST} ${my_arg}
@@ -139,9 +139,9 @@ for TEST in ${TESTS} ; do
 	runchecktest "${TEST} changehat -- all caps" pass $bin/${TEST} ${my_arg}
 
 	for cap in ${CAPABILITIES} ; do
-		if [ "X$(eval echo \${${TEST}_${cap}})" == "XTRUE" ] ; then
+		if [ "X$(eval echo \${${TEST}_${cap}})" = "XTRUE" ] ; then
 			expected_result=pass
-		elif [ "${TEST}" == "syscall_ptrace" -a "$(kernel_features ptrace)" == "true" ]; then
+		elif [ "${TEST}" = "syscall_ptrace" -a "$(kernel_features ptrace)" = "true" ]; then
 			expected_result=pass
 		else
 			expected_result=fail
@@ -156,75 +156,75 @@ cap=sys_chroot
 settest syscall_chroot
 
 # test deny keyword works
-genprofile cap:${cap}:deny ${syscall_chroot_extra_entries}
+genprofile qual=deny:cap:${cap} ${syscall_chroot_extra_entries}
 runchecktest "syscall_chroot -- capability ${cap}, deny keyword" fail ${syscall_chroot_args}
 
 # test allow keyword works
-genprofile cap:${cap}:allow ${syscall_chroot_extra_entries}
+genprofile qual=allow:cap:${cap} ${syscall_chroot_extra_entries}
 runchecktest "syscall_chroot -- capability ${cap}, allow keyword" pass ${syscall_chroot_args}
 
 ### allow/deny overlap tests ###
 
 # test allow & deny keyword behavior, allow first
-genprofile cap:${cap}:allow cap:${cap}:deny ${syscall_chroot_extra_entries}
+genprofile qual=allow:cap:${cap} qual=deny:cap:${cap} ${syscall_chroot_extra_entries}
 runchecktest "syscall_chroot -- capability ${cap}, allow & deny keyword, allow first" fail ${syscall_chroot_args}
 
 # test implicit allow & deny keyword behavior, allow first
-genprofile cap:${cap} cap:${cap}:deny ${syscall_chroot_extra_entries}
+genprofile cap:${cap} qual=deny:cap:${cap} ${syscall_chroot_extra_entries}
 runchecktest "syscall_chroot -- capability ${cap}, implicit allow & deny keyword, allow first" fail ${syscall_chroot_args}
 
 # test allow & deny keyword behavior, deny first
-genprofile cap:${cap}:deny cap:${cap}:allow ${syscall_chroot_extra_entries}
+genprofile qual=deny:cap:${cap} qual=allow:cap:${cap} ${syscall_chroot_extra_entries}
 runchecktest "syscall_chroot -- capability ${cap}, allow & deny keyword, deny first" fail ${syscall_chroot_args}
 
 # test implicit allow & deny keyword behavior, deny first
-genprofile cap:${cap}:deny cap:${cap} ${syscall_chroot_extra_entries}
+genprofile qual=deny:cap:${cap} cap:${cap} ${syscall_chroot_extra_entries}
 runchecktest "syscall_chroot -- capability ${cap}, implicit allow & deny keyword, deny first" fail ${syscall_chroot_args}
 
 # test allow all & deny all capability keyword behavior, allow first
-genprofile cap:ALL:allow cap:ALL:deny ${syscall_chroot_extra_entries}
+genprofile qual=allow:cap:ALL qual=deny:cap:ALL ${syscall_chroot_extra_entries}
 runchecktest "syscall_chroot -- capability ${cap}, allow & deny all caps keyword, allow first" fail ${syscall_chroot_args}
 
 # test implicit allow all & deny all capability keyword behavior, allow first
-genprofile cap:ALL cap:ALL:deny ${syscall_chroot_extra_entries}
+genprofile cap:ALL qual=deny:cap:ALL ${syscall_chroot_extra_entries}
 runchecktest "syscall_chroot -- capability ${cap}, implicit allow all & deny all caps keyword, allow first" fail ${syscall_chroot_args}
 
 # test allow all & deny all capability keyword behavior, deny first
-genprofile cap:ALL:deny cap:ALL:allow ${syscall_chroot_extra_entries}
+genprofile qual=deny:cap:ALL qual=allow:cap:ALL ${syscall_chroot_extra_entries}
 runchecktest "syscall_chroot -- capability ${cap}, allow & deny all caps keyword, deny first" fail ${syscall_chroot_args}
 
 # test implicit allow all & deny all capability keyword behavior, deny first
-genprofile cap:ALL:deny cap:ALL ${syscall_chroot_extra_entries}
+genprofile qual=deny:cap:ALL cap:ALL ${syscall_chroot_extra_entries}
 runchecktest "syscall_chroot -- capability ${cap}, implicit allow & deny all caps keyword, deny first" fail ${syscall_chroot_args}
 
 # test allow all & deny keywords behavior, allow first
-genprofile cap:ALL:allow cap:${cap}:deny ${syscall_chroot_extra_entries}
+genprofile qual=allow:cap:ALL qual=deny:cap:${cap} ${syscall_chroot_extra_entries}
 runchecktest "syscall_chroot -- capability ${cap}, allow all & deny keyword, allow first" fail ${syscall_chroot_args}
 
 # test implicit allow all & deny keywords behavior, allow first
-genprofile cap:ALL cap:${cap}:deny ${syscall_chroot_extra_entries}
+genprofile cap:ALL qual=deny:cap:${cap} ${syscall_chroot_extra_entries}
 runchecktest "syscall_chroot -- capability ${cap}, implicit allow all & deny keyword, allow first" fail ${syscall_chroot_args}
 
 # test allow all & deny keywords behavior, deny first
-genprofile cap:${cap}:deny cap:ALL:allow ${syscall_chroot_extra_entries}
+genprofile qual=deny:cap:${cap} qual=allow:cap:ALL ${syscall_chroot_extra_entries}
 runchecktest "syscall_chroot -- capability ${cap}, allow all & deny keyword, deny first" fail ${syscall_chroot_args}
 
 # test implicit allow all & deny keywords behavior, deny first
-genprofile cap:${cap}:deny cap:ALL ${syscall_chroot_extra_entries}
+genprofile qual=deny:cap:${cap} cap:ALL ${syscall_chroot_extra_entries}
 runchecktest "syscall_chroot -- capability ${cap}, implicit allow all & deny keyword, deny first" fail ${syscall_chroot_args}
 
 # test allow & deny all keywords behavior, allow first
-genprofile cap:${cap}:allow cap:ALL:deny ${syscall_chroot_extra_entries}
+genprofile qual=allow:cap:${cap} qual=deny:cap:ALL ${syscall_chroot_extra_entries}
 runchecktest "syscall_chroot -- capability ${cap}, allow & deny all keyword, allow first" fail ${syscall_chroot_args}
 
 # test implicit allow & deny all keywords behavior, allow first
-genprofile cap:${cap} cap:ALL:deny ${syscall_chroot_extra_entries}
+genprofile cap:${cap} qual=deny:cap:ALL ${syscall_chroot_extra_entries}
 runchecktest "syscall_chroot -- capability ${cap}, implicit allow & deny all keyword, allow first" fail ${syscall_chroot_args}
 
 # test allow & deny all keywords behavior, deny first
-genprofile cap:ALL:deny cap:${cap}:allow ${syscall_chroot_extra_entries}
+genprofile qual=deny:cap:ALL qual=allow:cap:${cap} ${syscall_chroot_extra_entries}
 runchecktest "syscall_chroot -- capability ${cap}, allow & deny all keyword, deny first" fail ${syscall_chroot_args}
 
 # test implicit allow & deny all keywords behavior, deny first
-genprofile cap:ALL:deny cap:${cap} ${syscall_chroot_extra_entries}
+genprofile qual=deny:cap:ALL cap:${cap} ${syscall_chroot_extra_entries}
 runchecktest "syscall_chroot -- capability ${cap}, implicit allow & deny all keyword, deny first" fail ${syscall_chroot_args}

tests/regression/apparmor/changeprofile.sh

@@ -47,7 +47,7 @@ runchecktest "NO CHANGEPROFILE (access parent file)" pass nochange $file
 runchecktest "NO CHANGEPROFILE (access sub file)" fail nochange $subfile
 
 errno=EACCES
-if [ "$(kernel_features domain/stack)" == "true" ]; then
+if [ "$(kernel_features domain/stack)" = "true" ]; then
 	# The returned errno changed in the set of kernel patches that
 	# introduced AppArmor profile stacking
 	errno=ENOENT

tests/regression/apparmor/coredump.sh

@@ -18,7 +18,7 @@ cleancorefile()
 checkcorefile()
 {
 	# global _testdesc _pfmode _known outfile
-	if [ ${1:0:1} == "x" ] ; then
+	if [ ${1:0:1} = "x" ] ; then
 		requirement=${1#x}
 		_known=" (known problem)"
         else

tests/regression/apparmor/deleted.sh

@@ -65,7 +65,9 @@ okperm=rwl
 badperm=wl
 af_unix=""
 
-if [ "$(kernel_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
+if [ "$(kernel_features network_v8)" = "true" -a "$(parser_supports 'unix,')" = "true" ]; then
+	af_unix="unix:create"
+elif [ "$(kernel_features network/af_unix)" = "true" -a "$(parser_supports 'unix,')" = "true" ]; then
 	af_unix="unix:create"
 fi
 

tests/regression/apparmor/exec_qual.sh

@@ -57,7 +57,7 @@ local_runchecktest()
 
 	checktestbg
 
-	if [ "$teststatus" == "pass" -a -n "$actual_confinement" -a "$actual_confinement" != "$expected_confinement" ]
+	if [ "$teststatus" = "pass" -a -n "$actual_confinement" -a "$actual_confinement" != "$expected_confinement" ]
 	then
 		 echo "Error: ${testname} failed. Test '${_testdesc}' actual confinement '$actual_confinement' differed from expected confinement '$expected_confinement'"
 		testfailed

tests/regression/apparmor/exec_stack.sh

@@ -43,11 +43,19 @@ stackthirdok="change_profile->:&$thirdtest"
 
 touch $file $otherfile $sharedfile $thirdfile
 
-if [ "$(kernel_features domain/fix_binfmt_elf_mmap)" == "true" ]; then
-    elfmmap="m"
-else
-    elfmmap=""
-fi
+# We used to do a conditional test (below) for mmap permissions to
+# address the change introduced by
+# 9f834ec18defc369d73ccf9e87a2790bfa05bf46 but there are too many
+# kernels in the wild with a backport/cherrypick of that commit that
+# skipped cherry-picking 34c426acb75cc21bdf84685e106db0c1a3565057
+# meaning the below conditional check has the wrong results for those
+# kernels. Since this test is not about testing mmap just always add
+# the mmap perm
+#if [ "$(kernel_features domain/fix_binfmt_elf_mmap)" = "true" ]; then
+#    elfmmap="m"
+#else
+#    elfmmap=""
+#fi
 
 # Verify file access and contexts by an unconfined process
 runchecktest "EXEC_STACK (unconfined - file)" pass -f $file
@@ -72,7 +80,7 @@ runchecktest "EXEC_STACK (not stacked - bad mode)" fail -l "$test" -m complain
 
 # Verify file access and contexts by 2 stacked profiles
 genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
-	image=$othertest addimage:$test $otherok $sharedok $getcon $test:r$elfmmap
+	image=$othertest addimage:$test $otherok $sharedok $getcon $test:rm
 runchecktest_errno EACCES "EXEC_STACK (2 stacked - file)" fail -- $test -f $file
 runchecktest_errno EACCES "EXEC_STACK (2 stacked - otherfile)" fail -- $test -f $otherfile
 runchecktest_errno EACCES "EXEC_STACK (2 stacked - thirdfile)" fail -- $test -f $thirdfile
@@ -85,7 +93,7 @@ runchecktest "EXEC_STACK (2 stacked - bad mode)" fail -- $test -l "${test}//&${t
 # Verify file access and contexts by 3 stacked profiles
 genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
 	image=$othertest addimage:$test $otherok $sharedok $getcon $test:"rix -> &$thirdtest" -- \
-	image=$thirdtest addimage:$test $thirdok $sharedok $getcon $test:r$elfmmap
+	image=$thirdtest addimage:$test $thirdok $sharedok $getcon $test:rm
 runchecktest_errno EACCES "EXEC_STACK (3 stacked - file)" fail -- $test -- $test -f $file
 runchecktest_errno EACCES "EXEC_STACK (3 stacked - otherfile)" fail -- $test -- $test -f $otherfile
 runchecktest_errno EACCES "EXEC_STACK (3 stacked - thirdfile)" fail -- $test -- $test -f $thirdfile
@@ -95,7 +103,7 @@ runchecktest "EXEC_STACK (3 stacked - okcon)" pass -- $test -- $test -l "${third
 
 genprofile -I $sharedok $stackotherok $stackthirdok $test:"rix -> &$othertest" -- \
 	image=$othertest addimage:$test $sharedok $stackthirdok $test:"rix -> &$thirdtest" -- \
-	image=$thirdtest addimage:$test $sharedok $stackthirdok $test:r$elfmmap
+	image=$thirdtest addimage:$test $sharedok $stackthirdok $test:rm
 # Triggered an AppArmor WARN in the initial stacking patch set
 runchecktest "EXEC_STACK (3 stacked - old AA WARN)" pass -p $othertest -- $test -p $thirdtest -f $sharedfile
 
@@ -126,7 +134,7 @@ runchecktest "EXEC_STACK (stacked with namespaced profile - okcon)" pass -- $tes
 
 # Verify file access and contexts in mixed mode
 genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
-	image=$othertest flag:complain addimage:$test $otherok $sharedok $getcon $test:r$elfmmap
+	image=$othertest flag:complain addimage:$test $otherok $sharedok $getcon $test:rm
 runchecktest "EXEC_STACK (mixed mode - file)" pass -- $test -f $file
 runchecktest_errno EACCES "EXEC_STACK (mixed mode - otherfile)" fail -- $test -f $otherfile
 runchecktest "EXEC_STACK (mixed mode - sharedfile)" pass -- $test -f $sharedfile

tests/regression/apparmor/mkprofile.pl

@@ -35,10 +35,17 @@ sub usage {
   print STDERR "Usage $0 [--nowarn|--escape] execname [rules]\n";
   print STDERR "      $0 --help\n";
   print STDERR "      $0 --stdin\n";
+  print STDERR "Options:\n";
   print STDERR "  nowarn:      don't warn if execname does not exist\n";
   print STDERR "  nodefault:   don't include default rules/ldd output\n";
   print STDERR "  escape:      escape stuff that would be treated as regexs\n";
   print STDERR "  help:        print this message\n";
+  print STDERR "Rule Qualifiers:\n";
+  print STDERR "  qualifiers can optionally be added to a rule with 'qual='\n";
+  print STDERR "  Examples:\n";
+  print STDERR "    /path/to/file:rw\n";
+  print STDERR "    qual=audit:/path/to/file:rw\n";
+  print STDERR "    qual=audit,deny:/path/to/file:rw\n";
 }
 
 # genprofile passes in $bin:w as default rule atm
@@ -139,185 +146,183 @@ sub gen_binary($) {
   }
 }
 
-sub gen_netdomain($) {
-  my $rule = shift;
+sub gen_netdomain($@) {
+  my ($rule, $qualifier) = @_;
   # only split on single ':'s
   my @rules = split (/(?<!:):(?!:)/, $rule);
   # convert '::' to ':' -- for port designations
   foreach (@rules) { s/::/:/g; }
-  push (@{$output_rules{$hat}}, "  @rules,\n");
+  push (@{$output_rules{$hat}}, "  ${qualifier}@rules,\n");
 }
 
-sub gen_network($) {
-  my $rule = shift;
+sub gen_network($@) {
+  my ($rule, $qualifier) = @_;
   my @rules = split (/:/, $rule);
-  push (@{$output_rules{$hat}}, "  @rules,\n");
+  push (@{$output_rules{$hat}}, "  ${qualifier}@rules,\n");
 }
 
-sub gen_unix($) {
-  my $rule = shift;
+sub gen_unix($@) {
+  my ($rule, $qualifier) = @_;
   if ($rule =~ /^unix:ALL$/) {
     push (@{$output_rules{$hat}}, "  unix,\n");
   } else {
     $rule =~ s/:/ /g;
-    push(@{$output_rules{$hat}}, "  " . $rule . ",\n");
+    push(@{$output_rules{$hat}}, "  " . $qualifier . $rule . ",\n");
   }
 }
 
-sub gen_cap($) {
-  my $rule = shift;
+sub gen_cap($@) {
+  my ($rule, $qualifier) = @_;
   my @rules = split (/:/, $rule);
   if (@rules == 2) {
     if ($rules[1] =~ /^ALL$/) {
-      push (@{$output_rules{$hat}}, "  capability,\n");
+      push (@{$output_rules{$hat}}, "  ${qualifier}capability,\n");
     } else {
-      push (@{$output_rules{$hat}}, "  capability $rules[1],\n");
-    }
-  } elsif (@rules == 3) {
-    if ($rules[1] =~ /^ALL$/) {
-      push (@{$output_rules{$hat}}, "  $rules[2] capability,\n");
-    } else {
-      push (@{$output_rules{$hat}}, "  $rules[2] capability $rules[1],\n");
+      push (@{$output_rules{$hat}}, "  ${qualifier}capability $rules[1],\n");
     }
   } else {
     (!$nowarn) && print STDERR "Warning: invalid capability description '$rule', ignored\n";
   }
 }
 
-sub gen_ptrace($) {
-    my $rule = shift;
+sub gen_ptrace($@) {
+    my ($rule, $qualifier) = @_;
     my @rules = split (/:/, $rule);
     if (@rules == 2) {
 	if ($rules[1] =~ /^ALL$/) {
-	    push (@{$output_rules{$hat}}, "  ptrace,\n");
+	    push (@{$output_rules{$hat}}, "  ${qualifier}ptrace,\n");
 	} else {
-	    push (@{$output_rules{$hat}}, "  ptrace $rules[1],\n");
+	    push (@{$output_rules{$hat}}, "  ${qualifier}ptrace $rules[1],\n");
 	}
     } elsif (@rules == 3) {
-	push (@{$output_rules{$hat}}, "  ptrace $rules[1] $rules[2],\n");
+	push (@{$output_rules{$hat}}, "  ${qualifier}ptrace $rules[1] $rules[2],\n");
     } else {
 	(!$nowarn) && print STDERR "Warning: invalid ptrace description '$rule', ignored\n";
     }
 }
 
-sub gen_signal($) {
-    my $rule = shift;
+sub gen_signal($@) {
+    my ($rule, $qualifier) = @_;
     my @rules = split (/:/, $rule);
     if (@rules == 2) {
 	if ($rules[1] =~ /^ALL$/) {
-	    push (@{$output_rules{$hat}}, "  signal,\n");
+	    push (@{$output_rules{$hat}}, "  ${qualifier}signal,\n");
 	} else {
-	    push (@{$output_rules{$hat}}, "  signal $rules[1],\n");
+	    push (@{$output_rules{$hat}}, "  ${qualifier}signal $rules[1],\n");
 	}
     } elsif (@rules == 3) {
-	push (@{$output_rules{$hat}}, "  signal $rules[1] $rules[2],\n");
+	push (@{$output_rules{$hat}}, "  ${qualifier}signal $rules[1] $rules[2],\n");
     } else {
 	(!$nowarn) && print STDERR "Warning: invalid signal description '$rule', ignored\n";
     }
 }
 
-sub gen_mount($) {
-    my $rule = shift;
+sub gen_mount($@) {
+    my ($rule, $qualifier) = @_;
     my @rules = split (/:/, $rule);
     if (@rules == 2) {
 	if ($rules[1] =~ /^ALL$/) {
-	    push (@{$output_rules{$hat}}, "  mount,\n");
+	    push (@{$output_rules{$hat}}, "  ${qualifier}mount,\n");
 	} else {
-	    push (@{$output_rules{$hat}}, "  mount $rules[1],\n");
+	    push (@{$output_rules{$hat}}, "  ${qualifier}mount $rules[1],\n");
 	}
     } elsif (@rules == 3) {
-	push (@{$output_rules{$hat}}, "  mount $rules[1] $rules[2],\n");
+	push (@{$output_rules{$hat}}, "  ${qualifier}mount $rules[1] $rules[2],\n");
     } elsif (@rules == 4) {
-	push (@{$output_rules{$hat}}, "  mount $rules[1] $rules[2] $rules[3],\n");
+	push (@{$output_rules{$hat}}, "  ${qualifier}mount $rules[1] $rules[2] $rules[3],\n");
     } elsif (@rules == 5) {
-	push (@{$output_rules{$hat}}, "  mount $rules[1] $rules[2] $rules[3] $rules[4],\n");
+	push (@{$output_rules{$hat}}, "  ${qualifier}mount $rules[1] $rules[2] $rules[3] $rules[4],\n");
     } elsif (@rules == 6) {
-	push (@{$output_rules{$hat}}, "  mount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5],\n");
+	push (@{$output_rules{$hat}}, "  ${qualifier}mount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5],\n");
     } elsif (@rules == 7) {
-	push (@{$output_rules{$hat}}, "  mount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5] $rules[6],\n");
+	push (@{$output_rules{$hat}}, "  ${qualifier}mount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5] $rules[6],\n");
     } else {
 	(!$nowarn) && print STDERR "Warning: invalid mount description '$rule', ignored\n";
     }
 }
 
-sub gen_remount($) {
-    my $rule = shift;
+sub gen_remount($@) {
+    my ($rule, $qualifier) = @_;
     my @rules = split (/:/, $rule);
     if (@rules == 2) {
 	if ($rules[1] =~ /^ALL$/) {
-	    push (@{$output_rules{$hat}}, "  remount,\n");
+	    push (@{$output_rules{$hat}}, "  ${qualifier}remount,\n");
 	} else {
-	    push (@{$output_rules{$hat}}, "  remount $rules[1],\n");
+	    push (@{$output_rules{$hat}}, "  ${qualifier}remount $rules[1],\n");
 	}
     } elsif (@rules == 3) {
-	push (@{$output_rules{$hat}}, "  remount $rules[1] $rules[2],\n");
+	push (@{$output_rules{$hat}}, "  ${qualifier}remount $rules[1] $rules[2],\n");
     } elsif (@rules == 4) {
-	push (@{$output_rules{$hat}}, "  remount $rules[1] $rules[2] $rules[3],\n");
+	push (@{$output_rules{$hat}}, "  ${qualifier}remount $rules[1] $rules[2] $rules[3],\n");
     } elsif (@rules == 5) {
-	push (@{$output_rules{$hat}}, "  remount $rules[1] $rules[2] $rules[3] $rules[4],\n");
+	push (@{$output_rules{$hat}}, "  ${qualifier}remount $rules[1] $rules[2] $rules[3] $rules[4],\n");
     } elsif (@rules == 6) {
-	push (@{$output_rules{$hat}}, "  remount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5],\n");
+	push (@{$output_rules{$hat}}, "  ${qualifier}remount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5],\n");
     } elsif (@rules == 7) {
-	push (@{$output_rules{$hat}}, "  remount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5] $rules[6],\n");
+	push (@{$output_rules{$hat}}, "  ${qualifier}remount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5] $rules[6],\n");
     } else {
 	(!$nowarn) && print STDERR "Warning: invalid remount description '$rule', ignored\n";
     }
 }
 
-sub gen_umount($) {
-    my $rule = shift;
+sub gen_umount($@) {
+    my ($rule, $qualifier) = @_;
     my @rules = split (/:/, $rule);
     if (@rules == 2) {
 	if ($rules[1] =~ /^ALL$/) {
-	    push (@{$output_rules{$hat}}, "  umount,\n");
+	    push (@{$output_rules{$hat}}, "  ${qualifier}umount,\n");
 	} else {
-	    push (@{$output_rules{$hat}}, "  umount $rules[1],\n");
+	    push (@{$output_rules{$hat}}, "  ${qualifier}umount $rules[1],\n");
 	}
     } elsif (@rules == 3) {
-	push (@{$output_rules{$hat}}, "  umount $rules[1] $rules[2],\n");
+	push (@{$output_rules{$hat}}, "  ${qualifier}umount $rules[1] $rules[2],\n");
     } elsif (@rules == 4) {
-	push (@{$output_rules{$hat}}, "  umount $rules[1] $rules[2] $rules[3],\n");
+	push (@{$output_rules{$hat}}, "  ${qualifier}umount $rules[1] $rules[2] $rules[3],\n");
     } elsif (@rules == 5) {
-	push (@{$output_rules{$hat}}, "  umount $rules[1] $rules[2] $rules[3] $rules[4],\n");
+	push (@{$output_rules{$hat}}, "  ${qualifier}umount $rules[1] $rules[2] $rules[3] $rules[4],\n");
     } elsif (@rules == 6) {
-	push (@{$output_rules{$hat}}, "  umount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5],\n");
+	push (@{$output_rules{$hat}}, "  ${qualifier}umount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5],\n");
     } elsif (@rules == 7) {
-	push (@{$output_rules{$hat}}, "  umount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5] $rules[6],\n");
+	push (@{$output_rules{$hat}}, "  ${qualifier}umount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5] $rules[6],\n");
     } else {
 	(!$nowarn) && print STDERR "Warning: invalid umount description '$rule', ignored\n";
     }
 }
 
-sub gen_pivot_root($) {
-    my $rule = shift;
+sub gen_pivot_root($@) {
+    my ($rule, $qualifier) = @_;
     my @rules = split (/:/, $rule);
     if (@rules == 2) {
 	if ($rules[1] =~ /^ALL$/) {
-	    push (@{$output_rules{$hat}}, "  pivot_root,\n");
+	    push (@{$output_rules{$hat}}, "  ${qualifier}pivot_root,\n");
 	} else {
-	    push (@{$output_rules{$hat}}, "  pivot_root $rules[1],\n");
+	    push (@{$output_rules{$hat}}, "  ${qualifier}pivot_root $rules[1],\n");
 	}
     } else {
 	(!$nowarn) && print STDERR "Warning: invalid pivot_root description '$rule', ignored\n";
     }
 }
 
-sub gen_file($) {
-  my $rule = shift;
+sub gen_file($@) {
+  my ($rule, $qualifier) = @_;
+  if (!$qualifier) {
+    $qualifier = "";
+  }
+
   my @rules = split (/:/, $rule);
   # default: file rules
   if (@rules == 1) {
       # support raw rules
-      push (@{$output_rules{$hat}}, "  $rules[0],\n");
+      push (@{$output_rules{$hat}}, "  ${qualifier}$rules[0],\n");
   } elsif (@rules == 2) {
     if ($escape) {
       $rules[0]=~ s/(["[\]{}\:])/\\$1/g;
       $rules[0]=~ s/(\#)/\\043/g;
     }
     if ($rules[0]=~ /[\s\!\"\^]/) {
-      push (@{$output_rules{$hat}}, "  \"$rules[0]\" $rules[1],\n");
+      push (@{$output_rules{$hat}}, "  ${qualifier}\"$rules[0]\" $rules[1],\n");
     } else {
-      push (@{$output_rules{$hat}}, "  $rules[0] $rules[1],\n");
+      push (@{$output_rules{$hat}}, "  ${qualifier}$rules[0] $rules[1],\n");
     }
   } else {
     (!$nowarn) && print STDERR "Warning: invalid file access '$rule', ignored\n";
@@ -334,33 +339,33 @@ sub gen_flag($) {
   }
 }
 
-sub gen_change_profile($) {
-    my $rule = shift;
+sub gen_change_profile($@) {
+    my ($rule, $qualifier) = @_;
     my @rules = split (/:/, $rule);
     if (@rules == 2) {
 	if ($rules[1] =~ /^ALL$/) {
-            push (@{$output_rules{$hat}}, "  change_profile,\n",);
+            push (@{$output_rules{$hat}}, "  ${qualifier}change_profile,\n",);
 	} else {
-            push (@{$output_rules{$hat}}, "  change_profile -> $rules[1],\n",);
+            push (@{$output_rules{$hat}}, "  ${qualifier}change_profile -> $rules[1],\n",);
 	}
     } elsif (@rules == 3) {
-        push (@{$output_rules{$hat}}, "  change_profile $rules[1] -> $rules[2],\n",);
+        push (@{$output_rules{$hat}}, "  ${qualifier}change_profile $rules[1] -> $rules[2],\n",);
     } elsif (@rules == 4) {
-        push (@{$output_rules{$hat}}, "  change_profile $rules[1] $rules[2] -> $rules[3],\n",);
+        push (@{$output_rules{$hat}}, "  ${qualifier}change_profile $rules[1] $rules[2] -> $rules[3],\n",);
     } else {
         (!$nowarn) && print STDERR "Warning: invalid change_profile description '$rule', ignored\n";
     }
 }
 
-sub gen_hat($) {
-  my $rule = shift;
+sub gen_hat($@) {
+  my ($rule, $qualifier) = @_;
   my @rules = split (/:/, $rule);
   if (@rules != 2) {
     (!$nowarn) && print STDERR "Warning: invalid hat description '$rule', ignored\n";
   } else {
     $hat = $rules[1];
     # give every profile/hat access to change_hat
-    @{$output_rules{$hat}} = ( "  /proc/*/attr/current w,\n",);
+    @{$output_rules{$hat}} = ( "  ${qualifier}/proc/*/attr/current w,\n",);
   }
 }
 
@@ -398,39 +403,47 @@ sub gen_from_args() {
   }
 
   for my $rule (@ARGV) {
+    my $qualifier = "";
+    if ($rule =~ /^qual=([^:]*):(.*)/) {
+      # Strip qualifiers from rule to pass as separate argument
+      $qualifier = "$1 ";
+      $rule = $2;
+      $qualifier =~ s/,/ /g;
+    }
+
     #($fn, @rules) = split (/:/, $rule);
     if ($rule =~ /^(tcp|udp)/) {
       # netdomain rules
-      gen_netdomain($rule);
+      gen_netdomain($rule, $qualifier);
     } elsif ($rule =~ /^network:/) {
-      gen_network($rule);
+      gen_network($rule, $qualifier);
     } elsif ($rule =~ /^unix:/) {
-      gen_unix($rule);
+      gen_unix($rule, $qualifier);
     } elsif ($rule =~ /^cap:/) {
-      gen_cap($rule);
+      gen_cap($rule, $qualifier);
     } elsif ($rule =~ /^ptrace:/) {
-      gen_ptrace($rule);
+      gen_ptrace($rule, $qualifier);
     } elsif ($rule =~ /^signal:/) {
-      gen_signal($rule);
+      gen_signal($rule, $qualifier);
     } elsif ($rule =~ /^mount:/) {
-      gen_mount($rule);
+      gen_mount($rule, $qualifier);
     } elsif ($rule =~ /^remount:/) {
-      gen_remount($rule);
+      gen_remount($rule, $qualifier);
     } elsif ($rule =~ /^umount:/) {
-      gen_umount($rule);
+      gen_umount($rule, $qualifier);
     } elsif ($rule =~ /^pivot_root:/) {
-      gen_pivot_root($rule);
+      gen_pivot_root($rule, $qualifier);
     } elsif ($rule =~ /^flag:/) {
       gen_flag($rule);
     } elsif ($rule =~ /^hat:/) {
-      gen_hat($rule);
+      gen_hat($rule, $qualifier);
     } elsif ($rule =~ /^change_profile:/) {
-      gen_change_profile($rule);
+      gen_change_profile($rule, $qualifier);
     } elsif ($rule =~ /^addimage:/) {
       gen_addimage($rule);
       $addimage = 1;
     } else {
-      gen_file($rule);
+      gen_file($rule, $qualifier);
     }
   }
 

tests/regression/apparmor/mount.c

@@ -14,27 +14,163 @@
 #include <sys/stat.h>
 #include <sys/mount.h>
 #include <string.h>
+#include <stdlib.h>
+
+struct mnt_keyword_table {
+	const char *keyword;
+	unsigned long set;
+	unsigned long clear;
+};
+
+static struct mnt_keyword_table mnt_opts_table[] = {
+	{ "rw", 0, MS_RDONLY }, /* read-write */
+	{ "ro", MS_RDONLY, 0 }, /* read-only */
+
+	{ "exec",   0, MS_NOEXEC }, /* permit execution of binaries */
+	{ "noexec", MS_NOEXEC, 0 }, /* don't execute binaries */
+
+	{ "suid",   0, MS_NOSUID }, /* honor suid executables */
+	{ "nosuid", MS_NOSUID, 0 }, /* don't honor suid executables */
+
+	{ "dev",   0, MS_NODEV }, /* interpret device files  */
+	{ "nodev", MS_NODEV, 0 }, /* don't interpret devices */
+
+	{ "async", 0, MS_SYNCHRONOUS }, /* asynchronous I/O */
+	{ "sync",  MS_SYNCHRONOUS, 0 }, /* synchronous I/O */
+
+	{ "loud",   0, MS_SILENT }, /* print out messages. */
+	{ "silent", MS_SILENT, 0 }, /* be quiet  */
+
+	{ "nomand", 0, MS_MANDLOCK }, /* forbid mandatory locks on this FS */
+	{ "mand",   MS_MANDLOCK, 0 }, /* allow mandatory locks on this FS */
+
+	{ "atime",   0, MS_NOATIME }, /* update access time */
+	{ "noatime", MS_NOATIME, 0 }, /* do not update access time */
+
+	{ "noiversion", 0, MS_I_VERSION }, /* don't update inode I_version time */
+	{ "iversion",   MS_I_VERSION, 0 }, /* update inode I_version time */
+
+	{ "diratime",   0, MS_NODIRATIME }, /* update dir access times */
+	{ "nodiratime", MS_NODIRATIME, 0 }, /* do not update dir access times */
+
+	{ "nostrictatime", 0, MS_STRICTATIME }, /* kernel default atime */
+	{ "strictatime",   MS_STRICTATIME, 0 }, /* strict atime semantics */
+
+/* MS_LAZYTIME added in 4.0 kernel */
+#ifdef MS_LAZYTIME
+	{ "nolazytime", 0, MS_LAZYTIME },
+	{ "lazytime",   MS_LAZYTIME, 0 }, /* update {a,m,c}time on the in-memory inode only */
+#endif
+
+	{ "acl",   MS_POSIXACL, 0 },
+	{ "noacl", 0, MS_POSIXACL },
+
+	{ "norelatime", 0, MS_RELATIME },
+	{ "relatime",   MS_RELATIME, 0 },
+
+	{ "dirsync", MS_DIRSYNC, 0 }, /* synchronous directory modifications */
+	{ "nodirsync", 0, MS_DIRSYNC },
+
+/* MS_NOSYMFOLLOW added in 5.10 kernel */
+#ifdef MS_NOSYMFOLLOW
+	{ "nosymfollow", MS_NOSYMFOLLOW, 0 },
+	{ "symfollow",   0, MS_NOSYMFOLLOW },
+#endif
+
+	{ "bind",        MS_BIND,                0 }, /* remount part of the tree elsewhere */
+	{ "rbind",       MS_BIND | MS_REC,       0 }, /* idem, plus mounted subtrees */
+	{ "unbindable",  MS_UNBINDABLE,          0 }, /* unbindable */
+	{ "runbindable", MS_UNBINDABLE | MS_REC, 0 },
+	{ "private",     MS_PRIVATE,             0 }, /* private */
+	{ "rprivate",    MS_PRIVATE | MS_REC,    0 },
+	{ "slave",       MS_SLAVE,               0 }, /* slave */
+	{ "rslave",      MS_SLAVE | MS_REC,      0 },
+	{ "shared",      MS_SHARED,              0 }, /* shared */
+	{ "rshared",     MS_SHARED | MS_REC,     0 },
+
+	{ "move", MS_MOVE, 0 },
+
+	{ "remount", MS_REMOUNT, 0 },
+};
+
+const unsigned int mnt_opts_table_size =
+	sizeof(mnt_opts_table) / sizeof(struct mnt_keyword_table);
+
+
+unsigned long get_mnt_opt_bit(char *key)
+{
+	for (unsigned int i = 0; i < mnt_opts_table_size; i++) {
+		if (strcmp(mnt_opts_table[i].keyword, key) == 0) {
+			return mnt_opts_table[i].set;
+		}
+	}
+	fprintf(stderr, "FAIL: invalid option\n");
+	exit(1);
+}
+
+static void usage(char *prog_name)
+{
+	fprintf(stderr, "Usage: %s mount|umount <source> <target> [options]\n", prog_name);
+	fprintf(stderr, "Options are:\n");
+	fprintf(stderr, "-o        flags sent to the mount syscall\n");
+	fprintf(stderr, "-d        data sent to the mount syscall\n");
+	exit(1);
+}
 
 int main(int argc, char *argv[])
 {
-	if (argc != 4) {
-		fprintf(stderr, "usage: %s [mount|umount] loopdev mountpoint\n",
-			argv[0]);
-		return 1;
+	char *options = NULL;
+	char *data = NULL;
+	int index;
+	int c;
+	char *op, *source, *target, *token;
+	unsigned long flags = 0;
+
+	while ((c = getopt (argc, argv, "o:d:h")) != -1) {
+		switch (c)
+		{
+		case 'o':
+			options = optarg;
+			break;
+		case 'd':
+			data = optarg;
+			break;
+		case 'h':
+			usage(argv[0]);
+			break;
+		default:
+			break;
+		}
 	}
 
-	if (strcmp(argv[1], "mount") == 0) {
-		if (mount(argv[2], argv[3], "ext2", 0xc0ed0000 | MS_NODEV, NULL ) == -1) {
+	index = optind;
+	if (argc - optind < 3) {
+		fprintf(stderr, "FAIL: missing positional arguments\n");
+		usage(argv[0]);
+	}
+
+	op = argv[index++];
+	source = argv[index++];
+	target = argv[index++];
+
+	if (options) {
+		token = strtok(options, ",");
+		while (token) {
+			flags |= get_mnt_opt_bit(token);
+			token = strtok(NULL, ",");
+		}
+	}
+
+	if (strcmp(op, "mount") == 0) {
+		if (mount(source, target, "ext2", flags, data) == -1) {
 			fprintf(stderr, "FAIL: mount %s on %s failed - %s\n",
-				argv[2], argv[3], 
-				strerror(errno));
+				source, target,	strerror(errno));
 			return errno;
 		}
-	} else if (strcmp(argv[1], "umount") == 0) {
-		if (umount(argv[3]) == -1) {
+	} else if (strcmp(op, "umount") == 0) {
+		if (umount(target) == -1) {
 			fprintf(stderr, "FAIL: umount %s failed - %s\n",
-				argv[3],
-				strerror(errno));
+				target, strerror(errno));
 			return errno;
 		}
 	} else {

tests/regression/apparmor/mount.sh

@@ -28,9 +28,11 @@ bin=$pwd
 
 mount_file=$tmpdir/mountfile
 mount_point=$tmpdir/mountpoint
+mount_point2=$tmpdir/mountpoint2
 mount_bad=$tmpdir/mountbad
 loop_device="unset" 
 fstype="ext2"
+root_was_shared="no"
 
 setup_mnt() {
 	/bin/mount -n -t${fstype} ${loop_device} ${mount_point}
@@ -41,6 +43,10 @@ remove_mnt() {
 	if [ $? -eq 0 ] ; then
 		/bin/umount -t${fstype} ${mount_point}
 	fi
+	mountpoint -q "${mount_point2}"
+	if [ $? -eq 0 ] ; then
+		/bin/umount -t${fstype} ${mount_point2}
+	fi
 	mountpoint -q "${mount_bad}"
 	if [ $? -eq 0 ] ; then
 		/bin/umount -t${fstype} ${mount_bad}
@@ -53,12 +59,16 @@ mount_cleanup() {
 	then
 		/sbin/losetup -d ${loop_device} &> /dev/null
 	fi
+	if [ "${root_was_shared}" = "yes" ] ; then
+		mount --make-shared /
+	fi
 }
 do_onexit="mount_cleanup"
 
 dd if=/dev/zero of=${mount_file} bs=1024 count=512 2> /dev/null
 /sbin/mkfs -t${fstype} -F ${mount_file} > /dev/null 2> /dev/null
 /bin/mkdir ${mount_point}
+/bin/mkdir ${mount_point2}
 /bin/mkdir ${mount_bad}
 
 # in a modular udev world, the devices won't exist until the loopback
@@ -71,6 +81,199 @@ fi
 loop_device=$(losetup -f) || fatalerror 'Unable to find a free loop device'
 /sbin/losetup "$loop_device" ${mount_file} > /dev/null 2> /dev/null
 
+# systemd mounts / and everything under it MS_SHARED which does
+# not work with "move", so attempt to detect it, and remount /
+# MS_PRIVATE temporarily. snippet from pivot_root.sh
+FINDMNT=/bin/findmnt
+if [ -x "${FINDMNT}" ] && ${FINDMNT} -no PROPAGATION / > /dev/null 2>&1 ; then
+	if [ "$(${FINDMNT} -no PROPAGATION /)" == "shared" ] ; then
+		root_was_shared="yes"
+	fi
+elif [ "$(ps hp1  -ocomm)" = "systemd" ] ; then
+	# no findmnt or findmnt doesn't know the PROPAGATION column,
+	# but init is systemd so assume rootfs is shared
+	root_was_shared="yes"
+fi
+if [ "${root_was_shared}" = "yes" ] ; then
+	mount --make-private /
+fi
+
+options=(
+	# default and non-default options
+	"rw,ro"
+	"exec,noexec"
+	"suid,nosuid"
+	"dev,nodev"
+	"async,sync"
+	"loud,silent"
+	"nomand,mand"
+	"atime,noatime"
+	"noiversion,iversion"
+	"diratime,nodiratime"
+	"nostrictatime,strictatime"
+	"norelatime,relatime"
+	"nodirsync,dirsync"
+	"noacl,acl"
+)
+
+# Options added in newer kernels
+new_options=(
+	"nolazytime,lazytime"
+	"symfollow,nosymfollow"
+)
+
+prop_options=(
+	"unbindable"
+	"runbindable"
+	"private"
+	"rprivate"
+	"slave"
+	"rslave"
+	"shared"
+	"rshared"
+)
+
+combinations=()
+
+setup_all_combinations() {
+	n=${#options[@]}
+	for (( i = 1; i < (1 << n); i++ )); do
+		list=()
+		for (( j = 0; j < n; j++ )); do
+			if (( (1 << j) & i )); then
+				current_options="${options[j]}"
+				nondefault=${current_options#*,}
+				list+=("$nondefault")
+			fi
+		done
+		combination=$(IFS=,; printf "%s" "${list[*]}")
+		combinations+=($combination)
+	done
+}
+
+run_all_combinations_test() {
+	for combination in "${combinations[@]}"; do
+		if [ "$(parser_supports "mount options=($combination),")" = "true" ] ; then
+			genprofile cap:sys_admin "mount:options=($combination)"
+			runchecktest "MOUNT (confined cap mount combination pass test $combination)" pass mount ${loop_device} ${mount_point} -o $combination
+			remove_mnt
+
+			genprofile cap:sys_admin "mount:ALL" "qual=deny:mount:options=($combination)"
+			runchecktest "MOUNT (confined cap mount combination deny test $combination)" fail mount ${loop_device} ${mount_point} -o $combination
+			remove_mnt
+		else
+			echo "    not supported by parser - skipping mount option=($combination),"
+		fi
+
+		genprofile cap:sys_admin "mount:options=(rw)"
+		runchecktest "MOUNT (confined cap mount combination fail test $combination)" fail mount ${loop_device} ${mount_point} -o $combination
+		remove_mnt
+	done
+}
+
+test_nonfs_options() {
+	if [ "$(parser_supports "mount options=($1),")" != "true" ] ; then
+	        echo "    not supported by parser - skipping mount options=($1),"
+		return
+	fi
+
+	genprofile cap:sys_admin "mount:options=($1)"
+	runchecktest "MOUNT (confined cap mount $1)" pass mount ${loop_device} ${mount_point} -o $1
+	remove_mnt
+
+	genprofile cap:sys_admin "mount:ALL" "qual=deny:mount:options=($1)"
+	runchecktest "MOUNT (confined cap mount deny $1)" fail mount ${loop_device} ${mount_point} -o $1
+	remove_mnt
+
+	genprofile cap:sys_admin "mount:options=($1)"
+	runchecktest "MOUNT (confined cap mount bad option $2)" fail mount ${loop_device} ${mount_point} -o $2
+	remove_mnt
+}
+
+test_dir_options() {
+	if [ "$(parser_supports "mount options=($1),")" != "true" ] ; then
+		echo "    not supported by parser - skipping mount option=($1),"
+		return
+	fi
+
+	genprofile cap:sys_admin "mount:ALL"
+	runchecktest "MOUNT (confined cap mount dir setup $1)" pass mount ${loop_device} ${mount_point}
+	genprofile cap:sys_admin "mount:options=($1)"
+	runchecktest "MOUNT (confined cap mount dir $1)" pass mount ${mount_point} ${mount_point2} -o $1
+	remove_mnt
+
+	genprofile cap:sys_admin "mount:ALL" "qual=deny:mount:options=($1)"
+	runchecktest "MOUNT (confined cap mount dir setup 2 $1)" pass mount ${loop_device} ${mount_point}
+	runchecktest "MOUNT (confined cap mount dir deny $1)" fail mount ${mount_point} ${mount_point2} -o $1
+	remove_mnt
+}
+
+test_propagation_options() {
+	if [ "$(parser_supports "mount options=($1),")" != "true" ] ; then
+		echo "    not supported by parser - skipping mount option=($1),"
+		return
+	fi
+
+	genprofile cap:sys_admin "mount:ALL"
+	runchecktest "MOUNT (confined cap mount propagation setup $1)" pass mount ${loop_device} ${mount_point}
+	genprofile cap:sys_admin "mount:options=($1)"
+	runchecktest "MOUNT (confined cap mount propagation $1)" pass mount none ${mount_point} -o $1
+	genprofile cap:sys_admin "mount:options=($1):-> ${mount_point}/"
+	runchecktest "MOUNT (confined cap mount propagation $1 mountpoint)" pass mount none ${mount_point} -o $1
+	genprofile cap:sys_admin "mount:options=($1):${mount_point}/"
+	runchecktest "MOUNT (confined cap mount propagation $1 source as mountpoint - deprecated)" pass mount none ${mount_point} -o $1
+	remove_mnt
+
+	genprofile cap:sys_admin "mount:ALL" "qual=deny:mount:options=($1)"
+	runchecktest "MOUNT (confined cap mount propagation deny setup 2 $1)" pass mount ${loop_device} ${mount_point}
+	runchecktest "MOUNT (confined cap mount propagation deny $1)" fail mount none ${mount_point} -o $1
+	remove_mnt
+}
+
+test_remount() {
+	# setup by mounting first
+	genprofile cap:sys_admin "mount:ALL"
+	runchecktest "MOUNT (confined cap mount remount setup)" pass mount ${loop_device} ${mount_point}
+
+	genprofile cap:sys_admin "mount:options=(remount)"
+	runchecktest "MOUNT (confined cap mount remount option)" pass mount ${loop_device} ${mount_point} -o remount
+
+	genprofile cap:sys_admin "remount:ALL"
+	runchecktest "MOUNT (confined cap mount remount)" pass mount ${loop_device} ${mount_point} -o remount
+
+	genprofile cap:sys_admin "mount:ALL" "qual=deny:mount:options=(remount)"
+	runchecktest "MOUNT (confined cap mount remount deny option)" fail mount ${loop_device} ${mount_point} -o remount
+
+	genprofile cap:sys_admin "qual=deny:remount:ALL"
+	runchecktest "MOUNT (confined cap mount remount deny)" fail mount ${loop_device} ${mount_point} -o remount
+
+	# TODO: add test for remount options
+	remove_mnt
+}
+
+test_options() {
+	for i in "${options[@]}"; do
+		default="${i%,*}"
+		nondefault="${i#*,}"
+
+		test_nonfs_options $default $nondefault
+		test_nonfs_options $nondefault $default
+	done
+
+	for i in "bind" "rbind" "move"; do
+		test_dir_options $i
+	done
+
+	for i in "${prop_options[@]}"; do
+		test_propagation_options $i
+	done
+
+	test_remount
+
+	# the following combinations tests take a long time to complete
+	# setup_all_combinations
+	# run_all_combinations_test
+}
 
 # TEST 1.  Make sure can mount and umount unconfined
 runchecktest "MOUNT (unconfined)" pass mount ${loop_device} ${mount_point}
@@ -80,6 +283,43 @@ setup_mnt
 runchecktest "UMOUNT (unconfined)" pass umount ${loop_device} ${mount_point}
 remove_mnt
 
+# Check mount options that may not be available on this kernel
+for i in "${new_options[@]}"; do
+	default="${i%,*}"
+	if "$bin/mount" mount ${loop_device} ${mount_point} -o $default > /dev/null 2>&1; then
+		remove_mnt
+		options+=($i)
+	else
+		echo "    not supported by kernel - skipping mount options=($i),"
+	fi
+done
+
+for i in "${options[@]}"; do
+	default="${i%,*}"
+	nondefault="${i#*,}"
+
+	runchecktest "MOUNT (unconfined mount $default)" pass mount ${loop_device} ${mount_point} -o $default
+	remove_mnt
+	runchecktest "MOUNT (unconfined mount $nondefault)" pass mount ${loop_device} ${mount_point} -o $nondefault
+	remove_mnt
+done
+
+for i in "bind" "rbind" "move"; do
+	runchecktest "MOUNT (unconfined mount setup $i)" pass mount ${loop_device} ${mount_point}
+	runchecktest "MOUNT (unconfined mount $i)" pass mount ${mount_point} ${mount_point2} -o $i
+	remove_mnt
+done
+
+for i in "${prop_options[@]}"; do
+	runchecktest "MOUNT (unconfined mount dir setup $i)" pass mount ${loop_device} ${mount_point}
+	runchecktest "MOUNT (unconfined mount dir $i)" pass mount none ${mount_point} -o $i
+	remove_mnt
+done
+
+runchecktest "MOUNT (unconfined mount remount setup)" pass mount ${loop_device} ${mount_point}
+runchecktest "MOUNT (unconfined mount remount)" pass mount ${loop_device} ${mount_point} -o remount
+remove_mnt
+
 # TEST A2.  confine MOUNT no perms
 genprofile
 runchecktest "MOUNT (confined no perm)" fail mount ${loop_device} ${mount_point}
@@ -91,6 +331,7 @@ remove_mnt
 
 
 if [ "$(kernel_features mount)" != "true" -o "$(parser_supports 'mount,')" != "true" ] ; then
+	echo "    mount rules not supported, using capability check ..."
 	genprofile capability:sys_admin
 	runchecktest "MOUNT (confined cap)" pass mount ${loop_device} ${mount_point}
 	remove_mnt
@@ -157,6 +398,7 @@ else
 	runchecktest "UMOUNT (confined cap umount:ALL)" pass umount ${loop_device} ${mount_point}
 	remove_mnt
 
+	test_options
 fi
 
-#need tests for move mount, remount, bind mount, chroot
+#need tests for chroot

tests/regression/apparmor/named_pipe.sh

@@ -38,7 +38,7 @@ badchild=r
 # Add genprofile params that are common to all hats here
 common=""
 
-if [ "$(kernel_features signal)" == "true" -a "$(parser_supports 'signal,')" == "true" ] ; then
+if [ "$(kernel_features signal)" = "true" -a "$(parser_supports 'signal,')" = "true" ] ; then
 	# Allow send/receive of all signals
 	common="${common} signal:ALL"
 fi

tests/regression/apparmor/onexec.sh

@@ -44,7 +44,7 @@ do_test()
     shift 4
 
     desc="ONEXEC $desc ($prof -> $target_prof)"
-    if [ "$target_prof" == "nochange" ] ; then
+    if [ "$target_prof" = "nochange" ] ; then
         runchecktest "$desc" $res -l "$prof" -- "$@"
     else
         runchecktest "$desc" $res -O "$target_prof" -l "$prof" -L "$target_prof" -- "$@"

tests/regression/apparmor/pivot_root.sh

@@ -50,7 +50,7 @@ do_onexit="pivot_root_cleanup"
 # MS_PRIVATE temporarily.
 FINDMNT=/bin/findmnt
 if [ -x "${FINDMNT}" ] && ${FINDMNT} -no PROPAGATION / > /dev/null 2>&1 ; then
-	if [ "$(${FINDMNT} -no PROPAGATION /)" == "shared" ] ; then
+	if [ "$(${FINDMNT} -no PROPAGATION /)" = "shared" ] ; then
 		root_was_shared="yes"
 	fi
 elif [ "$(ps hp1  -ocomm)" = "systemd" ] ; then

tests/regression/apparmor/prologue.inc

@@ -86,6 +86,19 @@ requires_kernel_features()
 	fi
 }
 
+requires_any_of_kernel_features()
+{
+	while [ $# -gt 0 ]; do
+		local res=$(kernel_features "$1")
+		if [ "$res" = "true" ] ; then
+			return 0;
+		fi
+		shift
+	done
+	echo "$res. Skipping tests ..."
+	exit 0
+}
+
 # requires_namespace_interface() - exit if namespace interface is not available
 requires_namespace_interface()
 {

tests/regression/apparmor/ptrace.sh

@@ -55,7 +55,7 @@ runchecktest "test 2 -h prog" pass -h -n 100 $helper ${bin_true}
 runchecktest "test 2 -hc prog" pass -h -c -n 100 $helper ${bin_true}
 
 
-if [ "$(kernel_features ptrace)" == "true" -a "$(parser_supports 'ptrace,')" == "true" ] ; then
+if [ "$(kernel_features ptrace)" = "true" -a "$(parser_supports 'ptrace,')" = "true" ] ; then
 	. $bin/ptrace_v6.inc
 else
 	. $bin/ptrace_v5.inc

tests/regression/apparmor/query_label.sh

@@ -93,7 +93,7 @@ querytest()
 	runchecktest "$desc" "$pf" "$expect" "$label" "$perms" $*
 }
 
-if [ "$(kernel_features dbus)" == "true" ]; then
+if [ "$(kernel_features dbus)" = "true" ]; then
     # Check querying of a label that the kernel doesn't know about
     # aa_query_label() should return an error
     expect anything
@@ -217,7 +217,7 @@ fi
 genqueryprofile "file,"
 expect allow
 perms file exec,write,read,append,create,delete,setattr,getattr,chmod,chown,link,linksubset,lock,exec_mmap
-if [ "$(kernel_features query/label/multi_transaction)" == "true" ] ; then
+if [ "$(kernel_features query/label/multi_transaction)" = "true" ] ; then
     querytest "QUERY file (all base perms #1)" pass /anything
     querytest "QUERY file (all base perms #2)" pass /everything
 else

tests/regression/apparmor/socketpair.sh

@@ -37,7 +37,7 @@ af_unix_create_label=""
 af_unix_inherit=""
 aa_enabled="/sys/module/apparmor/parameters/enabled:r"
 
-if [ "$(kernel_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
+if [ "$(kernel_features network/af_unix)" = "true" -a "$(parser_supports 'unix,')" = "true" ]; then
 	# AppArmor requires that the process inheriting the sock file
 	# descriptors have send,receive perms in its profile
 	af_unix_create="unix:(create,getopt)"

tests/regression/apparmor/swap.sh

@@ -29,7 +29,7 @@ bin=$pwd
 
 # check if we can run the test at all
 fstype=$(stat -f --format '%T' "${tmpdir}")
-if [ "${fstype}" == "tmpfs" ] ; then
+if [ "${fstype}" = "tmpfs" ] ; then
 	echo "ERROR: tmpdir '${tmpdir}' is of type tmpfs; can't mount a swapfile on it" 1>&2
 	echo "ERROR: skipping swap tests" 1>&2
 	num_testfailures=1

tests/regression/apparmor/unix_fd_server.sh

@@ -27,7 +27,9 @@ okperm=rw
 badperm=w
 af_unix=""
 
-if [ "$(kernel_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
+if [ "$(kernel_features network_v8)" = "true" -a "$(parser_supports 'unix,')" = "true" ]; then
+	af_unix="unix:create"
+elif [ "$(kernel_features network/af_unix)" = "true" -a "$(parser_supports 'unix,')" = "true" ]; then
 	af_unix="unix:create"
 fi
 
@@ -137,7 +139,7 @@ runchecktest "fd passing; confined -> confined (no perm)" fail $file $socket $fd
 sleep 1
 rm -f ${socket}
 
-if [ "$(kernel_features policy/network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ] ; then
+if [ "$(kernel_features policy/network/af_unix)" = "true" -a "$(parser_supports 'unix,')" = "true" ] ; then
     # FAIL - confined client, no access to the socket file
 
     genprofile $file:$okperm $af_unix $socket:rw $fd_client:px -- image=$fd_client $file:$okperm $af_unix 

tests/regression/apparmor/unix_socket_pathname.sh

@@ -29,7 +29,7 @@ bin=$pwd
 . $bin/prologue.inc
 requires_kernel_features policy/versions/v6
 #af_mask for downgrade test af_unix for full test
-requires_kernel_features network/af_mask
+requires_any_of_kernel_features network/af_mask network_v8/af_mask
 
 settest unix_socket
 
@@ -43,9 +43,9 @@ message=4a0c83d87aaa7afa2baab5df3ee4df630f0046d5bfb7a3080c550b721f401b3b\
 okserver=w
 badserver1=r
 badserver2=
-if [ "$(kernel_features policy/versions/v7)" == "true" ] ; then
+if [ "$(kernel_features policy/versions/v7)" = "true" ] ; then
 	okserver=rw
-	badserver2=w
+#	badserver2=w
 fi
 
 # af_unix support requires 'unix create' to call socket()
@@ -54,9 +54,16 @@ fi
 # af_unix support requires 'unix getattr' to call getsockname()
 af_unix_okserver=
 af_unix_okclient=
-if [ "$(kernel_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ] ; then
+if ( [ "$(kernel_features network_v8/af_unix)" = "true" ] ||
+     [ "$(kernel_features network/af_unix)" = "true" ] ) &&
+     [ "$(parser_supports 'unix,')" = "true" ] ; then
 	af_unix_okserver="create,setopt"
 	af_unix_okclient="create,getopt,setopt,getattr"
+elif [ "$(kernel_features network_v8)" = "true" ] ; then
+#	af_unix_okserver="create,setopt"
+#	af_unix_okclient="create,getopt,setopt,getattr"
+    af_unix_okserver="create"
+    af_unix_okclient="create"
 fi
 
 okclient=rw
@@ -88,7 +95,7 @@ testsocktype()
 	#   https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1373176
 	# get resolved
 	local ex_result="pass"
-	if [ "${socktype}" == "dgram" ] ; then
+	if [ "${socktype}" = "dgram" ] ; then
 		ex_result="xpass"
 	fi
 

utils/apparmor/aa.py

@@ -1247,7 +1247,12 @@ def handle_children(profile, hat, root):
                                 profile_changes[pid] = '%s' % profile
 
                         # Check profile exists for px
-                        if not os.path.exists(get_profile_filename_from_attachment(exec_target, True)):
+                        if exec_target.startswith(('/', '@', '{')):
+                              prof_filename = get_profile_filename_from_attachment(exec_target, True)
+                        else:  # named exec
+                              prof_filename = get_profile_filename_from_profile_name(exec_target, True)
+
+                        if not os.path.exists(prof_filename):
                             ynans = 'y'
                             if 'i' in exec_mode:
                                 ynans = aaui.UI_YesNo(_('A profile for %s does not exist.\nDo you want to create one?') % exec_target, 'n')
@@ -2006,7 +2011,7 @@ def collapse_log():
                                             elif access == 'eavesdrop':
                                                 dbus_event = DbusRule(access, bus, DbusRule.ALL,    DbusRule.ALL,   DbusRule.ALL, DbusRule.ALL, DbusRule.ALL,   DbusRule.ALL, log_event=True)
                                             else:
-                                                raise AppArmorBug('unexpected dbus access: %s')
+                                                raise AppArmorBug('unexpected dbus access: {}'.format(access))
 
                                             if not hat_exists or not is_known_rule(aa[profile][hat], 'dbus', dbus_event):
                                                 log_dict[aamode][profile][hat]['dbus'].add(dbus_event)

utils/apparmor/logparser.py

@@ -343,7 +343,7 @@ class ReadLog:
         elif e['operation'] == 'signal':
             return(e['pid'], e['parent'], 'signal',
                              [profile, hat, prog, aamode, e['denied_mask'], e['signal'], e['peer']])
-        elif e['operation'].startswith('dbus_'):
+        elif e['operation'] and e['operation'].startswith('dbus_'):
             return(e['pid'], e['parent'], 'dbus',
                              [profile, hat, prog, aamode, e['denied_mask'], e['bus'], e['path'], e['name'], e['interface'], e['member'], e['peer_profile']])
         else:
@@ -431,7 +431,9 @@ class ReadLog:
     def op_type(self, event):
         """Returns the operation type if known, unkown otherwise"""
 
-        if ( event['operation'].startswith('file_') or event['operation'].startswith('inode_') or event['operation'] in self.OP_TYPE_FILE_OR_NET ):
+        if event['operation'] and (event['operation'].startswith('file_') or
+                                   event['operation'].startswith('inode_') or
+                                   event['operation'] in self.OP_TYPE_FILE_OR_NET):
             # file or network event?
             if event['family'] and event['protocol'] and event['sock_type']:
                 # 'unix' events also use keywords like 'connect', but protocol is 0 and should therefore be filtered out

utils/test/test-parser-simple-tests.py

@@ -76,6 +76,10 @@ exception_not_raised = [
     'file/bad_re_brace_1.sd',
     'file/bad_re_brace_2.sd',
     'file/bad_re_brace_3.sd',
+    'mount/bad_1.sd',
+    'mount/bad_2.sd',
+    'mount/bad_3.sd',
+    'mount/bad_4.sd',
     'mount/bad_opt_10.sd',
     'mount/bad_opt_11.sd',
     'mount/bad_opt_12.sd',
@@ -100,6 +104,9 @@ exception_not_raised = [
     'mount/bad_opt_7.sd',
     'mount/bad_opt_8.sd',
     'mount/bad_opt_9.sd',
+    'mount/bad_opt_29.sd',
+    'mount/bad_opt_30.sd',
+    'mount/bad_opt_31.sd',
     'profile/flags/flags_bad10.sd',
     'profile/flags/flags_bad11.sd',
     'profile/flags/flags_bad12.sd',