Prepare for AppArmor 2.13.11 release

- update version file

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

common/Version

@@ -1 +1 @@
-2.13.8
+2.13.11

libraries/libapparmor/doc/aa_getcon.pod

@@ -116,6 +116,14 @@ The specified I<file/task> does not exist or is not visible.
 
 The confinement data is too large to fit in the supplied buffer.
 
+=item B<ENOPROTOOPT>
+
+The kernel doesn't support the SO_PEERLABEL option in sockets. This happens
+mainly when the kernel lacks 'fine grained unix mediation' support. It also
+can happen on LSM stacking kernels where another LSM has claimed this
+interface and decides to return this error, although this is really a
+corner case.
+
 =back
 
 =head1 NOTES

libraries/libapparmor/doc/aa_stack_profile.pod

@@ -109,12 +109,12 @@ To immediately stack a profile named "profile_a", as performed with
 aa_stack_profile("profile_a"), the equivalent of this shell command can be
 used:
 
- $ echo -n "stackprofile profile_a" > /proc/self/attr/current
+ $ echo -n "stack profile_a" > /proc/self/attr/current
 
 To stack a profile named "profile_a" at the next exec, as performed with
 aa_stack_onexec("profile_a"), the equivalent of this shell command can be used:
 
- $ echo -n "stackexec profile_a" > /proc/self/attr/exec
+ $ echo -n "stack profile_a" > /proc/self/attr/exec
 
 These raw AppArmor filesystem operations must only be used when using
 libapparmor is not a viable option.
@@ -184,6 +184,7 @@ with apparmor_parser(8):
      /etc/passwd               r,
 
      # Needed for aa_stack_profile()
+     change-profile -> &i_cant_be_trusted_anymore,
      /usr/lib/libapparmor*.so* mr,
      /proc/[0-9]*/attr/current w,
  }

parser/mount.cc

@@ -831,15 +831,28 @@ int mnt_rule::gen_policy_change_mount_type(Profile &prof, int &count,
 	std::string optsbuf;
 	char class_mount_hdr[64];
 	const char *vec[5];
+	char *mountpoint = mnt_point;
 
 	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
 
-	/* change type base rules can not be conditional on device,
-	 * device type or data
+	/* change type base rules can specify the mount point by using
+	 * the parser token position reserved to device. that's why if
+	 * the mount point is not specified, we use device in its
+	 * place. this is a deprecated behavior.
+	 *
+	 * change type base rules can not be conditional on device
+	 * (source), device type or data
 	 */
 	/* rule class single byte header */
 	mntbuf.assign(class_mount_hdr);
-	if (!convert_entry(mntbuf, mnt_point))
+	if (flags && flags != MS_ALL_FLAGS && device && mnt_point) {
+		PERROR("source and mount point cannot be used at the "
+		       "same time for propagation type flags");
+		goto fail;
+	} else if (device && !mnt_point) {
+		mountpoint = device;
+	}
+	if (!convert_entry(mntbuf, mountpoint))
 		goto fail;
 	vec[0] = mntbuf.c_str();
 	/* skip device and type */
@@ -981,7 +994,7 @@ int mnt_rule::gen_flag_rules(Profile &prof, int &count, unsigned int flags,
 		if (!dev_type && !opts &&
 		    gen_policy_bind_mount(prof, count, flags, opt_flags) == RULE_ERROR)
 			return RULE_ERROR;
-		if (!device && !dev_type && !opts &&
+		if ((!device || !mnt_point) && !dev_type && !opts &&
 		    gen_policy_change_mount_type(prof, count, flags, opt_flags) == RULE_ERROR)
 			return RULE_ERROR;
 		if (!dev_type && !opts &&
@@ -997,7 +1010,7 @@ int mnt_rule::gen_flag_rules(Profile &prof, int &count, unsigned int flags,
 		return gen_policy_bind_mount(prof, count, flags, opt_flags);
 	} else if ((allow & AA_MAY_MOUNT) &&
 		   (flags & (MS_MAKE_CMDS))
-		   && !device && !dev_type && !opts) {
+		   && (!device || !mnt_point) && !dev_type && !opts) {
 		return gen_policy_change_mount_type(prof, count, flags, opt_flags);
 	} else if ((allow & AA_MAY_MOUNT) && (flags & MS_MOVE)
 		   && !dev_type && !opts) {

parser/parser_interface.c

@@ -273,7 +273,7 @@ static inline void sd_write_aligned_blob(std::ostringstream &buf, void *b, int b
 	buf.write((const char *) b, b_size);
 }
 
-static void sd_write_strn(std::ostringstream &buf, char *b, int size, const char *name)
+static void sd_write_strn(std::ostringstream &buf, const char *b, int size, const char *name)
 {
 	sd_write_name(buf, name);
 	sd_write8(buf, SD_STRING);
@@ -281,7 +281,7 @@ static void sd_write_strn(std::ostringstream &buf, char *b, int size, const char
 	buf.write(b, size);
 }
 
-static inline void sd_write_string(std::ostringstream &buf, char *b, const char *name)
+static inline void sd_write_string(std::ostringstream &buf, const char *b, const char *name)
 {
 	sd_write_strn(buf, b, strlen(b) + 1, name);
 }
@@ -378,11 +378,7 @@ void sd_serialize_profile(std::ostringstream &buf, Profile *profile,
 	sd_write_struct(buf, "profile");
 	if (flattened) {
 		assert(profile->parent);
-		autofree char *name = (char *) malloc(3 + strlen(profile->name) + strlen(profile->parent->name));
-		if (!name)
-			return;
-		sprintf(name, "%s//%s", profile->parent->name, profile->name);
-		sd_write_string(buf, name, NULL);
+		sd_write_string(buf, profile->get_name(false).c_str(), NULL);
 	} else {
 		sd_write_string(buf, profile->name, NULL);
 	}

parser/tst/equality.sh

@@ -563,6 +563,17 @@ verify_binary_equality "link rules slash filtering" \
                         @{BAR}=/mnt/
                            /t { link @{FOO}/foo -> @{BAR}/bar, }" \
 
+
+# This can potentially fail as ideally it requires a better dfa comparison
+# routine as it can generates hormomorphic dfas. The enumeration of the
+# dfas dumped will be different, even if the binary is the same
+# Note: this test in the future will require -O filter-deny and
+# -O minimize and -O remove-unreachable.
+verify_binary_equality "mount specific deny doesn't affect non-overlapping" \
+			"/t { mount options=bind /e/ -> /**, }" \
+			"/t { audit deny mount /s/** -> /**,
+			      mount options=bind /e/ -> /**, }"
+
 if [ $fails -ne 0 -o $errors -ne 0 ]
 then
 	printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 2>&1

parser/tst/simple_tests/mount/bad_opt_32.sd

@@ -0,0 +1,6 @@
+#
+#=Description test we fail make rules with source and mntpnt associated with MR 1054
+#=EXRESULT FAIL
+/usr/bin/foo {
+    mount options=(slave) /snap/bin/** -> /**,
+}

parser/tst/simple_tests/mount/bad_opt_35.sd

@@ -0,0 +1,6 @@
+#
+#=Description test we fail make rules with source and mntpnt associated with MR 1054
+#=EXRESULT FAIL
+/usr/bin/foo {
+    mount options=(rslave) /snap/bin/** -> /**,
+}

parser/tst/simple_tests/mount/bad_opt_36.sd

@@ -0,0 +1,6 @@
+#
+#=Description test we fail make rules with source and mntpnt associated with MR 1054
+#=EXRESULT FAIL
+/usr/bin/foo {
+    mount options=(unbindable) /snap/bin/** -> /**,
+}

parser/tst/simple_tests/mount/bad_opt_37.sd

@@ -0,0 +1,6 @@
+#
+#=Description test we fail make rules with source and mntpnt associated with MR 1054
+#=EXRESULT FAIL
+/usr/bin/foo {
+    mount options=(runbindable) /snap/bin/** -> /**,
+}

parser/tst/simple_tests/mount/bad_opt_38.sd

@@ -0,0 +1,6 @@
+#
+#=Description test we fail make rules with source and mntpnt associated with MR 1054
+#=EXRESULT FAIL
+/usr/bin/foo {
+    mount options=(private) /snap/bin/** -> /**,
+}

parser/tst/simple_tests/mount/bad_opt_39.sd

@@ -0,0 +1,6 @@
+#
+#=Description test we fail make rules with source and mntpnt associated with MR 1054
+#=EXRESULT FAIL
+/usr/bin/foo {
+    mount options=(rprivate) /snap/bin/** -> /**,
+}

parser/tst/simple_tests/mount/bad_opt_40.sd

@@ -0,0 +1,6 @@
+#
+#=Description test we fail make rules with source and mntpnt associated with MR 1054
+#=EXRESULT FAIL
+/usr/bin/foo {
+    mount options=(shared) /snap/bin/** -> /**,
+}

parser/tst/simple_tests/mount/bad_opt_41.sd

@@ -0,0 +1,6 @@
+#
+#=Description test we fail make rules with source and mntpnt associated with MR 1054
+#=EXRESULT FAIL
+/usr/bin/foo {
+    mount options=(rshared) /snap/bin/** -> /**,
+}

parser/tst/simple_tests/mount/ok_opt_68.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "unbindable" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=unbindable /1,
+  mount options=(unbindable) /2,
+  mount options=(rw,unbindable) /3,
+  mount options in (unbindable) /4,
+  mount options in (ro,unbindable) /5,
+}

parser/tst/simple_tests/mount/ok_opt_69.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "runbindable" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=runbindable /1,
+  mount options=(runbindable) /2,
+  mount options=(rw,runbindable) /3,
+  mount options in (runbindable) /4,
+  mount options in (ro,runbindable) /5,
+}

parser/tst/simple_tests/mount/ok_opt_70.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "rprivate" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=rprivate /1,
+  mount options=(rprivate) /2,
+  mount options=(rw,rprivate) /3,
+  mount options in (rprivate) /4,
+  mount options in (ro,rprivate) /5,
+}

parser/tst/simple_tests/mount/ok_opt_71.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "private" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=private /1,
+  mount options=(private) /2,
+  mount options=(rw,private) /3,
+  mount options in (private) /4,
+  mount options in (ro,private) /5,
+}

parser/tst/simple_tests/mount/ok_opt_72.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "slave" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=slave /1,
+  mount options=(slave) /2,
+  mount options=(rw,slave) /3,
+  mount options in (slave) /4,
+  mount options in (ro,slave) /5,
+}

parser/tst/simple_tests/mount/ok_opt_73.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "rslave" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=rslave /1,
+  mount options=(rslave) /2,
+  mount options=(rw,rslave) /3,
+  mount options in (rslave) /4,
+  mount options in (ro,rslave) /5,
+}

parser/tst/simple_tests/mount/ok_opt_74.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "shared" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=shared /1,
+  mount options=(shared) /2,
+  mount options=(rw,shared) /3,
+  mount options in (shared) /4,
+  mount options in (ro,shared) /5,
+}

parser/tst/simple_tests/mount/ok_opt_75.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "rshared" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=rshared /1,
+  mount options=(rshared) /2,
+  mount options=(rw,rshared) /3,
+  mount options in (rshared) /4,
+  mount options in (ro,rshared) /5,
+}

parser/tst/simple_tests/mount/ok_opt_76.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-unbindable" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=make-unbindable /1,
+  mount options=(make-unbindable) /2,
+  mount options=(rw,make-unbindable) /3,
+  mount options in (make-unbindable) /4,
+  mount options in (ro,make-unbindable) /5,
+}

parser/tst/simple_tests/mount/ok_opt_77.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-runbindable" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=make-runbindable /1,
+  mount options=(make-runbindable) /2,
+  mount options=(rw,make-runbindable) /3,
+  mount options in (make-runbindable) /4,
+  mount options in (ro,make-runbindable) /5,
+}

parser/tst/simple_tests/mount/ok_opt_78.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-private" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=make-private /1,
+  mount options=(make-private) /2,
+  mount options=(rw,make-private) /3,
+  mount options in (make-private) /4,
+  mount options in (ro,make-private) /5,
+}

parser/tst/simple_tests/mount/ok_opt_79.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-rprivate" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=make-rprivate /1,
+  mount options=(make-rprivate) /2,
+  mount options=(rw,make-rprivate) /3,
+  mount options in (make-rprivate) /4,
+  mount options in (ro,make-rprivate) /5,
+}

parser/tst/simple_tests/mount/ok_opt_80.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-slave" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=make-slave /1,
+  mount options=(make-slave) /2,
+  mount options=(rw,make-slave) /3,
+  mount options in (make-slave) /4,
+  mount options in (ro,make-slave) /5,
+}

parser/tst/simple_tests/mount/ok_opt_81.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-shared" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=make-shared /1,
+  mount options=(make-shared) /2,
+  mount options=(rw,make-shared) /3,
+  mount options in (make-shared) /4,
+  mount options in (ro,make-shared) /5,
+}

parser/tst/simple_tests/mount/ok_opt_82.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-rslave" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=make-rslave /1,
+  mount options=(make-rslave) /2,
+  mount options=(rw,make-rslave) /3,
+  mount options in (make-rslave) /4,
+  mount options in (ro,make-rslave) /5,
+}

parser/tst/simple_tests/mount/ok_opt_83.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-rshared" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=make-rshared /1,
+  mount options=(make-rshared) /2,
+  mount options=(rw,make-rshared) /3,
+  mount options in (make-rshared) /4,
+  mount options in (ro,make-rshared) /5,
+}

parser/tst/simple_tests/mount/ok_opt_84.sd

@@ -0,0 +1,8 @@
+#
+#=Description test we can parse rules associated with MR 1054
+#=EXRESULT PASS
+/usr/bin/foo {
+    mount options=(slave) /**,
+    mount options=(slave) -> /**,
+    mount /snap/bin/** -> /**,
+}

profiles/apparmor.d/abstractions/authentication

@@ -30,6 +30,11 @@
   /{usr/,}lib/@{multiarch}/security/pam_*.so      mr,
   /{usr/,}lib/@{multiarch}/security/              r,
 
+  # gssapi
+  /etc/gss/mech               r,
+  /etc/gss/mech.d/            r,
+  /etc/gss/mech.d/*.conf      r,
+
   # kerberos
   #include <abstractions/kerberosclient>
   # SuSE's pwdutils are different:

profiles/apparmor.d/abstractions/base

@@ -60,6 +60,7 @@
   /etc/ld.so.conf                r,
   /etc/ld.so.conf.d/{,*.conf}    r,
   /etc/ld.so.preload             r,
+  /etc/ld-musl-*.path            r,
   /{usr/,}lib{,32,64}/ld{,32,64}-*.so   mr,
   /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so    mr,
   /{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so     mr,
@@ -96,6 +97,9 @@
   @{sys}/devices/system/cpu/online r,
   @{sys}/devices/system/cpu/possible r,
 
+  # transparent hugepage support
+  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
   # glibc's *printf protections read the maps file
   @{PROC}/@{pid}/{maps,auxv,status} r,
 

profiles/apparmor.d/abstractions/fonts

@@ -45,7 +45,7 @@
   owner @{HOME}/.local/share/fonts/**   r,
   owner @{HOME}/.fonts.cache-2          mr,
   owner @{HOME}/.{,cache/}fontconfig/   rw,
-  owner @{HOME}/.{,cache/}fontconfig/** mrl,
+  owner @{HOME}/.{,cache/}fontconfig/** mrwkl,
   owner @{HOME}/.fonts.conf.d/          r,
   owner @{HOME}/.fonts.conf.d/**        r,
   owner @{HOME}/.config/fontconfig/     r,

profiles/apparmor.d/abstractions/kde

@@ -25,6 +25,9 @@
 /etc/kde4rc r,
 /etc/xdg/kdeglobals r,
 /etc/xdg/Trolltech.conf r,
+/usr/share/desktop-base/kf5-settings/baloofilerc r,
+/usr/share/desktop-base/kf5-settings/kdeglobals r,
+/usr/share/desktop-base/kf5-settings/kscreenlockerrc r,
 /usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent()
 /usr/share/kubuntu-default-settings/kf5-settings/* r,
 

profiles/apparmor.d/abstractions/nameservice

@@ -21,6 +21,9 @@
   /etc/passwd             r,
   /etc/protocols          r,
 
+  # On systems with authselect installed, /etc/nsswitch.conf is a symlink to /etc/authselect/nsswitch.conf
+  /{usr/,}etc/authselect/nsswitch.conf r,
+
   # libtirpc (used for NIS/YP login) needs this
   /etc/netconfig r,
 

profiles/apparmor.d/abstractions/snap_browsers

@@ -38,5 +38,6 @@ profile snap_browsers {
   /snap/opera/[0-9]*/meta/{snap.yaml,hooks/} r,
 
   /var/lib/snapd/sequence/{chromium,firefox,opera}.json r,
+  /var/lib/snapd/inhibit/{chromium,firefox,opera}.lock rk,
   # add other browsers here
 }

profiles/apparmor.d/abstractions/ubuntu-browsers.d/kde

@@ -5,3 +5,6 @@
 
   #include <abstractions/kde>
   /usr/bin/kde4-config Cx -> sanitized_helper,
+
+  # https://bugs.kde.org/show_bug.cgi?id=397399
+  /usr/bin/plasma-browser-integration-host Cx -> sanitized_helper,

tests/regression/apparmor/capabilities.sh

@@ -49,14 +49,20 @@ CAPABILITIES="chown dac_override dac_read_search fowner fsetid kill \
 	      sys_admin sys_boot sys_nice sys_resource sys_time \
 	      sys_tty_config mknod lease audit_write audit_control"
 
+# lockdown thwarts both ioperm and iopl
+notlockeddown=TRUE
+if [ -f /sys/kernel/security/lockdown ] && ! grep -q "\[none\]" /sys/kernel/security/lockdown; then
+  notlockeddown=FALSE
+fi
+
 # defines which test+capability pairs should succeed.
 syscall_reboot_sys_boot=TRUE
 syscall_sethostname_sys_admin=TRUE
 syscall_setdomainname_sys_admin=TRUE
 syscall_setpriority_sys_nice=TRUE
 syscall_setscheduler_sys_nice=TRUE
-syscall_ioperm_sys_rawio=TRUE
-syscall_iopl_sys_rawio=TRUE
+syscall_ioperm_sys_rawio=$notlockeddown
+syscall_iopl_sys_rawio=$notlockeddown
 syscall_chroot_sys_chroot=TRUE
 syscall_mlockall_ipc_lock=TRUE
 syscall_sysctl_sys_admin=TRUE
@@ -93,7 +99,13 @@ for TEST in ${TESTS} ; do
 
 	settest ${TEST}
 	# base case, unconfined
-	runchecktest "${TEST} -- unconfined" pass ${my_arg}
+	if [ "${TEST}" = "syscall_ioperm" -a "$notlockeddown" = "FALSE" ] ||
+	   [ "${TEST}" = "syscall_iopl" -a "$notlockeddown" = "FALSE" ]; then
+	    expected=fail
+	else
+	    expected=pass
+	fi
+	runchecktest "${TEST} -- unconfined" ${expected} ${my_arg}
 
 	# no capabilities allowed
 	genprofile ${my_entries}
@@ -107,11 +119,13 @@ for TEST in ${TESTS} ; do
 
 	# all capabilities allowed
 	genprofile cap:ALL ${my_entries}
-	runchecktest "${TEST} -- all caps" pass ${my_arg}
+	runchecktest "${TEST} -- all caps" ${expected} ${my_arg}
 
 	# iterate through each of the capabilities
 	for cap in ${CAPABILITIES} ; do
-		if [ "X$(eval echo \${${TEST}_${cap}})" = "XTRUE" ] ; then
+		if [ ${expected} = "fail" ]; then
+			expected_result=fail
+		elif [ "X$(eval echo \${${TEST}_${cap}})" = "XTRUE" ] ; then
 			expected_result=pass
 		elif [ "${TEST}" = "syscall_ptrace" -a "$(kernel_features ptrace)" = "true" ]; then
 			expected_result=pass
@@ -136,10 +150,12 @@ for TEST in ${TESTS} ; do
 
 	# all capabilities allowed
 	genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} cap:ALL ${my_entries}
-	runchecktest "${TEST} changehat -- all caps" pass $bin/${TEST} ${my_arg}
+	runchecktest "${TEST} changehat -- all caps" ${expected} $bin/${TEST} ${my_arg}
 
 	for cap in ${CAPABILITIES} ; do
-		if [ "X$(eval echo \${${TEST}_${cap}})" = "XTRUE" ] ; then
+		if [ ${expected} = "fail" ]; then
+			expected_result=fail
+		elif [ "X$(eval echo \${${TEST}_${cap}})" = "XTRUE" ] ; then
 			expected_result=pass
 		elif [ "${TEST}" = "syscall_ptrace" -a "$(kernel_features ptrace)" = "true" ]; then
 			expected_result=pass

tests/regression/apparmor/mount.sh

@@ -218,6 +218,10 @@ test_propagation_options() {
 	runchecktest "MOUNT (confined cap mount propagation setup $1)" pass mount ${loop_device} ${mount_point}
 	genprofile cap:sys_admin "mount:options=($1)"
 	runchecktest "MOUNT (confined cap mount propagation $1)" pass mount none ${mount_point} -o $1
+	genprofile cap:sys_admin "mount:options=($1):-> ${mount_point}/"
+	runchecktest "MOUNT (confined cap mount propagation $1 mountpoint)" pass mount none ${mount_point} -o $1
+	genprofile cap:sys_admin "mount:options=($1):${mount_point}/"
+	runchecktest "MOUNT (confined cap mount propagation $1 source as mountpoint - deprecated)" pass mount none ${mount_point} -o $1
 	remove_mnt
 
 	genprofile cap:sys_admin "mount:ALL" "qual=deny:mount:options=($1)"
@@ -394,6 +398,16 @@ else
 	runchecktest "UMOUNT (confined cap umount:ALL)" pass umount ${loop_device} ${mount_point}
 	remove_mnt
 
+	# MR:https://gitlab.com/apparmor/apparmor/-/merge_requests/1054
+	# https://bugs.launchpad.net/apparmor/+bug/2023814
+	# https://bugzilla.opensuse.org/show_bug.cgi?id=1211989
+	# based on rules from profile in bug that triggered issue
+	genprofile cap:sys_admin "qual=deny:mount:/snap/bin/:-> /**" \
+				 "mount:options=(rw,bind):-> ${mount_point}/"
+
+	runchecktest "MOUNT (confined cap bind mount with deny mount that doesn't overlap)" pass mount ${mount_point2} ${mount_point} -o bind
+	remove_mnt
+
 	test_options
 fi
 

tests/regression/apparmor/syscall.sh

@@ -150,13 +150,19 @@ i386 | i486 | i586 | i686 | x86 | x86_64)
 # But don't run them on xen kernels
 if [ ! -d /proc/xen ] ; then
 
+# lockdown thwarts both ioperm and iopl
+expected=pass
+if [ -f /sys/kernel/security/lockdown ] && ! grep -q "\[none\]" /sys/kernel/security/lockdown; then
+  expected=fail
+fi
+
 ##
 ## F. IOPERM
 ##
 settest syscall_ioperm
 
 # TEST F1
-runchecktest "IOPERM (no confinement)" pass 0 0x3ff
+runchecktest "IOPERM (no confinement)" $expected 0 0x3ff
 
 # TEST F2. ioperm will fail
 genprofile
@@ -169,7 +175,7 @@ runchecktest "IOPERM (confinement)" fail 0 0x3ff
 settest syscall_iopl
 
 # TEST G1
-runchecktest "IOPL (no confinement)" pass 3
+runchecktest "IOPL (no confinement)" $expected 3
 
 # TEST G2. iopl will fail
 genprofile

tests/regression/apparmor/tcp.sh

@@ -14,8 +14,14 @@ pwd=`cd $pwd ; /bin/pwd`
 
 bin=$pwd
 
+# TODO:
+# need to update so we can run the test for ech supported
+# need to be able to modify the compile features to choose the
+# kernel feature supported
+# need to be able to query the parser if it supports the
+# kernel feature
 . $bin/prologue.inc
-requires_kernel_features network
+requires_any_of_kernel_features network network_v8
 
 port=34567
 ip="127.0.0.1"

utils/aa-unconfined

@@ -99,6 +99,15 @@ def get_pids_netstat(netstat='netstat'):
     return pids
 
 
+def escape_special_chars(data):
+    """escape special characters in program names so that they can't mess up the terminal"""
+    data = repr(data)
+    if len(data) > 1 and data.startswith("'") and data.endswith("'"):
+        return data[1:-1]
+    else:
+        return data
+
+
 pids = set()
 if paranoid:
     pids = get_all_pids()
@@ -110,6 +119,7 @@ else:
 for pid in sorted(map(int, pids)):
     try:
         prog = os.readlink("/proc/%s/exe" % pid)
+        prog = escape_special_chars(prog)
     except OSError:
         continue
     attr = None
@@ -127,6 +137,7 @@ for pid in sorted(map(int, pids)):
         pname = cmdline.split("\0")[0]
     if '/' in pname and pname != prog:
         pname = "(%s)" % pname
+        pname = escape_special_chars(pname)
     else:
         pname = ""
     regex_interpreter = re.compile(r"^(/usr)?/bin/(python|perl|bash|dash|sh)$")
@@ -134,6 +145,7 @@ for pid in sorted(map(int, pids)):
         if regex_interpreter.search(prog):
             cmdline = re.sub(r"\x00", " ", cmdline)
             cmdline = re.sub(r"\s+$", "", cmdline).strip()
+            cmdline = escape_special_chars(cmdline)
 
             ui.UI_Info(_("%(pid)s %(program)s (%(commandline)s) not confined") % {'pid': pid, 'program': prog, 'commandline': cmdline})
         else:
@@ -144,6 +156,7 @@ for pid in sorted(map(int, pids)):
         if regex_interpreter.search(prog):
             cmdline = re.sub(r"\0", " ", cmdline)
             cmdline = re.sub(r"\s+$", "", cmdline).strip()
+            cmdline = escape_special_chars(cmdline)
             ui.UI_Info(_("%(pid)s %(program)s (%(commandline)s) confined by '%(attribute)s'") % {'pid': pid, 'program': prog, 'commandline': cmdline, 'attribute': attr})
         else:
             if pname and pname[-1] == ')':

utils/apparmor/aa.py

@@ -2025,6 +2025,9 @@ def collapse_log():
 
                 ptrace = prelog[aamode][profile][hat]['ptrace']
                 for peer in ptrace.keys():
+                    if '//null-' in peer:
+                        continue  # ignore null-* peers
+
                     for access in ptrace[peer].keys():
                         ptrace_event = PtraceRule(access, peer, log_event=True)
                         if not hat_exists or not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event):
@@ -2032,6 +2035,9 @@ def collapse_log():
 
                 sig = prelog[aamode][profile][hat]['signal']
                 for peer in sig.keys():
+                    if '//null-' in peer:
+                        continue  # ignore null-* peers
+
                     for access in sig[peer].keys():
                         for signal in sig[peer][access].keys():
                             signal_event = SignalRule(access, signal, peer, log_event=True)

utils/test/test-parser-simple-tests.py

@@ -107,6 +107,14 @@ exception_not_raised = [
     'mount/bad_opt_29.sd',
     'mount/bad_opt_30.sd',
     'mount/bad_opt_31.sd',
+    'mount/bad_opt_32.sd',
+    'mount/bad_opt_35.sd',
+    'mount/bad_opt_36.sd',
+    'mount/bad_opt_37.sd',
+    'mount/bad_opt_38.sd',
+    'mount/bad_opt_39.sd',
+    'mount/bad_opt_40.sd',
+    'mount/bad_opt_41.sd',
     'profile/flags/flags_bad10.sd',
     'profile/flags/flags_bad11.sd',
     'profile/flags/flags_bad12.sd',