Fix up the profiles make install target for the tunables/multiarch.d/

change.

Makefile

@@ -16,7 +16,7 @@ DIRS=parser \
      common \
      tests
 
-REPO_URL?=lp:apparmor
+REPO_URL?=lp:apparmor/2.6
 # alternate possibilities to export from
 #REPO_URL=.
 #REPO_URL="bzr+ssh://bazaar.launchpad.net/~sbeattie/+junk/apparmor-dev/"

README

@@ -17,7 +17,8 @@ library, available under the LGPL license, which allows change_hat(2)
 and change_profile(2) to be used by non-GPL binaries).
 
 For more information, you can read the techdoc.pdf (available after
-building the parser) and http://apparmor.wiki.kernel.org.
+building the parser) and by visiting the http://apparmor.net/ web
+site.
 
 
 -------------
@@ -29,13 +30,26 @@ AppArmor consists of several different parts:
 changehat/	source for using changehat with Apache, PAM and Tomcat
 common/		common makefile rules
 desktop/	empty
-kernel-patches/	patches for various kernel versions
+kernel-patches/	compatibility patches for various kernel versions
 libraries/	libapparmor source and language bindings
 parser/		source for parser/loader and corresponding documentation
 profiles/	configuration files, reference profiles and abstractions
 tests/		regression and stress testsuites
 utils/		high-level utilities for working with AppArmor
 
+--------------------------------------
+Important note on AppArmor kernel code
+--------------------------------------
+
+While most of the kernel AppArmor code has been accepted in the
+upstream Linux kernel, a few important pieces were not included. These
+missing pieces unfortunately are important bits for AppArmor userspace
+and kernel interaction; therefore we have included compatibility
+patches in the kernel-patches/ subdirectory, versioned by upstream
+kernel (2.6.37 patches should apply cleanly to 2.6.38 source).
+
+Without these patches applied to the kernel, the AppArmor userspace
+will not function correctly.
 
 ------------------------------------------
 Building and Installing AppArmor Userspace
@@ -48,10 +62,14 @@ the following order.
 libapparmor:
 $ cd ./libraries/libapparmor
 $ sh ./autogen.sh
-$ sh ./configure --prefix=/usr --with-perl
+$ sh ./configure --prefix=/usr --with-perl	# see below
 $ make
 $ make check
 
+[optional arguments to libapparmor's configure include --with-python
+ and --with-ruby, to generate python and ruby bindings to libapparmor,
+ respectively.]
+
 
 Utilities:
 $ cd utils
@@ -69,23 +87,23 @@ $ make install
 
 Apache mod_apparmor:
 $ cd changehat/mod_apparmor
-$ LIBS="-lapparmor" make
+$ make		# depends on libapparmor having been built first
 $ make install
 
 
 PAM AppArmor:
 $ cd changehat/pam_apparmor
-$ LIBS="-lapparmor -lpam" make
+$ make		# depends on libapparmor having been built first
 $ make install
 
 
 Profiles:
 $ cd profiles
 $ make
+$ make check	# depends on the parser having been built first
 $ make install
 
 
-
 -------------------
 AppArmor Testsuites
 -------------------
@@ -123,6 +141,14 @@ For details on structure and adding tests, see libraries/libapparmor/README.
 $ cd libraries/libapparmor
 $ make check
 
+Profile checks
+--------------
+A basic consistency check to ensure that the parser and aa-logprof parse
+successfully the current set of shipped profiles. The system or other
+parser and logprof can be passed in by overriding the PARSER and LOGPROF
+variables.
+$ cd profiles
+$ make && make check
 
 Stress Tests
 ------------

changehat/mod_apparmor/Makefile

@@ -41,12 +41,15 @@ APXS:=$(shell if [ -x "/usr/sbin/apxs2" ] ; then \
 	      fi ) 
 APXS_INSTALL_DIR=$(shell ${APXS} -q LIBEXECDIR)
 DESTDIR=
-LIBAPPARMOR_FLAGS="-I../../libraries/libapparmor/src -L../../libraries/libapparmor/src/.libs -lapparmor"
+# Need to pass -Wl twice here to get past both apxs2 and libtool, as
+# libtool will add the path to the RPATH of the library if passed -L/some/path
+LIBAPPARMOR_FLAGS=-I../../libraries/libapparmor/src -Wl,-Wl,-L../../libraries/libapparmor/src/.libs
+LDLIBS=-lapparmor
 
 all: $(TARGET) ${MANPAGES} ${HTMLMANPAGES}
 
 %.so: %.c
-	${APXS} ${LIBAPPARMOR_FLAGS} -c $<
+	${APXS} ${LIBAPPARMOR_FLAGS} -c $< ${LDLIBS}
 	mv .libs/$@ .
 
 .PHONY: install

common/Version

@@ -1 +1 @@
-2.6.0
+2.6.1

parser/Makefile

@@ -196,7 +196,7 @@ parser_version.h: Makefile
 # These are the families that it doesn't make sense for apparmor to mediate.
 # We use PF_ here since that is what is required in bits/socket.h, but we will
 # rewrite these as AF_.
-FILTER_FAMILIES=PF_RXRPC PF_MAX PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK PF_LLC PF_IUCV PF_TIPC PF_CAN PF_ISDN PF_PHONET
+FILTER_FAMILIES=PF_MAX PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK
 
 __FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
 

parser/parser.h

@@ -179,6 +179,7 @@ struct var_string {
 #define FLAG_CHANGEHAT_1_4  2
 #define FLAG_CHANGEHAT_1_5  3
 extern int kernel_supports_network;
+extern int net_af_max_override;
 extern int flag_changehat_version;
 extern int read_implies_exec;
 extern dfaflags_t dfaflags;

parser/parser_main.c

@@ -90,6 +90,7 @@ char *flags_string = NULL;
 int regex_type = AARE_DFA;
 int perms_create = 0;		/* perms contain create flag */
 int kernel_supports_network = 1;	/* kernel supports network rules */
+int net_af_max_override = -1;		/* use kernel to determine af_max */
 char *profile_namespace = NULL;
 int flag_changehat_version = FLAG_CHANGEHAT_1_5;
 FILE *ofile = NULL;
@@ -804,6 +805,7 @@ int process_profile(int option, char *profilename)
 	char * cachename = NULL;
 	char * cachetemp = NULL;
 	char *basename = NULL;
+	FILE *cmd;
 
 	/* per-profile states */
 	force_complain = opt_force_complain;
@@ -851,6 +853,12 @@ int process_profile(int option, char *profilename)
 		update_mru_tstamp(yyin);
 	}
 
+	cmd = fopen("/proc/self/exe", "r");
+	if (cmd) {
+		update_mru_tstamp(cmd);
+		fclose(cmd);
+	}
+
 	retval = yyparse();
 	if (retval != 0)
 		goto out;

parser/parser_misc.c

@@ -29,6 +29,10 @@
 #include <linux/limits.h>
 #include <arpa/inet.h>
 #include <linux/capability.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
 
 #include "parser.h"
 #include "parser_yacc.h"
@@ -203,6 +207,69 @@ static struct network_tuple network_mappings[] = {
 	{NULL, 0, NULL, 0, NULL, 0}
 };
 
+/* The apparmor kernel patches up until 2.6.38 didn't handle networking
+ * tables with sizes > AF_MAX correctly.  This could happen when the
+ * parser was built against newer kernel headers and then used to load
+ * policy on an older kernel.  This could happen during upgrades or
+ * in multi-kernel boot systems.
+ *
+ * Try to detect the running kernel version and use that to determine
+ * AF_MAX
+ */
+#define PROC_VERSION "/proc/sys/kernel/osrelease"
+static size_t kernel_af_max(void) {
+	char buffer[32];
+	int major;
+	int fd, res;
+
+	if (!net_af_max_override) {
+		return 0;
+	}
+	/* the override parameter is specifying the max value */
+	if (net_af_max_override > 0)
+		return net_af_max_override;
+
+	fd = open(PROC_VERSION, O_RDONLY);
+	if (!fd)
+		/* fall back to default provided during build */
+		return 0;
+	res = read(fd, &buffer, sizeof(buffer));
+	close(fd);
+	if (!res)
+		return 0;
+	buffer[sizeof(buffer)-1] = '\0';
+	res = sscanf(buffer, "2.6.%d", &major);
+	if (res != 1)
+		return 0;
+
+	switch(major) {
+	case 24:
+	case 25:
+	case 26:
+		return 34;
+	case 27:
+		return 35;
+	case 28:
+	case 29:
+	case 30:
+		return 36;
+	case 31:
+	case 32:
+	case 33:
+	case 34:
+	case 35:
+		return 37;
+	case 36:
+	case 37:
+		return 38;
+	/* kernels .38 and later should handle this correctly so no
+	 * static mapping needed
+	 */
+	default:
+		return 0;
+	}
+}
+
 /* Yuck. We grab AF_* values to define above from linux/socket.h because
  * they are more accurate than sys/socket.h for what the kernel actually
  * supports. However, we can't just include linux/socket.h directly,
@@ -213,13 +280,29 @@ static struct network_tuple network_mappings[] = {
  * hence the wrapping function.
  */
 size_t get_af_max() {
+	size_t af_max;
 	/* HACK: declare that version without "create" had a static AF_MAX */
-	if (!perms_create) return 36;
+	if (!perms_create && !net_af_max_override)
+		net_af_max_override = -1;
+
 #if AA_AF_MAX > AF_MAX
-	return AA_AF_MAX;
+	af_max = AA_AF_MAX;
 #else
-	return AF_MAX;
+	af_max = AF_MAX;
 #endif
+
+	/* HACK: some kernels didn't handle network tables from parsers
+	 * compiled against newer kernel headers as they are larger than
+	 * the running kernel expected.  If net_override is defined check
+	 * to see if there is a static max specified for that kernel
+	 */
+	if (net_af_max_override) {
+		size_t max = kernel_af_max();
+		if (max && max < af_max)
+			return max;
+	}
+
+	return af_max;
 }
 struct aa_network_entry *new_network_ent(unsigned int family,
 					 unsigned int type,

parser/parser_regex.c

@@ -392,6 +392,8 @@ static int process_profile_name_xmatch(struct codomain *cod)
 		name = local_name(cod->name);
 	ptype = convert_aaregex_to_pcre(name, 0, tbuf, PATH_MAX + 3,
 					&cod->xmatch_len);
+	if (ptype == ePatternBasic)
+		cod->xmatch_len = strlen(name);
 
 	if (ptype == ePatternInvalid) {
 		PERROR(_("%s: Invalid profile name '%s' - bad regular expression\n"), progname, name);
@@ -414,8 +416,14 @@ static int process_profile_name_xmatch(struct codomain *cod)
 			struct alt_name *alt;
 			list_for_each(cod->altnames, alt) {
 				int len;
-				convert_aaregex_to_pcre(alt->name, 0, tbuf,
+				ptype = convert_aaregex_to_pcre(alt->name, 0,
-							PATH_MAX + 3, &len);
+								tbuf,
+								PATH_MAX + 3,
+								&len);
+				if (ptype == ePatternBasic)
+					len = strlen(alt->name);
+				if (len < cod->xmatch_len)
+					cod->xmatch_len = len;
 				if (!aare_add_rule(rule, tbuf, 0, AA_MAY_EXEC, 0, dfaflags)) {
 					aare_delete_ruleset(rule);
 					return FALSE;

parser/rc.apparmor.functions

@@ -170,7 +170,7 @@ parse_profiles() {
 			exit 1
 			;;
 	esac
-	aa_log_action_begin "$PARSER_MSG"
+	aa_log_action_start "$PARSER_MSG"
 	# run the parser on all of the apparmor profiles
 	if [ ! -f "$PARSER" ]; then
 		aa_log_failure_msg "AppArmor parser not found"
@@ -409,9 +409,9 @@ remove_profiles() {
 
 	retval=0
 	#the list of profiles isn't stable once we start adding or removing
-	#them so stor to tmp first
+	#them so store to tmp first (in reverse order so hat profiles are removed first)
 	MODULE_PLIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
-	sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | sort >"$MODULE_PLIST"
+	sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | sort -r > "$MODULE_PLIST"
 	cat "$MODULE_PLIST" | while read profile ; do
 		echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
 		rc=$?
@@ -427,7 +427,7 @@ apparmor_stop() {
 	aa_log_daemon_msg "Unloading AppArmor profiles "
 	remove_profiles
 	rc=$?
-	log_end_msg $rc
+	aa_log_end_msg $rc
 	return $rc
 }
 

parser/tst/caching.sh

@@ -94,3 +94,13 @@ sleep $timeout
 touch $basedir/cache/$profile
 ../apparmor_parser $ARGS -v -r $basedir/$profile | grep -q 'Cached reload succeeded' || { echo "FAIL"; exit 1; }
 echo "ok"
+
+echo -n "Cache reading is skipped when parser is newer: "
+mkdir $basedir/parser
+cp ../apparmor_parser $basedir/parser/
+$basedir/parser/apparmor_parser $ARGS -v -r $basedir/$profile | grep -q 'Replacement succeeded for' || { echo "FAIL"; exit 1; }
+echo "ok"
+
+echo -n "Cache reading is skipped when parser in \$PATH is newer: "
+(PATH=$basedir/parser/ /bin/sh -c "apparmor_parser $ARGS -v -r $basedir/$profile") | grep -q 'Replacement succeeded for' || { echo "FAIL"; exit 1; }
+echo "ok"

profiles/Makefile

@@ -20,7 +20,7 @@
 # Makefile for LSM-based AppArmor profiles
 
 NAME=apparmor-profiles
-ALL:
+ALL: local
 COMMONDIR=../common/
 
 include common/Make.rules
@@ -38,7 +38,7 @@ PROFILES_SOURCE=./apparmor.d
 EXTRAS_SOURCE=./apparmor/profiles/extras/
 SUBDIRS_MUST_BE_SKIPPED=${PROFILES_SOURCE}/abstractions ${PROFILES_SOURCE}/apache2.d ${PROFILES_SOURCE}/program-chunks ${PROFILES_SOURCE}/tunables ${PROFILES_SOURCE}/local
 PROFILES_TO_COPY=$(filter-out ${SUBDIRS_MUST_BE_SKIPPED}, $(wildcard ${PROFILES_SOURCE}/*))
-TUNABLES_TO_COPY=$(filter-out ${PROFILES_SOURCE}/tunables/home.d, $(wildcard ${PROFILES_SOURCE}/tunables/*))
+TUNABLES_TO_COPY=$(filter-out ${PROFILES_SOURCE}/tunables/home.d ${PROFILES_SOURCE}/tunables/multiarch.d, $(wildcard ${PROFILES_SOURCE}/tunables/*))
 ABSTRACTIONS_TO_COPY=$(filter-out ${PROFILES_SOURCE}/abstractions/ubuntu-browsers.d, $(wildcard ${PROFILES_SOURCE}/abstractions/*))
 
 local:
@@ -64,6 +64,7 @@ install: local
 	install -m 644 ${PROFILES_SOURCE}/program-chunks/* ${PROFILES_DEST}/program-chunks
 	install -m 644 ${TUNABLES_TO_COPY} ${PROFILES_DEST}/tunables
 	install -m 644 ${PROFILES_SOURCE}/tunables/home.d/* ${PROFILES_DEST}/tunables/home.d
+	install -m 644 ${PROFILES_SOURCE}/tunables/multiarch.d/* ${PROFILES_DEST}/tunables/multiarch.d
 	install -m 755 -d ${EXTRAS_DEST}
 	install -m 644 ${EXTRAS_SOURCE}/* ${EXTRAS_DEST}
 	install -m 644 ${PROFILES_SOURCE}/local/* ${PROFILES_DEST}/local
@@ -81,23 +82,22 @@ endif
 
 ifndef PARSER
 # use system parser
-PARSER=/sbin/apparmor_parser
+PARSER=../parser/apparmor_parser
 endif
 
 ifndef LOGPROF
-# use system logprof
+# use ../utils logprof
-LOGPROF=/usr/sbin/aa-logprof
+LOGPROF=perl -I../utils/ ../utils/aa-logprof
 endif
 
-EXTRAS_PATH=${EXTRAS_SOURCE}/profiles/extras
+IGNORE_FILES=${EXTRAS_SOURCE}/README
-IGNORE_FILES=${EXTRAS_PATH}/README
+CHECK_PROFILES=$(filter-out ${IGNORE_FILES} ${SUBDIRS_MUST_BE_SKIPPED}, $(wildcard ${PROFILES_SOURCE}/*) $(wildcard ${EXTRAS_SOURCE}/*))
-CHECK_PROFILES=$(filter-out ${IGNORE_FILES}, $(wildcard ${PROFILES_SOURCE}/*) $(wildcard ${EXTRAS_PATH}/*))
 
 .PHONY: check
 check:
-	@echo "*** Checking profiles from ${PROFILES_SOURCE} and ${EXTRAS_PATH} against apparmor_parser"
+	@echo "*** Checking profiles from ${PROFILES_SOURCE} and ${EXTRAS_SOURCE} against apparmor_parser"
 	$(Q)for profile in ${CHECK_PROFILES} ; do \
-		${PARSER} -S -I ${PWD}/apparmor.d $${profile} > /dev/null ; \
+		${PARSER} -S -b ${PWD}/apparmor.d $${profile} > /dev/null || exit 1; \
 	done
 	@echo "*** Checking profiles from ${PROFILES_SOURCE} against logprof"
-	$(Q)${LOGPROF} -d ${PROFILES_SOURCE} -f /dev/null
+	$(Q)${LOGPROF} -d ${PROFILES_SOURCE} -f /dev/null || exit 1

profiles/apparmor.d/abstractions/authentication

@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2009 Novell/SUSE
-#    Copyright (C) 2009 Canonical Ltd
+#    Copyright (C) 2009-2011 Canonical Ltd
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -25,6 +25,9 @@
   /lib{,32,64}/security/pam_filter/*  mr,
   /lib{,32,64}/security/pam_*.so      mr,
   /lib{,32,64}/security/              r,
+  /lib/@{multiarch}/security/pam_filter/*  mr,
+  /lib/@{multiarch}/security/pam_*.so      mr,
+  /lib/@{multiarch}/security/              r,
 
   # kerberos
   #include <abstractions/kerberosclient>

profiles/apparmor.d/abstractions/base

@@ -2,7 +2,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2009 Novell/SUSE
-#    Copyright (C) 2009 Canonical Ltd.
+#    Copyright (C) 2009-2011 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -36,6 +36,8 @@
   /usr/lib{,32,64}/locale/**             mr,
   /usr/lib{,32,64}/gconv/*.so            mr,
   /usr/lib{,32,64}/gconv/gconv-modules*  mr,
+  /usr/lib/@{multiarch}/gconv/*.so          mr,
+  /usr/lib/@{multiarch}/gconv/gconv-modules mr,
 
   # used by glibc when binding to ephemeral ports
   /etc/bindresvport.blacklist    r,
@@ -45,17 +47,26 @@
   /etc/ld.so.cache               mr,
   /lib{,32,64}/ld{,32,64}-*.so   mrix,
   /lib{,32,64}/**/ld{,32,64}-*.so     mrix,
+  /lib/@{multiarch}/ld{,32,64}-*.so    mrix,
   /lib/tls/i686/{cmov,nosegneg}/ld-*.so     mrix,
+  /lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so     mrix,
   /opt/*-linux-uclibc/lib/ld-uClibc*so* mrix,
 
   # we might as well allow everything to use common libraries
   /lib{,32,64}/**                r,
   /lib{,32,64}/lib*.so*          mr,
   /lib{,32,64}/**/lib*.so*       mr,
+  /lib/@{multiarch}/**            r,
+  /lib/@{multiarch}/lib*.so*      mr,
+  /lib/@{multiarch}/**/lib*.so*   mr,
   /usr/lib{,32,64}/**            r,
   /usr/lib{,32,64}/*.so*         mr,
   /usr/lib{,32,64}/**/lib*.so*   mr,
+  /usr/lib/@{multiarch}/**          r,
+  /usr/lib/@{multiarch}/lib*.so*    mr,
+  /usr/lib/@{multiarch}/**/lib*.so* mr,
   /lib/tls/i686/{cmov,nosegneg}/lib*.so*    mr,
+  /lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/lib*.so*    mr,
 
   # /dev/null is pretty harmless and frequently used
   /dev/null                      rw,

profiles/apparmor.d/abstractions/gnome

@@ -2,7 +2,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2009 Novell/SUSE
-#    Copyright (C) 2009-2010 Canonical Ltd.
+#    Copyright (C) 2009-2011 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -19,6 +19,7 @@
   /etc/gnome/gtkrc*               r,
   /etc/gtk/*                      r,
   /usr/lib{,32,64}/gtk/**         mr,
+  /usr/lib/@{multiarch}/gtk/**    mr,
   /usr/share/themes/**            r,
 
   # for gnome 1 applications
@@ -31,6 +32,9 @@
   /usr/lib{,32,64}/pango/**       mr,
   /usr/lib{,32,64}/gtk-*/**       mr,
   /usr/lib{,32,64}/gdk-pixbuf-*/** mr,
+  /usr/lib/@{multiarch}/pango/**        mr,
+  /usr/lib/@{multiarch}/gtk-*/**        mr,
+  /usr/lib/@{multiarch}/gdk-pixbuf-*/** mr,
 
   # per-user gtk configuration
   @{HOME}/.gnome/Gnome            r,
@@ -60,6 +64,7 @@
   /etc/gnome-vfs-2.0/modules/ r,
   /etc/gnome-vfs-2.0/modules/* r,
   /usr/lib/gnome-vfs-2.0/modules/*.so mr,
+  /usr/lib/@{multiarch}/gnome-vfs-2.0/modules/*.so mr,
 
   # gvfs
   /usr/share/gvfs/remote-volume-monitors/  r,

profiles/apparmor.d/abstractions/kde

@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2006 Novell/SUSE
-#    Copyright (C) 2009-2010 Canonical Ltd.
+#    Copyright (C) 2009-2011 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -38,10 +38,17 @@
 /usr/lib*/kde3/plugins/styles/ r,
 /usr/lib*/kde3/plugins/styles/* mr,
 /usr/lib*/kde3/lib*so* mr,
+/usr/lib/@{multiarch}/kde3/plugins/styles/ r,
+/usr/lib/@{multiarch}/kde3/plugins/styles/* mr,
+/usr/lib/@{multiarch}/kde3/lib*so* mr,
 /usr/lib*/qt3/lib*/lib*so* mr,
 /usr/lib*/qt3/plugins/**  mr,
+/usr/lib/@{multiarch}/qt3/lib*/lib*so* mr,
+/usr/lib/@{multiarch}/qt3/plugins/**  mr,
 /usr/lib*/libqt-mt*so* mr,
 /usr/lib*/libqui*so* mr,
+/usr/lib/@{multiarch}/libqt-mt*so* mr,
+/usr/lib/@{multiarch}/libqui*so* mr,
 /usr/share/qt3/lib*/libqt-mt*so* mr,
 /usr/share/qt3/lib*/libqui*so* mr,
 
@@ -49,6 +56,11 @@
 /usr/lib*/kde4/plugins/*/*.so mr,
 /usr/lib*/kde4/plugins/*/ r,
 /usr/lib*/kde4/lib*so* mr,
+/usr/lib/@{multiarch}/kde4/plugins/*/*.so mr,
+/usr/lib/@{multiarch}/kde4/plugins/*/ r,
+/usr/lib/@{multiarch}/kde4/lib*so* mr,
 /usr/lib*/qt4/lib*/lib*so* mr,
 /usr/lib*/qt4/plugins/**  mr,
+/usr/lib/@{multiarch}/qt4/lib*/lib*so* mr,
+/usr/lib/@{multiarch}/qt4/plugins/**  mr,
 /usr/share/qt4/** r,

profiles/apparmor.d/abstractions/kerberosclient

@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2009 Novell/SUSE
-#    Copyright (C) 2009 Canonical Ltd.
+#    Copyright (C) 2009-2011 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -12,9 +12,13 @@
   # files required by kerberos client programs
   /usr/lib{,32,64}/krb5/plugins/libkrb5/ r,
   /usr/lib{,32,64}/krb5/plugins/libkrb5/* mr,
+  /usr/lib/@{multiarch}/krb5/plugins/libkrb5/ r,
+  /usr/lib/@{multiarch}/krb5/plugins/libkrb5/* mr,
 
   /usr/lib{,32,64}/krb5/plugins/preauth/ r,
   /usr/lib{,32,64}/krb5/plugins/preauth/* mr,
+  /usr/lib/@{multiarch}/krb5/plugins/preauth/ r,
+  /usr/lib/@{multiarch}/krb5/plugins/preauth/* mr,
 
   /etc/krb5.keytab            r,
   /etc/krb5.conf              r,

profiles/apparmor.d/abstractions/nameservice

@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2009 Novell/SUSE
-#    Copyright (C) 2009 Canonical Ltd.
+#    Copyright (C) 2009-2011 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -50,6 +50,8 @@
   # they are available
   /lib{,32,64}/libnss_*.so*      mr,
   /usr/lib{,32,64}/libnss_*.so*  mr,
+  /lib/@{multiarch}/libnss_*.so*      mr,
+  /usr/lib/@{multiarch}/libnss_*.so*  mr,
   /etc/default/nss               r,
 
   # avahi-daemon is used for mdns4 resolution

profiles/apparmor.d/tunables/global

@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2006-2009 Novell/SUSE
-#    Copyright (C) 2010 Canonical Ltd.
+#    Copyright (C) 2010-2011 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -13,5 +13,6 @@
 # should be included here
 
 #include <tunables/home>
+#include <tunables/multiarch>
 #include <tunables/proc>
 #include <tunables/alias>

profiles/apparmor.d/tunables/multiarch

@@ -0,0 +1,17 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2010 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# @{multiarch} is the set of patterns matching multi-arch library
+# install prefixes.
+@{multiarch}=*-linux-gnu*
+
+# Also, include files in tunables/multiarch.d for site and packaging
+# specific adjustments to @{multiarch}.
+#include <tunables/multiarch.d>

profiles/apparmor.d/tunables/multiarch.d/site.local

@@ -0,0 +1,14 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2011 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# The following is a space-separated list of where additional multipath
+# prefixes are stored, each should not have a trailing '/'. Directories
+# added here are appended to @{multiarch}. See tunables/mutliarch for details. Eg:
+#@{multiarch}+=*-freebsd* s390-hurd-zomg

profiles/apparmor/profiles/extras/usr.lib.firefox.firefox

@@ -122,5 +122,7 @@
   deny /usr/share/mozilla/ w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.firefox>
+  # Local path is disabled, we only enable them for profiles we promote
+  # out of extras.
+  ## include <local/usr.bin.firefox>
 }

tests/regression/apparmor/Makefile

@@ -143,6 +143,7 @@ TESTS=access \
       setattr \
       symlink \
       syscall \
+      tcp \
       unix_fd_server \
       unlink\
       xattrs\

tests/regression/apparmor/tcp.sh

@@ -21,18 +21,37 @@ ip="127.0.0.1"
 #badperm1=r
 #badperm2=w
 
-# PASS TEST - no netdomain rules
+# PASS TEST - no apparmor rules
-genprofile 
+runchecktest "TCP (no apparmor)" pass $port
-runchecktest "TCP" pass $port
 
-# PASS TEST - simple 
+# FAIL TEST - no network rules
-genprofile tcp_accept: tcp_connect:
+genprofile 
-runchecktest "TCP (accept, connect)" pass $port
+runchecktest "TCP (accept, connect) no network rules" fail $port
+
+# PASS TEST - allow tcp
+genprofile network:tcp
+runchecktest "TCP (accept, connect) allow tcp" pass $port
+
+# PASS TEST - allow inet
+genprofile network:inet
+runchecktest "TCP (accept, connect) allow inet" pass $port
+
+# PASS TEST - allow inet stream
+genprofile "network:inet stream"
+runchecktest "TCP (accept, connect) allow inet stream" pass $port
 
 # PASS TEST - simple / low-numbered port
 # you damn well better not be running telnet
-genprofile tcp_accept: tcp_connect: cap:net_bind_service
+genprofile network:inet cap:net_bind_service
-runchecktest "TCP (accept, connect)" pass 23
+runchecktest "TCP (accept, connect) low numbered port/bind cap" pass 23
+
+# FAIL TEST - simple / low-numbered port
+# will always fail unless process has net_bind_service capability.
+# you damn well better not be running telnetd.
+genprofile network:inet 
+runchecktest "TCP (accept, connect) low numbered port/no bind cap" fail 23
+
+exit 0
 
 # PASS TEST - accept via interface
 genprofile tcp_accept:via:lo tcp_connect:
@@ -62,12 +81,6 @@ runchecktest "TCP (accept, connect)" pass $port
 genprofile tcp_accept:to:127.0.0.0/255.255.192.0::${port} tcp_connect:
 runchecktest "TCP (accept, connect)" pass $port
 
-# FAIL TEST - simple / low-numbered port
-# will always fail unless process has net_bind_service capability.
-# you damn well better not be running telnetd.
-genprofile tcp_accept: tcp_connect:
-runchecktest "TCP (accept, connect, port 23)" fail 23
-
 # PASS TEST - simple / low-numbered port
 # will always fail unless process has net_bind_service capability.
 # you damn well better not be running telnetd.