Fix change_profile to grant access to api

http://bugs.launchpad.net/bugs/979135

Currently a change_profile rule does not grant access to the
/proc/<pid>/attr/{current,exec} interfaces that are needed to perform
a change_profile or change_onexec, requiring that an explicit rule allowing
access to the interface be granted.

Make it so change_profile implies the necessary
  /proc/@{PID}/attr/{current,exec} w,

rule just like the presence of hats does for change_hat


Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>

.bzrignore

@@ -1,3 +1,4 @@
+apparmor-*
 parser/po/*.mo
 parser/af_names.h
 parser/cap_names.h
@@ -5,6 +6,7 @@ parser/tst_misc
 parser/tst_regex
 parser/tst_symtab
 parser/tst_variable
+parser/tst/simple_tests/generated_*/*
 parser/parser_lex.c
 parser/parser_version.h
 parser/parser_yacc.c

Makefile

@@ -7,13 +7,9 @@ include common/Make.rules
 DIRS=parser \
      profiles \
      utils \
-     changehat/libapparmor \
+     libraries/libapparmor \
      changehat/mod_apparmor \
      changehat/pam_apparmor \
-     management/apparmor-dbus \
-     management/applets/apparmorapplet-gnome \
-     management/yastui \
-     common \
      tests
 
 REPO_URL?=lp:apparmor
@@ -24,12 +20,17 @@ REPO_URL?=lp:apparmor
 RELEASE_DIR=apparmor-${VERSION}
 __SETUP_DIR?=.
 
+# We create a separate version for tags because git can't handle tags
+# with embedded ~s in them. No spaces around '-' or they'll get
+# embedded in ${VERSION}
+TAG_VERSION=$(subst ~,-,${VERSION})
+
 .PHONY: tarball
 tarball: clean
 	REPO_VERSION=`$(value REPO_VERSION_CMD)` ; \
 	make export_dir __EXPORT_DIR=${RELEASE_DIR} __REPO_VERSION=$${REPO_VERSION} ; \
 	make setup __SETUP_DIR=${RELEASE_DIR} ; \
-	tar cvzf ${RELEASE_DIR}.tar.gz ${RELEASE_DIR}
+	tar --exclude deprecated -cvzf ${RELEASE_DIR}.tar.gz ${RELEASE_DIR}
 
 .PHONY: snapshot
 snapshot: clean
@@ -37,7 +38,7 @@ snapshot: clean
 	SNAPSHOT_DIR=apparmor-${VERSION}~$${REPO_VERSION} ;\
 	make export_dir __EXPORT_DIR=$${SNAPSHOT_DIR} __REPO_VERSION=$${REPO_VERSION} ; \
 	make setup __SETUP_DIR=$${SNAPSHOT_DIR} ; \
-	tar cvzf $${SNAPSHOT_DIR}.tar.gz $${SNAPSHOT_DIR} ;
+	tar --exclude deprecated -cvzf $${SNAPSHOT_DIR}.tar.gz $${SNAPSHOT_DIR} ;
 
 
 .PHONY: export_dir
@@ -49,6 +50,9 @@ export_dir:
 .PHONY: clean
 clean:
 	-rm -rf ${RELEASE_DIR} ./apparmor-${VERSION}~*
+	for dir in $(DIRS); do \
+		make -C $$dir clean; \
+	done
 
 .PHONY: setup
 setup:
@@ -56,4 +60,5 @@ setup:
 
 .PHONY: tag
 tag:
-	bzr tag apparmor_${VERSION}
+	bzr tag apparmor_${TAG_VERSION}
+

README

@@ -30,13 +30,26 @@ AppArmor consists of several different parts:
 changehat/	source for using changehat with Apache, PAM and Tomcat
 common/		common makefile rules
 desktop/	empty
-kernel-patches/	patches for various kernel versions
+kernel-patches/	compatibility patches for various kernel versions
 libraries/	libapparmor source and language bindings
 parser/		source for parser/loader and corresponding documentation
 profiles/	configuration files, reference profiles and abstractions
 tests/		regression and stress testsuites
 utils/		high-level utilities for working with AppArmor
 
+--------------------------------------
+Important note on AppArmor kernel code
+--------------------------------------
+
+While most of the kernel AppArmor code has been accepted in the
+upstream Linux kernel, a few important pieces were not included. These
+missing pieces unfortunately are important bits for AppArmor userspace
+and kernel interaction; therefore we have included compatibility
+patches in the kernel-patches/ subdirectory, versioned by upstream
+kernel (2.6.37 patches should apply cleanly to 2.6.38 source).
+
+Without these patches applied to the kernel, the AppArmor userspace
+will not function correctly.
 
 ------------------------------------------
 Building and Installing AppArmor Userspace
@@ -49,43 +62,52 @@ the following order.
 libapparmor:
 $ cd ./libraries/libapparmor
 $ sh ./autogen.sh
-$ sh ./configure --prefix=/usr --with-perl
+$ sh ./configure --prefix=/usr --with-perl	# see below
 $ make
 $ make check
+$ make install
+
+[optional arguments to libapparmor's configure include --with-python
+ and --with-ruby, to generate python and ruby bindings to libapparmor,
+ respectively.]
 
 
 Utilities:
 $ cd utils
 $ make
+$ make check
 $ make install
 
 
 parser:
 $ cd parser
 $ make
-$ make tests	# not strictly necessary as they are run during the
-		# build by default
+$ make check
 $ make install
 
 
 Apache mod_apparmor:
 $ cd changehat/mod_apparmor
-$ LIBS="-lapparmor" make
+$ make		# depends on libapparmor having been built first
 $ make install
 
 
 PAM AppArmor:
 $ cd changehat/pam_apparmor
-$ LIBS="-lapparmor -lpam" make
+$ make		# depends on libapparmor having been built first
 $ make install
 
 
 Profiles:
 $ cd profiles
 $ make
+$ make check	# depends on the parser having been built first
 $ make install
 
 
+[Note that for the parser and the utils, if you only with to build/use
+ some of the locale languages, you can override the default by passing
+ the LANGS arguments to make; e.g. make all install "LANGS=en_US fr".]
 
 -------------------
 AppArmor Testsuites
@@ -124,6 +146,14 @@ For details on structure and adding tests, see libraries/libapparmor/README.
 $ cd libraries/libapparmor
 $ make check
 
+Profile checks
+--------------
+A basic consistency check to ensure that the parser and aa-logprof parse
+successfully the current set of shipped profiles. The system or other
+parser and logprof can be passed in by overriding the PARSER and LOGPROF
+variables.
+$ cd profiles
+$ make && make check
 
 Stress Tests
 ------------

changehat/mod_apparmor/Makefile

@@ -41,12 +41,15 @@ APXS:=$(shell if [ -x "/usr/sbin/apxs2" ] ; then \
 	      fi ) 
 APXS_INSTALL_DIR=$(shell ${APXS} -q LIBEXECDIR)
 DESTDIR=
-LIBAPPARMOR_FLAGS="-I../../libraries/libapparmor/src -L../../libraries/libapparmor/src/.libs -lapparmor"
+# Need to pass -Wl twice here to get past both apxs2 and libtool, as
+# libtool will add the path to the RPATH of the library if passed -L/some/path
+LIBAPPARMOR_FLAGS=-I../../libraries/libapparmor/src -Wl,-Wl,-L../../libraries/libapparmor/src/.libs
+LDLIBS=-lapparmor
 
 all: $(TARGET) ${MANPAGES} ${HTMLMANPAGES}
 
 %.so: %.c
-	${APXS} ${LIBAPPARMOR_FLAGS} -c $<
+	${APXS} ${LIBAPPARMOR_FLAGS} -c $< ${LDLIBS}
 	mv .libs/$@ .
 
 .PHONY: install

changehat/tomcat_apparmor/tomcat_5_0/Makefile

@@ -37,4 +37,4 @@ clean:
 	rm -f tomcat_apparmor.spec ${NAME}-*.tar.gz Make.rules
 
 install: $(SPECFILE)
-	 ant  -Dversion=$(VERSION) -Drelease=$(RELEASE) -Dcatalina_home=${CATALINA_HOME} -Dinstall_lib=${LIB} install_jar install_jni
+	 ant  -Dversion=$(VERSION) -Drelease=$(MAN_RELEASE) -Dcatalina_home=${CATALINA_HOME} -Dinstall_lib=${LIB} install_jar install_jni

changehat/tomcat_apparmor/tomcat_5_5/Makefile

@@ -37,4 +37,4 @@ clean:
 	rm -f tomcat_apparmor.spec ${NAME}-*.tar.gz Make.rules
 
 install: $(SPECFILE)
-	 ant  -Dversion=$(VERSION) -Drelease=$(RELEASE) -Dcatalina_home=${CATALINA_HOME} -Dinstall_lib=${LIB} install_jar install_jni
+	 ant  -Dversion=$(VERSION) -Drelease=$(MAN_RELEASE) -Dcatalina_home=${CATALINA_HOME} -Dinstall_lib=${LIB} install_jar install_jni

common/Make-po.rules

@@ -27,7 +27,8 @@ XGETTEXT_ARGS=--copyright-holder="NOVELL, Inc." --msgid-bugs-address=apparmor@li
 # pass in the list of sources in the SOURCES variable
 PARENT_SOURCES=$(foreach source, ${SOURCES}, ../${source})
 
-LANGS=$(patsubst %.po, %, $(wildcard *.po))
+# Can override by passing LANGS=whatever here
+LANGS?=$(patsubst %.po, %, $(wildcard *.po))
 TARGET_MOS=$(foreach lang, $(filter-out $(DISABLED_LANGS),$(LANGS)), ${lang}.mo)
 
 .PHONY: all

common/Make.rules

@@ -150,6 +150,40 @@ _clean:
 	-rm -f ${NAME}-${VERSION}-*.tar.gz
 	-rm -f ${MANPAGES} *.[0-9].gz ${HTMLMANPAGES} pod2htm*.tmp
 
+# =====================
+# generate list of capabilities based on
+# /usr/include/linux/capabilities.h for use in multiple locations in
+# the source tree
+# =====================
+
+# emits defined capabilities in a simple list, e.g. "CAP_NAME CAP_NAME2"
+CAPABILITIES=$(shell echo "\#include <linux/capability.h>" | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | sort)
+
+.PHONY: list_capabilities
+list_capabilities: /usr/include/linux/capability.h
+	@echo "$(CAPABILITIES)"
+
+# =====================
+# generate list of network protocols based on
+# sys/socket.h for use in multiple locations in
+# the source tree
+# =====================
+
+# These are the families that it doesn't make sense for apparmor
+# to mediate. We use PF_ here since that is what is required in
+# bits/socket.h, but we will rewrite these as AF_.
+
+FILTER_FAMILIES=PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK
+
+__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
+
+# emits the AF names in a "AF_NAME NUMBER," pattern
+AF_NAMES=$(shell echo "\#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2)
+
+.PHONY: list_af_names
+list_af_names:
+	@echo "$(AF_NAMES)"
+
 # =====================
 # manpages
 # =====================
@@ -172,29 +206,8 @@ install_manpages: $(MANPAGES)
 
 MAN_RELEASE="AppArmor ${VERSION}"
 
-%.1: %.pod
-	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=1 > $@
-
-%.2: %.pod
-	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=2 > $@
-
-%.3: %.pod
-	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=3 > $@
-
-%.4: %.pod
-	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=4 > $@
-
-%.5: %.pod
-	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=5 > $@
-
-%.6: %.pod
-	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=6 > $@
-
-%.7: %.pod
-	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=7 > $@
-
-%.8: %.pod
-	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=8 > $@
+%.1 %.2 %.3 %.4 %.5 %.6 %.7 %.8: %.pod
+	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --stderr --section=$(subst .,,$(suffix $@)) > $@
 
 %.1.html: %.pod
 	$(POD2HTML) --header --css apparmor.css --infile=$< --outfile=$@

common/Version

@@ -1 +1 @@
-2.6.0
+2.7.102

deprecated/utils/aa-status

@@ -0,0 +1,218 @@
+#!/usr/bin/perl -w
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2005-2006 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+
+use strict;
+use Getopt::Long;
+use Cwd 'abs_path';
+
+my $confdir = "/etc/apparmor";
+my $sd_mountpoint;
+my $check_enabled = 0;
+my $count_enforced = 0;
+my $count_profiled = 0;
+my $count_complain = 0;
+my $verbose = 0;
+my $help;
+
+GetOptions(
+  'complaining'		=> \$count_complain,
+  'enabled'		=> \$check_enabled,
+  'enforced'		=> \$count_enforced,
+  'profiled'		=> \$count_profiled,
+  'verbose|v'		=> \$verbose,
+  'help|h'		=> \$help,
+) or usage();
+
+sub usage {
+  print "Usage: $0 [OPTIONS]\n";
+  print "Displays various information about the currently loaded AppArmor policy.\n";
+  print "OPTIONS (one only):\n";
+  print "  --enabled       returns error code if subdomain not enabled\n";
+  print "  --profiled      prints the number of loaded policies\n";
+  print "  --enforced      prints the number of loaded enforcing policies\n";
+  print "  --complaining   prints the number of loaded non-enforcing policies\n";
+  print "  --verbose       (default) displays multiple data points about loaded policy set\n";
+  print "  --help          this message\n";
+  exit;
+}
+
+$verbose = 1 if ($count_complain + $check_enabled + $count_enforced + $count_profiled == 0);
+usage() if $help or ($count_complain + $check_enabled + $count_enforced + $count_profiled + $verbose > 1);
+
+sub is_subdomain_loaded() {
+  return 1 if (-d "/sys/module/apparmor");
+  if(open(MODULES, "/proc/modules")) {
+    while(<MODULES>) {
+      return 1 if m/^(subdomain|apparmor)\s+/;
+    }
+  }
+
+  return 0;
+}
+
+sub find_subdomainfs() {
+
+  my $sd_mountpoint;
+  if(open(MOUNTS, "/proc/mounts")) {
+    while(<MOUNTS>) {
+      $sd_mountpoint = "$1/apparmor" if m/^\S+\s+(\S+)\s+securityfs\s/ && -e "$1/apparmor";
+      $sd_mountpoint = "$1/subdomain" if m/^\S+\s+(\S+)\s+securityfs\s/ && -e "$1/subdomain";
+      $sd_mountpoint = $1 if m/^\S+\s+(\S+)\s+subdomainfs\s/ && -e "$1";
+    }
+    close(MOUNTS);
+  }
+
+  return $sd_mountpoint;
+}
+
+sub get_profiles {
+  my $mountpoint = shift;
+  my %profiles = ();
+
+  if (open(PROFILES, "$mountpoint/profiles")) {
+    while(<PROFILES>) {
+      $profiles{$1} = $2 if m/^([^\(]+)\s+\((\w+)\)$/;
+    }
+    close(PROFILES);
+  }
+  return (%profiles);
+}
+
+sub get_processes {
+  my %profiles = @_;
+  my %processes = ();
+  if (opendir(PROC, "/proc")) {
+    my $file;
+    while (defined($file = readdir(PROC))) {
+      if ($file =~ m/^\d+/) {
+        if (open(CURRENT, "/proc/$file/attr/current")) {
+          while (<CURRENT>) {
+            if (m/^([^\(]+)\s+\((\w+)\)$/) {
+              $processes{$file}{'profile'} = $1;
+              $processes{$file}{'mode'} = $2;
+            } elsif (grep(abs_path("/proc/$file/exe") eq $_ , keys(%profiles))) {
+              # keep only unconfined processes that have a profile defined
+              $processes{$file}{'profile'} = abs_path("/proc/$file/exe");
+              $processes{$file}{'mode'} = 'unconfined';
+            }
+          }
+          close(CURRENT);
+        }
+      }
+    }
+    closedir(PROC);
+  }
+  return (%processes);
+}
+
+my $is_loaded = is_subdomain_loaded();
+
+if (!$is_loaded) {
+  print STDERR "apparmor module is not loaded.\n" if $verbose;
+  exit 1;
+}
+
+print "apparmor module is loaded.\n" if $verbose;
+
+$sd_mountpoint = find_subdomainfs();
+if (!$sd_mountpoint) {
+  print STDERR "apparmor filesystem is not mounted.\n" if $verbose;
+  exit 3;
+}
+
+if (! -r "$sd_mountpoint/profiles") {
+  print STDERR "You do not have enough privilege to read the profile set.\n" if $verbose;
+  exit 4;
+}
+
+#print "subdomainfs is at $sd_mountpoint.\n" if $verbose;
+
+# processes is a hash table :
+#   * keys : processes pid
+#   * values : hash containing information about the running process:
+#       * 'profile' : name of the profile applied to the running process
+#       * 'mode' : mode of the profile applied to the running process
+my %processes = ();
+my %enforced_processes = ();
+my %complain_processes = ();
+my %unconfined_processes = ();
+
+# profiles is a hash table :
+#  * keys : profile name
+#  * value : profile mode
+my %profiles;
+my @enforced_profiles = ();
+my @complain_profiles = ();
+
+%profiles = get_profiles($sd_mountpoint);
+@enforced_profiles = grep { $profiles{$_} eq 'enforce' } keys %profiles;
+@complain_profiles = grep { $profiles{$_} eq 'complain' } keys %profiles;
+
+# we consider the case where no profiles are loaded to be "disabled" as well
+my $rc = (keys(%profiles) == 0) ? 2 : 0;
+
+if ($check_enabled) {
+  exit $rc;
+}
+
+if ($count_profiled) {
+  print scalar(keys(%profiles)). "\n";
+  exit $rc;
+}
+
+if ($count_enforced) {
+  print $#enforced_profiles + 1 . "\n";
+  exit $rc;
+}
+
+if ($count_complain) {
+  print $#complain_profiles + 1 . "\n";
+  exit $rc;
+}
+
+
+if ($verbose) {
+  print keys(%profiles) . " profiles are loaded.\n";
+  print $#enforced_profiles + 1 . " profiles are in enforce mode.\n";
+  for (sort(@enforced_profiles)) {
+    print "   " . $_ . "\n";
+  }
+  print $#complain_profiles + 1 . " profiles are in complain mode.\n";
+  for (sort(@complain_profiles)) {
+    print "   " . $_ . "\n";
+  }
+}
+
+%processes = get_processes(%profiles);
+if ($verbose) {
+  for (keys(%processes)) {
+    $enforced_processes{$_} = $processes{$_} if $processes{$_}{'mode'} eq 'enforce';
+    $complain_processes{$_} = $processes{$_} if $processes{$_}{'mode'} eq 'complain';
+    # some early code uses unconfined instead of unconfined.
+    $unconfined_processes{$_} = $processes{$_} if $processes{$_}{'mode'} =~ /uncon(fi|strai)ned/;
+  }
+  print keys(%processes) . " processes have profiles defined.\n";
+  print keys(%enforced_processes) . " processes are in enforce mode :\n";
+  for (sort { $enforced_processes{$a}{'profile'} cmp $enforced_processes{$b}{'profile'} } keys(%enforced_processes)) {
+    print "   " . $enforced_processes{$_}{'profile'} . " ($_) \n";
+  }
+  print keys(%complain_processes) . " processes are in complain mode.\n";
+  for (sort { $complain_processes{$a}{'profile'} cmp $complain_processes{$b}{'profile'} } keys(%complain_processes)) {
+    print "   " . $complain_processes{$_}{'profile'} . " ($_) \n";
+  }
+  print keys(%unconfined_processes) . " processes are unconfined but have a profile defined.\n";
+  for (sort { $unconfined_processes{$a}{'profile'} cmp $unconfined_processes{$b}{'profile'} } keys(%unconfined_processes)) {
+    print "   " . $unconfined_processes{$_}{'profile'} . " ($_) \n";
+  }
+}
+
+exit $rc;

kernel-patches/2.6.39/0001-AppArmor-compatibility-patch-for-v5-network-controll.patch

@@ -0,0 +1,553 @@
+From 0ae314bc92d8b22250f04f85e4bd36ee9ed30890 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Mon, 4 Oct 2010 15:03:36 -0700
+Subject: [PATCH 1/3] AppArmor: compatibility patch for v5 network controll
+
+Add compatibility for v5 network rules.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ include/linux/lsm_audit.h          |    4 +
+ security/apparmor/Makefile         |   19 ++++-
+ security/apparmor/include/net.h    |   40 +++++++++
+ security/apparmor/include/policy.h |    3 +
+ security/apparmor/lsm.c            |  112 +++++++++++++++++++++++
+ security/apparmor/net.c            |  170 ++++++++++++++++++++++++++++++++++++
+ security/apparmor/policy.c         |    1 +
+ security/apparmor/policy_unpack.c  |   48 ++++++++++-
+ 8 files changed, 394 insertions(+), 3 deletions(-)
+ create mode 100644 security/apparmor/include/net.h
+ create mode 100644 security/apparmor/net.c
+
+diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
+index 112a550..d5f3dd7 100644
+--- a/include/linux/lsm_audit.h
++++ b/include/linux/lsm_audit.h
+@@ -123,6 +123,10 @@ struct common_audit_data {
+ 					u32 denied;
+ 					uid_t ouid;
+ 				} fs;
++				struct {
++					int type, protocol;
++					struct sock *sk;
++				} net;
+ 			};
+ 		} apparmor_audit_data;
+ #endif
+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
+index 2dafe50..7cefef9 100644
+--- a/security/apparmor/Makefile
++++ b/security/apparmor/Makefile
+@@ -4,9 +4,9 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+ 
+ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
+-              resource.o sid.o file.o
++              resource.o sid.o file.o net.o
+ 
+-clean-files := capability_names.h rlim_names.h
++clean-files := capability_names.h rlim_names.h af_names.h
+ 
+ 
+ # Build a lower case string table of capability names
+@@ -44,9 +44,24 @@ cmd_make-rlim = echo "static const char *rlim_names[] = {" > $@ ;\
+ 	sed -r -n "s/^\# ?define[ \t]+(RLIMIT_[A-Z0-9_]+).*/\1,/p" $< >> $@ ;\
+ 	echo "};" >> $@
+ 
++# Build a lower case string table of address family names.
++# Transform lines from
++# #define AF_INET		2	/* Internet IP Protocol 	*/
++# to
++# [2] = "inet",
++quiet_cmd_make-af = GEN     $@
++cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\
++	sed $< >> $@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e \
++	  's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+).*/[\2] = "\L\1",/p';\
++	echo "};" >> $@
++
++
+ $(obj)/capability.o : $(obj)/capability_names.h
+ $(obj)/resource.o : $(obj)/rlim_names.h
++$(obj)/net.o : $(obj)/af_names.h
+ $(obj)/capability_names.h : $(srctree)/include/linux/capability.h
+ 	$(call cmd,make-caps)
+ $(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h
+ 	$(call cmd,make-rlim)
++$(obj)/af_names.h : $(srctree)/include/linux/socket.h
++	$(call cmd,make-af)
+\ No newline at end of file
+diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
+new file mode 100644
+index 0000000..3c7d599
+--- /dev/null
++++ b/security/apparmor/include/net.h
+@@ -0,0 +1,40 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor network mediation definitions.
++ *
++ * Copyright (C) 1998-2008 Novell/SUSE
++ * Copyright 2009-2010 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ */
++
++#ifndef __AA_NET_H
++#define __AA_NET_H
++
++#include <net/sock.h>
++
++/* struct aa_net - network confinement data
++ * @allowed: basic network families permissions
++ * @audit_network: which network permissions to force audit
++ * @quiet_network: which network permissions to quiet rejects
++ */
++struct aa_net {
++	u16 allow[AF_MAX];
++	u16 audit[AF_MAX];
++	u16 quiet[AF_MAX];
++};
++
++extern int aa_net_perm(int op, struct aa_profile *profile, u16 family,
++		       int type, int protocol, struct sock *sk);
++extern int aa_revalidate_sk(int op, struct sock *sk);
++
++static inline void aa_free_net_rules(struct aa_net *new)
++{
++	/* NOP */
++}
++
++#endif /* __AA_NET_H */
+diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
+index aeda5cf..6776929 100644
+--- a/security/apparmor/include/policy.h
++++ b/security/apparmor/include/policy.h
+@@ -27,6 +27,7 @@
+ #include "capability.h"
+ #include "domain.h"
+ #include "file.h"
++#include "net.h"
+ #include "resource.h"
+ 
+ extern const char *profile_mode_names[];
+@@ -145,6 +146,7 @@ struct aa_namespace {
+  * @size: the memory consumed by this profiles rules
+  * @file: The set of rules governing basic file access and domain transitions
+  * @caps: capabilities for the profile
++ * @net: network controls for the profile
+  * @rlimits: rlimits for the profile
+  *
+  * The AppArmor profile contains the basic confinement data.  Each profile
+@@ -181,6 +183,7 @@ struct aa_profile {
+ 
+ 	struct aa_file_rules file;
+ 	struct aa_caps caps;
++	struct aa_net net;
+ 	struct aa_rlimit rlimits;
+ };
+ 
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index ae3a698..05c018b 100644
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -32,6 +32,7 @@
+ #include "include/context.h"
+ #include "include/file.h"
+ #include "include/ipc.h"
++#include "include/net.h"
+ #include "include/path.h"
+ #include "include/policy.h"
+ #include "include/procattr.h"
+@@ -620,6 +621,104 @@ static int apparmor_task_setrlimit(struct task_struct *task,
+ 	return error;
+ }
+ 
++static int apparmor_socket_create(int family, int type, int protocol, int kern)
++{
++	struct aa_profile *profile;
++	int error = 0;
++
++	if (kern)
++		return 0;
++
++	profile = __aa_current_profile();
++	if (!unconfined(profile))
++		error = aa_net_perm(OP_CREATE, profile, family, type, protocol,
++				    NULL);
++	return error;
++}
++
++static int apparmor_socket_bind(struct socket *sock,
++				struct sockaddr *address, int addrlen)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_BIND, sk);
++}
++
++static int apparmor_socket_connect(struct socket *sock,
++				   struct sockaddr *address, int addrlen)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_CONNECT, sk);
++}
++
++static int apparmor_socket_listen(struct socket *sock, int backlog)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_LISTEN, sk);
++}
++
++static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_ACCEPT, sk);
++}
++
++static int apparmor_socket_sendmsg(struct socket *sock,
++				   struct msghdr *msg, int size)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_SENDMSG, sk);
++}
++
++static int apparmor_socket_recvmsg(struct socket *sock,
++				   struct msghdr *msg, int size, int flags)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_RECVMSG, sk);
++}
++
++static int apparmor_socket_getsockname(struct socket *sock)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_GETSOCKNAME, sk);
++}
++
++static int apparmor_socket_getpeername(struct socket *sock)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_GETPEERNAME, sk);
++}
++
++static int apparmor_socket_getsockopt(struct socket *sock, int level,
++				      int optname)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_GETSOCKOPT, sk);
++}
++
++static int apparmor_socket_setsockopt(struct socket *sock, int level,
++				      int optname)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_SETSOCKOPT, sk);
++}
++
++static int apparmor_socket_shutdown(struct socket *sock, int how)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
++}
++
+ static struct security_operations apparmor_ops = {
+ 	.name =				"apparmor",
+ 
+@@ -651,6 +750,19 @@ static struct security_operations apparmor_ops = {
+ 	.getprocattr =			apparmor_getprocattr,
+ 	.setprocattr =			apparmor_setprocattr,
+ 
++	.socket_create =		apparmor_socket_create,
++	.socket_bind =			apparmor_socket_bind,
++	.socket_connect =		apparmor_socket_connect,
++	.socket_listen =		apparmor_socket_listen,
++	.socket_accept =		apparmor_socket_accept,
++	.socket_sendmsg =		apparmor_socket_sendmsg,
++	.socket_recvmsg =		apparmor_socket_recvmsg,
++	.socket_getsockname =		apparmor_socket_getsockname,
++	.socket_getpeername =		apparmor_socket_getpeername,
++	.socket_getsockopt =		apparmor_socket_getsockopt,
++	.socket_setsockopt =		apparmor_socket_setsockopt,
++	.socket_shutdown =		apparmor_socket_shutdown,
++
+ 	.cred_alloc_blank =		apparmor_cred_alloc_blank,
+ 	.cred_free =			apparmor_cred_free,
+ 	.cred_prepare =			apparmor_cred_prepare,
+diff --git a/security/apparmor/net.c b/security/apparmor/net.c
+new file mode 100644
+index 0000000..1765901
+--- /dev/null
++++ b/security/apparmor/net.c
+@@ -0,0 +1,170 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor network mediation
++ *
++ * Copyright (C) 1998-2008 Novell/SUSE
++ * Copyright 2009-2010 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ */
++
++#include "include/apparmor.h"
++#include "include/audit.h"
++#include "include/context.h"
++#include "include/net.h"
++#include "include/policy.h"
++
++#include "af_names.h"
++
++static const char *sock_type_names[] = {
++	"unknown(0)",
++	"stream",
++	"dgram",
++	"raw",
++	"rdm",
++	"seqpacket",
++	"dccp",
++	"unknown(7)",
++	"unknown(8)",
++	"unknown(9)",
++	"packet",
++};
++
++/* audit callback for net specific fields */
++static void audit_cb(struct audit_buffer *ab, void *va)
++{
++	struct common_audit_data *sa = va;
++
++	audit_log_format(ab, " family=");
++	if (address_family_names[sa->u.net.family]) {
++		audit_log_string(ab, address_family_names[sa->u.net.family]);
++	} else {
++		audit_log_format(ab, " \"unknown(%d)\"", sa->u.net.family);
++	}
++
++	audit_log_format(ab, " sock_type=");
++	if (sock_type_names[sa->aad.net.type]) {
++		audit_log_string(ab, sock_type_names[sa->aad.net.type]);
++	} else {
++		audit_log_format(ab, "\"unknown(%d)\"", sa->aad.net.type);
++	}
++
++	audit_log_format(ab, " protocol=%d", sa->aad.net.protocol);
++}
++
++/**
++ * audit_net - audit network access
++ * @profile: profile being enforced  (NOT NULL)
++ * @op: operation being checked
++ * @family: network family
++ * @type:   network type
++ * @protocol: network protocol
++ * @sk: socket auditing is being applied to
++ * @error: error code for failure else 0
++ *
++ * Returns: %0 or sa->error else other errorcode on failure
++ */
++static int audit_net(struct aa_profile *profile, int op, u16 family, int type,
++		     int protocol, struct sock *sk, int error)
++{
++	int audit_type = AUDIT_APPARMOR_AUTO;
++	struct common_audit_data sa;
++	if (sk) {
++		COMMON_AUDIT_DATA_INIT(&sa, NET);
++	} else {
++		COMMON_AUDIT_DATA_INIT(&sa, NONE);
++	}
++	/* todo fill in socket addr info */
++
++	sa.aad.op = op,
++	sa.u.net.family = family;
++	sa.u.net.sk = sk;
++	sa.aad.net.type = type;
++	sa.aad.net.protocol = protocol;
++	sa.aad.error = error;
++
++	if (likely(!sa.aad.error)) {
++		u16 audit_mask = profile->net.audit[sa.u.net.family];
++		if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
++			   !(1 << sa.aad.net.type & audit_mask)))
++			return 0;
++		audit_type = AUDIT_APPARMOR_AUDIT;
++	} else {
++		u16 quiet_mask = profile->net.quiet[sa.u.net.family];
++		u16 kill_mask = 0;
++		u16 denied = (1 << sa.aad.net.type) & ~quiet_mask;
++
++		if (denied & kill_mask)
++			audit_type = AUDIT_APPARMOR_KILL;
++
++		if ((denied & quiet_mask) &&
++		    AUDIT_MODE(profile) != AUDIT_NOQUIET &&
++		    AUDIT_MODE(profile) != AUDIT_ALL)
++			return COMPLAIN_MODE(profile) ? 0 : sa.aad.error;
++	}
++
++	return aa_audit(audit_type, profile, GFP_KERNEL, &sa, audit_cb);
++}
++
++/**
++ * aa_net_perm - very course network access check
++ * @op: operation being checked
++ * @profile: profile being enforced  (NOT NULL)
++ * @family: network family
++ * @type:   network type
++ * @protocol: network protocol
++ *
++ * Returns: %0 else error if permission denied
++ */
++int aa_net_perm(int op, struct aa_profile *profile, u16 family, int type,
++		int protocol, struct sock *sk)
++{
++	u16 family_mask;
++	int error;
++
++	if ((family < 0) || (family >= AF_MAX))
++		return -EINVAL;
++
++	if ((type < 0) || (type >= SOCK_MAX))
++		return -EINVAL;
++
++	/* unix domain and netlink sockets are handled by ipc */
++	if (family == AF_UNIX || family == AF_NETLINK)
++		return 0;
++
++	family_mask = profile->net.allow[family];
++
++	error = (family_mask & (1 << type)) ? 0 : -EACCES;
++
++	return audit_net(profile, op, family, type, protocol, sk, error);
++}
++
++/**
++ * aa_revalidate_sk - Revalidate access to a sock
++ * @op: operation being checked
++ * @sk: sock being revalidated  (NOT NULL)
++ *
++ * Returns: %0 else error if permission denied
++ */
++int aa_revalidate_sk(int op, struct sock *sk)
++{
++	struct aa_profile *profile;
++	int error = 0;
++
++	/* aa_revalidate_sk should not be called from interrupt context
++	 * don't mediate these calls as they are not task related
++	 */
++	if (in_interrupt())
++		return 0;
++
++	profile = __aa_current_profile();
++	if (!unconfined(profile))
++		error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type,
++				    sk->sk_protocol, sk);
++
++	return error;
++}
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index 4f0eade..4d5ce13 100644
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -745,6 +745,7 @@ static void free_profile(struct aa_profile *profile)
+ 
+ 	aa_free_file_rules(&profile->file);
+ 	aa_free_cap_rules(&profile->caps);
++	aa_free_net_rules(&profile->net);
+ 	aa_free_rlimit_rules(&profile->rlimits);
+ 
+ 	aa_free_sid(profile->sid);
+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
+index e33aaf7..fa3f1b4 100644
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -190,6 +190,19 @@ fail:
+ 	return 0;
+ }
+ 
++static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name)
++{
++	if (unpack_nameX(e, AA_U16, name)) {
++		if (!inbounds(e, sizeof(u16)))
++			return 0;
++		if (data)
++			*data = le16_to_cpu(get_unaligned((u16 *) e->pos));
++		e->pos += sizeof(u16);
++		return 1;
++	}
++	return 0;
++}
++
+ static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
+ {
+ 	if (unpack_nameX(e, AA_U32, name)) {
+@@ -468,7 +481,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ {
+ 	struct aa_profile *profile = NULL;
+ 	const char *name = NULL;
+-	int error = -EPROTO;
++	size_t size = 0;
++	int i, error = -EPROTO;
+ 	kernel_cap_t tmpcap;
+ 	u32 tmp;
+ 
+@@ -559,6 +573,38 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ 	if (!unpack_rlimits(e, profile))
+ 		goto fail;
+ 
++	size = unpack_array(e, "net_allowed_af");
++	if (size) {
++
++		for (i = 0; i < size; i++) {
++			/* discard extraneous rules that this kernel will
++			 * never request
++			 */
++			if (i > AF_MAX) {
++				u16 tmp;
++				if (!unpack_u16(e, &tmp, NULL) ||
++				    !unpack_u16(e, &tmp, NULL) ||
++				    !unpack_u16(e, &tmp, NULL))
++					goto fail;
++				continue;
++			}
++			if (!unpack_u16(e, &profile->net.allow[i], NULL))
++				goto fail;
++			if (!unpack_u16(e, &profile->net.audit[i], NULL))
++				goto fail;
++			if (!unpack_u16(e, &profile->net.quiet[i], NULL))
++				goto fail;
++		}
++		if (!unpack_nameX(e, AA_ARRAYEND, NULL))
++			goto fail;
++		/*
++		 * allow unix domain and netlink sockets they are handled
++		 * by IPC
++		 */
++	}
++	profile->net.allow[AF_UNIX] = 0xffff;
++	profile->net.allow[AF_NETLINK] = 0xffff;
++
+ 	/* get file rules */
+ 	profile->file.dfa = unpack_dfa(e);
+ 	if (IS_ERR(profile->file.dfa)) {
+-- 
+1.7.0.4
+

kernel-patches/2.6.39/0002-AppArmor-compatibility-patch-for-v5-interface.patch

@@ -0,0 +1,391 @@
+From cdc6b35345e5bcfe92bb2b52ef003f94ceedd40d Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Thu, 22 Jul 2010 02:32:02 -0700
+Subject: [PATCH 2/3] AppArmor: compatibility patch for v5 interface
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ security/apparmor/Kconfig              |    9 +
+ security/apparmor/Makefile             |    1 +
+ security/apparmor/apparmorfs-24.c      |  287 ++++++++++++++++++++++++++++++++
+ security/apparmor/apparmorfs.c         |   18 ++-
+ security/apparmor/include/apparmorfs.h |    6 +
+ 5 files changed, 319 insertions(+), 2 deletions(-)
+ create mode 100644 security/apparmor/apparmorfs-24.c
+
+diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
+index 9b9013b..51ebf96 100644
+--- a/security/apparmor/Kconfig
++++ b/security/apparmor/Kconfig
+@@ -29,3 +29,12 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE
+ 	  boot.
+ 
+ 	  If you are unsure how to answer this question, answer 1.
++
++config SECURITY_APPARMOR_COMPAT_24
++	bool "Enable AppArmor 2.4 compatability"
++	depends on SECURITY_APPARMOR
++	default y
++	help
++	  This option enables compatability with AppArmor 2.4.  It is
++          recommended if compatability with older versions of AppArmor
++          is desired.
+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
+index 7cefef9..0bb604b 100644
+--- a/security/apparmor/Makefile
++++ b/security/apparmor/Makefile
+@@ -5,6 +5,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
+               resource.o sid.o file.o net.o
++apparmor-$(CONFIG_SECURITY_APPARMOR_COMPAT_24) += apparmorfs-24.o
+ 
+ clean-files := capability_names.h rlim_names.h af_names.h
+ 
+diff --git a/security/apparmor/apparmorfs-24.c b/security/apparmor/apparmorfs-24.c
+new file mode 100644
+index 0000000..dc8c744
+--- /dev/null
++++ b/security/apparmor/apparmorfs-24.c
+@@ -0,0 +1,287 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor /sys/kernel/secrutiy/apparmor interface functions
++ *
++ * Copyright (C) 1998-2008 Novell/SUSE
++ * Copyright 2009-2010 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ *
++ *
++ * This file contain functions providing an interface for <= AppArmor 2.4
++ * compatibility.  It is dependent on CONFIG_SECURITY_APPARMOR_COMPAT_24
++ * being set (see Makefile).
++ */
++
++#include <linux/security.h>
++#include <linux/vmalloc.h>
++#include <linux/module.h>
++#include <linux/seq_file.h>
++#include <linux/uaccess.h>
++#include <linux/namei.h>
++
++#include "include/apparmor.h"
++#include "include/audit.h"
++#include "include/context.h"
++#include "include/policy.h"
++
++
++/* apparmor/matching */
++static ssize_t aa_matching_read(struct file *file, char __user *buf,
++				size_t size, loff_t *ppos)
++{
++	const char matching[] = "pattern=aadfa audit perms=crwxamlk/ "
++	    "user::other";
++
++	return simple_read_from_buffer(buf, size, ppos, matching,
++				       sizeof(matching) - 1);
++}
++
++const struct file_operations aa_fs_matching_fops = {
++	.read = aa_matching_read,
++};
++
++/* apparmor/features */
++static ssize_t aa_features_read(struct file *file, char __user *buf,
++				size_t size, loff_t *ppos)
++{
++	const char features[] = "file=3.1 capability=2.0 network=1.0 "
++	    "change_hat=1.5 change_profile=1.1 " "aanamespaces=1.1 rlimit=1.1";
++
++	return simple_read_from_buffer(buf, size, ppos, features,
++				       sizeof(features) - 1);
++}
++
++const struct file_operations aa_fs_features_fops = {
++	.read = aa_features_read,
++};
++
++/**
++ * __next_namespace - find the next namespace to list
++ * @root: root namespace to stop search at (NOT NULL)
++ * @ns: current ns position (NOT NULL)
++ *
++ * Find the next namespace from @ns under @root and handle all locking needed
++ * while switching current namespace.
++ *
++ * Returns: next namespace or NULL if at last namespace under @root
++ * NOTE: will not unlock root->lock
++ */
++static struct aa_namespace *__next_namespace(struct aa_namespace *root,
++					     struct aa_namespace *ns)
++{
++	struct aa_namespace *parent;
++
++	/* is next namespace a child */
++	if (!list_empty(&ns->sub_ns)) {
++		struct aa_namespace *next;
++		next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
++		read_lock(&next->lock);
++		return next;
++	}
++
++	/* check if the next ns is a sibling, parent, gp, .. */
++	parent = ns->parent;
++	while (parent) {
++		read_unlock(&ns->lock);
++		list_for_each_entry_continue(ns, &parent->sub_ns, base.list) {
++			read_lock(&ns->lock);
++			return ns;
++		}
++		if (parent == root)
++			return NULL;
++		ns = parent;
++		parent = parent->parent;
++	}
++
++	return NULL;
++}
++
++/**
++ * __first_profile - find the first profile in a namespace
++ * @root: namespace that is root of profiles being displayed (NOT NULL)
++ * @ns: namespace to start in   (NOT NULL)
++ *
++ * Returns: unrefcounted profile or NULL if no profile
++ */
++static struct aa_profile *__first_profile(struct aa_namespace *root,
++					  struct aa_namespace *ns)
++{
++	for ( ; ns; ns = __next_namespace(root, ns)) {
++		if (!list_empty(&ns->base.profiles))
++			return list_first_entry(&ns->base.profiles,
++						struct aa_profile, base.list);
++	}
++	return NULL;
++}
++
++/**
++ * __next_profile - step to the next profile in a profile tree
++ * @profile: current profile in tree (NOT NULL)
++ *
++ * Perform a depth first taversal on the profile tree in a namespace
++ *
++ * Returns: next profile or NULL if done
++ * Requires: profile->ns.lock to be held
++ */
++static struct aa_profile *__next_profile(struct aa_profile *p)
++{
++	struct aa_profile *parent;
++	struct aa_namespace *ns = p->ns;
++
++	/* is next profile a child */
++	if (!list_empty(&p->base.profiles))
++		return list_first_entry(&p->base.profiles, typeof(*p),
++					base.list);
++
++	/* is next profile a sibling, parent sibling, gp, subling, .. */
++	parent = p->parent;
++	while (parent) {
++		list_for_each_entry_continue(p, &parent->base.profiles,
++					     base.list)
++				return p;
++		p = parent;
++		parent = parent->parent;
++	}
++
++	/* is next another profile in the namespace */
++	list_for_each_entry_continue(p, &ns->base.profiles, base.list)
++		return p;
++
++	return NULL;
++}
++
++/**
++ * next_profile - step to the next profile in where ever it may be
++ * @root: root namespace  (NOT NULL)
++ * @profile: current profile  (NOT NULL)
++ *
++ * Returns: next profile or NULL if there isn't one
++ */
++static struct aa_profile *next_profile(struct aa_namespace *root,
++				       struct aa_profile *profile)
++{
++	struct aa_profile *next = __next_profile(profile);
++	if (next)
++		return next;
++
++	/* finished all profiles in namespace move to next namespace */
++	return __first_profile(root, __next_namespace(root, profile->ns));
++}
++
++/**
++ * p_start - start a depth first traversal of profile tree
++ * @f: seq_file to fill
++ * @pos: current position
++ *
++ * Returns: first profile under current namespace or NULL if none found
++ *
++ * acquires first ns->lock
++ */
++static void *p_start(struct seq_file *f, loff_t *pos)
++	__acquires(root->lock)
++{
++	struct aa_profile *profile = NULL;
++	struct aa_namespace *root = aa_current_profile()->ns;
++	loff_t l = *pos;
++	f->private = aa_get_namespace(root);
++
++
++	/* find the first profile */
++	read_lock(&root->lock);
++	profile = __first_profile(root, root);
++
++	/* skip to position */
++	for (; profile && l > 0; l--)
++		profile = next_profile(root, profile);
++
++	return profile;
++}
++
++/**
++ * p_next - read the next profile entry
++ * @f: seq_file to fill
++ * @p: profile previously returned
++ * @pos: current position
++ *
++ * Returns: next profile after @p or NULL if none
++ *
++ * may acquire/release locks in namespace tree as necessary
++ */
++static void *p_next(struct seq_file *f, void *p, loff_t *pos)
++{
++	struct aa_profile *profile = p;
++	struct aa_namespace *root = f->private;
++	(*pos)++;
++
++	return next_profile(root, profile);
++}
++
++/**
++ * p_stop - stop depth first traversal
++ * @f: seq_file we are filling
++ * @p: the last profile writen
++ *
++ * Release all locking done by p_start/p_next on namespace tree
++ */
++static void p_stop(struct seq_file *f, void *p)
++	__releases(root->lock)
++{
++	struct aa_profile *profile = p;
++	struct aa_namespace *root = f->private, *ns;
++
++	if (profile) {
++		for (ns = profile->ns; ns && ns != root; ns = ns->parent)
++			read_unlock(&ns->lock);
++	}
++	read_unlock(&root->lock);
++	aa_put_namespace(root);
++}
++
++/**
++ * seq_show_profile - show a profile entry
++ * @f: seq_file to file
++ * @p: current position (profile)    (NOT NULL)
++ *
++ * Returns: error on failure
++ */
++static int seq_show_profile(struct seq_file *f, void *p)
++{
++	struct aa_profile *profile = (struct aa_profile *)p;
++	struct aa_namespace *root = f->private;
++
++	if (profile->ns != root)
++		seq_printf(f, ":%s://", aa_ns_name(root, profile->ns));
++	seq_printf(f, "%s (%s)\n", profile->base.hname,
++		   COMPLAIN_MODE(profile) ? "complain" : "enforce");
++
++	return 0;
++}
++
++static const struct seq_operations aa_fs_profiles_op = {
++	.start = p_start,
++	.next = p_next,
++	.stop = p_stop,
++	.show = seq_show_profile,
++};
++
++static int profiles_open(struct inode *inode, struct file *file)
++{
++	return seq_open(file, &aa_fs_profiles_op);
++}
++
++static int profiles_release(struct inode *inode, struct file *file)
++{
++	return seq_release(inode, file);
++}
++
++const struct file_operations aa_fs_profiles_fops = {
++	.open = profiles_open,
++	.read = seq_read,
++	.llseek = seq_lseek,
++	.release = profiles_release,
++};
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 0848292..28c52ac 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -187,7 +187,11 @@ void __init aa_destroy_aafs(void)
+ 		aafs_remove(".remove");
+ 		aafs_remove(".replace");
+ 		aafs_remove(".load");
+-
++#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
++		aafs_remove("profiles");
++		aafs_remove("matching");
++		aafs_remove("features");
++#endif
+ 		securityfs_remove(aa_fs_dentry);
+ 		aa_fs_dentry = NULL;
+ 	}
+@@ -218,7 +222,17 @@ int __init aa_create_aafs(void)
+ 		aa_fs_dentry = NULL;
+ 		goto error;
+ 	}
+-
++#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
++	error = aafs_create("matching", 0444, &aa_fs_matching_fops);
++	if (error)
++		goto error;
++	error = aafs_create("features", 0444, &aa_fs_features_fops);
++	if (error)
++		goto error;
++#endif
++	error = aafs_create("profiles", 0440, &aa_fs_profiles_fops);
++	if (error)
++		goto error;
+ 	error = aafs_create(".load", 0640, &aa_fs_profile_load);
+ 	if (error)
+ 		goto error;
+diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/include/apparmorfs.h
+index cb1e93a..14f955c 100644
+--- a/security/apparmor/include/apparmorfs.h
++++ b/security/apparmor/include/apparmorfs.h
+@@ -17,4 +17,10 @@
+ 
+ extern void __init aa_destroy_aafs(void);
+ 
++#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
++extern const struct file_operations aa_fs_matching_fops;
++extern const struct file_operations aa_fs_features_fops;
++extern const struct file_operations aa_fs_profiles_fops;
++#endif
++
+ #endif /* __AA_APPARMORFS_H */
+-- 
+1.7.0.4
+

kernel-patches/2.6.39/0003-AppArmor-Allow-dfa-backward-compatibility-with-broke.patch

@@ -0,0 +1,68 @@
+From f17b28f64b963c47e76737f7bb7f58ce3a7c5249 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Tue, 20 Jul 2010 06:57:08 -0700
+Subject: [PATCH 3/3] AppArmor: Allow dfa backward compatibility with broken userspace
+
+The apparmor_parser when compiling policy could generate invalid dfas
+that did not have sufficient padding to avoid invalid references, when
+used by the kernel.  The kernels check to verify the next/check table
+size was broken meaning invalid dfas were being created by userspace
+and not caught.
+
+To remain compatible with old tools that are not fixed, pad the loaded
+dfas next/check table.  The dfa's themselves are valid except for the
+high padding for potentially invalid transitions (high bounds error),
+which have a maximimum is 256 entries.  So just allocate an extra null filled
+256 entries for the next/check tables.  This will guarentee all bounds
+are good and invalid transitions go to the null (0) state.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ security/apparmor/match.c |   17 +++++++++++++++++
+ 1 files changed, 17 insertions(+), 0 deletions(-)
+
+diff --git a/security/apparmor/match.c b/security/apparmor/match.c
+index 06d764c..cf92856 100644
+--- a/security/apparmor/match.c
++++ b/security/apparmor/match.c
+@@ -57,8 +57,17 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
+ 	if (bsize < tsize)
+ 		goto out;
+ 
++	/* Pad table allocation for next/check by 256 entries to remain
++	 * backwards compatible with old (buggy) tools and remain safe without
++	 * run time checks
++	 */
++	if (th.td_id == YYTD_ID_NXT || th.td_id == YYTD_ID_CHK)
++		tsize += 256 * th.td_flags;
++
+ 	table = kvmalloc(tsize);
+ 	if (table) {
++		/* ensure the pad is clear, else there will be errors */
++		memset(table, 0, tsize);
+ 		*table = th;
+ 		if (th.td_flags == YYTD_DATA8)
+ 			UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
+@@ -134,11 +143,19 @@ static int verify_dfa(struct aa_dfa *dfa, int flags)
+ 		goto out;
+ 
+ 	if (flags & DFA_FLAG_VERIFY_STATES) {
++		int warning = 0;
+ 		for (i = 0; i < state_count; i++) {
+ 			if (DEFAULT_TABLE(dfa)[i] >= state_count)
+ 				goto out;
+ 			/* TODO: do check that DEF state recursion terminates */
+ 			if (BASE_TABLE(dfa)[i] + 255 >= trans_count) {
++				if (warning)
++					continue;
++				printk(KERN_WARNING "AppArmor DFA next/check "
++				       "upper bounds error fixed, upgrade "
++				       "user space tools \n");
++				warning = 1;
++			} else if (BASE_TABLE(dfa)[i] >= trans_count) {
+ 				printk(KERN_ERR "AppArmor DFA next/check upper "
+ 				       "bounds error\n");
+ 				goto out;
+-- 
+1.7.0.4
+

kernel-patches/3.0/0001-AppArmor-compatibility-patch-for-v5-network-controll.patch

@@ -0,0 +1,553 @@
+From dc13dec93dbd04bfa7a9ba67df1b8ed3431d8d48 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 10 Aug 2011 22:02:39 -0700
+Subject: [PATCH 1/3] AppArmor: compatibility patch for v5 network controll
+
+Add compatibility for v5 network rules.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ include/linux/lsm_audit.h          |    4 +
+ security/apparmor/Makefile         |   19 ++++-
+ security/apparmor/include/net.h    |   40 +++++++++
+ security/apparmor/include/policy.h |    3 +
+ security/apparmor/lsm.c            |  112 +++++++++++++++++++++++
+ security/apparmor/net.c            |  170 ++++++++++++++++++++++++++++++++++++
+ security/apparmor/policy.c         |    1 +
+ security/apparmor/policy_unpack.c  |   48 ++++++++++-
+ 8 files changed, 394 insertions(+), 3 deletions(-)
+ create mode 100644 security/apparmor/include/net.h
+ create mode 100644 security/apparmor/net.c
+
+diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
+index 88e78de..c63979a 100644
+--- a/include/linux/lsm_audit.h
++++ b/include/linux/lsm_audit.h
+@@ -124,6 +124,10 @@ struct common_audit_data {
+ 					u32 denied;
+ 					uid_t ouid;
+ 				} fs;
++				struct {
++					int type, protocol;
++					struct sock *sk;
++				} net;
+ 			};
+ 		} apparmor_audit_data;
+ #endif
+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
+index 2dafe50..7cefef9 100644
+--- a/security/apparmor/Makefile
++++ b/security/apparmor/Makefile
+@@ -4,9 +4,9 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+ 
+ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
+-              resource.o sid.o file.o
++              resource.o sid.o file.o net.o
+ 
+-clean-files := capability_names.h rlim_names.h
++clean-files := capability_names.h rlim_names.h af_names.h
+ 
+ 
+ # Build a lower case string table of capability names
+@@ -44,9 +44,24 @@ cmd_make-rlim = echo "static const char *rlim_names[] = {" > $@ ;\
+ 	sed -r -n "s/^\# ?define[ \t]+(RLIMIT_[A-Z0-9_]+).*/\1,/p" $< >> $@ ;\
+ 	echo "};" >> $@
+ 
++# Build a lower case string table of address family names.
++# Transform lines from
++# #define AF_INET		2	/* Internet IP Protocol 	*/
++# to
++# [2] = "inet",
++quiet_cmd_make-af = GEN     $@
++cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\
++	sed $< >> $@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e \
++	  's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+).*/[\2] = "\L\1",/p';\
++	echo "};" >> $@
++
++
+ $(obj)/capability.o : $(obj)/capability_names.h
+ $(obj)/resource.o : $(obj)/rlim_names.h
++$(obj)/net.o : $(obj)/af_names.h
+ $(obj)/capability_names.h : $(srctree)/include/linux/capability.h
+ 	$(call cmd,make-caps)
+ $(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h
+ 	$(call cmd,make-rlim)
++$(obj)/af_names.h : $(srctree)/include/linux/socket.h
++	$(call cmd,make-af)
+\ No newline at end of file
+diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
+new file mode 100644
+index 0000000..3c7d599
+--- /dev/null
++++ b/security/apparmor/include/net.h
+@@ -0,0 +1,40 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor network mediation definitions.
++ *
++ * Copyright (C) 1998-2008 Novell/SUSE
++ * Copyright 2009-2010 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ */
++
++#ifndef __AA_NET_H
++#define __AA_NET_H
++
++#include <net/sock.h>
++
++/* struct aa_net - network confinement data
++ * @allowed: basic network families permissions
++ * @audit_network: which network permissions to force audit
++ * @quiet_network: which network permissions to quiet rejects
++ */
++struct aa_net {
++	u16 allow[AF_MAX];
++	u16 audit[AF_MAX];
++	u16 quiet[AF_MAX];
++};
++
++extern int aa_net_perm(int op, struct aa_profile *profile, u16 family,
++		       int type, int protocol, struct sock *sk);
++extern int aa_revalidate_sk(int op, struct sock *sk);
++
++static inline void aa_free_net_rules(struct aa_net *new)
++{
++	/* NOP */
++}
++
++#endif /* __AA_NET_H */
+diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
+index aeda5cf..6776929 100644
+--- a/security/apparmor/include/policy.h
++++ b/security/apparmor/include/policy.h
+@@ -27,6 +27,7 @@
+ #include "capability.h"
+ #include "domain.h"
+ #include "file.h"
++#include "net.h"
+ #include "resource.h"
+ 
+ extern const char *profile_mode_names[];
+@@ -145,6 +146,7 @@ struct aa_namespace {
+  * @size: the memory consumed by this profiles rules
+  * @file: The set of rules governing basic file access and domain transitions
+  * @caps: capabilities for the profile
++ * @net: network controls for the profile
+  * @rlimits: rlimits for the profile
+  *
+  * The AppArmor profile contains the basic confinement data.  Each profile
+@@ -181,6 +183,7 @@ struct aa_profile {
+ 
+ 	struct aa_file_rules file;
+ 	struct aa_caps caps;
++	struct aa_net net;
+ 	struct aa_rlimit rlimits;
+ };
+ 
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index 3d2fd14..aa293ae 100644
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -32,6 +32,7 @@
+ #include "include/context.h"
+ #include "include/file.h"
+ #include "include/ipc.h"
++#include "include/net.h"
+ #include "include/path.h"
+ #include "include/policy.h"
+ #include "include/procattr.h"
+@@ -621,6 +622,104 @@ static int apparmor_task_setrlimit(struct task_struct *task,
+ 	return error;
+ }
+ 
++static int apparmor_socket_create(int family, int type, int protocol, int kern)
++{
++	struct aa_profile *profile;
++	int error = 0;
++
++	if (kern)
++		return 0;
++
++	profile = __aa_current_profile();
++	if (!unconfined(profile))
++		error = aa_net_perm(OP_CREATE, profile, family, type, protocol,
++				    NULL);
++	return error;
++}
++
++static int apparmor_socket_bind(struct socket *sock,
++				struct sockaddr *address, int addrlen)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_BIND, sk);
++}
++
++static int apparmor_socket_connect(struct socket *sock,
++				   struct sockaddr *address, int addrlen)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_CONNECT, sk);
++}
++
++static int apparmor_socket_listen(struct socket *sock, int backlog)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_LISTEN, sk);
++}
++
++static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_ACCEPT, sk);
++}
++
++static int apparmor_socket_sendmsg(struct socket *sock,
++				   struct msghdr *msg, int size)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_SENDMSG, sk);
++}
++
++static int apparmor_socket_recvmsg(struct socket *sock,
++				   struct msghdr *msg, int size, int flags)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_RECVMSG, sk);
++}
++
++static int apparmor_socket_getsockname(struct socket *sock)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_GETSOCKNAME, sk);
++}
++
++static int apparmor_socket_getpeername(struct socket *sock)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_GETPEERNAME, sk);
++}
++
++static int apparmor_socket_getsockopt(struct socket *sock, int level,
++				      int optname)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_GETSOCKOPT, sk);
++}
++
++static int apparmor_socket_setsockopt(struct socket *sock, int level,
++				      int optname)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_SETSOCKOPT, sk);
++}
++
++static int apparmor_socket_shutdown(struct socket *sock, int how)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
++}
++
+ static struct security_operations apparmor_ops = {
+ 	.name =				"apparmor",
+ 
+@@ -652,6 +751,19 @@ static struct security_operations apparmor_ops = {
+ 	.getprocattr =			apparmor_getprocattr,
+ 	.setprocattr =			apparmor_setprocattr,
+ 
++	.socket_create =		apparmor_socket_create,
++	.socket_bind =			apparmor_socket_bind,
++	.socket_connect =		apparmor_socket_connect,
++	.socket_listen =		apparmor_socket_listen,
++	.socket_accept =		apparmor_socket_accept,
++	.socket_sendmsg =		apparmor_socket_sendmsg,
++	.socket_recvmsg =		apparmor_socket_recvmsg,
++	.socket_getsockname =		apparmor_socket_getsockname,
++	.socket_getpeername =		apparmor_socket_getpeername,
++	.socket_getsockopt =		apparmor_socket_getsockopt,
++	.socket_setsockopt =		apparmor_socket_setsockopt,
++	.socket_shutdown =		apparmor_socket_shutdown,
++
+ 	.cred_alloc_blank =		apparmor_cred_alloc_blank,
+ 	.cred_free =			apparmor_cred_free,
+ 	.cred_prepare =			apparmor_cred_prepare,
+diff --git a/security/apparmor/net.c b/security/apparmor/net.c
+new file mode 100644
+index 0000000..1765901
+--- /dev/null
++++ b/security/apparmor/net.c
+@@ -0,0 +1,170 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor network mediation
++ *
++ * Copyright (C) 1998-2008 Novell/SUSE
++ * Copyright 2009-2010 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ */
++
++#include "include/apparmor.h"
++#include "include/audit.h"
++#include "include/context.h"
++#include "include/net.h"
++#include "include/policy.h"
++
++#include "af_names.h"
++
++static const char *sock_type_names[] = {
++	"unknown(0)",
++	"stream",
++	"dgram",
++	"raw",
++	"rdm",
++	"seqpacket",
++	"dccp",
++	"unknown(7)",
++	"unknown(8)",
++	"unknown(9)",
++	"packet",
++};
++
++/* audit callback for net specific fields */
++static void audit_cb(struct audit_buffer *ab, void *va)
++{
++	struct common_audit_data *sa = va;
++
++	audit_log_format(ab, " family=");
++	if (address_family_names[sa->u.net.family]) {
++		audit_log_string(ab, address_family_names[sa->u.net.family]);
++	} else {
++		audit_log_format(ab, " \"unknown(%d)\"", sa->u.net.family);
++	}
++
++	audit_log_format(ab, " sock_type=");
++	if (sock_type_names[sa->aad.net.type]) {
++		audit_log_string(ab, sock_type_names[sa->aad.net.type]);
++	} else {
++		audit_log_format(ab, "\"unknown(%d)\"", sa->aad.net.type);
++	}
++
++	audit_log_format(ab, " protocol=%d", sa->aad.net.protocol);
++}
++
++/**
++ * audit_net - audit network access
++ * @profile: profile being enforced  (NOT NULL)
++ * @op: operation being checked
++ * @family: network family
++ * @type:   network type
++ * @protocol: network protocol
++ * @sk: socket auditing is being applied to
++ * @error: error code for failure else 0
++ *
++ * Returns: %0 or sa->error else other errorcode on failure
++ */
++static int audit_net(struct aa_profile *profile, int op, u16 family, int type,
++		     int protocol, struct sock *sk, int error)
++{
++	int audit_type = AUDIT_APPARMOR_AUTO;
++	struct common_audit_data sa;
++	if (sk) {
++		COMMON_AUDIT_DATA_INIT(&sa, NET);
++	} else {
++		COMMON_AUDIT_DATA_INIT(&sa, NONE);
++	}
++	/* todo fill in socket addr info */
++
++	sa.aad.op = op,
++	sa.u.net.family = family;
++	sa.u.net.sk = sk;
++	sa.aad.net.type = type;
++	sa.aad.net.protocol = protocol;
++	sa.aad.error = error;
++
++	if (likely(!sa.aad.error)) {
++		u16 audit_mask = profile->net.audit[sa.u.net.family];
++		if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
++			   !(1 << sa.aad.net.type & audit_mask)))
++			return 0;
++		audit_type = AUDIT_APPARMOR_AUDIT;
++	} else {
++		u16 quiet_mask = profile->net.quiet[sa.u.net.family];
++		u16 kill_mask = 0;
++		u16 denied = (1 << sa.aad.net.type) & ~quiet_mask;
++
++		if (denied & kill_mask)
++			audit_type = AUDIT_APPARMOR_KILL;
++
++		if ((denied & quiet_mask) &&
++		    AUDIT_MODE(profile) != AUDIT_NOQUIET &&
++		    AUDIT_MODE(profile) != AUDIT_ALL)
++			return COMPLAIN_MODE(profile) ? 0 : sa.aad.error;
++	}
++
++	return aa_audit(audit_type, profile, GFP_KERNEL, &sa, audit_cb);
++}
++
++/**
++ * aa_net_perm - very course network access check
++ * @op: operation being checked
++ * @profile: profile being enforced  (NOT NULL)
++ * @family: network family
++ * @type:   network type
++ * @protocol: network protocol
++ *
++ * Returns: %0 else error if permission denied
++ */
++int aa_net_perm(int op, struct aa_profile *profile, u16 family, int type,
++		int protocol, struct sock *sk)
++{
++	u16 family_mask;
++	int error;
++
++	if ((family < 0) || (family >= AF_MAX))
++		return -EINVAL;
++
++	if ((type < 0) || (type >= SOCK_MAX))
++		return -EINVAL;
++
++	/* unix domain and netlink sockets are handled by ipc */
++	if (family == AF_UNIX || family == AF_NETLINK)
++		return 0;
++
++	family_mask = profile->net.allow[family];
++
++	error = (family_mask & (1 << type)) ? 0 : -EACCES;
++
++	return audit_net(profile, op, family, type, protocol, sk, error);
++}
++
++/**
++ * aa_revalidate_sk - Revalidate access to a sock
++ * @op: operation being checked
++ * @sk: sock being revalidated  (NOT NULL)
++ *
++ * Returns: %0 else error if permission denied
++ */
++int aa_revalidate_sk(int op, struct sock *sk)
++{
++	struct aa_profile *profile;
++	int error = 0;
++
++	/* aa_revalidate_sk should not be called from interrupt context
++	 * don't mediate these calls as they are not task related
++	 */
++	if (in_interrupt())
++		return 0;
++
++	profile = __aa_current_profile();
++	if (!unconfined(profile))
++		error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type,
++				    sk->sk_protocol, sk);
++
++	return error;
++}
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index 4f0eade..4d5ce13 100644
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -745,6 +745,7 @@ static void free_profile(struct aa_profile *profile)
+ 
+ 	aa_free_file_rules(&profile->file);
+ 	aa_free_cap_rules(&profile->caps);
++	aa_free_net_rules(&profile->net);
+ 	aa_free_rlimit_rules(&profile->rlimits);
+ 
+ 	aa_free_sid(profile->sid);
+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
+index d6d9a57..f4874c4 100644
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -190,6 +190,19 @@ fail:
+ 	return 0;
+ }
+ 
++static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name)
++{
++	if (unpack_nameX(e, AA_U16, name)) {
++		if (!inbounds(e, sizeof(u16)))
++			return 0;
++		if (data)
++			*data = le16_to_cpu(get_unaligned((u16 *) e->pos));
++		e->pos += sizeof(u16);
++		return 1;
++	}
++	return 0;
++}
++
+ static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
+ {
+ 	if (unpack_nameX(e, AA_U32, name)) {
+@@ -468,7 +481,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ {
+ 	struct aa_profile *profile = NULL;
+ 	const char *name = NULL;
+-	int error = -EPROTO;
++	size_t size = 0;
++	int i, error = -EPROTO;
+ 	kernel_cap_t tmpcap;
+ 	u32 tmp;
+ 
+@@ -559,6 +573,38 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ 	if (!unpack_rlimits(e, profile))
+ 		goto fail;
+ 
++	size = unpack_array(e, "net_allowed_af");
++	if (size) {
++
++		for (i = 0; i < size; i++) {
++			/* discard extraneous rules that this kernel will
++			 * never request
++			 */
++			if (i >= AF_MAX) {
++				u16 tmp;
++				if (!unpack_u16(e, &tmp, NULL) ||
++				    !unpack_u16(e, &tmp, NULL) ||
++				    !unpack_u16(e, &tmp, NULL))
++					goto fail;
++				continue;
++			}
++			if (!unpack_u16(e, &profile->net.allow[i], NULL))
++				goto fail;
++			if (!unpack_u16(e, &profile->net.audit[i], NULL))
++				goto fail;
++			if (!unpack_u16(e, &profile->net.quiet[i], NULL))
++				goto fail;
++		}
++		if (!unpack_nameX(e, AA_ARRAYEND, NULL))
++			goto fail;
++		/*
++		 * allow unix domain and netlink sockets they are handled
++		 * by IPC
++		 */
++	}
++	profile->net.allow[AF_UNIX] = 0xffff;
++	profile->net.allow[AF_NETLINK] = 0xffff;
++
+ 	/* get file rules */
+ 	profile->file.dfa = unpack_dfa(e);
+ 	if (IS_ERR(profile->file.dfa)) {
+-- 
+1.7.5.4
+

kernel-patches/3.0/0002-AppArmor-compatibility-patch-for-v5-interface.patch

@@ -0,0 +1,391 @@
+From a2515f25ad5a7833ddc5a032d34eee6a5ddee3a2 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 10 Aug 2011 22:02:40 -0700
+Subject: [PATCH 2/3] AppArmor: compatibility patch for v5 interface
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ security/apparmor/Kconfig              |    9 +
+ security/apparmor/Makefile             |    1 +
+ security/apparmor/apparmorfs-24.c      |  287 ++++++++++++++++++++++++++++++++
+ security/apparmor/apparmorfs.c         |   18 ++-
+ security/apparmor/include/apparmorfs.h |    6 +
+ 5 files changed, 319 insertions(+), 2 deletions(-)
+ create mode 100644 security/apparmor/apparmorfs-24.c
+
+diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
+index 9b9013b..51ebf96 100644
+--- a/security/apparmor/Kconfig
++++ b/security/apparmor/Kconfig
+@@ -29,3 +29,12 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE
+ 	  boot.
+ 
+ 	  If you are unsure how to answer this question, answer 1.
++
++config SECURITY_APPARMOR_COMPAT_24
++	bool "Enable AppArmor 2.4 compatability"
++	depends on SECURITY_APPARMOR
++	default y
++	help
++	  This option enables compatability with AppArmor 2.4.  It is
++          recommended if compatability with older versions of AppArmor
++          is desired.
+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
+index 7cefef9..0bb604b 100644
+--- a/security/apparmor/Makefile
++++ b/security/apparmor/Makefile
+@@ -5,6 +5,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
+               resource.o sid.o file.o net.o
++apparmor-$(CONFIG_SECURITY_APPARMOR_COMPAT_24) += apparmorfs-24.o
+ 
+ clean-files := capability_names.h rlim_names.h af_names.h
+ 
+diff --git a/security/apparmor/apparmorfs-24.c b/security/apparmor/apparmorfs-24.c
+new file mode 100644
+index 0000000..dc8c744
+--- /dev/null
++++ b/security/apparmor/apparmorfs-24.c
+@@ -0,0 +1,287 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor /sys/kernel/secrutiy/apparmor interface functions
++ *
++ * Copyright (C) 1998-2008 Novell/SUSE
++ * Copyright 2009-2010 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ *
++ *
++ * This file contain functions providing an interface for <= AppArmor 2.4
++ * compatibility.  It is dependent on CONFIG_SECURITY_APPARMOR_COMPAT_24
++ * being set (see Makefile).
++ */
++
++#include <linux/security.h>
++#include <linux/vmalloc.h>
++#include <linux/module.h>
++#include <linux/seq_file.h>
++#include <linux/uaccess.h>
++#include <linux/namei.h>
++
++#include "include/apparmor.h"
++#include "include/audit.h"
++#include "include/context.h"
++#include "include/policy.h"
++
++
++/* apparmor/matching */
++static ssize_t aa_matching_read(struct file *file, char __user *buf,
++				size_t size, loff_t *ppos)
++{
++	const char matching[] = "pattern=aadfa audit perms=crwxamlk/ "
++	    "user::other";
++
++	return simple_read_from_buffer(buf, size, ppos, matching,
++				       sizeof(matching) - 1);
++}
++
++const struct file_operations aa_fs_matching_fops = {
++	.read = aa_matching_read,
++};
++
++/* apparmor/features */
++static ssize_t aa_features_read(struct file *file, char __user *buf,
++				size_t size, loff_t *ppos)
++{
++	const char features[] = "file=3.1 capability=2.0 network=1.0 "
++	    "change_hat=1.5 change_profile=1.1 " "aanamespaces=1.1 rlimit=1.1";
++
++	return simple_read_from_buffer(buf, size, ppos, features,
++				       sizeof(features) - 1);
++}
++
++const struct file_operations aa_fs_features_fops = {
++	.read = aa_features_read,
++};
++
++/**
++ * __next_namespace - find the next namespace to list
++ * @root: root namespace to stop search at (NOT NULL)
++ * @ns: current ns position (NOT NULL)
++ *
++ * Find the next namespace from @ns under @root and handle all locking needed
++ * while switching current namespace.
++ *
++ * Returns: next namespace or NULL if at last namespace under @root
++ * NOTE: will not unlock root->lock
++ */
++static struct aa_namespace *__next_namespace(struct aa_namespace *root,
++					     struct aa_namespace *ns)
++{
++	struct aa_namespace *parent;
++
++	/* is next namespace a child */
++	if (!list_empty(&ns->sub_ns)) {
++		struct aa_namespace *next;
++		next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
++		read_lock(&next->lock);
++		return next;
++	}
++
++	/* check if the next ns is a sibling, parent, gp, .. */
++	parent = ns->parent;
++	while (parent) {
++		read_unlock(&ns->lock);
++		list_for_each_entry_continue(ns, &parent->sub_ns, base.list) {
++			read_lock(&ns->lock);
++			return ns;
++		}
++		if (parent == root)
++			return NULL;
++		ns = parent;
++		parent = parent->parent;
++	}
++
++	return NULL;
++}
++
++/**
++ * __first_profile - find the first profile in a namespace
++ * @root: namespace that is root of profiles being displayed (NOT NULL)
++ * @ns: namespace to start in   (NOT NULL)
++ *
++ * Returns: unrefcounted profile or NULL if no profile
++ */
++static struct aa_profile *__first_profile(struct aa_namespace *root,
++					  struct aa_namespace *ns)
++{
++	for ( ; ns; ns = __next_namespace(root, ns)) {
++		if (!list_empty(&ns->base.profiles))
++			return list_first_entry(&ns->base.profiles,
++						struct aa_profile, base.list);
++	}
++	return NULL;
++}
++
++/**
++ * __next_profile - step to the next profile in a profile tree
++ * @profile: current profile in tree (NOT NULL)
++ *
++ * Perform a depth first taversal on the profile tree in a namespace
++ *
++ * Returns: next profile or NULL if done
++ * Requires: profile->ns.lock to be held
++ */
++static struct aa_profile *__next_profile(struct aa_profile *p)
++{
++	struct aa_profile *parent;
++	struct aa_namespace *ns = p->ns;
++
++	/* is next profile a child */
++	if (!list_empty(&p->base.profiles))
++		return list_first_entry(&p->base.profiles, typeof(*p),
++					base.list);
++
++	/* is next profile a sibling, parent sibling, gp, subling, .. */
++	parent = p->parent;
++	while (parent) {
++		list_for_each_entry_continue(p, &parent->base.profiles,
++					     base.list)
++				return p;
++		p = parent;
++		parent = parent->parent;
++	}
++
++	/* is next another profile in the namespace */
++	list_for_each_entry_continue(p, &ns->base.profiles, base.list)
++		return p;
++
++	return NULL;
++}
++
++/**
++ * next_profile - step to the next profile in where ever it may be
++ * @root: root namespace  (NOT NULL)
++ * @profile: current profile  (NOT NULL)
++ *
++ * Returns: next profile or NULL if there isn't one
++ */
++static struct aa_profile *next_profile(struct aa_namespace *root,
++				       struct aa_profile *profile)
++{
++	struct aa_profile *next = __next_profile(profile);
++	if (next)
++		return next;
++
++	/* finished all profiles in namespace move to next namespace */
++	return __first_profile(root, __next_namespace(root, profile->ns));
++}
++
++/**
++ * p_start - start a depth first traversal of profile tree
++ * @f: seq_file to fill
++ * @pos: current position
++ *
++ * Returns: first profile under current namespace or NULL if none found
++ *
++ * acquires first ns->lock
++ */
++static void *p_start(struct seq_file *f, loff_t *pos)
++	__acquires(root->lock)
++{
++	struct aa_profile *profile = NULL;
++	struct aa_namespace *root = aa_current_profile()->ns;
++	loff_t l = *pos;
++	f->private = aa_get_namespace(root);
++
++
++	/* find the first profile */
++	read_lock(&root->lock);
++	profile = __first_profile(root, root);
++
++	/* skip to position */
++	for (; profile && l > 0; l--)
++		profile = next_profile(root, profile);
++
++	return profile;
++}
++
++/**
++ * p_next - read the next profile entry
++ * @f: seq_file to fill
++ * @p: profile previously returned
++ * @pos: current position
++ *
++ * Returns: next profile after @p or NULL if none
++ *
++ * may acquire/release locks in namespace tree as necessary
++ */
++static void *p_next(struct seq_file *f, void *p, loff_t *pos)
++{
++	struct aa_profile *profile = p;
++	struct aa_namespace *root = f->private;
++	(*pos)++;
++
++	return next_profile(root, profile);
++}
++
++/**
++ * p_stop - stop depth first traversal
++ * @f: seq_file we are filling
++ * @p: the last profile writen
++ *
++ * Release all locking done by p_start/p_next on namespace tree
++ */
++static void p_stop(struct seq_file *f, void *p)
++	__releases(root->lock)
++{
++	struct aa_profile *profile = p;
++	struct aa_namespace *root = f->private, *ns;
++
++	if (profile) {
++		for (ns = profile->ns; ns && ns != root; ns = ns->parent)
++			read_unlock(&ns->lock);
++	}
++	read_unlock(&root->lock);
++	aa_put_namespace(root);
++}
++
++/**
++ * seq_show_profile - show a profile entry
++ * @f: seq_file to file
++ * @p: current position (profile)    (NOT NULL)
++ *
++ * Returns: error on failure
++ */
++static int seq_show_profile(struct seq_file *f, void *p)
++{
++	struct aa_profile *profile = (struct aa_profile *)p;
++	struct aa_namespace *root = f->private;
++
++	if (profile->ns != root)
++		seq_printf(f, ":%s://", aa_ns_name(root, profile->ns));
++	seq_printf(f, "%s (%s)\n", profile->base.hname,
++		   COMPLAIN_MODE(profile) ? "complain" : "enforce");
++
++	return 0;
++}
++
++static const struct seq_operations aa_fs_profiles_op = {
++	.start = p_start,
++	.next = p_next,
++	.stop = p_stop,
++	.show = seq_show_profile,
++};
++
++static int profiles_open(struct inode *inode, struct file *file)
++{
++	return seq_open(file, &aa_fs_profiles_op);
++}
++
++static int profiles_release(struct inode *inode, struct file *file)
++{
++	return seq_release(inode, file);
++}
++
++const struct file_operations aa_fs_profiles_fops = {
++	.open = profiles_open,
++	.read = seq_read,
++	.llseek = seq_lseek,
++	.release = profiles_release,
++};
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 0848292..28c52ac 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -187,7 +187,11 @@ void __init aa_destroy_aafs(void)
+ 		aafs_remove(".remove");
+ 		aafs_remove(".replace");
+ 		aafs_remove(".load");
+-
++#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
++		aafs_remove("profiles");
++		aafs_remove("matching");
++		aafs_remove("features");
++#endif
+ 		securityfs_remove(aa_fs_dentry);
+ 		aa_fs_dentry = NULL;
+ 	}
+@@ -218,7 +222,17 @@ int __init aa_create_aafs(void)
+ 		aa_fs_dentry = NULL;
+ 		goto error;
+ 	}
+-
++#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
++	error = aafs_create("matching", 0444, &aa_fs_matching_fops);
++	if (error)
++		goto error;
++	error = aafs_create("features", 0444, &aa_fs_features_fops);
++	if (error)
++		goto error;
++#endif
++	error = aafs_create("profiles", 0440, &aa_fs_profiles_fops);
++	if (error)
++		goto error;
+ 	error = aafs_create(".load", 0640, &aa_fs_profile_load);
+ 	if (error)
+ 		goto error;
+diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/include/apparmorfs.h
+index cb1e93a..14f955c 100644
+--- a/security/apparmor/include/apparmorfs.h
++++ b/security/apparmor/include/apparmorfs.h
+@@ -17,4 +17,10 @@
+ 
+ extern void __init aa_destroy_aafs(void);
+ 
++#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
++extern const struct file_operations aa_fs_matching_fops;
++extern const struct file_operations aa_fs_features_fops;
++extern const struct file_operations aa_fs_profiles_fops;
++#endif
++
+ #endif /* __AA_APPARMORFS_H */
+-- 
+1.7.5.4
+

kernel-patches/3.0/0003-AppArmor-Allow-dfa-backward-compatibility-with-broke.patch

@@ -0,0 +1,69 @@
+From 7a10d093f9779f42cb8d6affcb6a4436d3ebd6d3 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 10 Aug 2011 22:02:41 -0700
+Subject: [PATCH 3/3] AppArmor: Allow dfa backward compatibility with broken
+ userspace
+
+The apparmor_parser when compiling policy could generate invalid dfas
+that did not have sufficient padding to avoid invalid references, when
+used by the kernel.  The kernels check to verify the next/check table
+size was broken meaning invalid dfas were being created by userspace
+and not caught.
+
+To remain compatible with old tools that are not fixed, pad the loaded
+dfas next/check table.  The dfa's themselves are valid except for the
+high padding for potentially invalid transitions (high bounds error),
+which have a maximimum is 256 entries.  So just allocate an extra null filled
+256 entries for the next/check tables.  This will guarentee all bounds
+are good and invalid transitions go to the null (0) state.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ security/apparmor/match.c |   17 +++++++++++++++++
+ 1 files changed, 17 insertions(+), 0 deletions(-)
+
+diff --git a/security/apparmor/match.c b/security/apparmor/match.c
+index 94de6b4..081491e 100644
+--- a/security/apparmor/match.c
++++ b/security/apparmor/match.c
+@@ -57,8 +57,17 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
+ 	if (bsize < tsize)
+ 		goto out;
+ 
++	/* Pad table allocation for next/check by 256 entries to remain
++	 * backwards compatible with old (buggy) tools and remain safe without
++	 * run time checks
++	 */
++	if (th.td_id == YYTD_ID_NXT || th.td_id == YYTD_ID_CHK)
++		tsize += 256 * th.td_flags;
++
+ 	table = kvmalloc(tsize);
+ 	if (table) {
++		/* ensure the pad is clear, else there will be errors */
++		memset(table, 0, tsize);
+ 		*table = th;
+ 		if (th.td_flags == YYTD_DATA8)
+ 			UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
+@@ -134,11 +143,19 @@ static int verify_dfa(struct aa_dfa *dfa, int flags)
+ 		goto out;
+ 
+ 	if (flags & DFA_FLAG_VERIFY_STATES) {
++		int warning = 0;
+ 		for (i = 0; i < state_count; i++) {
+ 			if (DEFAULT_TABLE(dfa)[i] >= state_count)
+ 				goto out;
+ 			/* TODO: do check that DEF state recursion terminates */
+ 			if (BASE_TABLE(dfa)[i] + 255 >= trans_count) {
++				if (warning)
++					continue;
++				printk(KERN_WARNING "AppArmor DFA next/check "
++				       "upper bounds error fixed, upgrade "
++				       "user space tools \n");
++				warning = 1;
++			} else if (BASE_TABLE(dfa)[i] >= trans_count) {
+ 				printk(KERN_ERR "AppArmor DFA next/check upper "
+ 				       "bounds error\n");
+ 				goto out;
+-- 
+1.7.5.4
+

kernel-patches/3.1/0001-AppArmor-compatibility-patch-for-v5-network-controll.patch

@@ -0,0 +1,553 @@
+From dc13dec93dbd04bfa7a9ba67df1b8ed3431d8d48 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 10 Aug 2011 22:02:39 -0700
+Subject: [PATCH 1/3] AppArmor: compatibility patch for v5 network controll
+
+Add compatibility for v5 network rules.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ include/linux/lsm_audit.h          |    4 +
+ security/apparmor/Makefile         |   19 ++++-
+ security/apparmor/include/net.h    |   40 +++++++++
+ security/apparmor/include/policy.h |    3 +
+ security/apparmor/lsm.c            |  112 +++++++++++++++++++++++
+ security/apparmor/net.c            |  170 ++++++++++++++++++++++++++++++++++++
+ security/apparmor/policy.c         |    1 +
+ security/apparmor/policy_unpack.c  |   48 ++++++++++-
+ 8 files changed, 394 insertions(+), 3 deletions(-)
+ create mode 100644 security/apparmor/include/net.h
+ create mode 100644 security/apparmor/net.c
+
+diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
+index 88e78de..c63979a 100644
+--- a/include/linux/lsm_audit.h
++++ b/include/linux/lsm_audit.h
+@@ -124,6 +124,10 @@ struct common_audit_data {
+ 					u32 denied;
+ 					uid_t ouid;
+ 				} fs;
++				struct {
++					int type, protocol;
++					struct sock *sk;
++				} net;
+ 			};
+ 		} apparmor_audit_data;
+ #endif
+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
+index 2dafe50..7cefef9 100644
+--- a/security/apparmor/Makefile
++++ b/security/apparmor/Makefile
+@@ -4,9 +4,9 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+ 
+ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
+-              resource.o sid.o file.o
++              resource.o sid.o file.o net.o
+ 
+-clean-files := capability_names.h rlim_names.h
++clean-files := capability_names.h rlim_names.h af_names.h
+ 
+ 
+ # Build a lower case string table of capability names
+@@ -44,9 +44,24 @@ cmd_make-rlim = echo "static const char *rlim_names[] = {" > $@ ;\
+ 	sed -r -n "s/^\# ?define[ \t]+(RLIMIT_[A-Z0-9_]+).*/\1,/p" $< >> $@ ;\
+ 	echo "};" >> $@
+ 
++# Build a lower case string table of address family names.
++# Transform lines from
++# #define AF_INET		2	/* Internet IP Protocol 	*/
++# to
++# [2] = "inet",
++quiet_cmd_make-af = GEN     $@
++cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\
++	sed $< >> $@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e \
++	  's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+).*/[\2] = "\L\1",/p';\
++	echo "};" >> $@
++
++
+ $(obj)/capability.o : $(obj)/capability_names.h
+ $(obj)/resource.o : $(obj)/rlim_names.h
++$(obj)/net.o : $(obj)/af_names.h
+ $(obj)/capability_names.h : $(srctree)/include/linux/capability.h
+ 	$(call cmd,make-caps)
+ $(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h
+ 	$(call cmd,make-rlim)
++$(obj)/af_names.h : $(srctree)/include/linux/socket.h
++	$(call cmd,make-af)
+\ No newline at end of file
+diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
+new file mode 100644
+index 0000000..3c7d599
+--- /dev/null
++++ b/security/apparmor/include/net.h
+@@ -0,0 +1,40 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor network mediation definitions.
++ *
++ * Copyright (C) 1998-2008 Novell/SUSE
++ * Copyright 2009-2010 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ */
++
++#ifndef __AA_NET_H
++#define __AA_NET_H
++
++#include <net/sock.h>
++
++/* struct aa_net - network confinement data
++ * @allowed: basic network families permissions
++ * @audit_network: which network permissions to force audit
++ * @quiet_network: which network permissions to quiet rejects
++ */
++struct aa_net {
++	u16 allow[AF_MAX];
++	u16 audit[AF_MAX];
++	u16 quiet[AF_MAX];
++};
++
++extern int aa_net_perm(int op, struct aa_profile *profile, u16 family,
++		       int type, int protocol, struct sock *sk);
++extern int aa_revalidate_sk(int op, struct sock *sk);
++
++static inline void aa_free_net_rules(struct aa_net *new)
++{
++	/* NOP */
++}
++
++#endif /* __AA_NET_H */
+diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
+index aeda5cf..6776929 100644
+--- a/security/apparmor/include/policy.h
++++ b/security/apparmor/include/policy.h
+@@ -27,6 +27,7 @@
+ #include "capability.h"
+ #include "domain.h"
+ #include "file.h"
++#include "net.h"
+ #include "resource.h"
+ 
+ extern const char *profile_mode_names[];
+@@ -145,6 +146,7 @@ struct aa_namespace {
+  * @size: the memory consumed by this profiles rules
+  * @file: The set of rules governing basic file access and domain transitions
+  * @caps: capabilities for the profile
++ * @net: network controls for the profile
+  * @rlimits: rlimits for the profile
+  *
+  * The AppArmor profile contains the basic confinement data.  Each profile
+@@ -181,6 +183,7 @@ struct aa_profile {
+ 
+ 	struct aa_file_rules file;
+ 	struct aa_caps caps;
++	struct aa_net net;
+ 	struct aa_rlimit rlimits;
+ };
+ 
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index 3d2fd14..aa293ae 100644
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -32,6 +32,7 @@
+ #include "include/context.h"
+ #include "include/file.h"
+ #include "include/ipc.h"
++#include "include/net.h"
+ #include "include/path.h"
+ #include "include/policy.h"
+ #include "include/procattr.h"
+@@ -621,6 +622,104 @@ static int apparmor_task_setrlimit(struct task_struct *task,
+ 	return error;
+ }
+ 
++static int apparmor_socket_create(int family, int type, int protocol, int kern)
++{
++	struct aa_profile *profile;
++	int error = 0;
++
++	if (kern)
++		return 0;
++
++	profile = __aa_current_profile();
++	if (!unconfined(profile))
++		error = aa_net_perm(OP_CREATE, profile, family, type, protocol,
++				    NULL);
++	return error;
++}
++
++static int apparmor_socket_bind(struct socket *sock,
++				struct sockaddr *address, int addrlen)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_BIND, sk);
++}
++
++static int apparmor_socket_connect(struct socket *sock,
++				   struct sockaddr *address, int addrlen)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_CONNECT, sk);
++}
++
++static int apparmor_socket_listen(struct socket *sock, int backlog)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_LISTEN, sk);
++}
++
++static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_ACCEPT, sk);
++}
++
++static int apparmor_socket_sendmsg(struct socket *sock,
++				   struct msghdr *msg, int size)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_SENDMSG, sk);
++}
++
++static int apparmor_socket_recvmsg(struct socket *sock,
++				   struct msghdr *msg, int size, int flags)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_RECVMSG, sk);
++}
++
++static int apparmor_socket_getsockname(struct socket *sock)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_GETSOCKNAME, sk);
++}
++
++static int apparmor_socket_getpeername(struct socket *sock)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_GETPEERNAME, sk);
++}
++
++static int apparmor_socket_getsockopt(struct socket *sock, int level,
++				      int optname)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_GETSOCKOPT, sk);
++}
++
++static int apparmor_socket_setsockopt(struct socket *sock, int level,
++				      int optname)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_SETSOCKOPT, sk);
++}
++
++static int apparmor_socket_shutdown(struct socket *sock, int how)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
++}
++
+ static struct security_operations apparmor_ops = {
+ 	.name =				"apparmor",
+ 
+@@ -652,6 +751,19 @@ static struct security_operations apparmor_ops = {
+ 	.getprocattr =			apparmor_getprocattr,
+ 	.setprocattr =			apparmor_setprocattr,
+ 
++	.socket_create =		apparmor_socket_create,
++	.socket_bind =			apparmor_socket_bind,
++	.socket_connect =		apparmor_socket_connect,
++	.socket_listen =		apparmor_socket_listen,
++	.socket_accept =		apparmor_socket_accept,
++	.socket_sendmsg =		apparmor_socket_sendmsg,
++	.socket_recvmsg =		apparmor_socket_recvmsg,
++	.socket_getsockname =		apparmor_socket_getsockname,
++	.socket_getpeername =		apparmor_socket_getpeername,
++	.socket_getsockopt =		apparmor_socket_getsockopt,
++	.socket_setsockopt =		apparmor_socket_setsockopt,
++	.socket_shutdown =		apparmor_socket_shutdown,
++
+ 	.cred_alloc_blank =		apparmor_cred_alloc_blank,
+ 	.cred_free =			apparmor_cred_free,
+ 	.cred_prepare =			apparmor_cred_prepare,
+diff --git a/security/apparmor/net.c b/security/apparmor/net.c
+new file mode 100644
+index 0000000..1765901
+--- /dev/null
++++ b/security/apparmor/net.c
+@@ -0,0 +1,170 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor network mediation
++ *
++ * Copyright (C) 1998-2008 Novell/SUSE
++ * Copyright 2009-2010 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ */
++
++#include "include/apparmor.h"
++#include "include/audit.h"
++#include "include/context.h"
++#include "include/net.h"
++#include "include/policy.h"
++
++#include "af_names.h"
++
++static const char *sock_type_names[] = {
++	"unknown(0)",
++	"stream",
++	"dgram",
++	"raw",
++	"rdm",
++	"seqpacket",
++	"dccp",
++	"unknown(7)",
++	"unknown(8)",
++	"unknown(9)",
++	"packet",
++};
++
++/* audit callback for net specific fields */
++static void audit_cb(struct audit_buffer *ab, void *va)
++{
++	struct common_audit_data *sa = va;
++
++	audit_log_format(ab, " family=");
++	if (address_family_names[sa->u.net.family]) {
++		audit_log_string(ab, address_family_names[sa->u.net.family]);
++	} else {
++		audit_log_format(ab, " \"unknown(%d)\"", sa->u.net.family);
++	}
++
++	audit_log_format(ab, " sock_type=");
++	if (sock_type_names[sa->aad.net.type]) {
++		audit_log_string(ab, sock_type_names[sa->aad.net.type]);
++	} else {
++		audit_log_format(ab, "\"unknown(%d)\"", sa->aad.net.type);
++	}
++
++	audit_log_format(ab, " protocol=%d", sa->aad.net.protocol);
++}
++
++/**
++ * audit_net - audit network access
++ * @profile: profile being enforced  (NOT NULL)
++ * @op: operation being checked
++ * @family: network family
++ * @type:   network type
++ * @protocol: network protocol
++ * @sk: socket auditing is being applied to
++ * @error: error code for failure else 0
++ *
++ * Returns: %0 or sa->error else other errorcode on failure
++ */
++static int audit_net(struct aa_profile *profile, int op, u16 family, int type,
++		     int protocol, struct sock *sk, int error)
++{
++	int audit_type = AUDIT_APPARMOR_AUTO;
++	struct common_audit_data sa;
++	if (sk) {
++		COMMON_AUDIT_DATA_INIT(&sa, NET);
++	} else {
++		COMMON_AUDIT_DATA_INIT(&sa, NONE);
++	}
++	/* todo fill in socket addr info */
++
++	sa.aad.op = op,
++	sa.u.net.family = family;
++	sa.u.net.sk = sk;
++	sa.aad.net.type = type;
++	sa.aad.net.protocol = protocol;
++	sa.aad.error = error;
++
++	if (likely(!sa.aad.error)) {
++		u16 audit_mask = profile->net.audit[sa.u.net.family];
++		if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
++			   !(1 << sa.aad.net.type & audit_mask)))
++			return 0;
++		audit_type = AUDIT_APPARMOR_AUDIT;
++	} else {
++		u16 quiet_mask = profile->net.quiet[sa.u.net.family];
++		u16 kill_mask = 0;
++		u16 denied = (1 << sa.aad.net.type) & ~quiet_mask;
++
++		if (denied & kill_mask)
++			audit_type = AUDIT_APPARMOR_KILL;
++
++		if ((denied & quiet_mask) &&
++		    AUDIT_MODE(profile) != AUDIT_NOQUIET &&
++		    AUDIT_MODE(profile) != AUDIT_ALL)
++			return COMPLAIN_MODE(profile) ? 0 : sa.aad.error;
++	}
++
++	return aa_audit(audit_type, profile, GFP_KERNEL, &sa, audit_cb);
++}
++
++/**
++ * aa_net_perm - very course network access check
++ * @op: operation being checked
++ * @profile: profile being enforced  (NOT NULL)
++ * @family: network family
++ * @type:   network type
++ * @protocol: network protocol
++ *
++ * Returns: %0 else error if permission denied
++ */
++int aa_net_perm(int op, struct aa_profile *profile, u16 family, int type,
++		int protocol, struct sock *sk)
++{
++	u16 family_mask;
++	int error;
++
++	if ((family < 0) || (family >= AF_MAX))
++		return -EINVAL;
++
++	if ((type < 0) || (type >= SOCK_MAX))
++		return -EINVAL;
++
++	/* unix domain and netlink sockets are handled by ipc */
++	if (family == AF_UNIX || family == AF_NETLINK)
++		return 0;
++
++	family_mask = profile->net.allow[family];
++
++	error = (family_mask & (1 << type)) ? 0 : -EACCES;
++
++	return audit_net(profile, op, family, type, protocol, sk, error);
++}
++
++/**
++ * aa_revalidate_sk - Revalidate access to a sock
++ * @op: operation being checked
++ * @sk: sock being revalidated  (NOT NULL)
++ *
++ * Returns: %0 else error if permission denied
++ */
++int aa_revalidate_sk(int op, struct sock *sk)
++{
++	struct aa_profile *profile;
++	int error = 0;
++
++	/* aa_revalidate_sk should not be called from interrupt context
++	 * don't mediate these calls as they are not task related
++	 */
++	if (in_interrupt())
++		return 0;
++
++	profile = __aa_current_profile();
++	if (!unconfined(profile))
++		error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type,
++				    sk->sk_protocol, sk);
++
++	return error;
++}
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index 4f0eade..4d5ce13 100644
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -745,6 +745,7 @@ static void free_profile(struct aa_profile *profile)
+ 
+ 	aa_free_file_rules(&profile->file);
+ 	aa_free_cap_rules(&profile->caps);
++	aa_free_net_rules(&profile->net);
+ 	aa_free_rlimit_rules(&profile->rlimits);
+ 
+ 	aa_free_sid(profile->sid);
+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
+index d6d9a57..f4874c4 100644
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -190,6 +190,19 @@ fail:
+ 	return 0;
+ }
+ 
++static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name)
++{
++	if (unpack_nameX(e, AA_U16, name)) {
++		if (!inbounds(e, sizeof(u16)))
++			return 0;
++		if (data)
++			*data = le16_to_cpu(get_unaligned((u16 *) e->pos));
++		e->pos += sizeof(u16);
++		return 1;
++	}
++	return 0;
++}
++
+ static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
+ {
+ 	if (unpack_nameX(e, AA_U32, name)) {
+@@ -468,7 +481,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ {
+ 	struct aa_profile *profile = NULL;
+ 	const char *name = NULL;
+-	int error = -EPROTO;
++	size_t size = 0;
++	int i, error = -EPROTO;
+ 	kernel_cap_t tmpcap;
+ 	u32 tmp;
+ 
+@@ -559,6 +573,38 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ 	if (!unpack_rlimits(e, profile))
+ 		goto fail;
+ 
++	size = unpack_array(e, "net_allowed_af");
++	if (size) {
++
++		for (i = 0; i < size; i++) {
++			/* discard extraneous rules that this kernel will
++			 * never request
++			 */
++			if (i >= AF_MAX) {
++				u16 tmp;
++				if (!unpack_u16(e, &tmp, NULL) ||
++				    !unpack_u16(e, &tmp, NULL) ||
++				    !unpack_u16(e, &tmp, NULL))
++					goto fail;
++				continue;
++			}
++			if (!unpack_u16(e, &profile->net.allow[i], NULL))
++				goto fail;
++			if (!unpack_u16(e, &profile->net.audit[i], NULL))
++				goto fail;
++			if (!unpack_u16(e, &profile->net.quiet[i], NULL))
++				goto fail;
++		}
++		if (!unpack_nameX(e, AA_ARRAYEND, NULL))
++			goto fail;
++		/*
++		 * allow unix domain and netlink sockets they are handled
++		 * by IPC
++		 */
++	}
++	profile->net.allow[AF_UNIX] = 0xffff;
++	profile->net.allow[AF_NETLINK] = 0xffff;
++
+ 	/* get file rules */
+ 	profile->file.dfa = unpack_dfa(e);
+ 	if (IS_ERR(profile->file.dfa)) {
+-- 
+1.7.5.4
+

kernel-patches/3.1/0002-AppArmor-compatibility-patch-for-v5-interface.patch

@@ -0,0 +1,391 @@
+From a2515f25ad5a7833ddc5a032d34eee6a5ddee3a2 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 10 Aug 2011 22:02:40 -0700
+Subject: [PATCH 2/3] AppArmor: compatibility patch for v5 interface
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ security/apparmor/Kconfig              |    9 +
+ security/apparmor/Makefile             |    1 +
+ security/apparmor/apparmorfs-24.c      |  287 ++++++++++++++++++++++++++++++++
+ security/apparmor/apparmorfs.c         |   18 ++-
+ security/apparmor/include/apparmorfs.h |    6 +
+ 5 files changed, 319 insertions(+), 2 deletions(-)
+ create mode 100644 security/apparmor/apparmorfs-24.c
+
+diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
+index 9b9013b..51ebf96 100644
+--- a/security/apparmor/Kconfig
++++ b/security/apparmor/Kconfig
+@@ -29,3 +29,12 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE
+ 	  boot.
+ 
+ 	  If you are unsure how to answer this question, answer 1.
++
++config SECURITY_APPARMOR_COMPAT_24
++	bool "Enable AppArmor 2.4 compatability"
++	depends on SECURITY_APPARMOR
++	default y
++	help
++	  This option enables compatability with AppArmor 2.4.  It is
++          recommended if compatability with older versions of AppArmor
++          is desired.
+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
+index 7cefef9..0bb604b 100644
+--- a/security/apparmor/Makefile
++++ b/security/apparmor/Makefile
+@@ -5,6 +5,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
+               resource.o sid.o file.o net.o
++apparmor-$(CONFIG_SECURITY_APPARMOR_COMPAT_24) += apparmorfs-24.o
+ 
+ clean-files := capability_names.h rlim_names.h af_names.h
+ 
+diff --git a/security/apparmor/apparmorfs-24.c b/security/apparmor/apparmorfs-24.c
+new file mode 100644
+index 0000000..dc8c744
+--- /dev/null
++++ b/security/apparmor/apparmorfs-24.c
+@@ -0,0 +1,287 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor /sys/kernel/secrutiy/apparmor interface functions
++ *
++ * Copyright (C) 1998-2008 Novell/SUSE
++ * Copyright 2009-2010 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ *
++ *
++ * This file contain functions providing an interface for <= AppArmor 2.4
++ * compatibility.  It is dependent on CONFIG_SECURITY_APPARMOR_COMPAT_24
++ * being set (see Makefile).
++ */
++
++#include <linux/security.h>
++#include <linux/vmalloc.h>
++#include <linux/module.h>
++#include <linux/seq_file.h>
++#include <linux/uaccess.h>
++#include <linux/namei.h>
++
++#include "include/apparmor.h"
++#include "include/audit.h"
++#include "include/context.h"
++#include "include/policy.h"
++
++
++/* apparmor/matching */
++static ssize_t aa_matching_read(struct file *file, char __user *buf,
++				size_t size, loff_t *ppos)
++{
++	const char matching[] = "pattern=aadfa audit perms=crwxamlk/ "
++	    "user::other";
++
++	return simple_read_from_buffer(buf, size, ppos, matching,
++				       sizeof(matching) - 1);
++}
++
++const struct file_operations aa_fs_matching_fops = {
++	.read = aa_matching_read,
++};
++
++/* apparmor/features */
++static ssize_t aa_features_read(struct file *file, char __user *buf,
++				size_t size, loff_t *ppos)
++{
++	const char features[] = "file=3.1 capability=2.0 network=1.0 "
++	    "change_hat=1.5 change_profile=1.1 " "aanamespaces=1.1 rlimit=1.1";
++
++	return simple_read_from_buffer(buf, size, ppos, features,
++				       sizeof(features) - 1);
++}
++
++const struct file_operations aa_fs_features_fops = {
++	.read = aa_features_read,
++};
++
++/**
++ * __next_namespace - find the next namespace to list
++ * @root: root namespace to stop search at (NOT NULL)
++ * @ns: current ns position (NOT NULL)
++ *
++ * Find the next namespace from @ns under @root and handle all locking needed
++ * while switching current namespace.
++ *
++ * Returns: next namespace or NULL if at last namespace under @root
++ * NOTE: will not unlock root->lock
++ */
++static struct aa_namespace *__next_namespace(struct aa_namespace *root,
++					     struct aa_namespace *ns)
++{
++	struct aa_namespace *parent;
++
++	/* is next namespace a child */
++	if (!list_empty(&ns->sub_ns)) {
++		struct aa_namespace *next;
++		next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
++		read_lock(&next->lock);
++		return next;
++	}
++
++	/* check if the next ns is a sibling, parent, gp, .. */
++	parent = ns->parent;
++	while (parent) {
++		read_unlock(&ns->lock);
++		list_for_each_entry_continue(ns, &parent->sub_ns, base.list) {
++			read_lock(&ns->lock);
++			return ns;
++		}
++		if (parent == root)
++			return NULL;
++		ns = parent;
++		parent = parent->parent;
++	}
++
++	return NULL;
++}
++
++/**
++ * __first_profile - find the first profile in a namespace
++ * @root: namespace that is root of profiles being displayed (NOT NULL)
++ * @ns: namespace to start in   (NOT NULL)
++ *
++ * Returns: unrefcounted profile or NULL if no profile
++ */
++static struct aa_profile *__first_profile(struct aa_namespace *root,
++					  struct aa_namespace *ns)
++{
++	for ( ; ns; ns = __next_namespace(root, ns)) {
++		if (!list_empty(&ns->base.profiles))
++			return list_first_entry(&ns->base.profiles,
++						struct aa_profile, base.list);
++	}
++	return NULL;
++}
++
++/**
++ * __next_profile - step to the next profile in a profile tree
++ * @profile: current profile in tree (NOT NULL)
++ *
++ * Perform a depth first taversal on the profile tree in a namespace
++ *
++ * Returns: next profile or NULL if done
++ * Requires: profile->ns.lock to be held
++ */
++static struct aa_profile *__next_profile(struct aa_profile *p)
++{
++	struct aa_profile *parent;
++	struct aa_namespace *ns = p->ns;
++
++	/* is next profile a child */
++	if (!list_empty(&p->base.profiles))
++		return list_first_entry(&p->base.profiles, typeof(*p),
++					base.list);
++
++	/* is next profile a sibling, parent sibling, gp, subling, .. */
++	parent = p->parent;
++	while (parent) {
++		list_for_each_entry_continue(p, &parent->base.profiles,
++					     base.list)
++				return p;
++		p = parent;
++		parent = parent->parent;
++	}
++
++	/* is next another profile in the namespace */
++	list_for_each_entry_continue(p, &ns->base.profiles, base.list)
++		return p;
++
++	return NULL;
++}
++
++/**
++ * next_profile - step to the next profile in where ever it may be
++ * @root: root namespace  (NOT NULL)
++ * @profile: current profile  (NOT NULL)
++ *
++ * Returns: next profile or NULL if there isn't one
++ */
++static struct aa_profile *next_profile(struct aa_namespace *root,
++				       struct aa_profile *profile)
++{
++	struct aa_profile *next = __next_profile(profile);
++	if (next)
++		return next;
++
++	/* finished all profiles in namespace move to next namespace */
++	return __first_profile(root, __next_namespace(root, profile->ns));
++}
++
++/**
++ * p_start - start a depth first traversal of profile tree
++ * @f: seq_file to fill
++ * @pos: current position
++ *
++ * Returns: first profile under current namespace or NULL if none found
++ *
++ * acquires first ns->lock
++ */
++static void *p_start(struct seq_file *f, loff_t *pos)
++	__acquires(root->lock)
++{
++	struct aa_profile *profile = NULL;
++	struct aa_namespace *root = aa_current_profile()->ns;
++	loff_t l = *pos;
++	f->private = aa_get_namespace(root);
++
++
++	/* find the first profile */
++	read_lock(&root->lock);
++	profile = __first_profile(root, root);
++
++	/* skip to position */
++	for (; profile && l > 0; l--)
++		profile = next_profile(root, profile);
++
++	return profile;
++}
++
++/**
++ * p_next - read the next profile entry
++ * @f: seq_file to fill
++ * @p: profile previously returned
++ * @pos: current position
++ *
++ * Returns: next profile after @p or NULL if none
++ *
++ * may acquire/release locks in namespace tree as necessary
++ */
++static void *p_next(struct seq_file *f, void *p, loff_t *pos)
++{
++	struct aa_profile *profile = p;
++	struct aa_namespace *root = f->private;
++	(*pos)++;
++
++	return next_profile(root, profile);
++}
++
++/**
++ * p_stop - stop depth first traversal
++ * @f: seq_file we are filling
++ * @p: the last profile writen
++ *
++ * Release all locking done by p_start/p_next on namespace tree
++ */
++static void p_stop(struct seq_file *f, void *p)
++	__releases(root->lock)
++{
++	struct aa_profile *profile = p;
++	struct aa_namespace *root = f->private, *ns;
++
++	if (profile) {
++		for (ns = profile->ns; ns && ns != root; ns = ns->parent)
++			read_unlock(&ns->lock);
++	}
++	read_unlock(&root->lock);
++	aa_put_namespace(root);
++}
++
++/**
++ * seq_show_profile - show a profile entry
++ * @f: seq_file to file
++ * @p: current position (profile)    (NOT NULL)
++ *
++ * Returns: error on failure
++ */
++static int seq_show_profile(struct seq_file *f, void *p)
++{
++	struct aa_profile *profile = (struct aa_profile *)p;
++	struct aa_namespace *root = f->private;
++
++	if (profile->ns != root)
++		seq_printf(f, ":%s://", aa_ns_name(root, profile->ns));
++	seq_printf(f, "%s (%s)\n", profile->base.hname,
++		   COMPLAIN_MODE(profile) ? "complain" : "enforce");
++
++	return 0;
++}
++
++static const struct seq_operations aa_fs_profiles_op = {
++	.start = p_start,
++	.next = p_next,
++	.stop = p_stop,
++	.show = seq_show_profile,
++};
++
++static int profiles_open(struct inode *inode, struct file *file)
++{
++	return seq_open(file, &aa_fs_profiles_op);
++}
++
++static int profiles_release(struct inode *inode, struct file *file)
++{
++	return seq_release(inode, file);
++}
++
++const struct file_operations aa_fs_profiles_fops = {
++	.open = profiles_open,
++	.read = seq_read,
++	.llseek = seq_lseek,
++	.release = profiles_release,
++};
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 0848292..28c52ac 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -187,7 +187,11 @@ void __init aa_destroy_aafs(void)
+ 		aafs_remove(".remove");
+ 		aafs_remove(".replace");
+ 		aafs_remove(".load");
+-
++#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
++		aafs_remove("profiles");
++		aafs_remove("matching");
++		aafs_remove("features");
++#endif
+ 		securityfs_remove(aa_fs_dentry);
+ 		aa_fs_dentry = NULL;
+ 	}
+@@ -218,7 +222,17 @@ int __init aa_create_aafs(void)
+ 		aa_fs_dentry = NULL;
+ 		goto error;
+ 	}
+-
++#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
++	error = aafs_create("matching", 0444, &aa_fs_matching_fops);
++	if (error)
++		goto error;
++	error = aafs_create("features", 0444, &aa_fs_features_fops);
++	if (error)
++		goto error;
++#endif
++	error = aafs_create("profiles", 0440, &aa_fs_profiles_fops);
++	if (error)
++		goto error;
+ 	error = aafs_create(".load", 0640, &aa_fs_profile_load);
+ 	if (error)
+ 		goto error;
+diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/include/apparmorfs.h
+index cb1e93a..14f955c 100644
+--- a/security/apparmor/include/apparmorfs.h
++++ b/security/apparmor/include/apparmorfs.h
+@@ -17,4 +17,10 @@
+ 
+ extern void __init aa_destroy_aafs(void);
+ 
++#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
++extern const struct file_operations aa_fs_matching_fops;
++extern const struct file_operations aa_fs_features_fops;
++extern const struct file_operations aa_fs_profiles_fops;
++#endif
++
+ #endif /* __AA_APPARMORFS_H */
+-- 
+1.7.5.4
+

kernel-patches/3.1/0003-AppArmor-Allow-dfa-backward-compatibility-with-broke.patch

@@ -0,0 +1,69 @@
+From 7a10d093f9779f42cb8d6affcb6a4436d3ebd6d3 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 10 Aug 2011 22:02:41 -0700
+Subject: [PATCH 3/3] AppArmor: Allow dfa backward compatibility with broken
+ userspace
+
+The apparmor_parser when compiling policy could generate invalid dfas
+that did not have sufficient padding to avoid invalid references, when
+used by the kernel.  The kernels check to verify the next/check table
+size was broken meaning invalid dfas were being created by userspace
+and not caught.
+
+To remain compatible with old tools that are not fixed, pad the loaded
+dfas next/check table.  The dfa's themselves are valid except for the
+high padding for potentially invalid transitions (high bounds error),
+which have a maximimum is 256 entries.  So just allocate an extra null filled
+256 entries for the next/check tables.  This will guarentee all bounds
+are good and invalid transitions go to the null (0) state.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ security/apparmor/match.c |   17 +++++++++++++++++
+ 1 files changed, 17 insertions(+), 0 deletions(-)
+
+diff --git a/security/apparmor/match.c b/security/apparmor/match.c
+index 94de6b4..081491e 100644
+--- a/security/apparmor/match.c
++++ b/security/apparmor/match.c
+@@ -57,8 +57,17 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
+ 	if (bsize < tsize)
+ 		goto out;
+ 
++	/* Pad table allocation for next/check by 256 entries to remain
++	 * backwards compatible with old (buggy) tools and remain safe without
++	 * run time checks
++	 */
++	if (th.td_id == YYTD_ID_NXT || th.td_id == YYTD_ID_CHK)
++		tsize += 256 * th.td_flags;
++
+ 	table = kvmalloc(tsize);
+ 	if (table) {
++		/* ensure the pad is clear, else there will be errors */
++		memset(table, 0, tsize);
+ 		*table = th;
+ 		if (th.td_flags == YYTD_DATA8)
+ 			UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
+@@ -134,11 +143,19 @@ static int verify_dfa(struct aa_dfa *dfa, int flags)
+ 		goto out;
+ 
+ 	if (flags & DFA_FLAG_VERIFY_STATES) {
++		int warning = 0;
+ 		for (i = 0; i < state_count; i++) {
+ 			if (DEFAULT_TABLE(dfa)[i] >= state_count)
+ 				goto out;
+ 			/* TODO: do check that DEF state recursion terminates */
+ 			if (BASE_TABLE(dfa)[i] + 255 >= trans_count) {
++				if (warning)
++					continue;
++				printk(KERN_WARNING "AppArmor DFA next/check "
++				       "upper bounds error fixed, upgrade "
++				       "user space tools \n");
++				warning = 1;
++			} else if (BASE_TABLE(dfa)[i] >= trans_count) {
+ 				printk(KERN_ERR "AppArmor DFA next/check upper "
+ 				       "bounds error\n");
+ 				goto out;
+-- 
+1.7.5.4
+

libraries/libapparmor/doc/Makefile.am

@@ -2,7 +2,7 @@
 
 POD2MAN = pod2man
 
-man_MANS = aa_change_hat.2 aa_change_profile.2
+man_MANS = aa_change_hat.2 aa_change_profile.2 aa_getcon.2 aa_find_mountpoint.2
 
 PODS = $(subst .2,.pod,$(man_MANS))
 
@@ -14,8 +14,7 @@ BUILT_SOURCES = $(man_MANS)
 %.2: %.pod
 	$(POD2MAN) \
 		--section=2 \
-		--release="NOVELL/SUSE" \
+		--release="AppArmor $(VERSION)" \
 		--center="AppArmor" \
-		--date="2007-07-27" \
+		--stderr \
 		$< > $@
-$

libraries/libapparmor/doc/aa_change_hat.pod

@@ -29,7 +29,9 @@ aa_change_hat  - change to or from a "hat" within a AppArmor profile
 B<#include E<lt>sys/apparmor.hE<gt>>
 
 B<int aa_change_hat (char *subprofile, unsigned long magic_token);>
+
 B<int aa_change_hatv (char *subprofiles[], unsigned long magic_token);>
+
 B<int aa_change_hat_vargs (unsigned long magic_token, ...);>
 
 Link with B<-lapparmor> when compiling.
@@ -244,7 +246,8 @@ should be used.
 
 =head1 SEE ALSO
 
-apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_profile(2) and
+apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_profile(2),
+aa_getcon(2) and
 L<http://wiki.apparmor.net>.
 
 =cut

libraries/libapparmor/doc/aa_change_profile.pod

@@ -22,14 +22,16 @@
 
 =head1 NAME
 
-aa_change_profile  - change to another profile within an AppArmor profile
-aa_change_onexec - change to another profile at the next exec
+aa_change_profile, aa_change_onexec - change a tasks profile
+
 =head1 SYNOPSIS
 
 B<#include E<lt>sys/apparmor.hE<gt>>
 
 B<int aa_change_profile(const char *profile);>
 
+B<int aa_change_onexec(const char *profile);>
+
 Link with B<-lapparmor> when compiling.
 
 =head1 DESCRIPTION
@@ -83,14 +85,9 @@ Insufficient kernel memory was available.
 
 The calling application is not confined by apparmor.
 
-=item B<ECHILD>
-
-The application's profile has no hats defined for it.
-
 =item B<EACCES>
 
-The specified I<profile> does not exist in this profile or the
-process tried to change another process's domain.
+The task does not have sufficient permissions to change its domain.
 
 =back
 
@@ -173,6 +170,7 @@ The output when run:
 
 If /tmp/change_p is to be confined as well, then the following profile can be
 used (in addition to the one for 'i_cant_be_trusted_anymore', above):
+
  # Confine change_p to be able to read /etc/passwd and aa_change_profile()
  # to the 'i_cant_be_trusted_anymore' profile.
  /tmp/change_p {

libraries/libapparmor/doc/aa_find_mountpoint.pod

@@ -0,0 +1,120 @@
+# This publication is intellectual property of Canonical Ltd. Its contents
+# can be duplicated, either in part or in whole, provided that a copyright
+# label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither Canonical Ltd, the authors, nor the translators shall be held
+# liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. Canonical Ltd.
+# essentially adhere to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+
+=pod
+
+=head1 NAME
+
+aa_is_enabled - determine if apparmor is available
+
+aa_find_mountpoint - find where the apparmor interface filesystem is mounted
+
+=head1 SYNOPSIS
+
+B<#include E<lt>sys/apparmor.hE<gt>>
+
+B<int aa_is_enabled(void);>
+
+B<int aa_find_mountpoint(char **mnt);>
+
+Link with B<-lapparmor> when compiling.
+
+=head1 DESCRIPTION
+
+The aa_is_enabled function returns true (1) if apparmor is enabled.
+If it isn't it sets the errno(3) to reflect the reason it is not
+enabled and returns 0.
+
+The aa_find_mountpoint function finds where the apparmor filesystem is mounted
+on the system, and returns a string containing the mount path.  It is the
+caller's responsibility to free(3) the returned path.
+
+=head1 RETURN VALUE
+
+B<aa_is_enabled>
+On success 1 is returned. On error, 0 is returned, and errno(3) is set
+appropriately.
+
+B<aa_find_mountpoint>
+On success zero is returned. On error, -1 is returned, and errno(3) is set
+appropriately.
+
+=head1 ERRORS
+
+B<aa_is_enabled>
+
+=over 4
+
+=item B<ENOSYS>
+
+AppArmor extensions to the system are not available.
+
+=item B<ECANCELED>
+
+AppArmor is available on the system but has been disabled at boot.
+
+=item B<ENOENT>
+
+AppArmor is available (and maybe even enforcing policy) but the interface is
+not available.
+
+=item B<ENOMEM>
+
+Insufficient memory was available.
+
+=item B<EPERM>
+
+Did not have sufficient permissions to determine if AppArmor is enabled.
+
+=item B<EACCES>
+
+Did not have sufficient permissions to determine if AppArmor is enabled.
+
+=back
+
+B<aa_find_mountpoint>
+
+=over 4
+
+=item B<ENOMEM>
+
+Insufficient memory was available.
+
+=item B<EACCES>
+
+Access to the required paths was denied.
+
+=item B<ENOENT>
+
+The apparmor filesystem mount could not be found
+
+=back
+
+=head1 BUGS
+
+None known. If you find any, please report them at
+L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+
+=head1 SEE ALSO
+
+apparmor(7), apparmor.d(5), apparmor_parser(8), and
+L<http://wiki.apparmor.net>.
+
+=cut

libraries/libapparmor/doc/aa_getcon.pod

@@ -0,0 +1,113 @@
+# This publication is intellectual property of Canonical Ltd. Its contents
+# can be duplicated, either in part or in whole, provided that a copyright
+# label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither Canonical Ltd, the authors, nor the translators shall be held
+# liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. Canonical Ltd.
+# essentially adhere to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+
+=pod
+
+=head1 NAME
+
+aa_getprocattr_raw, aa_getprocattr - read and parse procattr data
+
+aa_getcon, aa_gettaskcon - get task confinement information
+
+aa_getpeercon - get the confinement of a socket's other end (peer)
+
+=head1 SYNOPSIS
+
+B<#include E<lt>sys/apparmor.hE<gt>>
+
+B<int aa_getprocattr_raw(pid_t tid, const char *attr, char *buf, int len,
+			 char **mode);>
+
+B<int aa_getprocattr(pid_t tid, const char *attr, char **buf, char **mode);>
+
+B<int aa_gettaskcon(pid_t target, char **con, char **mode);>
+
+B<int aa_getcon(char **con, char **mode);>
+
+B<int aa_getpeercon(int fd, char **con);>
+
+Link with B<-lapparmor> when compiling.
+
+=head1 DESCRIPTION
+
+The aa_getcon function gets the current AppArmor confinement context for the
+current task.  The confinement context is usually just the name of the AppArmor
+profile restricting the task, but it may include the profile namespace or in
+some cases a set of profile names (known as a stack of profiles).  The returned string *con should be freed using free().
+
+The aa_gettaskcon function is like the aa_getcon function except it will work
+for any arbitrary task in the system.
+
+The aa_getpeercon function is similar to that of aa_gettaskcon except that
+it returns the confinement information for task on the other end of a socket
+connection.
+
+The aa_getprocattr function is the backend for the aa_getcon and aa_gettaskcon
+functions and handles the reading and parsing of the confinement data from
+different arbitrary attr files and returns the processed results in
+an allocated buffer.
+
+The aa_getprocattr_raw() is the backend for the aa_getprocattr function and
+does not handle buffer allocation.
+
+=head1 RETURN VALUE
+
+On success size of data placed in the buffer is returned, this includes the
+mode if present and any terminating characters. On error, -1 is returned, and
+errno(3) is set appropriately.
+
+=head1 ERRORS
+
+=over 4
+
+=item B<EINVAL>
+
+The apparmor kernel module is not loaded or the communication via the
+F</proc/*/attr/file> did not conform to protocol.
+
+=item B<ENOMEM>
+
+Insufficient kernel memory was available.
+
+=item B<EACCES>
+
+Access to the specified I<file/task> was denied.
+
+=item B<ENOENT>
+
+The specified I<file/task> does not exist or is not visible.
+
+=item B<ERANGE>
+
+The confinement data is to large to fit in the supplied buffer.
+
+=back
+
+=head1 BUGS
+
+None known. If you find any, please report them at
+L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+
+=head1 SEE ALSO
+
+apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_profile(2) and
+L<http://wiki.apparmor.net>.
+
+=cut

libraries/libapparmor/src/aalogparse.h

@@ -141,6 +141,10 @@ typedef struct
 	char *net_family;
 	char *net_protocol;
 	char *net_sock_type;
+	char *net_local_addr;
+	unsigned long net_local_port;
+	char *net_foreign_addr;
+	unsigned long net_foreign_port;
 } aa_log_record;
 
 /**

libraries/libapparmor/src/apparmor.h

@@ -18,8 +18,14 @@
 #ifndef _SYS_APPARMOR_H_
 #define _SYS_APPARMOR_H	1
 
+#include <sys/types.h>
+
 __BEGIN_DECLS
 
+/* Prototypes for apparmor state queries */
+extern int aa_is_enabled(void);
+extern int aa_find_mountpoint(char **mnt);
+
 /* Prototypes for self directed domain transitions
  * see <http://apparmor.net>
  * Please see the change_hat(2) manpage for information.
@@ -34,6 +40,17 @@ extern int aa_change_onexec(const char *profile);
 extern int aa_change_hatv(const char *subprofiles[], unsigned long token);
 extern int (aa_change_hat_vargs)(unsigned long token, int count, ...);
 
+/* Protypes for introspecting task confinement
+ * Please see the aa_getcon(2) manpage for information
+ */
+extern int aa_getprocattr_raw(pid_t tid, const char *attr, char *buf, int len,
+			      char **mode);
+extern int aa_getprocattr(pid_t tid, const char *attr, char **buf, char **mode);
+extern int aa_gettaskcon(pid_t target, char **con, char **mode);
+extern int aa_getcon(char **con, char **mode);
+extern int aa_getpeercon_raw(int fd, char *buffer, int *size);
+extern int aa_getpeercon(int fd, char **con);
+
 #define __macroarg_counter(Y...) __macroarg_count1 ( , ##Y)
 #define __macroarg_count1(Y...) __macroarg_count2 (Y, 16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0)
 #define __macroarg_count2(_,x0,x1,x2,x3,x4,x5,x6,x7,x8,x9,x10,x11,x12,x13,x14,x15,n,Y...) n

libraries/libapparmor/src/grammar.y

@@ -83,6 +83,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token <t_str> TOK_QUOTED_STRING TOK_ID TOK_MODE TOK_DMESG_STAMP
 %token <t_str> TOK_AUDIT_DIGITS TOK_DATE_MONTH TOK_DATE_TIME
 %token <t_str> TOK_HEXSTRING TOK_TYPE_OTHER TOK_MSG_REST
+%token <t_str> TOK_IP_ADDR
 
 %token TOK_EQUALS
 %token TOK_COLON
@@ -133,6 +134,10 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_CAPNAME
 %token TOK_KEY_OFFSET
 %token TOK_KEY_TARGET
+%token TOK_KEY_LADDR
+%token TOK_KEY_FADDR
+%token TOK_KEY_LPORT
+%token TOK_KEY_FPORT
 
 %token TOK_SYSLOG_KERNEL
 
@@ -246,7 +251,7 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->fsuid = $3;}
 	| TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
 	{ ret_record->ouid = $3;}
-	| TOK_KEY_COMM TOK_EQUALS TOK_QUOTED_STRING
+	| TOK_KEY_COMM TOK_EQUALS safe_string
 	{ ret_record->comm = $3;}
 	| TOK_KEY_APPARMOR TOK_EQUALS apparmor_event
 	| TOK_KEY_CAPABILITY TOK_EQUALS TOK_DIGITS
@@ -268,6 +273,14 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ /* target was always name2 in the past */
 	  ret_record->name2 = $3;
 	}
+	| TOK_KEY_LADDR TOK_EQUALS TOK_IP_ADDR
+	{ ret_record->net_local_addr = $3;}
+	| TOK_KEY_FADDR TOK_EQUALS TOK_IP_ADDR
+	{ ret_record->net_foreign_addr = $3;}
+	| TOK_KEY_LPORT TOK_EQUALS TOK_DIGITS
+	{ ret_record->net_local_port = $3;}
+	| TOK_KEY_FPORT TOK_EQUALS TOK_DIGITS
+	{ ret_record->net_foreign_port = $3;}
 	| TOK_MSG_REST
 	{
 		ret_record->event = AA_RECORD_INVALID;

libraries/libapparmor/src/kernel_interface.c

@@ -22,32 +22,284 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/syscall.h>
+#include <sys/socket.h>
 #include <fcntl.h>
 #include <errno.h>
 #include <limits.h>
 #include <stdarg.h>
+#include <mntent.h>
+
+#include "apparmor.h"
+
+/* some non-Linux systems do not define a static value */
+#ifndef PATH_MAX
+# define PATH_MAX 4096
+#endif
 
 #define symbol_version(real, name, version) \
 		__asm__ (".symver " #real "," #name "@" #version)
 #define default_symbol_version(real, name, version) \
 		__asm__ (".symver " #real "," #name "@@" #version)
 
-static int setprocattr(const char *path, const char *buf, int len)
+/**
+ * aa_find_mountpoint - find where the apparmor interface filesystem is mounted
+ * @mnt: returns buffer with the mountpoint string
+ *
+ * Returns: 0 on success else -1 on error
+ *
+ * NOTE: this function only supports versions of apparmor using securityfs
+ */
+int aa_find_mountpoint(char **mnt)
+{
+	struct stat statbuf;
+	struct mntent *mntpt;
+	FILE *mntfile;
+	int rc = -1;
+
+	if (!mnt) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	mntfile = setmntent("/proc/mounts", "r");
+	if (!mntfile)
+		return -1;
+
+	while ((mntpt = getmntent(mntfile))) {
+		char *proposed = NULL;
+		if (strcmp(mntpt->mnt_type, "securityfs") != 0)
+			continue;
+
+		if (asprintf(&proposed, "%s/apparmor", mntpt->mnt_dir) < 0)
+			/* ENOMEM */
+			break;
+
+		if (stat(proposed, &statbuf) == 0) {
+			*mnt = proposed;
+			rc = 0;
+			break;
+		}
+		free(proposed);
+	}
+	endmntent(mntfile);
+	if (rc == -1)
+		errno = ENOENT;
+	return rc;
+}
+
+/**
+ * aa_is_enabled - determine if apparmor is enabled
+ *
+ * Returns: 1 if enabled else reason it is not, or 0 on error
+ *
+ * ENOSYS - no indication apparmor is present in the system
+ * ENOENT - enabled but interface could not be found
+ * ECANCELED - disabled at boot
+ * ENOMEM - out of memory
+ */
+int aa_is_enabled(void)
+{
+	int serrno, fd, rc, size;
+	char buffer[2];
+	char *mnt;
+
+	/* if the interface mountpoint is available apparmor is enabled */
+	rc = aa_find_mountpoint(&mnt);
+	if (rc == 0) {
+		free(mnt);
+		return 1;
+	}
+
+	/* determine why the interface mountpoint isn't available */
+	fd = open("/sys/module/apparmor/parameters/enabled", O_RDONLY);
+	if (fd == -1) {
+		if (errno == ENOENT)
+			errno = ENOSYS;
+		return 0;
+	}
+
+	size = read(fd, &buffer, 2);
+	serrno = errno;
+	close(fd);
+	errno = serrno;
+
+	if (size > 0) {
+		if (buffer[0] == 'Y')
+			errno = ENOENT;
+		else
+			errno = ECANCELED;
+	}
+	return 0;
+}
+
+static inline pid_t aa_gettid(void)
+{
+#ifdef SYS_gettid
+	return syscall(SYS_gettid);
+#else
+	return getpid();
+#endif
+}
+
+static char *procattr_path(pid_t pid, const char *attr)
+{
+	char *path = NULL;
+	if (asprintf(&path, "/proc/%d/attr/%s", pid, attr) > 0)
+		return path;
+	return NULL;
+}
+
+/**
+ * aa_getprocattr_raw - get the contents of @attr for @tid into @buf
+ * @tid: tid of task to query
+ * @attr: which /proc/<tid>/attr/<attr> to query
+ * @buf: buffer to store the result in
+ * @len: size of the buffer
+ * @mode: if set will point to mode string within buffer if it is present
+ *
+ * Returns: size of data read or -1 on error, and sets errno
+ */
+int aa_getprocattr_raw(pid_t tid, const char *attr, char *buf, int len,
+		       char **mode)
 {
 	int rc = -1;
-	int fd, ret, ctlerr = 0;
+	int fd, ret;
+	char *tmp = NULL;
+	int size = 0;
+
+	if (!buf || len <= 0) {
+		errno = EINVAL;
+		goto out;
+	}
+
+	tmp = procattr_path(tid, attr);
+	if (!tmp)
+		goto out;
+
+	fd = open(tmp, O_RDONLY);
+	free(tmp);
+	if (fd == -1) {
+		goto out;
+	}
+
+	tmp = buf;
+	do {
+		ret = read(fd, tmp, len);
+		if (ret <= 0)
+			break;
+		tmp += ret;
+		size += ret;
+		len -= ret;
+		if (len < 0) {
+			errno = ERANGE;
+			goto out2;
+		}
+	} while (ret > 0);
+
+	if (ret < 0) {
+		int saved;
+		if (ret != -1) {
+			errno = EPROTO;
+		}
+		saved = errno;
+		(void)close(fd);
+		errno = saved;
+		goto out;
+	} else if (size > 0 && buf[size - 1] != 0) {
+		/* check for null termination */
+		if (buf[size - 1] == '\n') {
+			buf[size - 1] = 0;
+		} else if (len == 0) {
+			errno = ERANGE;
+			goto out2;
+		} else {
+			buf[size] = 0;
+			size++;
+		}
+
+		/*
+		 * now separate the mode.  If we don't find it just
+		 * return NULL
+		 */
+		if (mode)
+			*mode = NULL;
+		if (strcmp(buf, "unconfined") != 0 &&
+		    size > 4 && buf[size - 2] == ')') {
+			int pos = size - 3;
+			while (pos > 0 &&
+			       !(buf[pos] == ' ' && buf[pos + 1] == '('))
+				pos--;
+			if (pos > 0) {
+				buf[pos] = 0; /* overwrite ' ' */
+				buf[size - 2] = 0; /* overwrite trailing ) */
+				if (mode)
+					*mode = &buf[pos + 2]; /* skip '(' */
+			}
+		}
+	}
+	rc = size;
+
+out2:
+	(void)close(fd);
+out:
+	return rc;
+}
+
+#define INITIAL_GUESS_SIZE 128
+
+/**
+ * aa_getprocattr - get the contents of @attr for @tid into @buf
+ * @tid: tid of task to query
+ * @attr: which /proc/<tid>/attr/<attr> to query
+ * @buf: allocated buffer the result is stored in
+ * @mode: if set will point to mode string within buffer if it is present
+ *
+ * Returns: size of data read or -1 on error, and sets errno
+ */
+int aa_getprocattr(pid_t tid, const char *attr, char **buf, char **mode)
+{
+	int rc, size = INITIAL_GUESS_SIZE/2;
+	char *buffer = NULL;
+
+	if (!buf) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	do {
+		size <<= 1;
+		buffer = realloc(buffer, size);
+		if (!buffer)
+			return -1;
+		memset(buffer, 0, size);
+
+		rc = aa_getprocattr_raw(tid, attr, buffer, size, mode);
+	} while (rc == -1 && errno == ERANGE);
+
+	if (rc == -1) {
+		free(buffer);
+		*buf = NULL;
+		*mode = NULL;
+	} else
+		*buf = buffer;
+
+	return rc;
+}
+
+static int setprocattr(pid_t tid, const char *attr, const char *buf, int len)
+{
+	int rc = -1;
+	int fd, ret;
 	char *ctl = NULL;
-	pid_t tid = syscall(SYS_gettid);
 
 	if (!buf) {
 		errno = EINVAL;
 		goto out;
 	}
 
-	ctlerr = asprintf(&ctl, path, tid);
-	if (ctlerr < 0) {
+	ctl = procattr_path(tid, attr);
+	if (!ctl)
 		goto out;
-	}
 
 	fd = open(ctl, O_WRONLY);
 	if (fd == -1) {
@@ -99,7 +351,7 @@ int aa_change_hat(const char *subprofile, unsigned long token)
 		goto out;
 	}
 
-	rc = setprocattr("/proc/%d/attr/current", buf, len);
+	rc = setprocattr(aa_gettid(), "current", buf, len);
 out:
 	if (buf) {
 		/* clear local copy of magic token before freeing */
@@ -130,7 +382,7 @@ int aa_change_profile(const char *profile)
 	if (len < 0)
 		return -1;
 
-	rc = setprocattr("/proc/%d/attr/current", buf, len);
+	rc = setprocattr(aa_gettid(), "current", buf, len);
 
 	free(buf);
 	return rc;
@@ -151,7 +403,7 @@ int aa_change_onexec(const char *profile)
 	if (len < 0)
 		return -1;
 
-	rc = setprocattr("/proc/%d/attr/exec", buf, len);
+	rc = setprocattr(aa_gettid(), "exec", buf, len);
 
 	free(buf);
 	return rc;
@@ -212,7 +464,7 @@ int aa_change_hatv(const char *subprofiles[], unsigned long token)
 		/* step pos past trailing \0 */
 		pos++;
 
-	rc = setprocattr("/proc/%d/attr/current", buf, pos - buf);
+	rc = setprocattr(aa_gettid(), "current", buf, pos - buf);
 
 out:
 	if (buf) {
@@ -251,3 +503,125 @@ int (aa_change_hat_vargs)(unsigned long token, int nhats, ...)
 	va_end(ap);
 	return aa_change_hatv(argv, token);
 }
+
+/**
+ * aa_gettaskcon - get the confinement for task @target in an allocated buffer
+ * @target: task to query
+ * @con: pointer to returned buffer with the confinement string
+ * @mode: if provided will point to the mode string in @con if present
+ *
+ * Returns: length of confinement data or -1 on error and sets errno
+ *
+ * Guarentees that @con and @mode are null terminated.  The length returned
+ * is for all data including both @con and @mode, and maybe > than strlen(@con)
+ * even if @mode is NULL
+ *
+ * Caller is responsible for freeing the buffer returned in @con.  @mode is
+ * always contained within @con's buffer and so NEVER do free(@mode)
+ */
+int aa_gettaskcon(pid_t target, char **con, char **mode)
+{
+	return aa_getprocattr(target, "current", con, mode);
+}
+
+/**
+ * aa_getcon - get the confinement for current task in an allocated buffer
+ * @con: pointer to return buffer with the confinement if successful
+ * @mode: if provided will point to the mode string in @con if present
+ *
+ * Returns: length of confinement data or -1 on error and sets errno
+ *
+ * Guarentees that @con and @mode are null terminated.  The length returned
+ * is for all data including both @con and @mode, and may > than strlen(@con)
+ * even if @mode is NULL
+ *
+ * Caller is responsible for freeing the buffer returned in @con.  @mode is
+ * always contained within @con's buffer and so NEVER do free(@mode)
+ */
+int aa_getcon(char **con, char **mode)
+{
+	return aa_gettaskcon(aa_gettid(), con, mode);
+}
+
+
+#ifndef SO_PEERSEC
+#define SO_PEERSEC 31
+#endif
+
+/**
+ * aa_getpeercon_raw - get the confinement of the socket's peer (other end)
+ * @fd: socket to get peer confinement for
+ * @con: pointer to buffer to store confinement string
+ * @size: initially contains size of the buffer, returns size of data read
+ *
+ * Returns: length of confinement data including null termination or -1 on error
+ *          if errno == ERANGE then @size will hold the size needed
+ */
+int aa_getpeercon_raw(int fd, char *buffer, int *size)
+{
+	socklen_t optlen = *size;
+	int rc;
+
+	if (optlen <= 0 || buffer == NULL) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	rc = getsockopt(fd, SOL_SOCKET, SO_PEERSEC, buffer, &optlen);
+	if (rc == -1 || optlen <= 0)
+		goto out;
+
+	/* check for null termination */
+	if (buffer[optlen - 1] != 0) {
+		if (optlen < *size) {
+			buffer[optlen] = 0;
+			optlen++;
+		} else {
+			/* buffer needs to be bigger by 1 */
+			rc = -1;
+			errno = ERANGE;
+			optlen++;
+		}
+	}
+out:
+	*size = optlen;
+	return rc;
+}
+
+/**
+ * aa_getpeercon - get the confinement of the socket's peer (other end)
+ * @fd: socket to get peer confinement for
+ * @con: pointer to allocated buffer with the confinement string
+ *
+ * Returns: length of confinement data including null termination or -1 on error
+ *
+ * Caller is responsible for freeing the buffer returned.
+ */
+int aa_getpeercon(int fd, char **con)
+{
+	int rc, size = INITIAL_GUESS_SIZE;
+	char *buffer = NULL;
+
+	if (!con) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	do {
+		buffer = realloc(buffer, size);
+		if (!buffer)
+			return -1;
+		memset(buffer, 0, size);
+
+		rc = aa_getpeercon_raw(fd, buffer, &size);
+	} while (rc == -1 && errno == ERANGE);
+
+	if (rc == -1) {
+		free(buffer);
+		*con = NULL;
+		size = -1;
+	} else
+		*con = buffer;
+
+	return size;
+}

libraries/libapparmor/src/libapparmor.map

@@ -16,13 +16,22 @@ APPARMOR_1.0 {
 
 APPARMOR_1.1 {
   global:
+        aa_is_enabled;
+        aa_find_mountpoint;
         aa_change_hat;
         aa_change_hatv;
         aa_change_hat_vargs;
         aa_change_profile;
         aa_change_onexec;
+        aa_gettaskcon;
+        aa_getcon;
+        aa_getpeercon_raw;
+        aa_getpeercon;
         parse_record;
         free_record;
+        aa_getprocattr_raw;
+        aa_getprocattr;
+
   local:
 	*;
 } APPARMOR_1.0;

libraries/libapparmor/src/scanner.l

@@ -133,8 +133,15 @@ key_capability		"capability"
 key_capname		"capname"
 key_offset		"offset"
 key_target		"target"
+key_laddr		"laddr"
+key_faddr		"faddr"
+key_lport		"lport"
+key_fport		"fport"
 audit			"audit"
 
+/* network addrs */
+ip_addr			[a-f[:digit:].:]{3,}
+
 /* syslog tokens */
 syslog_kernel		kernel{colon}
 syslog_month 		Jan(uary)?|Feb(ruary)?|Mar(ch)?|Apr(il)?|May|Jun(e)?|Jul(y)?|Aug(ust)?|Sep(tember)?|Oct(ober)?|Nov(ember)?|Dec(ember)?
@@ -149,6 +156,7 @@ dmesg_timestamp		\[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]
 %x dmesg_timestamp
 %x safe_string
 %x audit_types
+%x ip_addr
 %x other_audit
 %x unknown_message
 
@@ -201,6 +209,12 @@ yy_flex_debug = 0;
 	.		{ /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
 	}
 
+<ip_addr>{
+	{ip_addr}	{ yylval->t_str = strdup(yytext); yy_pop_state(yyscanner); return(TOK_IP_ADDR); }
+	{equals}	{ return(TOK_EQUALS); }
+	.		{ /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
+	}
+
 <audit_types>{
 	{equals}	{ return(TOK_EQUALS); }
 	{digits}	{ yylval->t_long = atol(yytext); BEGIN(INITIAL); return(TOK_DIGITS); }
@@ -265,11 +279,15 @@ yy_flex_debug = 0;
 {key_error}		{ return(TOK_KEY_ERROR); }
 {key_fsuid}		{ return(TOK_KEY_FSUID); }
 {key_ouid}		{ return(TOK_KEY_OUID); }
-{key_comm}		{ return(TOK_KEY_COMM); }
+{key_comm}		{ BEGIN(safe_string); return(TOK_KEY_COMM); }
 {key_capability}	{ return(TOK_KEY_CAPABILITY); }
 {key_capname}		{ return(TOK_KEY_CAPNAME); }
 {key_offset}		{ return(TOK_KEY_OFFSET); }
 {key_target}		{ return(TOK_KEY_TARGET); }
+{key_laddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
+{key_faddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
+{key_lport}		{ return(TOK_KEY_LPORT); }
+{key_fport}		{ return(TOK_KEY_FPORT); }
 
 {syslog_kernel}		{ BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
 {syslog_month}		{ yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }

libraries/libapparmor/swig/SWIG/libapparmor.i

@@ -13,9 +13,17 @@
  * are manually inserted here
  */
 
+extern int aa_is_enabled(void);
+extern int aa_find_mountpoint(char **mnt);
 extern int aa_change_hat(const char *subprofile, unsigned long magic_token);
 extern int aa_change_profile(const char *profile);
 extern int aa_change_onexec(const char *profile);
 extern int aa_change_hatv(const char *subprofiles[], unsigned long token);
 extern int aa_change_hat_vargs(unsigned long token, int count, ...);
-
+extern int aa_getprocattr_raw(pid_t tid, const char *attr, char *buf, int len,
+			      char **mode);
+extern int aa_getprocattr(pid_t tid, const char *attr, char **buf, char **mode);
+extern int aa_gettaskcon(pid_t target, char **con, char **mode);
+extern int aa_getcon(char **con, char **mode);
+extern int aa_getpeercon_raw(int fd, char *buffer, int *size);
+extern int aa_getpeercon(int fd, char **con);

libraries/libapparmor/swig/python/setup.py.in

@@ -13,7 +13,7 @@ setup(name		= 'LibAppArmor',
       ext_package	= 'LibAppArmor',
       ext_modules	= [Extension('_LibAppArmor', ['libapparmor_wrap.c'],
 					include_dirs=['@top_srcdir@/src'],
-					extra_link_args = string.split('-L@top_builddir@/src/.libs -lapparmor'),
-# static:				extra_link_args = string.split('@top_builddir@/src/.libs/libapparmor.a'),
+					extra_link_args = '-L@top_builddir@/src/.libs -lapparmor'.split(),
+# static:				extra_link_args = '@top_builddir@/src/.libs/libapparmor.a'.split(),
 			)],
       )

libraries/libapparmor/testsuite/test_multi.c

@@ -51,6 +51,18 @@ int main(int argc, char **argv)
 	return ret;
 }
 
+#define print_string(description, var) \
+	if ((var) != NULL) { \
+		printf("%s: %s\n", (description), (var)); \
+	}
+
+/* unset is the value that the library sets to the var to indicate
+   that it is unset */
+#define print_long(description, var, unset) \
+	if ((var) != (unsigned long) (unset)) { \
+		printf("%s: %ld\n", (description), (var)); \
+	}
+
 int print_results(aa_log_record *record)
 {
 		printf("Event type: ");
@@ -185,6 +197,11 @@ int print_results(aa_log_record *record)
 		{
 			printf("Protocol: %s\n", record->net_protocol);
 		}
+		print_string("Local addr", record->net_local_addr);
+		print_string("Foreign addr", record->net_foreign_addr);
+		print_long("Local port", record->net_local_port, 0);
+		print_long("Foreign port", record->net_foreign_port, 0);
+
 		printf("Epoch: %lu\n", record->epoch);
 		printf("Audit subid: %u\n", record->audit_sub_id);
 	return(0);

libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1322676143.201:455): apparmor="ALLOWED" operation="open" parent=10357 profile=2F686F6D652F73746576652F746D702F6D792070726F672E7368 name=2F686F6D652F73746576652F746D702F6D792070726F672E7368 pid=22918 comm=6D792070726F672E7368 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.out

@@ -0,0 +1,16 @@
+START
+File: test_multi/testcase_encoded_comm.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1322676143.201:455
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 1000
+Profile: /home/steve/tmp/my prog.sh
+Name: /home/steve/tmp/my prog.sh
+Command: my prog.sh
+Parent: 10357
+PID: 22918
+Epoch: 1322676143
+Audit subid: 455

libraries/libapparmor/testsuite/test_multi/testcase_encoded_profile.in

@@ -0,0 +1 @@
+Aug 23 17:29:45 hostname kernel: [289763.843292] type=1400 audit(1322614912.304:857): apparmor="ALLOWED" operation="getattr" parent=16001 profile=74657374207370616365 name="/lib/x86_64-linux-gnu/libdl-2.13.so" pid=17011 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

libraries/libapparmor/testsuite/test_multi/testcase_encoded_profile.out

@@ -0,0 +1,16 @@
+START
+File: test_multi/testcase_encoded_profile.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1322614912.304:857
+Operation: getattr
+Mask: r
+Denied Mask: r
+fsuid: 0
+ouid: 0
+Profile: test space
+Name: /lib/x86_64-linux-gnu/libdl-2.13.so
+Command: bash
+Parent: 16001
+PID: 17011
+Epoch: 1322614912
+Audit subid: 857

libraries/libapparmor/testsuite/test_multi/testcase_network_01.in

@@ -0,0 +1 @@
+Apr  5 19:30:56 precise-amd64 kernel: [153073.826757] type=1400 audit(1308766940.698:3704): apparmor="DENIED" operation="sendmsg" parent=24737 profile="/usr/bin/evince-thumbnailer" pid=24743 comm="evince-thumbnai" laddr=192.168.66.150 lport=765 faddr=192.168.66.200 fport=2049 family="inet" sock_type="stream" protocol=6

libraries/libapparmor/testsuite/test_multi/testcase_network_01.out

@@ -0,0 +1,18 @@
+START
+File: test_multi/testcase_network_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1308766940.698:3704
+Operation: sendmsg
+Profile: /usr/bin/evince-thumbnailer
+Command: evince-thumbnai
+Parent: 24737
+PID: 24743
+Network family: inet
+Socket type: stream
+Protocol: tcp
+Local addr: 192.168.66.150
+Foreign addr: 192.168.66.200
+Local port: 765
+Foreign port: 2049
+Epoch: 1308766940
+Audit subid: 3704

libraries/libapparmor/testsuite/test_multi/testcase_network_02.in

@@ -0,0 +1 @@
+Apr  5 19:31:04 precise-amd64 kernel: [153073.826757] type=1400 audit(1308766940.698:3704): apparmor="DENIED" operation="sendmsg" parent=24737 profile="/usr/bin/evince-thumbnailer" pid=24743 comm="evince-thumbnai" lport=765 fport=2049 family="inet" sock_type="stream" protocol=6

libraries/libapparmor/testsuite/test_multi/testcase_network_02.out

@@ -0,0 +1,16 @@
+START
+File: test_multi/testcase_network_02.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1308766940.698:3704
+Operation: sendmsg
+Profile: /usr/bin/evince-thumbnailer
+Command: evince-thumbnai
+Parent: 24737
+PID: 24743
+Network family: inet
+Socket type: stream
+Protocol: tcp
+Local port: 765
+Foreign port: 2049
+Epoch: 1308766940
+Audit subid: 3704

libraries/libapparmor/testsuite/test_multi/testcase_network_03.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1333648169.009:11707146): apparmor="ALLOWED" operation="accept" parent=25932 profile="/usr/lib/dovecot/imap-login" pid=5049 comm="imap-login" lport=143 family="inet6" sock_type="stream" protocol=6

libraries/libapparmor/testsuite/test_multi/testcase_network_03.out

@@ -0,0 +1,15 @@
+START
+File: test_multi/testcase_network_03.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1333648169.009:11707146
+Operation: accept
+Profile: /usr/lib/dovecot/imap-login
+Command: imap-login
+Parent: 25932
+PID: 5049
+Network family: inet6
+Socket type: stream
+Protocol: tcp
+Local port: 143
+Epoch: 1333648169
+Audit subid: 11707146

libraries/libapparmor/testsuite/test_multi/testcase_network_04.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1333697181.284:273901): apparmor="DENIED" operation="recvmsg" parent=1596 profile="/home/ubuntu/tmp/nc" pid=1056 comm="nc" laddr=::1 lport=2048 faddr=::1 fport=33986 family="inet6" sock_type="stream" protocol=6

libraries/libapparmor/testsuite/test_multi/testcase_network_04.out

@@ -0,0 +1,18 @@
+START
+File: test_multi/testcase_network_04.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1333697181.284:273901
+Operation: recvmsg
+Profile: /home/ubuntu/tmp/nc
+Command: nc
+Parent: 1596
+PID: 1056
+Network family: inet6
+Socket type: stream
+Protocol: tcp
+Local addr: ::1
+Foreign addr: ::1
+Local port: 2048
+Foreign port: 33986
+Epoch: 1333697181
+Audit subid: 273901

libraries/libapparmor/testsuite/test_multi/testcase_network_05.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1333698107.128:273917): apparmor="DENIED" operation="recvmsg" parent=1596 profile="/home/ubuntu/tmp/nc" pid=1875 comm="nc" laddr=::ffff:127.0.0.1 lport=2048 faddr=::ffff:127.0.0.1 fport=59180 family="inet6" sock_type="stream" protocol=6

libraries/libapparmor/testsuite/test_multi/testcase_network_05.out

@@ -0,0 +1,18 @@
+START
+File: test_multi/testcase_network_05.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1333698107.128:273917
+Operation: recvmsg
+Profile: /home/ubuntu/tmp/nc
+Command: nc
+Parent: 1596
+PID: 1875
+Network family: inet6
+Socket type: stream
+Protocol: tcp
+Local addr: ::ffff:127.0.0.1
+Foreign addr: ::ffff:127.0.0.1
+Local port: 2048
+Foreign port: 59180
+Epoch: 1333698107
+Audit subid: 273917

parser/COPYING.GPL

@@ -1,15 +1,15 @@
 This license applies to all source files within the AppArmor parser
 package.
 
-		    GNU GENERAL PUBLIC LICENSE
-		       Version 2, June 1991
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 2, June 1991
 
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 
-			    Preamble
+                            Preamble
 
   The licenses for most software are designed to take away your
 freedom to share and change it.  By contrast, the GNU General Public
@@ -18,7 +18,7 @@ software--to make sure the software is free for all its users.  This
 General Public License applies to most of the Free Software
 Foundation's software and to any other program whose authors commit to
 using it.  (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.)  You can apply it to
+the GNU Lesser General Public License instead.)  You can apply it to
 your programs, too.
 
   When we speak of free software, we are referring to freedom, not
@@ -58,8 +58,8 @@ patent must be licensed for everyone's free use or not licensed at all.
 
   The precise terms and conditions for copying, distribution and
 modification follow.
-
-		    GNU GENERAL PUBLIC LICENSE
+
+                    GNU GENERAL PUBLIC LICENSE
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
 
   0. This License applies to any program or other work which contains
@@ -113,7 +113,7 @@ above, provided that you also meet all of these conditions:
     License.  (Exception: if the Program itself is interactive but
     does not normally print such an announcement, your work based on
     the Program is not required to print an announcement.)
-
+
 These requirements apply to the modified work as a whole.  If
 identifiable sections of that work are not derived from the Program,
 and can be reasonably considered independent and separate works in
@@ -171,7 +171,7 @@ access to copy from a designated place, then offering equivalent
 access to copy the source code from the same place counts as
 distribution of the source code, even though third parties are not
 compelled to copy the source along with the object code.
-
+
   4. You may not copy, modify, sublicense, or distribute the Program
 except as expressly provided under this License.  Any attempt
 otherwise to copy, modify, sublicense or distribute the Program is
@@ -228,7 +228,7 @@ impose that choice.
 
 This section is intended to make thoroughly clear what is believed to
 be a consequence of the rest of this License.
-
+
   8. If the distribution and/or use of the Program is restricted in
 certain countries either by patents or by copyrighted interfaces, the
 original copyright holder who places the Program under this License
@@ -258,7 +258,7 @@ make exceptions for this.  Our decision will be guided by the two goals
 of preserving the free status of all derivatives of our free software and
 of promoting the sharing and reuse of software generally.
 
-			    NO WARRANTY
+                            NO WARRANTY
 
   11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
 FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
@@ -280,9 +280,9 @@ YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
 PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGES.
 
-		     END OF TERMS AND CONDITIONS
-
-	    How to Apply These Terms to Your New Programs
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
 
   If you develop a new program, and you want it to be of the greatest
 possible use to the public, the best way to achieve this is to make it
@@ -294,7 +294,7 @@ convey the exclusion of warranty; and each file should have at least
 the "copyright" line and a pointer to where the full notice is found.
 
     <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) 19yy  <name of author>
+    Copyright (C) <year>  <name of author>
 
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -306,17 +306,16 @@ the "copyright" line and a pointer to where the full notice is found.
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     GNU General Public License for more details.
 
-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 
 Also add information on how to contact you by electronic and paper mail.
 
 If the program is interactive, make it output a short notice like this
 when it starts in an interactive mode:
 
-    Gnomovision version 69, Copyright (C) 19yy name of author
+    Gnomovision version 69, Copyright (C) year name of author
     Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
     This is free software, and you are welcome to redistribute it
     under certain conditions; type `show c' for details.
@@ -339,5 +338,5 @@ necessary.  Here is a sample; alter the names:
 This General Public License does not permit incorporating your program into
 proprietary programs.  If your program is a subroutine library, you may
 consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Library General
+library.  If this is what you want to do, use the GNU Lesser General
 Public License instead of this License.

parser/Makefile

@@ -49,7 +49,7 @@ ifndef CFLAGS
 CFLAGS	= -g -O2 -pipe
 
 ifdef DEBUG
-CFLAGS += -pg
+CFLAGS += -pg -D DEBUG
 endif
 endif #CFLAGS
 
@@ -73,29 +73,31 @@ EXTRA_CFLAGS+=-DPACKAGE=\"${NAME}\" -DLOCALEDIR=\"${LOCALEDIR}\"
 # Compile-time configuration of the location of the config file
 EXTRA_CFLAGS+=-DSUBDOMAIN_CONFDIR=\"${CONFDIR}\"
 
-SRCS = parser_include.c parser_interface.c parser_lex.c parser_main.c \
-       parser_misc.c parser_merge.c parser_symtab.c parser_yacc.c \
-       parser_regex.c parser_variable.c parser_policy.c parser_alias.c
-HDRS = parser.h parser_include.h immunix.h
+SRCS = parser_common.c parser_include.c parser_interface.c parser_lex.c \
+       parser_main.c parser_misc.c parser_merge.c parser_symtab.c \
+       parser_yacc.c parser_regex.c parser_variable.c parser_policy.c \
+       parser_alias.c mount.c
+HDRS = parser.h parser_include.h immunix.h mount.h
 TOOLS = apparmor_parser
 
-OBJECTS = parser_lex.o parser_yacc.o parser_main.o parser_interface.o \
-	  parser_include.o parser_merge.o parser_symtab.o parser_misc.o \
-	  parser_regex.o parser_variable.o parser_policy.o parser_alias.o
+OBJECTS = $(SRCS:.c=.o)
 
 AAREDIR= libapparmor_re
-AAREOBJECTS = ${AAREDIR}/libapparmor_re.a
+AAREOBJECT = ${AAREDIR}/libapparmor_re.a
+AAREOBJECTS = $(AAREOBJECT) libstdc++.a
+AARE_LDFLAGS=-static-libgcc -L.
 
 LEX_C_FILES	= parser_lex.c
 YACC_C_FILES	= parser_yacc.c parser_yacc.h
 
 TESTS = tst_regex tst_misc tst_symtab tst_variable
-TEST_FLAGS = -Wl,--warn-unresolved-symbols
-DISABLED_TESTS =
-
-TEST_OBJECTS = $(filter-out parser_lex.o, \
-	       $(filter-out parser_yacc.o, \
-	       $(filter-out parser_main.o, ${OBJECTS})))
+TEST_CFLAGS = $(EXTRA_CFLAGS) -DUNIT_TEST -Wno-unused-result
+TEST_OBJECTS = $(filter-out \
+			parser_lex.o \
+			parser_yacc.o \
+			parser_main.o, ${OBJECTS}) \
+               $(AAREOBJECTS)
+TEST_LDFLAGS = $(AARE_LDFLAGS)
 
 ifdef V
   VERBOSE = 1
@@ -113,7 +115,7 @@ endif
 export Q VERBOSE BUILD_OUTPUT
 
 po/${NAME}.pot: ${SRCS} ${HDRS}
-	make -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}"
+	$(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}"
 
 techdoc.pdf: techdoc.tex
 	while pdflatex $< ${BUILD_OUTPUT} || exit 1 ; \
@@ -128,8 +130,7 @@ techdoc.txt: techdoc/index.html
 
 # targets arranged this way so that people who don't want full docs can
 # pick specific targets they want.
-main: 	$(TOOLS)
-	$(Q)make -C po all
+arch: 	$(TOOLS)
 
 manpages:	$(MANPAGES)
 
@@ -139,13 +140,20 @@ pdf:	techdoc.pdf
 
 docs:	manpages htmlmanpages pdf
 
-all:	main docs tests
+indep: docs
+	$(Q)$(MAKE) -C po all
+
+all:	arch indep
+
+
+.PHONY: libstdc++.a
+libstdc++.a:
+	rm -f ./libstdc++.a
+	ln -s `$(CXX) -print-file-name=libstdc++.a`
 
 apparmor_parser: $(OBJECTS) $(AAREOBJECTS)
-	rm -f ./libstdc++.a
-	ln -s `g++ -print-file-name=libstdc++.a`
-	g++ $(EXTRA_CFLAGS) -o $@ $(OBJECTS) $(LIBS) \
-	      ${LEXLIB}  $(AAREOBJECTS) -static-libgcc -L.
+	$(CXX) $(EXTRA_CFLAGS) -o $@ $(OBJECTS) $(LIBS) \
+	      ${LEXLIB}  $(AAREOBJECTS) $(AARE_LDFLAGS)
 
 parser_yacc.c parser_yacc.h: parser_yacc.y parser.h
 	$(YACC) $(YFLAGS) -o parser_yacc.c parser_yacc.y
@@ -189,54 +197,46 @@ parser_policy.o: parser_policy.c parser.h parser_yacc.h
 parser_alias.o: parser_alias.c parser.h
 	$(CC) $(EXTRA_CFLAGS) -c -o $@ $<
 
+parser_common.o: parser_common.c parser.h
+	$(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+
+mount.o: mount.c mount.h parser.h immunix.h
+	$(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+
 parser_version.h: Makefile
 	@echo \#define PARSER_VERSION \"$(VERSION)\" > .ver
 	@mv -f .ver $@
 
-# These are the families that it doesn't make sense for apparmor to mediate.
-# We use PF_ here since that is what is required in bits/socket.h, but we will
-# rewrite these as AF_.
-FILTER_FAMILIES=PF_RXRPC PF_MAX PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK PF_LLC PF_IUCV PF_TIPC PF_CAN PF_ISDN PF_PHONET
+# af_names and capabilities generation has moved to common/Make.rules,
+# as well as the filtering that occurs for network protocols that
+# apparmor should not mediate.
 
-__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
-
-af_names.h: /usr/include/bits/socket.h
-	LC_ALL=C sed -n -e '/$(__FILTER)/d' -e "s/^\#define[ \\t]\\+PF_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/#ifndef AF_\\1\\n#  define AF_\\1 \\2\\n#endif\\nAA_GEN_NET_ENT(\"\\L\\1\", \\UAF_\\1)\\n/p" $< > $@
-	LC_ALL=C sed -n -e "s/^\#define[ \\t]\\+PF_MAX[ \\t]\\+\\([0-9]\\+\\)[ \\t]\\+.*/#define AA_AF_MAX \\1\n/p" $< >> $@
+.PHONY: af_names.h
+af_names.h:
+	echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g'  -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n#  define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n\n/pg' > $@
+	echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/.*,[ \t]\+AF_MAX[ \t]\+\([0-9]\+\),\?.*/#define AA_AF_MAX \1\n/p' >> $@
 	# cat $@
 
 cap_names.h: /usr/include/linux/capability.h
-	LC_ALL=C sed -n -e "/CAP_EMPTY_SET/d" -e "s/^\#define[ \\t]\\+CAP_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9xa-f]\\+\\)\\(.*\\)\$$/\{\"\\L\\1\", \\UCAP_\\1\},/p" $< > $@
+	echo "$(CAPABILITIES)" | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
 
-tst_symtab: parser_symtab.c parser.h parser_variable.o
-	$(Q)$(CC) -DUNIT_TEST $(EXTRA_CFLAGS) $(TEST_FLAGS) -o $@ $< parser_variable.o $(BUILD_OUTPUT)
-
-tst_variable: parser_variable.c parser.h $(filter-out parser_variable.o, ${TEST_OBJECTS})
-	$(Q)$(CC) -DUNIT_TEST $(EXTRA_CFLAGS) $(TEST_FLAGS) -o $@ $< $(filter-out parser_variable.o, ${TEST_OBJECTS}) $(BUILD_OUTPUT)
-
-tst_misc: parser_misc.c parser.h parser_yacc.h af_names.h cap_names.h
-	$(Q)$(CC) -DUNIT_TEST $(EXTRA_CFLAGS) $(TEST_FLAGS) -o $@ $< $(BUILD_OUTPUT)
-
-tst_regex: parser_regex.c parser.h parser_yacc.h
-	$(Q)$(CC) -DUNIT_TEST $(EXTRA_CFLAGS) $(TEST_FLAGS) -o $@ $< $(BUILD_OUTPUT)
+tst_%: parser_%.c parser.h $(filter-out parser_%.o, ${TEST_OBJECTS})
+	$(CC) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS}) $(TEST_LDFLAGS)
 
 .SILENT: check
 .PHONY: check
 check: tests
 
 .SILENT: tests
-tests: ${TESTS}
-	sh -e -c 'for test in ${TESTS} ; do echo "*** running $${test}" && ./$${test} $(BUILD_OUTPUT) ; done'
-	$(Q)make -s -C tst tests
-
-.SILENT: check
-check: tests
+tests: apparmor_parser ${TESTS}
+	sh -e -c 'for test in ${TESTS} ; do echo "*** running $${test}" && ./$${test}; done'
+	$(Q)$(MAKE) -s -C tst tests
 
 # always need to rebuild.
-.SILENT: $(AAREOBJECTS)
-.PHONY: $(AAREOBJECTS)
-$(AAREOBJECTS):
-	make -C $(AAREDIR) CFLAGS="$(EXTRA_CXXFLAGS)"
+.SILENT: $(AAREOBJECT)
+.PHONY: $(AAREOBJECT)
+$(AAREOBJECT):
+	$(MAKE) -C $(AAREDIR) CFLAGS="$(EXTRA_CXXFLAGS)"
 
 .PHONY: install-rhel4
 install-rhel4: install-redhat
@@ -245,17 +245,14 @@ install-rhel4: install-redhat
 install-redhat:
 	install -m 755 -d $(DESTDIR)/etc/init.d
 	install -m 755 rc.apparmor.$(subst install-,,$@) $(DESTDIR)/etc/init.d/apparmor
-	install -m 755 rc.aaeventd.redhat $(DESTDIR)/etc/init.d/aaeventd
 
 .PHONY: install-suse
 install-suse:
 	install -m 755 -d $(DESTDIR)/etc/init.d
 	install -m 755 rc.apparmor.$(subst install-,,$(@)) $(DESTDIR)/etc/init.d/boot.apparmor
-	install -m 755 rc.aaeventd.$(subst install-,,$(@)) $(DESTDIR)/etc/init.d/aaeventd
 	install -m 755 -d $(DESTDIR)/sbin
 	ln -sf /etc/init.d/boot.apparmor $(DESTDIR)/sbin/rcapparmor
 	ln -sf rcapparmor $(DESTDIR)/sbin/rcsubdomain
-	ln -sf /etc/init.d/aaeventd $(DESTDIR)/sbin/rcaaeventd
 
 .PHONY: install-slackware
 install-slackware:
@@ -270,22 +267,29 @@ install-debian:
 .PHONY: install-unknown
 install-unknown:
 
-INSTALLDEPS=$(TOOLS)
+INSTALLDEPS=arch
 ifdef DISTRO
 INSTALLDEPS+=install-$(DISTRO)
 endif
 
 .PHONY: install
-install: $(INSTALLDEPS)
+install: install-indep install-arch
+
+.PHONY: install-arch
+install-arch: $(INSTALLDEPS)
 	install -m 755 -d $(DESTDIR)/sbin
 	install -m 755 ${TOOLS} $(DESTDIR)/sbin
+
+.PHONY: install-indep
+install-indep:
 	install -m 755 -d $(INSTALL_CONFDIR)
 	install -m 644 subdomain.conf $(INSTALL_CONFDIR)
+	install -m 644 parser.conf $(INSTALL_CONFDIR)
 	install -m 755 -d ${DESTDIR}/var/lib/apparmor
 	install -m 755 -d $(APPARMOR_BIN_PREFIX)
 	install -m 755 rc.apparmor.functions $(APPARMOR_BIN_PREFIX)
-	make -C po install NAME=${NAME} DESTDIR=${DESTDIR}
-	make install_manpages DESTDIR=${DESTDIR}
+	$(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR}
+	$(MAKE) install_manpages DESTDIR=${DESTDIR}
 
 .SILENT: clean
 .PHONY: clean
@@ -296,15 +300,14 @@ clean: _clean
 	rm -f $(YACC_C_FILES)
 	rm -f parser_version.h
 	rm -f $(NAME)*.tar.gz $(NAME)*.tgz
-	rm -f libstdc++.a
 	rm -f af_names.h
 	rm -f cap_names.h
 	rm -rf techdoc.aux techdoc.log techdoc.pdf techdoc.toc techdor.txt techdoc/
-	make -s -C $(AAREDIR) clean
-	make -s -C po clean
-	make -s -C tst clean
+	$(MAKE) -s -C $(AAREDIR) clean
+	$(MAKE) -s -C po clean
+	$(MAKE) -s -C tst clean
 
 .SILENT: dist_clean
 dist_clean:
-	@make clean
+	@$(MAKE) clean
 	@rm -f $(LEX_C_FILES) $(YACC_C_FILES)

parser/apparmor-parser.spec.in

@@ -103,6 +103,7 @@ make install DESTDIR=${RPM_BUILD_ROOT} \
   /etc/init.d/aaeventd
 %endif
 %config(noreplace) /etc/apparmor/subdomain.conf
+%config(noreplace) /etc/apparmor/parser.conf
 /var/lib/apparmor
 %dir %attr(-, root, root) %{apparmor_bin_prefix}
 %{apparmor_bin_prefix}/rc.apparmor.functions

parser/apparmor.d.pod

@@ -3,7 +3,7 @@
 #                  2008, 2009
 #    NOVELL (All rights reserved)
 #
-#    Copyright (c) 2010
+#    Copyright (c) 2010 - 2012
 #    Canonical Ltd. (All rights reserved)
 #
 #    This program is free software; you can redistribute it and/or
@@ -54,7 +54,7 @@ B<COMMENT> = '#' I<TEXT>
 
 B<TEXT> = any characters
 
-B<PROFILE> = [ I<COMMENT> ... ] [ I<VARIABLE ASSIGNMENT> ... ] ( '"' I<PROGRAM> '"' | I<PROGRAM> ) [ 'flags=(complain)' ]'{' [ ( I<RESOURCE RULE> | I<COMMENT> | I<INCLUDE> | I<SUBPROFILE> | 'capability ' I<CAPABILITY> | I<NETWORK RULE> | 'change_profile -> ' I<PROGRAMCHILD> ) ... ] '}'
+B<PROFILE> = [ I<COMMENT> ... ] [ I<VARIABLE ASSIGNMENT> ... ] ( '"' I<PROGRAM> '"' | I<PROGRAM> ) [ 'flags=(complain)' ]'{' [ ( I<RESOURCE RULE> | I<COMMENT> | I<INCLUDE> | I<SUBPROFILE> | 'capability ' I<CAPABILITY> | I<NETWORK RULE> | I<MOUNT RULE> | I<FILE RULE> | 'change_profile -> ' I<PROGRAMCHILD> ) ... ] '}'
 
 B<SUBPROFILE> = [ I<COMMENT> ... ] ( I<PROGRAMHAT> | 'profile ' I<PROGRAMCHILD> ) '{' [ ( I<FILE RULE> | I<COMMENT> | I<INCLUDE> ) ... ] '}'
 
@@ -75,15 +75,41 @@ B<PROGRAMHAT> = '^'  (non-whitespace characters; see aa_change_hat(2) for a desc
 
 B<PROGRAMCHILD> = I<SUBPROFILE> name
 
+B<MOUNT RULE> = ( I<MOUNT> | I<REMOUNT> | I<UMOUNT> | I<PIVOT ROOT> )
+
+B<MOUNT> = [ 'audit' ] [ 'deny' ] 'mount' [ I<MOUNT CONDITIONS> ] [ I<SOURCE FILEGLOB> ] [ -> [ I<MOUNTPOINT FILEGLOB> ]
+
+B<REMOUNT> = [ 'audit' ] [ 'deny' ] 'remount' [ I<MOUNT CONDITIONS> ] I<MOUNTPOINT FILEGLOB>
+
+B<UMOUNT> = [ 'audit' ] [ 'deny' ] 'umount' [ I<MOUNT CONDITIONS> ] I<MOUNTPOINT FILEGLOB>
+
+B<PIVOT ROOT> = [ 'audit' ] [ 'deny' ] pivot_root [ I<OLD ABS PATH> ] [ I<MOUNTPOINT ABS PATH> ] [ -> I<PROGRAMCHILD> ]
+
+B<MOUNT CONDITIONS> = [ ( 'fstype' | 'vfstype' ) ( '=' | 'in' ) I<MOUNT FSTYPE EXPRESSION> ] [ 'options' ( '=' | 'in' ) I<MOUNT FLAGS EXPRESSION> ]
+
+B<MOUNT FSTYPE EXPRESSION> = ( I<MOUNT FSTYPE LIST> | I<MOUNT EXPRESSION> )
+
+B<MOUNT FSTYPE LIST> = Comma separated list of valid filesystem and virtual filesystem types (eg ext4, debugfs, devfs, etc)
+
+B<MOUNT FLAGS EXPRESSION> = ( I<MOUNT FLAGS LIST> | I<MOUNT EXPRESSION> )
+
+B<MOUNT FLAGS LIST> = Comma separated list of I<MOUNT FLAGS>.
+
+B<MOUNT FLAGS> = ( 'ro' | 'rw' | 'nosuid' | 'suid' | 'nodev' | 'dev' | 'noexec' | 'exec' | 'sync' | 'async' | 'remount' | 'mand' | 'nomand' | 'dirsync' | 'nodirsync' | 'noatime' | 'atime' | 'nodiratime' | 'diratime' | 'bind' | 'move' | 'rec' | 'verbose' | 'silent' | 'load' | 'acl' | 'noacl' | 'unbindable' | 'private' | 'slave' | 'shared' | 'relative' | 'norelative' | 'iversion' | 'noiversion' | 'strictatime' | 'nouser' | 'user' )
+
+B<MOUNT EXPRESSION> = ( I<ALPHANUMERIC> | I<AARE> ) ...
+
+B<AARE> = B<?*[]{}^> (see below for meanings)
+
 B<FILE RULE> = I<RULE QUALIFIER> ( '"' I<FILEGLOB> '"' | I<FILEGLOB> ) I<ACCESS> ','
 
 B<RULE QUALIFIER> = [ 'audit' ] [ 'deny' ] [ 'owner' ]
 
-B<FILEGLOB> = (must start with '/' (after variable expansion), B<?*[]{}^> have special meanings; see below. May include I<VARIABLE>. Rules with embedded spaces or tabs must be quoted. Rules must end with '/' to apply to directories.)
+B<FILEGLOB> = (must start with '/' (after variable expansion), B<AARE> have special meanings; see below. May include I<VARIABLE>. Rules with embedded spaces or tabs must be quoted. Rules must end with '/' to apply to directories.)
 
 B<ACCESS> = ( 'r' | 'w' | 'l' | 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx -> ' I<PROGRAMCHILD> | 'Cx -> ' I<PROGRAMCHILD> | 'm' ) [ I<ACCESS> ... ]  (not all combinations are allowed; see below.)
 
-B<VARIABLE> = '@{' I<ALPHA> [ I<ALPHANUMERIC> ... ] '}'
+B<VARIABLE> = '@{' I<ALPHA> [ ( I<ALPHANUMERIC> | '_' ) ... ] '}'
 
 B<VARIABLE ASSIGNMENT> = I<VARIABLE> ('=' | '+=') (space separated values)
 
@@ -91,7 +117,7 @@ B<ALIAS RULE> = I<ABS PATH> '->' I<REWRITTEN ABS PATH> ','
 
 B<ALPHA> = ('a', 'b', 'c', ... 'z', 'A', 'B', ... 'Z')
 
-B<ALPHANUMERIC> = ('1', '2', '3', ... '9', 'a', 'b', 'c', ... 'z', 'A', 'B', ... 'Z')
+B<ALPHANUMERIC> = ('0', '1', '2', ... '9', 'a', 'b', 'c', ... 'z', 'A', 'B', ... 'Z')
 
 =back
 
@@ -303,10 +329,6 @@ access is not granted, some capabilities allow loading kernel modules,
 arbitrary access to IPC, ability to bypass discretionary access controls,
 and other operations that are typically reserved for the root user.
 
-The only operations that cannot be controlled in this manner are mount(2),
-umount(2), and loading new AppArmor policy into the kernel, which are
-always denied to confined processes.
-
 =head2 Network Rules
 
 AppArmor supports simple coarse grained network mediation.  The network
@@ -323,10 +345,285 @@ as further information is specified.
 
 eg.
 
-network,		#allow access to all networking
-network tcp,		#allow access to tcp
-network inet tcp,	#allow access to tcp only for inet4 addresses
-network inet6 tcp,	#allow access to tcp only for inet6 addresses
+ network,		#allow access to all networking
+ network tcp,		#allow access to tcp
+ network inet tcp,	#allow access to tcp only for inet4 addresses
+ network inet6 tcp,	#allow access to tcp only for inet6 addresses
+
+=head2 Mount Rules
+
+AppArmor supports mount mediation and allows specifying filesystem types and
+mount flags. The syntax of mount rules in AppArmor is based on the mount(8)
+command syntax. Mount rules must contain one of the mount, remount, umount or
+pivot_root keywords, but all mount conditions are optional. Unspecified
+optional conditionals are assumed to match all entries (eg, not specifying
+fstype means all fstypes are matched). Due to the complexity of the mount
+command and how options may be specified, AppArmor allows specifying
+conditionals three different ways:
+
+=over 4
+
+=item 1.
+
+If a conditional is specified using '=', then the rule only grants permission
+for mounts matching the exactly specified options. For example, an AppArmor
+policy with the following rule:
+
+=over 4
+
+mount options=ro /dev/foo -> /mnt/,
+
+=back
+
+Would match:
+
+=over 4
+
+$ mount -o ro /dev/foo /mnt
+
+=back
+
+but not either of these:
+
+=over 4
+
+$ mount -o ro,atime /dev/foo /mnt
+
+$ mount -o rw /dev/foo /mnt
+
+=back
+
+=item 2.
+
+If a conditional is specified using 'in', then the rule grants permission for
+mounts matching any combination of the specified options. For example, if an
+AppArmor policy has the following rule:
+
+=over 4
+
+mount options in (ro,atime) /dev/foo -> /mnt/,
+
+=back
+
+all of these mount commands will match:
+
+=over 4
+
+$ mount -o ro /dev/foo /mnt
+
+$ mount -o ro,atime /dev/foo /mnt
+
+$ mount -o atime /dev/foo /mnt
+
+=back
+
+but none of these will:
+
+=over 4
+
+$ mount -o ro,sync /dev/foo /mnt
+
+$ mount -o ro,atime,sync /dev/foo /mnt
+
+$ mount -o rw /dev/foo /mnt
+
+$ mount -o rw,noatime /dev/foo /mnt
+
+$ mount /dev/foo /mnt
+
+=back
+
+=item 3.
+
+If multiple conditionals are specified in a single mount rule, then the rule
+grants permission for each set of options. This provides a shorthand when
+writing mount rules which might help to logically break up a conditional. For
+example, if an AppArmor policy has the following rule:
+
+=over 4
+
+mount options=ro options=atime
+
+=back
+
+both of these mount commands will match:
+
+=over 4
+
+$ mount -o ro /dev/foo /mnt
+
+$ mount -o atime /dev/foo /mnt
+
+=back
+
+but this one will not:
+
+=over 4
+
+$ mount -o ro,atime /dev/foo /mnt
+
+=back
+
+=back
+
+Note that separate mount rules are distinct and the options do not accumulate.
+For example, these AppArmor mount rules:
+
+=over 4
+
+mount options=ro,
+mount options=atime,
+
+=back
+
+are not equivalent to either of these mount rules:
+
+=over 4
+
+mount options=(ro,atime),
+
+mount options in (ro,atime),
+
+=back
+
+To help clarify the flexibility and complexity of mount rules, here are some
+example rules with accompanying matching commands:
+
+=over 4
+
+=item B<mount,>
+
+the 'mount' rule without any conditionals is the most generic and allows any
+mount. Equivalent to 'mount fstype=** options=** ** -> /**'.
+
+=item B<mount /dev/foo,>
+
+allow mounting of /dev/foo anywhere with any options. Some matching mount
+commands:
+
+=over 4
+
+$ mount /dev/foo /mnt
+
+$ mount -t ext3 /dev/foo /mnt
+
+$ mount -t vfat /dev/foo /mnt
+
+$ mount -o ro,atime,noexec,nodiratime /dev/foo /srv/some/mountpoint
+
+=back
+
+=item B<mount options=ro /dev/foo,>
+
+allow mounting of /dev/foo anywhere, as read only. Some matching mount
+commands:
+
+=over 4
+
+$ mount -o ro /dev/foo /mnt
+
+$ mount -o ro /dev/foo /some/where/else
+
+=back
+
+=item B<mount options=(ro,atime) /dev/foo,>
+
+allow mount of /dev/foo anywhere, as read only and using inode access times.
+Some matching mount commands:
+
+=over 4
+
+$ mount -o ro,atime /dev/foo /mnt
+
+$ mount -o ro,atime /dev/foo /some/where/else
+
+=back
+
+=item B<mount options in (ro,atime) /dev/foo,>
+
+allow mount of /dev/foo anywhere using some combination of 'ro' and 'atime'
+(see above). Some matching mount commands:
+
+=over 4
+
+$ mount -o ro /dev/foo /mnt
+
+$ mount -o atime /dev/foo /some/where/else
+
+$ mount -o ro,atime /dev/foo /some/other/place
+
+=back
+
+=item B<mount options=ro /dev/foo, mount options=atime /dev/foo,>
+
+allow mount of /dev/foo anywhere as read only, and allow mount of /dev/foo
+anywhere using inode access times. Note this is expressed as two different
+rules. Matches:
+
+=over 4
+
+$ mount -o ro /dev/foo /mnt/1
+
+$ mount -o atime /dev/foo /mnt/2
+
+=back
+
+=item B<< mount -> /mnt/**, >>
+
+allow mounting anything under a directory in /mnt/**. Some matching mount
+commands:
+
+=over 4
+
+$ mount /dev/foo1 /mnt/1
+
+$ mount -o ro,atime,noexec,nodiratime /dev/foo2 /mnt/deep/path/foo2
+
+=back
+
+=item B<< mount options=ro -> /mnt/**, >>
+
+allow mounting anything under /mnt/**, as read only. Some matching mount
+commands:
+
+=over 4
+
+$ mount -o ro /dev/foo1 /mnt/1
+
+$ mount -o ro /dev/foo2 /mnt/deep/path/foo2
+
+=back
+
+=item B<< mount fstype=ext3 options=(rw,atime) /dev/sdb1 -> /mnt/stick/, >>
+
+allow mounting an ext3 filesystem in /dev/sdb1 on /mnt/stick as read/write and
+using inode access times. Matches only:
+
+=over 4
+
+$ mount -o rw,atime /dev/sdb1 /mnt/stick
+
+=back
+
+=item B<< mount options=(ro, atime) options in (nodev, user) /dev/foo -> /mnt/, >>
+
+allow mounting /dev/foo on /mmt/ read only and using inode access times or
+allow mounting /dev/foo on /mnt/ with some combination of 'nodev' and 'user'.
+Matches only:
+
+=over 4
+
+$ mount -o ro,atime /dev/foo /mnt
+
+$ mount -o nodev /dev/foo /mnt
+
+$ mount -o user /dev/foo /mnt
+
+$ mount -o nodev,user /dev/foo /mnt
+
+=back
+
+=back
 
 =head2 Variables
 
@@ -605,6 +902,29 @@ An example AppArmor profile:
 
 =back
 
+=head1 KNOWN BUGS
+
+=over 4
+
+Mount options support the use of pattern matching but mount flags are not
+correctly intersected against specified patterns. Eg, 'mount options=**,'
+should be equivalent to 'mount,', but it is not. (LP: #965690)
+
+The fstype may not be matched against when certain mount command flags are
+used. Specifically fstype matching currently only works when creating a new
+mount and not remount, bind, etc.
+
+Mount rules with multiple 'options' conditionals are not applied as documented
+but instead merged such that 'options in (ro,nodev) options in (atime)' is
+equivalent to 'options in (ro,nodev,atime)'.
+
+When specifying mount options with the 'in' conditional, both the positive and
+negative values match when specifying one or the other. Eg, 'rw' matches when
+'ro' is specified and 'dev' matches when 'nodev' is specified such that
+'options in (ro,nodev)' is equivalent to 'options in (rw,dev)'.
+
+=back
+
 =head1 SEE ALSO
 
 apparmor(7), apparmor_parser(8), aa-complain(1),

parser/apparmor.vim.pod

@@ -3,7 +3,7 @@
 #                  2008, 2009
 #    NOVELL (All rights reserved)
 #
-#    Copyright (c) 2010
+#    Copyright (c) 2010 - 2012
 #    Canonical Ltd. (All rights reserved)
 #
 #    This program is free software; you can redistribute it and/or
@@ -16,7 +16,7 @@
 #    GNU General Public License for more details.
 #
 #    You should have received a copy of the GNU General Public License
-#    along with this program; if not, contact Novell, Inc.
+#    along with this program; if not, contact Canonical, Ltd.
 # ----------------------------------------------------------------------
 
 
@@ -28,13 +28,11 @@ apparmor.vim - vim syntax highlighting file for AppArmor profiles
 
 =head1 SYNOPSIS
 
-The SUSE vim package is configured to automatically use syntax
-highlighting for AppArmor policies stored in /etc/apparmor.d/ and the
-extra policies stored in /etc/apparmor/profiles/extras/. If you wish to
-use the syntax highlighting in a specific vim session, you may run:
+Your system may be configured to automatically use syntax highlighting
+for installed AppArmor policies. If not, you can enable syntax highlighting in
+a specific vim session by performing:
 
- :syntax on
- :setf apparmor
+ :set syntax=apparmor
 
 =head1 DESCRIPTION
 

parser/apparmor_parser.pod

@@ -3,7 +3,7 @@
 #                  2008, 2009
 #    NOVELL (All rights reserved)
 #
-#    Copyright (c) 2010
+#    Copyright (c) 2010 - 2012
 #    Canonical Ltd. (All rights reserved)
 #
 #    This program is free software; you can redistribute it and/or
@@ -127,16 +127,21 @@ Perform no caching at all: disables -W, implies -T.
 
 =item -T, --skip-read-cache
 
-By default, if a profile's cache is found in /etc/apparmor.d/cache/ and
-the timestamp is newer than the profile, it will be loaded from the cache.
-This option disables this cache loading behavior.
+By default, if a profile's cache is found in the location specified by
+--cache-loc and the timestamp is newer than the profile, it will be loaded
+from the cache. This option disables this cache loading behavior.
 
 =item -W, --write-cache
 
-Write out cached profiles to /etc/apparmor.d/cache/.  Off by default.
-In cases where abstractions have been changed, and the parser is running
-with "--replace", it may make sense to also use "--skip-read-cache" with
-the "--write-cache" option.
+Write out cached profiles to the location specified in --cache-loc.  Off
+by default. In cases where abstractions have been changed, and the parser
+is running with "--replace", it may make sense to also use
+"--skip-read-cache" with the "--write-cache" option.
+
+=item -L, --cache-loc
+
+Set the location of the cache directory.  If not specified the cache location
+defaults to /etc/apparmor.d/cache
 
 =item -Q, --skip-kernel-load
 
@@ -199,6 +204,38 @@ Give a quick reference guide.
 
 =back
 
+=head1 CONFIG FILE
+
+An optional config file /etc/apparmor/parser.conf can be used to specify the
+default options for the parser, which then can be overridden using the command
+line options.
+
+The config file ignores leading whitespace and treats lines that begin with #
+as comments.  Config options are specified one per line using the same format
+as the longform command line options (without the preceding --).
+
+Eg.
+    #comment
+
+    optimize=no-expr-tree
+    optimize=compress-fast
+
+As with the command line some options accumulate and others override, ie. when
+there are conflicting versions of switch the last option is the one chosen.
+
+Eg.
+    Optimize=no-minimize
+    Optimize=minimize
+
+would result in Optimize=minimize being set.
+
+The Include, Dump, and Optimize options accululate except for the inversion
+option (no-X vs. X), and a couple options that work by setting/clearing
+multiple options (compress-small).  In that case the option will override
+the flags it sets but will may accumulate with others.
+
+All other options override previously set values.
+
 =head1 BUGS
 
 If you find any bugs, please report them at

parser/immunix.h

@@ -61,6 +61,7 @@
 #define AA_PTRACE_PERMS			(AA_USER_PTRACE | AA_OTHER_PTRACE)
 
 #define AA_CHANGE_HAT			(1 << 30)
+#define AA_ONEXEC			(1 << 30)
 #define AA_CHANGE_PROFILE		(1 << 31)
 #define AA_SHARED_PERMS			(AA_CHANGE_HAT | AA_CHANGE_PROFILE)
 
@@ -96,6 +97,9 @@
 
 #define ALL_AA_EXEC_TYPE		(AA_USER_EXEC_TYPE | AA_OTHER_EXEC_TYPE)
 
+#define ALL_USER_EXEC			(AA_USER_EXEC | AA_USER_EXEC_TYPE)
+#define ALL_OTHER_EXEC			(AA_OTHER_EXEC | AA_OTHER_EXEC_TYPE)
+
 #define AA_LINK_BITS			((AA_MAY_LINK << AA_USER_SHIFT) | \
 					 (AA_MAY_LINK << AA_OTHER_SHIFT))
 

parser/libapparmor_re/Makefile

@@ -4,7 +4,7 @@
 TARGET=libapparmor_re.a
 
 CFLAGS ?= -g -Wall -O2 ${EXTRA_CFLAGS}
-CXXFLAGS := ${CFLAGS}
+CXXFLAGS := ${CFLAGS} -std=c++0x
 
 ARFLAGS=-rcs
 
@@ -12,14 +12,21 @@ BISON := bison
 
 all : ${TARGET}
 
-libapparmor_re.a: regexp.o
+libapparmor_re.a: parse.o expr-tree.o hfa.o chfa.o aare_rules.o
 	ar ${ARFLAGS} $@ $^
 
-regexp.o : regexp.cc apparmor_re.h
-	$(LINK.cc) $< -c -o $@
+expr-tree.o: expr-tree.cc expr-tree.h
 
-regexp.cc : regexp.y flex-tables.h ../immunix.h
+hfa.o: hfa.cc apparmor_re.h hfa.h ../immunix.h
+
+aare_rules.o: aare_rules.cc aare_rules.h apparmor_re.h expr-tree.h hfa.h chfa.h parse.h ../immunix.h
+
+chfa.o: chfa.cc chfa.h ../immunix.h
+
+parse.o : parse.cc apparmor_re.h expr-tree.h
+
+parse.cc : parse.y parse.h flex-tables.h ../immunix.h
 	${BISON} -o $@ $<
 
 clean:
-	rm -f regexp.o regexp.cc regexp.so regexp.a regexp ${TARGET}
+	rm -f *.o parse.cc ${TARGET}

parser/libapparmor_re/aare_rules.cc

@@ -0,0 +1,336 @@
+/*
+ * (C) 2006, 2007 Andreas Gruenbacher <agruen@suse.de>
+ * Copyright (c) 2003-2008 Novell, Inc. (All rights reserved)
+ * Copyright 2009-2012 Canonical Ltd.
+ *
+ * The libapparmor library is licensed under the terms of the GNU
+ * Lesser General Public License, version 2.1. Please see the file
+ * COPYING.LGPL.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ * Wrapper around the dfa to convert aa rules into a dfa
+ */
+
+#include <ostream>
+#include <iostream>
+#include <fstream>
+#include <sstream>
+#include <ext/stdio_filebuf.h>
+#include <assert.h>
+#include <stdlib.h>
+
+#include "aare_rules.h"
+#include "expr-tree.h"
+#include "parse.h"
+#include "hfa.h"
+#include "chfa.h"
+#include "../immunix.h"
+
+struct aare_ruleset {
+	int reverse;
+	Node *root;
+};
+
+extern "C" aare_ruleset_t *aare_new_ruleset(int reverse)
+{
+	aare_ruleset_t *container = (aare_ruleset_t *) malloc(sizeof(aare_ruleset_t));
+	if (!container)
+		return NULL;
+
+	container->root = NULL;
+	container->reverse = reverse;
+
+	return container;
+}
+
+extern "C" void aare_delete_ruleset(aare_ruleset_t *rules)
+{
+	if (rules) {
+		if (rules->root)
+			rules->root->release();
+		free(rules);
+	}
+}
+
+extern "C" int aare_add_rule(aare_ruleset_t *rules, char *rule, int deny,
+			     uint32_t perms, uint32_t audit, dfaflags_t flags)
+{
+	return aare_add_rule_vec(rules, deny, perms, audit, 1, &rule, flags);
+}
+
+#define FLAGS_WIDTH 2
+#define MATCH_FLAGS_SIZE (sizeof(uint32_t) * 8 - 1)
+MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
+DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
+#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2)	/* double for each of ix pux, unsafe x bits * u::o */
+MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];	/* mods + unsafe + ix + pux * u::o */
+ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];	/* mods + unsafe + ix + pux *u::o */
+
+extern "C" void aare_reset_matchflags(void)
+{
+	uint32_t i, j;
+#define RESET_FLAGS(group, size) { \
+	for (i = 0; i < FLAGS_WIDTH; i++) { \
+		for (j = 0; j < size; j++) { \
+		    if ((group)[i][j]) delete (group)[i][j];	\
+			(group)[i][j] = NULL; \
+		} \
+	} \
+}
+	RESET_FLAGS(match_flags, MATCH_FLAGS_SIZE);
+	RESET_FLAGS(deny_flags, MATCH_FLAGS_SIZE);
+	RESET_FLAGS(exec_match_flags, EXEC_MATCH_FLAGS_SIZE);
+	RESET_FLAGS(exact_match_flags, EXEC_MATCH_FLAGS_SIZE);
+#undef RESET_FLAGS
+}
+
+extern "C" int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
+				 uint32_t perms, uint32_t audit,
+				 int count, char **rulev, dfaflags_t flags)
+{
+	Node *tree = NULL, *accept;
+	int exact_match;
+	uint32_t allow = perms;
+
+	assert(perms != 0);
+
+	if (regex_parse(&tree, rulev[0]))
+		return 0;
+	for (int i = 1; i < count; i++) {
+		Node *subtree = NULL;
+		Node *node = new CharNode(0);
+		if (!node)
+			return 0;
+		tree = new CatNode(tree, node);
+		if (regex_parse(&subtree, rulev[i]))
+			return 0;
+		tree = new CatNode(tree, subtree);
+	}
+
+	/*
+	 * Check if we have an expression with or without wildcards. This
+	 * determines how exec modifiers are merged in accept_perms() based
+	 * on how we split permission bitmasks here.
+	 */
+	exact_match = 1;
+	for (depth_first_traversal i(tree); i; i++) {
+		if (dynamic_cast<StarNode *>(*i) ||
+		    dynamic_cast<PlusNode *>(*i) ||
+		    dynamic_cast<AnyCharNode *>(*i) ||
+		    dynamic_cast<CharSetNode *>(*i) ||
+		    dynamic_cast<NotCharSetNode *>(*i))
+			exact_match = 0;
+	}
+
+	if (rules->reverse)
+		flip_tree(tree);
+
+/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */
+#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f)
+
+//if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS))
+//      fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]);
+
+//if (perms & ALL_EXEC_TYPE)
+//    fprintf(stderr, "adding X rule %s 0x%x\n", rulev[0], perms);
+
+//if (audit)
+//fprintf(stderr, "adding rule with audit bits set: 0x%x %s\n", audit, rulev[0]);
+
+//if (perms & AA_CHANGE_HAT)
+//    fprintf(stderr, "adding change_hat rule %s\n", rulev[0]);
+
+/* the permissions set is assumed to be non-empty if any audit
+ * bits are specified */
+	accept = NULL;
+	for (unsigned int n = 0; perms && n < (sizeof(perms) * 8); n++) {
+		uint32_t mask = 1 << n;
+
+		if (!(perms & mask))
+			continue;
+
+		int ai = audit & mask ? 1 : 0;
+		perms &= ~mask;
+
+		Node *flag;
+		if (mask & ALL_AA_EXEC_TYPE)
+			/* these cases are covered by EXEC_BITS */
+			continue;
+		if (deny) {
+			if (deny_flags[ai][n]) {
+				flag = deny_flags[ai][n];
+			} else {
+//fprintf(stderr, "Adding deny ai %d mask 0x%x audit 0x%x\n", ai, mask, audit & mask);
+				deny_flags[ai][n] = new DenyMatchFlag(mask, audit & mask);
+				flag = deny_flags[ai][n];
+			}
+		} else if (mask & AA_EXEC_BITS) {
+			uint32_t eperm = 0;
+			uint32_t index = 0;
+			if (mask & AA_USER_EXEC) {
+				eperm = mask | (perms & AA_USER_EXEC_TYPE);
+				index = EXTRACT_X_INDEX(eperm, AA_USER_SHIFT);
+			} else {
+				eperm = mask | (perms & AA_OTHER_EXEC_TYPE);
+				index = EXTRACT_X_INDEX(eperm, AA_OTHER_SHIFT) + (AA_EXEC_COUNT << 2);
+			}
+//fprintf(stderr, "index %d eperm 0x%x\n", index, eperm);
+			if (exact_match) {
+				if (exact_match_flags[ai][index]) {
+					flag = exact_match_flags[ai][index];
+				} else {
+					exact_match_flags[ai][index] = new ExactMatchFlag(eperm, audit & mask);
+					flag = exact_match_flags[ai][index];
+				}
+			} else {
+				if (exec_match_flags[ai][index]) {
+					flag = exec_match_flags[ai][index];
+				} else {
+					exec_match_flags[ai][index] = new MatchFlag(eperm, audit & mask);
+					flag = exec_match_flags[ai][index];
+				}
+			}
+		} else {
+			if (match_flags[ai][n]) {
+				flag = match_flags[ai][n];
+			} else {
+				match_flags[ai][n] = new MatchFlag(mask, audit & mask);
+				flag = match_flags[ai][n];
+			}
+		}
+		if (accept)
+			accept = new AltNode(accept, flag);
+		else
+			accept = flag;
+	} /* for ... */
+
+	if (flags & DFA_DUMP_RULE_EXPR) {
+		cerr << "rule: ";
+		cerr << rulev[0];
+		for (int i = 1; i < count; i++) {
+			cerr << "\\x00";
+			cerr << rulev[i];
+		}
+		cerr << "  ->  ";
+		tree->dump(cerr);
+		if (deny)
+			cerr << " deny";
+		cerr << " (0x" << hex << allow <<"/" << audit << dec << ")";
+		accept->dump(cerr);
+ 		cerr << "\n\n";
+	}
+
+	if (rules->root)
+		rules->root = new AltNode(rules->root, new CatNode(tree, accept));
+	else
+		rules->root = new CatNode(tree, accept);
+
+	return 1;
+
+}
+
+/* create a dfa from the ruleset
+ * returns: buffer contain dfa tables, @size set to the size of the tables
+ *          else NULL on failure
+ */
+extern "C" void *aare_create_dfa(aare_ruleset_t *rules, size_t *size,
+				 dfaflags_t flags)
+{
+	char *buffer = NULL;
+
+	label_nodes(rules->root);
+	if (flags & DFA_DUMP_TREE) {
+		cerr << "\nDFA: Expression Tree\n";
+		rules->root->dump(cerr);
+		cerr << "\n\n";
+	}
+
+	if (flags & DFA_CONTROL_TREE_SIMPLE) {
+		rules->root = simplify_tree(rules->root, flags);
+
+		if (flags & DFA_DUMP_SIMPLE_TREE) {
+			cerr << "\nDFA: Simplified Expression Tree\n";
+			rules->root->dump(cerr);
+			cerr << "\n\n";
+		}
+	}
+
+	stringstream stream;
+	try {
+		DFA dfa(rules->root, flags);
+		if (flags & DFA_DUMP_UNIQ_PERMS)
+			dfa.dump_uniq_perms("dfa");
+
+		if (flags & DFA_CONTROL_MINIMIZE) {
+			dfa.minimize(flags);
+
+			if (flags & DFA_DUMP_MIN_UNIQ_PERMS)
+				dfa.dump_uniq_perms("minimized dfa");
+		}
+
+		if (flags & DFA_CONTROL_FILTER_DENY &&
+		    flags & DFA_CONTROL_MINIMIZE &&
+		    dfa.apply_and_clear_deny()) {
+			/* Do a second minimization pass as removal of deny
+			 * information has moved some states from accepting
+			 * to none accepting partitions
+			 *
+			 * TODO: add this as a tail pass to minimization
+			 *       so we don't need to do a full second pass
+			 */
+			dfa.minimize(flags);
+
+			if (flags & DFA_DUMP_MIN_UNIQ_PERMS)
+				dfa.dump_uniq_perms("minimized dfa");
+		}
+
+		if (flags & DFA_CONTROL_REMOVE_UNREACHABLE)
+			dfa.remove_unreachable(flags);
+
+		if (flags & DFA_DUMP_STATES)
+			dfa.dump(cerr);
+
+		if (flags & DFA_DUMP_GRAPH)
+			dfa.dump_dot_graph(cerr);
+
+		map<uchar, uchar> eq;
+		if (flags & DFA_CONTROL_EQUIV) {
+			eq = dfa.equivalence_classes(flags);
+			dfa.apply_equivalence_classes(eq);
+
+			if (flags & DFA_DUMP_EQUIV) {
+				cerr << "\nDFA equivalence class\n";
+				dump_equivalence_classes(cerr, eq);
+			}
+		} else if (flags & DFA_DUMP_EQUIV)
+			cerr << "\nDFA did not generate an equivalence class\n";
+
+		CHFA chfa(dfa, eq, flags);
+		if (flags & DFA_DUMP_TRANS_TABLE)
+			chfa.dump(cerr);
+		chfa.flex_table(stream, "");
+	}
+	catch(int error) {
+		*size = 0;
+		return NULL;
+	}
+
+	stringbuf *buf = stream.rdbuf();
+
+	buf->pubseekpos(0);
+	*size = buf->in_avail();
+
+	buffer = (char *)malloc(*size);
+	if (!buffer)
+		return NULL;
+	buf->sgetn(buffer, *size);
+	return buffer;
+}

parser/libapparmor_re/aare_rules.h

@@ -0,0 +1,49 @@
+/*
+ * (C) 2006, 2007 Andreas Gruenbacher <agruen@suse.de>
+ * Copyright (c) 2003-2008 Novell, Inc. (All rights reserved)
+ * Copyright 2009-2012 Canonical Ltd.
+ *
+ * The libapparmor library is licensed under the terms of the GNU
+ * Lesser General Public License, version 2.1. Please see the file
+ * COPYING.LGPL.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ * Wrapper around the dfa to convert aa rules into a dfa
+ */
+#ifndef __LIBAA_RE_RULES_H
+#define __LIBAA_RE_RULES_H
+
+#include <stdint.h>
+
+#include "apparmor_re.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct aare_ruleset;
+
+typedef struct aare_ruleset aare_ruleset_t;
+
+aare_ruleset_t *aare_new_ruleset(int reverse);
+void aare_delete_ruleset(aare_ruleset_t *rules);
+int aare_add_rule(aare_ruleset_t *rules, char *rule, int deny, uint32_t perms,
+		  uint32_t audit, dfaflags_t flags);
+int aare_add_rule_vec(aare_ruleset_t *rules, int deny, uint32_t perms,
+		      uint32_t audit, int count, char **rulev,
+		      dfaflags_t flags);
+void *aare_create_dfa(aare_ruleset_t *rules, size_t *size, dfaflags_t flags);
+void aare_reset_matchflags(void);
+
+#ifdef __cplusplus
+}
+#endif
+#endif				/* __LIBAA_RE_RULES_H */

parser/libapparmor_re/apparmor_re.h

@@ -1,11 +1,20 @@
 /*
- *   Copyright (c) 2003, 2004, 2005, 2006, 2007 Novell, Inc.
- *   (All rights reserved)
+ * (C) 2006, 2007 Andreas Gruenbacher <agruen@suse.de>
+ * Copyright (c) 2003-2008 Novell, Inc. (All rights reserved)
+ * Copyright 2009-2012 Canonical Ltd.
  *
- *   The libapparmor library is licensed under the terms of the GNU
- *   Lesser General Public License, version 2.1. Please see the file
- *   COPYING.LGPL.
- */
+ * The libapparmor library is licensed under the terms of the GNU
+ * Lesser General Public License, version 2.1. Please see the file
+ * COPYING.LGPL.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+  */
 
 #ifndef APPARMOR_RE_H
 #define APPARMOR_RE_H
@@ -17,10 +26,11 @@ typedef enum dfaflags {
   DFA_CONTROL_TREE_LEFT =	1 << 3,
   DFA_CONTROL_MINIMIZE =	1 << 4,
   DFA_CONTROL_MINIMIZE_HASH_TRANS = 1 << 5,
-  DFA_CONTROL_MINIMIZE_HASH_PERMS = 1 << 6,
+  DFA_CONTROL_FILTER_DENY =	1 << 6,
   DFA_CONTROL_REMOVE_UNREACHABLE =	1 << 7,
   DFA_CONTROL_TRANS_HIGH =	1 << 8,
 
+  DFA_DUMP_MIN_PARTS =		1 << 13,
   DFA_DUMP_UNIQ_PERMS =		1 << 14,
   DFA_DUMP_MIN_UNIQ_PERMS =	1 << 15,
   DFA_DUMP_TREE_STATS =		1 << 16,
@@ -41,25 +51,4 @@ typedef enum dfaflags {
   DFA_DUMP_NODE_TO_DFA =	1 << 31,
 } dfaflags_t;
 
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-struct aare_ruleset;
-
-typedef struct aare_ruleset aare_ruleset_t;
-
-aare_ruleset_t *aare_new_ruleset(int reverse);
-void aare_delete_ruleset(aare_ruleset_t *rules);
-int aare_add_rule(aare_ruleset_t *rules, char *rule, int deny,
-		  uint32_t perms, uint32_t audit, dfaflags_t flags);
-int aare_add_rule_vec(aare_ruleset_t *rules, int deny, uint32_t perms,
-		      uint32_t audit, int count, char **rulev, dfaflags_t flags);
-void *aare_create_dfa(aare_ruleset_t *rules, size_t *size, dfaflags_t flags);
-void aare_reset_matchflags(void);
-
-#ifdef __cplusplus
-}
-#endif
-
 #endif /* APPARMOR_RE_H */

parser/libapparmor_re/chfa.cc

@@ -0,0 +1,420 @@
+/*
+ * (C) 2006, 2007 Andreas Gruenbacher <agruen@suse.de>
+ * Copyright (c) 2003-2008 Novell, Inc. (All rights reserved)
+ * Copyright 2009-2012 Canonical Ltd.
+ *
+ * The libapparmor library is licensed under the terms of the GNU
+ * Lesser General Public License, version 2.1. Please see the file
+ * COPYING.LGPL.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ * Create a compressed hfa from and hfa
+ */
+
+#include <map>
+#include <vector>
+#include <ostream>
+#include <iostream>
+#include <fstream>
+
+#include <arpa/inet.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "hfa.h"
+#include "chfa.h"
+#include "../immunix.h"
+
+void CHFA::init_free_list(vector<pair<size_t, size_t> > &free_list,
+				     size_t prev, size_t start)
+{
+	for (size_t i = start; i < free_list.size(); i++) {
+		if (prev)
+			free_list[prev].second = i;
+		free_list[i].first = prev;
+		prev = i;
+	}
+	free_list[free_list.size() - 1].second = 0;
+}
+
+/**
+ * new Construct the transition table.
+ */
+CHFA::CHFA(DFA &dfa, map<uchar, uchar> &eq, dfaflags_t flags): eq(eq)
+{
+	if (flags & DFA_DUMP_TRANS_PROGRESS)
+		fprintf(stderr, "Compressing HFA:\r");
+
+	if (eq.empty())
+		max_eq = 255;
+	else {
+		max_eq = 0;
+		for (map<uchar, uchar>::iterator i = eq.begin();
+		     i != eq.end(); i++) {
+			if (i->second > max_eq)
+				max_eq = i->second;
+		}
+	}
+
+	/* Do initial setup adding up all the transitions and sorting by
+	 * transition count.
+	 */
+	size_t optimal = 2;
+	multimap<size_t, State *> order;
+	vector<pair<size_t, size_t> > free_list;
+
+	for (Partition::iterator i = dfa.states.begin(); i != dfa.states.end(); i++) {
+		if (*i == dfa.start || *i == dfa.nonmatching)
+			continue;
+		optimal += (*i)->trans.size();
+		if (flags & DFA_CONTROL_TRANS_HIGH) {
+			size_t range = 0;
+			if ((*i)->trans.size())
+				range =
+				    (*i)->trans.rbegin()->first -
+				    (*i)->trans.begin()->first;
+			size_t ord = ((256 - (*i)->trans.size()) << 8) | (256 - range);
+			/* reverse sort by entry count, most entries first */
+			order.insert(make_pair(ord, *i));
+		}
+	}
+
+	/* Insert the dummy nonmatching transition by hand */
+	next_check.push_back(make_pair(dfa.nonmatching, dfa.nonmatching));
+	default_base.push_back(make_pair(dfa.nonmatching, 0));
+	num.insert(make_pair(dfa.nonmatching, num.size()));
+
+	accept.resize(dfa.states.size());
+	accept2.resize(dfa.states.size());
+	next_check.resize(optimal);
+	free_list.resize(optimal);
+
+	accept[0] = 0;
+	accept2[0] = 0;
+	first_free = 1;
+	init_free_list(free_list, 0, 1);
+
+	insert_state(free_list, dfa.start, dfa);
+	accept[1] = 0;
+	accept2[1] = 0;
+	num.insert(make_pair(dfa.start, num.size()));
+
+	int count = 2;
+
+	if (!(flags & DFA_CONTROL_TRANS_HIGH)) {
+		for (Partition::iterator i = dfa.states.begin(); i != dfa.states.end(); i++) {
+			if (*i != dfa.nonmatching && *i != dfa.start) {
+				insert_state(free_list, *i, dfa);
+				accept[num.size()] = (*i)->perms.allow;
+				accept2[num.size()] = PACK_AUDIT_CTL((*i)->perms.audit, (*i)->perms.quiet & (*i)->perms.deny);
+				num.insert(make_pair(*i, num.size()));
+			}
+			if (flags & (DFA_DUMP_TRANS_PROGRESS)) {
+				count++;
+				if (count % 100 == 0)
+					fprintf(stderr, "\033[2KCompressing trans table: insert state: %d/%zd\r",
+						count, dfa.states.size());
+			}
+		}
+	} else {
+		for (multimap<size_t, State *>::iterator i = order.begin();
+		     i != order.end(); i++) {
+			if (i->second != dfa.nonmatching &&
+			    i->second != dfa.start) {
+				insert_state(free_list, i->second, dfa);
+				accept[num.size()] = i->second->perms.allow;
+				accept2[num.size()] = PACK_AUDIT_CTL(i->second->perms.audit, i->second->perms.quiet & i->second->perms.deny);
+				num.insert(make_pair(i->second, num.size()));
+			}
+			if (flags & (DFA_DUMP_TRANS_PROGRESS)) {
+				count++;
+				if (count % 100 == 0)
+					fprintf(stderr, "\033[2KCompressing trans table: insert state: %d/%zd\r",
+						count, dfa.states.size());
+			}
+		}
+	}
+
+	if (flags & (DFA_DUMP_TRANS_STATS | DFA_DUMP_TRANS_PROGRESS)) {
+		ssize_t size = 4 * next_check.size() + 6 * dfa.states.size();
+		fprintf(stderr, "\033[2KCompressed trans table: states %zd, next/check %zd, optimal next/check %zd avg/state %.2f, compression %zd/%zd = %.2f %%\n",
+			dfa.states.size(), next_check.size(), optimal,
+			(float)next_check.size() / (float)dfa.states.size(),
+			size, 512 * dfa.states.size(),
+			100.0 - ((float)size * 100.0 /(float)(512 * dfa.states.size())));
+	}
+}
+
+/**
+ * Does <trans> fit into position <base> of the transition table?
+ */
+bool CHFA::fits_in(vector<pair<size_t, size_t> > &free_list
+			      __attribute__ ((unused)), size_t pos,
+			      StateTrans &trans)
+{
+	size_t c, base = pos - trans.begin()->first;
+	for (StateTrans::iterator i = trans.begin(); i != trans.end(); i++) {
+		c = base + i->first;
+		/* if it overflows the next_check array it fits in as we will
+		 * resize */
+		if (c >= next_check.size())
+			return true;
+		if (next_check[c].second)
+			return false;
+	}
+
+	return true;
+}
+
+/**
+ * Insert <state> of <dfa> into the transition table.
+ */
+void CHFA::insert_state(vector<pair<size_t, size_t> > &free_list,
+				   State *from, DFA &dfa)
+{
+	State *default_state = dfa.nonmatching;
+	size_t base = 0;
+	int resize;
+
+	StateTrans &trans = from->trans;
+	size_t c = trans.begin()->first;
+	size_t prev = 0;
+	size_t x = first_free;
+
+	if (from->otherwise)
+		default_state = from->otherwise;
+	if (trans.empty())
+		goto do_insert;
+
+repeat:
+	resize = 0;
+	/* get the first free entry that won't underflow */
+	while (x && (x < c)) {
+		prev = x;
+		x = free_list[x].second;
+	}
+
+	/* try inserting until we succeed. */
+	while (x && !fits_in(free_list, x, trans)) {
+		prev = x;
+		x = free_list[x].second;
+	}
+	if (!x) {
+		resize = 256 - trans.begin()->first;
+		x = free_list.size();
+		/* set prev to last free */
+	} else if (x + 255 - trans.begin()->first >= next_check.size()) {
+		resize = (255 - trans.begin()->first - (next_check.size() - 1 - x));
+		for (size_t y = x; y; y = free_list[y].second)
+			prev = y;
+	}
+	if (resize) {
+		/* expand next_check and free_list */
+		size_t old_size = free_list.size();
+		next_check.resize(next_check.size() + resize);
+		free_list.resize(free_list.size() + resize);
+		init_free_list(free_list, prev, old_size);
+		if (!first_free)
+			first_free = old_size;;
+		if (x == old_size)
+			goto repeat;
+	}
+
+	base = x - c;
+	for (StateTrans::iterator j = trans.begin(); j != trans.end(); j++) {
+		next_check[base + j->first] = make_pair(j->second, from);
+		size_t prev = free_list[base + j->first].first;
+		size_t next = free_list[base + j->first].second;
+		if (prev)
+			free_list[prev].second = next;
+		if (next)
+			free_list[next].first = prev;
+		if (base + j->first == first_free)
+			first_free = next;
+	}
+
+do_insert:
+	default_base.push_back(make_pair(default_state, base));
+}
+
+/**
+ * Text-dump the transition table (for debugging).
+ */
+void CHFA::dump(ostream &os)
+{
+	map<size_t, const State *> st;
+	for (map<const State *, size_t>::iterator i = num.begin(); i != num.end(); i++) {
+		st.insert(make_pair(i->second, i->first));
+	}
+
+	os << "size=" << default_base.size() << " (accept, default, base):  {state} -> {default state}" << "\n";
+	for (size_t i = 0; i < default_base.size(); i++) {
+		os << i << ": ";
+		os << "(" << accept[i] << ", " << num[default_base[i].first]
+		   << ", " << default_base[i].second << ")";
+		if (st[i])
+			os << " " << *st[i];
+		if (default_base[i].first)
+			os << " -> " << *default_base[i].first;
+		os << "\n";
+	}
+
+	os << "size=" << next_check.size() << " (next, check): {check state} -> {next state} : offset from base\n";
+	for (size_t i = 0; i < next_check.size(); i++) {
+		if (!next_check[i].second)
+			continue;
+
+		os << i << ": ";
+		if (next_check[i].second) {
+			os << "(" << num[next_check[i].first] << ", "
+			   << num[next_check[i].second] << ")" << " "
+			   << *next_check[i].second << " -> "
+			   << *next_check[i].first << ": ";
+
+			size_t offs = i - default_base[num[next_check[i].second]].second;
+			if (eq.size())
+				os << offs;
+			else
+				os << (uchar) offs;
+		}
+		os << "\n";
+	}
+}
+
+/**
+ * Create a flex-style binary dump of the DFA tables. The table format
+ * was partly reverse engineered from the flex sources and from
+ * examining the tables that flex creates with its --tables-file option.
+ * (Only the -Cf and -Ce formats are currently supported.)
+ */
+
+#include "flex-tables.h"
+#define YYTH_REGEX_MAGIC 0x1B5E783D
+
+static inline size_t pad64(size_t i)
+{
+	return (i + (size_t) 7) & ~(size_t) 7;
+}
+
+string fill64(size_t i)
+{
+	const char zeroes[8] = { };
+	string fill(zeroes, (i & 7) ? 8 - (i & 7) : 0);
+	return fill;
+}
+
+template<class Iter> size_t flex_table_size(Iter pos, Iter end)
+{
+	return pad64(sizeof(struct table_header) + sizeof(*pos) * (end - pos));
+}
+
+template<class Iter>
+    void write_flex_table(ostream &os, int id, Iter pos, Iter end)
+{
+	struct table_header td = { 0, 0, 0, 0 };
+	size_t size = end - pos;
+
+	td.td_id = htons(id);
+	td.td_flags = htons(sizeof(*pos));
+	td.td_lolen = htonl(size);
+	os.write((char *)&td, sizeof(td));
+
+	for (; pos != end; ++pos) {
+		switch (sizeof(*pos)) {
+		case 4:
+			os.put((char)(*pos >> 24));
+			os.put((char)(*pos >> 16));
+		case 2:
+			os.put((char)(*pos >> 8));
+		case 1:
+			os.put((char)*pos);
+		}
+	}
+
+	os << fill64(sizeof(td) + sizeof(*pos) * size);
+}
+
+void CHFA::flex_table(ostream &os, const char *name)
+{
+	const char th_version[] = "notflex";
+	struct table_set_header th = { 0, 0, 0, 0 };
+
+	/**
+	 * Change the following two data types to adjust the maximum flex
+	 * table size.
+	 */
+	typedef uint16_t state_t;
+	typedef uint32_t trans_t;
+
+	if (default_base.size() >= (state_t) - 1) {
+		cerr << "Too many states (" << default_base.size() << ") for "
+		    "type state_t\n";
+		exit(1);
+	}
+	if (next_check.size() >= (trans_t) - 1) {
+		cerr << "Too many transitions (" << next_check.size()
+		     << ") for " "type trans_t\n";
+		exit(1);
+	}
+
+	/**
+	 * Create copies of the data structures so that we can dump the tables
+	 * using the generic write_flex_table() routine.
+	 */
+	vector<uint8_t> equiv_vec;
+	if (eq.size()) {
+		equiv_vec.resize(256);
+		for (map<uchar, uchar>::iterator i = eq.begin(); i != eq.end(); i++) {
+			equiv_vec[i->first] = i->second;
+		}
+	}
+
+	vector<state_t> default_vec;
+	vector<trans_t> base_vec;
+	for (DefaultBase::iterator i = default_base.begin(); i != default_base.end(); i++) {
+		default_vec.push_back(num[i->first]);
+		base_vec.push_back(i->second);
+	}
+
+	vector<state_t> next_vec;
+	vector<state_t> check_vec;
+	for (NextCheck::iterator i = next_check.begin(); i != next_check.end(); i++) {
+		next_vec.push_back(num[i->first]);
+		check_vec.push_back(num[i->second]);
+	}
+
+	/* Write the actual flex parser table. */
+
+	size_t hsize = pad64(sizeof(th) + sizeof(th_version) + strlen(name) + 1);
+	th.th_magic = htonl(YYTH_REGEX_MAGIC);
+	th.th_hsize = htonl(hsize);
+	th.th_ssize = htonl(hsize +
+			    flex_table_size(accept.begin(), accept.end()) +
+			    flex_table_size(accept2.begin(), accept2.end()) +
+			    (eq.size() ? flex_table_size(equiv_vec.begin(), equiv_vec.end()) : 0) +
+			    flex_table_size(base_vec.begin(), base_vec.end()) +
+			    flex_table_size(default_vec.begin(), default_vec.end()) +
+			    flex_table_size(next_vec.begin(), next_vec.end()) +
+			    flex_table_size(check_vec.begin(), check_vec.end()));
+	os.write((char *)&th, sizeof(th));
+	os << th_version << (char)0 << name << (char)0;
+	os << fill64(sizeof(th) + sizeof(th_version) + strlen(name) + 1);
+
+	write_flex_table(os, YYTD_ID_ACCEPT, accept.begin(), accept.end());
+	write_flex_table(os, YYTD_ID_ACCEPT2, accept2.begin(), accept2.end());
+	if (eq.size())
+		write_flex_table(os, YYTD_ID_EC, equiv_vec.begin(),
+				 equiv_vec.end());
+	write_flex_table(os, YYTD_ID_BASE, base_vec.begin(), base_vec.end());
+	write_flex_table(os, YYTD_ID_DEF, default_vec.begin(), default_vec.end());
+	write_flex_table(os, YYTD_ID_NXT, next_vec.begin(), next_vec.end());
+	write_flex_table(os, YYTD_ID_CHK, check_vec.begin(), check_vec.end());
+}

parser/libapparmor_re/chfa.h

@@ -0,0 +1,56 @@
+/*
+ * (C) 2006, 2007 Andreas Gruenbacher <agruen@suse.de>
+ * Copyright (c) 2003-2008 Novell, Inc. (All rights reserved)
+ * Copyright 2009-2012 Canonical Ltd.
+ *
+ * The libapparmor library is licensed under the terms of the GNU
+ * Lesser General Public License, version 2.1. Please see the file
+ * COPYING.LGPL.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ * Create a compressed hfa (chfa) from and hfa
+ */
+#ifndef __LIBAA_RE_CHFA_H
+#define __LIBAA_RE_CHFA_H
+
+#include <map>
+#include <vector>
+
+#include "hfa.h"
+
+using namespace std;
+
+class CHFA {
+	typedef vector<pair<const State *, size_t> > DefaultBase;
+	typedef vector<pair<const State *, const State *> > NextCheck;
+      public:
+	CHFA(DFA &dfa, map<uchar, uchar> &eq, dfaflags_t flags);
+	void dump(ostream & os);
+	void flex_table(ostream &os, const char *name);
+	void init_free_list(vector<pair<size_t, size_t> > &free_list,
+			    size_t prev, size_t start);
+	bool fits_in(vector<pair<size_t, size_t> > &free_list, size_t base,
+		     StateTrans &cases);
+	void insert_state(vector<pair<size_t, size_t> > &free_list,
+			  State *state, DFA &dfa);
+
+      private:
+	vector<uint32_t> accept;
+	vector<uint32_t> accept2;
+	DefaultBase default_base;
+	NextCheck next_check;
+	map<const State *, size_t> num;
+	map<uchar, uchar> &eq;
+	uchar max_eq;
+	size_t first_free;
+};
+
+#endif /* __LIBAA_RE_CHFA_H */

parser/libapparmor_re/expr-tree.cc

@@ -0,0 +1,610 @@
+/*
+ * (C) 2006, 2007 Andreas Gruenbacher <agruen@suse.de>
+ * Copyright (c) 2003-2008 Novell, Inc. (All rights reserved)
+ * Copyright 2009-2012 Canonical Ltd.
+ *
+ * The libapparmor library is licensed under the terms of the GNU
+ * Lesser General Public License, version 2.1. Please see the file
+ * COPYING.LGPL.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ * Functions to create/manipulate an expression tree for regular expressions
+ * that have been parsed.
+ *
+ * The expression tree can be used directly after the parse creates it, or
+ * it can be factored so that the set of important nodes is smaller.
+ * Having a reduced set of important nodes generally results in a dfa that
+ * is closer to minimum (fewer redundant states are created).  It also
+ * results in fewer important nodes in a the state set during subset
+ * construction resulting in less memory used to create a dfa.
+ *
+ * Generally it is worth doing expression tree simplification before dfa
+ * construction, if the regular expression tree contains any alternations.
+ * Even if the regular expression doesn't simplification should be fast
+ * enough that it can be used with minimal overhead.
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include "expr-tree.h"
+#include "apparmor_re.h"
+
+/* Use a single static EpsNode as it carries no node specific information */
+EpsNode epsnode;
+
+ostream &operator<<(ostream &os, uchar c)
+{
+	const char *search = "\a\033\f\n\r\t|*+[](). ",
+	    *replace = "aefnrt|*+[](). ", *s;
+
+	if ((s = strchr(search, c)) && *s != '\0') {
+		os << '\\' << replace[s - search];
+	} else if (c < 32 || c >= 127) {
+		os << '\\' << '0' << char ('0' + (c >> 6))
+		   << char ('0' + ((c >> 3) & 7)) << char ('0' + (c & 7));
+	} else {
+		os << (char)c;
+	}
+	return os;
+}
+
+/**
+ * Text-dump a state (for debugging).
+ */
+ostream &operator<<(ostream &os, const NodeSet &state)
+{
+	os << '{';
+	if (!state.empty()) {
+		NodeSet::iterator i = state.begin();
+		for (;;) {
+			os << (*i)->label;
+			if (++i == state.end())
+				break;
+			os << ',';
+		}
+	}
+	os << '}';
+	return os;
+}
+
+ostream &operator<<(ostream &os, Node &node)
+{
+	node.dump(os);
+	return os;
+}
+
+/**
+ * hash_NodeSet - generate a hash for the Nodes in the set
+ */
+unsigned long hash_NodeSet(NodeSet *ns)
+{
+	unsigned long hash = 5381;
+
+	for (NodeSet::iterator i = ns->begin(); i != ns->end(); i++) {
+		hash = ((hash << 5) + hash) + (unsigned long)*i;
+	}
+
+	return hash;
+}
+
+/**
+ * label_nodes - label the node positions for pretty-printing debug output
+ *
+ * TODO: separate - node labels should be separate and optional, if not
+ * present pretty printing should use Node address
+ */
+void label_nodes(Node *root)
+{
+	int nodes = 1;
+	for (depth_first_traversal i(root); i; i++)
+		i->label = nodes++;
+}
+
+/**
+ * Text-dump the syntax tree (for debugging).
+ */
+void Node::dump_syntax_tree(ostream &os)
+{
+	for (depth_first_traversal i(this); i; i++) {
+		os << i->label << '\t';
+		if ((*i)->child[0] == 0)
+			os << **i << '\t' << (*i)->followpos << endl;
+		else {
+			if ((*i)->child[1] == 0)
+				os << (*i)->child[0]->label << **i;
+			else
+				os << (*i)->child[0]->label << **i
+				   << (*i)->child[1]->label;
+			os << '\t' << (*i)->firstpos << (*i)->lastpos << endl;
+		}
+	}
+	os << endl;
+}
+
+/*
+ * Normalize the regex parse tree for factoring and cancelations. Normalization
+ * reorganizes internal (alt and cat) nodes into a fixed "normalized" form that
+ * simplifies factoring code, in that it produces a canonicalized form for
+ * the direction being normalized so that the factoring code does not have
+ * to consider as many cases.
+ *
+ * left normalization (dir == 0) uses these rules
+ * (E | a) -> (a | E)
+ * (a | b) | c -> a | (b | c)
+ * (ab)c -> a(bc)
+ *
+ * right normalization (dir == 1) uses the same rules but reversed
+ * (a | E) -> (E | a)
+ * a | (b | c) -> (a | b) | c
+ * a(bc) -> (ab)c
+ *
+ * Note: This is written iteratively for a given node (the top node stays
+ *       fixed and the children are rotated) instead of recursively.
+ *       For a given node under examination rotate over nodes from
+ *       dir to !dir.   Until no dir direction node meets the criterial.
+ *       Then recurse to the children (which will have a different node type)
+ *       to make sure they are normalized.
+ *       Normalization of a child node is guarenteed to not affect the
+ *       normalization of the parent.
+ *
+ *       For cat nodes the depth first traverse order is guarenteed to be
+ *       maintained.  This is not necessary for altnodes.
+ *
+ * Eg. For left normalization
+ *
+ *              |1               |1
+ *             / \              / \
+ *            |2  T     ->     a   |2
+ *           / \                  / \
+ *          |3  c                b   |3
+ *         / \                      / \
+ *        a   b                    c   T
+ *
+ */
+static void rotate_node(Node *t, int dir)
+{
+	// (a | b) | c -> a | (b | c)
+	// (ab)c -> a(bc)
+	Node *left = t->child[dir];
+	t->child[dir] = left->child[dir];
+	left->child[dir] = left->child[!dir];
+	left->child[!dir] = t->child[!dir];
+	t->child[!dir] = left;
+}
+
+void normalize_tree(Node *t, int dir)
+{
+	if (dynamic_cast<LeafNode *>(t))
+		return;
+
+	for (;;) {
+		if (dynamic_cast<TwoChildNode *>(t) &&
+		    (&epsnode == t->child[dir]) &&
+		    (&epsnode != t->child[!dir])) {
+			// (E | a) -> (a | E)
+			// Ea -> aE
+			// Test for E | (E | E) and E . (E . E) which will
+			// result in an infinite loop
+			Node *c = t->child[!dir];
+			if (dynamic_cast<TwoChildNode *>(c) &&
+			    &epsnode == c->child[dir] &&
+			    &epsnode == c->child[!dir]) {
+				c->release();
+				c = &epsnode;
+			}
+			t->child[dir] = c;
+			t->child[!dir] = &epsnode;
+			// Don't break here as 'a' may be a tree that
+			// can be pulled up.
+		} else if ((dynamic_cast<AltNode *>(t) &&
+			    dynamic_cast<AltNode *>(t->child[dir])) ||
+			   (dynamic_cast<CatNode *>(t) &&
+			    dynamic_cast<CatNode *>(t->child[dir]))) {
+			// (a | b) | c -> a | (b | c)
+			// (ab)c -> a(bc)
+			rotate_node(t, dir);
+		} else if (dynamic_cast<AltNode *>(t) &&
+			   dynamic_cast<CharSetNode *>(t->child[dir]) &&
+			   dynamic_cast<CharNode *>(t->child[!dir])) {
+			// [a] | b  ->  b | [a]
+			Node *c = t->child[dir];
+			t->child[dir] = t->child[!dir];
+			t->child[!dir] = c;
+		} else {
+			break;
+		}
+	}
+	if (t->child[dir])
+		normalize_tree(t->child[dir], dir);
+	if (t->child[!dir])
+		normalize_tree(t->child[!dir], dir);
+}
+
+//charset conversion is disabled for now,
+//it hinders tree optimization in some cases, so it need to be either
+//done post optimization, or have extra factoring rules added
+#if 0
+static Node *merge_charset(Node *a, Node *b)
+{
+	if (dynamic_cast<CharNode *>(a) && dynamic_cast<CharNode *>(b)) {
+		Chars chars;
+		chars.insert(dynamic_cast<CharNode *>(a)->c);
+		chars.insert(dynamic_cast<CharNode *>(b)->c);
+		CharSetNode *n = new CharSetNode(chars);
+		return n;
+	} else if (dynamic_cast<CharNode *>(a) &&
+		   dynamic_cast<CharSetNode *>(b)) {
+		Chars *chars = &dynamic_cast<CharSetNode *>(b)->chars;
+		chars->insert(dynamic_cast<CharNode *>(a)->c);
+		return b;
+	} else if (dynamic_cast<CharSetNode *>(a) &&
+		   dynamic_cast<CharSetNode *>(b)) {
+		Chars *from = &dynamic_cast<CharSetNode *>(a)->chars;
+		Chars *to = &dynamic_cast<CharSetNode *>(b)->chars;
+		for (Chars::iterator i = from->begin(); i != from->end(); i++)
+			to->insert(*i);
+		return b;
+	}
+	//return ???;
+}
+
+static Node *alt_to_charsets(Node *t, int dir)
+{
+/*
+	Node *first = NULL;
+	Node *p = t;
+	Node *i = t;
+	for (;dynamic_cast<AltNode *>(i);) {
+		if (dynamic_cast<CharNode *>(i->child[dir]) ||
+		    dynamic_cast<CharNodeSet *>(i->child[dir])) {
+			if (!first) {
+				first = i;
+				p = i;
+				i = i->child[!dir];
+			} else {
+				first->child[dir] = merge_charset(first->child[dir],
+						      i->child[dir]);
+				p->child[!dir] = i->child[!dir];
+				Node *tmp = i;
+				i = tmp->child[!dir];
+				tmp->child[!dir] = NULL;
+				tmp->release();
+			}
+		} else {
+			p = i;
+			i = i->child[!dir];
+		}
+	}
+	// last altnode of chain check other dir as well
+	if (first && (dynamic_cast<charNode *>(i) ||
+		      dynamic_cast<charNodeSet *>(i))) {
+		
+	}
+*/
+
+/*
+		if (dynamic_cast<CharNode *>(t->child[dir]) ||
+		    dynamic_cast<CharSetNode *>(t->child[dir]))
+		    char_test = true;
+			    (char_test &&
+			     (dynamic_cast<CharNode *>(i->child[dir]) ||
+			      dynamic_cast<CharSetNode *>(i->child[dir])))) {
+*/
+	return t;
+}
+#endif
+
+static Node *basic_alt_factor(Node *t, int dir)
+{
+	if (!dynamic_cast<AltNode *>(t))
+		return t;
+
+	if (t->child[dir]->eq(t->child[!dir])) {
+		// (a | a) -> a
+		Node *tmp = t->child[dir];
+		t->child[dir] = NULL;
+		t->release();
+		return tmp;
+	}
+	// (ab) | (ac) -> a(b|c)
+	if (dynamic_cast<CatNode *>(t->child[dir]) &&
+	    dynamic_cast<CatNode *>(t->child[!dir]) &&
+	    t->child[dir]->child[dir]->eq(t->child[!dir]->child[dir])) {
+		// (ab) | (ac) -> a(b|c)
+		Node *left = t->child[dir];
+		Node *right = t->child[!dir];
+		t->child[dir] = left->child[!dir];
+		t->child[!dir] = right->child[!dir];
+		right->child[!dir] = NULL;
+		right->release();
+		left->child[!dir] = t;
+		return left;
+	}
+	// a | (ab) -> a (E | b) -> a (b | E)
+	if (dynamic_cast<CatNode *>(t->child[!dir]) &&
+	    t->child[dir]->eq(t->child[!dir]->child[dir])) {
+		Node *c = t->child[!dir];
+		t->child[dir]->release();
+		t->child[dir] = c->child[!dir];
+		t->child[!dir] = &epsnode;
+		c->child[!dir] = t;
+		return c;
+	}
+	// ab | (a) -> a (b | E)
+	if (dynamic_cast<CatNode *>(t->child[dir]) &&
+	    t->child[dir]->child[dir]->eq(t->child[!dir])) {
+		Node *c = t->child[dir];
+		t->child[!dir]->release();
+		t->child[dir] = c->child[!dir];
+		t->child[!dir] = &epsnode;
+		c->child[!dir] = t;
+		return c;
+	}
+
+	return t;
+}
+
+static Node *basic_simplify(Node *t, int dir)
+{
+	if (dynamic_cast<CatNode *>(t) && &epsnode == t->child[!dir]) {
+		// aE -> a
+		Node *tmp = t->child[dir];
+		t->child[dir] = NULL;
+		t->release();
+		return tmp;
+	}
+
+	return basic_alt_factor(t, dir);
+}
+
+/*
+ * assumes a normalized tree.  reductions shown for left normalization
+ * aE -> a
+ * (a | a) -> a
+ ** factoring patterns
+ * a | (a | b) -> (a | b)
+ * a | (ab) -> a (E | b) -> a (b | E)
+ * (ab) | (ac) -> a(b|c)
+ *
+ * returns t - if no simplifications were made
+ *         a new root node - if simplifications were made
+ */
+Node *simplify_tree_base(Node *t, int dir, bool &mod)
+{
+	if (dynamic_cast<ImportantNode *>(t))
+		return t;
+
+	for (int i = 0; i < 2; i++) {
+		if (t->child[i]) {
+			Node *c = simplify_tree_base(t->child[i], dir, mod);
+			if (c != t->child[i]) {
+				t->child[i] = c;
+				mod = true;
+			}
+		}
+	}
+
+	// only iterate on loop if modification made
+	for (;; mod = true) {
+
+		Node *tmp = basic_simplify(t, dir);
+		if (tmp != t) {
+			t = tmp;
+			continue;
+		}
+
+		/* all tests after this must meet 2 alt node condition */
+		if (!dynamic_cast<AltNode *>(t) ||
+		    !dynamic_cast<AltNode *>(t->child[!dir]))
+			break;
+
+		// a | (a | b) -> (a | b)
+		// a | (b | (c | a)) -> (b | (c | a))
+		Node *p = t;
+		Node *i = t->child[!dir];
+		for (; dynamic_cast<AltNode *>(i); p = i, i = i->child[!dir]) {
+			if (t->child[dir]->eq(i->child[dir])) {
+				Node *tmp = t->child[!dir];
+				t->child[!dir] = NULL;
+				t->release();
+				t = tmp;
+				continue;
+			}
+		}
+		// last altnode of chain check other dir as well
+		if (t->child[dir]->eq(p->child[!dir])) {
+			Node *tmp = t->child[!dir];
+			t->child[!dir] = NULL;
+			t->release();
+			t = tmp;
+			continue;
+		}
+		//exact match didn't work, try factoring front
+		//a | (ac | (ad | () -> (a (E | c)) | (...)
+		//ab | (ac | (...)) -> (a (b | c)) | (...)
+		//ab | (a | (...)) -> (a (b | E)) | (...)
+		Node *pp;
+		int count = 0;
+		Node *subject = t->child[dir];
+		Node *a = subject;
+		if (dynamic_cast<CatNode *>(subject))
+			a = subject->child[dir];
+
+		for (pp = p = t, i = t->child[!dir];
+		     dynamic_cast<AltNode *>(i);) {
+			if ((dynamic_cast<CatNode *>(i->child[dir]) &&
+			     a->eq(i->child[dir]->child[dir])) ||
+			    (a->eq(i->child[dir]))) {
+				// extract matching alt node
+				p->child[!dir] = i->child[!dir];
+				i->child[!dir] = subject;
+				subject = basic_simplify(i, dir);
+				if (dynamic_cast<CatNode *>(subject))
+					a = subject->child[dir];
+				else
+					a = subject;
+
+				i = p->child[!dir];
+				count++;
+			} else {
+				pp = p;
+				p = i;
+				i = i->child[!dir];
+			}
+		}
+
+		// last altnode in chain check other dir as well
+		if ((dynamic_cast<CatNode *>(i) &&
+		     a->eq(i->child[dir])) || (a->eq(i))) {
+			count++;
+			if (t == p) {
+				t->child[dir] = subject;
+				t = basic_simplify(t, dir);
+			} else {
+				t->child[dir] = p->child[dir];
+				p->child[dir] = subject;
+				pp->child[!dir] = basic_simplify(p, dir);
+			}
+		} else {
+			t->child[dir] = i;
+			p->child[!dir] = subject;
+		}
+
+		if (count == 0)
+			break;
+	}
+	return t;
+}
+
+int debug_tree(Node *t)
+{
+	int nodes = 1;
+
+	if (!dynamic_cast<ImportantNode *>(t)) {
+		if (t->child[0])
+			nodes += debug_tree(t->child[0]);
+		if (t->child[1])
+			nodes += debug_tree(t->child[1]);
+	}
+	return nodes;
+}
+
+static void count_tree_nodes(Node *t, struct node_counts *counts)
+{
+	if (dynamic_cast<AltNode *>(t)) {
+		counts->alt++;
+		count_tree_nodes(t->child[0], counts);
+		count_tree_nodes(t->child[1], counts);
+	} else if (dynamic_cast<CatNode *>(t)) {
+		counts->cat++;
+		count_tree_nodes(t->child[0], counts);
+		count_tree_nodes(t->child[1], counts);
+	} else if (dynamic_cast<PlusNode *>(t)) {
+		counts->plus++;
+		count_tree_nodes(t->child[0], counts);
+	} else if (dynamic_cast<StarNode *>(t)) {
+		counts->star++;
+		count_tree_nodes(t->child[0], counts);
+	} else if (dynamic_cast<CharNode *>(t)) {
+		counts->charnode++;
+	} else if (dynamic_cast<AnyCharNode *>(t)) {
+		counts->any++;
+	} else if (dynamic_cast<CharSetNode *>(t)) {
+		counts->charset++;
+	} else if (dynamic_cast<NotCharSetNode *>(t)) {
+		counts->notcharset++;
+	}
+}
+
+#include "stdio.h"
+#include "stdint.h"
+#include "apparmor_re.h"
+
+Node *simplify_tree(Node *t, dfaflags_t flags)
+{
+	bool update;
+
+	if (flags & DFA_DUMP_TREE_STATS) {
+		struct node_counts counts = { 0, 0, 0, 0, 0, 0, 0, 0 };
+		count_tree_nodes(t, &counts);
+		fprintf(stderr,
+			"expr tree: c %d, [] %d, [^] %d, | %d, + %d, * %d, . %d, cat %d\n",
+			counts.charnode, counts.charset, counts.notcharset,
+			counts.alt, counts.plus, counts.star, counts.any,
+			counts.cat);
+	}
+	do {
+		update = false;
+		//default to right normalize first as this reduces the number
+		//of trailing nodes which might follow an internal *
+		//or **, which is where state explosion can happen
+		//eg. in one test this makes the difference between
+		//    the dfa having about 7 thousands states,
+		//    and it having about  1.25 million states
+		int dir = 1;
+		if (flags & DFA_CONTROL_TREE_LEFT)
+			dir = 0;
+		for (int count = 0; count < 2; count++) {
+			bool modified;
+			do {
+				modified = false;
+				if (flags & DFA_CONTROL_TREE_NORMAL)
+					normalize_tree(t, dir);
+				t = simplify_tree_base(t, dir, modified);
+				if (modified)
+					update = true;
+			} while (modified);
+			if (flags & DFA_CONTROL_TREE_LEFT)
+				dir++;
+			else
+				dir--;
+		}
+	} while (update);
+	if (flags & DFA_DUMP_TREE_STATS) {
+		struct node_counts counts = { 0, 0, 0, 0, 0, 0, 0, 0 };
+		count_tree_nodes(t, &counts);
+		fprintf(stderr,
+			"simplified expr tree: c %d, [] %d, [^] %d, | %d, + %d, * %d, . %d, cat %d\n",
+			counts.charnode, counts.charset, counts.notcharset,
+			counts.alt, counts.plus, counts.star, counts.any,
+			counts.cat);
+	}
+	return t;
+}
+
+/**
+ * Flip the children of all cat nodes. This causes strings to be matched
+ * back-forth.
+ */
+void flip_tree(Node *node)
+{
+	for (depth_first_traversal i(node); i; i++) {
+		if (CatNode *cat = dynamic_cast<CatNode *>(*i)) {
+			swap(cat->child[0], cat->child[1]);
+		}
+	}
+}
+
+void dump_regex_rec(ostream &os, Node *tree)
+{
+	if (tree->child[0])
+		dump_regex_rec(os, tree->child[0]);
+	os << *tree;
+	if (tree->child[1])
+		dump_regex_rec(os, tree->child[1]);
+}
+
+void dump_regex(ostream &os, Node *tree)
+{
+	dump_regex_rec(os, tree);
+	os << endl;
+}

parser/libapparmor_re/expr-tree.h

@@ -0,0 +1,597 @@
+/*
+ * (C) 2006, 2007 Andreas Gruenbacher <agruen@suse.de>
+ * Copyright (c) 2003-2008 Novell, Inc. (All rights reserved)
+ * Copyright 2009-2012 Canonical Ltd.
+ *
+ * The libapparmor library is licensed under the terms of the GNU
+ * Lesser General Public License, version 2.1. Please see the file
+ * COPYING.LGPL.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ * Functions to create/manipulate an expression tree for regular expressions
+ * that have been parsed.
+ *
+ * The expression tree can be used directly after the parse creates it, or
+ * it can be factored so that the set of important nodes is smaller.
+ * Having a reduced set of important nodes generally results in a dfa that
+ * is closer to minimum (fewer redundant states are created).  It also
+ * results in fewer important nodes in a the state set during subset
+ * construction resulting in less memory used to create a dfa.
+ *
+ * Generally it is worth doing expression tree simplification before dfa
+ * construction, if the regular expression tree contains any alternations.
+ * Even if the regular expression doesn't simplification should be fast
+ * enough that it can be used with minimal overhead.
+ */
+#ifndef __LIBAA_RE_EXPR_H
+#define __LIBAA_RE_EXPR_H
+
+#include <map>
+#include <set>
+#include <stack>
+#include <ostream>
+
+#include <stdint.h>
+
+#include "apparmor_re.h"
+
+using namespace std;
+
+typedef unsigned char uchar;
+typedef set<uchar> Chars;
+
+ostream &operator<<(ostream &os, uchar c);
+
+/* Compute the union of two sets. */
+template<class T> set<T> operator+(const set<T> &a, const set<T> &b)
+{
+	set<T> c(a);
+	c.insert(b.begin(), b.end());
+	return c;
+}
+
+/**
+ * When creating DFAs from regex trees, a DFA state is constructed from
+ * a set of important nodes in the syntax tree. This includes AcceptNodes,
+ * which indicate that when a match ends in a particular state, the
+ * regular expressions that the AcceptNode belongs to match.
+ */
+class Node;
+class ImportantNode;
+typedef set<ImportantNode *> NodeSet;
+
+/**
+ * Text-dump a state (for debugging).
+ */
+ostream &operator<<(ostream &os, const NodeSet &state);
+
+/**
+ * Out-edges from a state to another: we store the follow-set of Nodes
+ * for each input character that is not a default match in
+ * cases (i.e., following a CharNode or CharSetNode), and default
+ * matches in otherwise as well as in all matching explicit cases
+ * (i.e., following an AnyCharNode or NotCharSetNode). This avoids
+ * enumerating all the explicit tranitions for default matches.
+ */
+typedef struct Cases {
+	typedef map<uchar, NodeSet *>::iterator iterator;
+	iterator begin() { return cases.begin(); }
+	iterator end() { return cases.end(); }
+
+	Cases(): otherwise(0) { }
+	map<uchar, NodeSet *> cases;
+	NodeSet *otherwise;
+} Cases;
+
+ostream &operator<<(ostream &os, Node &node);
+
+/* An abstract node in the syntax tree. */
+class Node {
+public:
+	Node(): nullable(false) { child[0] = child[1] = 0; }
+	Node(Node *left): nullable(false)
+	{
+		child[0] = left;
+		child[1] = 0;
+	}
+	Node(Node *left, Node *right): nullable(false)
+	{
+		child[0] = left;
+		child[1] = right;
+	}
+	virtual ~Node()
+	{
+		if (child[0])
+			child[0]->release();
+		if (child[1])
+			child[1]->release();
+	}
+
+	/**
+	 * See the "Dragon Book" for an explanation of nullable, firstpos,
+	 * lastpos, and followpos.
+	 */
+	virtual void compute_nullable() { }
+	virtual void compute_firstpos() = 0;
+	virtual void compute_lastpos() = 0;
+	virtual void compute_followpos() { }
+	virtual int eq(Node *other) = 0;
+	virtual ostream &dump(ostream &os) = 0;
+	void dump_syntax_tree(ostream &os);
+
+	bool nullable;
+	NodeSet firstpos, lastpos, followpos;
+	/* child 0 is left, child 1 is right */
+	Node *child[2];
+
+	unsigned int label;	/* unique number for debug etc */
+	/**
+	 * We indirectly release Nodes through a virtual function because
+	 * accept and Eps Nodes are shared, and must be treated specially.
+	 * We could use full reference counting here but the indirect release
+	 * is sufficient and has less overhead
+	 */
+	virtual void release(void) { delete this; }
+};
+
+class InnerNode: public Node {
+public:
+	InnerNode(): Node() { };
+	InnerNode(Node *left): Node(left) { };
+	InnerNode(Node *left, Node *right): Node(left, right) { };
+};
+
+class OneChildNode: public InnerNode {
+public:
+	OneChildNode(Node *left): InnerNode(left) { };
+};
+
+class TwoChildNode: public InnerNode {
+public:
+	TwoChildNode(Node *left, Node *right): InnerNode(left, right) { };
+};
+
+class LeafNode: public Node {
+public:
+	LeafNode(): Node() { };
+};
+
+/* Match nothing (//). */
+class EpsNode: public LeafNode {
+public:
+	EpsNode(): LeafNode()
+	{
+		nullable = true;
+		label = 0;
+	}
+	void release(void)
+	{
+		/* don't delete Eps nodes because there is a single static
+		 * instance shared by all trees.  Look for epsnode in the code
+		 */
+	}
+
+	void compute_firstpos() { }
+	void compute_lastpos() { }
+	int eq(Node *other)
+	{
+		if (dynamic_cast<EpsNode *>(other))
+			return 1;
+		return 0;
+	}
+	ostream &dump(ostream &os)
+	{
+		return os << "[]";
+	}
+};
+
+/**
+ * Leaf nodes in the syntax tree are important to us: they describe the
+ * characters that the regular expression matches. We also consider
+ * AcceptNodes import: they indicate when a regular expression matches.
+ */
+class ImportantNode: public LeafNode {
+public:
+	ImportantNode(): LeafNode() { }
+	void compute_firstpos() { firstpos.insert(this); }
+	void compute_lastpos() { lastpos.insert(this); }
+	virtual void follow(Cases &cases) = 0;
+	virtual int is_accept(void) = 0;
+};
+
+/* common base class for all the different classes that contain
+ * character information.
+ */
+class CNode: public ImportantNode {
+public:
+	CNode(): ImportantNode() { }
+	int is_accept(void) { return false; }
+};
+
+/* Match one specific character (/c/). */
+class CharNode: public CNode {
+public:
+	CharNode(uchar c): c(c) { }
+	void follow(Cases &cases)
+	{
+		NodeSet **x = &cases.cases[c];
+		if (!*x) {
+			if (cases.otherwise)
+				*x = new NodeSet(*cases.otherwise);
+			else
+				*x = new NodeSet;
+		}
+		(*x)->insert(followpos.begin(), followpos.end());
+	}
+	int eq(Node *other)
+	{
+		CharNode *o = dynamic_cast<CharNode *>(other);
+		if (o) {
+			return c == o->c;
+		}
+		return 0;
+	}
+	ostream &dump(ostream &os)
+	{
+		return os << c;
+	}
+
+	uchar c;
+};
+
+/* Match a set of characters (/[abc]/). */
+class CharSetNode: public CNode {
+public:
+	CharSetNode(Chars &chars): chars(chars) { }
+	void follow(Cases &cases)
+	{
+		for (Chars::iterator i = chars.begin(); i != chars.end(); i++) {
+			NodeSet **x = &cases.cases[*i];
+			if (!*x) {
+				if (cases.otherwise)
+					*x = new NodeSet(*cases.otherwise);
+				else
+					*x = new NodeSet;
+			}
+			(*x)->insert(followpos.begin(), followpos.end());
+		}
+	}
+	int eq(Node *other)
+	{
+		CharSetNode *o = dynamic_cast<CharSetNode *>(other);
+		if (!o || chars.size() != o->chars.size())
+			return 0;
+
+		for (Chars::iterator i = chars.begin(), j = o->chars.begin();
+		     i != chars.end() && j != o->chars.end(); i++, j++) {
+			if (*i != *j)
+				return 0;
+		}
+		return 1;
+	}
+	ostream &dump(ostream &os)
+	{
+		os << '[';
+		for (Chars::iterator i = chars.begin(); i != chars.end(); i++)
+			os << *i;
+		return os << ']';
+	}
+
+	Chars chars;
+};
+
+/* Match all except one character (/[^abc]/). */
+class NotCharSetNode: public CNode {
+public:
+	NotCharSetNode(Chars &chars): chars(chars) { }
+	void follow(Cases &cases)
+	{
+		if (!cases.otherwise)
+			cases.otherwise = new NodeSet;
+		for (Chars::iterator j = chars.begin(); j != chars.end(); j++) {
+			NodeSet **x = &cases.cases[*j];
+			if (!*x)
+				*x = new NodeSet(*cases.otherwise);
+		}
+		/* Note: Add to the nonmatching characters after copying away
+		 * the old otherwise state for the matching characters.
+		 */
+		cases.otherwise->insert(followpos.begin(), followpos.end());
+		for (Cases::iterator i = cases.begin(); i != cases.end();
+		     i++) {
+			if (chars.find(i->first) == chars.end())
+				i->second->insert(followpos.begin(),
+						  followpos.end());
+		}
+	}
+	int eq(Node *other)
+	{
+		NotCharSetNode *o = dynamic_cast<NotCharSetNode *>(other);
+		if (!o || chars.size() != o->chars.size())
+			return 0;
+
+		for (Chars::iterator i = chars.begin(), j = o->chars.begin();
+		     i != chars.end() && j != o->chars.end(); i++, j++) {
+			if (*i != *j)
+				return 0;
+		}
+		return 1;
+	}
+	ostream &dump(ostream &os)
+	{
+		os << "[^";
+		for (Chars::iterator i = chars.begin(); i != chars.end(); i++)
+			os << *i;
+		return os << ']';
+	}
+
+	Chars chars;
+};
+
+/* Match any character (/./). */
+class AnyCharNode: public CNode {
+public:
+	AnyCharNode() { }
+	void follow(Cases &cases)
+	{
+		if (!cases.otherwise)
+			cases.otherwise = new NodeSet;
+		cases.otherwise->insert(followpos.begin(), followpos.end());
+		for (Cases::iterator i = cases.begin(); i != cases.end();
+		     i++)
+			i->second->insert(followpos.begin(), followpos.end());
+	}
+	int eq(Node *other)
+	{
+		if (dynamic_cast<AnyCharNode *>(other))
+			return 1;
+		return 0;
+	}
+	ostream &dump(ostream &os) { return os << "."; }
+};
+
+/**
+ * Indicate that a regular expression matches. An AcceptNode itself
+ * doesn't match anything, so it will never generate any transitions.
+ */
+class AcceptNode: public ImportantNode {
+public:
+	AcceptNode() { }
+	int is_accept(void) { return true; }
+	void release(void)
+	{
+		/* don't delete AcceptNode via release as they are shared, and
+		 * will be deleted when the table the are stored in is deleted
+		 */
+	}
+
+	void follow(Cases &cases __attribute__ ((unused)))
+	{
+		/* Nothing to follow. */
+	}
+
+	/* requires accept nodes to be common by pointer */
+	int eq(Node *other)
+	{
+		if (dynamic_cast<AcceptNode *>(other))
+			return (this == other);
+		return 0;
+	}
+};
+
+/* Match a node zero or more times. (This is a unary operator.) */
+class StarNode: public OneChildNode {
+public:
+	StarNode(Node *left): OneChildNode(left) { nullable = true; }
+	void compute_firstpos() { firstpos = child[0]->firstpos; }
+	void compute_lastpos() { lastpos = child[0]->lastpos; }
+	void compute_followpos()
+	{
+		NodeSet from = child[0]->lastpos, to = child[0]->firstpos;
+		for (NodeSet::iterator i = from.begin(); i != from.end(); i++) {
+			(*i)->followpos.insert(to.begin(), to.end());
+		}
+	}
+	int eq(Node *other)
+	{
+		if (dynamic_cast<StarNode *>(other))
+			return child[0]->eq(other->child[0]);
+		return 0;
+	}
+	ostream &dump(ostream &os)
+	{
+		os << '(';
+		child[0]->dump(os);
+		return os << ")*";
+	}
+};
+
+/* Match a node one or more times. (This is a unary operator.) */
+class PlusNode: public OneChildNode {
+public:
+	PlusNode(Node *left): OneChildNode(left) {
+	}
+	void compute_nullable() { nullable = child[0]->nullable; }
+	void compute_firstpos() { firstpos = child[0]->firstpos; }
+	void compute_lastpos() { lastpos = child[0]->lastpos; }
+	void compute_followpos()
+	{
+		NodeSet from = child[0]->lastpos, to = child[0]->firstpos;
+		for (NodeSet::iterator i = from.begin(); i != from.end(); i++) {
+			(*i)->followpos.insert(to.begin(), to.end());
+		}
+	}
+	int eq(Node *other) {
+		if (dynamic_cast<PlusNode *>(other))
+			return child[0]->eq(other->child[0]);
+		return 0;
+	}
+	ostream &dump(ostream &os) {
+		os << '(';
+		child[0]->dump(os);
+		return os << ")+";
+	}
+};
+
+/* Match a pair of consecutive nodes. */
+class CatNode: public TwoChildNode {
+public:
+	CatNode(Node *left, Node *right): TwoChildNode(left, right) { }
+	void compute_nullable()
+	{
+		nullable = child[0]->nullable && child[1]->nullable;
+	}
+	void compute_firstpos()
+	{
+		if (child[0]->nullable)
+			firstpos = child[0]->firstpos + child[1]->firstpos;
+		else
+			firstpos = child[0]->firstpos;
+	}
+	void compute_lastpos()
+	{
+		if (child[1]->nullable)
+			lastpos = child[0]->lastpos + child[1]->lastpos;
+		else
+			lastpos = child[1]->lastpos;
+	}
+	void compute_followpos()
+	{
+		NodeSet from = child[0]->lastpos, to = child[1]->firstpos;
+		for (NodeSet::iterator i = from.begin(); i != from.end(); i++) {
+			(*i)->followpos.insert(to.begin(), to.end());
+		}
+	}
+	int eq(Node *other)
+	{
+		if (dynamic_cast<CatNode *>(other)) {
+			if (!child[0]->eq(other->child[0]))
+				return 0;
+			return child[1]->eq(other->child[1]);
+		}
+		return 0;
+	}
+	ostream &dump(ostream &os)
+	{
+		child[0]->dump(os);
+		child[1]->dump(os);
+		return os;
+	}
+};
+
+/* Match one of two alternative nodes. */
+class AltNode: public TwoChildNode {
+public:
+	AltNode(Node *left, Node *right): TwoChildNode(left, right) { }
+	void compute_nullable()
+	{
+		nullable = child[0]->nullable || child[1]->nullable;
+	}
+	void compute_lastpos()
+	{
+		lastpos = child[0]->lastpos + child[1]->lastpos;
+	}
+	void compute_firstpos()
+	{
+		firstpos = child[0]->firstpos + child[1]->firstpos;
+	}
+	int eq(Node *other)
+	{
+		if (dynamic_cast<AltNode *>(other)) {
+			if (!child[0]->eq(other->child[0]))
+				return 0;
+			return child[1]->eq(other->child[1]);
+		}
+		return 0;
+	}
+	ostream &dump(ostream &os)
+	{
+		os << '(';
+		child[0]->dump(os);
+		os << '|';
+		child[1]->dump(os);
+		os << ')';
+		return os;
+	}
+};
+
+/* Traverse the syntax tree depth-first in an iterator-like manner. */
+class depth_first_traversal {
+	stack<Node *>pos;
+	void push_left(Node *node) {
+		pos.push(node);
+
+		while (dynamic_cast<InnerNode *>(node)) {
+			pos.push(node->child[0]);
+			node = node->child[0];
+		}
+	}
+public:
+	depth_first_traversal(Node *node) { push_left(node); }
+	Node *operator*() { return pos.top(); }
+	Node *operator->() { return pos.top(); }
+	operator  bool() { return !pos.empty(); }
+	void operator++(int)
+	{
+		Node *last = pos.top();
+		pos.pop();
+
+		if (!pos.empty()) {
+			/* no need to dynamic cast, as we just popped a node so
+			 * the top node must be an inner node */
+			InnerNode *node = (InnerNode *) (pos.top());
+			if (node->child[1] && node->child[1] != last) {
+				push_left(node->child[1]);
+			}
+		}
+	}
+};
+
+struct node_counts {
+	int charnode;
+	int charset;
+	int notcharset;
+	int alt;
+	int plus;
+	int star;
+	int any;
+	int cat;
+};
+
+extern EpsNode epsnode;
+
+int debug_tree(Node *t);
+Node *simplify_tree(Node *t, dfaflags_t flags);
+void label_nodes(Node *root);
+unsigned long hash_NodeSet(NodeSet *ns);
+void flip_tree(Node *node);
+
+
+class MatchFlag: public AcceptNode {
+public:
+	MatchFlag(uint32_t flag, uint32_t audit): flag(flag), audit(audit) { }
+	ostream &dump(ostream &os) { return os << '<' << flag << '>'; }
+
+	uint32_t flag;
+	uint32_t audit;
+};
+
+class ExactMatchFlag: public MatchFlag {
+public:
+	ExactMatchFlag(uint32_t flag, uint32_t audit): MatchFlag(flag, audit) {}
+};
+
+class DenyMatchFlag: public MatchFlag {
+public:
+	DenyMatchFlag(uint32_t flag, uint32_t quiet): MatchFlag(flag, quiet) {}
+};
+
+#endif /* __LIBAA_RE_EXPR */

parser/libapparmor_re/hfa.cc

@@ -0,0 +1,932 @@
+/*
+ * (C) 2006, 2007 Andreas Gruenbacher <agruen@suse.de>
+ * Copyright (c) 2003-2008 Novell, Inc. (All rights reserved)
+ * Copyright 2009-2012 Canonical Ltd.
+ *
+ * The libapparmor library is licensed under the terms of the GNU
+ * Lesser General Public License, version 2.1. Please see the file
+ * COPYING.LGPL.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ * Base of implementation based on the Lexical Analysis chapter of:
+ *   Alfred V. Aho, Ravi Sethi, Jeffrey D. Ullman:
+ *   Compilers: Principles, Techniques, and Tools (The "Dragon Book"),
+ *   Addison-Wesley, 1986.
+ */
+
+#include <list>
+#include <vector>
+#include <stack>
+#include <set>
+#include <map>
+#include <ostream>
+#include <iostream>
+#include <fstream>
+#include <string.h>
+
+#include "expr-tree.h"
+#include "hfa.h"
+#include "../immunix.h"
+
+
+ostream &operator<<(ostream &os, const CacheStats &cache)
+{
+	/* dump the state label */
+	os << "cache: size=";
+	os << cache.size();
+	os << " dups=";
+	os << cache.dup;
+	os << " longest=";
+	os << cache.max;
+	if (cache.size()) {
+		os << " avg=";
+		os << cache.sum / cache.size();
+	}
+	return os;
+}
+
+ostream &operator<<(ostream &os, const ProtoState &proto)
+{
+	/* dump the state label */
+	os << '{';
+	os << proto.nnodes;
+	os << ',';
+	os << proto.anodes;
+	os << '}';
+	return os;
+}
+
+ostream &operator<<(ostream &os, const State &state)
+{
+	/* dump the state label */
+	os << '{';
+	os << state.label;
+	os << '}';
+	return os;
+}
+
+static void split_node_types(NodeSet *nodes, NodeSet **anodes, NodeSet **nnodes
+)
+{
+	*anodes = *nnodes = NULL;
+	for (NodeSet::iterator i = nodes->begin(); i != nodes->end(); ) {
+		if ((*i)->is_accept()) {
+			if (!*anodes)
+				*anodes = new NodeSet;
+			(*anodes)->insert(*i);
+			NodeSet::iterator k = i++;
+			nodes->erase(k);
+		} else
+			i++;
+	}
+	*nnodes = nodes;
+}
+
+State *DFA::add_new_state(NodeSet *nodes, State *other)
+{
+	/* The splitting of nodes should probably get pushed down into
+	 * follow(), ie. put in separate lists from the start
+	 */
+	NodeSet *anodes, *nnodes;
+	hashedNodeVec *nnodev;
+	split_node_types(nodes, &anodes, &nnodes);
+	nnodev = nnodes_cache.insert(nnodes);
+	anodes = anodes_cache.insert(anodes);
+
+	ProtoState proto(nnodev, anodes);
+	State *state = new State(node_map.size(), proto, other);
+	pair<NodeMap::iterator,bool> x = node_map.insert(proto, state);
+	if (x.second == false) {
+		delete state;
+	} else {
+		states.push_back(state);
+		work_queue.push_back(state);
+	}
+
+	return x.first->second;
+}
+
+void DFA::update_state_transitions(State *state)
+{
+	/* Compute possible transitions for state->nodes.  This is done by
+	 * iterating over all the nodes in state->nodes and combining the
+	 * transitions.
+	 *
+	 * The resultant transition set is a mapping of characters to
+	 * sets of nodes.
+	 *
+	 * Note: the follow set for accept nodes is always empty so we don't
+	 * need to compute follow for the accept nodes in a protostate
+	 */
+	Cases cases;
+	for (hashedNodeVec::iterator i = state->proto.nnodes->begin(); i != state->proto.nnodes->end(); i++)
+		(*i)->follow(cases);
+
+	/* Now for each set of nodes in the computed transitions, make
+	 * sure that there is a state that maps to it, and add the
+	 * matching case to the state.
+	 */
+
+	/* check the default transition first */
+	if (cases.otherwise)
+		state->otherwise = add_new_state(cases.otherwise, nonmatching);
+	else
+		state->otherwise = nonmatching;
+
+	/* For each transition from *from, check if the set of nodes it
+	 * transitions to already has been mapped to a state
+	 */
+	for (Cases::iterator j = cases.begin(); j != cases.end(); j++) {
+		State *target;
+		target = add_new_state(j->second, nonmatching);
+
+		/* Don't insert transition that the otherwise transition
+		 * already covers
+		 */
+		if (target != state->otherwise)
+			state->trans[j->first] = target;
+	}
+}
+
+/* WARNING: This routine can only be called from within DFA creation as
+ * the nodes value is only valid during dfa construction.
+ */
+void DFA::dump_node_to_dfa(void)
+{
+	cerr << "Mapping of States to expr nodes\n"
+		"  State  <=   Nodes\n"
+		"-------------------\n";
+	for (Partition::iterator i = states.begin(); i != states.end(); i++)
+		cerr << "  " << (*i)->label << " <= " << (*i)->proto << "\n";
+}
+
+/**
+ * Construct a DFA from a syntax tree.
+ */
+DFA::DFA(Node *root, dfaflags_t flags): root(root)
+{
+	int i = 0;
+
+	if (flags & DFA_DUMP_PROGRESS)
+		fprintf(stderr, "Creating dfa:\r");
+
+	for (depth_first_traversal i(root); i; i++) {
+		(*i)->compute_nullable();
+		(*i)->compute_firstpos();
+		(*i)->compute_lastpos();
+	}
+
+	if (flags & DFA_DUMP_PROGRESS)
+		fprintf(stderr, "Creating dfa: followpos\r");
+	for (depth_first_traversal i(root); i; i++) {
+		(*i)->compute_followpos();
+	}
+
+	nonmatching = add_new_state(new NodeSet, NULL);
+	start = add_new_state(new NodeSet(root->firstpos), nonmatching);
+
+	/* the work_queue contains the states that need to have their
+	 * transitions computed.  This could be done with a recursive
+	 * algorithm instead of a work_queue, but it would be slightly slower
+	 * and consume more memory.
+	 *
+	 * TODO: currently the work_queue is treated in a breadth first
+	 *       search manner.  Test using the work_queue in a depth first
+	 *       manner, this may help reduce the number of entries on the
+	 *       work_queue at any given time, thus reducing peak memory use.
+	 */
+	work_queue.push_back(start);
+
+	while (!work_queue.empty()) {
+		if (i % 1000 == 0 && (flags & DFA_DUMP_PROGRESS)) {
+			cerr << "\033[2KCreating dfa: queue "
+			     << work_queue.size()
+			     << "\tstates "
+			     << states.size()
+			     << "\teliminated duplicates "
+			     << node_map.dup
+			     << "\r";
+		}
+		i++;
+
+		State *from = work_queue.front();
+		work_queue.pop_front();
+
+		/* Update 'from's transitions, and if it transitions to any
+		 * unknown State create it and add it to the work_queue
+		 */
+		update_state_transitions(from);
+
+	}  /* while (!work_queue.empty()) */
+
+	/* cleanup Sets of nodes used computing the DFA as they are no longer
+	 * needed.
+	 */
+	for (depth_first_traversal i(root); i; i++) {
+		(*i)->firstpos.clear();
+		(*i)->lastpos.clear();
+		(*i)->followpos.clear();
+	}
+
+	if (flags & DFA_DUMP_NODE_TO_DFA)
+		dump_node_to_dfa();
+
+	if (flags & (DFA_DUMP_STATS)) {
+		cerr << "\033[2KCreated dfa: states "
+		     << states.size()
+		     << " proto { "
+		     << node_map
+		     << " }, nnodes { "
+		     << nnodes_cache
+		     << " }, anodes { "
+		     << anodes_cache
+		     << " }\n";
+	}
+
+	/* Clear out uniq_nnodes as they are no longer needed.
+	 * Do not clear out uniq_anodes, as we need them for minimizations
+	 * diffs, unions, ...
+	 */
+	nnodes_cache.clear();
+	node_map.clear();
+}
+
+DFA::~DFA()
+{
+	anodes_cache.clear();
+	nnodes_cache.clear();
+
+	for (Partition::iterator i = states.begin(); i != states.end(); i++)
+		delete *i;
+}
+
+State *DFA::match_len(State *state, const char *str, size_t len)
+{
+	for (; len > 0; ++str, --len)
+		state = state->next(*str);
+
+	return state;
+}
+
+State *DFA::match_until(State *state, const char *str, const char term)
+{
+	while (*str != term)
+		state = state->next(*str++);
+
+	return state;
+}
+
+State *DFA::match(const char *str)
+{
+	return match_until(start, str, 0);
+}
+
+void DFA::dump_uniq_perms(const char *s)
+{
+	set<perms_t> uniq;
+	for (Partition::iterator i = states.begin(); i != states.end(); i++)
+		uniq.insert((*i)->perms);
+
+	cerr << "Unique Permission sets: " << s << " (" << uniq.size() << ")\n";
+	cerr << "----------------------\n";
+	for (set<perms_t >::iterator i = uniq.begin(); i != uniq.end(); i++) {
+		cerr << "  allow:" << hex << i->allow << " deny:"
+		     << i->deny << " audit:" << i->audit
+		     << " quiet:" << i->quiet << dec << "\n";
+	}
+}
+
+/* Remove dead or unreachable states */
+void DFA::remove_unreachable(dfaflags_t flags)
+{
+	set<State *> reachable;
+
+	/* find the set of reachable states */
+	reachable.insert(nonmatching);
+	work_queue.push_back(start);
+	while (!work_queue.empty()) {
+		State *from = work_queue.front();
+		work_queue.pop_front();
+		reachable.insert(from);
+
+		if (from->otherwise != nonmatching &&
+		    reachable.find(from->otherwise) == reachable.end())
+			work_queue.push_back(from->otherwise);
+
+		for (StateTrans::iterator j = from->trans.begin(); j != from->trans.end(); j++) {
+			if (reachable.find(j->second) == reachable.end())
+				work_queue.push_back(j->second);
+		}
+	}
+
+	/* walk the set of states and remove any that aren't reachable */
+	if (reachable.size() < states.size()) {
+		int count = 0;
+		Partition::iterator i;
+		Partition::iterator next;
+		for (i = states.begin(); i != states.end(); i = next) {
+			next = i;
+			next++;
+			if (reachable.find(*i) == reachable.end()) {
+				if (flags & DFA_DUMP_UNREACHABLE) {
+					cerr << "unreachable: " << **i;
+					if (*i == start)
+						cerr << " <==";
+					if ((*i)->perms.is_accept())
+						(*i)->perms.dump(cerr);
+					cerr << "\n";
+				}
+				State *current = *i;
+				states.erase(i);
+				delete(current);
+				count++;
+			}
+		}
+
+		if (count && (flags & DFA_DUMP_STATS))
+			cerr << "DFA: states " << states.size() << " removed "
+			     << count << " unreachable states\n";
+	}
+}
+
+/* test if two states have the same transitions under partition_map */
+bool DFA::same_mappings(State *s1, State *s2)
+{
+	if (s1->otherwise->partition != s2->otherwise->partition)
+		return false;
+
+	if (s1->trans.size() != s2->trans.size())
+		return false;
+
+	for (StateTrans::iterator j1 = s1->trans.begin(); j1 != s1->trans.end(); j1++) {
+		StateTrans::iterator j2 = s2->trans.find(j1->first);
+		if (j2 == s2->trans.end())
+			return false;
+		if (j1->second->partition != j2->second->partition)
+			return false;
+	}
+
+	return true;
+}
+
+/* Do simple djb2 hashing against a States transition cases
+ * this provides a rough initial guess at state equivalence as if a state
+ * has a different number of transitions or has transitions on different
+ * trans they will never be equivalent.
+ * Note: this only hashes based off of the alphabet (not destination)
+ * as different destinations could end up being equiv
+ */
+size_t DFA::hash_trans(State *s)
+{
+	unsigned long hash = 5381;
+
+	for (StateTrans::iterator j = s->trans.begin(); j != s->trans.end(); j++) {
+		hash = ((hash << 5) + hash) + j->first;
+		State *k = j->second;
+		hash = ((hash << 5) + hash) + k->trans.size();
+	}
+
+	if (s->otherwise != nonmatching) {
+		hash = ((hash << 5) + hash) + 5381;
+		State *k = s->otherwise;
+		hash = ((hash << 5) + hash) + k->trans.size();
+	}
+
+	hash = (hash << 8) | s->trans.size();
+	return hash;
+}
+
+int DFA::apply_and_clear_deny(void)
+{
+	int c = 0;
+	for (Partition::iterator i = states.begin(); i != states.end(); i++)
+		c += (*i)->apply_and_clear_deny();
+
+	return c;
+}
+
+/* minimize the number of dfa states */
+void DFA::minimize(dfaflags_t flags)
+{
+	map<pair<uint64_t, size_t>, Partition *> perm_map;
+	list<Partition *> partitions;
+
+	/* Set up the initial partitions
+	 * minimium of - 1 non accepting, and 1 accepting
+	 * if trans hashing is used the accepting and non-accepting partitions
+	 * can be further split based on the number and type of transitions
+	 * a state makes.
+	 * If permission hashing is enabled the accepting partitions can
+	 * be further divided by permissions.  This can result in not
+	 * obtaining a truely minimized dfa but comes close, and can speedup
+	 * minimization.
+	 */
+	int accept_count = 0;
+	int final_accept = 0;
+	for (Partition::iterator i = states.begin(); i != states.end(); i++) {
+		size_t hash = 0;
+		uint64_t permtype = ((uint64_t) (PACK_AUDIT_CTL((*i)->perms.audit, (*i)->perms.quiet & (*i)->perms.deny)) << 32) | (uint64_t) (*i)->perms.allow;
+		if (flags & DFA_CONTROL_MINIMIZE_HASH_TRANS)
+			hash |= hash_trans(*i);
+		pair<uint64_t, size_t> group = make_pair(permtype, hash);
+		map<pair<uint64_t, size_t>, Partition *>::iterator p = perm_map.find(group);
+		if (p == perm_map.end()) {
+			Partition *part = new Partition();
+			part->push_back(*i);
+			perm_map.insert(make_pair(group, part));
+			partitions.push_back(part);
+			(*i)->partition = part;
+			if (permtype)
+				accept_count++;
+		} else {
+			(*i)->partition = p->second;
+			p->second->push_back(*i);
+		}
+
+		if ((flags & DFA_DUMP_PROGRESS) && (partitions.size() % 1000 == 0))
+			cerr << "\033[2KMinimize dfa: partitions "
+			     << partitions.size() << "\tinit " << partitions.size()
+			     << " (accept " << accept_count << ")\r";
+	}
+
+	/* perm_map is no longer needed so free the memory it is using.
+	 * Don't remove - doing it manually here helps reduce peak memory usage.
+	 */
+	perm_map.clear();
+
+	int init_count = partitions.size();
+	if (flags & DFA_DUMP_PROGRESS)
+		cerr << "\033[2KMinimize dfa: partitions " << partitions.size()
+		     << "\tinit " << init_count << " (accept "
+		     << accept_count << ")\r";
+
+	/* Now do repartitioning until each partition contains the set of
+	 * states that are the same.  This will happen when the partition
+	 * splitting stables.  With a worse case of 1 state per partition
+	 * ie. already minimized.
+	 */
+	Partition *new_part;
+	int new_part_count;
+	do {
+		new_part_count = 0;
+		for (list<Partition *>::iterator p = partitions.begin();
+		     p != partitions.end(); p++) {
+			new_part = NULL;
+			State *rep = *((*p)->begin());
+			Partition::iterator next;
+			for (Partition::iterator s = ++(*p)->begin(); s != (*p)->end();) {
+				if (same_mappings(rep, *s)) {
+					++s;
+					continue;
+				}
+				if (!new_part) {
+					new_part = new Partition;
+					list<Partition *>::iterator tmp = p;
+					partitions.insert(++tmp, new_part);
+					new_part_count++;
+				}
+				new_part->push_back(*s);
+				s = (*p)->erase(s);
+			}
+			/* remapping partition_map for new_part entries
+			 * Do not do this above as it messes up same_mappings
+			 */
+			if (new_part) {
+				for (Partition::iterator m = new_part->begin();
+				     m != new_part->end(); m++) {
+					(*m)->partition = new_part;
+				}
+			}
+			if ((flags & DFA_DUMP_PROGRESS) && (partitions.size() % 100 == 0))
+				cerr << "\033[2KMinimize dfa: partitions "
+				     << partitions.size() << "\tinit "
+				     << init_count << " (accept "
+				     << accept_count << ")\r";
+		}
+	} while (new_part_count);
+
+	if (partitions.size() == states.size()) {
+		if (flags & DFA_DUMP_STATS)
+			cerr << "\033[2KDfa minimization no states removed: partitions "
+			     << partitions.size() << "\tinit " << init_count
+			     << " (accept " << accept_count << ")\n";
+
+		goto out;
+	}
+
+	/* Remap the dfa so it uses the representative states
+	 * Use the first state of a partition as the representative state
+	 * At this point all states with in a partion have transitions
+	 * to states within the same partitions, however this can slow
+	 * down compressed dfa compression as there are more states,
+	 */
+	if (flags & DFA_DUMP_MIN_PARTS)
+		cerr << "Partitions after minimization\n";
+	for (list<Partition *>::iterator p = partitions.begin();
+	     p != partitions.end(); p++) {
+		/* representative state for this partition */
+		State *rep = *((*p)->begin());
+		if (flags & DFA_DUMP_MIN_PARTS)
+			cerr << *rep << " : ";
+
+		/* update representative state's transitions */
+		rep->otherwise = *rep->otherwise->partition->begin();
+
+		for (StateTrans::iterator c = rep->trans.begin(); c != rep->trans.end(); c++) {
+			Partition *partition = c->second->partition;
+			c->second = *partition->begin();
+		}
+
+//if ((*p)->size() > 1)
+//cerr << rep->label << ": ";
+		/* clear the state label for all non representative states,
+		 * and accumulate permissions */
+		for (Partition::iterator i = ++(*p)->begin(); i != (*p)->end(); i++) {
+//cerr << " " << (*i)->label;
+			if (flags & DFA_DUMP_MIN_PARTS)
+				cerr << **i << ", ";
+			(*i)->label = -1;
+			rep->perms.add((*i)->perms);
+		}
+		if (rep->perms.is_accept())
+			final_accept++;
+//if ((*p)->size() > 1)
+//cerr << "\n";
+		if (flags & DFA_DUMP_MIN_PARTS)
+			cerr << "\n";
+	}
+	if (flags & DFA_DUMP_STATS)
+		cerr << "\033[2KMinimized dfa: final partitions "
+		     << partitions.size() << " (accept " << final_accept
+		     << ")" << "\tinit " << init_count << " (accept "
+		     << accept_count << ")\n";
+
+	/* make sure nonmatching and start state are up to date with the
+	 * mappings */
+	{
+		Partition *partition = nonmatching->partition;
+		if (*partition->begin() != nonmatching) {
+			nonmatching = *partition->begin();
+		}
+
+		partition = start->partition;
+		if (*partition->begin() != start) {
+			start = *partition->begin();
+		}
+	}
+
+	/* Now that the states have been remapped, remove all states
+	 * that are not the representive states for their partition, they
+	 * will have a label == -1
+	 */
+	for (Partition::iterator i = states.begin(); i != states.end();) {
+		if ((*i)->label == -1) {
+			State *s = *i;
+			i = states.erase(i);
+			delete(s);
+		} else
+			i++;
+	}
+
+out:
+	/* Cleanup */
+	while (!partitions.empty()) {
+		Partition *p = partitions.front();
+		partitions.pop_front();
+		delete(p);
+	}
+}
+
+/**
+ * text-dump the DFA (for debugging).
+ */
+void DFA::dump(ostream & os)
+{
+	for (Partition::iterator i = states.begin(); i != states.end(); i++) {
+		if (*i == start || (*i)->perms.is_accept()) {
+			os << **i;
+			if (*i == start)
+				os << " <== (allow/deny/audit/quiet)";
+			if ((*i)->perms.is_accept())
+				(*i)->perms.dump(os);
+			os << "\n";
+		}
+	}
+	os << "\n";
+
+	for (Partition::iterator i = states.begin(); i != states.end(); i++) {
+		Chars excluded;
+
+		for (StateTrans::iterator j = (*i)->trans.begin();
+		     j != (*i)->trans.end(); j++) {
+			if (j->second == nonmatching) {
+				excluded.insert(j->first);
+			} else {
+				os << **i;
+				if ((*i)->perms.is_accept())
+					os << " ", (*i)->perms.dump(os);
+				os << " -> " << *(j)->second << ": 0x"
+				   << hex << (int) j->first;
+				if (isprint(j->first))
+					os << " " << j->first;
+				os << dec << "\n";
+			}
+		}
+
+		if ((*i)->otherwise != nonmatching) {
+			os << **i;
+			if ((*i)->perms.is_accept())
+				os << " ", (*i)->perms.dump(os);
+			os << " -> " << *(*i)->otherwise << ": [";
+			if (!excluded.empty()) {
+				os << "^";
+				for (Chars::iterator k = excluded.begin();
+				     k != excluded.end(); k++) {
+					if (isprint(*k))
+						os << *k;
+					else
+						os << "\\0x" << hex << (int) *k << dec;
+				}
+			}
+			os << "]\n";
+		}
+	}
+	os << "\n";
+}
+
+/**
+ * Create a dot (graphviz) graph from the DFA (for debugging).
+ */
+void DFA::dump_dot_graph(ostream & os)
+{
+	os << "digraph \"dfa\" {" << "\n";
+
+	for (Partition::iterator i = states.begin(); i != states.end(); i++) {
+		if (*i == nonmatching)
+			continue;
+
+		os << "\t\"" << **i << "\" [" << "\n";
+		if (*i == start) {
+			os << "\t\tstyle=bold" << "\n";
+		}
+		if ((*i)->perms.is_accept()) {
+			os << "\t\tlabel=\"" << **i << "\\n";
+			(*i)->perms.dump(os);
+			os << "\"\n";
+		}
+		os << "\t]" << "\n";
+	}
+	for (Partition::iterator i = states.begin(); i != states.end(); i++) {
+		Chars excluded;
+
+		for (StateTrans::iterator j = (*i)->trans.begin(); j != (*i)->trans.end(); j++) {
+			if (j->second == nonmatching)
+				excluded.insert(j->first);
+			else {
+				os << "\t\"" << **i << "\" -> \"" << *j->second
+				   << "\" [" << "\n";
+				os << "\t\tlabel=\"";
+				if (isprint(j->first))
+					os << j->first;
+				else
+					os << "\\0x" << hex << (int) j->first << dec;
+
+				os << "\"\n\t]" << "\n";
+			}
+		}
+		if ((*i)->otherwise != nonmatching) {
+			os << "\t\"" << **i << "\" -> \"" << *(*i)->otherwise
+			   << "\" [" << "\n";
+			if (!excluded.empty()) {
+				os << "\t\tlabel=\"[^";
+				for (Chars::iterator i = excluded.begin();
+				     i != excluded.end(); i++) {
+					if (isprint(*i))
+						os << *i;
+					else
+						os << "\\0x" << hex << (int) *i << dec;
+				}
+				os << "]\"" << "\n";
+			}
+			os << "\t]" << "\n";
+		}
+	}
+	os << '}' << "\n";
+}
+
+/**
+ * Compute character equivalence classes in the DFA to save space in the
+ * transition table.
+ */
+map<uchar, uchar> DFA::equivalence_classes(dfaflags_t flags)
+{
+	map<uchar, uchar> classes;
+	uchar next_class = 1;
+
+	for (Partition::iterator i = states.begin(); i != states.end(); i++) {
+		/* Group edges to the same next state together */
+		map<const State *, Chars> node_sets;
+		for (StateTrans::iterator j = (*i)->trans.begin(); j != (*i)->trans.end(); j++)
+			node_sets[j->second].insert(j->first);
+
+		for (map<const State *, Chars>::iterator j = node_sets.begin();
+		     j != node_sets.end(); j++) {
+			/* Group edges to the same next state together by class */
+			map<uchar, Chars> node_classes;
+			bool class_used = false;
+			for (Chars::iterator k = j->second.begin();
+			     k != j->second.end(); k++) {
+				pair<map<uchar, uchar>::iterator, bool> x = classes.insert(make_pair(*k, next_class));
+				if (x.second)
+					class_used = true;
+				pair<map<uchar, Chars>::iterator, bool> y = node_classes.insert(make_pair(x.first->second, Chars()));
+				y.first->second.insert(*k);
+			}
+			if (class_used) {
+				next_class++;
+				class_used = false;
+			}
+			for (map<uchar, Chars>::iterator k = node_classes.begin();
+			     k != node_classes.end(); k++) {
+			  /**
+			   * If any other characters are in the same class, move
+			   * the characters in this class into their own new
+			   * class
+			   */
+				map<uchar, uchar>::iterator l;
+				for (l = classes.begin(); l != classes.end(); l++) {
+					if (l->second == k->first &&
+					    k->second.find(l->first) == k->second.end()) {
+						class_used = true;
+						break;
+					}
+				}
+				if (class_used) {
+					for (Chars::iterator l = k->second.begin();
+					     l != k->second.end(); l++) {
+						classes[*l] = next_class;
+					}
+					next_class++;
+					class_used = false;
+				}
+			}
+		}
+	}
+
+	if (flags & DFA_DUMP_EQUIV_STATS)
+		fprintf(stderr, "Equiv class reduces to %d classes\n",
+			next_class - 1);
+	return classes;
+}
+
+/**
+ * Text-dump the equivalence classes (for debugging).
+ */
+void dump_equivalence_classes(ostream &os, map<uchar, uchar> &eq)
+{
+	map<uchar, Chars> rev;
+
+	for (map<uchar, uchar>::iterator i = eq.begin(); i != eq.end(); i++) {
+		Chars &chars = rev.insert(make_pair(i->second, Chars())).first->second;
+		chars.insert(i->first);
+	}
+	os << "(eq):" << "\n";
+	for (map<uchar, Chars>::iterator i = rev.begin(); i != rev.end(); i++) {
+		os << (int)i->first << ':';
+		Chars &chars = i->second;
+		for (Chars::iterator j = chars.begin(); j != chars.end(); j++) {
+			os << ' ' << *j;
+		}
+		os << "\n";
+	}
+}
+
+/**
+ * Replace characters with classes (which are also represented as
+ * characters) in the DFA transition table.
+ */
+void DFA::apply_equivalence_classes(map<uchar, uchar> &eq)
+{
+    /**
+     * Note: We only transform the transition table; the nodes continue to
+     * contain the original characters.
+     */
+	for (Partition::iterator i = states.begin(); i != states.end(); i++) {
+		map<uchar, State *> tmp;
+		tmp.swap((*i)->trans);
+		for (StateTrans::iterator j = tmp.begin(); j != tmp.end(); j++)
+			(*i)->trans.insert(make_pair(eq[j->first], j->second));
+	}
+}
+
+#if 0
+typedef set <ImportantNode *>AcceptNodes;
+map<ImportantNode *, AcceptNodes> dominance(DFA & dfa)
+{
+	map<ImportantNode *, AcceptNodes> is_dominated;
+
+	for (States::iterator i = dfa.states.begin(); i != dfa.states.end(); i++) {
+		AcceptNodes set1;
+		for (State::iterator j = (*i)->begin(); j != (*i)->end(); j++) {
+			if (AcceptNode * accept = dynamic_cast<AcceptNode *>(*j))
+				set1.insert(accept);
+		}
+		for (AcceptNodes::iterator j = set1.begin(); j != set1.end(); j++) {
+			pair<map<ImportantNode *, AcceptNodes>::iterator, bool> x = is_dominated.insert(make_pair(*j, set1));
+			if (!x.second) {
+				AcceptNodes & set2(x.first->second), set3;
+				for (AcceptNodes::iterator l = set2.begin();
+				     l != set2.end(); l++) {
+					if (set1.find(*l) != set1.end())
+						set3.insert(*l);
+				}
+				set3.swap(set2);
+			}
+		}
+	}
+	return is_dominated;
+}
+#endif
+
+static inline int diff_qualifiers(uint32_t perm1, uint32_t perm2)
+{
+	return ((perm1 & AA_EXEC_TYPE) && (perm2 & AA_EXEC_TYPE) &&
+		(perm1 & AA_EXEC_TYPE) != (perm2 & AA_EXEC_TYPE));
+}
+
+/**
+ * Compute the permission flags that this state corresponds to. If we
+ * have any exact matches, then they override the execute and safe
+ * execute flags.
+ */
+int accept_perms(NodeSet *state, perms_t &perms)
+{
+	int error = 0;
+	uint32_t exact_match_allow = 0;
+	uint32_t exact_audit = 0;
+
+	perms.clear();
+
+	if (!state)
+		return error;
+
+	for (NodeSet::iterator i = state->begin(); i != state->end(); i++) {
+		MatchFlag *match;
+		if (!(match = dynamic_cast<MatchFlag *>(*i)))
+			continue;
+		if (dynamic_cast<ExactMatchFlag *>(match)) {
+			/* exact match only ever happens with x */
+			if (!is_merged_x_consistent(exact_match_allow,
+						    match->flag))
+				error = 1;;
+			exact_match_allow |= match->flag;
+			exact_audit |= match->audit;
+		} else if (dynamic_cast<DenyMatchFlag *>(match)) {
+			perms.deny |= match->flag;
+			perms.quiet |= match->audit;
+		} else {
+			if (!is_merged_x_consistent(perms.allow, match->flag))
+				error = 1;
+			perms.allow |= match->flag;
+			perms.audit |= match->audit;
+		}
+	}
+
+	perms.allow |= exact_match_allow & ~(ALL_AA_EXEC_TYPE);
+
+	if (exact_match_allow & AA_USER_EXEC_TYPE) {
+		perms.allow = (exact_match_allow & AA_USER_EXEC_TYPE) |
+			(perms.allow & ~AA_USER_EXEC_TYPE);
+		perms.audit = (exact_audit & AA_USER_EXEC_TYPE) |
+			(perms.audit & ~AA_USER_EXEC_TYPE);
+		perms.exact = AA_USER_EXEC_TYPE;
+	}
+	if (exact_match_allow & AA_OTHER_EXEC_TYPE) {
+		perms.allow = (exact_match_allow & AA_OTHER_EXEC_TYPE) |
+			(perms.allow & ~AA_OTHER_EXEC_TYPE);
+		perms.audit = (exact_audit & AA_OTHER_EXEC_TYPE) |
+			(perms.audit & ~AA_OTHER_EXEC_TYPE);
+		perms.exact |= AA_OTHER_EXEC_TYPE;
+	}
+	if (AA_USER_EXEC & perms.deny)
+		perms.deny |= AA_USER_EXEC_TYPE;
+
+	if (AA_OTHER_EXEC & perms.deny)
+		perms.deny |= AA_OTHER_EXEC_TYPE;
+
+	perms.allow &= ~perms.deny;
+	perms.quiet &= perms.deny;
+
+	if (error)
+		fprintf(stderr, "profile has merged rule with conflicting x modifiers\n");
+
+	return error;
+}

parser/libapparmor_re/hfa.h

@@ -0,0 +1,462 @@
+/*
+ * (C) 2006, 2007 Andreas Gruenbacher <agruen@suse.de>
+ * Copyright (c) 2003-2008 Novell, Inc. (All rights reserved)
+ * Copyright 2009-2012 Canonical Ltd.
+ *
+ * The libapparmor library is licensed under the terms of the GNU
+ * Lesser General Public License, version 2.1. Please see the file
+ * COPYING.LGPL.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+  * Base of implementation based on the Lexical Analysis chapter of:
+ *   Alfred V. Aho, Ravi Sethi, Jeffrey D. Ullman:
+ *   Compilers: Principles, Techniques, and Tools (The "Dragon Book"),
+ *   Addison-Wesley, 1986.
+ */
+#ifndef __LIBAA_RE_HFA_H
+#define __LIBAA_RE_HFA_H
+
+#include <list>
+#include <map>
+#include <vector>
+
+#include <stdint.h>
+
+#include "expr-tree.h"
+
+class State;
+
+typedef map<uchar, State *> StateTrans;
+typedef list<State *> Partition;
+
+#include "../immunix.h"
+
+class perms_t {
+public:
+	perms_t(void) throw(int): allow(0), deny(0), audit(0), quiet(0), exact(0) { };
+
+	bool is_accept(void) { return (allow | audit | quiet); }
+
+	void dump(ostream &os)
+	{
+		os << " (0x " << hex
+		   << allow << "/" << deny << "/" << audit << "/" << quiet
+		   << ')' << dec;
+	}
+
+	void clear(void) { allow = deny = audit = quiet = 0; }
+	void add(perms_t &rhs)
+	{
+		deny |= rhs.deny;
+
+		if (!is_merged_x_consistent(allow & ALL_USER_EXEC,
+					    rhs.allow & ALL_USER_EXEC)) {
+			if ((exact & AA_USER_EXEC_TYPE) &&
+			    !(rhs.exact & AA_USER_EXEC_TYPE)) {
+				/* do nothing */
+			} else if ((rhs.exact & AA_USER_EXEC_TYPE) &&
+				   !(exact & AA_USER_EXEC_TYPE)) {
+				allow = (allow & ~AA_USER_EXEC_TYPE) |
+					(rhs.allow & AA_USER_EXEC_TYPE);
+			} else
+				throw 1;
+		} else
+			allow |= rhs.allow & AA_USER_EXEC_TYPE;
+
+		if (!is_merged_x_consistent(allow & ALL_OTHER_EXEC,
+					    rhs.allow & ALL_OTHER_EXEC)) {
+			if ((exact & AA_OTHER_EXEC_TYPE) &&
+			    !(rhs.exact & AA_OTHER_EXEC_TYPE)) {
+				/* do nothing */
+			} else if ((rhs.exact & AA_OTHER_EXEC_TYPE) &&
+				   !(exact & AA_OTHER_EXEC_TYPE)) {
+				allow = (allow & ~AA_OTHER_EXEC_TYPE) |
+					(rhs.allow & AA_OTHER_EXEC_TYPE);
+			} else
+				throw 1;
+		} else
+			allow |= rhs.allow & AA_OTHER_EXEC_TYPE;
+
+
+		allow = (allow | (rhs.allow & ~ALL_AA_EXEC_TYPE));
+		audit |= rhs.audit;
+		quiet = (quiet | rhs.quiet);
+
+		/*
+		if (exec & AA_USER_EXEC_TYPE &&
+		    (exec & AA_USER_EXEC_TYPE) != (allow & AA_USER_EXEC_TYPE))
+			throw 1;
+		if (exec & AA_OTHER_EXEC_TYPE &&
+		    (exec & AA_OTHER_EXEC_TYPE) != (allow & AA_OTHER_EXEC_TYPE))
+			throw 1;
+		*/
+	}
+
+	int apply_and_clear_deny(void)
+	{
+		if (deny) {
+			allow &= ~deny;
+			quiet &= deny;
+			deny = 0;
+			return !is_accept();
+		}
+		return 0;
+	}
+
+	bool operator<(perms_t const &rhs)const
+	{
+		if (allow < rhs.allow)
+			return allow < rhs.allow;
+		if (deny < rhs.deny)
+			return deny < rhs.deny;
+		if (audit < rhs.audit)
+			return audit < rhs.audit;
+		return quiet < rhs.quiet;
+	}
+
+	uint32_t allow, deny, audit, quiet, exact;
+};
+
+int accept_perms(NodeSet *state, perms_t &perms);
+
+/*
+ * hashedNodes - for efficient set comparison
+ */
+class hashedNodeSet {
+public:
+	unsigned long hash;
+	NodeSet *nodes;
+
+	hashedNodeSet(NodeSet *n): nodes(n)
+	{
+		hash = hash_NodeSet(n);
+	}
+
+	bool operator<(hashedNodeSet const &rhs)const
+	{
+		if (hash == rhs.hash) {
+			if (nodes->size() == rhs.nodes->size())
+				return *nodes < *(rhs.nodes);
+			else
+				return nodes->size() < rhs.nodes->size();
+		} else {
+			return hash < rhs.hash;
+		}
+	}
+};
+
+
+class hashedNodeVec {
+public:
+	typedef ImportantNode ** iterator;
+	iterator begin() { return nodes; }
+	iterator end() { iterator t = nodes ? &nodes[len] : NULL; return t; }
+
+	unsigned long hash;
+	unsigned long len;
+	ImportantNode **nodes;
+
+	hashedNodeVec(NodeSet *n)
+	{
+		hash = hash_NodeSet(n);
+		len = n->size();
+		nodes = new ImportantNode *[n->size()];
+
+		unsigned int j = 0;
+		for (NodeSet::iterator i = n->begin(); i != n->end(); i++, j++) {
+			nodes[j] = *i;
+		}
+	}
+
+	hashedNodeVec(NodeSet *n, unsigned long h): hash(h)
+	{
+		len = n->size();
+		nodes = new ImportantNode *[n->size()];
+		ImportantNode **j = nodes;
+		for (NodeSet::iterator i = n->begin(); i != n->end(); i++) {
+			*(j++) = *i;
+		}
+	}
+
+	~hashedNodeVec()
+	{
+		delete nodes;
+	}
+
+	unsigned long size()const { return len; }
+
+	bool operator<(hashedNodeVec const &rhs)const
+	{
+		if (hash == rhs.hash) {
+			if (len == rhs.size()) {
+				for (unsigned int i = 0; i < len; i++) {
+					if (nodes[i] != rhs.nodes[i])
+						return nodes[i] < rhs.nodes[i];
+				}
+				return false;
+			}
+			return len < rhs.size();
+		}
+		return hash < rhs.hash;
+	}
+};
+
+class CacheStats {
+public:
+	unsigned long dup, sum, max;
+
+	CacheStats(void): dup(0), sum(0), max(0) { };
+
+	void clear(void) { dup = sum = max = 0; }
+	virtual unsigned long size(void) const = 0;
+};
+
+class NodeCache: public CacheStats {
+public:
+	set<hashedNodeSet> cache;
+
+	NodeCache(void): cache() { };
+	~NodeCache() { clear(); };
+
+	virtual unsigned long size(void) const { return cache.size(); }
+
+	void clear()
+	{
+		for (set<hashedNodeSet>::iterator i = cache.begin();
+		     i != cache.end(); i++) {
+			delete i->nodes;
+		}
+		cache.clear();
+		CacheStats::clear();
+	}
+
+	NodeSet *insert(NodeSet *nodes)
+	{
+		if (!nodes)
+			return NULL;
+		pair<set<hashedNodeSet>::iterator,bool> uniq;
+		uniq = cache.insert(hashedNodeSet(nodes));
+		if (uniq.second == false) {
+			delete(nodes);
+			dup++;
+		} else {
+			sum += nodes->size();
+			if (nodes->size() > max)
+				max = nodes->size();
+		}
+		return uniq.first->nodes;
+	}
+};
+
+struct deref_less_than {
+       bool operator()(hashedNodeVec * const &lhs, hashedNodeVec * const &rhs)const
+		{
+			return *lhs < *rhs;
+		}
+};
+
+class NodeVecCache: public CacheStats {
+public:
+	set<hashedNodeVec *, deref_less_than> cache;
+
+	NodeVecCache(void): cache() { };
+	~NodeVecCache() { clear(); };
+
+	virtual unsigned long size(void) const { return cache.size(); }
+
+	void clear()
+	{
+		for (set<hashedNodeVec *>::iterator i = cache.begin();
+		     i != cache.end(); i++) {
+			delete *i;
+		}
+		cache.clear();
+		CacheStats::clear();
+	}
+
+	hashedNodeVec *insert(NodeSet *nodes)
+	{
+		if (!nodes)
+			return NULL;
+		pair<set<hashedNodeVec *>::iterator,bool> uniq;
+		hashedNodeVec *nv = new hashedNodeVec(nodes);
+		uniq = cache.insert(nv);
+		if (uniq.second == false) {
+			delete nv;
+			dup++;
+		} else {
+			sum += nodes->size();
+			if (nodes->size() > max)
+				max = nodes->size();
+		}
+		delete(nodes);
+		return (*uniq.first);
+	}
+};
+
+/*
+ * ProtoState - NodeSet and ancillery information used to create a state
+ */
+class ProtoState {
+public:
+	hashedNodeVec *nnodes;
+	NodeSet *anodes;
+
+	ProtoState(hashedNodeVec *n, NodeSet *a = NULL): nnodes(n), anodes(a) { };
+	bool operator<(ProtoState const &rhs)const
+	{
+		if (nnodes == rhs.nnodes)
+			return anodes < rhs.anodes;
+		return nnodes < rhs.nnodes;
+	}
+
+	unsigned long size(void)
+	{
+		if (anodes)
+			return nnodes->size() + anodes->size();
+		return nnodes->size();
+	}
+};
+
+/*
+ * State - DFA individual state information
+ * label: a unique label to identify the state used for pretty printing
+ *        the non-matching state is setup to have label == 0 and
+ *        the start state is setup to have label == 1
+ * audit: the audit permission mask for the state
+ * accept: the accept permissions for the state
+ * trans: set of transitions from this state
+ * otherwise: the default state for transitions not in @trans
+ * parition: Is a temporary work variable used during dfa minimization.
+ *           it can be replaced with a map, but that is slower and uses more
+ *           memory.
+ * nodes: Is a temporary work variable used during dfa creation.  It can
+ *        be replaced by using the nodemap, but that is slower
+ */
+class State {
+public:
+	State(int l, ProtoState &n, State *other) throw(int):
+	label(l), perms(), trans()
+	{
+		int error;
+
+		if (other)
+			otherwise = other;
+		else
+			otherwise = this;
+
+		proto = n;
+
+		/* Compute permissions associated with the State. */
+		error = accept_perms(n.anodes, perms);
+		if (error) {
+			//cerr << "Failing on accept perms " << error << "\n";
+			throw error;
+		}
+	};
+
+	State *next(uchar c) {
+		StateTrans::iterator i = trans.find(c);
+		if (i != trans.end())
+			return i->second;
+		return otherwise;
+	};
+
+	int apply_and_clear_deny(void) { return perms.apply_and_clear_deny(); }
+
+	int label;
+	perms_t perms;
+	StateTrans trans;
+	State *otherwise;
+
+	/* temp storage for State construction */
+	union {
+		Partition *partition;
+		ProtoState proto;
+	};
+};
+
+ostream &operator<<(ostream &os, const State &state);
+
+class NodeMap: public CacheStats
+{
+public:
+	typedef map<ProtoState, State *>::iterator iterator;
+	iterator begin() { return cache.begin(); }
+	iterator end() { return cache.end(); }
+
+	map<ProtoState, State *> cache;
+
+	NodeMap(void): cache() { };
+	~NodeMap() { clear(); };
+
+	virtual unsigned long size(void) const { return cache.size(); }
+
+	void clear()
+	{
+		cache.clear();
+		CacheStats::clear();
+	}
+
+	pair<iterator,bool> insert(ProtoState &proto, State *state)
+	{
+		pair<iterator,bool> uniq;
+		uniq = cache.insert(make_pair(proto, state));
+		if (uniq.second == false) {
+			dup++;
+		} else {
+			sum += proto.size();
+			if (proto.size() > max)
+				max = proto.size();
+		}
+		return uniq;
+	}
+};
+
+/* Transitions in the DFA. */
+
+class DFA {
+	void dump_node_to_dfa(void);
+	State *add_new_state(NodeSet *nodes, State *other);
+	void update_state_transitions(State *state);
+
+	/* temporary values used during computations */
+	NodeCache anodes_cache;
+	NodeVecCache nnodes_cache;
+	NodeMap node_map;
+	list<State *> work_queue;
+
+public:
+	DFA(Node *root, dfaflags_t flags);
+	virtual ~DFA();
+
+	State *match_len(State *state, const char *str, size_t len);
+	State *match_until(State *state, const char *str, const char term);
+	State *match(const char *str);
+
+	void remove_unreachable(dfaflags_t flags);
+	bool same_mappings(State *s1, State *s2);
+	size_t hash_trans(State *s);
+	void minimize(dfaflags_t flags);
+	int apply_and_clear_deny(void);
+	void dump(ostream &os);
+	void dump_dot_graph(ostream &os);
+	void dump_uniq_perms(const char *s);
+	map<uchar, uchar> equivalence_classes(dfaflags_t flags);
+	void apply_equivalence_classes(map<uchar, uchar> &eq);
+	Node *root;
+	State *nonmatching, *start;
+	Partition states;
+};
+
+void dump_equivalence_classes(ostream &os, map<uchar, uchar> &eq);
+
+#endif /* __LIBAA_RE_HFA_H */

parser/libapparmor_re/parse.h

@@ -0,0 +1,27 @@
+/*
+ * (C) 2006, 2007 Andreas Gruenbacher <agruen@suse.de>
+ * Copyright (c) 2003-2008 Novell, Inc. (All rights reserved)
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * The libapparmor library is licensed under the terms of the GNU
+ * Lesser General Public License, version 2.1. Please see the file
+ * COPYING.LGPL.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ * Parsing of regular expression into expression trees as implemented in
+ * expr-tree
+ */
+#ifndef __LIBAA_RE_PARSE_H
+#define __LIBAA_RE_PARSE_H
+
+int regex_parse(Node **tree, const char *rule);
+
+#endif /* __LIBAA_RE_PARSE_H */

parser/libapparmor_re/parse.y

@@ -0,0 +1,262 @@
+/*
+ * (C) 2006, 2007 Andreas Gruenbacher <agruen@suse.de>
+ * Copyright (c) 2003-2008 Novell, Inc. (All rights reserved)
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * The libapparmor library is licensed under the terms of the GNU
+ * Lesser General Public License, version 2.1. Please see the file
+ * COPYING.LGPL.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ * Parsing of regular expression into expression trees as implemented in
+ * expr-tree
+ */
+
+%{
+/* #define DEBUG_TREE */
+#include "expr-tree.h"
+
+%}
+
+%union {
+	char c;
+	Node *node;
+	Chars *cset;
+}
+
+%{
+
+void regex_error(Node **, const char *, const char *);
+#define YYLEX_PARAM &text
+int regex_lex(YYSTYPE *, const char **);
+
+static inline Chars *insert_char(Chars* cset, uchar a)
+{
+	cset->insert(a);
+	return cset;
+}
+
+static inline Chars* insert_char_range(Chars* cset, uchar a, uchar b)
+{
+	if (a > b)
+		swap(a, b);
+	for (uchar i = a; i <= b; i++)
+		cset->insert(i);
+	return cset;
+}
+
+%}
+
+%pure-parser
+/* %error-verbose */
+%parse-param {Node **root}
+%parse-param {const char *text}
+%name-prefix = "regex_"
+
+%token <c> CHAR
+%type <c> regex_char cset_char1 cset_char cset_charN
+%type <cset> charset cset_chars
+%type <node> regex expr terms0 terms qterm term
+
+/**
+ * Note: destroy all nodes upon failure, but *not* the start symbol once
+ * parsing succeeds!
+ */
+%destructor { $$->release(); } expr terms0 terms qterm term
+
+%%
+
+/* FIXME: Does not parse "[--]", "[---]", "[^^-x]". I don't actually know
+          which precise grammer Perl regexs use, and rediscovering that
+	  is proving to be painful. */
+
+regex	    : /* empty */	{ *root = $$ = &epsnode; }
+	    | expr		{ *root = $$ = $1; }
+	    ;
+
+expr	    : terms
+	    | expr '|' terms0	{ $$ = new AltNode($1, $3); }
+	    | '|' terms0	{ $$ = new AltNode(&epsnode, $2); }
+	    ;
+
+terms0	    : /* empty */	{ $$ = &epsnode; }
+	    | terms
+	    ;
+
+terms	    : qterm
+	    | terms qterm	{ $$ = new CatNode($1, $2); }
+	    ;
+
+qterm	    : term
+	    | term '*'		{ $$ = new StarNode($1); }
+	    | term '+'		{ $$ = new PlusNode($1); }
+	    ;
+
+term	    : '.'		{ $$ = new AnyCharNode; }
+	    | regex_char	{ $$ = new CharNode($1); }
+	    | '[' charset ']'	{ $$ = new CharSetNode(*$2);
+				  delete $2; }
+	    | '[' '^' charset ']'
+				{ $$ = new NotCharSetNode(*$3);
+				  delete $3; }
+	    | '[' '^' '^' cset_chars ']'
+				{ $4->insert('^');
+				  $$ = new NotCharSetNode(*$4);
+				  delete $4; }
+	    | '(' regex ')'	{ $$ = $2; }
+	    ;
+
+regex_char  : CHAR
+	    | '^'		{ $$ = '^'; }
+	    | '-'		{ $$ = '-'; }
+	    | ']'		{ $$ = ']'; }
+	    ;
+
+charset	    : cset_char1 cset_chars
+				{ $$ = insert_char($2, $1); }
+	    | cset_char1 '-' cset_charN cset_chars
+				{ $$ = insert_char_range($4, $1, $3); }
+	    ;
+
+cset_chars  : /* nothing */	{ $$ = new Chars; }
+	    | cset_chars cset_charN
+				{ $$ = insert_char($1, $2); }
+	    | cset_chars cset_charN '-' cset_charN
+				{ $$ = insert_char_range($1, $2, $4); }
+	    ;
+
+cset_char1  : cset_char
+	    | ']'		{ $$ = ']'; }
+	    | '-'		{ $$ = '-'; }
+	    ;
+
+cset_charN  : cset_char
+	    | '^'		{ $$ = '^'; }
+	    ;
+
+cset_char   : CHAR
+	    | '['		{ $$ = '['; }
+	    | '*'		{ $$ = '*'; }
+	    | '+'		{ $$ = '+'; }
+	    | '.'		{ $$ = '.'; }
+	    | '|'		{ $$ = '|'; }
+	    | '('		{ $$ = '('; }
+	    | ')'		{ $$ = ')'; }
+	    ;
+
+%%
+
+
+int octdigit(char c)
+{
+	if (c >= '0' && c <= '7')
+		return c - '0';
+	return -1;
+}
+
+int hexdigit(char c)
+{
+	if (c >= '0' && c <= '9')
+		return c - '0';
+	else if (c >= 'A' && c <= 'F')
+		return 10 + c - 'A';
+	else if (c >= 'a' && c <= 'f')
+		return 10 + c - 'a';
+	else
+		return -1;
+}
+
+int regex_lex(YYSTYPE *val, const char **pos)
+{
+	int c;
+
+	val->c = **pos;
+	switch(*(*pos)++) {
+	case '\0':
+		(*pos)--;
+		return 0;
+
+	case '*': case '+': case '.': case '|': case '^': case '-':
+	case '[': case ']': case '(' : case ')':
+		return *(*pos - 1);
+
+	case '\\':
+		val->c = **pos;
+		switch(*(*pos)++) {
+		case '\0':
+			(*pos)--;
+			/* fall through */
+		case '\\':
+			val->c = '\\';
+			break;
+
+		case '0':
+			val->c = 0;
+			if ((c = octdigit(**pos)) >= 0) {
+				val->c = c;
+				(*pos)++;
+			}
+			if ((c = octdigit(**pos)) >= 0) {
+				val->c = (val->c << 3) + c;
+				(*pos)++;
+			}
+			if ((c = octdigit(**pos)) >= 0) {
+				val->c = (val->c << 3) + c;
+				(*pos)++;
+			}
+			break;
+
+		case 'x':
+			val->c = 0;
+			if ((c = hexdigit(**pos)) >= 0) {
+				val->c = c;
+				(*pos)++;
+			}
+			if ((c = hexdigit(**pos)) >= 0) {
+				val->c = (val->c << 4) + c;
+				(*pos)++;
+			}
+			break;
+
+		case 'a':
+			val->c = '\a';
+			break;
+
+		case 'e':
+			val->c = 033  /* ESC */;
+			break;
+
+		case 'f':
+			val->c = '\f';
+			break;
+
+		case 'n':
+			val->c = '\n';
+			break;
+
+		case 'r':
+			val->c = '\r';
+			break;
+
+		case 't':
+			val->c = '\t';
+			break;
+		}
+	}
+	return CHAR;
+}
+
+void regex_error(Node ** __attribute__((unused)),
+		 const char *text __attribute__((unused)),
+		 const char *error __attribute__((unused)))
+{
+	/* We don't want the library to print error messages. */
+}

parser/libapparmor_re/regexp.h

@@ -1,10 +0,0 @@
-#ifndef __REGEXP_H
-#define __REGEXP_H
-
-/**
- * Flex file format, but without state compression and with negative
- *  match results in the YYTD_ID_DEF table instead.
- */
-#define YYTH_REGEXP_MAGIC 0x1B5E783D
-
-#endif  /* __REGEXP_H */

parser/mount.c

@@ -0,0 +1,526 @@
+/*
+ *   Copyright (c) 2010
+ *   Canonical, Ltd. (All rights reserved)
+ *
+ *   This program is free software; you can redistribute it and/or
+ *   modify it under the terms of version 2 of the GNU General Public
+ *   License published by the Free Software Foundation.
+ *
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU General Public License for more details.
+ *
+ *   You should have received a copy of the GNU General Public License
+ *   along with this program; if not, contact Novell, Inc. or Canonical
+ *   Ltd.
+ */
+
+/**
+ * The mount command, its mix of options and flags, its permissions and
+ * mapping are a mess.
+ *      mount [-lhV]
+ *
+ *      mount -a [-fFnrsvw] [-t vfstype] [-O optlist]
+ *
+ *      mount [-fnrsvw] [-o option[,option]...]  device|dir
+ *
+ *      mount [-fnrsvw] [-t vfstype] [-o options] device dir
+ *
+ *----------------------------------------------------------------------
+ * Mount flags of no interest for apparmor mediation
+ * -a, --all
+ * -F fork for simultaneous mount
+ * -f fake, do everything except that actual system call
+ * -h --help
+ * -i, --internal-only
+ * -n mount without writing in /etc/mtab
+ * -O <optlist> limits what is auto mounted
+ * -p, --pass-fd num
+ * -s     Tolerate sloppy mount options
+ * -U uuid
+ * -V --version
+ * --no-canonicalize
+ *
+ *----------------------------------------------------------------------
+ * what do we do with these
+ * -l	list?
+ * -L <label> label
+ * -v --verbose		deprecated
+ *
+ *----------------------------------------------------------------------
+ * Filesystem type
+ * -t <vfstype>
+ *    vfstype=<vfstype>
+ *
+ *----------------------------------------------------------------------
+ * Mount Flags/options (-o --options)
+ *  -o option[,option]
+ * 
+ * The Linux kernel has 32 fs - independent mount flags, that mount command
+ * is responsible for stripping out and mapping to a 32 bit flags field.
+ * The mount commands mapping is documented below.
+ *
+ * Unfortunately we can not directly use this mapping as we need to be able
+ * represent, whether none, 1 or both options of a flag can be present for
+ * example
+ *    ro, and rw information is stored in a single bit.  But we need 2 bits
+ *    of information.
+ *    ro - the mount can only be readonly
+ *    rw - the mount can only be rw
+ *    ro/rw - the mount can be either ro/rw
+ *    the fourth state of neither ro/rw does not exist, but still we need
+ *    >1 bit to represent the possible choices
+ *
+ * The fs specific mount options are passed into the kernel as a string
+ * to be interpreted by the filesystem.
+ *
+ *
+ * #define MS_RDONLY	 1		Mount read-only
+ *	ro -r --read-only	[source] dest
+ *	rw -w
+ * #define MS_NOSUID	 2		Ignore suid and sgid bits
+ *	nosuid
+ *	suid
+ * #define MS_NODEV	 4		Disallow access to device special files
+ *	nodev
+ *	dev
+ * #define MS_NOEXEC	 8		Disallow program execution
+ *	noexec
+ *	exec
+ * #define MS_SYNCHRONOUS	16	Writes are synced at once
+ *	sync
+ *	async
+ * #define MS_REMOUNT	32		Alter flags of a mounted FS
+ *	remount			source dest
+ * #define MS_MANDLOCK	64		Allow mandatory locks on an FS
+ *	mand
+ *	nomand
+ * #define MS_DIRSYNC	128		Directory modifications are synchronous
+ *	dirsync
+ * #define MS_NOATIME	1024		Do not update access times
+ *	noatime
+ *	atime
+ * #define MS_NODIRATIME	2048	Do not update directory access times
+ *	nodiratime
+ *	diratime
+ * #define MS_BIND		4096
+ *	--bind -B		source dest
+ * #define MS_MOVE		8192
+ *	--move -M		source dest
+ * #define MS_REC		16384
+ *	--rbind -R		source dest
+ *	--make-rshared		dest
+ *	--make-rslave		dest
+ *	--make-rprivate		dest
+ *	--make-runbindable	dest
+ * #define MS_VERBOSE	32768		MS_VERBOSE is deprecated
+ * #define MS_SILENT	32768
+ *	silent
+ *	load
+ * #define MS_POSIXACL	(1<<16)		VFS does not apply the umask
+ *	acl
+ *	noacl
+ * #define MS_UNBINDABLE	(1<<17)	change to unbindable
+ *	--make-unbindable	dest
+ * #define MS_PRIVATE	(1<<18)		change to private
+ *	--make-private		dest
+ * #define MS_SLAVE	(1<<19)		change to slave
+ *	--make-slave		dest
+ * #define MS_SHARED	(1<<20)		change to shared
+ *	--make-shared		dest
+ * #define MS_RELATIME	(1<<21)		Update atime relative to mtime/ctime
+ *	relatime
+ *	norelatime
+ * #define MS_KERNMOUNT	(1<<22)		this is a kern_mount call
+ * #define MS_I_VERSION	(1<<23)		Update inode I_version field
+ *	iversion
+ *	noiversion
+ * #define MS_STRICTATIME	(1<<24)	Always perform atime updates
+ *	strictatime
+ *	nostrictatime
+ * #define MS_NOSEC	(1<<28)
+ * #define MS_BORN		(1<<29)
+ * #define MS_ACTIVE	(1<<30)
+ * #define MS_NOUSER	(1<<31)
+ *	nouser
+ *	user
+ *
+ * other mount options of interest
+ *
+ *   selinux
+ *     context=<context>
+ *     fscontext=<context>
+ *     defcontext=<context>,
+ *     rootcontext=<context>
+ *
+ *   defaults -> rw, suid,  dev,  exec,  auto,  nouser,  async
+ *   owner -> implies nosuid  and  nodev
+ *   users -> implies noexec, nosuid, and nodev
+ *
+ *----------------------------------------------------------------------
+ * AppArmor mount rules
+ *
+ * AppArmor mount rules try to leverage mount syntax within apparmor syntax
+ * this can not be done entirely but it is largely covered.
+ *
+ * The general mount syntax is
+ * [audit] [deny] [owner] mount [conds]* [source] [ -> [conds] path],
+ * [audit] [deny] remount [conds]* [path],
+ * [audit] [deny] umount [conds]* [path],
+ *
+ * Note: leading owner option applies owner condition to both sours and dest
+ *       path.
+ *
+ * where [conds] can be
+ * fstype=<expr>
+ * options=<expr>
+ * owner[=<expr>]
+ *
+ * <expr> := <re> | '(' (<re>[,])+ ')'
+ *
+ * If a condition is not specified then it is assumed to match all possible
+ * entries for it.  ie. a missing fstype means all fstypes are matched.
+ * However if a condition is specified then the rule only grants permission
+ * for mounts matching the specified pattern.
+ *
+ * Examples.
+ * mount,		# allow any mount
+ * mount /dev/foo,	# allow mounting of /dev/foo anywhere
+ * mount options=ro /dev/foo,  #allow mounting /dev/foo as read only
+ * mount options=(ro,foo) /dev/foo,
+ * mount options=ro options=foo /dev/foo,
+ * mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
+ *
+ *----------------------------------------------------------------------
+ * pivotroot
+ *   pivotroot [oldroot=<value>] <path> -> <profile>
+ *   pivotroot <path> -> {  }
+ *
+ *----------------------------------------------------------------------
+ * chroot
+ *   chroot <path> -> <profile>
+ *   chroot <path> -> {  }
+ *
+ *----------------------------------------------------------------------
+ * AppArmor mount rule encoding
+ *
+ * TODO:
+ *   add semantic checking of options against specified filesytem types
+ *   to catch mount options that can't be covered.
+ *
+ *
+ */
+
+
+#include <stdlib.h>
+#include <string.h>
+
+#include "parser.h"
+#include "mount.h"
+
+struct mnt_keyword_table {
+	char *keyword;
+	unsigned int set;
+	unsigned int clear;
+};
+
+static struct mnt_keyword_table mnt_opts_table[] = {
+	{"ro",			MS_RDONLY, 0},
+	{"r",			MS_RDONLY, 0},
+	{"read-only",		MS_RDONLY, 0},
+	{"rw",			0, MS_RDONLY},
+	{"w",			0, MS_RDONLY},
+	{"suid",		0, MS_NOSUID},
+	{"nosuid",		MS_NOSUID, 0},
+	{"dev",			0, MS_NODEV},
+	{"nodev",		MS_NODEV, 0},
+	{"exec",		0, MS_NOEXEC},
+	{"noexec",		MS_NOEXEC, 0},
+	{"sync",		MS_SYNC, 0},
+	{"async",		0, MS_SYNC},
+	{"remount",		MS_REMOUNT, 0},
+	{"mand",		MS_MAND, 0},
+	{"nomand",		0, MS_MAND},
+	{"dirsync",		MS_DIRSYNC, 0},
+	{"atime",		0, MS_NOATIME},
+	{"noatime",		MS_NOATIME, 0},
+	{"diratime",		0, MS_NODIRATIME},
+	{"nodiratime",		MS_NODIRATIME, 0},
+	{"bind",		MS_BIND, 0},
+	{"B",			MS_BIND, 0},
+	{"move",		MS_MOVE, 0},
+	{"M",			MS_MOVE, 0},
+	{"rbind",		MS_RBIND, 0},
+	{"R",			MS_RBIND, 0},
+	{"verbose",		MS_VERBOSE, 0},
+	{"silent",		MS_SILENT, 0},
+	{"load",		0, MS_SILENT},
+	{"acl",			MS_ACL, 0},
+	{"noacl",		0, MS_ACL},
+	{"make-unbindable",	MS_UNBINDABLE, 0},
+	{"make-runbindable",	MS_RUNBINDABLE, 0},
+	{"make-private",	MS_PRIVATE, 0},
+	{"make-rprivate",	MS_RPRIVATE, 0},
+	{"make-slave",		MS_SLAVE, 0},
+	{"make-rslave",		MS_RSLAVE, 0},
+	{"make-shared",		MS_SHARED, 0},
+	{"make-rshared",	MS_RSHARED, 0},
+
+	{"relatime",		MS_RELATIME, 0},
+	{"norelatime",		0, MS_NORELATIME},
+	{"iversion",		MS_IVERSION, 0},
+	{"noiversion",		0, MS_IVERSION},
+	{"strictatime",		MS_STRICTATIME, 0},
+	{"user",		0, MS_NOUSER},
+	{"nouser",		MS_NOUSER, 0},
+
+	{NULL, 0, 0}
+};
+
+static struct mnt_keyword_table mnt_conds_table[] = {
+	{"options", MNT_SRC_OPT, MNT_COND_OPTIONS},
+	{"option", MNT_SRC_OPT, MNT_COND_OPTIONS},
+	{"fstype", MNT_SRC_OPT | MNT_DST_OPT, MNT_COND_FSTYPE},
+	{"vfstype", MNT_SRC_OPT | MNT_DST_OPT, MNT_COND_FSTYPE},
+
+	{NULL, 0, 0}
+};
+
+static int find_mnt_keyword(struct mnt_keyword_table *table, const char *name)
+{
+	int i;
+	for (i = 0; table[i].keyword; i++) {
+		if (strcmp(name, table[i].keyword) == 0)
+			return i;
+	}
+
+	return -1;
+}
+
+int is_valid_mnt_cond(const char *name, int src)
+{
+	int i;
+	i = find_mnt_keyword(mnt_conds_table, name);
+	if (i != -1)
+		return (mnt_conds_table[i].set & src);
+	return -1;
+}
+
+static unsigned int extract_flags(struct value_list **list, unsigned int *inv)
+{
+	unsigned int flags = 0;
+	*inv = 0;
+
+	struct value_list *entry, *tmp, *prev = NULL;
+	list_for_each_safe(*list, entry, tmp) {
+		int i;
+		i = find_mnt_keyword(mnt_opts_table, entry->value);
+		if (i != -1) {
+			flags |= mnt_opts_table[i].set;
+			*inv |= mnt_opts_table[i].clear;
+			PDEBUG(" extracting mount flag %s req: 0x%x inv: 0x%x"
+			       " => req: 0x%x inv: 0x%x\n",
+			       entry->value, mnt_opts_table[i].set,
+			       mnt_opts_table[i].clear, flags, *inv);
+			if (prev)
+				prev->next = tmp;
+			if (entry == *list)
+				*list = tmp;
+			entry->next = NULL;
+			free_value_list(entry);
+		} else
+			prev = entry;
+	}
+
+	return flags;
+}
+
+static struct value_list *extract_fstype(struct cond_entry **conds)
+{
+	struct value_list *list = NULL;
+
+	struct cond_entry *entry, *tmp, *prev = NULL;
+
+	list_for_each_safe(*conds, entry, tmp) {
+		if (strcmp(entry->name, "fstype") == 0 ||
+		    strcmp(entry->name, "vfstype") == 0) {
+			PDEBUG("  extracting fstype\n");
+			if (prev)
+				prev->next = tmp;
+			if (entry == *conds)
+				*conds = tmp;
+			entry->next = NULL;
+			list_append(entry->vals, list);
+			list = entry->vals;
+			entry->vals = NULL;
+			free_cond_entry(entry);
+		} else
+			prev = entry;
+	}
+
+	return list;
+}
+
+static struct value_list *extract_options(struct cond_entry **conds, int eq)
+{
+	struct value_list *list = NULL;
+
+	struct cond_entry *entry, *tmp, *prev = NULL;
+
+	list_for_each_safe(*conds, entry, tmp) {
+		if ((strcmp(entry->name, "options") == 0 ||
+		     strcmp(entry->name, "option") == 0) &&
+		    entry->eq == eq) {
+			if (prev)
+				prev->next = tmp;
+			if (entry == *conds)
+				*conds = tmp;
+			entry->next = NULL;
+			PDEBUG("  extracting option %s\n", entry->name);
+			list_append(entry->vals, list);
+			list = entry->vals;
+			entry->vals = NULL;
+			free_cond_entry(entry);
+		} else
+			prev = entry;
+	}
+
+	return list;
+}
+
+struct mnt_entry *new_mnt_entry(struct cond_entry *src_conds, char *device,
+				struct cond_entry *dst_conds __unused, char *mnt_point,
+				int allow)
+{
+	/* FIXME: dst_conds are ignored atm */
+
+	struct mnt_entry *ent;
+	ent = (struct mnt_entry *) calloc(1, sizeof(struct mnt_entry));
+	if (ent) {
+		ent->mnt_point = mnt_point;
+		ent->device = device;
+		ent->dev_type = extract_fstype(&src_conds);
+
+		ent->flags = 0;
+		ent->inv_flags = 0;
+
+		if (src_conds) {
+			unsigned int flags = 0, inv_flags = 0;
+			struct value_list *list = extract_options(&src_conds, 0);
+
+			ent->opts = extract_options(&src_conds, 1);
+			if (ent->opts)
+				ent->flags = extract_flags(&ent->opts,
+							   &ent->inv_flags);
+
+			if (list) {
+				flags = extract_flags(&list, &inv_flags);
+				/* these flags are optional so set both */
+				flags |= inv_flags;
+				inv_flags |= flags;
+
+				ent->flags |= flags;
+				ent->inv_flags |= inv_flags;
+
+				if (ent->opts)
+					list_append(ent->opts, list);
+				else if (list)
+					ent->opts = list;
+			}
+		}
+
+		if (allow & AA_DUMMY_REMOUNT) {
+			allow = AA_MAY_MOUNT;
+			ent->flags |= MS_REMOUNT;
+			ent->inv_flags = 0;
+		} else if (!(ent->flags | ent->inv_flags)) {
+			/* no flag options, and not remount, allow everything */
+			ent->flags = MS_ALL_FLAGS;
+			ent->inv_flags = MS_ALL_FLAGS;
+		}
+
+		ent->allow = allow;
+
+		if (src_conds) {
+			PERROR("  unsupported mount conditions\n");
+			exit(1);
+		}
+	}
+
+	return ent;
+}
+
+void free_mnt_entry(struct mnt_entry *ent)
+{
+	if (!ent)
+		return;
+
+	free_mnt_entry(ent->next);
+	free_value_list(ent->opts);
+	free_value_list(ent->dev_type);
+	free(ent->device);
+	free(ent->mnt_point);
+	free(ent->trans);
+
+	free(ent);
+}
+
+
+struct mnt_entry *dup_mnt_entry(struct mnt_entry *orig)
+{
+	struct mnt_entry *entry = NULL;
+
+	entry = (struct mnt_entry *) calloc(1, sizeof(struct mnt_entry));
+	if (!entry)
+		return NULL;
+
+	entry->mnt_point = orig->mnt_point ? strdup(orig->mnt_point) : NULL;
+	entry->device = orig->device ? strdup(orig->device) : NULL;
+	entry->trans = orig->trans ? strdup(orig->trans) : NULL;
+
+	entry->dev_type = dup_value_list(orig->dev_type);
+	entry->opts = dup_value_list(orig->opts);
+
+	entry->flags = orig->flags;
+	entry->inv_flags = orig->inv_flags;
+
+	entry->allow = orig->allow;
+	entry->audit = orig->audit;
+	entry->deny = orig->deny;
+
+	entry->next = orig->next;
+
+	return entry;
+}
+
+void print_mnt_entry(struct mnt_entry *entry)
+{
+	if (entry->allow & AA_MAY_MOUNT)
+		fprintf(stderr, "mount");
+	else if (entry->allow & AA_MAY_UMOUNT)
+		fprintf(stderr, "umount");
+	else if (entry->allow & AA_MAY_PIVOTROOT)
+		fprintf(stderr, "pivotroot");
+	else
+		fprintf(stderr, "error: unknonwn mount perm");
+
+	fprintf(stderr, " (0x%x - 0x%x) ", entry->flags, entry->inv_flags);
+	if (entry->dev_type) {
+		fprintf(stderr, " type=");
+		print_value_list(entry->dev_type);
+	}
+	if (entry->opts) {
+		fprintf(stderr, " options=");
+		print_value_list(entry->opts);
+	}
+	if (entry->device)
+		fprintf(stderr, " %s", entry->device);
+	if (entry->mnt_point)
+		fprintf(stderr, " -> %s", entry->mnt_point);
+	if (entry->trans)
+		fprintf(stderr, " -> %s", entry->trans);
+
+	fprintf(stderr, " %s (0x%x/0x%x)", entry->deny ? "deny" : "", entry->allow, entry->audit); 
+	fprintf(stderr, ",\n");
+}

parser/mount.h

@@ -0,0 +1,136 @@
+/*
+ *   Copyright (c) 2010
+ *   Canonical, Ltd. (All rights reserved)
+ *
+ *   This program is free software; you can redistribute it and/or
+ *   modify it under the terms of version 2 of the GNU General Public
+ *   License published by the Free Software Foundation.
+ *
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU General Public License for more details.
+ *
+ *   You should have received a copy of the GNU General Public License
+ *   along with this program; if not, contact Novell, Inc. or Canonical
+ *   Ltd.
+ */
+
+#ifndef __AA_MOUNT_H
+#define __AA_MOUNT_H
+
+#include "parser.h"
+
+#define MS_RDONLY	(1 << 0)
+#define MS_RW		0
+#define MS_NOSUID	(1 << 1)
+#define MS_SUID		0
+#define MS_NODEV	(1 << 2)
+#define MS_DEV		0
+#define MS_NOEXEC	(1 << 3)
+#define MS_EXEC		0
+#define MS_SYNC		(1 << 4)
+#define MS_ASYNC	0
+#define MS_REMOUNT	(1 << 5)
+#define MS_MAND		(1 << 6)
+#define MS_NOMAND	0
+#define MS_DIRSYNC	(1 << 7)
+#define MS_NODIRSYNC	0
+#define MS_NOATIME	(1 << 10)
+#define MS_ATIME	0
+#define MS_NODIRATIME	(1 << 11)
+#define MS_DIRATIME	0
+#define MS_BIND		(1 << 12)
+#define MS_MOVE		(1 << 13)
+#define MS_REC		(1 << 14)
+#define MS_VERBOSE	(1 << 15)
+#define MS_SILENT	(1 << 15)
+#define MS_LOAD		0
+#define MS_ACL		(1 << 16)
+#define MS_NOACL	0
+#define MS_UNBINDABLE	(1 << 17)
+#define MS_PRIVATE	(1 << 18)
+#define MS_SLAVE	(1 << 19)
+#define MS_SHARED	(1 << 20)
+#define MS_RELATIME	(1 << 21)
+#define MS_NORELATIME	0
+#define MS_IVERSION	(1 << 23)
+#define MS_NOIVERSION	0
+#define MS_STRICTATIME	(1 << 24)
+#define MS_NOUSER	(1 << 31)
+#define MS_USER		0
+
+#define MS_ALL_FLAGS	(MS_RDONLY | MS_NOSUID | MS_NODEV | MS_NOEXEC | \
+			 MS_SYNC | MS_REMOUNT | MS_MAND | MS_DIRSYNC | \
+			 MS_NOATIME | MS_NODIRATIME | MS_BIND | MS_MOVE | \
+			 MS_REC | MS_VERBOSE | MS_ACL | MS_UNBINDABLE | \
+			 MS_PRIVATE | MS_SLAVE | MS_SHARED | MS_RELATIME | \
+			 MS_IVERSION | MS_STRICTATIME | MS_USER)
+
+#define MS_RBIND	(MS_BIND | MS_REC)
+#define MS_RUNBINDABLE	(MS_UNBINDABLE | MS_REC)
+#define MS_RPRIVATE	(MS_PRIVATE | MS_REC)
+#define MS_RSLAVE	(MS_SLAVE | MS_REC)
+#define MS_RSHARED	(MS_SHARED | MS_REC)
+
+/* set of flags we don't use but define (but not with the kernel values)
+ *  for MNT_FLAGS
+ */
+#define MS_ACTIVE	0
+#define MS_BORN		0
+#define MS_KERNMOUNT	0
+
+/* from kernel fs/namespace.c - set of flags masked off */
+#define MNT_FLAGS	(MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_ACTIVE | \
+			 MS_BORN | MS_NOATIME | MS_NODIRATIME | MS_RELATIME| \
+			 MS_KERNMOUNT | MS_STRICTATIME)
+
+#define MS_BIND_FLAGS (MS_BIND | MS_REC)
+#define MS_MAKE_FLAGS ((MS_UNBINDABLE | MS_PRIVATE | MS_SLAVE | MS_SHARED | \
+			MS_REC) | (MS_ALL_FLAGS & ~(MNT_FLAGS)))
+#define MS_MOVE_FLAGS (MS_MOVE)
+
+#define MS_CMDS (MS_MOVE | MS_REMOUNT | MS_BIND | MS_PRIVATE | MS_SLAVE | \
+		 MS_SHARED | MS_UNBINDABLE)
+#define MS_REMOUNT_FLAGS (MS_ALL_FLAGS & ~(MS_CMDS & ~MS_REMOUNT))
+
+#define MNT_SRC_OPT 1
+#define MNT_DST_OPT 2
+
+#define MNT_COND_FSTYPE 1
+#define MNT_COND_OPTIONS 2
+
+#define AA_MAY_PIVOTROOT 1
+#define AA_MAY_MOUNT 2
+#define AA_MAY_UMOUNT 4
+#define AA_MATCH_CONT 0x40
+#define AA_AUDIT_MNT_DATA AA_MATCH_CONT
+#define AA_DUMMY_REMOUNT 0x40000000	/* dummy perm for remount rule - is
+					 * remapped to a mount option*/
+
+
+struct mnt_entry {
+	char *mnt_point;
+	char *device;
+	char *trans;
+	struct value_list *dev_type;
+	struct value_list *opts;
+
+	unsigned int flags, inv_flags;
+
+	int allow, audit;
+	int deny;
+	struct mnt_entry *next;
+};
+
+void print_mnt_entry(struct mnt_entry *entry);
+
+int is_valid_mnt_cond(const char *name, int src);
+struct mnt_entry *new_mnt_entry(struct cond_entry *sconds, char *device,
+				struct cond_entry *dconds, char *mnt_point,
+				int mode);
+struct mnt_entry *dup_mnt_entry(struct mnt_entry *orig);
+void free_mnt_entry(struct mnt_entry *ent);
+
+
+#endif /* __AA_MOUNT_H */

parser/parser.conf

@@ -0,0 +1,58 @@
+# parser.conf is a global AppArmor config file for the apparmor_parser
+#
+# It can be used to specify the default options for the parser, which
+# can then be overriden by options passed on the command line.
+#
+# Leading whitespace is ignored and lines that begin with # are treated
+# as comments.
+#
+# Config options are specified one per line using the same format as the
+# longform command line options (without the preceding --).
+#
+# If a value is specified twice the last version to appear is used.
+
+## Suppress Warnings
+#quiet
+
+## Be verbose
+#verbose
+
+## Set include path
+#Include /etc/apparmor.d/abstractions
+
+## Set location of apparmor filesystem
+#subdomainfs /sys/kernel/security/apparmor
+
+## Set match-string to use - for forcing compiler to treat different kernels
+## the same
+# match-string "pattern=aadfa audit perms=crwxamlk/ user::other"
+
+## Turn creating/updating of the cache on by default
+#write-cache
+
+## Show cache hits
+#show-cache
+
+## skip cached policy
+#skip-cache
+
+## skip reading cache but allow updating
+#skip-read-cache
+
+
+#### Set Optimizaions.  Multiple Optimizations can be set, one per line ####
+# For supported optimizations see
+#   apparmor_parser --help=O
+
+## Turn on equivalence classes
+#equiv
+
+## Turn off expr tree simplification
+#Optimize=no-expr-simplify
+
+## Turn off DFA minimization
+#Optimize=no-minimize
+
+## Adjust compression
+#Optimize=compress-small
+#Optimize=compress-fast

parser/parser.h

@@ -2,8 +2,8 @@
  *   Copyright (c) 1999, 2000, 2001, 2002, 2004, 2005, 2006, 2007
  *   NOVELL (All rights reserved)
  *
- *   Copyright (c) 2010
- *   Canonical, Ltd. (All rights reserved)
+ *   Copyright (c) 2010 - 2012
+ *   Canonical Ltd. (All rights reserved)
  *
  *   This program is free software; you can redistribute it and/or
  *   modify it under the terms of version 2 of the GNU General Public
@@ -19,10 +19,21 @@
  *   Ltd.
  */
 
+#ifndef __AA_PARSER_H
+#define __AA_PARSER_H
+
 #include <netinet/in.h>
 #include <sys/resource.h>
 #include "immunix.h"
 #include "libapparmor_re/apparmor_re.h"
+#include "libapparmor_re/aare_rules.h"
+
+struct mnt_ent;
+
+/* Global variable to pass token to lexer.  Will be replaced by parameter
+ * when lexer and parser are made reentrant
+ */
+extern int parser_token;
 
 typedef enum pattern_t pattern_t;
 
@@ -43,6 +54,20 @@ struct cod_pattern {
 	char *regex;		// posix regex
 };
 
+struct value_list {
+	char *value;
+
+	struct value_list *next;
+};
+
+struct cond_entry {
+	char *name;
+	int eq;			/* where equals was used in specifying list */
+	struct value_list *vals;
+
+	struct cond_entry *next;
+};
+
 struct cod_entry {
 	char *namespace;
 	char *name;
@@ -106,7 +131,6 @@ struct codomain {
 	uint64_t audit_caps;
 	uint64_t deny_caps;
 	uint64_t quiet_caps;
-	uint64_t set_caps;
 
 	unsigned int *network_allowed;		/* array of type masks
 						 * indexed by AF_FAMILY */
@@ -118,6 +142,8 @@ struct codomain {
 
 	char *exec_table[AA_EXEC_COUNT];
 	struct cod_entry *entries;
+	struct mnt_entry *mnt_ents;
+
 	void *hat_table;
 	//struct codomain *next;
 
@@ -125,6 +151,11 @@ struct codomain {
 	int dfarule_count;
 	void *dfa;
 	size_t dfa_size;
+
+	aare_ruleset_t *policy_rules;
+	int policy_rule_count;
+	void *policy_dfa;
+	size_t policy_dfa_size;
 };
 
 struct sd_hat {
@@ -178,13 +209,8 @@ struct var_string {
 
 #define FLAG_CHANGEHAT_1_4  2
 #define FLAG_CHANGEHAT_1_5  3
-extern int kernel_supports_network;
-extern int net_af_max_override;
-extern int flag_changehat_version;
-extern int read_implies_exec;
-extern dfaflags_t dfaflags;
+
 extern int preprocess_only;
-extern FILE *ofile;
 
 #define PATH_CHROOT_REL 0x1
 #define PATH_NS_REL 0x2
@@ -220,34 +246,53 @@ extern FILE *ofile;
 #define __unused __attribute__ ((unused))
 #endif
 
+
 #define list_for_each(LIST, ENTRY) \
 	for ((ENTRY) = (LIST); (ENTRY); (ENTRY) = (ENTRY)->next)
 #define list_for_each_safe(LIST, ENTRY, TMP) \
 	for ((ENTRY) = (LIST), (TMP) = (LIST) ? (LIST)->next : NULL; (ENTRY); (ENTRY) = (TMP), (TMP) = (TMP) ? (TMP)->next : NULL)
 #define list_last_entry(LIST, ENTRY) \
 	for ((ENTRY) = (LIST); (ENTRY) && (ENTRY)->next; (ENTRY) = (ENTRY)->next)
+#define list_append(LISTA, LISTB)		\
+	do {					\
+		typeof(LISTA) ___tmp;		\
+		list_last_entry((LISTA), ___tmp);\
+		___tmp->next = (LISTB);		\
+	} while (0)
 
-/* Some external definitions to make b0rken programs happy */
+/* from parser_common.c */
+extern int regex_type;
+extern int perms_create;
+extern int net_af_max_override;
+extern int kernel_load;
+extern int kernel_supports_network;
+extern int kernel_supports_mount;
+extern int flag_changehat_version;
+extern int conf_verbose;
+extern int conf_quiet;
+extern int names_only;
+extern int option;
+extern int current_lineno;
+extern dfaflags_t dfaflags;
 extern char *progname;
 extern char *subdomainbase;
 extern char *profilename;
 extern char *profile_namespace;
-
-/* from parser_main */
-extern int force_complain;
-extern int conf_quiet;
-extern int conf_verbose;
-extern int kernel_load;
-extern int regex_type;
-extern int perms_create;
-extern struct timespec mru_tstamp;
-extern void update_mru_tstamp(FILE *file);
+extern char *current_filename;
+extern FILE *ofile;
+extern int read_implies_exec;
 extern void pwarn(char *fmt, ...) __attribute__((__format__(__printf__, 1, 2)));
 
+/* from parser_main (cannot be used in tst builds) */
+extern int force_complain;
+extern struct timespec mru_tstamp;
+extern void update_mru_tstamp(FILE *file);
+
+/* provided by parser_lex.l (cannot be used in tst builds) */
 extern FILE *yyin;
 extern void yyrestart(FILE *fp);
 extern int yyparse(void);
-extern void yyerror(char *msg, ...);
+extern void yyerror(const char *msg, ...);
 extern int yylex(void);
 
 /* parser_include.c */
@@ -258,12 +303,24 @@ extern int process_regex(struct codomain *cod);
 extern int post_process_entry(struct cod_entry *entry);
 extern void reset_regex(void);
 
+extern int process_policydb(struct codomain *cod);
+
+extern int process_policy_ents(struct codomain *cod);
+
 /* parser_variable.c */
 extern int process_variables(struct codomain *cod);
 extern struct var_string *split_out_var(char *string);
 extern void free_var_string(struct var_string *var);
 
 /* parser_misc.c */
+extern struct value_list *new_value_list(char *value);
+extern struct value_list *dup_value_list(struct value_list *list);
+extern void free_value_list(struct value_list *list);
+extern void print_value_list(struct value_list *list);
+extern struct cond_entry *new_cond_entry(char *name, int eq, struct value_list *list);
+extern void free_cond_entry(struct cond_entry *ent);
+extern void print_cond_entry(struct cond_entry *ent);
+extern char *processid(char *string, int len);
 extern char *processquoted(char *string, int len);
 extern char *processunquoted(char *string, int len);
 extern int get_keyword_token(const char *keyword);
@@ -286,6 +343,7 @@ extern void debug_cod_list(struct codomain *list);
 extern int str_to_boolean(const char* str);
 extern struct cod_entry *copy_cod_entry(struct cod_entry *cod);
 extern void free_cod_entries(struct cod_entry *list);
+extern void free_mnt_entries(struct mnt_entry *list);
 
 /* parser_symtab.c */
 struct set_value {;
@@ -323,10 +381,12 @@ extern int cache_fd;
 extern void add_to_list(struct codomain *codomain);
 extern void add_hat_to_policy(struct codomain *policy, struct codomain *hat);
 extern void add_entry_to_policy(struct codomain *policy, struct cod_entry *entry);
-extern void post_process_nt_entries(struct codomain *cod);
+extern void post_process_file_entries(struct codomain *cod);
+extern void post_process_mnt_entries(struct codomain *cod);
 extern int post_process_policy(int debug_only);
 extern int process_hat_regex(struct codomain *cod);
 extern int process_hat_variables(struct codomain *cod);
+extern int process_hat_policydb(struct codomain *cod);
 extern int post_merge_rules(void);
 extern int merge_hat_rules(struct codomain *cod);
 extern struct codomain *merge_policy(struct codomain *a, struct codomain *b);
@@ -339,3 +399,34 @@ extern void dump_policy_hats(struct codomain *cod);
 extern void dump_policy_names(void);
 extern int die_if_any_regex(void);
 void free_policies(void);
+
+#ifdef UNIT_TEST
+/* For the unit-test builds, we must include function stubs for stuff that
+ * only exists in the excluded object files; everything else should live
+ * in parser_common.c.
+ */
+
+/* parser_yacc.y */
+void yyerror(const char *msg, ...)
+{
+        va_list arg;
+        char buf[PATH_MAX];
+
+        va_start(arg, msg);
+        vsnprintf(buf, sizeof(buf), msg, arg);
+        va_end(arg);
+
+        PERROR(_("AppArmor parser error: %s\n"), buf);
+
+        exit(1);
+}
+
+#define MY_TEST(statement, error)               \
+        if (!(statement)) {                     \
+                PERROR("FAIL: %s\n", error);    \
+                rc = 1;                         \
+        }
+
+#endif
+
+#endif /** __AA_PARSER_H */

parser/parser_common.c

@@ -0,0 +1,75 @@
+/*
+ *   Copyright (c) 2010 - 2012
+ *   Canonical Ltd. (All rights reserved)
+ *
+ *   This program is free software; you can redistribute it and/or
+ *   modify it under the terms of version 2 of the GNU General Public
+ *   License published by the Free Software Foundation.
+ *
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU General Public License for more details.
+ *
+ *   You should have received a copy of the GNU General Public License
+ *   along with this program; if not, contact Novell, Inc. or Canonical,
+ *   Ltd.
+ */
+#include <stdlib.h>
+#include <stdarg.h>
+#include <libintl.h>
+#include <locale.h>
+#define _(s) gettext(s)
+#include "parser.h"
+
+int regex_type = AARE_DFA;
+int perms_create = 0;                   /* perms contain create flag */
+int net_af_max_override = -1;           /* use kernel to determine af_max */
+int kernel_load = 1;
+int kernel_supports_network = 1;        /* kernel supports network rules */
+int kernel_supports_mount = 0;	        /* kernel supports mount rules */
+int flag_changehat_version = FLAG_CHANGEHAT_1_5;
+int conf_verbose = 0;
+int conf_quiet = 0;
+int names_only = 0;
+int current_lineno = 1;
+int option = OPTION_ADD;
+
+dfaflags_t dfaflags = DFA_CONTROL_TREE_NORMAL | DFA_CONTROL_TREE_SIMPLE | DFA_CONTROL_MINIMIZE | DFA_CONTROL_MINIMIZE_HASH_TRANS;
+
+char *subdomainbase = NULL;
+char *progname = __FILE__;
+char *profile_namespace = NULL;
+char *profilename = NULL;
+char *current_filename = NULL;
+
+FILE *ofile = NULL;
+
+#ifdef FORCE_READ_IMPLIES_EXEC
+int read_implies_exec = 1;
+#else
+int read_implies_exec = 0;
+#endif
+
+void pwarn(char *fmt, ...)
+{
+        va_list arg;
+        char *newfmt;
+
+        if (conf_quiet || names_only || option == OPTION_REMOVE)
+                return;
+
+        if (asprintf(&newfmt, _("Warning from %s (%s%sline %d): %s"),
+		     profilename ? profilename : "stdin",
+		     current_filename ? current_filename : "",
+		     current_filename ? " " : "",
+		     current_lineno,
+		     fmt) == -1)
+                return;
+
+        va_start(arg, fmt);
+        vfprintf(stderr, newfmt, arg);
+        va_end(arg);
+
+        free(newfmt);
+}

parser/parser_include.c

@@ -1,8 +1,8 @@
 /*
  *   Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
  *   NOVELL (All rights reserved)
- *   Copyright (c) 2010
- *   Canonical, Ltd.
+ *   Copyright (c) 2010 - 2012
+ *   Canonical Ltd.
  *
  *   This program is free software; you can redistribute it and/or
  *   modify it under the terms of version 2 of the GNU General Public

parser/parser_include.h

@@ -1,8 +1,8 @@
 /*
  *   Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
  *   NOVELL (All rights reserved)
- *   Copyright (c) 2010
- *   Canonical, Ltd.
+ *   Copyright (c) 2010 - 2012
+ *   Canonical Ltd.
  *
  *   This program is free software; you can redistribute it and/or
  *   modify it under the terms of version 2 of the GNU General Public
@@ -21,8 +21,6 @@
 #define PARSER_INCLUDE_H
 
 extern int preprocess_only;
-extern int current_lineno;
-extern char *current_filename;
 
 extern int add_search_dir(char *dir);
 extern void init_base_dir(void);

parser/parser_interface.c

@@ -59,6 +59,7 @@
 
 #define SUBDOMAIN_INTERFACE_VERSION 2
 #define SUBDOMAIN_INTERFACE_DFA_VERSION 5
+#define SUBDOMAIN_INTERFACE_POLICY_DB 16
 
 int sd_serialize_codomain(int option, struct codomain *cod);
 
@@ -609,15 +610,14 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
 
 #define low_caps(X) ((u32) ((X) & 0xffffffff))
 #define high_caps(X) ((u32) (((X) >> 32) & 0xffffffff))
-	allowed_caps = (profile->capabilities | profile->set_caps) &
-		~profile->deny_caps;
+	allowed_caps = (profile->capabilities) & ~profile->deny_caps;
 	if (!sd_write32(p, low_caps(allowed_caps)))
 		return 0;
 	if (!sd_write32(p, low_caps(allowed_caps & profile->audit_caps)))
 		return 0;
 	if (!sd_write32(p, low_caps(profile->deny_caps & profile->quiet_caps)))
 		return 0;
-	if (!sd_write32(p, low_caps(profile->set_caps & ~profile->deny_caps)))
+	if (!sd_write32(p, 0))
 		return 0;
 
 	if (!sd_write_struct(p, "caps64"))
@@ -628,7 +628,7 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
 		return 0;
 	if (!sd_write32(p, high_caps(profile->deny_caps & profile->quiet_caps)))
 		return 0;
-	if (!sd_write32(p, high_caps(profile->set_caps & ~profile->deny_caps)))
+	if (!sd_write32(p, 0))
 		return 0;
 	if (!sd_write_structend(p))
 		return 0;
@@ -655,6 +655,15 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
 	} else if (profile->network_allowed)
 		pwarn(_("profile %s network rules not enforced\n"), profile->name);
 
+	if (profile->policy_dfa && regex_type == AARE_DFA) {
+		if (!sd_write_struct(p, "policydb"))
+			return 0;
+		if (!sd_serialize_dfa(p, profile->policy_dfa, profile->policy_dfa_size))
+			return 0;
+		if (!sd_write_structend(p))
+			return 0;
+	}
+
 	/* either have a single dfa or lists of different entry types */
 	if (regex_type == AARE_DFA) {
 		if (!sd_serialize_dfa(p, profile->dfa, profile->dfa_size))
@@ -686,9 +695,13 @@ int sd_serialize_top_profile(sd_serialize *p, struct codomain *profile)
 {
 	int version;
 
-	if (regex_type == AARE_DFA)
-		version = SUBDOMAIN_INTERFACE_DFA_VERSION;
-	else
+	if (regex_type == AARE_DFA) {
+		/* Not yet
+		if (profile->policy_dfa)
+			version = SUBDOMAIN_INTERFACE_POLICYDB;
+		else */
+			version = SUBDOMAIN_INTERFACE_DFA_VERSION;
+	} else
 		version = SUBDOMAIN_INTERFACE_VERSION;
 
 
@@ -763,10 +776,10 @@ int sd_serialize_codomain(int option, struct codomain *cod)
 		int len = 0;
 
 		if (profile_namespace) {
-			len += strlen(profile_namespace) + 1;
+			len += strlen(profile_namespace) + 2;
 			ns = profile_namespace;
 		} else if (cod->namespace) {
-			len += strlen(cod->namespace) + 1;
+			len += strlen(cod->namespace) + 2;
 			ns = cod->namespace;
 		}
 		if (cod->parent) {
@@ -778,7 +791,7 @@ int sd_serialize_codomain(int option, struct codomain *cod)
 				goto exit;
 			}
 			if (ns)
-				sprintf(name, "%s:%s//%s", ns,
+				sprintf(name, ":%s:%s//%s", ns,
 					cod->parent->name, cod->name);
 			else
 				sprintf(name, "%s//%s", cod->parent->name,
@@ -790,7 +803,7 @@ int sd_serialize_codomain(int option, struct codomain *cod)
 				error = -errno;
 				goto exit;
 			}
-			sprintf(name, "%s:%s", ns, cod->name);
+			sprintf(name, ":%s:%s", ns, cod->name);
 		} else {
 			name = cod->name;
 		}

parser/parser_lex.l

@@ -1,8 +1,8 @@
 /*
  *   Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
  *   NOVELL (All rights reserved)
- *   Copyright (c) 2010
- *   Canonical, Ltd.
+ *   Copyright (c) 2010 - 2012
+ *   Canonical Ltd.
  *
  *   This program is free software; you can redistribute it and/or
  *   modify it under the terms of version 2 of the GNU General Public
@@ -23,6 +23,7 @@
 /* eliminates need to link with libfl */
 %option noyywrap
 %option nounput
+%option stack
 
 %{
 #include <stdio.h>
@@ -44,7 +45,7 @@
 #endif
 /* #define DEBUG */
 #ifdef DEBUG
-#define PDEBUG(fmt, args...) printf("Lexer: " fmt, ## args)
+#define PDEBUG(fmt, args...) printf("Lexer (state %d): " fmt, YY_START, ## args)
 #else
 #define PDEBUG(fmt, args...)	/* Do nothing */
 #endif
@@ -54,9 +55,6 @@
 
 #define YY_NO_INPUT
 
-int current_lineno     = 1;
-char *current_filename = NULL;
-
 struct ignored_suffix_t {
 	char * text;
 	int len;
@@ -170,25 +168,35 @@ void include_filename(char *filename, int search)
 
 %}
 
-UP		"^"
+CARET		"^"
 OPEN_BRACE 	\{
 CLOSE_BRACE 	\}
 SLASH		\/
 COLON		:
 END_OF_RULE	[,]
-SEPARATOR 	{UP}
 RANGE		-
 MODE_CHARS 	([RrWwaLlMmkXx])|(([Pp]|[Cc])[Xx])|(([Pp]|[Cc])?([IiUu])[Xx])
 MODES		{MODE_CHARS}+
 WS		[[:blank:]]
 NUMBER		[[:digit:]]+
-ID 		[^ \t\n"!,]|(,[^ \t\n"!])
-POST_VAR_ID 	[^ =\+\t\n"!,]|(,[^ =\+\t\n"!])
-IP		{NUMBER}\.{NUMBER}\.{NUMBER}\.{NUMBER}
+
+ID_CHARS	[^ \t\n"!,]
+ID 		{ID_CHARS}|(,{ID_CHARS})
+IDS		{ID}+
+POST_VAR_ID_CHARS	[^ \t\n"!,]{-}[=\+]
+POST_VAR_ID 	{POST_VAR_ID_CHARS}|(,{POST_VAR_ID_CHARS})
+LIST_VALUE_ID_CHARS	[^ \t\n"!,]{-}[()]
+LIST_VALUE_ID	{LIST_VALUE_ID_CHARS}+
+ID_CHARS_NOEQ	[^ \t\n"!,]{-}[=]
+ID_NOEQ		{ID_CHARS_NOEQ}|(,{ID_CHARS_NOEQ})
+IDS_NOEQ	{ID_NOEQ}+
 ALLOWED_QUOTED_ID 	[^\0"]|\\\"
 QUOTED_ID	\"{ALLOWED_QUOTED_ID}*\"
 
-HAT		hat[ \t]+
+IP		{NUMBER}\.{NUMBER}\.{NUMBER}\.{NUMBER}
+
+HAT		hat{WS}*
+PROFILE		profile{WS}*
 KEYWORD         [[:alpha:]_]+
 VARIABLE_NAME	[[:alpha:]][[:alnum:]_]*
 SET_VAR_PREFIX  @
@@ -198,25 +206,36 @@ BOOL_VARIABLE	$(\{{VARIABLE_NAME}\}|{VARIABLE_NAME})
 PATHNAME	(\/|{SET_VARIABLE}{POST_VAR_ID}){ID}*
 QPATHNAME	\"(\/|{SET_VAR_PREFIX})([^\0"]|\\\")*\"
 
-FLAGOPEN_PAREN 	\(
-FLAGCLOSE_PAREN	\)
-FLAGSEP		\,
+OPEN_PAREN 	\(
+CLOSE_PAREN	\)
+COMMA		\,
 EQUALS		=
 ADD_ASSIGN	\+=
 ARROW		->
 LT_EQUAL	<=
 
-%x SUB_NAME
-%x SUB_NAME2
+%x SUB_ID
+%x SUB_VALUE
+%x EXTCOND_MODE
 %x NETWORK_MODE
-%x FLAGS_MODE
+%x LIST_VAL_MODE
 %x ASSIGN_MODE
 %x RLIMIT_MODE
+%x MOUNT_MODE
 %x CHANGE_PROFILE_MODE
 %x INCLUDE
 
 %%
 
+%{
+/* Copied directly into yylex function */
+	if (parser_token) {
+		int t = parser_token;
+		parser_token = 0;
+		return t;
+	}
+%}
+
 <INCLUDE>{
 	{WS}+	{ /* Eat whitespace */ }
 	\<([^\> \t\n]+)\>	{	/* <filename> */
@@ -224,7 +243,7 @@ LT_EQUAL	<=
 		filename[strlen(filename) - 1] = '\0';
 		include_filename(filename + 1, 1);
 		free(filename);
-		BEGIN(INITIAL);
+		yy_pop_state();
 		}
 
 	\"([^\" \t\n]+)\"	{	/* "filename" */
@@ -232,12 +251,12 @@ LT_EQUAL	<=
 		filename[strlen(filename) - 1] = '\0';
 		include_filename(filename + 1, 0);
 		free(filename);
-		BEGIN(INITIAL);
+		yy_pop_state();
 		}
 
 	[^\<\>\"{WS}]+ {	/* filename */
 		include_filename(yytext, 0);
-		BEGIN(INITIAL);
+		yy_pop_state();
 		}
 }
 
@@ -248,112 +267,100 @@ LT_EQUAL	<=
 	if ( !YY_CURRENT_BUFFER ) yyterminate();
 }
 
-<SUB_NAME>{
-	{ID}+	{
-			  /* Ugh, this is a gross hack. I used to use
-			   * {ID}+ to match all TOK_IDs, but that would
-			   * also match TOK_MODE + TOK_END_OF_RULE
-			   * without any spaces in between (because it's
-			   * a longer match). So now, when I want to
-			   * match any random string, I go into a
-			   * separate state. */
-			DUMP_PREPROCESS;
-			yylval.id =  processunquoted(yytext, yyleng);
-			PDEBUG("Found sub name: \"%s\"\n",  yylval.id);
-			BEGIN(INITIAL);
-			return TOK_ID;
-		}
-	{QUOTED_ID}	{
-			  /* Ugh, this is a gross hack. I used to use
-			   * {ID}+ to match all TOK_IDs, but that would
-			   * also match TOK_MODE + TOK_END_OF_RULE
-			   * without any spaces in between (because it's
-			   * a longer match). So now, when I want to
-			   * match any random string, I go into a
-			   * separate state. */
-			DUMP_PREPROCESS;
-			yylval.id = processquoted(yytext, yyleng);
-			PDEBUG("Found sub name: \"%s\"\n", yylval.id);
-			BEGIN(INITIAL);
-			return TOK_ID;
-		}
-
-	[^\n]	{
-			DUMP_PREPROCESS;
-			/* Something we didn't expect */
-			yyerror(_("Found unexpected character: '%s'"), yytext);
-		}
-}
-
-<SUB_NAME2>{
-	{ID}+	{
-			  /* Ugh, this is a gross hack. I used to use
-			   * {ID}+ to match all TOK_IDs, but that would
-			   * also match TOK_MODE + TOK_END_OF_RULE
-			   * without any spaces in between (because it's
-			   * a longer match). So now, when I want to
-			   * match any random string, I go into a
-			   * separate state. */
-			DUMP_PREPROCESS;
-			yylval.id = processunquoted(yytext, yyleng);
-			PDEBUG("Found sub name: \"%s\"\n", yylval.id);
-			BEGIN(INITIAL);
-			return TOK_ID;
-		}
-	{QUOTED_ID}	{
-			  /* Ugh, this is a gross hack. I used to use
-			   * {ID}+ to match all TOK_IDs, but that would
-			   * also match TOK_MODE + TOK_END_OF_RULE
-			   * without any spaces in between (because it's
-			   * a longer match). So now, when I want to
-			   * match any random string, I go into a
-			   * separate state. */
-			DUMP_PREPROCESS;
-			yylval.id  = processquoted(yytext, yyleng);
-			PDEBUG("Found sub name: \"%s\"\n", yylval.id);
-			BEGIN(INITIAL);
-			return TOK_ID;
-		}
-
-	{WS}+	{ DUMP_PREPROCESS; /* Ignoring whitespace */ }
-	[^\n]	{
-			DUMP_PREPROCESS;
-			/* Something we didn't expect */
-			yyerror(_("Found unexpected character: '%s'"), yytext);
-		}
-}
-
-<FLAGS_MODE>{
-	{FLAGOPEN_PAREN}	{
-			DUMP_PREPROCESS;
-			PDEBUG("FLag (\n");
-			return TOK_FLAG_OPENPAREN;
+<INITIAL,MOUNT_MODE>{
+	{VARIABLE_NAME}/{WS}*=	{
+				/* we match to the = in the lexer so that
+				 * can switch scanner state.  By the time
+				 * the parser see the = it may be to late
+				 * as bison may have requested the next
+				 * token from the scanner
+				 */
+				PDEBUG("conditional %s=\n", yytext);
+				yylval.id = processid(yytext, yyleng);
+				yy_push_state(EXTCOND_MODE);
+				return TOK_CONDID;
 			}
-	{FLAGCLOSE_PAREN}	{
+	{VARIABLE_NAME}/{WS}+in{WS}*\(	{
+				/* we match to 'in' in the lexer so that
+				 * we can switch scanner state.  By the time
+				 * the parser see the 'in' it may be to late
+				 * as bison may have requested the next
+				 * token from the scanner
+				 */
+				PDEBUG("conditional %s=\n", yytext);
+				yylval.id = processid(yytext, yyleng);
+				yy_push_state(EXTCOND_MODE);
+				return TOK_CONDID;
+			}
+}
+
+<SUB_ID>{
+	({IDS}|{QUOTED_ID})	{
+			  /* Ugh, this is a gross hack. I used to use
+			   * {IDS} to match all TOK_IDs, but that would
+			   * also match TOK_MODE + TOK_END_OF_RULE
+			   * without any spaces in between (because it's
+			   * a longer match). So now, when I want to
+			   * match any random string, I go into a
+			   * separate state. */
 			DUMP_PREPROCESS;
-			PDEBUG("Flag )\n");
-			BEGIN(INITIAL);
-			return TOK_FLAG_CLOSEPAREN;
+			yylval.id =  processid(yytext, yyleng);
+			PDEBUG("Found sub name: \"%s\"\n",  yylval.id);
+			yy_pop_state();
+			return TOK_ID;
+		}
+
+	[^\n]	{
+			DUMP_PREPROCESS;
+			/* Something we didn't expect */
+			yyerror(_("Found unexpected character: '%s'"), yytext);
+		}
+}
+
+<SUB_VALUE>{
+	({IDS}|{QUOTED_ID})	{
+			  /* Ugh, this is a gross hack. I used to use
+			   * {IDS} to match all TOK_IDs, but that would
+			   * also match TOK_MODE + TOK_END_OF_RULE
+			   * without any spaces in between (because it's
+			   * a longer match). So now, when I want to
+			   * match any random string, I go into a
+			   * separate state. */
+			DUMP_PREPROCESS;
+			yylval.id =  processid(yytext, yyleng);
+			PDEBUG("Found sub value: \"%s\"\n",  yylval.id);
+			yy_pop_state();
+			return TOK_VALUE;
+		}
+
+	[^\n]	{
+			DUMP_PREPROCESS;
+			/* Something we didn't expect */
+			yyerror(_("Found unexpected character: '%s'"), yytext);
+		}
+}
+
+<LIST_VAL_MODE>{
+	{CLOSE_PAREN}	{
+			DUMP_PREPROCESS;
+			PDEBUG("listval: )\n");
+			yy_pop_state();
+			return TOK_CLOSEPAREN;
 			}
 
 	{WS}+		{ DUMP_PREPROCESS; /* Eat whitespace */ }
 
-	{FLAGSEP}	{
+	{COMMA}	{
 			DUMP_PREPROCESS;
-			PDEBUG("Flag , \n");
-			return TOK_FLAG_SEP;
+			PDEBUG("listval: , \n");
+			/* East comma, its an optional separator */
 			}
 
-	{EQUALS}	{
+	({LIST_VALUE_ID}|{QUOTED_ID})	{
 			DUMP_PREPROCESS;
-			PDEBUG("Flag = \n");
-			return TOK_EQUALS;
-			}
-	{KEYWORD}	{
-			DUMP_PREPROCESS;
-			yylval.flag_id = strdup(yytext);
-			PDEBUG("Found flag: \"%s\"\n", yylval.flag_id);
-			return TOK_FLAG_ID;
+			yylval.id = processid(yytext, yyleng);
+			PDEBUG("listval: \"%s\"\n", yylval.id);
+			return TOK_VALUE;
 			}
 
 	[^\n]		{
@@ -363,19 +370,51 @@ LT_EQUAL	<=
 			}
 }
 
+<EXTCOND_MODE>{
+	{WS}+		{ DUMP_PREPROCESS; /* Eat whitespace */ }
+
+	{EQUALS}{WS}*/[^(\n]{-}{WS}	{
+			DUMP_PREPROCESS;
+			BEGIN(SUB_VALUE);
+			return TOK_EQUALS;
+		}
+
+	{EQUALS}	{
+			DUMP_PREPROCESS;
+			return TOK_EQUALS;
+		}
+
+	{OPEN_PAREN}	{
+			DUMP_PREPROCESS;
+			PDEBUG("extcond listv\n");
+			/* Don't push state here as this is a transition
+			 * start condition and we want to return to the start
+			 * condition that invoked <EXTCOND_MODE> when
+			 * LIST_VAL_ID is done
+			 */
+			BEGIN(LIST_VAL_MODE);
+			return TOK_OPENPAREN;
+		}
+
+	in	{
+			DUMP_PREPROCESS;
+			return TOK_IN;
+		}
+
+	[^\n]	{
+			DUMP_PREPROCESS;
+			/* Something we didn't expect */
+			yyerror(_("Found unexpected character: '%s' %d"), yytext, *yytext);
+		}
+
+}
+
 <ASSIGN_MODE>{
 	{WS}+		{ DUMP_PREPROCESS; /* Eat whitespace */ }
 
-	{ID}+		{
+	({IDS}|{QUOTED_ID})		{
 			DUMP_PREPROCESS;
-			yylval.var_val = processunquoted(yytext, yyleng);
-			PDEBUG("Found assignment value: \"%s\"\n", yylval.var_val);
-			return TOK_VALUE;
-			}
-
-	{QUOTED_ID}	{
-			DUMP_PREPROCESS;
-			yylval.var_val = processquoted(yytext, yyleng);
+			yylval.var_val = processid(yytext, yyleng);
 			PDEBUG("Found assignment value: \"%s\"\n", yylval.var_val);
 			return TOK_VALUE;
 			}
@@ -391,7 +430,7 @@ LT_EQUAL	<=
 	\r?\n		{
 			DUMP_PREPROCESS;
 			current_lineno++;
-			BEGIN(INITIAL);
+			yy_pop_state();
 			}
 	[^\n]		{
 			DUMP_PREPROCESS;
@@ -403,14 +442,14 @@ LT_EQUAL	<=
 <NETWORK_MODE>{
 	{WS}+		{ DUMP_PREPROCESS; /* Eat whitespace */ }
 
-	{ID}+		{
+	{IDS}		{
 			DUMP_PREPROCESS;
 			yylval.id = strdup(yytext);
 			return TOK_ID;
 			}
 	{END_OF_RULE}	{
 			DUMP_PREPROCESS;
-			BEGIN(INITIAL);
+			yy_pop_state();
 			return TOK_END_OF_RULE;
 		}
 	[^\n]		{
@@ -433,32 +472,18 @@ LT_EQUAL	<=
 			return TOK_ARROW;
 			}
 
-	{ID}+	{
+	({IDS}|{QUOTED_ID})	{
 			  /* Ugh, this is a gross hack. I used to use
-			   * {ID}+ to match all TOK_IDs, but that would
+			   * {IDS} to match all TOK_IDs, but that would
 			   * also match TOK_MODE + TOK_END_OF_RULE
 			   * without any spaces in between (because it's
 			   * a longer match). So now, when I want to
 			   * match any random string, I go into a
 			   * separate state. */
 			DUMP_PREPROCESS;
-			yylval.id = processunquoted(yytext, yyleng);
+			yylval.id = processid(yytext, yyleng);
 			PDEBUG("Found change profile name: \"%s\"\n", yylval.id);
-			BEGIN(INITIAL);
-			return TOK_ID;
-		}
-	{QUOTED_ID}	{
-			  /* Ugh, this is a gross hack. I used to use
-			   * {ID}+ to match all TOK_IDs, but that would
-			   * also match TOK_MODE + TOK_END_OF_RULE
-			   * without any spaces in between (because it's
-			   * a longer match). So now, when I want to
-			   * match any random string, I go into a
-			   * separate state. */
-			DUMP_PREPROCESS;
-			yylval.id = processquoted(yytext, yyleng);
-			PDEBUG("Found change profile quoted name: \"%s\"\n", yylval.id);
-			BEGIN(INITIAL);
+			yy_pop_state();
 			return TOK_ID;
 		}
 
@@ -470,48 +495,11 @@ LT_EQUAL	<=
 		}
 }
 
-#include/.*\r?\n	 { /* include */
-			PDEBUG("Matched #include\n");
-			BEGIN(INCLUDE);
-			}
-
-#.*\r?\n		{ /* normal comment */
-			DUMP_PREPROCESS;
-			PDEBUG("comment(%d): %s\n", current_lineno, yytext);
-			current_lineno++;
-			BEGIN(INITIAL);
-}
-
-{END_OF_RULE}		{ DUMP_PREPROCESS; return TOK_END_OF_RULE; }
-
-{SEPARATOR}		{
-			DUMP_PREPROCESS;
-			PDEBUG("Matched a separator\n");
-			BEGIN(SUB_NAME);
-			return TOK_SEP;
-			}
-{ARROW}			{
-			DUMP_PREPROCESS;
-			PDEBUG("Matched a arrow\n");
-			return TOK_ARROW;
-			}
-{EQUALS}		{
-			DUMP_PREPROCESS;
-			PDEBUG("Matched equals for assignment\n");
-			BEGIN(ASSIGN_MODE);
-			return TOK_EQUALS;
-			}
-{ADD_ASSIGN}		{
-			DUMP_PREPROCESS;
-			PDEBUG("Matched additive value assignment\n");
-			BEGIN(ASSIGN_MODE);
-			return TOK_ADD_ASSIGN;
-			}
 <RLIMIT_MODE>{
 	{WS}+		{ DUMP_PREPROCESS; /* Eat whitespace */ }
 
 
-	-?{NUMBER}[kKMG]?  {
+	-?{NUMBER}[[:alpha:]]*  {
 			DUMP_PREPROCESS;
 		        yylval.var_val = strdup(yytext);
 		        return TOK_VALUE;
@@ -529,23 +517,94 @@ LT_EQUAL	<=
 
 	{END_OF_RULE}	{
 			DUMP_PREPROCESS;
-			BEGIN(INITIAL);
+			yy_pop_state();
 			return TOK_END_OF_RULE;
 			}
 
 	\\\n		{
 			DUMP_PREPROCESS;
 			current_lineno++;
-			BEGIN(INITIAL);
+			yy_pop_state();
 			}
 
 	\r?\n		{
 			DUMP_PREPROCESS;
 			current_lineno++;
-			BEGIN(INITIAL);
+			yy_pop_state();
 			}
 }
 
+<MOUNT_MODE>{
+	{WS}+		{  DUMP_PREPROCESS; /* Ignoring whitespace */ }
+
+	{ARROW}		{
+			DUMP_PREPROCESS;
+			PDEBUG("Matched arrow\n");
+			return TOK_ARROW;
+			}
+
+	({IDS_NOEQ}|{PATHNAME}|{QUOTED_ID})	{
+			DUMP_PREPROCESS;
+			yylval.id = processid(yytext, yyleng);
+			PDEBUG("Found ID: \"%s\"\n", yylval.id);
+			return TOK_ID;
+			}
+
+	{END_OF_RULE}	{
+			DUMP_PREPROCESS;
+			yy_pop_state();
+			return TOK_END_OF_RULE;
+			}
+
+	[^\n]		{
+			DUMP_PREPROCESS;
+			/* Something we didn't expect */
+			yyerror(_("Found unexpected character: '%s'"), yytext);
+			}
+
+	\r?\n		{
+			DUMP_PREPROCESS;
+			current_lineno++;
+			yy_pop_state();
+			}
+}
+
+#include/.*\r?\n	 { /* include */
+			PDEBUG("Matched #include\n");
+			yy_push_state(INCLUDE);
+			}
+
+#.*\r?\n		{ /* normal comment */
+			DUMP_PREPROCESS;
+			PDEBUG("comment(%d): %s\n", current_lineno, yytext);
+			current_lineno++;
+			}
+
+{END_OF_RULE}		{ DUMP_PREPROCESS; return TOK_END_OF_RULE; }
+
+{CARET}			{
+			DUMP_PREPROCESS;
+			PDEBUG("Matched hat ^\n");
+			yy_push_state(SUB_ID);
+			return TOK_CARET;
+			}
+{ARROW}			{
+			DUMP_PREPROCESS;
+			PDEBUG("Matched a arrow\n");
+			return TOK_ARROW;
+			}
+{EQUALS}		{
+			DUMP_PREPROCESS;
+			PDEBUG("Matched equals for assignment\n");
+			yy_push_state(ASSIGN_MODE);
+			return TOK_EQUALS;
+			}
+{ADD_ASSIGN}		{
+			DUMP_PREPROCESS;
+			PDEBUG("Matched additive value assignment\n");
+			yy_push_state(ASSIGN_MODE);
+			return TOK_ADD_ASSIGN;
+			}
 {SET_VARIABLE}		{
 			DUMP_PREPROCESS;
 			yylval.set_var = strdup(yytext);
@@ -571,21 +630,14 @@ LT_EQUAL	<=
 			return TOK_CLOSE;
 			}
 
-{PATHNAME}		{
+({PATHNAME}|{QPATHNAME})		{
 			DUMP_PREPROCESS;
-			yylval.id = processunquoted(yytext, yyleng);
+			yylval.id = processid(yytext, yyleng);
 			PDEBUG("Found id: \"%s\"\n", yylval.id);
 			return TOK_ID;
 			}
 
-{QPATHNAME}		{
-			DUMP_PREPROCESS;
-			yylval.id = processquoted(yytext, yyleng);
-			PDEBUG("Found id: \"%s\"\n", yylval.id);
-			return TOK_ID;
-			}
-
-{MODES}			{
+({MODES})/([[:space:],])	{
 			DUMP_PREPROCESS;
 			yylval.mode = strdup(yytext);
 			PDEBUG("Found modes: %s\n", yylval.mode);
@@ -594,21 +646,27 @@ LT_EQUAL	<=
 
 {HAT}			{
 			DUMP_PREPROCESS;
-			BEGIN(SUB_NAME2);
+			yy_push_state(SUB_ID);
 			return TOK_HAT;
 			}
 
+{PROFILE}		{
+			DUMP_PREPROCESS;
+			yy_push_state(SUB_ID);
+			return TOK_PROFILE;
+			}
+
 {COLON}			{
 			DUMP_PREPROCESS;
 			PDEBUG("Found a colon\n");
 			return TOK_COLON;
 			}
 
-{FLAGOPEN_PAREN}	{
+{OPEN_PAREN}	{
 			DUMP_PREPROCESS;
-			PDEBUG("FLag (\n");
-			BEGIN(FLAGS_MODE);
-			return TOK_FLAG_OPENPAREN;
+			PDEBUG("listval (\n");
+			yy_push_state(LIST_VAL_MODE);
+			return TOK_OPENPAREN;
 			}
 
 {VARIABLE_NAME}		{
@@ -623,20 +681,21 @@ LT_EQUAL	<=
 				PDEBUG("Found (var) id: \"%s\"\n", yylval.id);
 				return TOK_ID;
 				break;
-			case TOK_PROFILE:
-				BEGIN(SUB_NAME2);
-				break;
-			case TOK_FLAGS:
-				BEGIN(FLAGS_MODE);
-				break;
 			case TOK_RLIMIT:
-				BEGIN(RLIMIT_MODE);
+				yy_push_state(RLIMIT_MODE);
 				break;
 			case TOK_NETWORK:
-				BEGIN(NETWORK_MODE);
+				yy_push_state(NETWORK_MODE);
 				break;
 			case TOK_CHANGE_PROFILE:
-				BEGIN(CHANGE_PROFILE_MODE);
+				yy_push_state(CHANGE_PROFILE_MODE);
+				break;
+			case TOK_MOUNT:
+			case TOK_REMOUNT:
+			case TOK_UMOUNT:
+				DUMP_PREPROCESS;
+				PDEBUG("Entering mount\n");
+				yy_push_state(MOUNT_MODE);
 				break;
 			default: /* nothing */
 				break;

parser/parser_main.c

@@ -2,8 +2,8 @@
  *   Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
  *   NOVELL (All rights reserved)
  *
- *   Copyright (c) 2010
- *   Canonical, Ltd. (All rights reserved)
+ *   Copyright (c) 2010 - 2012
+ *   Canonical Ltd. (All rights reserved)
  *
  *   This program is free software; you can redistribute it and/or
  *   modify it under the terms of version 2 of the GNU General Public
@@ -19,6 +19,7 @@
  *   Ltd.
  */
 
+#include <ctype.h>
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
@@ -28,14 +29,15 @@
 #include <fcntl.h>
 #include <mntent.h>
 #include <libintl.h>
-#include <linux/limits.h>
 #include <locale.h>
+#include <dirent.h>
 #define _(s) gettext(s)
 
 /* enable the following line to get voluminous debug info */
 /* #define DEBUG */
 
 #include <unistd.h>
+#include <limits.h>
 #include <sys/sysctl.h>
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -58,46 +60,28 @@
 #define UNPRIVILEGED_OPS (!(PRIVILEGED_OPS))
 
 const char *parser_title	= "AppArmor parser";
-const char *parser_copyright	= "Copyright (C) 1999-2008 Novell Inc.\nCopyright 2009-2010 Canonical Ltd.";
+const char *parser_copyright	= "Copyright (C) 1999-2008 Novell Inc.\nCopyright 2009-2012 Canonical Ltd.";
 
 char *progname;
-int option = OPTION_ADD;
 int opt_force_complain = 0;
 int binary_input = 0;
-int names_only = 0;
 int dump_vars = 0;
 int dump_expanded_vars = 0;
-dfaflags_t dfaflags = DFA_CONTROL_TREE_NORMAL | DFA_CONTROL_TREE_SIMPLE | DFA_CONTROL_MINIMIZE | DFA_CONTROL_MINIMIZE_HASH_TRANS | DFA_CONTROL_MINIMIZE_HASH_PERMS;
-int conf_verbose = 0;
-int conf_quiet = 0;
-int kernel_load = 1;
 int show_cache = 0;
 int skip_cache = 0;
 int skip_read_cache = 0;
 int write_cache = 0;
-#ifdef FORCE_READ_IMPLIES_EXEC
-int read_implies_exec = 1;
-#else
-int read_implies_exec = 0;
-#endif
 int preprocess_only = 0;
 int skip_mode_force = 0;
 struct timespec mru_tstamp;
 
-char *subdomainbase = NULL;
+#define FLAGS_STRING_SIZE 1024
 char *match_string = NULL;
 char *flags_string = NULL;
-int regex_type = AARE_DFA;
-int perms_create = 0;		/* perms contain create flag */
-int kernel_supports_network = 1;	/* kernel supports network rules */
-int net_af_max_override = -1;		/* use kernel to determine af_max */
-char *profile_namespace = NULL;
-int flag_changehat_version = FLAG_CHANGEHAT_1_5;
-FILE *ofile = NULL;
+char *cacheloc = NULL;
 
 /* per-profile settings */
 int force_complain = 0;
-char *profilename = NULL;
 
 struct option long_options[] = {
 	{"add", 		0, 0, 'a'},
@@ -125,6 +109,7 @@ struct option long_options[] = {
 	{"skip-read-cache",	0, 0, 'T'},
 	{"write-cache",		0, 0, 'W'},
 	{"show-cache",		0, 0, 'k'},
+	{"cache-loc",		1, 0, 'L'},
 	{"debug",		0, 0, 'd'},
 	{"dump",		1, 0, 'D'},
 	{"Dump",		1, 0, 'D'},
@@ -166,6 +151,7 @@ static void display_usage(char *command)
 	       "-K, --skip-cache	Do not attempt to load or save cached profiles\n"
 	       "-T, --skip-read-cache	Do not attempt to load cached profiles\n"
 	       "-W, --write-cache	Save cached profile (force with -T)\n"
+	       "-L, --cache-loc n	Set the location of the profile cache\n"
 	       "-q, --quiet		Don't emit warnings\n"
 	       "-v, --verbose		Show profile names as they load\n"
 	       "-Q, --skip-kernel-load	Do everything except loading into kernel\n"
@@ -216,6 +202,8 @@ optflag_table_t dumpflag_table[] = {
 	  DFA_DUMP_UNIQ_PERMS },
 	{ 1, "dfa-minimize-uniq-perms", "Dump unique perms post minimization",
 	  DFA_DUMP_MIN_UNIQ_PERMS },
+	{ 1, "dfa-minimize-partitions", "Dump dfa minimization partitions",
+	  DFA_DUMP_MIN_PARTS },
 	{ 1, "compress-progress", "Dump progress of compression",
 	  DFA_DUMP_TRANS_PROGRESS | DFA_DUMP_TRANS_STATS },
 	{ 1, "compress-stats", "Dump stats on compression",
@@ -242,10 +230,10 @@ optflag_table_t optflag_table[] = {
 	{ 2, "expr-right-simplify", "right simplification first",
 	  DFA_CONTROL_TREE_LEFT },
 	{ 1, "minimize", "dfa state minimization", DFA_CONTROL_MINIMIZE },
-	{ 1, "hash-perms", "minimization - hash permissions during setup",
-	  DFA_CONTROL_MINIMIZE_HASH_PERMS },
 	{ 1, "hash-trans", "minimization - hash transitions during setup",
 	  DFA_CONTROL_MINIMIZE_HASH_TRANS },
+	{ 1, "filter-deny", "filter out deny information from final dfa",
+	  DFA_CONTROL_FILTER_DENY },
 	{ 1, "remove-unreachable", "dfa unreachable state removal",
 	  DFA_CONTROL_REMOVE_UNREACHABLE },
 	{ 0, "compress-small",
@@ -322,29 +310,243 @@ static void display_optimize(char *command)
 	print_flag_table(optflag_table);
 }
 
-void pwarn(char *fmt, ...)
+
+/* Treat conf file like options passed on command line
+ */
+static int getopt_long_file(FILE *f, const struct option *longopts,
+			    char **optarg, int *longindex)
 {
-	va_list arg;
-	char *newfmt;
-	int rc;
+	static char line[256];
+	char *pos, *opt, *save;
+	int i;
 
-	if (conf_quiet || names_only || option == OPTION_REMOVE)
-		return;
+	for (;;) {
+		if (!fgets(line, 256, f))
+			return -1;
+		pos = line;
+		while (isblank(*pos))
+			pos++;
+		if (*pos == '#')
+			continue;
+		opt = strtok_r(pos, " \t\r\n=", &save);
+		/* blank line */
+		if (!opt)
+			continue;
 
-	rc = asprintf(&newfmt, _("Warning from %s (%s%sline %d): %s"),
-		      profilename ? profilename : "stdin",
-		      current_filename ? current_filename : "",
-		      current_filename ? " " : "",
-		      current_lineno,
-		      fmt);
-	if (!newfmt)
-		return;
+		for (i = 0; longopts[i].name &&
+			     strcmp(longopts[i].name, opt) != 0; i++) ;
+		if (!longopts[i].name) {
+			PERROR("%s: unknown option (%s) in config file.\n",
+			       progname, opt);
+			/* skip it */
+			continue;
+		}
+		break;
+	}
 
-	va_start(arg, fmt);
-	vfprintf(stderr, newfmt, arg);
-	va_end(arg);
+	if (longindex)
+		*longindex = i;
 
-	free(newfmt);
+	if (*save) {
+		int len;
+		while(isblank(*save))
+			save++;
+		len = strlen(save) - 1;
+		if (save[len] == '\n')
+			save[len] = 0;
+	}
+
+	switch (longopts[i].has_arg) {
+	case 0:
+		*optarg = NULL;
+		break;
+	case 1:
+		if (!strlen(save)) {
+			*optarg = NULL;
+			return '?';
+		}
+		*optarg = save;
+		break;
+	case 2:
+		*optarg = save;
+		break;
+	default:
+		PERROR("%s: internal error bad longopt value\n", progname);
+		exit(1);
+	}
+
+	if (longopts[i].flag == NULL)
+		return longopts[i].val;
+	else
+		*longopts[i].flag = longopts[i].val;
+	return 0;
+}
+
+/* process a single argment from getopt_long
+ * Returns: 1 if an action arg, else 0
+ */
+static int process_arg(int c, char *optarg)
+{
+	int count = 0;
+
+	switch (c) {
+	case 0:
+		PERROR("Assert, in getopt_long handling\n");
+		display_usage(progname);
+		exit(0);
+		break;
+	case 'a':
+		count++;
+		option = OPTION_ADD;
+		break;
+	case 'd':
+		debug++;
+		skip_read_cache = 1;
+		break;
+	case 'h':
+		if (!optarg) {
+			display_usage(progname);
+		} else if (strcmp(optarg, "Dump") == 0 ||
+			   strcmp(optarg, "dump") == 0 ||
+			   strcmp(optarg, "D") == 0) {
+			display_dump(progname);
+		} else if (strcmp(optarg, "Optimize") == 0 ||
+			   strcmp(optarg, "optimize") == 0 ||
+			   strcmp(optarg, "O") == 0) {
+			display_optimize(progname);
+		} else {
+			PERROR("%s: Invalid --help option %s\n",
+			       progname, optarg);
+			exit(1);
+		}
+		exit(0);
+		break;
+	case 'r':
+		count++;
+		option = OPTION_REPLACE;
+		break;
+	case 'R':
+		count++;
+		option = OPTION_REMOVE;
+		skip_cache = 1;
+		break;
+	case 'V':
+		display_version();
+		exit(0);
+		break;
+	case 'I':
+		add_search_dir(optarg);
+		break;
+	case 'b':
+		set_base_dir(optarg);
+		break;
+	case 'B':
+		binary_input = 1;
+		skip_cache = 1;
+		break;
+	case 'C':
+		opt_force_complain = 1;
+		skip_cache = 1;
+		break;
+	case 'N':
+		names_only = 1;
+		skip_cache = 1;
+		break;
+	case 'S':
+		count++;
+		option = OPTION_STDOUT;
+		skip_read_cache = 1;
+		kernel_load = 0;
+		break;
+	case 'o':
+		count++;
+		option = OPTION_OFILE;
+		skip_read_cache = 1;
+		kernel_load = 0;
+		ofile = fopen(optarg, "w");
+		if (!ofile) {
+			PERROR("%s: Could not open file %s\n",
+			       progname, optarg);
+			exit(1);
+		}
+		break;
+	case 'f':
+		subdomainbase = strndup(optarg, PATH_MAX);
+		break;
+	case 'D':
+		skip_read_cache = 1;
+		if (!optarg) {
+			dump_vars = 1;
+		} else if (strcmp(optarg, "variables") == 0) {
+			dump_vars = 1;
+		} else if (strcmp(optarg, "expanded-variables") == 0) {
+			dump_expanded_vars = 1;
+		} else if (!handle_flag_table(dumpflag_table, optarg,
+					      &dfaflags)) {
+			PERROR("%s: Invalid --Dump option %s\n",
+			       progname, optarg);
+			exit(1);
+		}
+		break;
+	case 'O':
+		skip_read_cache = 1;
+
+		if (!handle_flag_table(optflag_table, optarg,
+				       &dfaflags)) {
+			PERROR("%s: Invalid --Optimize option %s\n",
+			       progname, optarg);
+			exit(1);
+		}
+		break;
+	case 'm':
+		match_string = strdup(optarg);
+		break;
+	case 'q':
+		conf_verbose = 0;
+		conf_quiet = 1;
+		break;
+	case 'v':
+		conf_verbose = 1;
+		conf_quiet = 0;
+		break;
+	case 'n':
+		profile_namespace = strdup(optarg);
+		break;
+	case 'X':
+		read_implies_exec = 1;
+		break;
+	case 'K':
+		skip_cache = 1;
+		break;
+	case 'k':
+		show_cache = 1;
+		break;
+	case 'W':
+		write_cache = 1;
+		break;
+	case 'T':
+		skip_read_cache = 1;
+		break;
+	case 'L':
+		cacheloc = strdup(optarg);
+		break;
+	case 'Q':
+		kernel_load = 0;
+		break;
+	case 'p':
+		count++;
+		kernel_load = 0;
+		skip_cache = 1;
+		preprocess_only = 1;
+		skip_mode_force = 1;
+		break;
+	default:
+		display_usage(progname);
+		exit(0);
+		break;
+	}
+
+	return count;
 }
 
 static int process_args(int argc, char *argv[])
@@ -355,159 +557,7 @@ static int process_args(int argc, char *argv[])
 
 	while ((c = getopt_long(argc, argv, "adf:h::rRVvI:b:BCD:NSm:qQn:XKTWkO:po:", long_options, &o)) != -1)
 	{
-		switch (c) {
-		case 0:
-			PERROR("Assert, in getopt_long handling\n");
-			display_usage(progname);
-			exit(0);
-			break;
-		case 'a':
-			count++;
-			option = OPTION_ADD;
-			break;
-		case 'd':
-			debug++;
-			skip_read_cache = 1;
-			break;
-		case 'h':
-			if (!optarg) {
-				display_usage(progname);
-			} else if (strcmp(optarg, "Dump") == 0 ||
-				   strcmp(optarg, "dump") == 0 ||
-				   strcmp(optarg, "D") == 0) {
-				display_dump(progname);
-			} else if (strcmp(optarg, "Optimize") == 0 ||
-				   strcmp(optarg, "optimize") == 0 ||
-				   strcmp(optarg, "O") == 0) {
-				display_optimize(progname);
-			} else {
-				PERROR("%s: Invalid --help option %s\n",
-				       progname, optarg);
-				exit(1);
-			}	
-			exit(0);
-			break;
-		case 'r':
-			count++;
-			option = OPTION_REPLACE;
-			break;
-		case 'R':
-			count++;
-			option = OPTION_REMOVE;
-			skip_cache = 1;
-			break;
-		case 'V':
-			display_version();
-			exit(0);
-			break;
-		case 'I':
-			add_search_dir(optarg);
-			break;
-		case 'b':
-			set_base_dir(optarg);
-			break;
-		case 'B':
-			binary_input = 1;
-			skip_cache = 1;
-			break;
-		case 'C':
-			opt_force_complain = 1;
-			skip_cache = 1;
-			break;
-		case 'N':
-			names_only = 1;
-			skip_cache = 1;
-			break;
-		case 'S':
-			count++;
-			option = OPTION_STDOUT;
-			skip_read_cache = 1;
-			kernel_load = 0;
-			break;
-		case 'o':
-			count++;
-			option = OPTION_OFILE;
-			skip_read_cache = 1;
-			kernel_load = 0;
-			ofile = fopen(optarg, "w");
-			if (!ofile) {
-				PERROR("%s: Could not open file %s\n",
-				       progname, optarg);
-				exit(1);
-			}
-			break;
-		case 'f':
-			subdomainbase = strndup(optarg, PATH_MAX);
-			break;
-		case 'D':
-			skip_read_cache = 1;
-			if (!optarg) {
-				dump_vars = 1;
-			} else if (strcmp(optarg, "variables") == 0) {
-				dump_vars = 1;
-			} else if (strcmp(optarg, "expanded-variables") == 0) {
-				dump_expanded_vars = 1;
-			} else if (!handle_flag_table(dumpflag_table, optarg,
-						      &dfaflags)) {
-				PERROR("%s: Invalid --Dump option %s\n",
-				       progname, optarg);
-				exit(1);
-			}
-			break;
-		case 'O':
-			skip_read_cache = 1;
-
-			if (!handle_flag_table(optflag_table, optarg,
-					       &dfaflags)) {
-				PERROR("%s: Invalid --Optimize option %s\n",
-				       progname, optarg);
-				exit(1);
-			}
-			break;
-		case 'm':
-			match_string = strdup(optarg);
-			break;
-		case 'q':
-			conf_verbose = 0;
-			conf_quiet = 1;
-			break;
-		case 'v':
-			conf_verbose = 1;
-			conf_quiet = 0;
-			break;
-		case 'n':
-			profile_namespace = strdup(optarg);
-			break;
-		case 'X':
-			read_implies_exec = 1;
-			break;
-		case 'K':
-			skip_cache = 1;
-			break;
-		case 'k':
-			show_cache = 1;
-			break;
-		case 'W':
-			write_cache = 1;
-			break;
-		case 'T':
-			skip_read_cache = 1;
-			break;
-		case 'Q':
-			kernel_load = 0;
-			break;
-		case 'p':
-			count++;
-			kernel_load = 0;
-			skip_cache = 1;
-			preprocess_only = 1;
-			skip_mode_force = 1;
-			break;
-		default:
-			display_usage(progname);
-			exit(0);
-			break;
-		}
+		count += process_arg(c, optarg);
 	}
 
 	if (count > 1) {
@@ -521,6 +571,21 @@ static int process_args(int argc, char *argv[])
 	return optind;
 }
 
+static int process_config_file(const char *name)
+{
+	char *optarg;
+	FILE *f;
+	int c, o;
+
+	f = fopen(name, "r");
+	if (!f)
+		return 0;
+
+	while ((c = getopt_long_file(f, long_options, &optarg, &o)) != -1)
+		process_arg(c, optarg);
+	return 1;
+}
+
 static inline char *try_subdomainfs_mountpoint(const char *mntpnt,
 					       const char *path)
 {
@@ -610,17 +675,139 @@ int have_enough_privilege(void)
 	return 0;
 }
 
+char *snprintf_buffer(char *buf, char *pos, ssize_t size, const char *fmt, ...)
+{
+	va_list args;
+	int i, remaining = size - (pos - buf);
+
+	va_start(args, fmt);
+	i = vsnprintf(pos, remaining, fmt, args);
+	va_end(args);
+
+	if (i >= size) {
+		PERROR(_("Feature buffer full."));
+		exit(1);
+	}
+
+	return pos + i;
+}
+
+static char *handle_features_dir(const char *filename, char **buffer, int size,
+				 char *pos)
+{
+	DIR *dir = NULL;
+	char *dirent_path = NULL;
+	struct dirent *dirent;
+	struct stat my_stat;
+	int len;
+
+	PDEBUG("Opened features directory \"%s\"\n", filename);
+	if (!(dir = opendir(filename))) {
+		PDEBUG("opendir failed '%s'", filename);
+		exit(1);
+	}
+
+	while ((dirent = readdir(dir)) != NULL) {
+		int name_len;
+		/* skip dotfiles silently. */
+		if (dirent->d_name[0] == '.')
+			continue;
+
+		if (dirent_path)
+			free(dirent_path);
+		if (asprintf(&dirent_path, "%s/%s", filename, dirent->d_name) < 0)
+		{
+			PERROR(_("Memory allocation error."));
+			exit(1);
+		}
+
+		name_len = strlen(dirent->d_name);
+		if (!name_len)
+			continue;
+
+		if (stat(dirent_path, &my_stat)) {
+			PERROR(_("stat failed for '%s'"), dirent_path);
+			exit(1);
+		}
+
+		pos = snprintf_buffer(*buffer, pos, size, "%s {", dirent->d_name);
+		if (S_ISREG(my_stat.st_mode)) {
+			int file;
+			int remaining = size - (pos - *buffer);
+			if (!(file = open(dirent_path, O_RDONLY))) {
+				PDEBUG("Could not open '%s' in '%s'", dirent_path, filename);
+				exit(1);
+				break;
+			}
+			PDEBUG("Opened features \"%s\" in \"%s\"\n", dirent_path, filename);
+			if (my_stat.st_size > remaining) {
+				PERROR(_("Feature buffer full."));
+				exit(1);
+			}
+
+			do {
+				len = read(file, pos, remaining);
+				if (len > 0) {
+					remaining -= len;
+					pos += len;
+					*pos = 0;
+				}
+			} while (len > 0);
+			if (len < 0) {
+				PDEBUG("Error reading feature file '%s'\n",
+				       dirent_path);
+				exit(1);
+			}
+			close(file);
+
+		} else if (S_ISDIR(my_stat.st_mode)) {
+			pos = handle_features_dir(dirent_path, buffer, size,
+						  pos);
+			if (!pos)
+				break;
+
+		}
+
+		pos = snprintf_buffer(*buffer, pos, size, "}\n");
+	}
+	if (dirent_path)
+		free(dirent_path);
+	closedir(dir);
+
+	return pos;
+}
+
 /* match_string == NULL --> no match_string available
    match_string != NULL --> either a matching string specified on the
    command line, or the kernel supplied a match string */
 static void get_match_string(void) {
 
 	FILE *ms = NULL;
+	struct stat stat_file;
 
 	/* has process_args() already assigned a match string? */
 	if (match_string)
 		goto out;
 
+	if (stat(FLAGS_FILE, &stat_file) == -1)
+		goto out;
+
+	if (S_ISDIR(stat_file.st_mode)) {
+		/* if we have a features directory default to */
+		regex_type = AARE_DFA;
+		perms_create = 1;
+
+		flags_string = malloc(FLAGS_STRING_SIZE);
+		handle_features_dir(FLAGS_FILE, &flags_string, FLAGS_STRING_SIZE, flags_string);
+		if (strstr(flags_string, "network"))
+			kernel_supports_network = 1;
+		else
+			kernel_supports_network = 0;
+		if (strstr(flags_string, "mount"))
+			kernel_supports_mount = 1;
+		return;
+	}
+
 	ms = fopen(MATCH_STRING, "r");
 	if (!ms)
 		goto out;
@@ -659,20 +846,24 @@ out:
 static void get_flags_string(char **flags, char *flags_file) {
 	char *pos;
 	FILE *f = NULL;
+	size_t size;
 
 	/* abort if missing or already set */
-	if (!flags || *flags) return;
+	if (!flags || *flags)
+		return;
 
 	f = fopen(flags_file, "r");
 	if (!f)
 		return;
 
-	*flags = malloc(1024);
+	*flags = malloc(FLAGS_STRING_SIZE);
 	if (!*flags)
 		goto fail;
 
-	if (!fgets(*flags, 1024, f))
+	size = fread(*flags, 1, FLAGS_STRING_SIZE - 1, f);
+	if (!size || ferror(f))
 		goto fail;
+	(*flags)[size] = 0;
 
 	fclose(f);
 	pos = strstr(*flags, "change_hat=");
@@ -863,6 +1054,15 @@ int process_profile(int option, char *profilename)
 	if (retval != 0)
 		goto out;
 
+	/* Test to see if profile is for another namespace, if so disable
+	 * caching for now
+	 * TODO: Add support for caching profiles in an alternate namespace
+	 * TODO: Add support for embedded namespace defines if they aren't
+	 *       removed from the language.
+	 */
+	if (profile_namespace)
+		skip_cache = 1;
+
 	/* Do secondary test to see if cached binary profile is good,
 	 * instead of checking against a presupplied list of files
 	 * use the timestamps from the files that were parsed.
@@ -871,8 +1071,14 @@ int process_profile(int option, char *profilename)
 	 */
 	if ((profilename && option != OPTION_REMOVE) && !force_complain &&
 	    !skip_cache) {
-		if (asprintf(&cachename, "%s/%s/%s", basedir, "cache", basename)<0) {
-			perror("asprintf");
+		if (cacheloc) {
+			cachename = strdup(cacheloc);
+			if (!cachename) {
+				PERROR(_("Memory allocation error."));
+				exit(1);
+			}
+		} else if (asprintf(&cachename, "%s/%s/%s", basedir, "cache", basename)<0) {
+			PERROR(_("Memory allocation error."));
 			exit(1);
 		}
 		/* Load a binary cache if it exists and is newest */
@@ -950,8 +1156,7 @@ out:
 		}
 		else {
 			unlink(cachetemp);
-			if (show_cache)
-				PERROR("Removed cache attempt: %s\n", cachetemp);
+			PERROR("Warning failed to create cache: %s\n", basename);
 		}
 		free(cachetemp);
 	}
@@ -1033,6 +1238,7 @@ int main(int argc, char *argv[])
 
 	init_base_dir();
 
+	process_config_file("/etc/apparmor/parser.conf");
 	optind = process_args(argc, argv);
 
 	setlocale(LC_MESSAGES, "");

parser/parser_misc.c

@@ -17,6 +17,7 @@
 
 /* assistance routines */
 
+#include <assert.h>
 #include <ctype.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -36,6 +37,7 @@
 
 #include "parser.h"
 #include "parser_yacc.h"
+#include "mount.h"
 
 /* #define DEBUG */
 #ifdef DEBUG
@@ -53,8 +55,6 @@ struct keyword_table {
 };
 
 static struct keyword_table keyword_table[] = {
-	/* flags */
-	{"flags",		TOK_FLAGS},
 	/* network */
 	{"network",		TOK_NETWORK},
 	/* misc keywords */
@@ -73,12 +73,18 @@ static struct keyword_table keyword_table[] = {
 	{"subset",		TOK_SUBSET},
 	{"audit",		TOK_AUDIT},
 	{"deny",		TOK_DENY},
-	{"profile",		TOK_PROFILE},
 	{"set",			TOK_SET},
 	{"rlimit",		TOK_RLIMIT},
 	{"alias",		TOK_ALIAS},
 	{"rewrite",		TOK_ALIAS},
 	{"ptrace",		TOK_PTRACE},
+	{"file",		TOK_FILE},
+	{"mount",		TOK_MOUNT},
+	{"remount",		TOK_REMOUNT},
+	{"umount",		TOK_UMOUNT},
+	{"unmount",		TOK_UMOUNT},
+	{"pivot_root",		TOK_PIVOTROOT},
+	{"in",			TOK_IN},
 	/* terminate */
 	{NULL, 0}
 };
@@ -129,6 +135,9 @@ static int get_table_token(const char *name __unused, struct keyword_table *tabl
 static struct keyword_table capability_table[] = {
 	/* capabilities */
 	#include "cap_names.h"
+#ifndef CAP_SYSLOG
+	{"syslog", 34},
+#endif
 	/* terminate */
 	{NULL, 0}
 };
@@ -394,6 +403,16 @@ char *processunquoted(char *string, int len)
 	return tmp;
 }
 
+char *processid(char *string, int len)
+{
+	/* lexer should never call this fn if len <= 0 */
+	assert(len > 0);
+
+	if (*string == '"')
+		return processquoted(string, len);
+	return processunquoted(string, len);
+}
+
 /* rewrite a quoted string substituting escaped characters for the
  * real thing.  Strip the quotes around the string */
 
@@ -430,7 +449,7 @@ char *processquoted(char *string, int len)
 				*s = '\\';
 				l++;
 				break;
-			case '0' - '3':
+			case '0': case '1': case '2': case '3':
 				if ((l < len - 4) &&
 				    strchr("0123456789", string[l + 2]) &&
 				    strchr("0123456789", string[l + 3])) {
@@ -764,6 +783,20 @@ void free_cod_entries(struct cod_entry *list)
 	free(list);
 }
 
+void free_mnt_entries(struct mnt_entry *list)
+{
+	if (!list)
+		return;
+	if (list->next)
+		free_mnt_entries(list->next);
+	free(list->mnt_point);
+	free(list->device);
+	free_value_list(list->dev_type);
+	free_value_list(list->opts);
+
+	free(list);
+}
+
 static void debug_base_perm_mask(int mask)
 {
 	if (HAS_MAY_READ(mask))
@@ -866,6 +899,7 @@ static const char *capnames[] = {
 	"audit_control",
 	"setfcap",
 	"mac_override"
+	"syslog",
 };
 
 const char *capability_to_name(unsigned int cap)
@@ -900,8 +934,6 @@ void debug_capabilities(struct codomain *cod)
 		__debug_capabilities(cod->deny_caps, "Deny Caps");
 	if (cod->quiet_caps != 0ull)
 		__debug_capabilities(cod->quiet_caps, "Quiet Caps");
-	if (cod->set_caps != 0ull)
-		__debug_capabilities(cod->set_caps, "Set Capabilities");
 }
 
 void debug_cod_list(struct codomain *cod)
@@ -928,28 +960,103 @@ void debug_cod_list(struct codomain *cod)
 	dump_policy_hats(cod);
 }
 
-#ifdef UNIT_TEST
-#define MY_TEST(statement, error)		\
-	if (!(statement)) {			\
-		PERROR("FAIL: %s\n", error);	\
-		rc = 1;				\
-	}
-
-/* Guh, fake routine */
-void yyerror(char *msg, ...)
+struct value_list *new_value_list(char *value)
 {
-	va_list arg;
-	char buf[PATH_MAX];
-
-	va_start(arg, msg);
-	vsnprintf(buf, sizeof(buf), msg, arg);
-	va_end(arg);
-
-	PERROR(_("AppArmor parser error: %s\n"), buf);
-
-	exit(1);
+	struct value_list *val = calloc(1, sizeof(struct value_list));
+	if (val)
+		val->value = value;
+	return val;
 }
 
+void free_value_list(struct value_list *list)
+{
+	struct value_list *next;
+
+	while (list) {
+		next = list->next;
+		if (list->value)
+			free(list->value);
+		free(list);
+		list = next;
+	}
+}
+
+struct value_list *dup_value_list(struct value_list *list)
+{
+	struct value_list *entry, *dup, *head = NULL;
+	char *value;
+
+	list_for_each(list, entry) {
+		value = NULL;
+		if (list->value) {
+			value = strdup(list->value);
+			if (!value)
+				goto fail2;
+		}
+		dup = new_value_list(value);
+		if (!dup)
+			goto fail;
+		if (head)
+			list_append(head, dup);
+		else
+			head = dup;
+	}
+
+	return head;
+
+fail:
+	free(value);
+fail2:
+	free_value_list(head);
+
+	return NULL;
+}
+
+void print_value_list(struct value_list *list)
+{
+	struct value_list *entry;
+
+	if (!list)
+		return;
+
+	fprintf(stderr, "%s", list->value);
+	list = list->next;
+	list_for_each(list, entry) {
+		fprintf(stderr, ", %s", entry->value);
+	}
+}
+
+struct cond_entry *new_cond_entry(char *name, int eq, struct value_list *list)
+{
+	struct cond_entry *ent = calloc(1, sizeof(struct cond_entry));
+	if (ent) {
+		ent->name = name;
+		ent->vals = list;
+		ent->eq = eq;
+	}
+
+	return ent;
+}
+
+void free_cond_entry(struct cond_entry *ent)
+{
+	if (ent) {
+		free(ent->name);
+		free_value_list(ent->vals);
+		free(ent);
+	}
+}
+
+void print_cond_entry(struct cond_entry *ent)
+{
+	if (ent) {
+		fprintf(stderr, "%s=(", ent->name);
+		print_value_list(ent->vals);
+		fprintf(stderr, ")\n");
+	}
+}
+
+#ifdef UNIT_TEST
 int test_str_to_boolean(void)
 {
 	int rc = 0;
@@ -973,7 +1080,7 @@ int test_str_to_boolean(void)
 int test_processunquoted(void)
 {
 	int rc = 0;
-	const char *teststring, *processedstring;
+	char *teststring, *processedstring;
 
 	teststring = "";
 	MY_TEST(strcmp(teststring, processunquoted(teststring, strlen(teststring))) == 0,
@@ -998,6 +1105,106 @@ int test_processunquoted(void)
 	return rc;
 }
 
+int test_processquoted(void)
+{
+	int rc = 0;
+	char *teststring, *processedstring;
+	char *out;
+
+	teststring = "";
+	out = processquoted(teststring, strlen(teststring));
+	MY_TEST(strcmp(teststring, out) == 0,
+			"processquoted on empty string");
+	free(out);
+
+	teststring = "\"abcdefg\"";
+	processedstring = "abcdefg";
+	out = processquoted(teststring, strlen(teststring));
+	MY_TEST(strcmp(processedstring, out) == 0,
+			"processquoted on simple string");
+	free(out);
+
+	teststring = "\"abcd\\tefg\"";
+	processedstring = "abcd\tefg";
+	out = processquoted(teststring, strlen(teststring));
+	MY_TEST(strcmp(processedstring, out) == 0,
+			"processquoted on string with tab");
+	free(out);
+
+	teststring = "\"abcdefg\\\"";
+	processedstring = "abcdefg\\";
+	out = processquoted(teststring, strlen(teststring));
+	MY_TEST(strcmp(processedstring, out) == 0,
+			"processquoted on trailing slash");
+	free(out);
+
+	teststring = "\"a\\\\bcdefg\"";
+	processedstring = "a\\bcdefg";
+	out = processquoted(teststring, strlen(teststring));
+	MY_TEST(strcmp(processedstring, out) == 0,
+			"processquoted on quoted slash");
+	free(out);
+
+	teststring = "\"a\\\"bcde\\\"fg\"";
+	processedstring = "a\"bcde\"fg";
+	out = processquoted(teststring, strlen(teststring));
+	MY_TEST(strcmp(processedstring, out) == 0,
+			"processquoted on quoted quotes");
+	free(out);
+
+	teststring = "\"\\rabcdefg\"";
+	processedstring = "\rabcdefg";
+	out = processquoted(teststring, strlen(teststring));
+	MY_TEST(strcmp(processedstring, out) == 0,
+			"processquoted on quoted \\r");
+	free(out);
+
+	teststring = "\"abcdefg\\n\"";
+	processedstring = "abcdefg\n";
+	out = processquoted(teststring, strlen(teststring));
+	MY_TEST(strcmp(processedstring, out) == 0,
+			"processquoted on quoted \\n");
+	free(out);
+
+	teststring = "\"\\Uabc\\Ndefg\\x\"";
+	processedstring = "\\Uabc\\Ndefg\\x";
+	out = processquoted(teststring, strlen(teststring));
+	MY_TEST(strcmp(processedstring, out) == 0,
+			"processquoted passthrough on invalid quoted chars");
+	free(out);
+
+	teststring = "\"abc\\042defg\"";
+	processedstring = "abc\"defg";
+	out = processquoted(teststring, strlen(teststring));
+	MY_TEST(strcmp(processedstring, out) == 0,
+			"processquoted on quoted octal \\042");
+	free(out);
+
+	teststring = "\"abcdefg\\176\"";
+	processedstring = "abcdefg~";
+	out = processquoted(teststring, strlen(teststring));
+	MY_TEST(strcmp(processedstring, out) == 0,
+			"processquoted on quoted octal \\176");
+	free(out);
+
+	/* yes, our octal processing is lame; patches accepted */
+	teststring = "\"abc\\42defg\"";
+	processedstring = "abc\\42defg";
+	out = processquoted(teststring, strlen(teststring));
+	MY_TEST(strcmp(processedstring, out) == 0,
+			"processquoted passthrough quoted invalid octal \\42");
+	free(out);
+
+	teststring = "\"abcdefg\\04\"";
+	processedstring = "abcdefg\\04";
+	out = processquoted(teststring, strlen(teststring));
+	MY_TEST(strcmp(processedstring, out) == 0,
+			"processquoted passthrough quoted invalid trailing octal \\04");
+	free(out);
+
+	return rc;
+}
+
 int main(void)
 {
 	int rc = 0;
@@ -1010,6 +1217,11 @@ int main(void)
 	retval = test_processunquoted();
 	if (retval != 0)
 		rc = retval;
+
+	retval = test_processquoted();
+	if (retval != 0)
+		rc = retval;
+
 	return rc;
 }
 #endif /* UNIT_TEST */

parser/parser_policy.c

@@ -2,8 +2,8 @@
  *   Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
  *   NOVELL (All rights reserved)
  *
- *   Copyright (c) 2010
- *   Canonical, Ltd. (All rights reserved)
+ *   Copyright (c) 2010 - 2012
+ *   Canonical Ltd. (All rights reserved)
  *
  *   This program is free software; you can redistribute it and/or
  *   modify it under the terms of version 2 of the GNU General Public
@@ -29,6 +29,7 @@
 #define _(s) gettext(s)
 
 #include "parser.h"
+#include "mount.h"
 #include "parser_yacc.h"
 
 /* #define DEBUG */
@@ -95,10 +96,26 @@ void add_hat_to_policy(struct codomain *cod, struct codomain *hat)
 	}
 }
 
+static int add_entry_to_x_table(struct codomain *cod, char *name)
+{
+	int i;
+	for (i = (AA_EXEC_LOCAL >> 10) + 1; i < AA_EXEC_COUNT; i++) {
+		if (!cod->exec_table[i]) {
+			cod->exec_table[i] = name;
+			return i;
+		} else if (strcmp(cod->exec_table[i], name) == 0) {
+			/* name already in table */
+			free(name);
+			return i;
+		}
+	}
+	free(name);
+	return 0;
+}
+
 static int add_named_transition(struct codomain *cod, struct cod_entry *entry)
 {
 	char *name = NULL;
-	int i;
 
 	/* check to see if it is a local transition */
 	if (!entry->namespace) {
@@ -146,18 +163,7 @@ static int add_named_transition(struct codomain *cod, struct cod_entry *entry)
 		name = entry->nt_name;
 	}
 
-	for (i = (AA_EXEC_LOCAL >> 10) + 1; i < AA_EXEC_COUNT; i++) {
-		if (!cod->exec_table[i]) {
-			cod->exec_table[i] = name;
-			return i;
-		} else if (strcmp(cod->exec_table[i], name) == 0) {
-			/* name already in table */
-			free(name);
-			return i;
-		}
-	}
-	free(name);
-	return 0;
+	return add_entry_to_x_table(cod, name);
 }
 
 void add_entry_to_policy(struct codomain *cod, struct cod_entry *entry)
@@ -166,16 +172,17 @@ void add_entry_to_policy(struct codomain *cod, struct cod_entry *entry)
 	cod->entries = entry;
 }
 
-void post_process_nt_entries(struct codomain *cod)
+void post_process_file_entries(struct codomain *cod)
 {
 	struct cod_entry *entry;
+	int cp_mode = 0;
 
 	list_for_each(cod->entries, entry) {
 		if (entry->nt_name) {
 			int mode = 0;
 			int n = add_named_transition(cod, entry);
 			if (!n) {
-				PERROR("Profile %s has to many specified profile transitions.\n", cod->name);
+				PERROR("Profile %s has too many specified profile transitions.\n", cod->name);
 				exit(1);
 			}
 			if (entry->mode & AA_USER_EXEC)
@@ -187,9 +194,56 @@ void post_process_nt_entries(struct codomain *cod)
 			entry->namespace = NULL;
 			entry->nt_name = NULL;
 		}
+		/* FIXME: currently change_profile also implies onexec */
+		cp_mode |= entry->mode & (AA_CHANGE_PROFILE);
+	}
+
+	/* if there are change_profile rules, this implies that we need
+	 * access to /proc/self/attr/current
+	 */
+	if (cp_mode & AA_CHANGE_PROFILE) {
+		/* FIXME: should use @{PROC}/@{PID}/attr/{current,exec} */
+		struct cod_entry *new_ent;
+		char *buffer = strdup("/proc/*/attr/{current,exec}");
+		if (!buffer) {
+			PERROR("Memory allocation error\n");
+			exit(1);
+		}
+		new_ent = new_entry(NULL, buffer, AA_MAY_WRITE, NULL);
+		if (!new_ent) {
+			PERROR("Memory allocation error\n");
+			exit(1);
+		}
+		add_entry_to_policy(cod, new_ent);
 	}
 }
 
+void post_process_mnt_entries(struct codomain *cod)
+{
+	struct mnt_entry *entry;
+
+	list_for_each(cod->mnt_ents, entry) {
+		if (entry->trans) {
+			unsigned int mode = 0;
+			int n = add_entry_to_x_table(cod, entry->trans);
+			if (!n) {
+				PERROR("Profile %s has too many specified profile transitions.\n", cod->name);
+				exit(1);
+			}
+
+			if (entry->allow & AA_USER_EXEC)
+				mode |= SHIFT_MODE(n << 10, AA_USER_SHIFT);
+			if (entry->allow & AA_OTHER_EXEC)
+				mode |= SHIFT_MODE(n << 10, AA_OTHER_SHIFT);
+			entry->allow = ((entry->allow & ~AA_ALL_EXEC_MODIFIERS) |
+				       (mode & AA_ALL_EXEC_MODIFIERS));
+
+			entry->trans = NULL;
+		}
+	}
+}
+
+
 static void __merge_rules(const void *nodep, const VISIT value,
 			  const int __unused depth)
 {
@@ -294,6 +348,33 @@ int process_hat_regex(struct codomain *cod)
 	return 0;
 }
 
+static void __process_policydb(const void *nodep, const VISIT value,
+			       const int __unused depth)
+{
+	struct codomain **t = (struct codomain **) nodep;
+
+	if (value == preorder || value == endorder)
+		return;
+
+	if (process_policydb(*t) != 0) {
+		PERROR(_("ERROR processing policydb rules for profile %s, failed to load\n"),
+		       (*t)->name);
+		exit(1);
+	}
+}
+
+int post_process_policydb(void)
+{
+	twalk(policy_list, __process_policydb);
+	return 0;
+}
+
+int process_hat_policydb(struct codomain *cod)
+{
+	twalk(cod->hat_table, __process_policydb);
+	return 0;
+}
+
 static void __process_variables(const void *nodep, const VISIT value,
 				const int __unused depth)
 {
@@ -645,7 +726,6 @@ struct codomain *merge_policy(struct codomain *a, struct codomain *b)
 	a->audit_caps |= b->audit_caps;
 	a->deny_caps |= b->deny_caps;
 	a->quiet_caps |= b->quiet_caps;
-	a->set_caps |= b->set_caps;
 
 	if (a->network_allowed) {
 		size_t i;
@@ -707,6 +787,15 @@ int post_process_policy(int debug_only)
 		}
 	}
 
+	if (!debug_only) {
+		retval = post_process_policydb();
+		if (retval != 0) {
+			PERROR(_("%s: Errors found during policydb postprocess.  Aborting.\n"),
+			       progname);
+			return retval;
+		}
+	}
+
 	return retval;
 }
 
@@ -728,10 +817,15 @@ void free_policy(struct codomain *cod)
 		return;
 	free_hat_table(cod->hat_table);
 	free_cod_entries(cod->entries);
+	free_mnt_entries(cod->mnt_ents);
 	if (cod->dfarules)
 		aare_delete_ruleset(cod->dfarules);
 	if (cod->dfa)
 		free(cod->dfa);
+	if (cod->policy_rules)
+		aare_delete_ruleset(cod->policy_rules);
+	if (cod->policy_dfa)
+		free(cod->policy_dfa);
 	if (cod->name)
 		free(cod->name);
 	if (cod->attachment)

parser/parser_regex.c

@@ -16,6 +16,7 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <stdarg.h>
 #include <string.h>
 #include <libintl.h>
@@ -26,6 +27,9 @@
 
 #include "parser.h"
 #include "libapparmor_re/apparmor_re.h"
+#include "libapparmor_re/aare_rules.h"
+#include "mount.h"
+#include "policydb.h"
 
 enum error_type {
 	e_no_error,
@@ -506,19 +510,28 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
 			return FALSE;
 	}
 	if (entry->mode & AA_CHANGE_PROFILE) {
+		char *vec[3];
+		char lbuf[PATH_MAX + 8];
+		int index = 1;
+
+		/* allow change_profile for all execs */
+		vec[0] = "/[^\\x00]*";
+
 		if (entry->namespace) {
-			char *vec[2];
-			char lbuf[PATH_MAX + 8];
 			int pos;
 			ptype = convert_aaregex_to_pcre(entry->namespace, 0, lbuf, PATH_MAX + 8, &pos);
-			vec[0] = lbuf;
-			vec[1] = tbuf;
-			if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE, 0, 2, vec, dfaflags))
-			    return FALSE;
-		} else {
-		  if (!aare_add_rule(dfarules, tbuf, 0, AA_CHANGE_PROFILE, 0, dfaflags))
-				return FALSE;
+			vec[index++] = lbuf;
 		}
+		vec[index++] = tbuf;
+
+		/* regular change_profile rule */
+		if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE | AA_ONEXEC, 0, index - 1, &vec[1], dfaflags))
+			return FALSE;
+		/* onexec rules - both rules are needed for onexec */
+		if (!aare_add_rule_vec(dfarules, 0, AA_ONEXEC, 0, 1, vec, dfaflags))
+			return FALSE;
+		if (!aare_add_rule_vec(dfarules, 0, AA_ONEXEC, 0, index, vec, dfaflags))
+			return FALSE;
 	}
 	if (entry->mode & (AA_USER_PTRACE | AA_OTHER_PTRACE)) {
 		int mode = entry->mode & (AA_USER_PTRACE | AA_OTHER_PTRACE);
@@ -609,35 +622,485 @@ out:
 	return error;
 }
 
+static int build_list_val_expr(char *buffer, int size, struct value_list *list)
+{
+	struct value_list *ent;
+	char tmp[PATH_MAX + 3];
+	char *p;
+	int len;
+	pattern_t ptype;
+	int pos;
+
+	if (!list) {
+		strncpy(buffer, "[^\\000]*", size);
+		return TRUE;
+	}
+
+	p = buffer;
+	strncpy(p, "(", size - (p - buffer));
+	p++;
+	if (p > buffer + size)
+		goto fail;
+
+	ptype = convert_aaregex_to_pcre(list->value, 0, tmp, PATH_MAX+3, &pos);
+	if (ptype == ePatternInvalid)
+		goto fail;
+
+	len = strlen(tmp);
+	if (len > size - (p - buffer))
+		goto fail;
+	strcpy(p, tmp);
+	p += len;
+
+	list_for_each(list->next, ent) {
+		ptype = convert_aaregex_to_pcre(ent->value, 0, tmp,
+						PATH_MAX+3, &pos);
+		if (ptype == ePatternInvalid)
+			goto fail;
+
+		strncpy(p, "|", size - (p - buffer));
+		p++;
+		len = strlen(tmp);
+		if (len > size - (p - buffer))
+			goto fail;
+		strcpy(p, tmp);
+		p += len;
+	}
+	strncpy(p, ")", size - (p - buffer));
+	p++;
+	if (p > buffer + size)
+		goto fail;
+
+	return TRUE;
+fail:
+	return FALSE;
+}
+
+static int convert_entry(char *buffer, int size, char *entry)
+{
+	pattern_t ptype;
+	int pos;
+
+	if (entry) {
+		ptype = convert_aaregex_to_pcre(entry, 0, buffer, size, &pos);
+		if (ptype == ePatternInvalid)
+			return FALSE;
+	} else {
+		/* match any char except \000 0 or more times */
+		if (size < 8)
+			return FALSE;
+
+		strcpy(buffer, "[^\\000]*");
+	}
+	return TRUE;
+}
+
+static int build_mnt_flags(char *buffer, int size, unsigned int flags,
+			   unsigned int inv_flags)
+{
+	char *p = buffer;
+	int i, len = 0;
+
+	if (flags == MS_ALL_FLAGS) {
+		/* all flags are optional */
+		len = snprintf(p, size, "[^\\000]*");
+		if (len < 0 || len >= size)
+			return FALSE;
+		return TRUE;
+	}
+	for (i = 0; i <= 31; ++i) {
+		if ((flags & inv_flags) & (1 << i))
+			len = snprintf(p, size, "(\\x%02x|)", i + 1);
+		else if (flags & (1 << i))
+			len = snprintf(p, size, "\\x%02x", i + 1);
+		else	/* no entry = not set */
+			continue;
+
+		if (len < 0 || len >= size)
+			return FALSE;
+		p += len;
+		size -= len;
+	}
+
+	/* this needs to go once the backend is updated. */
+	if (buffer == p) {
+		/* match nothing - use impossible 254 as regex parser doesn't
+		 * like the empty string
+		 */
+		if (size < 9)
+			return FALSE;
+
+		strcpy(p, "(\\xfe|)");
+	}
+
+	return TRUE;
+}
+
+static int build_mnt_opts(char *buffer, int size, struct value_list *opts)
+{
+	struct value_list *ent;
+	char tmp[PATH_MAX + 3];
+	char *p;
+	int len;
+	pattern_t ptype;
+	int pos;
+
+	if (!opts) {
+		if (size < 8)
+			return FALSE;
+		strncpy(buffer, "[^\\000]*", size);
+		return TRUE;
+	}
+
+	p = buffer;
+	list_for_each(opts, ent) {
+		ptype = convert_aaregex_to_pcre(ent->value, 0, tmp,
+						PATH_MAX+3, &pos);
+		if (ptype == ePatternInvalid)
+			goto fail;
+
+		len = strlen(tmp);
+		if (len > size - (p - buffer))
+			goto fail;
+		strcpy(p, tmp);
+		p += len;
+		if (ent->next && size - (p - buffer) > 1) {
+			*p++ = ',';
+			*p = 0;
+		}
+	}
+
+	return TRUE;
+
+fail:
+	return FALSE;
+}
+
+static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
+{
+	char mntbuf[PATH_MAX + 3];
+	char devbuf[PATH_MAX + 3];
+	char typebuf[PATH_MAX + 3];
+	char flagsbuf[PATH_MAX + 3];
+	char optsbuf[PATH_MAX + 3];
+	char *p, *vec[5];
+	int count = 0;
+	unsigned int flags, inv_flags;
+
+	/* a single mount rule may result in multiple matching rules being
+	 * created in the backend to cover all the possible choices
+	 */
+
+	if ((entry->allow & AA_MAY_MOUNT) && (entry->flags & MS_REMOUNT)
+	    && !entry->device && !entry->dev_type) {
+		int allow;
+		/* remount can't be conditional on device and type */
+		p = mntbuf;
+		/* rule class single byte header */
+		p += sprintf(p, "\\x%02x", AA_CLASS_MOUNT);
+		if (entry->mnt_point) {
+			/* both device && mnt_point or just mnt_point */
+			if (!convert_entry(p, PATH_MAX +3, entry->mnt_point))
+				goto fail;
+			vec[0] = mntbuf;
+		} else {
+			if (!convert_entry(p, PATH_MAX +3, entry->device))
+				goto fail;
+			vec[0] = mntbuf;
+		}
+		/* skip device */
+		if (!convert_entry(devbuf, PATH_MAX +3, NULL))
+			goto fail;
+		vec[1] = devbuf;
+		/* skip type */
+		vec[2] = devbuf;
+
+		flags = entry->flags;
+		inv_flags = entry->inv_flags;
+		if (flags != MS_ALL_FLAGS)
+			flags &= MS_REMOUNT_FLAGS;
+		if (inv_flags != MS_ALL_FLAGS)
+			flags &= MS_REMOUNT_FLAGS;
+		if (!build_mnt_flags(flagsbuf, PATH_MAX, flags, inv_flags))
+			goto fail;
+		vec[3] = flagsbuf;
+		if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
+			goto fail;
+
+		if (entry->opts)
+			allow = AA_MATCH_CONT;
+		else
+			allow = entry->allow;
+
+		/* rule for match without required data || data MATCH_CONT */
+		if (!aare_add_rule_vec(dfarules, entry->deny, allow,
+				       entry->audit | AA_AUDIT_MNT_DATA, 4,
+				       vec, dfaflags))
+			goto fail;
+		count++;
+
+		if (entry->opts) {
+			/* rule with data match required */
+			if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
+				goto fail;
+			vec[4] = optsbuf;
+			if (!aare_add_rule_vec(dfarules, entry->deny,
+					       entry->allow,
+					       entry->audit | AA_AUDIT_MNT_DATA,
+					       5, vec, dfaflags))
+				goto fail;
+			count++;
+		}
+	}
+	if ((entry->allow & AA_MAY_MOUNT) && (entry->flags & MS_BIND)
+	    && !entry->dev_type && !entry->opts) {
+		/* bind mount rules can't be conditional on dev_type or data */
+		p = mntbuf;
+		/* rule class single byte header */
+		p += sprintf(p, "\\x%02x", AA_CLASS_MOUNT);
+		if (!convert_entry(p, PATH_MAX +3, entry->mnt_point))
+			goto fail;
+		vec[0] = mntbuf;
+		if (!convert_entry(devbuf, PATH_MAX +3, entry->device))
+			goto fail;
+		vec[1] = devbuf;
+		if (!convert_entry(typebuf, PATH_MAX +3, NULL))
+			goto fail;
+		vec[2] = typebuf;
+
+		flags = entry->flags;
+		inv_flags = entry->inv_flags;
+		if (flags != MS_ALL_FLAGS)
+			flags &= MS_BIND_FLAGS;
+		if (inv_flags != MS_ALL_FLAGS)
+			flags &= MS_BIND_FLAGS;
+		if (!build_mnt_flags(flagsbuf, PATH_MAX, flags, inv_flags))
+			goto fail;
+		vec[3] = flagsbuf;
+		if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
+				       entry->audit, 4, vec, dfaflags))
+			goto fail;
+		count++;
+	}
+	if ((entry->allow & AA_MAY_MOUNT) &&
+	    (entry->flags & (MS_UNBINDABLE | MS_PRIVATE | MS_SLAVE | MS_SHARED))
+	    && !entry->device && !entry->dev_type && !entry->opts) {
+		/* change type base rules can not be conditional on device,
+		 * device type or data
+		 */
+		p = mntbuf;
+		/* rule class single byte header */
+		p += sprintf(p, "\\x%02x", AA_CLASS_MOUNT);
+		if (!convert_entry(p, PATH_MAX +3, entry->mnt_point))
+			goto fail;
+		vec[0] = mntbuf;
+		/* skip device and type */
+		if (!convert_entry(devbuf, PATH_MAX +3, NULL))
+			goto fail;
+		vec[1] = devbuf;
+		vec[2] = devbuf;
+
+		flags = entry->flags;
+		inv_flags = entry->inv_flags;
+		if (flags != MS_ALL_FLAGS)
+			flags &= MS_MAKE_FLAGS;
+		if (inv_flags != MS_ALL_FLAGS)
+			flags &= MS_MAKE_FLAGS;
+		if (!build_mnt_flags(flagsbuf, PATH_MAX, flags, inv_flags))
+			goto fail;
+		vec[3] = flagsbuf;
+		if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
+				       entry->audit, 4, vec, dfaflags))
+			goto fail;
+		count++;
+	}
+	if ((entry->allow & AA_MAY_MOUNT) && (entry->flags & MS_MOVE)
+	    && !entry->dev_type && !entry->opts) {
+		/* mount move rules can not be conditional on dev_type,
+		 * or data
+		 */
+		p = mntbuf;
+		/* rule class single byte header */
+		p += sprintf(p, "\\x%02x", AA_CLASS_MOUNT);
+		if (!convert_entry(p, PATH_MAX +3, entry->mnt_point))
+			goto fail;
+		vec[0] = mntbuf;
+		if (!convert_entry(devbuf, PATH_MAX +3, entry->device))
+			goto fail;
+		vec[1] = devbuf;
+		/* skip type */
+		if (!convert_entry(typebuf, PATH_MAX +3, NULL))
+			goto fail;
+		vec[2] = typebuf;
+
+		flags = entry->flags;
+		inv_flags = entry->inv_flags;
+		if (flags != MS_ALL_FLAGS)
+			flags &= MS_MOVE_FLAGS;
+		if (inv_flags != MS_ALL_FLAGS)
+			flags &= MS_MOVE_FLAGS;
+		if (!build_mnt_flags(flagsbuf, PATH_MAX, flags, inv_flags))
+			goto fail;
+		vec[3] = flagsbuf;
+		if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
+				       entry->audit, 4, vec, dfaflags))
+			goto fail;
+		count++;
+	}
+	if ((entry->allow & AA_MAY_MOUNT) &&
+	    (entry->flags | entry->inv_flags) & ~MS_CMDS) {
+		int allow;
+		/* generic mount if flags are set that are not covered by
+		 * above commands
+		 */
+		p = mntbuf;
+		/* rule class single byte header */
+		p += sprintf(p, "\\x%02x", AA_CLASS_MOUNT);
+		if (!convert_entry(p, PATH_MAX +3, entry->mnt_point))
+			goto fail;
+		vec[0] = mntbuf;
+		if (!convert_entry(devbuf, PATH_MAX +3, entry->device))
+			goto fail;
+		vec[1] = devbuf;
+		if (!build_list_val_expr(typebuf, PATH_MAX+2, entry->dev_type))
+			goto fail;
+		vec[2] = typebuf;
+
+		flags = entry->flags;
+		inv_flags = entry->inv_flags;
+		if (flags != MS_ALL_FLAGS)
+			flags &= ~MS_CMDS;
+		if (inv_flags != MS_ALL_FLAGS)
+			flags &= ~MS_CMDS;
+		if (!build_mnt_flags(flagsbuf, PATH_MAX, flags, inv_flags))
+			goto fail;
+		vec[3] = flagsbuf;
+
+		if (entry->opts)
+			allow = AA_MATCH_CONT;
+		else
+			allow = entry->allow;
+
+		/* rule for match without required data || data MATCH_CONT */
+		if (!aare_add_rule_vec(dfarules, entry->deny, allow,
+				       entry->audit | AA_AUDIT_MNT_DATA, 4,
+				       vec, dfaflags))
+			goto fail;
+		count++;
+
+		if (entry->opts) {
+			/* rule with data match required */
+			if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
+				goto fail;
+			vec[4] = optsbuf;
+			if (!aare_add_rule_vec(dfarules, entry->deny,
+					       entry->allow,
+					       entry->audit | AA_AUDIT_MNT_DATA,
+					       5, vec, dfaflags))
+				goto fail;
+			count++;
+		}
+	}
+	if (entry->allow & AA_MAY_UMOUNT) {
+		p = mntbuf;
+		/* rule class single byte header */
+		p += sprintf(p, "\\x%02x", AA_CLASS_MOUNT);
+		if (!convert_entry(p, PATH_MAX +3, entry->mnt_point))
+			goto fail;
+		vec[0] = mntbuf;
+		if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
+				       entry->audit, 1, vec, dfaflags))
+			goto fail;
+		count++;
+	}
+	if (entry->allow & AA_MAY_PIVOTROOT) {
+		p = mntbuf;
+		/* rule class single byte header */
+		p += sprintf(p, "\\x%02x", AA_CLASS_MOUNT);
+		if (!convert_entry(p, PATH_MAX +3, entry->mnt_point))
+			goto fail;
+		vec[0] = mntbuf;
+		if (!convert_entry(devbuf, PATH_MAX +3, entry->device))
+			goto fail;
+		vec[1] = devbuf;
+		if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
+				       entry->audit, 2, vec, dfaflags))
+			goto fail;
+		count++;
+	}
+
+	if (!count)
+		/* didn't actually encode anything */
+		goto fail;
+
+	return TRUE;
+
+fail:
+	PERROR("Enocoding of mount rule failed\n");
+	return FALSE;
+}
+
+
+int post_process_policydb_ents(struct codomain *cod)
+{
+	int ret = TRUE;
+	int count = 0;
+
+	/* Add fns for rules that should be added to policydb here */
+	if (cod->mnt_ents && kernel_supports_mount) {
+		struct mnt_entry *entry;
+		list_for_each(cod->mnt_ents, entry) {
+			if (regex_type == AARE_DFA &&
+			    !process_mnt_entry(cod->policy_rules, entry))
+				ret = FALSE;
+			count++;
+		}
+	} else if (cod->mnt_ents && !kernel_supports_mount)
+		pwarn("profile %s mount rules not enforced\n", cod->name);
+
+	cod->policy_rule_count = count;
+	return ret;
+}
+
+int process_policydb(struct codomain *cod)
+{
+	int error = -1;
+
+	if (regex_type == AARE_DFA) {
+		cod->policy_rules = aare_new_ruleset(0);
+		if (!cod->policy_rules)
+			goto out;
+	}
+
+	if (!post_process_policydb_ents(cod))
+		goto out;
+
+	if (regex_type == AARE_DFA && cod->policy_rule_count > 0) {
+		cod->policy_dfa = aare_create_dfa(cod->policy_rules,
+						  &cod->policy_dfa_size,
+						  dfaflags);
+		aare_delete_ruleset(cod->policy_rules);
+		cod->policy_rules = NULL;
+		if (!cod->policy_dfa)
+			goto out;
+	}
+
+	aare_reset_matchflags();
+	if (process_hat_policydb(cod) != 0)
+		goto out;
+
+	error = 0;
+
+out:
+	return error;
+}
+
 void reset_regex(void)
 {
 	aare_reset_matchflags();
 }
 
 #ifdef UNIT_TEST
-#define MY_TEST(statement, error)		\
-	if (!(statement)) {			\
-		PERROR("FAIL: %s\n", error);	\
-		rc = 1;				\
-	}
-
-/* Guh, fake routine */
-void yyerror(char *msg, ...)
-{
-	va_list arg;
-	char buf[PATH_MAX];
-
-	va_start(arg, msg);
-	vsnprintf(buf, sizeof(buf), msg, arg);
-	va_end(arg);
-
-	PERROR(_("AppArmor parser error: %s\n"), buf);
-
-	exit(1);
-}
-/* Guh, fake symbol */
-char *progname;
-
 static int test_filter_slashes(void)
 {
 	int rc = 0;

parser/parser_symtab.c

@@ -539,30 +539,6 @@ void free_symtabs(void)
 }
 
 #ifdef UNIT_TEST
-#define MY_TEST(statement, error)		\
-	if (!(statement)) {			\
-		PERROR("FAIL: %s\n", error);	\
-		rc = 1;				\
-	}
-
-/* Guh, fake symbol */
-char *progname;
-
-/* Guh, fake routine */
-void yyerror(char *msg, ...)
-{
-	va_list arg;
-	char buf[PATH_MAX];
-
-	va_start(arg, msg);
-	vsnprintf(buf, sizeof(buf), msg, arg);
-	va_end(arg);
-
-	PERROR(_("AppArmor parser error: %s\n"), buf);
-
-	exit(1);
-}
-
 int main(void)
 {
 	int rc = 0;
@@ -589,7 +565,7 @@ int main(void)
 	retval = new_set_var("test", "different value");
 	MY_TEST(retval != 0, "new set variable 2");
 
-	retval = new_set_var("testes", "testes");
+	retval = new_set_var("testing", "testing");
 	MY_TEST(retval == 0, "new set variable 3");
 
 	retval = new_set_var("monopuff", "Mockingbird");

parser/parser_variable.c

@@ -28,6 +28,7 @@
 /* #define DEBUG */
 
 #include "parser.h"
+#include "mount.h"
 
 static inline char *get_var_end(char *var)
 {
@@ -36,8 +37,14 @@ static inline char *get_var_end(char *var)
 	while (*eptr) {
 		if (*eptr == '}')
 			return eptr;
-		if (!(*eptr == '_' || isalpha(*eptr)))
-			return NULL; /* invalid char */
+		/* first character must be alpha */
+		if (eptr == var) {
+		 	if (!isalpha(*eptr))
+				return NULL; /* invalid char */
+		} else {
+			if (!(*eptr == '_' || isalnum(*eptr)))
+				return NULL; /* invalid char */
+		}
 		eptr++;
 	}
 	return NULL; /* no terminating '}' */
@@ -124,17 +131,19 @@ void free_var_string(struct var_string *var)
 	free(var);
 }
 
-static int expand_entry_variables(struct cod_entry *entry)
+/* doesn't handle variables in options atm */
+static int expand_entry_variables(char **name, void *entry, 
+				  int (dup_and_chain)(void *))
 {
 	struct set_value *valuelist;
 	int ret = TRUE;
 	char *value;
 	struct var_string *split_var;
 
-	if (!entry) 		/* shouldn't happen */
+	if (!entry) 		/* can happen when entry is optional */
 		return ret;
 
-	while ((split_var = split_out_var(entry->name))) {
+	while ((split_var = split_out_var(*name))) {
 		valuelist = get_set_var(split_var->var);
 		if (!valuelist) {
 			int boolean = get_boolean_var(split_var->var);
@@ -153,24 +162,22 @@ static int expand_entry_variables(struct cod_entry *entry)
 			       split_var->var);
 			exit(1);
 		}
-		free(entry->name);
-		if (asprintf(&(entry->name), "%s%s%s",
+		free(*name);
+		if (asprintf(name, "%s%s%s",
 			     split_var->prefix ? split_var->prefix : "",
 			     value,
 			     split_var->suffix ? split_var->suffix : "") == -1)
 			return FALSE;
 
 		while ((value = get_next_set_value(&valuelist))) {
-			struct cod_entry *dupe = copy_cod_entry(entry);
-			if (!dupe) {
-				PERROR("Memory allocaton error while handling set variable %s\n",
+			if (!dup_and_chain(entry)) {
+				PERROR("Memory allocation error while handling set variable %s\n",
 				       split_var->var);
 				exit(1);
 			}
-			entry->next = dupe;
 
-			free(entry->name);
-			if (asprintf(&(entry->name), "%s%s%s",
+			free(*name);
+			if (asprintf(name, "%s%s%s",
 			      split_var->prefix ? split_var->prefix : "", value,
 			      split_var->suffix ? split_var->suffix : "") == -1)
 				return FALSE;
@@ -181,15 +188,66 @@ static int expand_entry_variables(struct cod_entry *entry)
 	return ret;
 }
 
+int clone_and_chain_cod(void *v)
+{
+	struct cod_entry *entry = v;
+	struct cod_entry *dup = copy_cod_entry(entry);
+	if (!dup)
+		return 0;
+
+	entry->next = dup;
+
+	return 1;
+}
+
+int clone_and_chain_mnt(void *v)
+{
+	struct mnt_entry *entry = v;
+
+	struct mnt_entry *dup = dup_mnt_entry(entry);
+	if (!dup)
+		return 0;
+
+	entry->next = dup;
+
+	return 1;
+}
+
 static int process_variables_in_entries(struct cod_entry *entry_list)
 {
 	int ret = TRUE, rc;
 	struct cod_entry *entry;
 
 	list_for_each(entry_list, entry) {
-		rc = expand_entry_variables(entry);
+		rc = expand_entry_variables(&entry->name, entry,
+					    clone_and_chain_cod);
 		if (!rc)
-			ret = FALSE;
+			return FALSE;
+	}
+
+	return ret;
+}
+
+/* does not currently support expansion of vars in options */
+static int process_variables_in_mnt_entries(struct mnt_entry *entry_list)
+{
+	int ret = TRUE, rc;
+	struct mnt_entry *entry;
+
+	list_for_each(entry_list, entry) {
+		rc = expand_entry_variables(&entry->mnt_point, entry,
+					    clone_and_chain_mnt);
+		if (!rc)
+			return FALSE;
+		rc = expand_entry_variables(&entry->device, entry,
+					    clone_and_chain_mnt);
+		if (!rc)
+			return FALSE;
+		rc = expand_entry_variables(&entry->trans, entry,
+					    clone_and_chain_mnt);
+		if (!rc)
+			return FALSE;
+
 	}
 
 	return ret;
@@ -203,6 +261,10 @@ int process_variables(struct codomain *cod)
 		error = -1;
 	}
 
+	if (!process_variables_in_mnt_entries(cod->mnt_ents)) {
+		error = -1;
+	}
+
 	if (process_hat_variables(cod) != 0) {
 			error = -1;
 	}
@@ -210,29 +272,6 @@ int process_variables(struct codomain *cod)
 }
 
 #ifdef UNIT_TEST
-#define MY_TEST(statement, error)		\
-	if (!(statement)) {			\
-		PERROR("FAIL: %s\n", error);	\
-		rc = 1;				\
-	}
-
-/* Guh, fake routine */
-void yyerror(char *msg, ...)
-{
-	va_list arg;
-	char buf[PATH_MAX];
-
-	va_start(arg, msg);
-	vsnprintf(buf, sizeof(buf), msg, arg);
-	va_end(arg);
-
-	PERROR(_("AppArmor parser error: %s\n"), buf);
-
-	exit(1);
-}
-/* Guh, fake symbol */
-char *progname;
-
 int test_get_var_end(void)
 {
 	int rc = 0;
@@ -271,7 +310,7 @@ int test_split_string(void)
 	char *var = "boogie";
 	char *suffix = "suffixication";
 
-	(void) asprintf(&tst_string, "%s@{%s}%s", prefix, var, suffix);
+	asprintf(&tst_string, "%s@{%s}%s", prefix, var, suffix);
 	var_start = tst_string + strlen(prefix);
 	var_end = var_start + strlen(var) + strlen("@\{");
 	ret_struct = split_string(tst_string, var_start, var_end);
@@ -317,6 +356,8 @@ int test_split_out_var(void)
 	struct var_string *ret_struct;
 	char *prefix = "abcdefg";
 	char *var = "boogie";
+	char *var2 = "V4rW1thNum5";
+	char *var3 = "boogie_board";
 	char *suffix = "suffixication";
 
 	/* simple case */
@@ -394,6 +435,34 @@ int test_split_out_var(void)
 	MY_TEST(strcmp(ret_struct->suffix, suffix) == 0, "split out var 7 suffix");
 	free_var_string(ret_struct);
 
+	/* numeric char in var, should succeed */
+	asprintf(&tst_string, "%s@{%s}%s", prefix, var2, suffix);
+	ret_struct = split_out_var(tst_string);
+	MY_TEST(ret_struct && strcmp(ret_struct->prefix, prefix) == 0, "split out numeric var prefix");
+	MY_TEST(ret_struct && strcmp(ret_struct->var, var2) == 0, "split numeric var var");
+	MY_TEST(ret_struct && strcmp(ret_struct->suffix, suffix) == 0, "split out numeric var suffix");
+	free_var_string(ret_struct);
+
+	/* numeric first char in var, should fail */
+	asprintf(&tst_string, "%s@{6%s}%s", prefix, var2, suffix);
+	ret_struct = split_out_var(tst_string);
+	MY_TEST(ret_struct == NULL, "split out var - numeric first char in var");
+	free_var_string(ret_struct);
+
+	/* underscore char in var, should succeed */
+	asprintf(&tst_string, "%s@{%s}%s", prefix, var3, suffix);
+	ret_struct = split_out_var(tst_string);
+	MY_TEST(ret_struct && strcmp(ret_struct->prefix, prefix) == 0, "split out underscore var prefix");
+	MY_TEST(ret_struct && strcmp(ret_struct->var, var3) == 0, "split out underscore var");
+	MY_TEST(ret_struct && strcmp(ret_struct->suffix, suffix) == 0, "split out underscore var suffix");
+	free_var_string(ret_struct);
+
+	/* underscore first char in var, should fail */
+	asprintf(&tst_string, "%s@{_%s%s}%s", prefix, var2, var3, suffix);
+	ret_struct = split_out_var(tst_string);
+	MY_TEST(ret_struct == NULL, "split out var - underscore first char in var");
+	free_var_string(ret_struct);
+
 	return rc;
 }
 int main(void)

parser/parser_yacc.y

@@ -2,8 +2,8 @@
 /*
  *   Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
  *   NOVELL (All rights reserved)
- *   Copyright (c) 2010
- *   Canonical, Ltd.
+ *   Copyright (c) 2010-2012
+ *   Canonical Ltd.
  *
  *   This program is free software; you can redistribute it and/or
  *   modify it under the terms of version 2 of the GNU General Public
@@ -32,6 +32,7 @@
 /* #define DEBUG */
 
 #include "parser.h"
+#include "mount.h"
 #include "parser_include.h"
 #include <unistd.h>
 #include <netinet/in.h>
@@ -64,21 +65,23 @@
 
 #define CAP_TO_MASK(x) (1ull << (x))
 
-struct value_list {
-	char *value;
-	struct value_list *next;
-};
+int parser_token = 0;
 
-void free_value_list(struct value_list *list);
 struct cod_entry *do_file_rule(char *namespace, char *id, int mode,
 			       char *link_id, char *nt);
+struct mnt_entry *do_mnt_rule(struct cond_entry *src_conds, char *src,
+			      struct cond_entry *dst_conds, char *dst,
+			      int mode);
+struct mnt_entry *do_pivot_rule(struct cond_entry *old, char *root,
+				char *transition);
 
 void add_local_entry(struct codomain *cod);
 
 %}
 
 %token TOK_ID
-%token TOK_SEP
+%token TOK_CONDID
+%token TOK_CARET
 %token TOK_OPEN
 %token TOK_CLOSE
 %token TOK_MODE
@@ -110,6 +113,15 @@ void add_local_entry(struct codomain *cod);
 %token TOK_SET
 %token TOK_ALIAS
 %token TOK_PTRACE
+%token TOK_OPENPAREN
+%token TOK_CLOSEPAREN
+%token TOK_COMMA
+%token TOK_FILE
+%token TOK_MOUNT
+%token TOK_REMOUNT
+%token TOK_UMOUNT
+%token TOK_PIVOTROOT
+%token TOK_IN
 
  /* rlimits */
 %token TOK_RLIMIT
@@ -136,10 +148,6 @@ void add_local_entry(struct codomain *cod);
 
 /* debug flag values */
 %token TOK_FLAGS
-%token TOK_FLAG_OPENPAREN
-%token TOK_FLAG_CLOSEPAREN
-%token TOK_FLAG_SEP
-%token TOK_FLAG_ID
 
 %union {
 	char *id;
@@ -149,6 +157,8 @@ void add_local_entry(struct codomain *cod);
 	struct codomain *cod;
 	struct cod_net_entry *net_entry;
 	struct cod_entry *user_entry;
+	struct mnt_entry *mnt_entry;
+
 	struct flagval flags;
 	int fmode;
 	uint64_t cap;
@@ -157,11 +167,13 @@ void add_local_entry(struct codomain *cod);
 	char *bool_var;
 	char *var_val;
 	struct value_list *val_list;
+	struct cond_entry *cond_entry;
 	int boolean;
 	struct named_transition transition;
 }
 
 %type <id> 	TOK_ID
+%type <id>	TOK_CONDID
 %type <mode> 	TOK_MODE
 %type <fmode>   file_mode
 %type <cod>	profile_base
@@ -172,14 +184,19 @@ void add_local_entry(struct codomain *cod);
 %type <cod>	cond_rule
 %type <network_entry> network_rule
 %type <user_entry> rule
+%type <user_entry> file_rule
+%type <user_entry> file_rule_tail
+%type <user_entry> link_rule
+%type <user_entry> ptrace_rule
 %type <user_entry> frule
+%type <mnt_entry> mnt_rule
+%type <cond_entry> opt_conds
+%type <cond_entry> cond
 %type <flags>	flags
 %type <flags>	flagvals
 %type <flags>	flagval
-%type <flag_id>	TOK_FLAG_ID
 %type <cap>	caps
 %type <cap>	capability
-%type <cap>	set_caps
 %type <user_entry> change_profile
 %type <set_var> TOK_SET_VAR
 %type <bool_var> TOK_BOOL_VAR
@@ -191,10 +208,12 @@ void add_local_entry(struct codomain *cod);
 %type <boolean> opt_audit_flag
 %type <boolean> opt_owner_flag
 %type <boolean> opt_profile_flag
+%type <boolean> opt_flags
 %type <id>	opt_namespace
 %type <id>	opt_id
 %type <transition> opt_named_transition
 %type <boolean> opt_unsafe
+%type <boolean> opt_file
 %%
 
 
@@ -238,9 +257,10 @@ profile_base: TOK_ID opt_id flags TOK_OPEN rules TOK_CLOSE
 		if (force_complain)
 			cod->flags.complain = 1;
 
-		post_process_nt_entries(cod);
+		post_process_file_entries(cod);
+		post_process_mnt_entries(cod);
 		PDEBUG("%s: flags='%s%s'\n",
-		       $3,
+		       $2,
 		       cod->flags.complain ? "complain, " : "",
 		       cod->flags.audit ? "audit" : "");
 
@@ -280,7 +300,7 @@ hat: hat_start profile_base
 	{
 		struct codomain *cod = $2;
 		if ($2)
-			PDEBUG("Matched: hat %s { ... }\n", code->name);
+			PDEBUG("Matched: hat %s { ... }\n", cod->name);
 
 		cod->flags.hat = 1;
 		$$ = cod;
@@ -369,26 +389,23 @@ varassign:	TOK_BOOL_VAR TOK_EQUALS TOK_VALUE
 
 valuelist:	TOK_VALUE
 	{
-		struct value_list *new = calloc(1, sizeof(struct value_list));
-		if (!new)
+		struct value_list *val = new_value_list($1);
+		if (!val)
 			yyerror(_("Memory allocation error."));
 		PDEBUG("Matched: value (%s)\n", $1);
 
-		new->value = $1;
-		new->next = NULL;
-		$$ = new;
+		$$ = val;
 	}
 
 valuelist:	valuelist TOK_VALUE
 	{
-		struct value_list *new = calloc(1, sizeof(struct value_list));
-		if (!new)
+		struct value_list *val = new_value_list($2);
+		if (!val)
 			yyerror(_("Memory allocation error."));
-		PDEBUG("Matched: value (%s)\n", $1);
+		PDEBUG("Matched: value list\n");
 
-		new->value = $2;
-		new->next = $1;
-		$$ = new;
+		list_append($1, val);
+		$$ = $1;
 	}
 
 flags:	{ /* nothing */
@@ -397,21 +414,24 @@ flags:	{ /* nothing */
 		$$ = fv;
 	};
 
-flags:	TOK_FLAGS TOK_EQUALS TOK_FLAG_OPENPAREN flagvals TOK_FLAG_CLOSEPAREN
+opt_flags: { /* nothing */ $$ = 0; }
+	| TOK_CONDID TOK_EQUALS
 	{
-		$$ = $4;
-	};
-
-flags: TOK_FLAG_OPENPAREN flagvals TOK_FLAG_CLOSEPAREN
-	{
-		$$ = $2;
+		if (strcmp($1, "flags") != 0)
+			yyerror("expected flags= got %s=", $1);
+		$$ = 1;
 	}
 
-flagvals:	flagvals TOK_FLAG_SEP flagval
+flags:	opt_flags TOK_OPENPAREN flagvals TOK_CLOSEPAREN
 	{
-		$1.complain = $1.complain || $3.complain;
-		$1.audit = $1.audit || $3.audit;
-		$1.path = $1.path | $3.path;
+		$$ = $3;
+	};
+
+flagvals:	flagvals flagval
+	{
+		$1.complain = $1.complain || $2.complain;
+		$1.audit = $1.audit || $2.audit;
+		$1.path = $1.path | $2.path;
 		if (($1.path & (PATH_CHROOT_REL | PATH_NS_REL)) ==
 		    (PATH_CHROOT_REL | PATH_NS_REL))
 			yyerror(_("Profile flag chroot_relative conflicts with namespace_relative"));
@@ -434,7 +454,7 @@ flagvals:	flagval
 		$$ = $1;
 	};
 
-flagval:	TOK_FLAG_ID
+flagval:	TOK_VALUE
 	{
 		struct flagval fv = { 0, 0, 0, 0 };
 		if (strcmp($1, "debug") == 0) {
@@ -641,6 +661,25 @@ rules: rules opt_audit_flag network_rule
 		$$ = $1;
 	}
 
+rules:  rules opt_audit_flag TOK_DENY mnt_rule
+	{
+		$4->deny = $4->allow;
+		if ($2)
+			$4->audit = $4->allow;
+		$4->next = $1->mnt_ents;
+		$1->mnt_ents = $4;
+		$$ = $1;
+	}
+
+rules: rules opt_audit_flag mnt_rule
+	{
+		if ($2)
+			$3->audit = $3->allow;
+		$3->next = $1->mnt_ents;
+		$1->mnt_ents = $3;
+		$$ = $1;
+	}
+
 rules:	rules change_profile
 	{
 		PDEBUG("matched: rules change_profile\n");
@@ -667,12 +706,6 @@ rules:	rules opt_audit_flag capability
 		$$ = $1;
 	};
 
-rules: rules set_caps
-	{
-		$1->set_caps |= $2;
-		$$ = $1;
-	};
-
 rules:	rules hat
 	{
 		PDEBUG("Matched: hat rule\n");
@@ -711,10 +744,31 @@ rules: rules TOK_SET TOK_RLIMIT TOK_ID TOK_LE TOK_VALUE TOK_END_OF_RULE
 		if (strcmp($6, "infinity") == 0) {
 			value = RLIM_INFINITY;
 		} else {
+			const char *seconds = "seconds";
+			const char *minutes = "minutes";
+			const char *hours = "hours";
+			const char *days = "days";
+			const char *kb = "KB";
+			const char *mb = "MB";
+			const char *gb = "GB";
+
 			tmp = strtoll($6, &end, 0);
 			switch (limit) {
 			case RLIMIT_CPU:
-				yyerror("RLIMIT '%s' is currently unsupported\n", $4);
+				if (!end || $6 == end || tmp < 0)
+					yyerror("RLIMIT '%s' invalid value %s\n", $4, $6);
+				if (*end == '\0' ||
+				    strstr(seconds, end) == seconds) {
+					value = tmp;
+				} else if (strstr(minutes, end) == minutes) {
+					value = tmp * 60;
+				} else if (strstr(hours, end) == hours) {
+					value = tmp * 60 * 60;
+				} else if (strstr(days, end) == days) {
+					value = tmp * 60 * 60 * 24;
+				} else {
+					yyerror("RLIMIT '%s' invalid value %s\n", $4, $6);
+				}
 				break;
 			case RLIMIT_NOFILE:
 			case RLIMIT_NPROC:
@@ -722,14 +776,14 @@ rules: rules TOK_SET TOK_RLIMIT TOK_ID TOK_LE TOK_VALUE TOK_END_OF_RULE
 			case RLIMIT_SIGPENDING:
 #ifdef RLIMIT_RTPRIO
 			case RLIMIT_RTPRIO:
-				if ($6 == end || *end != '\0' || tmp < 0)
+				if (!end || $6 == end || *end != '\0' || tmp < 0)
 					yyerror("RLIMIT '%s' invalid value %s\n", $4, $6);
 				value = tmp;
 				break;
 #endif
 #ifdef RLIMIT_NICE
 			case RLIMIT_NICE:
-				if ($6 == end || *end != '\0')
+				if (!end || $6 == end || *end != '\0')
 					yyerror("RLIMIT '%s' invalid value %s\n", $4, $6);
 				if (tmp < -20 || tmp > 19)
 					yyerror("RLIMIT '%s' out of range (-20 .. 19) %d\n", $4, tmp);
@@ -746,11 +800,11 @@ rules: rules TOK_SET TOK_RLIMIT TOK_ID TOK_LE TOK_VALUE TOK_END_OF_RULE
 			case RLIMIT_MSGQUEUE:
 				if ($6 == end || tmp < 0)
 					yyerror("RLIMIT '%s' invalid value %s\n", $4, $6);
-				if (strcmp(end, "K") == 0) {
+				if (strstr(kb, end) == kb) {
 					tmp *= 1024;
-				} else if (strcmp(end, "M") == 0) {
+				} else if (strstr(mb, end) == mb) {
 					tmp *= 1024*1024;
-				} else if (strcmp(end, "G") == 0) {
+				} else if (strstr(gb, end) == gb) {
 					tmp *= 1024*1024*1024;
 				} else if (*end != '\0') {
 					yyerror("RLIMIT '%s' invalid value %s\n", $4, $6);
@@ -871,24 +925,16 @@ opt_named_transition:
 		$$.name = $5;
 	};
 
+rule: file_rule { $$ = $1; }
+	| link_rule { $$ = $1; }
+	| ptrace_rule {$$ = $1; }
+
 opt_unsafe: { /* nothing */ $$ = 0; }
 	| TOK_UNSAFE { $$ = 1; };
 	| TOK_SAFE { $$ = 2; };
 
-rule:	opt_unsafe frule
-	{
-		if ($1) {
-			if (!($2->mode & AA_EXEC_BITS))
-				yyerror(_("unsafe rule missing exec permissions"));
-			if ($1 == 1) {
-				$2->mode |= (($2->mode & AA_EXEC_BITS) << 8) &
-					 ALL_AA_EXEC_UNSAFE;
-			}
-			else if ($1 == 2)
-				$2->mode &= ~ALL_AA_EXEC_UNSAFE;
-		}
-		$$ = $2;
-	};
+opt_file: { /* nothing */ $$ = 0; }
+	| TOK_FILE { $$ = 1; }
 
 frule:	id_or_var file_mode opt_named_transition TOK_END_OF_RULE
 	{
@@ -912,16 +958,45 @@ frule:	file_mode opt_subset_flag id_or_var opt_named_transition TOK_END_OF_RULE
 		}
  	};
 
-rule:  opt_unsafe id_or_var file_mode id_or_var
+file_rule: TOK_FILE TOK_END_OF_RULE
+	{
+		char *path = strdup("/{**,}");
+		int perms = ((AA_BASE_PERMS & ~AA_EXEC_TYPE) |
+			     (AA_EXEC_INHERIT | AA_MAY_EXEC));
+		/* duplicate to other permission set */
+		perms |= perms << AA_OTHER_SHIFT;
+		if (!path)
+			yyerror(_("Memory allocation error."));
+		$$ = do_file_rule(NULL, path, perms, NULL, NULL);
+	}
+	| opt_file file_rule_tail { $$ = $2; }
+
+
+file_rule_tail: opt_unsafe frule
+	{
+		if ($1) {
+			if (!($2->mode & AA_EXEC_BITS))
+				yyerror(_("unsafe rule missing exec permissions"));
+			if ($1 == 1) {
+				$2->mode |= (($2->mode & AA_EXEC_BITS) << 8) &
+					 ALL_AA_EXEC_UNSAFE;
+			}
+			else if ($1 == 2)
+				$2->mode &= ~ALL_AA_EXEC_UNSAFE;
+		}
+		$$ = $2;
+	};
+
+file_rule_tail: opt_unsafe id_or_var file_mode id_or_var
 	{
 		/* Oopsie, we appear to be missing an EOL marker. If we
 		 * were *smart*, we could work around it. Since we're
 		 * obviously not smart, we'll just punt with a more
 		 * sensible error. */
-		yyerror(_("missing an end of line character? (entry: %s)"), $1);
+		yyerror(_("missing an end of line character? (entry: %s)"), $2);
 	};
 
-rule: TOK_LINK opt_subset_flag TOK_ID TOK_ARROW TOK_ID TOK_END_OF_RULE
+link_rule: TOK_LINK opt_subset_flag TOK_ID TOK_ARROW TOK_ID TOK_END_OF_RULE
 	{
 		struct cod_entry *entry;
 		PDEBUG("Matched: link tok_id (%s) -> (%s)\n", $3, $5);
@@ -931,7 +1006,7 @@ rule: TOK_LINK opt_subset_flag TOK_ID TOK_ARROW TOK_ID TOK_END_OF_RULE
 		$$ = entry;
 	};
 
-rule: TOK_PTRACE TOK_ID TOK_END_OF_RULE
+ptrace_rule: TOK_PTRACE TOK_ID TOK_END_OF_RULE
 	{
 		struct cod_entry *entry;
 		entry = new_entry(NULL, $2, AA_USER_PTRACE | AA_OTHER_PTRACE, NULL);
@@ -940,7 +1015,7 @@ rule: TOK_PTRACE TOK_ID TOK_END_OF_RULE
 		$$ = entry;
 	};
 
-rule: TOK_PTRACE TOK_COLON TOK_ID TOK_COLON TOK_ID TOK_END_OF_RULE
+ptrace_rule: TOK_PTRACE TOK_COLON TOK_ID TOK_COLON TOK_ID TOK_END_OF_RULE
 	{
 		struct cod_entry *entry;
 		entry = new_entry($3, $5, AA_USER_PTRACE | AA_OTHER_PTRACE, NULL);
@@ -988,7 +1063,86 @@ network_rule: TOK_NETWORK TOK_ID TOK_ID TOK_END_OF_RULE
 		$$ = entry;
 	}
 
-hat_start: TOK_SEP {}
+cond: TOK_CONDID TOK_EQUALS TOK_VALUE
+	{
+		struct cond_entry *ent;
+		struct value_list *value = new_value_list($3);
+		if (!value)
+			yyerror(_("Memory allocation error."));
+		ent = new_cond_entry($1, 1, value);
+		if (!ent) {
+			free_value_list(value);
+			yyerror(_("Memory allocation error."));
+		}
+		$$ = ent;
+	}
+
+cond: TOK_CONDID TOK_EQUALS TOK_OPENPAREN valuelist TOK_CLOSEPAREN
+	{
+		struct cond_entry *ent = new_cond_entry($1, 1, $4);
+
+		if (!ent)
+			yyerror(_("Memory allocation error."));
+		$$ = ent;
+	}
+
+
+cond: TOK_CONDID TOK_IN TOK_OPENPAREN valuelist TOK_CLOSEPAREN
+	{
+		struct cond_entry *ent = new_cond_entry($1, 0, $4);
+
+		if (!ent)
+			yyerror(_("Memory allocation error."));
+		$$ = ent;
+	}
+
+opt_conds: { /* nothing */ $$ = NULL; }
+	| opt_conds cond
+	{
+		$2->next = $1;
+		$$ = $2;
+	}
+
+mnt_rule: TOK_MOUNT opt_conds opt_id TOK_END_OF_RULE
+	{
+		$$ = do_mnt_rule($2, $3, NULL, NULL, AA_MAY_MOUNT);
+	}
+
+mnt_rule: TOK_MOUNT opt_conds opt_id TOK_ARROW opt_conds TOK_ID TOK_END_OF_RULE
+	{
+		$$ = do_mnt_rule($2, $3, $5, $6, AA_MAY_MOUNT);
+	}
+
+mnt_rule: TOK_REMOUNT opt_conds opt_id TOK_END_OF_RULE
+	{
+		$$ = do_mnt_rule($2, NULL, NULL, $3, AA_DUMMY_REMOUNT);
+	}
+
+mnt_rule: TOK_UMOUNT opt_conds opt_id TOK_END_OF_RULE
+	{
+		$$ = do_mnt_rule($2, NULL, NULL, $3, AA_MAY_UMOUNT);
+	}
+
+mnt_rule: TOK_PIVOTROOT opt_conds opt_id opt_named_transition TOK_END_OF_RULE
+	{
+		char *name = NULL;
+		if ($4.present && $4.namespace) {
+			name = malloc(strlen($4.namespace) +
+				      strlen($4.name) + 3);
+			if (!name) {
+				PERROR("Memory allocation error\n");
+				exit(1);
+			}
+			sprintf(name, ":%s:%s", $4.namespace, $4.name);
+			free($4.namespace);
+			free($4.name);
+		} else if ($4.present)
+			name = $4.name;
+
+		$$ = do_pivot_rule($2, $3, name);
+	}
+
+hat_start: TOK_CARET {}
 	| TOK_HAT {}
 
 file_mode: TOK_MODE
@@ -1022,17 +1176,17 @@ change_profile:	TOK_CHANGE_PROFILE TOK_ARROW TOK_COLON TOK_ID TOK_COLON TOK_ID T
 	};
 
 
-set_caps:	TOK_SET TOK_CAPABILITY caps TOK_END_OF_RULE
-	{
-		$$ = $3;
-	};
-
 capability:	TOK_CAPABILITY caps TOK_END_OF_RULE
 	{
-		$$ = $2;
+		if ($2 == 0) {
+			/* bare capability keyword - set all caps */
+			$$ = 0xffffffffffffffff;
+		} else
+			$$ = $2;
 	};
 
-caps: caps TOK_ID
+caps: { /* nothing */ $$ = 0; }
+	| caps TOK_ID
 	{
 		int cap = name_to_capability($2);
 		if (cap == -1)
@@ -1041,26 +1195,14 @@ caps: caps TOK_ID
 		$$ = $1 | CAP_TO_MASK(cap);
 	}
 
-caps: TOK_ID
-	{
-		int cap = name_to_capability($1);
-		if (cap == -1)
-			yyerror(_("Invalid capability %s."), $1);
-		free($1);
-		$$ = CAP_TO_MASK(cap);
-	};
-
 %%
 #define MAXBUFSIZE 4096
 
-void yyerror(char *msg, ...)
+void vprintyyerror(const char *msg, va_list argptr)
 {
-	va_list arg;
 	char buf[MAXBUFSIZE];
 
-	va_start(arg, msg);
-	vsnprintf(buf, sizeof(buf), msg, arg);
-	va_end(arg);
+	vsnprintf(buf, sizeof(buf), msg, argptr);
 
 	if (profilename) {
 		PERROR(_("AppArmor parser error for %s%s%s at line %d: %s\n"),
@@ -1074,21 +1216,26 @@ void yyerror(char *msg, ...)
 		       current_filename ? current_filename : "",
 		       current_lineno, buf);
 	}
-
-	exit(1);
 }
 
-void free_value_list(struct value_list *list)
+void printyyerror(const char *msg, ...)
 {
-	struct value_list *next;
+	va_list arg;
 
-	while (list) {
-		next = list->next;
-		if (list->value)
-			free(list->value);
-		free(list);
-		list = next;
-	}
+	va_start(arg, msg);
+	vprintyyerror(msg, arg);
+	va_end(arg);
+}
+
+void yyerror(const char *msg, ...)
+{
+	va_list arg;
+
+	va_start(arg, msg);
+	vprintyyerror(msg, arg);
+	va_end(arg);
+
+	exit(1);
 }
 
 struct cod_entry *do_file_rule(char *namespace, char *id, int mode,
@@ -1128,3 +1275,76 @@ void add_local_entry(struct codomain *cod)
 		add_entry_to_policy(cod, entry);
 	}
 }
+
+static char *mnt_cond_msg[] = {"",
+			 " not allowed as source conditional",
+			 " not allowed as target conditional",
+			 "",
+			 NULL};
+
+int verify_mnt_conds(struct cond_entry *conds, int src)
+{
+	struct cond_entry *entry;
+	int error = 0;
+
+	if (!conds)
+		return 0;
+
+	list_for_each(conds, entry) {
+		int res = is_valid_mnt_cond(entry->name, src);
+		if (res <= 0) {
+				printyyerror(_("invalid mount conditional %s%s"),
+					     entry->name,
+					     res == -1 ? "" : mnt_cond_msg[src]);
+				error++;
+		}
+	}
+
+	return error;
+}
+
+struct mnt_entry *do_mnt_rule(struct cond_entry *src_conds, char *src,
+			      struct cond_entry *dst_conds, char *dst,
+			      int mode)
+{
+	struct mnt_entry *ent;
+
+	if (verify_mnt_conds(src_conds, MNT_SRC_OPT) != 0)
+		yyerror(_("bad mount rule"));
+
+	/* FIXME: atm conditions are not supported on dst
+	if (verify_conds(dst_conds, DST_OPT) != 0)
+		yyerror(_("bad mount rule"));
+	*/
+	if (dst_conds)
+		yyerror(_("mount point conditions not currently supported"));
+
+	ent = new_mnt_entry(src_conds, src, dst_conds, dst, mode);
+	if (!ent) {
+		yyerror(_("Memory allocation error."));
+	}
+
+	return ent;
+}
+
+struct mnt_entry *do_pivot_rule(struct cond_entry *old, char *root,
+				char *transition)
+{
+	struct mnt_entry *ent = NULL;
+	char *device = NULL;
+	if (old) {
+		if (strcmp(old->name, "oldroot") != 0)
+			yyerror(_("invalid pivotroot conditional '%s'"), old->name);
+		if (old->vals) {
+			device = old->vals->value;
+			old->vals->value = NULL;
+		}
+		free_cond_entry(old);
+	}
+
+	ent = new_mnt_entry(NULL, device, NULL, root,
+			    AA_MAY_PIVOTROOT);
+	ent->trans = transition;
+
+	return ent;
+}

parser/policydb.h

@@ -0,0 +1,38 @@
+/*
+ * Copyright 2012 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ */
+
+#ifndef __AA_POLICYDB_H
+#define __AA_POLICYDB_H
+
+/*
+ * Class of mediation types in the AppArmor policy db
+ */
+#define AA_CLASS_COND		0
+#define AA_CLASS_UNKNOWN	1
+#define AA_CLASS_FILE		2
+#define AA_CLASS_CAP		3
+#define AA_CLASS_NET		4
+#define AA_CLASS_RLIMITS	5
+#define AA_CLASS_DOMAIN		6
+#define AA_CLASS_MOUNT		7
+#define AA_CLASS_NS_DOMAIN	8
+#define AA_CLASS_PTRACE		9
+
+#define AA_CLASS_ENV		16
+
+#define AA_CLASS_DBUS		32
+#define AA_CLASS_X		33
+
+#endif /* __AA_POLICYDB_H */

parser/rc.aaeventd.suse

@@ -27,7 +27,7 @@
 ### BEGIN INIT INFO
 # Provides: aaeventd
 # Required-Start: apparmor
-# Required-Stop:
+# Required-Stop: $null
 # Default-Start: 2 3 5
 # Default-Stop:
 # Short-Description: AppArmor Notification and Reporting
@@ -78,9 +78,9 @@ usage() {
 
 start_aa_event() {
 	if [ -x "$AA_EV_BIN" -a "${APPARMOR_ENABLE_AAEVENTD}" = "yes" ] ; then
-		sd_action "Starting AppArmor Event daemon" startproc -f -p $AA_EV_PIDFILE $AA_EV_BIN -p $AA_EV_PIDFILE
+		sd_action "Starting AppArmor Event daemon" startproc -p $AA_EV_PIDFILE $AA_EV_BIN -p $AA_EV_PIDFILE
 	elif [ -x "$SD_EV_BIN" -a "${APPARMOR_ENABLE_AAEVENTD}" = "yes" ] ; then
-		sd_action "Starting AppArmor Event daemon" startproc -f -p $SD_EV_PIDFILE $SD_EV_BIN -p $SD_EV_PIDFILE
+		sd_action "Starting AppArmor Event daemon" startproc -p $SD_EV_PIDFILE $SD_EV_BIN -p $SD_EV_PIDFILE
 	fi
 }
 

parser/rc.apparmor.functions

@@ -1,7 +1,7 @@
 #!/bin/sh
 # ----------------------------------------------------------------------
 #    Copyright (c) 1999-2008 NOVELL (All rights reserved)
-#    Copyright (c) 2009-2011 Canonical Ltd. (All rights reserved)
+#    Copyright (c) 2009-2012 Canonical Ltd. (All rights reserved)
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -83,15 +83,6 @@ SECURITYFS=/sys/kernel/security
 SUBDOMAINFS_MOUNTPOINT=$(grep subdomainfs /etc/fstab  | \
 	sed -e 's|^[[:space:]]*[^[:space:]]\+[[:space:]]\+\(/[^[:space:]]*\)[[:space:]]\+subdomainfs.*$|\1|' 2> /dev/null)
 
-if [ -d "/var/lib/${MODULE}" ] ; then
-	APPARMOR_TMPDIR="/var/lib/${MODULE}"
-elif [ -d "/var/lib/${OLD_MODULE}" ] ; then
-	APPARMOR_TMPDIR="/var/lib/${OLD_MODULE}"
-else
-	APPARMOR_TMPDIR="/tmp"
-fi
-
-
 # keep exit status from parser during profile load.  0 is good, 1 is bad
 STATUS=0
 
@@ -108,9 +99,7 @@ is_apparmor_present() {
 	# check for subdomainfs version of module
 	grep -qE "^($modules)[[:space:]]" /proc/modules
 
-	if [ $? -ne 0 ] ; then
-		ls /sys/module/apparmor 2>/dev/null | grep -qE "^($modules)"
-	fi
+	[ $? -ne 0 -a -d /sys/module/apparmor ]
 
 	return $?
 }
@@ -170,7 +159,7 @@ parse_profiles() {
 			exit 1
 			;;
 	esac
-	aa_log_action_begin "$PARSER_MSG"
+	aa_log_action_start "$PARSER_MSG"
 	# run the parser on all of the apparmor profiles
 	if [ ! -f "$PARSER" ]; then
 		aa_log_failure_msg "AppArmor parser not found"
@@ -198,6 +187,7 @@ parse_profiles() {
 			aa_log_skipped_msg "$profile"
 			logger -t "AppArmor(init)" -p daemon.warn "Skipping profile $profile"
 			STATUS=2
+			continue
 		elif [ "$skip" -ne 0 ]; then
 			continue
 		fi
@@ -222,7 +212,6 @@ parse_profiles() {
 
 profiles_names_list() {
 	# run the parser on all of the apparmor profiles
-	TMPFILE=$1
 	if [ ! -f "$PARSER" ]; then
 		aa_log_failure_msg "- AppArmor parser not found"
 		exit 1
@@ -235,9 +224,9 @@ profiles_names_list() {
 
 	for profile in $PROFILE_DIR/*; do
 	        if skip_profile "${profile}" && [ -f "${profile}" ] ; then
-			LIST_ADD=$($PARSER $ABSTRACTIONS -N "$profile" | grep -v '\^')
+			LIST_ADD=$($PARSER $ABSTRACTIONS -N "$profile" )
 			if [ $? -eq 0 ]; then
-				echo "$LIST_ADD" >>$TMPFILE
+				echo "$LIST_ADD"
 			fi
 		fi
 	done
@@ -297,7 +286,7 @@ is_apparmor_loaded() {
 }
 
 is_securityfs_mounted() {
-	grep -q securityfs /proc/filesystems && grep -q securityfs /proc/mounts
+	test -d ${SECURITYFS} -a -d /sys/fs/cgroup/systemd || grep -q securityfs /proc/filesystems && grep -q securityfs /proc/mounts
 	return $?
 }
 
@@ -377,10 +366,11 @@ apparmor_start() {
 	configure_owlsm
 
 	# if there is anything in the profiles file don't load
-	cat "$SFS_MOUNTPOINT/profiles" | if ! read line ; then
+	if ! read line < "$SFS_MOUNTPOINT/profiles"; then
 		parse_profiles load
 	else
-		aa_log_skipped_msg "AppArmor already loaded with profiles."
+		aa_log_skipped_msg ": already loaded with profiles."
+		return 0
 	fi
 	aa_log_end_msg 0
 	return 0
@@ -408,18 +398,16 @@ remove_profiles() {
 	fi
 
 	retval=0
-	#the list of profiles isn't stable once we start adding or removing
-	#them so stor to tmp first
-	MODULE_PLIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
-	sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | sort >"$MODULE_PLIST"
-	cat "$MODULE_PLIST" | while read profile ; do
+	# We filter child profiles as removing the parent will remove
+	# the children
+	sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | \
+	LC_COLLATE=C sort | grep -v // | while read profile ; do
 		echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
 		rc=$?
 		if [ ${rc} -ne 0 ] ; then 
 			retval=${rc}
 		fi
 	done
-	rm "$MODULE_PLIST"
 	return ${retval}
 }
 
@@ -427,7 +415,7 @@ apparmor_stop() {
 	aa_log_daemon_msg "Unloading AppArmor profiles "
 	remove_profiles
 	rc=$?
-	log_end_msg $rc
+	aa_log_end_msg $rc
 	return $rc
 }
 
@@ -459,20 +447,41 @@ __apparmor_restart() {
 		return 4
 	fi
 
+	aa_log_daemon_msg "Restarting AppArmor"
+
 	configure_owlsm
 	parse_profiles reload
-	PNAMES_LIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
-	profiles_names_list ${PNAMES_LIST}
-	MODULE_PLIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
 	# Clean out running profiles not associated with the current profile
 	# set, excluding the libvirt dynamically generated profiles.
-	sed  -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | egrep -v '^libvirt-[0-9a-f\-]+$' | sort >"$MODULE_PLIST"
-	sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while IFS= read profile ; do
+	# Note that we reverse sort the list of profiles to remove to
+	# ensure that child profiles (e.g. hats) are removed before the
+	# parent. We *do* need to remove the child profile and not rely
+	# on removing the parent profile when the profile has had its
+	# child profile names changed.
+	profiles_names_list | awk '
+BEGIN {
+  while (getline < "'${SFS_MOUNTPOINT}'/profiles" ) {
+    str = sub(/ \((enforce|complain)\)$/, "", $0);
+    if (match($0, /^libvirt-[0-9a-f\-]+$/) == 0)
+      arr[$str] = $str
+  }
+}
+
+{ if (length(arr[$0]) > 0) { delete arr[$0] } }
+
+END {
+  for (key in arr)
+    if (length(arr[key]) > 0) {
+      printf("%s\n", arr[key])
+    }
+}
+' | LC_COLLATE=C sort -r | while IFS= read profile ; do
 		echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
 	done
-	rm "$MODULE_PLIST"
-	rm "$PNAMES_LIST"
-	return 0
+	# will not catch all errors, but still better than nothing
+	rc=$?
+	aa_log_end_msg $rc
+	return $rc
 }
 
 apparmor_restart() {
@@ -516,11 +525,11 @@ apparmor_status () {
 		${SD_STATUS} --verbose
 		return $?
 	fi
-	if ! is_apparmor_present apparmor subdomain ; then
+	if ! is_apparmor_loaded ; then
 		echo "AppArmor is not loaded."
 		rc=1
 	else
-		echo "AppArmor is enabled,"
+		echo "AppArmor is enabled."
 		rc=0
 	fi
 	echo "Install the apparmor-utils package to receive more detailed"

parser/rc.apparmor.suse

@@ -31,6 +31,7 @@
 # Required-Start: boot.cleanup
 # Required-Stop: $null
 # Should-Start: $local_fs
+# Should-Stop: $null
 # Default-Start: B
 # Default-Stop:
 # Short-Description: AppArmor initialization
@@ -73,7 +74,19 @@ aa_log_warning_msg() {
 }
 
 aa_log_failure_msg() {
-	log_failure_msg $*
+	log_failure_msg '\n'$*
+}
+
+aa_log_action_start() {
+	echo -n
+}
+
+aa_log_action_end() {
+	echo -n
+}
+
+aa_log_daemon_msg() {
+	echo -en "$@ "
 }
 
 aa_log_skipped_msg() {
@@ -81,6 +94,14 @@ aa_log_skipped_msg() {
 	echo -e	"$rc_skipped"
 }
 
+aa_log_end_msg() {
+	v="-v"
+	if [ "$1" != '0' ]; then
+		rc="-v$1"
+	fi
+	rc_status $v
+}
+
 usage() {
     echo "Usage: $0 {start|stop|restart|try-restart|reload|force-reload|status|kill}"
 }

parser/subdomain.conf.pod

@@ -3,7 +3,7 @@
 #                  2008, 2009
 #    NOVELL (All rights reserved)
 #
-#    Copyright (c) 2010
+#    Copyright (c) 2010 - 2012
 #    Canonical Ltd. (All rights reserved)
 #
 #    This program is free software; you can redistribute it and/or

parser/tst/Makefile

@@ -4,19 +4,25 @@ TESTS=simple.pl
 PARSER_DIR=..
 PARSER_BIN=apparmor_parser
 PARSER=$(PARSER_DIR)/$(PARSER_BIN)
+PROVE_ARG=-f
 
 ifeq ($(VERBOSE),1)
-  PROVE_ARG=-v
+  PROVE_ARG+=-v
 endif
 
 all: tests
 
-.PHONY: tests error_output gen_xtrans parser_sanity caching
-tests: error_output gen_xtrans parser_sanity caching
+.PHONY: tests error_output gen_xtrans parser_sanity caching minimize
+tests: error_output gen_xtrans parser_sanity caching minimize
 
-gen_xtrans:
+GEN_TRANS_DIRS=simple_tests/generated_x/ simple_tests/generated_perms_leading/ simple_tests/generated_perms_safe/
+
+gen_xtrans: $(GEN_TRANS_DIRS)
 	./gen-xtrans.pl
 
+$(GEN_TRANS_DIRS):
+	mkdir $@
+
 error_output: $(PARSER)
 	$(PARSER) -S -I errors >/dev/null errors/okay.sd
 	LANG=C $(PARSER) -S -I errors 2>&1 >/dev/null errors/single.sd | \
@@ -35,10 +41,11 @@ parser_sanity: $(PARSER)
 caching: $(PARSER)
 	LANG=C ./caching.sh
 
+minimize: $(PARSER)
+	LANG=C ./minimize.sh
+
 $(PARSER):
 	make -C $(PARSER_DIR) $(PARSER_BIN)
 
 clean:
-	rm -f simple_tests/generated_x/*
-	rm -f simple_tests/generated_perms_leading/*
-	rm -f simple_tests/generated_perms_safe/*
+	find $(GEN_TRANS_DIRS) -type f | xargs rm -f

parser/tst/caching.sh

@@ -49,11 +49,34 @@ echo -n "Profiles are cached when requested: "
 [ ! -f $basedir/cache/$profile ] && echo "FAIL ($basedir/cache/$profile does not exist)" && exit 1
 echo "ok"
 
+read_features_dir()
+{
+    directory="$1"
+    if [ ! -d "$directory" ] ; then
+	return
+    fi
+    for f in `ls -AU "$directory"` ; do
+	if [ -f "$directory/$f" ] ; then
+	    read -r -d "" KF < "$directory/$f" || true
+	    echo -e "$f {$KF\n}"
+	elif [ -d "$directory/$f" ] ; then
+	    echo -n "$f {"
+	    KF=`read_features_dir "$directory/$f" "$KF"` || true
+	    echo "$KF"
+	    echo -e "}"
+	fi
+    done
+}
+
 echo -n "Kernel features are written to cache: "
 [ ! -f $basedir/cache/.features ] && echo "FAIL ($basedir/cache/.features missing)" && exit 1
-read CF < $basedir/cache/.features || true
-read KF < /sys/kernel/security/apparmor/features || true
-[ "$CF" != "$KF" ] && echo "FAIL (feature text mismatch: cache '$CF' vs kernel '$KF')" && exit 1
+read -r -d "" CF < $basedir/cache/.features || true
+if [ -d /sys/kernel/security/apparmor/features ] ; then
+    KF=`read_features_dir /sys/kernel/security/apparmor/features`
+else
+    read -r -d "" KF < /sys/kernel/security/apparmor/features || true
+fi
+[ "$CF" != "$KF" ] && echo -e "FAIL (feature text mismatch:\n  cache '$CF'\nvs\n  kernel '$KF')" && exit 1
 echo "ok"
 
 echo -n "Cache is loaded when it exists and features match: "

parser/tst/gen-xtrans.pl

@@ -118,7 +118,7 @@ sub gen_file($$$$$$$$$$$$) {
     print $file "/usr/bin/foo {\n";
     print_rule($file, $leading1, $qual1, $rule1, $perm1, $target1);
     print_rule($file, $leading2, $qual2, $rule2, $perm2, $target2);
-    print $file "}";
+    print $file "}\n";
     close($file);
 
     $count++;