2.7.1 Release

(At least) openSUSE uses ~/.kde4 to store KDE4 settings.
This patch changes ~/.kde/ to ~/.kde{,4} in all abstractions.

The patch is mostly from Velery Valery, I only fixed a merge conflict 
and added the kmail{,2} part in private-files-strict.

References: https://bugzilla.novell.com/show_bug.cgi?id=741592

Acked-By: Steve Beattie <sbeattie@ubuntu.com> for both trunk and 2.7.

common/Version

@@ -1 +1 @@
-2.7.0~rc1
+2.7.1

libraries/libapparmor/src/grammar.y

@@ -246,7 +246,7 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->fsuid = $3;}
 	| TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
 	{ ret_record->ouid = $3;}
-	| TOK_KEY_COMM TOK_EQUALS TOK_QUOTED_STRING
+	| TOK_KEY_COMM TOK_EQUALS safe_string
 	{ ret_record->comm = $3;}
 	| TOK_KEY_APPARMOR TOK_EQUALS apparmor_event
 	| TOK_KEY_CAPABILITY TOK_EQUALS TOK_DIGITS

libraries/libapparmor/src/scanner.l

@@ -265,7 +265,7 @@ yy_flex_debug = 0;
 {key_error}		{ return(TOK_KEY_ERROR); }
 {key_fsuid}		{ return(TOK_KEY_FSUID); }
 {key_ouid}		{ return(TOK_KEY_OUID); }
-{key_comm}		{ return(TOK_KEY_COMM); }
+{key_comm}		{ BEGIN(safe_string); return(TOK_KEY_COMM); }
 {key_capability}	{ return(TOK_KEY_CAPABILITY); }
 {key_capname}		{ return(TOK_KEY_CAPNAME); }
 {key_offset}		{ return(TOK_KEY_OFFSET); }

libraries/libapparmor/swig/python/setup.py.in

@@ -13,7 +13,7 @@ setup(name		= 'LibAppArmor',
       ext_package	= 'LibAppArmor',
       ext_modules	= [Extension('_LibAppArmor', ['libapparmor_wrap.c'],
 					include_dirs=['@top_srcdir@/src'],
-					extra_link_args = string.split('-L@top_builddir@/src/.libs -lapparmor'),
-# static:				extra_link_args = string.split('@top_builddir@/src/.libs/libapparmor.a'),
+					extra_link_args = '-L@top_builddir@/src/.libs -lapparmor'.split(),
+# static:				extra_link_args = '@top_builddir@/src/.libs/libapparmor.a'.split(),
 			)],
       )

libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1322676143.201:455): apparmor="ALLOWED" operation="open" parent=10357 profile=2F686F6D652F73746576652F746D702F6D792070726F672E7368 name=2F686F6D652F73746576652F746D702F6D792070726F672E7368 pid=22918 comm=6D792070726F672E7368 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.out

@@ -0,0 +1,16 @@
+START
+File: test_multi/testcase_encoded_comm.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1322676143.201:455
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 1000
+Profile: /home/steve/tmp/my prog.sh
+Name: /home/steve/tmp/my prog.sh
+Command: my prog.sh
+Parent: 10357
+PID: 22918
+Epoch: 1322676143
+Audit subid: 455

libraries/libapparmor/testsuite/test_multi/testcase_encoded_profile.in

@@ -0,0 +1 @@
+Aug 23 17:29:45 hostname kernel: [289763.843292] type=1400 audit(1322614912.304:857): apparmor="ALLOWED" operation="getattr" parent=16001 profile=74657374207370616365 name="/lib/x86_64-linux-gnu/libdl-2.13.so" pid=17011 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

libraries/libapparmor/testsuite/test_multi/testcase_encoded_profile.out

@@ -0,0 +1,16 @@
+START
+File: test_multi/testcase_encoded_profile.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1322614912.304:857
+Operation: getattr
+Mask: r
+Denied Mask: r
+fsuid: 0
+ouid: 0
+Profile: test space
+Name: /lib/x86_64-linux-gnu/libdl-2.13.so
+Command: bash
+Parent: 16001
+PID: 17011
+Epoch: 1322614912
+Audit subid: 857

parser/COPYING.GPL

@@ -1,15 +1,15 @@
 This license applies to all source files within the AppArmor parser
 package.
 
-		    GNU GENERAL PUBLIC LICENSE
-		       Version 2, June 1991
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 2, June 1991
 
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 
-			    Preamble
+                            Preamble
 
   The licenses for most software are designed to take away your
 freedom to share and change it.  By contrast, the GNU General Public
@@ -18,7 +18,7 @@ software--to make sure the software is free for all its users.  This
 General Public License applies to most of the Free Software
 Foundation's software and to any other program whose authors commit to
 using it.  (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.)  You can apply it to
+the GNU Lesser General Public License instead.)  You can apply it to
 your programs, too.
 
   When we speak of free software, we are referring to freedom, not
@@ -58,8 +58,8 @@ patent must be licensed for everyone's free use or not licensed at all.
 
   The precise terms and conditions for copying, distribution and
 modification follow.
-
-		    GNU GENERAL PUBLIC LICENSE
+
+                    GNU GENERAL PUBLIC LICENSE
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
 
   0. This License applies to any program or other work which contains
@@ -113,7 +113,7 @@ above, provided that you also meet all of these conditions:
     License.  (Exception: if the Program itself is interactive but
     does not normally print such an announcement, your work based on
     the Program is not required to print an announcement.)
-
+
 These requirements apply to the modified work as a whole.  If
 identifiable sections of that work are not derived from the Program,
 and can be reasonably considered independent and separate works in
@@ -171,7 +171,7 @@ access to copy from a designated place, then offering equivalent
 access to copy the source code from the same place counts as
 distribution of the source code, even though third parties are not
 compelled to copy the source along with the object code.
-
+
   4. You may not copy, modify, sublicense, or distribute the Program
 except as expressly provided under this License.  Any attempt
 otherwise to copy, modify, sublicense or distribute the Program is
@@ -228,7 +228,7 @@ impose that choice.
 
 This section is intended to make thoroughly clear what is believed to
 be a consequence of the rest of this License.
-
+
   8. If the distribution and/or use of the Program is restricted in
 certain countries either by patents or by copyrighted interfaces, the
 original copyright holder who places the Program under this License
@@ -258,7 +258,7 @@ make exceptions for this.  Our decision will be guided by the two goals
 of preserving the free status of all derivatives of our free software and
 of promoting the sharing and reuse of software generally.
 
-			    NO WARRANTY
+                            NO WARRANTY
 
   11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
 FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
@@ -280,9 +280,9 @@ YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
 PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGES.
 
-		     END OF TERMS AND CONDITIONS
-
-	    How to Apply These Terms to Your New Programs
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
 
   If you develop a new program, and you want it to be of the greatest
 possible use to the public, the best way to achieve this is to make it
@@ -294,7 +294,7 @@ convey the exclusion of warranty; and each file should have at least
 the "copyright" line and a pointer to where the full notice is found.
 
     <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) 19yy  <name of author>
+    Copyright (C) <year>  <name of author>
 
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -306,17 +306,16 @@ the "copyright" line and a pointer to where the full notice is found.
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     GNU General Public License for more details.
 
-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 
 Also add information on how to contact you by electronic and paper mail.
 
 If the program is interactive, make it output a short notice like this
 when it starts in an interactive mode:
 
-    Gnomovision version 69, Copyright (C) 19yy name of author
+    Gnomovision version 69, Copyright (C) year name of author
     Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
     This is free software, and you are welcome to redistribute it
     under certain conditions; type `show c' for details.
@@ -339,5 +338,5 @@ necessary.  Here is a sample; alter the names:
 This General Public License does not permit incorporating your program into
 proprietary programs.  If your program is a subroutine library, you may
 consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Library General
+library.  If this is what you want to do, use the GNU Lesser General
 Public License instead of this License.

parser/Makefile

@@ -115,7 +115,7 @@ endif
 export Q VERBOSE BUILD_OUTPUT
 
 po/${NAME}.pot: ${SRCS} ${HDRS}
-	make -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}"
+	$(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}"
 
 techdoc.pdf: techdoc.tex
 	while pdflatex $< ${BUILD_OUTPUT} || exit 1 ; \
@@ -141,7 +141,7 @@ pdf:	techdoc.pdf
 docs:	manpages htmlmanpages pdf
 
 indep: docs
-	$(Q)make -C po all
+	$(Q)$(MAKE) -C po all
 
 all:	arch indep
 
@@ -149,10 +149,10 @@ all:	arch indep
 .PHONY: libstdc++.a
 libstdc++.a:
 	rm -f ./libstdc++.a
-	ln -s `g++ -print-file-name=libstdc++.a`
+	ln -s `$(CXX) -print-file-name=libstdc++.a`
 
 apparmor_parser: $(OBJECTS) $(AAREOBJECTS)
-	g++ $(EXTRA_CFLAGS) -o $@ $(OBJECTS) $(LIBS) \
+	$(CXX) $(EXTRA_CFLAGS) -o $@ $(OBJECTS) $(LIBS) \
 	      ${LEXLIB}  $(AAREOBJECTS) $(AARE_LDFLAGS)
 
 parser_yacc.c parser_yacc.h: parser_yacc.y parser.h
@@ -231,13 +231,13 @@ check: tests
 .SILENT: tests
 tests: apparmor_parser ${TESTS}
 	sh -e -c 'for test in ${TESTS} ; do echo "*** running $${test}" && ./$${test}; done'
-	$(Q)make -s -C tst tests
+	$(Q)$(MAKE) -s -C tst tests
 
 # always need to rebuild.
 .SILENT: $(AAREOBJECT)
 .PHONY: $(AAREOBJECT)
 $(AAREOBJECT):
-	make -C $(AAREDIR) CFLAGS="$(EXTRA_CXXFLAGS)"
+	$(MAKE) -C $(AAREDIR) CFLAGS="$(EXTRA_CXXFLAGS)"
 
 .PHONY: install-rhel4
 install-rhel4: install-redhat
@@ -289,8 +289,8 @@ install-indep:
 	install -m 755 -d ${DESTDIR}/var/lib/apparmor
 	install -m 755 -d $(APPARMOR_BIN_PREFIX)
 	install -m 755 rc.apparmor.functions $(APPARMOR_BIN_PREFIX)
-	make -C po install NAME=${NAME} DESTDIR=${DESTDIR}
-	make install_manpages DESTDIR=${DESTDIR}
+	$(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR}
+	$(MAKE) install_manpages DESTDIR=${DESTDIR}
 
 .SILENT: clean
 .PHONY: clean
@@ -304,11 +304,11 @@ clean: _clean
 	rm -f af_names.h
 	rm -f cap_names.h
 	rm -rf techdoc.aux techdoc.log techdoc.pdf techdoc.toc techdor.txt techdoc/
-	make -s -C $(AAREDIR) clean
-	make -s -C po clean
-	make -s -C tst clean
+	$(MAKE) -s -C $(AAREDIR) clean
+	$(MAKE) -s -C po clean
+	$(MAKE) -s -C tst clean
 
 .SILENT: dist_clean
 dist_clean:
-	@make clean
+	@$(MAKE) clean
 	@rm -f $(LEX_C_FILES) $(YACC_C_FILES)

parser/rc.apparmor.functions

@@ -525,11 +525,11 @@ apparmor_status () {
 		${SD_STATUS} --verbose
 		return $?
 	fi
-	if ! is_apparmor_present apparmor subdomain ; then
+	if ! is_apparmor_loaded ; then
 		echo "AppArmor is not loaded."
 		rc=1
 	else
-		echo "AppArmor is enabled,"
+		echo "AppArmor is enabled."
 		rc=0
 	fi
 	echo "Install the apparmor-utils package to receive more detailed"

profiles/Makefile

@@ -52,9 +52,11 @@ install: local
 	install -m 755 -d ${PROFILES_DEST}
 	install -m 755 -d ${PROFILES_DEST}/abstractions \
                           ${PROFILES_DEST}/apache2.d \
+                          ${PROFILES_DEST}/disable \
                           ${PROFILES_DEST}/program-chunks \
                           ${PROFILES_DEST}/tunables \
                           ${PROFILES_DEST}/tunables/home.d \
+                          ${PROFILES_DEST}/tunables/multiarch.d \
                           ${PROFILES_DEST}/local
 	install -m 644 ${PROFILES_TO_COPY} ${PROFILES_DEST}
 	install -m 644 ${ABSTRACTIONS_TO_COPY} ${PROFILES_DEST}/abstractions

profiles/apparmor.d/abstractions/apache2-common

@@ -1,9 +1,20 @@
 # vim:syntax=apparmor
 
+# This file contains basic permissions for Apache and every vHost
+
+  #include <abstractions/nameservice>
+
   # Apache
   network inet stream,
+  network inet6 stream,
+  # apache manual, error pages and icons
   /usr/share/apache2/** r,
 
   # changehat itself
   /proc/*/attr/current                        w,
 
+  # htaccess files - for what ever it is worth
+  /**/.htaccess            r,
+
+  /dev/urandom            r,
+

profiles/apparmor.d/abstractions/aspell

@@ -2,7 +2,7 @@
 # aspell permissions
 
   # per-user settings and dictionaries
-  @{HOME}/.aspell.*.{pws,prepl} rk,
+  owner @{HOME}/.aspell.*.{pws,prepl} rwk,
 
   # system libraries and dictionaries
   /usr/lib/aspell/ r,

profiles/apparmor.d/abstractions/authentication

@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2009 Novell/SUSE
-#    Copyright (C) 2009-2011 Canonical Ltd
+#    Copyright (C) 2009-2012 Canonical Ltd
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -47,3 +47,5 @@
   # smbpass
   #include <abstractions/smbpass>
 
+  # p11-kit (PKCS#11 modules configuration)
+  #include <abstractions/p11-kit>

profiles/apparmor.d/abstractions/base

@@ -36,8 +36,8 @@
   /usr/lib{,32,64}/locale/**             mr,
   /usr/lib{,32,64}/gconv/*.so            mr,
   /usr/lib{,32,64}/gconv/gconv-modules*  mr,
-  /usr/lib/@{multiarch}/gconv/*.so          mr,
-  /usr/lib/@{multiarch}/gconv/gconv-modules mr,
+  /usr/lib/@{multiarch}/gconv/*.so           mr,
+  /usr/lib/@{multiarch}/gconv/gconv-modules* mr,
 
   # used by glibc when binding to ephemeral ports
   /etc/bindresvport.blacklist    r,

profiles/apparmor.d/abstractions/cups-client

@@ -1,7 +1,7 @@
 # vim:syntax=apparmor
 # ------------------------------------------------------------------
 #
-#    Copyright (C) 2009 Canonical Ltd.
+#    Copyright (C) 2009-2012 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -13,3 +13,6 @@
   /etc/cups/client.conf   r,
   # client should be able to talk the local cupsd
   /{,var/}run/cups/cups.sock w,
+  # client should be able to read user-specified cups configuration
+  owner @{HOME}/.cups/client.conf r,
+  owner @{HOME}/.cups/lpoptions r,

profiles/apparmor.d/abstractions/enchant

@@ -52,5 +52,5 @@
   /usr/share/java/zemberek-tr-[0-9]*.jar           r,
 
   # per-user dictionaries
-  owner @{HOME}/.config/enchant/                   r,
+  owner @{HOME}/.config/enchant/                   rw,
   owner @{HOME}/.config/enchant/*                  rwk,

profiles/apparmor.d/abstractions/fonts

@@ -39,6 +39,8 @@
   @{HOME}/.fonts.cache-2               mr,
   @{HOME}/.fontconfig/                  r,
   @{HOME}/.fontconfig/**              mrl,
+  @{HOME}/.fonts.conf.d/                r,
+  @{HOME}/.fonts.conf.d/**              r,
 
   /usr/local/share/fonts/               r,
   /usr/local/share/fonts/**             r,

profiles/apparmor.d/abstractions/kde

@@ -25,8 +25,8 @@
 @{HOME}/.DCOPserver_* r,
 @{HOME}/.ICEauthority r,
 @{HOME}/.fonts.* lrw,
-@{HOME}/.kde/share/config/kdeglobals rw,
-@{HOME}/.kde/share/config/*.lock rwl,
+@{HOME}/.kde{,4}/share/config/kdeglobals rw,
+@{HOME}/.kde{,4}/share/config/*.lock rwl,
 @{HOME}/.qt/** rw,
 @{HOME}/.config/Trolltech.conf rwk,
 

profiles/apparmor.d/abstractions/ldapclient

@@ -0,0 +1,21 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2011 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  # files required by LDAP clients (e.g. nss_ldap/pam_ldap)
+  /etc/ldap.conf            r,
+  /etc/ldap.secret          r,
+  /etc/openldap/*           r,
+  /etc/openldap/cacerts/*   r,
+
+  # SASL plugins and config
+  /etc/sasl2/*              r,
+  /usr/lib{,32,64}/sasl2/*  r,
+
+  #include <abstractions/ssl_certs>

profiles/apparmor.d/abstractions/nameservice

@@ -16,8 +16,6 @@
   /etc/group              r,
   /etc/host.conf          r,
   /etc/hosts              r,
-  /etc/ldap.conf          r,
-  /etc/ldap.secret        r,
   /etc/nsswitch.conf      r,
   /etc/gai.conf           r,
   /etc/passwd             r,
@@ -32,9 +30,6 @@
 
   /etc/samba/lmhosts      r,
   /etc/services           r,
-  # all openldap config
-  /etc/openldap/*         r,
-  /etc/ldap/**            r,
   # db backend
   /var/lib/misc/*.db      r,
   # The Name Service Cache Daemon can cache lookups, sometimes leading
@@ -60,6 +55,9 @@
   # nis
   #include <abstractions/nis>
 
+  # ldap
+  #include <abstractions/ldapclient>
+
   # winbind
   #include <abstractions/winbind>
 

profiles/apparmor.d/abstractions/p11-kit

@@ -0,0 +1,21 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2012 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  /etc/pkcs11/ r,
+  /etc/pkcs11/pkcs11.conf r,
+  /etc/pkcs11/modules/ r,
+  /etc/pkcs11/modules/* r,
+
+  /usr/lib{,32,64}/pkcs11/*.so mr,
+  /usr/lib/@{multiarch}/pkcs11/*.so mr,
+
+  # p11-kit also supports reading user configuration from ~/.pkcs11 depending
+  # on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be
+  # included in this abstraction.

profiles/apparmor.d/abstractions/private-files

@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
-# privacy-violations contains rules for common files that you want to explicity
-# deny access
+# privacy-violations contains rules for common files that you want to
+# explicitly deny access
 
   # privacy violations (don't audit files under $HOME otherwise get a
   # lot of false positives when reading contents of directories)
@@ -15,7 +15,9 @@
   # special attention to (potentially) executable files
   audit deny @{HOME}/bin/** wl,
   audit deny @{HOME}/.config/autostart/** wl,
-  audit deny @{HOME}/.kde/Autostart/** wl,
+  audit deny @{HOME}/.kde{,4}/Autostart/** wl,
+  audit deny @{HOME}/.kde{,4}/env/** wl,
+  audit deny @{HOME}/.pki/nssdb/*.so{,.[0-9]*} wl,
 
   # don't allow reading/updating of run control files
   deny @{HOME}/.*rc mrk,

profiles/apparmor.d/abstractions/private-files-strict

@@ -1,6 +1,6 @@
 # vim:syntax=apparmor
 # privacy-violations-strict contains additional rules for sensitive
-# files that you want to explicity deny access
+# files that you want to explicitly deny access
 
   #include <abstractions/private-files>
 
@@ -13,6 +13,6 @@
   audit deny @{HOME}/.{,mozilla-}thunderbird/** mrwkl,
   audit deny @{HOME}/.evolution/** mrwkl,
   audit deny @{HOME}/.config/evolution/** mrwkl,
-  audit deny @{HOME}/.kde/share/apps/kmail/** mrwkl,
-  audit deny @{HOME}/.kde/share/apps/kwallet/** mrwkl,
+  audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/** mrwkl,
+  audit deny @{HOME}/.kde{,4}/share/apps/kwallet/** mrwkl,
 

profiles/apparmor.d/abstractions/python

@@ -29,3 +29,9 @@
 
   # wx paths
   /usr/lib/wx/python/*.pth r,
+
+  # python build configuration and headers
+  /usr/include/python{2,3}.[0-7]*/pyconfig.h r,
+
+  # python setup script used by apport
+  /etc/python{2,3}.[0-7]*/sitecustomize.py r,

profiles/apparmor.d/abstractions/ubuntu-bittorrent-clients

@@ -10,4 +10,4 @@
   /usr/bin/kget PUxr,
   /usr/bin/ktorrent PUxr,
   /usr/bin/qbittorrent PUxr,
-  /usr/bin/transmission PUxr,
+  /usr/bin/transmission{,-gtk,-qt,-cli} PUxr,

profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia

@@ -46,3 +46,11 @@
   /opt/google/talkplugin/lib/*.so mr,
   /opt/google/talkplugin/GoogleTalkPlugin ixr,
   owner @{HOME}/.config/google-googletalkplugin/** rw,
+
+  # If we allow the above, nvidia based systems will also need these
+  /dev/nvidactl rw,
+  /dev/nvidia0 rw,
+  @{PROC}/interrupts r,
+
+  # Virus scanners
+  /usr/bin/clamscan PUx,

profiles/apparmor.d/abstractions/ubuntu-browsers.d/text-editors

@@ -8,3 +8,4 @@
   /usr/bin/vim.gnome PUxr,
   /usr/bin/leafpad PUxr,
   /usr/bin/mousepad PUxr,
+  /usr/bin/kate PUxr,

profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration

@@ -7,6 +7,7 @@
   /usr/bin/apturl PUxr,
   /usr/bin/gnome-codec-install PUxr,
   /usr/lib/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner ix,
+  /usr/share/software-center/software-center PUxr,
 
   # Input Methods
   /usr/bin/scim PUx,
@@ -14,10 +15,13 @@
 
   # File managers
   /usr/bin/nautilus PUxr,
-  /usr/bin/thunar PUxr,
+  /usr/bin/{t,T}hunar PUxr,
 
   # Themes
   /usr/bin/gnome-appearance-properties PUxr,
 
   # Kubuntu
   /usr/lib/mozilla/kmozillahelper PUxr,
+
+  # Exo-aware applications
+  /usr/bin/exo-open ixr,

profiles/apparmor.d/abstractions/ubuntu-browsers.d/user-files

@@ -11,7 +11,7 @@
   #include <abstractions/private-files>
   audit deny @{HOME}/.ssh/** mrwkl,
   audit deny @{HOME}/.gnome2_private/** mrwkl,
-  audit deny @{HOME}/.kde/share/apps/kwallet/** mrwkl,
+  audit deny @{HOME}/.kde{,4}/share/apps/kwallet/** mrwkl,
 
   # Comment this out if using gpg plugin/addons
   audit deny @{HOME}/.gnupg/** mrwkl,

profiles/apparmor.d/abstractions/ubuntu-media-players

@@ -4,6 +4,7 @@
 #
   /usr/bin/amarok PUxr,
   /usr/bin/audacious2 PUxr,
+  /usr/bin/audacity PUxr,
   /usr/bin/bangarang PUxr,
   /usr/bin/banshee PUxr,
   /usr/bin/banshee-1 PUxr,

profiles/apparmor.d/abstractions/winbind

@@ -13,7 +13,7 @@
   /tmp/.winbindd/pipe  rw,
   /var/{lib,run}/samba/winbindd_privileged/pipe rw,
   /etc/samba/smb.conf         r,
-  /usr/lib/samba/valid.dat    r,
-  /usr/lib/samba/upcase.dat   r,
-  /usr/lib/samba/lowcase.dat  r,
+  /usr/lib*/samba/valid.dat   r,
+  /usr/lib*/samba/upcase.dat  r,
+  /usr/lib*/samba/lowcase.dat r,
 

profiles/apparmor.d/sbin.syslog-ng

@@ -23,6 +23,7 @@
 
   capability chown,
   capability dac_override,
+  capability dac_read_search,
   capability fsetid,
   capability fowner,
   capability sys_tty_config,

profiles/apparmor.d/usr.lib.dovecot.deliver

@@ -8,7 +8,11 @@
   capability setgid,
   capability setuid,
 
+  # http://www.postfix.org/SASL_README.html#server_dovecot
+  /etc/dovecot/dovecot.conf r,
+  /etc/dovecot/{auth,conf}.d/*.conf r,
   /etc/dovecot/dovecot-postfix.conf r,
+
   @{HOME} r,
   @{HOME}/Maildir/ rw,
   @{HOME}/Maildir/** klrw,

profiles/apparmor.d/usr.sbin.avahi-daemon

@@ -2,6 +2,7 @@
 /usr/sbin/avahi-daemon {
   #include <abstractions/base>
   #include <abstractions/consoles>
+  #include <abstractions/dbus>
   #include <abstractions/nameservice>
 
   capability chown,
@@ -19,10 +20,10 @@
   /proc/*/fd/ r,
   /usr/sbin/avahi-daemon mr,
   /usr/share/avahi/introspection/*.introspect r,
+  /usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r,
   /{,var/}run/avahi-daemon/ w,
   /{,var/}run/avahi-daemon/pid krw,
   /{,var/}run/avahi-daemon/socket w,
-  /{,var/}run/dbus/system_bus_socket w,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.sbin.avahi-daemon>

profiles/apparmor.d/usr.sbin.dnsmasq

@@ -9,6 +9,8 @@
 #
 # ------------------------------------------------------------------
 
+@{TFTP_DIR}=/var/tftp
+
 #include <tunables/global>
 /usr/sbin/dnsmasq {
   #include <abstractions/base>
@@ -36,6 +38,10 @@
 
   /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
 
+  # for the read-only TFTP server
+  @{TFTP_DIR}/ r,
+  @{TFTP_DIR}/** r,
+
   # libvirt lease and hosts files for dnsmasq
   /var/lib/libvirt/dnsmasq/            r,
   /var/lib/libvirt/dnsmasq/*.leases rw,

profiles/apparmor.d/usr.sbin.smbd

@@ -21,11 +21,17 @@
   capability sys_tty_config,
 
   /etc/mtab r,
+  /etc/netgroup r,
   /etc/printcap r,
+  /etc/samba/* rwk,
   /proc/*/mounts r,
   /proc/sys/kernel/core_pattern r,
+  /usr/lib*/samba/vfs/*.so mr,
+  /usr/lib*/samba/charset/*.so mr,
+  /usr/lib*/samba/auth/script.so mr,
+  /usr/lib*/samba/{lowercase,upcase,valid}.dat r,
   /usr/sbin/smbd mr,
-  /etc/samba/* rwk,
+  /usr/sbin/smbldap-useradd Px,
   /var/cache/samba/** rwk,
   /var/cache/samba/printing/printers.tdb mrw,
   /var/lib/samba/** rwk,

profiles/apparmor.d/usr.sbin.smbldap-useradd

@@ -0,0 +1,37 @@
+# Last Modified: Tue Jan  3 00:17:40 2012
+#include <tunables/global>
+
+/usr/sbin/smbldap-useradd {
+  #include <abstractions/base>
+  #include <abstractions/bash>
+  #include <abstractions/nameservice>
+  #include <abstractions/perl>
+
+  /dev/tty rw,
+  /bin/bash ix,
+  /etc/init.d/nscd Cx,
+  /etc/shadow r,
+  /etc/smbldap-tools/smbldap.conf r,
+  /etc/smbldap-tools/smbldap_bind.conf r,
+  /usr/sbin/smbldap-useradd r,
+  /usr/sbin/smbldap_tools.pm r,
+  /var/log/samba/log.smbd w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.smbldap-useradd>
+
+  profile /etc/init.d/nscd {
+    #include <abstractions/base>
+    #include <abstractions/nameservice>
+
+    capability sys_ptrace,
+
+    /bin/bash r,
+    /bin/mountpoint rix,
+    /bin/systemctl rix,
+    /dev/tty rw,
+    /etc/init.d/nscd r,
+    /etc/rc.status r,
+
+  }
+}

profiles/apparmor.d/usr.sbin.traceroute

@@ -18,6 +18,7 @@
   capability net_raw,
 
   network inet raw,
+  network inet6 raw,
 
   /usr/sbin/traceroute rmix,
   @{PROC}/net/route r,

profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork

@@ -12,6 +12,7 @@
 #include <tunables/global>
 
 /usr/sbin/httpd2-prefork {
+  #include <abstractions/apache2-common>
   #include <abstractions/base>
   #include <abstractions/consoles>
   #include <abstractions/kerberosclient>
@@ -78,8 +79,6 @@
   /usr/local/tomcat/conf/mod_jk.conf r,
   /usr/local/tomcat/conf/workers-ajp12.properties r,
   /usr/sbin/httpd2-prefork r,
-  /usr/share/apache2/error/* r,
-  /usr/share/apache2/error/include/* r,
   /usr/share/misc/magic.mime r,
   /usr/share/snmp/mibs r,
   /usr/share/snmp/mibs/*.{txt,mib} r,
@@ -125,21 +124,20 @@
   /srv/www/icons/*.{gif,jpg,png}     r,
   /srv/www/vhosts                    r,
   /srv/www/vhosts/**                 r,
-  # SuSE location of the apache manual + error pages
-  /usr/share/apache2/**              r,
 
   # php session state
   /var/lib/php/sess_*                rwl,
 
 
   ^HANDLING_UNTRUSTED_INPUT {
-    #include <abstractions/nameservice>
+    #include <abstractions/apache2-common>
     /var/log/apache2/*     w,
-    /**.htaccess           r,
+    audit /.htaccess       r, # WARNING: .htaccess directly in / will be disallowed in future versions 
+                              # (.htaccess in subdirectories is and will stay allowed by abstractions/apache2-common)
   }
 
   ^DEFAULT_URI {
-    #include <abstractions/nameservice>
+    #include <abstractions/apache2-common>
     #include <abstractions/base>
 
     # Note that mod_perl, mod_php, mod_python, etc, allows in-apache
@@ -176,8 +174,6 @@
     /srv/www/icons/*.{gif,jpg,png}     r,
     /srv/www/vhosts                    r,
     /srv/www/vhosts/**                 r,
-    # SuSE location of the apache manual + error pages
-    /usr/share/apache2/**              r,
 
     # php session state
     /var/lib/php/sess_*                rwl,

profiles/apparmor/profiles/extras/usr.sbin.sshd

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2005 Novell/SUSE
+#    Copyright (C) 2012 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -33,6 +34,7 @@
 
   /dev/ptmx rw,
   /dev/urandom r,
+  /etc/default/locale r,
   /etc/environment r,
   /etc/hosts.allow r,
   /etc/hosts.deny r,
@@ -55,10 +57,12 @@
   /bin/bash2 rUx,
   /bin/bsh rUx,
   /bin/csh rUx,
+  /bin/dash rUx,
   /bin/ksh rUx,
   /bin/sh rUx,
   /bin/tcsh rUx,
   /bin/zsh rUx,
+  /bin/zsh4 rUx,
   /sbin/nologin rUx,
 
 # Call passwd for password change when expired
@@ -74,6 +78,7 @@
 
 # duplicated from AUTHENTICATED
   /etc/motd r,
+  /{,var/}run/motd r,
   /tmp/ssh-*/agent.[0-9]* rwl,
 
   /tmp/ssh-*[0-9]*/ w,
@@ -89,10 +94,12 @@
     /bin/bash2 Ux,
     /bin/bsh Ux,
     /bin/csh Ux,
+    /bin/dash Ux,
     /bin/ksh Ux,
     /bin/sh Ux,
     /bin/tcsh Ux,
     /bin/zsh Ux,
+    /bin/zsh4 Ux,
     /sbin/nologin Ux,
 
 # for debugging
@@ -161,6 +168,7 @@
     /etc/localtime r,
     /etc/login.defs r,
     /etc/motd r,
+    /{,var/}run/motd r,
     /tmp/ssh-*/agent.[0-9]* rwl,
     /tmp/ssh-*[0-9]*/ w,
 

utils/Immunix/AppArmor.pm

@@ -770,12 +770,18 @@ sub create_new_profile($) {
         my $hashbang = head($fqdbin);
         if ($hashbang && $hashbang =~ /^#!\s*(\S+)/) {
             my $interpreter = get_full_path($1);
+            $profile->{$fqdbin}{allow}{path}->{$fqdbin}{mode} |= str_to_mode("r");
+            $profile->{$fqdbin}{allow}{path}->{$fqdbin}{mode} |= 0;
             $profile->{$fqdbin}{allow}{path}->{$interpreter}{mode} |= str_to_mode("ix");
             $profile->{$fqdbin}{allow}{path}->{$interpreter}{audit} |= 0;
             if ($interpreter =~ /perl/) {
                 $profile->{$fqdbin}{include}->{"abstractions/perl"} = 1;
             } elsif ($interpreter =~ m/\/bin\/(bash|sh)/) {
                 $profile->{$fqdbin}{include}->{"abstractions/bash"} = 1;
+            } elsif ($interpreter =~ m/python/) {
+                $profile->{$fqdbin}{include}->{"abstractions/python"} = 1;
+            } elsif ($interpreter =~ m/ruby/) {
+                $profile->{$fqdbin}{include}->{"abstractions/ruby"} = 1;
             }
             handle_binfmt($profile->{$fqdbin}, $interpreter);
         } else {
@@ -2860,6 +2866,7 @@ sub add_event_to_tree ($) {
     } elsif ($e->{operation} eq "open" ||
              $e->{operation} eq "truncate" ||
              $e->{operation} eq "mkdir" ||
+             $e->{operation} eq "mknod" ||
              $e->{operation} eq "rename_src" ||
              $e->{operation} eq "rename_dest" ||
              $e->{operation} =~ m/^(unlink|rmdir|symlink_create|link)$/) {

utils/Makefile

@@ -36,7 +36,7 @@ MODULES = ${MODDIR}/AppArmor.pm ${MODDIR}/Repository.pm \
 MANPAGES = ${TOOLS:=.8} logprof.conf.5
 
 all: ${MANPAGES} ${HTMLMANPAGES}
-	make -C po all
+	$(MAKE) -C po all
 
 # need some better way of determining this
 DESTDIR=/
@@ -46,7 +46,7 @@ VENDOR_PERL=$(shell perl -e 'use Config; print $$Config{"vendorlib"};')
 PERLDIR=${DESTDIR}${VENDOR_PERL}/${MODDIR}
 
 po/${NAME}.pot: ${TOOLS}
-	make -C po ${NAME}.pot NAME=${NAME} SOURCES="${TOOLS} ${MODULES}"
+	$(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${TOOLS} ${MODULES}"
 
 .PHONY: install
 install: ${MANPAGES} ${HTMLMANPAGES}
@@ -57,8 +57,8 @@ install: ${MANPAGES} ${HTMLMANPAGES}
 	install -m 755 ${TOOLS} ${BINDIR}
 	install -d ${PERLDIR}
 	install -m 644 ${MODULES} ${PERLDIR}
-	make -C po install DESTDIR=${DESTDIR} NAME=${NAME}
-	make install_manpages DESTDIR=${DESTDIR}
+	$(MAKE) -C po install DESTDIR=${DESTDIR} NAME=${NAME}
+	$(MAKE) install_manpages DESTDIR=${DESTDIR}
 	ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8
 
 .PHONY: clean
@@ -66,7 +66,7 @@ install: ${MANPAGES} ${HTMLMANPAGES}
 clean: _clean
 	rm -f core core.* *.o *.s *.a *~
 	rm -f Make.rules
-	make -C po clean
+	$(MAKE) -C po clean
 
 check:
 	for i in ${MODULES} ${PERLTOOLS} ; do \

utils/aa-notify

@@ -151,7 +151,7 @@ if (-s $conf) {
     if (defined($prefs{use_group})) {
         my ($name, $passwd, $gid, $members) = getgrnam($prefs{use_group});
         if (not defined($members) or not defined($login) or (not grep { $_ eq $login } split(/ /, $members) and $login ne "root")) {
-            _error("'$login' must be in '$prefs{use_group}' group. Aborting");
+            _error("'$login' must be in '$prefs{use_group}' group. Aborting.\nAsk your admin to add you to this group or to change the group in\n$conf if you want to use aa-notify.");
         }
     }
 }