Bump version to apparmor 2.8.0

constructor in a union.  Change the ProtoState class to use an init fn
instead of a constructor.

common/Version

@@ -1 +1 @@
-2.7.102
+2.8.0

kernel-patches/3.2/0001-AppArmor-compatibility-patch-for-v5-network-controll.patch

@@ -0,0 +1,553 @@
+From 125fccb600288968aa3395883c0a394c47176fcd Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 10 Aug 2011 22:02:39 -0700
+Subject: [PATCH 1/3] AppArmor: compatibility patch for v5 network controll
+
+Add compatibility for v5 network rules.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ include/linux/lsm_audit.h          |    4 +
+ security/apparmor/Makefile         |   19 +++-
+ security/apparmor/include/net.h    |   40 +++++++++
+ security/apparmor/include/policy.h |    3 +
+ security/apparmor/lsm.c            |  112 ++++++++++++++++++++++++
+ security/apparmor/net.c            |  170 ++++++++++++++++++++++++++++++++++++
+ security/apparmor/policy.c         |    1 +
+ security/apparmor/policy_unpack.c  |   48 +++++++++-
+ 8 files changed, 394 insertions(+), 3 deletions(-)
+ create mode 100644 security/apparmor/include/net.h
+ create mode 100644 security/apparmor/net.c
+
+diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
+index 88e78de..c63979a 100644
+--- a/include/linux/lsm_audit.h
++++ b/include/linux/lsm_audit.h
+@@ -124,6 +124,10 @@ struct common_audit_data {
+ 					u32 denied;
+ 					uid_t ouid;
+ 				} fs;
++				struct {
++					int type, protocol;
++					struct sock *sk;
++				} net;
+ 			};
+ 		} apparmor_audit_data;
+ #endif
+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
+index 2dafe50..7cefef9 100644
+--- a/security/apparmor/Makefile
++++ b/security/apparmor/Makefile
+@@ -4,9 +4,9 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+ 
+ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
+-              resource.o sid.o file.o
++              resource.o sid.o file.o net.o
+ 
+-clean-files := capability_names.h rlim_names.h
++clean-files := capability_names.h rlim_names.h af_names.h
+ 
+ 
+ # Build a lower case string table of capability names
+@@ -44,9 +44,24 @@ cmd_make-rlim = echo "static const char *rlim_names[] = {" > $@ ;\
+ 	sed -r -n "s/^\# ?define[ \t]+(RLIMIT_[A-Z0-9_]+).*/\1,/p" $< >> $@ ;\
+ 	echo "};" >> $@
+ 
++# Build a lower case string table of address family names.
++# Transform lines from
++# #define AF_INET		2	/* Internet IP Protocol 	*/
++# to
++# [2] = "inet",
++quiet_cmd_make-af = GEN     $@
++cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\
++	sed $< >> $@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e \
++	  's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+).*/[\2] = "\L\1",/p';\
++	echo "};" >> $@
++
++
+ $(obj)/capability.o : $(obj)/capability_names.h
+ $(obj)/resource.o : $(obj)/rlim_names.h
++$(obj)/net.o : $(obj)/af_names.h
+ $(obj)/capability_names.h : $(srctree)/include/linux/capability.h
+ 	$(call cmd,make-caps)
+ $(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h
+ 	$(call cmd,make-rlim)
++$(obj)/af_names.h : $(srctree)/include/linux/socket.h
++	$(call cmd,make-af)
+\ No newline at end of file
+diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
+new file mode 100644
+index 0000000..3c7d599
+--- /dev/null
++++ b/security/apparmor/include/net.h
+@@ -0,0 +1,40 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor network mediation definitions.
++ *
++ * Copyright (C) 1998-2008 Novell/SUSE
++ * Copyright 2009-2010 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ */
++
++#ifndef __AA_NET_H
++#define __AA_NET_H
++
++#include <net/sock.h>
++
++/* struct aa_net - network confinement data
++ * @allowed: basic network families permissions
++ * @audit_network: which network permissions to force audit
++ * @quiet_network: which network permissions to quiet rejects
++ */
++struct aa_net {
++	u16 allow[AF_MAX];
++	u16 audit[AF_MAX];
++	u16 quiet[AF_MAX];
++};
++
++extern int aa_net_perm(int op, struct aa_profile *profile, u16 family,
++		       int type, int protocol, struct sock *sk);
++extern int aa_revalidate_sk(int op, struct sock *sk);
++
++static inline void aa_free_net_rules(struct aa_net *new)
++{
++	/* NOP */
++}
++
++#endif /* __AA_NET_H */
+diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
+index aeda5cf..6776929 100644
+--- a/security/apparmor/include/policy.h
++++ b/security/apparmor/include/policy.h
+@@ -27,6 +27,7 @@
+ #include "capability.h"
+ #include "domain.h"
+ #include "file.h"
++#include "net.h"
+ #include "resource.h"
+ 
+ extern const char *profile_mode_names[];
+@@ -145,6 +146,7 @@ struct aa_namespace {
+  * @size: the memory consumed by this profiles rules
+  * @file: The set of rules governing basic file access and domain transitions
+  * @caps: capabilities for the profile
++ * @net: network controls for the profile
+  * @rlimits: rlimits for the profile
+  *
+  * The AppArmor profile contains the basic confinement data.  Each profile
+@@ -181,6 +183,7 @@ struct aa_profile {
+ 
+ 	struct aa_file_rules file;
+ 	struct aa_caps caps;
++	struct aa_net net;
+ 	struct aa_rlimit rlimits;
+ };
+ 
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index 3783202..7459547 100644
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -32,6 +32,7 @@
+ #include "include/context.h"
+ #include "include/file.h"
+ #include "include/ipc.h"
++#include "include/net.h"
+ #include "include/path.h"
+ #include "include/policy.h"
+ #include "include/procattr.h"
+@@ -621,6 +622,104 @@ static int apparmor_task_setrlimit(struct task_struct *task,
+ 	return error;
+ }
+ 
++static int apparmor_socket_create(int family, int type, int protocol, int kern)
++{
++	struct aa_profile *profile;
++	int error = 0;
++
++	if (kern)
++		return 0;
++
++	profile = __aa_current_profile();
++	if (!unconfined(profile))
++		error = aa_net_perm(OP_CREATE, profile, family, type, protocol,
++				    NULL);
++	return error;
++}
++
++static int apparmor_socket_bind(struct socket *sock,
++				struct sockaddr *address, int addrlen)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_BIND, sk);
++}
++
++static int apparmor_socket_connect(struct socket *sock,
++				   struct sockaddr *address, int addrlen)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_CONNECT, sk);
++}
++
++static int apparmor_socket_listen(struct socket *sock, int backlog)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_LISTEN, sk);
++}
++
++static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_ACCEPT, sk);
++}
++
++static int apparmor_socket_sendmsg(struct socket *sock,
++				   struct msghdr *msg, int size)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_SENDMSG, sk);
++}
++
++static int apparmor_socket_recvmsg(struct socket *sock,
++				   struct msghdr *msg, int size, int flags)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_RECVMSG, sk);
++}
++
++static int apparmor_socket_getsockname(struct socket *sock)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_GETSOCKNAME, sk);
++}
++
++static int apparmor_socket_getpeername(struct socket *sock)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_GETPEERNAME, sk);
++}
++
++static int apparmor_socket_getsockopt(struct socket *sock, int level,
++				      int optname)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_GETSOCKOPT, sk);
++}
++
++static int apparmor_socket_setsockopt(struct socket *sock, int level,
++				      int optname)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_SETSOCKOPT, sk);
++}
++
++static int apparmor_socket_shutdown(struct socket *sock, int how)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
++}
++
+ static struct security_operations apparmor_ops = {
+ 	.name =				"apparmor",
+ 
+@@ -652,6 +751,19 @@ static struct security_operations apparmor_ops = {
+ 	.getprocattr =			apparmor_getprocattr,
+ 	.setprocattr =			apparmor_setprocattr,
+ 
++	.socket_create =		apparmor_socket_create,
++	.socket_bind =			apparmor_socket_bind,
++	.socket_connect =		apparmor_socket_connect,
++	.socket_listen =		apparmor_socket_listen,
++	.socket_accept =		apparmor_socket_accept,
++	.socket_sendmsg =		apparmor_socket_sendmsg,
++	.socket_recvmsg =		apparmor_socket_recvmsg,
++	.socket_getsockname =		apparmor_socket_getsockname,
++	.socket_getpeername =		apparmor_socket_getpeername,
++	.socket_getsockopt =		apparmor_socket_getsockopt,
++	.socket_setsockopt =		apparmor_socket_setsockopt,
++	.socket_shutdown =		apparmor_socket_shutdown,
++
+ 	.cred_alloc_blank =		apparmor_cred_alloc_blank,
+ 	.cred_free =			apparmor_cred_free,
+ 	.cred_prepare =			apparmor_cred_prepare,
+diff --git a/security/apparmor/net.c b/security/apparmor/net.c
+new file mode 100644
+index 0000000..1765901
+--- /dev/null
++++ b/security/apparmor/net.c
+@@ -0,0 +1,170 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor network mediation
++ *
++ * Copyright (C) 1998-2008 Novell/SUSE
++ * Copyright 2009-2010 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ */
++
++#include "include/apparmor.h"
++#include "include/audit.h"
++#include "include/context.h"
++#include "include/net.h"
++#include "include/policy.h"
++
++#include "af_names.h"
++
++static const char *sock_type_names[] = {
++	"unknown(0)",
++	"stream",
++	"dgram",
++	"raw",
++	"rdm",
++	"seqpacket",
++	"dccp",
++	"unknown(7)",
++	"unknown(8)",
++	"unknown(9)",
++	"packet",
++};
++
++/* audit callback for net specific fields */
++static void audit_cb(struct audit_buffer *ab, void *va)
++{
++	struct common_audit_data *sa = va;
++
++	audit_log_format(ab, " family=");
++	if (address_family_names[sa->u.net.family]) {
++		audit_log_string(ab, address_family_names[sa->u.net.family]);
++	} else {
++		audit_log_format(ab, " \"unknown(%d)\"", sa->u.net.family);
++	}
++
++	audit_log_format(ab, " sock_type=");
++	if (sock_type_names[sa->aad.net.type]) {
++		audit_log_string(ab, sock_type_names[sa->aad.net.type]);
++	} else {
++		audit_log_format(ab, "\"unknown(%d)\"", sa->aad.net.type);
++	}
++
++	audit_log_format(ab, " protocol=%d", sa->aad.net.protocol);
++}
++
++/**
++ * audit_net - audit network access
++ * @profile: profile being enforced  (NOT NULL)
++ * @op: operation being checked
++ * @family: network family
++ * @type:   network type
++ * @protocol: network protocol
++ * @sk: socket auditing is being applied to
++ * @error: error code for failure else 0
++ *
++ * Returns: %0 or sa->error else other errorcode on failure
++ */
++static int audit_net(struct aa_profile *profile, int op, u16 family, int type,
++		     int protocol, struct sock *sk, int error)
++{
++	int audit_type = AUDIT_APPARMOR_AUTO;
++	struct common_audit_data sa;
++	if (sk) {
++		COMMON_AUDIT_DATA_INIT(&sa, NET);
++	} else {
++		COMMON_AUDIT_DATA_INIT(&sa, NONE);
++	}
++	/* todo fill in socket addr info */
++
++	sa.aad.op = op,
++	sa.u.net.family = family;
++	sa.u.net.sk = sk;
++	sa.aad.net.type = type;
++	sa.aad.net.protocol = protocol;
++	sa.aad.error = error;
++
++	if (likely(!sa.aad.error)) {
++		u16 audit_mask = profile->net.audit[sa.u.net.family];
++		if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
++			   !(1 << sa.aad.net.type & audit_mask)))
++			return 0;
++		audit_type = AUDIT_APPARMOR_AUDIT;
++	} else {
++		u16 quiet_mask = profile->net.quiet[sa.u.net.family];
++		u16 kill_mask = 0;
++		u16 denied = (1 << sa.aad.net.type) & ~quiet_mask;
++
++		if (denied & kill_mask)
++			audit_type = AUDIT_APPARMOR_KILL;
++
++		if ((denied & quiet_mask) &&
++		    AUDIT_MODE(profile) != AUDIT_NOQUIET &&
++		    AUDIT_MODE(profile) != AUDIT_ALL)
++			return COMPLAIN_MODE(profile) ? 0 : sa.aad.error;
++	}
++
++	return aa_audit(audit_type, profile, GFP_KERNEL, &sa, audit_cb);
++}
++
++/**
++ * aa_net_perm - very course network access check
++ * @op: operation being checked
++ * @profile: profile being enforced  (NOT NULL)
++ * @family: network family
++ * @type:   network type
++ * @protocol: network protocol
++ *
++ * Returns: %0 else error if permission denied
++ */
++int aa_net_perm(int op, struct aa_profile *profile, u16 family, int type,
++		int protocol, struct sock *sk)
++{
++	u16 family_mask;
++	int error;
++
++	if ((family < 0) || (family >= AF_MAX))
++		return -EINVAL;
++
++	if ((type < 0) || (type >= SOCK_MAX))
++		return -EINVAL;
++
++	/* unix domain and netlink sockets are handled by ipc */
++	if (family == AF_UNIX || family == AF_NETLINK)
++		return 0;
++
++	family_mask = profile->net.allow[family];
++
++	error = (family_mask & (1 << type)) ? 0 : -EACCES;
++
++	return audit_net(profile, op, family, type, protocol, sk, error);
++}
++
++/**
++ * aa_revalidate_sk - Revalidate access to a sock
++ * @op: operation being checked
++ * @sk: sock being revalidated  (NOT NULL)
++ *
++ * Returns: %0 else error if permission denied
++ */
++int aa_revalidate_sk(int op, struct sock *sk)
++{
++	struct aa_profile *profile;
++	int error = 0;
++
++	/* aa_revalidate_sk should not be called from interrupt context
++	 * don't mediate these calls as they are not task related
++	 */
++	if (in_interrupt())
++		return 0;
++
++	profile = __aa_current_profile();
++	if (!unconfined(profile))
++		error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type,
++				    sk->sk_protocol, sk);
++
++	return error;
++}
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index 4f0eade..4d5ce13 100644
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -745,6 +745,7 @@ static void free_profile(struct aa_profile *profile)
+ 
+ 	aa_free_file_rules(&profile->file);
+ 	aa_free_cap_rules(&profile->caps);
++	aa_free_net_rules(&profile->net);
+ 	aa_free_rlimit_rules(&profile->rlimits);
+ 
+ 	aa_free_sid(profile->sid);
+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
+index 741dd13..ee8043e 100644
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -190,6 +190,19 @@ fail:
+ 	return 0;
+ }
+ 
++static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name)
++{
++	if (unpack_nameX(e, AA_U16, name)) {
++		if (!inbounds(e, sizeof(u16)))
++			return 0;
++		if (data)
++			*data = le16_to_cpu(get_unaligned((u16 *) e->pos));
++		e->pos += sizeof(u16);
++		return 1;
++	}
++	return 0;
++}
++
+ static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
+ {
+ 	if (unpack_nameX(e, AA_U32, name)) {
+@@ -468,7 +481,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ {
+ 	struct aa_profile *profile = NULL;
+ 	const char *name = NULL;
+-	int error = -EPROTO;
++	size_t size = 0;
++	int i, error = -EPROTO;
+ 	kernel_cap_t tmpcap;
+ 	u32 tmp;
+ 
+@@ -559,6 +573,38 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ 	if (!unpack_rlimits(e, profile))
+ 		goto fail;
+ 
++	size = unpack_array(e, "net_allowed_af");
++	if (size) {
++
++		for (i = 0; i < size; i++) {
++			/* discard extraneous rules that this kernel will
++			 * never request
++			 */
++			if (i >= AF_MAX) {
++				u16 tmp;
++				if (!unpack_u16(e, &tmp, NULL) ||
++				    !unpack_u16(e, &tmp, NULL) ||
++				    !unpack_u16(e, &tmp, NULL))
++					goto fail;
++				continue;
++			}
++			if (!unpack_u16(e, &profile->net.allow[i], NULL))
++				goto fail;
++			if (!unpack_u16(e, &profile->net.audit[i], NULL))
++				goto fail;
++			if (!unpack_u16(e, &profile->net.quiet[i], NULL))
++				goto fail;
++		}
++		if (!unpack_nameX(e, AA_ARRAYEND, NULL))
++			goto fail;
++		/*
++		 * allow unix domain and netlink sockets they are handled
++		 * by IPC
++		 */
++	}
++	profile->net.allow[AF_UNIX] = 0xffff;
++	profile->net.allow[AF_NETLINK] = 0xffff;
++
+ 	/* get file rules */
+ 	profile->file.dfa = unpack_dfa(e);
+ 	if (IS_ERR(profile->file.dfa)) {
+-- 
+1.7.9.5
+

kernel-patches/3.2/0002-AppArmor-compatibility-patch-for-v5-interface.patch

@@ -0,0 +1,391 @@
+From 004192fb5223c7b81a949e36a080a5da56132826 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 10 Aug 2011 22:02:40 -0700
+Subject: [PATCH 2/3] AppArmor: compatibility patch for v5 interface
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ security/apparmor/Kconfig              |    9 +
+ security/apparmor/Makefile             |    1 +
+ security/apparmor/apparmorfs-24.c      |  287 ++++++++++++++++++++++++++++++++
+ security/apparmor/apparmorfs.c         |   18 +-
+ security/apparmor/include/apparmorfs.h |    6 +
+ 5 files changed, 319 insertions(+), 2 deletions(-)
+ create mode 100644 security/apparmor/apparmorfs-24.c
+
+diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
+index 9b9013b..51ebf96 100644
+--- a/security/apparmor/Kconfig
++++ b/security/apparmor/Kconfig
+@@ -29,3 +29,12 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE
+ 	  boot.
+ 
+ 	  If you are unsure how to answer this question, answer 1.
++
++config SECURITY_APPARMOR_COMPAT_24
++	bool "Enable AppArmor 2.4 compatability"
++	depends on SECURITY_APPARMOR
++	default y
++	help
++	  This option enables compatability with AppArmor 2.4.  It is
++          recommended if compatability with older versions of AppArmor
++          is desired.
+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
+index 7cefef9..0bb604b 100644
+--- a/security/apparmor/Makefile
++++ b/security/apparmor/Makefile
+@@ -5,6 +5,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
+               resource.o sid.o file.o net.o
++apparmor-$(CONFIG_SECURITY_APPARMOR_COMPAT_24) += apparmorfs-24.o
+ 
+ clean-files := capability_names.h rlim_names.h af_names.h
+ 
+diff --git a/security/apparmor/apparmorfs-24.c b/security/apparmor/apparmorfs-24.c
+new file mode 100644
+index 0000000..dc8c744
+--- /dev/null
++++ b/security/apparmor/apparmorfs-24.c
+@@ -0,0 +1,287 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor /sys/kernel/secrutiy/apparmor interface functions
++ *
++ * Copyright (C) 1998-2008 Novell/SUSE
++ * Copyright 2009-2010 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ *
++ *
++ * This file contain functions providing an interface for <= AppArmor 2.4
++ * compatibility.  It is dependent on CONFIG_SECURITY_APPARMOR_COMPAT_24
++ * being set (see Makefile).
++ */
++
++#include <linux/security.h>
++#include <linux/vmalloc.h>
++#include <linux/module.h>
++#include <linux/seq_file.h>
++#include <linux/uaccess.h>
++#include <linux/namei.h>
++
++#include "include/apparmor.h"
++#include "include/audit.h"
++#include "include/context.h"
++#include "include/policy.h"
++
++
++/* apparmor/matching */
++static ssize_t aa_matching_read(struct file *file, char __user *buf,
++				size_t size, loff_t *ppos)
++{
++	const char matching[] = "pattern=aadfa audit perms=crwxamlk/ "
++	    "user::other";
++
++	return simple_read_from_buffer(buf, size, ppos, matching,
++				       sizeof(matching) - 1);
++}
++
++const struct file_operations aa_fs_matching_fops = {
++	.read = aa_matching_read,
++};
++
++/* apparmor/features */
++static ssize_t aa_features_read(struct file *file, char __user *buf,
++				size_t size, loff_t *ppos)
++{
++	const char features[] = "file=3.1 capability=2.0 network=1.0 "
++	    "change_hat=1.5 change_profile=1.1 " "aanamespaces=1.1 rlimit=1.1";
++
++	return simple_read_from_buffer(buf, size, ppos, features,
++				       sizeof(features) - 1);
++}
++
++const struct file_operations aa_fs_features_fops = {
++	.read = aa_features_read,
++};
++
++/**
++ * __next_namespace - find the next namespace to list
++ * @root: root namespace to stop search at (NOT NULL)
++ * @ns: current ns position (NOT NULL)
++ *
++ * Find the next namespace from @ns under @root and handle all locking needed
++ * while switching current namespace.
++ *
++ * Returns: next namespace or NULL if at last namespace under @root
++ * NOTE: will not unlock root->lock
++ */
++static struct aa_namespace *__next_namespace(struct aa_namespace *root,
++					     struct aa_namespace *ns)
++{
++	struct aa_namespace *parent;
++
++	/* is next namespace a child */
++	if (!list_empty(&ns->sub_ns)) {
++		struct aa_namespace *next;
++		next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
++		read_lock(&next->lock);
++		return next;
++	}
++
++	/* check if the next ns is a sibling, parent, gp, .. */
++	parent = ns->parent;
++	while (parent) {
++		read_unlock(&ns->lock);
++		list_for_each_entry_continue(ns, &parent->sub_ns, base.list) {
++			read_lock(&ns->lock);
++			return ns;
++		}
++		if (parent == root)
++			return NULL;
++		ns = parent;
++		parent = parent->parent;
++	}
++
++	return NULL;
++}
++
++/**
++ * __first_profile - find the first profile in a namespace
++ * @root: namespace that is root of profiles being displayed (NOT NULL)
++ * @ns: namespace to start in   (NOT NULL)
++ *
++ * Returns: unrefcounted profile or NULL if no profile
++ */
++static struct aa_profile *__first_profile(struct aa_namespace *root,
++					  struct aa_namespace *ns)
++{
++	for ( ; ns; ns = __next_namespace(root, ns)) {
++		if (!list_empty(&ns->base.profiles))
++			return list_first_entry(&ns->base.profiles,
++						struct aa_profile, base.list);
++	}
++	return NULL;
++}
++
++/**
++ * __next_profile - step to the next profile in a profile tree
++ * @profile: current profile in tree (NOT NULL)
++ *
++ * Perform a depth first taversal on the profile tree in a namespace
++ *
++ * Returns: next profile or NULL if done
++ * Requires: profile->ns.lock to be held
++ */
++static struct aa_profile *__next_profile(struct aa_profile *p)
++{
++	struct aa_profile *parent;
++	struct aa_namespace *ns = p->ns;
++
++	/* is next profile a child */
++	if (!list_empty(&p->base.profiles))
++		return list_first_entry(&p->base.profiles, typeof(*p),
++					base.list);
++
++	/* is next profile a sibling, parent sibling, gp, subling, .. */
++	parent = p->parent;
++	while (parent) {
++		list_for_each_entry_continue(p, &parent->base.profiles,
++					     base.list)
++				return p;
++		p = parent;
++		parent = parent->parent;
++	}
++
++	/* is next another profile in the namespace */
++	list_for_each_entry_continue(p, &ns->base.profiles, base.list)
++		return p;
++
++	return NULL;
++}
++
++/**
++ * next_profile - step to the next profile in where ever it may be
++ * @root: root namespace  (NOT NULL)
++ * @profile: current profile  (NOT NULL)
++ *
++ * Returns: next profile or NULL if there isn't one
++ */
++static struct aa_profile *next_profile(struct aa_namespace *root,
++				       struct aa_profile *profile)
++{
++	struct aa_profile *next = __next_profile(profile);
++	if (next)
++		return next;
++
++	/* finished all profiles in namespace move to next namespace */
++	return __first_profile(root, __next_namespace(root, profile->ns));
++}
++
++/**
++ * p_start - start a depth first traversal of profile tree
++ * @f: seq_file to fill
++ * @pos: current position
++ *
++ * Returns: first profile under current namespace or NULL if none found
++ *
++ * acquires first ns->lock
++ */
++static void *p_start(struct seq_file *f, loff_t *pos)
++	__acquires(root->lock)
++{
++	struct aa_profile *profile = NULL;
++	struct aa_namespace *root = aa_current_profile()->ns;
++	loff_t l = *pos;
++	f->private = aa_get_namespace(root);
++
++
++	/* find the first profile */
++	read_lock(&root->lock);
++	profile = __first_profile(root, root);
++
++	/* skip to position */
++	for (; profile && l > 0; l--)
++		profile = next_profile(root, profile);
++
++	return profile;
++}
++
++/**
++ * p_next - read the next profile entry
++ * @f: seq_file to fill
++ * @p: profile previously returned
++ * @pos: current position
++ *
++ * Returns: next profile after @p or NULL if none
++ *
++ * may acquire/release locks in namespace tree as necessary
++ */
++static void *p_next(struct seq_file *f, void *p, loff_t *pos)
++{
++	struct aa_profile *profile = p;
++	struct aa_namespace *root = f->private;
++	(*pos)++;
++
++	return next_profile(root, profile);
++}
++
++/**
++ * p_stop - stop depth first traversal
++ * @f: seq_file we are filling
++ * @p: the last profile writen
++ *
++ * Release all locking done by p_start/p_next on namespace tree
++ */
++static void p_stop(struct seq_file *f, void *p)
++	__releases(root->lock)
++{
++	struct aa_profile *profile = p;
++	struct aa_namespace *root = f->private, *ns;
++
++	if (profile) {
++		for (ns = profile->ns; ns && ns != root; ns = ns->parent)
++			read_unlock(&ns->lock);
++	}
++	read_unlock(&root->lock);
++	aa_put_namespace(root);
++}
++
++/**
++ * seq_show_profile - show a profile entry
++ * @f: seq_file to file
++ * @p: current position (profile)    (NOT NULL)
++ *
++ * Returns: error on failure
++ */
++static int seq_show_profile(struct seq_file *f, void *p)
++{
++	struct aa_profile *profile = (struct aa_profile *)p;
++	struct aa_namespace *root = f->private;
++
++	if (profile->ns != root)
++		seq_printf(f, ":%s://", aa_ns_name(root, profile->ns));
++	seq_printf(f, "%s (%s)\n", profile->base.hname,
++		   COMPLAIN_MODE(profile) ? "complain" : "enforce");
++
++	return 0;
++}
++
++static const struct seq_operations aa_fs_profiles_op = {
++	.start = p_start,
++	.next = p_next,
++	.stop = p_stop,
++	.show = seq_show_profile,
++};
++
++static int profiles_open(struct inode *inode, struct file *file)
++{
++	return seq_open(file, &aa_fs_profiles_op);
++}
++
++static int profiles_release(struct inode *inode, struct file *file)
++{
++	return seq_release(inode, file);
++}
++
++const struct file_operations aa_fs_profiles_fops = {
++	.open = profiles_open,
++	.read = seq_read,
++	.llseek = seq_lseek,
++	.release = profiles_release,
++};
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 69ddb47..867995c 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -187,7 +187,11 @@ void __init aa_destroy_aafs(void)
+ 		aafs_remove(".remove");
+ 		aafs_remove(".replace");
+ 		aafs_remove(".load");
+-
++#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
++		aafs_remove("profiles");
++		aafs_remove("matching");
++		aafs_remove("features");
++#endif
+ 		securityfs_remove(aa_fs_dentry);
+ 		aa_fs_dentry = NULL;
+ 	}
+@@ -218,7 +222,17 @@ static int __init aa_create_aafs(void)
+ 		aa_fs_dentry = NULL;
+ 		goto error;
+ 	}
+-
++#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
++	error = aafs_create("matching", 0444, &aa_fs_matching_fops);
++	if (error)
++		goto error;
++	error = aafs_create("features", 0444, &aa_fs_features_fops);
++	if (error)
++		goto error;
++#endif
++	error = aafs_create("profiles", 0440, &aa_fs_profiles_fops);
++	if (error)
++		goto error;
+ 	error = aafs_create(".load", 0640, &aa_fs_profile_load);
+ 	if (error)
+ 		goto error;
+diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/include/apparmorfs.h
+index cb1e93a..14f955c 100644
+--- a/security/apparmor/include/apparmorfs.h
++++ b/security/apparmor/include/apparmorfs.h
+@@ -17,4 +17,10 @@
+ 
+ extern void __init aa_destroy_aafs(void);
+ 
++#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
++extern const struct file_operations aa_fs_matching_fops;
++extern const struct file_operations aa_fs_features_fops;
++extern const struct file_operations aa_fs_profiles_fops;
++#endif
++
+ #endif /* __AA_APPARMORFS_H */
+-- 
+1.7.9.5
+

kernel-patches/3.2/0003-AppArmor-Allow-dfa-backward-compatibility-with-broke.patch

@@ -0,0 +1,69 @@
+From e5d90918aa31f948ecec2f3c088567dbab30c90b Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 10 Aug 2011 22:02:41 -0700
+Subject: [PATCH 3/3] AppArmor: Allow dfa backward compatibility with broken
+ userspace
+
+The apparmor_parser when compiling policy could generate invalid dfas
+that did not have sufficient padding to avoid invalid references, when
+used by the kernel.  The kernels check to verify the next/check table
+size was broken meaning invalid dfas were being created by userspace
+and not caught.
+
+To remain compatible with old tools that are not fixed, pad the loaded
+dfas next/check table.  The dfa's themselves are valid except for the
+high padding for potentially invalid transitions (high bounds error),
+which have a maximimum is 256 entries.  So just allocate an extra null filled
+256 entries for the next/check tables.  This will guarentee all bounds
+are good and invalid transitions go to the null (0) state.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ security/apparmor/match.c |   17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/security/apparmor/match.c b/security/apparmor/match.c
+index 94de6b4..081491e 100644
+--- a/security/apparmor/match.c
++++ b/security/apparmor/match.c
+@@ -57,8 +57,17 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
+ 	if (bsize < tsize)
+ 		goto out;
+ 
++	/* Pad table allocation for next/check by 256 entries to remain
++	 * backwards compatible with old (buggy) tools and remain safe without
++	 * run time checks
++	 */
++	if (th.td_id == YYTD_ID_NXT || th.td_id == YYTD_ID_CHK)
++		tsize += 256 * th.td_flags;
++
+ 	table = kvmalloc(tsize);
+ 	if (table) {
++		/* ensure the pad is clear, else there will be errors */
++		memset(table, 0, tsize);
+ 		*table = th;
+ 		if (th.td_flags == YYTD_DATA8)
+ 			UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
+@@ -134,11 +143,19 @@ static int verify_dfa(struct aa_dfa *dfa, int flags)
+ 		goto out;
+ 
+ 	if (flags & DFA_FLAG_VERIFY_STATES) {
++		int warning = 0;
+ 		for (i = 0; i < state_count; i++) {
+ 			if (DEFAULT_TABLE(dfa)[i] >= state_count)
+ 				goto out;
+ 			/* TODO: do check that DEF state recursion terminates */
+ 			if (BASE_TABLE(dfa)[i] + 255 >= trans_count) {
++				if (warning)
++					continue;
++				printk(KERN_WARNING "AppArmor DFA next/check "
++				       "upper bounds error fixed, upgrade "
++				       "user space tools \n");
++				warning = 1;
++			} else if (BASE_TABLE(dfa)[i] >= trans_count) {
+ 				printk(KERN_ERR "AppArmor DFA next/check upper "
+ 				       "bounds error\n");
+ 				goto out;
+-- 
+1.7.9.5
+

kernel-patches/3.3/0001-AppArmor-compatibility-patch-for-v5-network-controll.patch

@@ -0,0 +1,553 @@
+From 1023c7c2f9d9c5707147479104312c4c3d1a2c2b Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 10 Aug 2011 22:02:39 -0700
+Subject: [PATCH 1/3] AppArmor: compatibility patch for v5 network controll
+
+Add compatibility for v5 network rules.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ include/linux/lsm_audit.h          |    4 +
+ security/apparmor/Makefile         |   19 +++-
+ security/apparmor/include/net.h    |   40 +++++++++
+ security/apparmor/include/policy.h |    3 +
+ security/apparmor/lsm.c            |  112 ++++++++++++++++++++++++
+ security/apparmor/net.c            |  170 ++++++++++++++++++++++++++++++++++++
+ security/apparmor/policy.c         |    1 +
+ security/apparmor/policy_unpack.c  |   48 +++++++++-
+ 8 files changed, 394 insertions(+), 3 deletions(-)
+ create mode 100644 security/apparmor/include/net.h
+ create mode 100644 security/apparmor/net.c
+
+diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
+index 88e78de..c63979a 100644
+--- a/include/linux/lsm_audit.h
++++ b/include/linux/lsm_audit.h
+@@ -124,6 +124,10 @@ struct common_audit_data {
+ 					u32 denied;
+ 					uid_t ouid;
+ 				} fs;
++				struct {
++					int type, protocol;
++					struct sock *sk;
++				} net;
+ 			};
+ 		} apparmor_audit_data;
+ #endif
+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
+index 2dafe50..7cefef9 100644
+--- a/security/apparmor/Makefile
++++ b/security/apparmor/Makefile
+@@ -4,9 +4,9 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+ 
+ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
+-              resource.o sid.o file.o
++              resource.o sid.o file.o net.o
+ 
+-clean-files := capability_names.h rlim_names.h
++clean-files := capability_names.h rlim_names.h af_names.h
+ 
+ 
+ # Build a lower case string table of capability names
+@@ -44,9 +44,24 @@ cmd_make-rlim = echo "static const char *rlim_names[] = {" > $@ ;\
+ 	sed -r -n "s/^\# ?define[ \t]+(RLIMIT_[A-Z0-9_]+).*/\1,/p" $< >> $@ ;\
+ 	echo "};" >> $@
+ 
++# Build a lower case string table of address family names.
++# Transform lines from
++# #define AF_INET		2	/* Internet IP Protocol 	*/
++# to
++# [2] = "inet",
++quiet_cmd_make-af = GEN     $@
++cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\
++	sed $< >> $@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e \
++	  's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+).*/[\2] = "\L\1",/p';\
++	echo "};" >> $@
++
++
+ $(obj)/capability.o : $(obj)/capability_names.h
+ $(obj)/resource.o : $(obj)/rlim_names.h
++$(obj)/net.o : $(obj)/af_names.h
+ $(obj)/capability_names.h : $(srctree)/include/linux/capability.h
+ 	$(call cmd,make-caps)
+ $(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h
+ 	$(call cmd,make-rlim)
++$(obj)/af_names.h : $(srctree)/include/linux/socket.h
++	$(call cmd,make-af)
+\ No newline at end of file
+diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
+new file mode 100644
+index 0000000..3c7d599
+--- /dev/null
++++ b/security/apparmor/include/net.h
+@@ -0,0 +1,40 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor network mediation definitions.
++ *
++ * Copyright (C) 1998-2008 Novell/SUSE
++ * Copyright 2009-2010 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ */
++
++#ifndef __AA_NET_H
++#define __AA_NET_H
++
++#include <net/sock.h>
++
++/* struct aa_net - network confinement data
++ * @allowed: basic network families permissions
++ * @audit_network: which network permissions to force audit
++ * @quiet_network: which network permissions to quiet rejects
++ */
++struct aa_net {
++	u16 allow[AF_MAX];
++	u16 audit[AF_MAX];
++	u16 quiet[AF_MAX];
++};
++
++extern int aa_net_perm(int op, struct aa_profile *profile, u16 family,
++		       int type, int protocol, struct sock *sk);
++extern int aa_revalidate_sk(int op, struct sock *sk);
++
++static inline void aa_free_net_rules(struct aa_net *new)
++{
++	/* NOP */
++}
++
++#endif /* __AA_NET_H */
+diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
+index aeda5cf..6776929 100644
+--- a/security/apparmor/include/policy.h
++++ b/security/apparmor/include/policy.h
+@@ -27,6 +27,7 @@
+ #include "capability.h"
+ #include "domain.h"
+ #include "file.h"
++#include "net.h"
+ #include "resource.h"
+ 
+ extern const char *profile_mode_names[];
+@@ -145,6 +146,7 @@ struct aa_namespace {
+  * @size: the memory consumed by this profiles rules
+  * @file: The set of rules governing basic file access and domain transitions
+  * @caps: capabilities for the profile
++ * @net: network controls for the profile
+  * @rlimits: rlimits for the profile
+  *
+  * The AppArmor profile contains the basic confinement data.  Each profile
+@@ -181,6 +183,7 @@ struct aa_profile {
+ 
+ 	struct aa_file_rules file;
+ 	struct aa_caps caps;
++	struct aa_net net;
+ 	struct aa_rlimit rlimits;
+ };
+ 
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index 97ce8fa..a54adbc 100644
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -32,6 +32,7 @@
+ #include "include/context.h"
+ #include "include/file.h"
+ #include "include/ipc.h"
++#include "include/net.h"
+ #include "include/path.h"
+ #include "include/policy.h"
+ #include "include/procattr.h"
+@@ -620,6 +621,104 @@ static int apparmor_task_setrlimit(struct task_struct *task,
+ 	return error;
+ }
+ 
++static int apparmor_socket_create(int family, int type, int protocol, int kern)
++{
++	struct aa_profile *profile;
++	int error = 0;
++
++	if (kern)
++		return 0;
++
++	profile = __aa_current_profile();
++	if (!unconfined(profile))
++		error = aa_net_perm(OP_CREATE, profile, family, type, protocol,
++				    NULL);
++	return error;
++}
++
++static int apparmor_socket_bind(struct socket *sock,
++				struct sockaddr *address, int addrlen)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_BIND, sk);
++}
++
++static int apparmor_socket_connect(struct socket *sock,
++				   struct sockaddr *address, int addrlen)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_CONNECT, sk);
++}
++
++static int apparmor_socket_listen(struct socket *sock, int backlog)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_LISTEN, sk);
++}
++
++static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_ACCEPT, sk);
++}
++
++static int apparmor_socket_sendmsg(struct socket *sock,
++				   struct msghdr *msg, int size)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_SENDMSG, sk);
++}
++
++static int apparmor_socket_recvmsg(struct socket *sock,
++				   struct msghdr *msg, int size, int flags)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_RECVMSG, sk);
++}
++
++static int apparmor_socket_getsockname(struct socket *sock)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_GETSOCKNAME, sk);
++}
++
++static int apparmor_socket_getpeername(struct socket *sock)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_GETPEERNAME, sk);
++}
++
++static int apparmor_socket_getsockopt(struct socket *sock, int level,
++				      int optname)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_GETSOCKOPT, sk);
++}
++
++static int apparmor_socket_setsockopt(struct socket *sock, int level,
++				      int optname)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_SETSOCKOPT, sk);
++}
++
++static int apparmor_socket_shutdown(struct socket *sock, int how)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
++}
++
+ static struct security_operations apparmor_ops = {
+ 	.name =				"apparmor",
+ 
+@@ -651,6 +750,19 @@ static struct security_operations apparmor_ops = {
+ 	.getprocattr =			apparmor_getprocattr,
+ 	.setprocattr =			apparmor_setprocattr,
+ 
++	.socket_create =		apparmor_socket_create,
++	.socket_bind =			apparmor_socket_bind,
++	.socket_connect =		apparmor_socket_connect,
++	.socket_listen =		apparmor_socket_listen,
++	.socket_accept =		apparmor_socket_accept,
++	.socket_sendmsg =		apparmor_socket_sendmsg,
++	.socket_recvmsg =		apparmor_socket_recvmsg,
++	.socket_getsockname =		apparmor_socket_getsockname,
++	.socket_getpeername =		apparmor_socket_getpeername,
++	.socket_getsockopt =		apparmor_socket_getsockopt,
++	.socket_setsockopt =		apparmor_socket_setsockopt,
++	.socket_shutdown =		apparmor_socket_shutdown,
++
+ 	.cred_alloc_blank =		apparmor_cred_alloc_blank,
+ 	.cred_free =			apparmor_cred_free,
+ 	.cred_prepare =			apparmor_cred_prepare,
+diff --git a/security/apparmor/net.c b/security/apparmor/net.c
+new file mode 100644
+index 0000000..1765901
+--- /dev/null
++++ b/security/apparmor/net.c
+@@ -0,0 +1,170 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor network mediation
++ *
++ * Copyright (C) 1998-2008 Novell/SUSE
++ * Copyright 2009-2010 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ */
++
++#include "include/apparmor.h"
++#include "include/audit.h"
++#include "include/context.h"
++#include "include/net.h"
++#include "include/policy.h"
++
++#include "af_names.h"
++
++static const char *sock_type_names[] = {
++	"unknown(0)",
++	"stream",
++	"dgram",
++	"raw",
++	"rdm",
++	"seqpacket",
++	"dccp",
++	"unknown(7)",
++	"unknown(8)",
++	"unknown(9)",
++	"packet",
++};
++
++/* audit callback for net specific fields */
++static void audit_cb(struct audit_buffer *ab, void *va)
++{
++	struct common_audit_data *sa = va;
++
++	audit_log_format(ab, " family=");
++	if (address_family_names[sa->u.net.family]) {
++		audit_log_string(ab, address_family_names[sa->u.net.family]);
++	} else {
++		audit_log_format(ab, " \"unknown(%d)\"", sa->u.net.family);
++	}
++
++	audit_log_format(ab, " sock_type=");
++	if (sock_type_names[sa->aad.net.type]) {
++		audit_log_string(ab, sock_type_names[sa->aad.net.type]);
++	} else {
++		audit_log_format(ab, "\"unknown(%d)\"", sa->aad.net.type);
++	}
++
++	audit_log_format(ab, " protocol=%d", sa->aad.net.protocol);
++}
++
++/**
++ * audit_net - audit network access
++ * @profile: profile being enforced  (NOT NULL)
++ * @op: operation being checked
++ * @family: network family
++ * @type:   network type
++ * @protocol: network protocol
++ * @sk: socket auditing is being applied to
++ * @error: error code for failure else 0
++ *
++ * Returns: %0 or sa->error else other errorcode on failure
++ */
++static int audit_net(struct aa_profile *profile, int op, u16 family, int type,
++		     int protocol, struct sock *sk, int error)
++{
++	int audit_type = AUDIT_APPARMOR_AUTO;
++	struct common_audit_data sa;
++	if (sk) {
++		COMMON_AUDIT_DATA_INIT(&sa, NET);
++	} else {
++		COMMON_AUDIT_DATA_INIT(&sa, NONE);
++	}
++	/* todo fill in socket addr info */
++
++	sa.aad.op = op,
++	sa.u.net.family = family;
++	sa.u.net.sk = sk;
++	sa.aad.net.type = type;
++	sa.aad.net.protocol = protocol;
++	sa.aad.error = error;
++
++	if (likely(!sa.aad.error)) {
++		u16 audit_mask = profile->net.audit[sa.u.net.family];
++		if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
++			   !(1 << sa.aad.net.type & audit_mask)))
++			return 0;
++		audit_type = AUDIT_APPARMOR_AUDIT;
++	} else {
++		u16 quiet_mask = profile->net.quiet[sa.u.net.family];
++		u16 kill_mask = 0;
++		u16 denied = (1 << sa.aad.net.type) & ~quiet_mask;
++
++		if (denied & kill_mask)
++			audit_type = AUDIT_APPARMOR_KILL;
++
++		if ((denied & quiet_mask) &&
++		    AUDIT_MODE(profile) != AUDIT_NOQUIET &&
++		    AUDIT_MODE(profile) != AUDIT_ALL)
++			return COMPLAIN_MODE(profile) ? 0 : sa.aad.error;
++	}
++
++	return aa_audit(audit_type, profile, GFP_KERNEL, &sa, audit_cb);
++}
++
++/**
++ * aa_net_perm - very course network access check
++ * @op: operation being checked
++ * @profile: profile being enforced  (NOT NULL)
++ * @family: network family
++ * @type:   network type
++ * @protocol: network protocol
++ *
++ * Returns: %0 else error if permission denied
++ */
++int aa_net_perm(int op, struct aa_profile *profile, u16 family, int type,
++		int protocol, struct sock *sk)
++{
++	u16 family_mask;
++	int error;
++
++	if ((family < 0) || (family >= AF_MAX))
++		return -EINVAL;
++
++	if ((type < 0) || (type >= SOCK_MAX))
++		return -EINVAL;
++
++	/* unix domain and netlink sockets are handled by ipc */
++	if (family == AF_UNIX || family == AF_NETLINK)
++		return 0;
++
++	family_mask = profile->net.allow[family];
++
++	error = (family_mask & (1 << type)) ? 0 : -EACCES;
++
++	return audit_net(profile, op, family, type, protocol, sk, error);
++}
++
++/**
++ * aa_revalidate_sk - Revalidate access to a sock
++ * @op: operation being checked
++ * @sk: sock being revalidated  (NOT NULL)
++ *
++ * Returns: %0 else error if permission denied
++ */
++int aa_revalidate_sk(int op, struct sock *sk)
++{
++	struct aa_profile *profile;
++	int error = 0;
++
++	/* aa_revalidate_sk should not be called from interrupt context
++	 * don't mediate these calls as they are not task related
++	 */
++	if (in_interrupt())
++		return 0;
++
++	profile = __aa_current_profile();
++	if (!unconfined(profile))
++		error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type,
++				    sk->sk_protocol, sk);
++
++	return error;
++}
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index 4f0eade..4d5ce13 100644
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -745,6 +745,7 @@ static void free_profile(struct aa_profile *profile)
+ 
+ 	aa_free_file_rules(&profile->file);
+ 	aa_free_cap_rules(&profile->caps);
++	aa_free_net_rules(&profile->net);
+ 	aa_free_rlimit_rules(&profile->rlimits);
+ 
+ 	aa_free_sid(profile->sid);
+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
+index 741dd13..ee8043e 100644
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -190,6 +190,19 @@ fail:
+ 	return 0;
+ }
+ 
++static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name)
++{
++	if (unpack_nameX(e, AA_U16, name)) {
++		if (!inbounds(e, sizeof(u16)))
++			return 0;
++		if (data)
++			*data = le16_to_cpu(get_unaligned((u16 *) e->pos));
++		e->pos += sizeof(u16);
++		return 1;
++	}
++	return 0;
++}
++
+ static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
+ {
+ 	if (unpack_nameX(e, AA_U32, name)) {
+@@ -468,7 +481,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ {
+ 	struct aa_profile *profile = NULL;
+ 	const char *name = NULL;
+-	int error = -EPROTO;
++	size_t size = 0;
++	int i, error = -EPROTO;
+ 	kernel_cap_t tmpcap;
+ 	u32 tmp;
+ 
+@@ -559,6 +573,38 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ 	if (!unpack_rlimits(e, profile))
+ 		goto fail;
+ 
++	size = unpack_array(e, "net_allowed_af");
++	if (size) {
++
++		for (i = 0; i < size; i++) {
++			/* discard extraneous rules that this kernel will
++			 * never request
++			 */
++			if (i >= AF_MAX) {
++				u16 tmp;
++				if (!unpack_u16(e, &tmp, NULL) ||
++				    !unpack_u16(e, &tmp, NULL) ||
++				    !unpack_u16(e, &tmp, NULL))
++					goto fail;
++				continue;
++			}
++			if (!unpack_u16(e, &profile->net.allow[i], NULL))
++				goto fail;
++			if (!unpack_u16(e, &profile->net.audit[i], NULL))
++				goto fail;
++			if (!unpack_u16(e, &profile->net.quiet[i], NULL))
++				goto fail;
++		}
++		if (!unpack_nameX(e, AA_ARRAYEND, NULL))
++			goto fail;
++		/*
++		 * allow unix domain and netlink sockets they are handled
++		 * by IPC
++		 */
++	}
++	profile->net.allow[AF_UNIX] = 0xffff;
++	profile->net.allow[AF_NETLINK] = 0xffff;
++
+ 	/* get file rules */
+ 	profile->file.dfa = unpack_dfa(e);
+ 	if (IS_ERR(profile->file.dfa)) {
+-- 
+1.7.9.5
+

kernel-patches/3.3/0002-AppArmor-compatibility-patch-for-v5-interface.patch

@@ -0,0 +1,391 @@
+From da1ce2265ebb70860b9c137a542e48b170e4606b Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 10 Aug 2011 22:02:40 -0700
+Subject: [PATCH 2/3] AppArmor: compatibility patch for v5 interface
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ security/apparmor/Kconfig              |    9 +
+ security/apparmor/Makefile             |    1 +
+ security/apparmor/apparmorfs-24.c      |  287 ++++++++++++++++++++++++++++++++
+ security/apparmor/apparmorfs.c         |   18 +-
+ security/apparmor/include/apparmorfs.h |    6 +
+ 5 files changed, 319 insertions(+), 2 deletions(-)
+ create mode 100644 security/apparmor/apparmorfs-24.c
+
+diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
+index 9b9013b..51ebf96 100644
+--- a/security/apparmor/Kconfig
++++ b/security/apparmor/Kconfig
+@@ -29,3 +29,12 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE
+ 	  boot.
+ 
+ 	  If you are unsure how to answer this question, answer 1.
++
++config SECURITY_APPARMOR_COMPAT_24
++	bool "Enable AppArmor 2.4 compatability"
++	depends on SECURITY_APPARMOR
++	default y
++	help
++	  This option enables compatability with AppArmor 2.4.  It is
++          recommended if compatability with older versions of AppArmor
++          is desired.
+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
+index 7cefef9..0bb604b 100644
+--- a/security/apparmor/Makefile
++++ b/security/apparmor/Makefile
+@@ -5,6 +5,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
+               resource.o sid.o file.o net.o
++apparmor-$(CONFIG_SECURITY_APPARMOR_COMPAT_24) += apparmorfs-24.o
+ 
+ clean-files := capability_names.h rlim_names.h af_names.h
+ 
+diff --git a/security/apparmor/apparmorfs-24.c b/security/apparmor/apparmorfs-24.c
+new file mode 100644
+index 0000000..dc8c744
+--- /dev/null
++++ b/security/apparmor/apparmorfs-24.c
+@@ -0,0 +1,287 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor /sys/kernel/secrutiy/apparmor interface functions
++ *
++ * Copyright (C) 1998-2008 Novell/SUSE
++ * Copyright 2009-2010 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ *
++ *
++ * This file contain functions providing an interface for <= AppArmor 2.4
++ * compatibility.  It is dependent on CONFIG_SECURITY_APPARMOR_COMPAT_24
++ * being set (see Makefile).
++ */
++
++#include <linux/security.h>
++#include <linux/vmalloc.h>
++#include <linux/module.h>
++#include <linux/seq_file.h>
++#include <linux/uaccess.h>
++#include <linux/namei.h>
++
++#include "include/apparmor.h"
++#include "include/audit.h"
++#include "include/context.h"
++#include "include/policy.h"
++
++
++/* apparmor/matching */
++static ssize_t aa_matching_read(struct file *file, char __user *buf,
++				size_t size, loff_t *ppos)
++{
++	const char matching[] = "pattern=aadfa audit perms=crwxamlk/ "
++	    "user::other";
++
++	return simple_read_from_buffer(buf, size, ppos, matching,
++				       sizeof(matching) - 1);
++}
++
++const struct file_operations aa_fs_matching_fops = {
++	.read = aa_matching_read,
++};
++
++/* apparmor/features */
++static ssize_t aa_features_read(struct file *file, char __user *buf,
++				size_t size, loff_t *ppos)
++{
++	const char features[] = "file=3.1 capability=2.0 network=1.0 "
++	    "change_hat=1.5 change_profile=1.1 " "aanamespaces=1.1 rlimit=1.1";
++
++	return simple_read_from_buffer(buf, size, ppos, features,
++				       sizeof(features) - 1);
++}
++
++const struct file_operations aa_fs_features_fops = {
++	.read = aa_features_read,
++};
++
++/**
++ * __next_namespace - find the next namespace to list
++ * @root: root namespace to stop search at (NOT NULL)
++ * @ns: current ns position (NOT NULL)
++ *
++ * Find the next namespace from @ns under @root and handle all locking needed
++ * while switching current namespace.
++ *
++ * Returns: next namespace or NULL if at last namespace under @root
++ * NOTE: will not unlock root->lock
++ */
++static struct aa_namespace *__next_namespace(struct aa_namespace *root,
++					     struct aa_namespace *ns)
++{
++	struct aa_namespace *parent;
++
++	/* is next namespace a child */
++	if (!list_empty(&ns->sub_ns)) {
++		struct aa_namespace *next;
++		next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
++		read_lock(&next->lock);
++		return next;
++	}
++
++	/* check if the next ns is a sibling, parent, gp, .. */
++	parent = ns->parent;
++	while (parent) {
++		read_unlock(&ns->lock);
++		list_for_each_entry_continue(ns, &parent->sub_ns, base.list) {
++			read_lock(&ns->lock);
++			return ns;
++		}
++		if (parent == root)
++			return NULL;
++		ns = parent;
++		parent = parent->parent;
++	}
++
++	return NULL;
++}
++
++/**
++ * __first_profile - find the first profile in a namespace
++ * @root: namespace that is root of profiles being displayed (NOT NULL)
++ * @ns: namespace to start in   (NOT NULL)
++ *
++ * Returns: unrefcounted profile or NULL if no profile
++ */
++static struct aa_profile *__first_profile(struct aa_namespace *root,
++					  struct aa_namespace *ns)
++{
++	for ( ; ns; ns = __next_namespace(root, ns)) {
++		if (!list_empty(&ns->base.profiles))
++			return list_first_entry(&ns->base.profiles,
++						struct aa_profile, base.list);
++	}
++	return NULL;
++}
++
++/**
++ * __next_profile - step to the next profile in a profile tree
++ * @profile: current profile in tree (NOT NULL)
++ *
++ * Perform a depth first taversal on the profile tree in a namespace
++ *
++ * Returns: next profile or NULL if done
++ * Requires: profile->ns.lock to be held
++ */
++static struct aa_profile *__next_profile(struct aa_profile *p)
++{
++	struct aa_profile *parent;
++	struct aa_namespace *ns = p->ns;
++
++	/* is next profile a child */
++	if (!list_empty(&p->base.profiles))
++		return list_first_entry(&p->base.profiles, typeof(*p),
++					base.list);
++
++	/* is next profile a sibling, parent sibling, gp, subling, .. */
++	parent = p->parent;
++	while (parent) {
++		list_for_each_entry_continue(p, &parent->base.profiles,
++					     base.list)
++				return p;
++		p = parent;
++		parent = parent->parent;
++	}
++
++	/* is next another profile in the namespace */
++	list_for_each_entry_continue(p, &ns->base.profiles, base.list)
++		return p;
++
++	return NULL;
++}
++
++/**
++ * next_profile - step to the next profile in where ever it may be
++ * @root: root namespace  (NOT NULL)
++ * @profile: current profile  (NOT NULL)
++ *
++ * Returns: next profile or NULL if there isn't one
++ */
++static struct aa_profile *next_profile(struct aa_namespace *root,
++				       struct aa_profile *profile)
++{
++	struct aa_profile *next = __next_profile(profile);
++	if (next)
++		return next;
++
++	/* finished all profiles in namespace move to next namespace */
++	return __first_profile(root, __next_namespace(root, profile->ns));
++}
++
++/**
++ * p_start - start a depth first traversal of profile tree
++ * @f: seq_file to fill
++ * @pos: current position
++ *
++ * Returns: first profile under current namespace or NULL if none found
++ *
++ * acquires first ns->lock
++ */
++static void *p_start(struct seq_file *f, loff_t *pos)
++	__acquires(root->lock)
++{
++	struct aa_profile *profile = NULL;
++	struct aa_namespace *root = aa_current_profile()->ns;
++	loff_t l = *pos;
++	f->private = aa_get_namespace(root);
++
++
++	/* find the first profile */
++	read_lock(&root->lock);
++	profile = __first_profile(root, root);
++
++	/* skip to position */
++	for (; profile && l > 0; l--)
++		profile = next_profile(root, profile);
++
++	return profile;
++}
++
++/**
++ * p_next - read the next profile entry
++ * @f: seq_file to fill
++ * @p: profile previously returned
++ * @pos: current position
++ *
++ * Returns: next profile after @p or NULL if none
++ *
++ * may acquire/release locks in namespace tree as necessary
++ */
++static void *p_next(struct seq_file *f, void *p, loff_t *pos)
++{
++	struct aa_profile *profile = p;
++	struct aa_namespace *root = f->private;
++	(*pos)++;
++
++	return next_profile(root, profile);
++}
++
++/**
++ * p_stop - stop depth first traversal
++ * @f: seq_file we are filling
++ * @p: the last profile writen
++ *
++ * Release all locking done by p_start/p_next on namespace tree
++ */
++static void p_stop(struct seq_file *f, void *p)
++	__releases(root->lock)
++{
++	struct aa_profile *profile = p;
++	struct aa_namespace *root = f->private, *ns;
++
++	if (profile) {
++		for (ns = profile->ns; ns && ns != root; ns = ns->parent)
++			read_unlock(&ns->lock);
++	}
++	read_unlock(&root->lock);
++	aa_put_namespace(root);
++}
++
++/**
++ * seq_show_profile - show a profile entry
++ * @f: seq_file to file
++ * @p: current position (profile)    (NOT NULL)
++ *
++ * Returns: error on failure
++ */
++static int seq_show_profile(struct seq_file *f, void *p)
++{
++	struct aa_profile *profile = (struct aa_profile *)p;
++	struct aa_namespace *root = f->private;
++
++	if (profile->ns != root)
++		seq_printf(f, ":%s://", aa_ns_name(root, profile->ns));
++	seq_printf(f, "%s (%s)\n", profile->base.hname,
++		   COMPLAIN_MODE(profile) ? "complain" : "enforce");
++
++	return 0;
++}
++
++static const struct seq_operations aa_fs_profiles_op = {
++	.start = p_start,
++	.next = p_next,
++	.stop = p_stop,
++	.show = seq_show_profile,
++};
++
++static int profiles_open(struct inode *inode, struct file *file)
++{
++	return seq_open(file, &aa_fs_profiles_op);
++}
++
++static int profiles_release(struct inode *inode, struct file *file)
++{
++	return seq_release(inode, file);
++}
++
++const struct file_operations aa_fs_profiles_fops = {
++	.open = profiles_open,
++	.read = seq_read,
++	.llseek = seq_lseek,
++	.release = profiles_release,
++};
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index e39df6d..235e9fa 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -187,7 +187,11 @@ void __init aa_destroy_aafs(void)
+ 		aafs_remove(".remove");
+ 		aafs_remove(".replace");
+ 		aafs_remove(".load");
+-
++#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
++		aafs_remove("profiles");
++		aafs_remove("matching");
++		aafs_remove("features");
++#endif
+ 		securityfs_remove(aa_fs_dentry);
+ 		aa_fs_dentry = NULL;
+ 	}
+@@ -218,7 +222,17 @@ static int __init aa_create_aafs(void)
+ 		aa_fs_dentry = NULL;
+ 		goto error;
+ 	}
+-
++#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
++	error = aafs_create("matching", 0444, &aa_fs_matching_fops);
++	if (error)
++		goto error;
++	error = aafs_create("features", 0444, &aa_fs_features_fops);
++	if (error)
++		goto error;
++#endif
++	error = aafs_create("profiles", 0440, &aa_fs_profiles_fops);
++	if (error)
++		goto error;
+ 	error = aafs_create(".load", 0640, &aa_fs_profile_load);
+ 	if (error)
+ 		goto error;
+diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/include/apparmorfs.h
+index cb1e93a..14f955c 100644
+--- a/security/apparmor/include/apparmorfs.h
++++ b/security/apparmor/include/apparmorfs.h
+@@ -17,4 +17,10 @@
+ 
+ extern void __init aa_destroy_aafs(void);
+ 
++#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
++extern const struct file_operations aa_fs_matching_fops;
++extern const struct file_operations aa_fs_features_fops;
++extern const struct file_operations aa_fs_profiles_fops;
++#endif
++
+ #endif /* __AA_APPARMORFS_H */
+-- 
+1.7.9.5
+

kernel-patches/3.3/0003-AppArmor-Allow-dfa-backward-compatibility-with-broke.patch

@@ -0,0 +1,69 @@
+From 5d05f2909c12f6f03581bca9c1fa52dafa10fb0f Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 10 Aug 2011 22:02:41 -0700
+Subject: [PATCH 3/3] AppArmor: Allow dfa backward compatibility with broken
+ userspace
+
+The apparmor_parser when compiling policy could generate invalid dfas
+that did not have sufficient padding to avoid invalid references, when
+used by the kernel.  The kernels check to verify the next/check table
+size was broken meaning invalid dfas were being created by userspace
+and not caught.
+
+To remain compatible with old tools that are not fixed, pad the loaded
+dfas next/check table.  The dfa's themselves are valid except for the
+high padding for potentially invalid transitions (high bounds error),
+which have a maximimum is 256 entries.  So just allocate an extra null filled
+256 entries for the next/check tables.  This will guarentee all bounds
+are good and invalid transitions go to the null (0) state.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ security/apparmor/match.c |   17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/security/apparmor/match.c b/security/apparmor/match.c
+index 94de6b4..081491e 100644
+--- a/security/apparmor/match.c
++++ b/security/apparmor/match.c
+@@ -57,8 +57,17 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
+ 	if (bsize < tsize)
+ 		goto out;
+ 
++	/* Pad table allocation for next/check by 256 entries to remain
++	 * backwards compatible with old (buggy) tools and remain safe without
++	 * run time checks
++	 */
++	if (th.td_id == YYTD_ID_NXT || th.td_id == YYTD_ID_CHK)
++		tsize += 256 * th.td_flags;
++
+ 	table = kvmalloc(tsize);
+ 	if (table) {
++		/* ensure the pad is clear, else there will be errors */
++		memset(table, 0, tsize);
+ 		*table = th;
+ 		if (th.td_flags == YYTD_DATA8)
+ 			UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
+@@ -134,11 +143,19 @@ static int verify_dfa(struct aa_dfa *dfa, int flags)
+ 		goto out;
+ 
+ 	if (flags & DFA_FLAG_VERIFY_STATES) {
++		int warning = 0;
+ 		for (i = 0; i < state_count; i++) {
+ 			if (DEFAULT_TABLE(dfa)[i] >= state_count)
+ 				goto out;
+ 			/* TODO: do check that DEF state recursion terminates */
+ 			if (BASE_TABLE(dfa)[i] + 255 >= trans_count) {
++				if (warning)
++					continue;
++				printk(KERN_WARNING "AppArmor DFA next/check "
++				       "upper bounds error fixed, upgrade "
++				       "user space tools \n");
++				warning = 1;
++			} else if (BASE_TABLE(dfa)[i] >= trans_count) {
+ 				printk(KERN_ERR "AppArmor DFA next/check upper "
+ 				       "bounds error\n");
+ 				goto out;
+-- 
+1.7.9.5
+

kernel-patches/3.4/0001-UBUNTU-SAUCE-AppArmor-Add-profile-introspection-file.patch

@@ -0,0 +1,264 @@
+From 8de755e4dfdbc40bfcaca848ae6b5aeaf0ede0e8 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Thu, 22 Jul 2010 02:32:02 -0700
+Subject: [PATCH 1/3] UBUNTU: SAUCE: AppArmor: Add profile introspection file
+ to interface
+
+Add the dynamic profiles file to the interace, to allow load policy
+introspection.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Acked-by: Kees Cook <kees@ubuntu.com>
+Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
+---
+ security/apparmor/apparmorfs.c |  227 ++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 227 insertions(+)
+
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 16c15ec..89bdc62 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -182,6 +182,232 @@ const struct file_operations aa_fs_seq_file_ops = {
+ 	.release	= single_release,
+ };
+ 
++/**
++ * __next_namespace - find the next namespace to list
++ * @root: root namespace to stop search at (NOT NULL)
++ * @ns: current ns position (NOT NULL)
++ *
++ * Find the next namespace from @ns under @root and handle all locking needed
++ * while switching current namespace.
++ *
++ * Returns: next namespace or NULL if at last namespace under @root
++ * NOTE: will not unlock root->lock
++ */
++static struct aa_namespace *__next_namespace(struct aa_namespace *root,
++					     struct aa_namespace *ns)
++{
++	struct aa_namespace *parent;
++
++	/* is next namespace a child */
++	if (!list_empty(&ns->sub_ns)) {
++		struct aa_namespace *next;
++		next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
++		read_lock(&next->lock);
++		return next;
++	}
++
++	/* check if the next ns is a sibling, parent, gp, .. */
++	parent = ns->parent;
++	while (parent) {
++		read_unlock(&ns->lock);
++		list_for_each_entry_continue(ns, &parent->sub_ns, base.list) {
++			read_lock(&ns->lock);
++			return ns;
++		}
++		if (parent == root)
++			return NULL;
++		ns = parent;
++		parent = parent->parent;
++	}
++
++	return NULL;
++}
++
++/**
++ * __first_profile - find the first profile in a namespace
++ * @root: namespace that is root of profiles being displayed (NOT NULL)
++ * @ns: namespace to start in   (NOT NULL)
++ *
++ * Returns: unrefcounted profile or NULL if no profile
++ */
++static struct aa_profile *__first_profile(struct aa_namespace *root,
++					  struct aa_namespace *ns)
++{
++	for ( ; ns; ns = __next_namespace(root, ns)) {
++		if (!list_empty(&ns->base.profiles))
++			return list_first_entry(&ns->base.profiles,
++						struct aa_profile, base.list);
++	}
++	return NULL;
++}
++
++/**
++ * __next_profile - step to the next profile in a profile tree
++ * @profile: current profile in tree (NOT NULL)
++ *
++ * Perform a depth first taversal on the profile tree in a namespace
++ *
++ * Returns: next profile or NULL if done
++ * Requires: profile->ns.lock to be held
++ */
++static struct aa_profile *__next_profile(struct aa_profile *p)
++{
++	struct aa_profile *parent;
++	struct aa_namespace *ns = p->ns;
++
++	/* is next profile a child */
++	if (!list_empty(&p->base.profiles))
++		return list_first_entry(&p->base.profiles, typeof(*p),
++					base.list);
++
++	/* is next profile a sibling, parent sibling, gp, subling, .. */
++	parent = p->parent;
++	while (parent) {
++		list_for_each_entry_continue(p, &parent->base.profiles,
++					     base.list)
++				return p;
++		p = parent;
++		parent = parent->parent;
++	}
++
++	/* is next another profile in the namespace */
++	list_for_each_entry_continue(p, &ns->base.profiles, base.list)
++		return p;
++
++	return NULL;
++}
++
++/**
++ * next_profile - step to the next profile in where ever it may be
++ * @root: root namespace  (NOT NULL)
++ * @profile: current profile  (NOT NULL)
++ *
++ * Returns: next profile or NULL if there isn't one
++ */
++static struct aa_profile *next_profile(struct aa_namespace *root,
++				       struct aa_profile *profile)
++{
++	struct aa_profile *next = __next_profile(profile);
++	if (next)
++		return next;
++
++	/* finished all profiles in namespace move to next namespace */
++	return __first_profile(root, __next_namespace(root, profile->ns));
++}
++
++/**
++ * p_start - start a depth first traversal of profile tree
++ * @f: seq_file to fill
++ * @pos: current position
++ *
++ * Returns: first profile under current namespace or NULL if none found
++ *
++ * acquires first ns->lock
++ */
++static void *p_start(struct seq_file *f, loff_t *pos)
++	__acquires(root->lock)
++{
++	struct aa_profile *profile = NULL;
++	struct aa_namespace *root = aa_current_profile()->ns;
++	loff_t l = *pos;
++	f->private = aa_get_namespace(root);
++
++
++	/* find the first profile */
++	read_lock(&root->lock);
++	profile = __first_profile(root, root);
++
++	/* skip to position */
++	for (; profile && l > 0; l--)
++		profile = next_profile(root, profile);
++
++	return profile;
++}
++
++/**
++ * p_next - read the next profile entry
++ * @f: seq_file to fill
++ * @p: profile previously returned
++ * @pos: current position
++ *
++ * Returns: next profile after @p or NULL if none
++ *
++ * may acquire/release locks in namespace tree as necessary
++ */
++static void *p_next(struct seq_file *f, void *p, loff_t *pos)
++{
++	struct aa_profile *profile = p;
++	struct aa_namespace *root = f->private;
++	(*pos)++;
++
++	return next_profile(root, profile);
++}
++
++/**
++ * p_stop - stop depth first traversal
++ * @f: seq_file we are filling
++ * @p: the last profile writen
++ *
++ * Release all locking done by p_start/p_next on namespace tree
++ */
++static void p_stop(struct seq_file *f, void *p)
++	__releases(root->lock)
++{
++	struct aa_profile *profile = p;
++	struct aa_namespace *root = f->private, *ns;
++
++	if (profile) {
++		for (ns = profile->ns; ns && ns != root; ns = ns->parent)
++			read_unlock(&ns->lock);
++	}
++	read_unlock(&root->lock);
++	aa_put_namespace(root);
++}
++
++/**
++ * seq_show_profile - show a profile entry
++ * @f: seq_file to file
++ * @p: current position (profile)    (NOT NULL)
++ *
++ * Returns: error on failure
++ */
++static int seq_show_profile(struct seq_file *f, void *p)
++{
++	struct aa_profile *profile = (struct aa_profile *)p;
++	struct aa_namespace *root = f->private;
++
++	if (profile->ns != root)
++		seq_printf(f, ":%s://", aa_ns_name(root, profile->ns));
++	seq_printf(f, "%s (%s)\n", profile->base.hname,
++		   COMPLAIN_MODE(profile) ? "complain" : "enforce");
++
++	return 0;
++}
++
++static const struct seq_operations aa_fs_profiles_op = {
++	.start = p_start,
++	.next = p_next,
++	.stop = p_stop,
++	.show = seq_show_profile,
++};
++
++static int profiles_open(struct inode *inode, struct file *file)
++{
++	return seq_open(file, &aa_fs_profiles_op);
++}
++
++static int profiles_release(struct inode *inode, struct file *file)
++{
++	return seq_release(inode, file);
++}
++
++const struct file_operations aa_fs_profiles_fops = {
++	.open = profiles_open,
++	.read = seq_read,
++	.llseek = seq_lseek,
++	.release = profiles_release,
++};
++
+ /** Base file system setup **/
+ 
+ static struct aa_fs_entry aa_fs_entry_file[] = {
+@@ -210,6 +436,7 @@ static struct aa_fs_entry aa_fs_entry_apparmor[] = {
+ 	AA_FS_FILE_FOPS(".load", 0640, &aa_fs_profile_load),
+ 	AA_FS_FILE_FOPS(".replace", 0640, &aa_fs_profile_replace),
+ 	AA_FS_FILE_FOPS(".remove", 0640, &aa_fs_profile_remove),
++	AA_FS_FILE_FOPS("profiles", 0640, &aa_fs_profiles_fops),
+ 	AA_FS_DIR("features", aa_fs_entry_features),
+ 	{ }
+ };
+-- 
+1.7.9.5
+

kernel-patches/3.4/0002-UBUNTU-SAUCE-AppArmor-basic-networking-rules.patch

@@ -0,0 +1,603 @@
+From 423e2cb454d75d6185eecd0c1b5cf6ccc2d8482d Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Mon, 4 Oct 2010 15:03:36 -0700
+Subject: [PATCH 2/3] UBUNTU: SAUCE: AppArmor: basic networking rules
+
+Base support for network mediation.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ security/apparmor/.gitignore       |    2 +-
+ security/apparmor/Makefile         |   42 +++++++++-
+ security/apparmor/apparmorfs.c     |    1 +
+ security/apparmor/include/audit.h  |    4 +
+ security/apparmor/include/net.h    |   44 ++++++++++
+ security/apparmor/include/policy.h |    3 +
+ security/apparmor/lsm.c            |  112 +++++++++++++++++++++++++
+ security/apparmor/net.c            |  162 ++++++++++++++++++++++++++++++++++++
+ security/apparmor/policy.c         |    1 +
+ security/apparmor/policy_unpack.c  |   46 ++++++++++
+ 10 files changed, 414 insertions(+), 3 deletions(-)
+ create mode 100644 security/apparmor/include/net.h
+ create mode 100644 security/apparmor/net.c
+
+diff --git a/security/apparmor/.gitignore b/security/apparmor/.gitignore
+index 4d995ae..d5b291e 100644
+--- a/security/apparmor/.gitignore
++++ b/security/apparmor/.gitignore
+@@ -1,6 +1,6 @@
+ #
+ # Generated include files
+ #
+-af_names.h
++net_names.h
+ capability_names.h
+ rlim_names.h
+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
+index 806bd19..19daa85 100644
+--- a/security/apparmor/Makefile
++++ b/security/apparmor/Makefile
+@@ -4,9 +4,9 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+ 
+ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
+-              resource.o sid.o file.o
++              resource.o sid.o file.o net.o
+ 
+-clean-files := capability_names.h rlim_names.h
++clean-files := capability_names.h rlim_names.h net_names.h
+ 
+ 
+ # Build a lower case string table of capability names
+@@ -20,6 +20,38 @@ cmd_make-caps = echo "static const char *const capability_names[] = {" > $@ ;\
+ 	-e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/[\2] = "\L\1",/p';\
+ 	echo "};" >> $@
+ 
++# Build a lower case string table of address family names
++# Transform lines from
++#    define AF_LOCAL	1	/* POSIX name for AF_UNIX	*/
++#    #define AF_INET		2	/* Internet IP Protocol 	*/
++# to
++#    [1] = "local",
++#    [2] = "inet",
++#
++# and build the securityfs entries for the mapping.
++# Transforms lines from
++#    #define AF_INET		2	/* Internet IP Protocol 	*/
++# to
++#    #define AA_FS_AF_MASK "local inet"
++quiet_cmd_make-af = GEN     $@
++cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\
++	sed $< >>$@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e \
++	 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\
++	echo "};" >> $@ ;\
++	echo -n '\#define AA_FS_AF_MASK "' >> $@ ;\
++	sed -r -n 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/\L\1/p'\
++	 $< | tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
++
++# Build a lower case string table of sock type names
++# Transform lines from
++#    SOCK_STREAM	= 1,
++# to
++#    [1] = "stream",
++quiet_cmd_make-sock = GEN     $@
++cmd_make-sock = echo "static const char *sock_type_names[] = {" >> $@ ;\
++	sed $^ >>$@ -r -n \
++	-e 's/^\tSOCK_([A-Z0-9_]+)[\t]+=[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\
++	echo "};" >> $@
+ 
+ # Build a lower case string table of rlimit names.
+ # Transforms lines from
+@@ -56,6 +88,7 @@ cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \
+ 	    tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
+ 
+ $(obj)/capability.o : $(obj)/capability_names.h
++$(obj)/net.o : $(obj)/net_names.h
+ $(obj)/resource.o : $(obj)/rlim_names.h
+ $(obj)/capability_names.h : $(srctree)/include/linux/capability.h \
+ 			    $(src)/Makefile
+@@ -63,3 +96,8 @@ $(obj)/capability_names.h : $(srctree)/include/linux/capability.h \
+ $(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h \
+ 		      $(src)/Makefile
+ 	$(call cmd,make-rlim)
++$(obj)/net_names.h : $(srctree)/include/linux/socket.h \
++		     $(srctree)/include/linux/net.h \
++		     $(src)/Makefile
++	$(call cmd,make-af)
++	$(call cmd,make-sock)
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 89bdc62..c66315d 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -427,6 +427,7 @@ static struct aa_fs_entry aa_fs_entry_domain[] = {
+ static struct aa_fs_entry aa_fs_entry_features[] = {
+ 	AA_FS_DIR("domain",			aa_fs_entry_domain),
+ 	AA_FS_DIR("file",			aa_fs_entry_file),
++	AA_FS_DIR("network",                    aa_fs_entry_network),
+ 	AA_FS_FILE_U64("capability",		VFS_CAP_FLAGS_MASK),
+ 	AA_FS_DIR("rlimit",			aa_fs_entry_rlimit),
+ 	{ }
+diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
+index 3868b1e..c1ff09c 100644
+--- a/security/apparmor/include/audit.h
++++ b/security/apparmor/include/audit.h
+@@ -126,6 +126,10 @@ struct apparmor_audit_data {
+ 			u32 denied;
+ 			uid_t ouid;
+ 		} fs;
++		struct {
++			int type, protocol;
++			struct sock *sk;
++		} net;
+ 	};
+ };
+ 
+diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
+new file mode 100644
+index 0000000..cb8a121
+--- /dev/null
++++ b/security/apparmor/include/net.h
+@@ -0,0 +1,44 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor network mediation definitions.
++ *
++ * Copyright (C) 1998-2008 Novell/SUSE
++ * Copyright 2009-2012 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ */
++
++#ifndef __AA_NET_H
++#define __AA_NET_H
++
++#include <net/sock.h>
++
++#include "apparmorfs.h"
++
++/* struct aa_net - network confinement data
++ * @allowed: basic network families permissions
++ * @audit_network: which network permissions to force audit
++ * @quiet_network: which network permissions to quiet rejects
++ */
++struct aa_net {
++	u16 allow[AF_MAX];
++	u16 audit[AF_MAX];
++	u16 quiet[AF_MAX];
++};
++
++extern struct aa_fs_entry aa_fs_entry_network[];
++
++extern int aa_net_perm(int op, struct aa_profile *profile, u16 family,
++		       int type, int protocol, struct sock *sk);
++extern int aa_revalidate_sk(int op, struct sock *sk);
++
++static inline void aa_free_net_rules(struct aa_net *new)
++{
++	/* NOP */
++}
++
++#endif /* __AA_NET_H */
+diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
+index bda4569..eb13a73 100644
+--- a/security/apparmor/include/policy.h
++++ b/security/apparmor/include/policy.h
+@@ -27,6 +27,7 @@
+ #include "capability.h"
+ #include "domain.h"
+ #include "file.h"
++#include "net.h"
+ #include "resource.h"
+ 
+ extern const char *const profile_mode_names[];
+@@ -157,6 +158,7 @@ struct aa_policydb {
+  * @policy: general match rules governing policy
+  * @file: The set of rules governing basic file access and domain transitions
+  * @caps: capabilities for the profile
++ * @net: network controls for the profile
+  * @rlimits: rlimits for the profile
+  *
+  * The AppArmor profile contains the basic confinement data.  Each profile
+@@ -194,6 +196,7 @@ struct aa_profile {
+ 	struct aa_policydb policy;
+ 	struct aa_file_rules file;
+ 	struct aa_caps caps;
++	struct aa_net net;
+ 	struct aa_rlimit rlimits;
+ };
+ 
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index ad05d39..3cde194 100644
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -32,6 +32,7 @@
+ #include "include/context.h"
+ #include "include/file.h"
+ #include "include/ipc.h"
++#include "include/net.h"
+ #include "include/path.h"
+ #include "include/policy.h"
+ #include "include/procattr.h"
+@@ -622,6 +623,104 @@ static int apparmor_task_setrlimit(struct task_struct *task,
+ 	return error;
+ }
+ 
++static int apparmor_socket_create(int family, int type, int protocol, int kern)
++{
++	struct aa_profile *profile;
++	int error = 0;
++
++	if (kern)
++		return 0;
++
++	profile = __aa_current_profile();
++	if (!unconfined(profile))
++		error = aa_net_perm(OP_CREATE, profile, family, type, protocol,
++				    NULL);
++	return error;
++}
++
++static int apparmor_socket_bind(struct socket *sock,
++				struct sockaddr *address, int addrlen)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_BIND, sk);
++}
++
++static int apparmor_socket_connect(struct socket *sock,
++				   struct sockaddr *address, int addrlen)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_CONNECT, sk);
++}
++
++static int apparmor_socket_listen(struct socket *sock, int backlog)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_LISTEN, sk);
++}
++
++static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_ACCEPT, sk);
++}
++
++static int apparmor_socket_sendmsg(struct socket *sock,
++				   struct msghdr *msg, int size)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_SENDMSG, sk);
++}
++
++static int apparmor_socket_recvmsg(struct socket *sock,
++				   struct msghdr *msg, int size, int flags)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_RECVMSG, sk);
++}
++
++static int apparmor_socket_getsockname(struct socket *sock)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_GETSOCKNAME, sk);
++}
++
++static int apparmor_socket_getpeername(struct socket *sock)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_GETPEERNAME, sk);
++}
++
++static int apparmor_socket_getsockopt(struct socket *sock, int level,
++				      int optname)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_GETSOCKOPT, sk);
++}
++
++static int apparmor_socket_setsockopt(struct socket *sock, int level,
++				      int optname)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_SETSOCKOPT, sk);
++}
++
++static int apparmor_socket_shutdown(struct socket *sock, int how)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
++}
++
+ static struct security_operations apparmor_ops = {
+ 	.name =				"apparmor",
+ 
+@@ -653,6 +752,19 @@ static struct security_operations apparmor_ops = {
+ 	.getprocattr =			apparmor_getprocattr,
+ 	.setprocattr =			apparmor_setprocattr,
+ 
++	.socket_create =		apparmor_socket_create,
++	.socket_bind =			apparmor_socket_bind,
++	.socket_connect =		apparmor_socket_connect,
++	.socket_listen =		apparmor_socket_listen,
++	.socket_accept =		apparmor_socket_accept,
++	.socket_sendmsg =		apparmor_socket_sendmsg,
++	.socket_recvmsg =		apparmor_socket_recvmsg,
++	.socket_getsockname =		apparmor_socket_getsockname,
++	.socket_getpeername =		apparmor_socket_getpeername,
++	.socket_getsockopt =		apparmor_socket_getsockopt,
++	.socket_setsockopt =		apparmor_socket_setsockopt,
++	.socket_shutdown =		apparmor_socket_shutdown,
++
+ 	.cred_alloc_blank =		apparmor_cred_alloc_blank,
+ 	.cred_free =			apparmor_cred_free,
+ 	.cred_prepare =			apparmor_cred_prepare,
+diff --git a/security/apparmor/net.c b/security/apparmor/net.c
+new file mode 100644
+index 0000000..084232b
+--- /dev/null
++++ b/security/apparmor/net.c
+@@ -0,0 +1,162 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor network mediation
++ *
++ * Copyright (C) 1998-2008 Novell/SUSE
++ * Copyright 2009-2012 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ */
++
++#include "include/apparmor.h"
++#include "include/audit.h"
++#include "include/context.h"
++#include "include/net.h"
++#include "include/policy.h"
++
++#include "net_names.h"
++
++struct aa_fs_entry aa_fs_entry_network[] = {
++	AA_FS_FILE_STRING("af_mask", AA_FS_AF_MASK),
++	{ }
++};
++
++/* audit callback for net specific fields */
++static void audit_cb(struct audit_buffer *ab, void *va)
++{
++	struct common_audit_data *sa = va;
++
++	audit_log_format(ab, " family=");
++	if (address_family_names[sa->u.net->family]) {
++		audit_log_string(ab, address_family_names[sa->u.net->family]);
++	} else {
++		audit_log_format(ab, "\"unknown(%d)\"", sa->u.net->family);
++	}
++	audit_log_format(ab, " sock_type=");
++	if (sock_type_names[sa->aad->net.type]) {
++		audit_log_string(ab, sock_type_names[sa->aad->net.type]);
++	} else {
++		audit_log_format(ab, "\"unknown(%d)\"", sa->aad->net.type);
++	}
++	audit_log_format(ab, " protocol=%d", sa->aad->net.protocol);
++}
++
++/**
++ * audit_net - audit network access
++ * @profile: profile being enforced  (NOT NULL)
++ * @op: operation being checked
++ * @family: network family
++ * @type:   network type
++ * @protocol: network protocol
++ * @sk: socket auditing is being applied to
++ * @error: error code for failure else 0
++ *
++ * Returns: %0 or sa->error else other errorcode on failure
++ */
++static int audit_net(struct aa_profile *profile, int op, u16 family, int type,
++		     int protocol, struct sock *sk, int error)
++{
++	int audit_type = AUDIT_APPARMOR_AUTO;
++	struct common_audit_data sa;
++	struct apparmor_audit_data aad = { };
++	struct lsm_network_audit net = { };
++	if (sk) {
++		COMMON_AUDIT_DATA_INIT(&sa, NET);
++	} else {
++		COMMON_AUDIT_DATA_INIT(&sa, NONE);
++	}
++	/* todo fill in socket addr info */
++	sa.aad = &aad;
++	sa.u.net = &net;
++	sa.aad->op = op,
++	sa.u.net->family = family;
++	sa.u.net->sk = sk;
++	sa.aad->net.type = type;
++	sa.aad->net.protocol = protocol;
++	sa.aad->error = error;
++
++	if (likely(!sa.aad->error)) {
++		u16 audit_mask = profile->net.audit[sa.u.net->family];
++		if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
++			   !(1 << sa.aad->net.type & audit_mask)))
++			return 0;
++		audit_type = AUDIT_APPARMOR_AUDIT;
++	} else {
++		u16 quiet_mask = profile->net.quiet[sa.u.net->family];
++		u16 kill_mask = 0;
++		u16 denied = (1 << sa.aad->net.type) & ~quiet_mask;
++
++		if (denied & kill_mask)
++			audit_type = AUDIT_APPARMOR_KILL;
++
++		if ((denied & quiet_mask) &&
++		    AUDIT_MODE(profile) != AUDIT_NOQUIET &&
++		    AUDIT_MODE(profile) != AUDIT_ALL)
++			return COMPLAIN_MODE(profile) ? 0 : sa.aad->error;
++	}
++
++	return aa_audit(audit_type, profile, GFP_KERNEL, &sa, audit_cb);
++}
++
++/**
++ * aa_net_perm - very course network access check
++ * @op: operation being checked
++ * @profile: profile being enforced  (NOT NULL)
++ * @family: network family
++ * @type:   network type
++ * @protocol: network protocol
++ *
++ * Returns: %0 else error if permission denied
++ */
++int aa_net_perm(int op, struct aa_profile *profile, u16 family, int type,
++		int protocol, struct sock *sk)
++{
++	u16 family_mask;
++	int error;
++
++	if ((family < 0) || (family >= AF_MAX))
++		return -EINVAL;
++
++	if ((type < 0) || (type >= SOCK_MAX))
++		return -EINVAL;
++
++	/* unix domain and netlink sockets are handled by ipc */
++	if (family == AF_UNIX || family == AF_NETLINK)
++		return 0;
++
++	family_mask = profile->net.allow[family];
++
++	error = (family_mask & (1 << type)) ? 0 : -EACCES;
++
++	return audit_net(profile, op, family, type, protocol, sk, error);
++}
++
++/**
++ * aa_revalidate_sk - Revalidate access to a sock
++ * @op: operation being checked
++ * @sk: sock being revalidated  (NOT NULL)
++ *
++ * Returns: %0 else error if permission denied
++ */
++int aa_revalidate_sk(int op, struct sock *sk)
++{
++	struct aa_profile *profile;
++	int error = 0;
++
++	/* aa_revalidate_sk should not be called from interrupt context
++	 * don't mediate these calls as they are not task related
++	 */
++	if (in_interrupt())
++		return 0;
++
++	profile = __aa_current_profile();
++	if (!unconfined(profile))
++		error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type,
++				    sk->sk_protocol, sk);
++
++	return error;
++}
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index f1f7506..b8100a7 100644
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -745,6 +745,7 @@ static void free_profile(struct aa_profile *profile)
+ 
+ 	aa_free_file_rules(&profile->file);
+ 	aa_free_cap_rules(&profile->caps);
++	aa_free_net_rules(&profile->net);
+ 	aa_free_rlimit_rules(&profile->rlimits);
+ 
+ 	aa_free_sid(profile->sid);
+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
+index deab7c7..8f8e9c1 100644
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -193,6 +193,19 @@ fail:
+ 	return 0;
+ }
+ 
++static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name)
++{
++	if (unpack_nameX(e, AA_U16, name)) {
++		if (!inbounds(e, sizeof(u16)))
++			return 0;
++		if (data)
++			*data = le16_to_cpu(get_unaligned((u16 *) e->pos));
++		e->pos += sizeof(u16);
++		return 1;
++	}
++	return 0;
++}
++
+ static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
+ {
+ 	if (unpack_nameX(e, AA_U32, name)) {
+@@ -471,6 +484,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ {
+ 	struct aa_profile *profile = NULL;
+ 	const char *name = NULL;
++	size_t size = 0;
+ 	int i, error = -EPROTO;
+ 	kernel_cap_t tmpcap;
+ 	u32 tmp;
+@@ -564,6 +578,38 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ 	if (!unpack_rlimits(e, profile))
+ 		goto fail;
+ 
++	size = unpack_array(e, "net_allowed_af");
++	if (size) {
++
++		for (i = 0; i < size; i++) {
++			/* discard extraneous rules that this kernel will
++			 * never request
++			 */
++			if (i >= AF_MAX) {
++				u16 tmp;
++				if (!unpack_u16(e, &tmp, NULL) ||
++				    !unpack_u16(e, &tmp, NULL) ||
++				    !unpack_u16(e, &tmp, NULL))
++					goto fail;
++				continue;
++			}
++			if (!unpack_u16(e, &profile->net.allow[i], NULL))
++				goto fail;
++			if (!unpack_u16(e, &profile->net.audit[i], NULL))
++				goto fail;
++			if (!unpack_u16(e, &profile->net.quiet[i], NULL))
++				goto fail;
++		}
++		if (!unpack_nameX(e, AA_ARRAYEND, NULL))
++			goto fail;
++	}
++	/*
++	 * allow unix domain and netlink sockets they are handled
++	 * by IPC
++	 */
++	profile->net.allow[AF_UNIX] = 0xffff;
++	profile->net.allow[AF_NETLINK] = 0xffff;
++
+ 	if (unpack_nameX(e, AA_STRUCT, "policydb")) {
+ 		/* generic policy dfa - optional and may be NULL */
+ 		profile->policy.dfa = unpack_dfa(e);
+-- 
+1.7.9.5
+

kernel-patches/3.4/0003-UBUNTU-SAUCE-apparmor-Add-the-ability-to-mediate-mou.patch

@@ -0,0 +1,957 @@
+From a94d5e11c0484af59e5feebf144cc48c186892ad Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 16 May 2012 10:58:05 -0700
+Subject: [PATCH 3/3] UBUNTU: SAUCE: apparmor: Add the ability to mediate
+ mount
+
+Add the ability for apparmor to do mediation of mount operations. Mount
+rules require an updated apparmor_parser (2.8 series) for policy compilation.
+
+The basic form of the rules are.
+
+  [audit] [deny] mount [conds]* [device] [ -> [conds] path],
+  [audit] [deny] remount [conds]* [path],
+  [audit] [deny] umount [conds]* [path],
+  [audit] [deny] pivotroot [oldroot=<value>] <path>
+
+  remount is just a short cut for mount options=remount
+
+  where [conds] can be
+    fstype=<expr>
+    options=<expr>
+
+Example mount commands
+  mount,		# allow all mounts, but not umount or pivotroot
+
+  mount fstype=procfs,  # allow mounting procfs anywhere
+
+  mount options=(bind, ro) /foo -> /bar,  # readonly bind mount
+
+  mount /dev/sda -> /mnt,
+
+  mount /dev/sd** -> /mnt/**,
+
+  mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) -> /mnt/
+
+  umount,
+
+  umount /m*,
+
+See the apparmor userspace for full documentation
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Acked-by: Kees Cook <kees@ubuntu.com>
+---
+ security/apparmor/Makefile           |    2 +-
+ security/apparmor/apparmorfs.c       |   13 +
+ security/apparmor/audit.c            |    4 +
+ security/apparmor/domain.c           |    2 +-
+ security/apparmor/include/apparmor.h |    3 +-
+ security/apparmor/include/audit.h    |   11 +
+ security/apparmor/include/domain.h   |    2 +
+ security/apparmor/include/mount.h    |   54 +++
+ security/apparmor/lsm.c              |   59 ++++
+ security/apparmor/mount.c            |  620 ++++++++++++++++++++++++++++++++++
+ 10 files changed, 767 insertions(+), 3 deletions(-)
+ create mode 100644 security/apparmor/include/mount.h
+ create mode 100644 security/apparmor/mount.c
+
+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
+index 19daa85..63e0a4c 100644
+--- a/security/apparmor/Makefile
++++ b/security/apparmor/Makefile
+@@ -4,7 +4,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+ 
+ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
+-              resource.o sid.o file.o net.o
++              resource.o sid.o file.o net.o mount.o
+ 
+ clean-files := capability_names.h rlim_names.h net_names.h
+ 
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index c66315d..ff19009 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -424,10 +424,23 @@ static struct aa_fs_entry aa_fs_entry_domain[] = {
+ 	{ }
+ };
+ 
++static struct aa_fs_entry aa_fs_entry_mount[] = {
++	AA_FS_FILE_STRING("mask", "mount umount"),
++	{ }
++};
++
++static struct aa_fs_entry aa_fs_entry_namespaces[] = {
++	AA_FS_FILE_BOOLEAN("profile",           1),
++	AA_FS_FILE_BOOLEAN("pivot_root",        1),
++	{ }
++};
++
+ static struct aa_fs_entry aa_fs_entry_features[] = {
+ 	AA_FS_DIR("domain",			aa_fs_entry_domain),
+ 	AA_FS_DIR("file",			aa_fs_entry_file),
+ 	AA_FS_DIR("network",                    aa_fs_entry_network),
++	AA_FS_DIR("mount",                      aa_fs_entry_mount),
++	AA_FS_DIR("namespaces",                 aa_fs_entry_namespaces),
+ 	AA_FS_FILE_U64("capability",		VFS_CAP_FLAGS_MASK),
+ 	AA_FS_DIR("rlimit",			aa_fs_entry_rlimit),
+ 	{ }
+diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
+index cc3520d..b9f5ee9 100644
+--- a/security/apparmor/audit.c
++++ b/security/apparmor/audit.c
+@@ -44,6 +44,10 @@ const char *const op_table[] = {
+ 	"file_mmap",
+ 	"file_mprotect",
+ 
++	"pivotroot",
++	"mount",
++	"umount",
++
+ 	"create",
+ 	"post_create",
+ 	"bind",
+diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
+index 6327685..dfdc47b 100644
+--- a/security/apparmor/domain.c
++++ b/security/apparmor/domain.c
+@@ -242,7 +242,7 @@ static const char *next_name(int xtype, const char *name)
+  *
+  * Returns: refcounted profile, or NULL on failure (MAYBE NULL)
+  */
+-static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
++struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
+ {
+ 	struct aa_profile *new_profile = NULL;
+ 	struct aa_namespace *ns = profile->ns;
+diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
+index 40aedd9..e243d96 100644
+--- a/security/apparmor/include/apparmor.h
++++ b/security/apparmor/include/apparmor.h
+@@ -29,8 +29,9 @@
+ #define AA_CLASS_NET		4
+ #define AA_CLASS_RLIMITS	5
+ #define AA_CLASS_DOMAIN		6
++#define AA_CLASS_MOUNT		7
+ 
+-#define AA_CLASS_LAST		AA_CLASS_DOMAIN
++#define AA_CLASS_LAST		AA_CLASS_MOUNT
+ 
+ /* Control parameters settable through module/boot flags */
+ extern enum audit_mode aa_g_audit;
+diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
+index c1ff09c..7b90900c 100644
+--- a/security/apparmor/include/audit.h
++++ b/security/apparmor/include/audit.h
+@@ -73,6 +73,10 @@ enum aa_ops {
+ 	OP_FMMAP,
+ 	OP_FMPROT,
+ 
++	OP_PIVOTROOT,
++	OP_MOUNT,
++	OP_UMOUNT,
++
+ 	OP_CREATE,
+ 	OP_POST_CREATE,
+ 	OP_BIND,
+@@ -121,6 +125,13 @@ struct apparmor_audit_data {
+ 			unsigned long max;
+ 		} rlim;
+ 		struct {
++			const char *src_name;
++			const char *type;
++			const char *trans;
++			const char *data;
++			unsigned long flags;
++		} mnt;
++		struct {
+ 			const char *target;
+ 			u32 request;
+ 			u32 denied;
+diff --git a/security/apparmor/include/domain.h b/security/apparmor/include/domain.h
+index de04464..a3f70c5 100644
+--- a/security/apparmor/include/domain.h
++++ b/security/apparmor/include/domain.h
+@@ -23,6 +23,8 @@ struct aa_domain {
+ 	char **table;
+ };
+ 
++struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex);
++
+ int apparmor_bprm_set_creds(struct linux_binprm *bprm);
+ int apparmor_bprm_secureexec(struct linux_binprm *bprm);
+ void apparmor_bprm_committing_creds(struct linux_binprm *bprm);
+diff --git a/security/apparmor/include/mount.h b/security/apparmor/include/mount.h
+new file mode 100644
+index 0000000..bc17a53
+--- /dev/null
++++ b/security/apparmor/include/mount.h
+@@ -0,0 +1,54 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor file mediation function definitions.
++ *
++ * Copyright 2012 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ */
++
++#ifndef __AA_MOUNT_H
++#define __AA_MOUNT_H
++
++#include <linux/fs.h>
++#include <linux/path.h>
++
++#include "domain.h"
++#include "policy.h"
++
++/* mount perms */
++#define AA_MAY_PIVOTROOT	0x01
++#define AA_MAY_MOUNT		0x02
++#define AA_MAY_UMOUNT		0x04
++#define AA_AUDIT_DATA		0x40
++#define AA_CONT_MATCH		0x40
++
++#define AA_MS_IGNORE_MASK (MS_KERNMOUNT | MS_NOSEC | MS_ACTIVE | MS_BORN)
++
++int aa_remount(struct aa_profile *profile, struct path *path,
++	       unsigned long flags, void *data);
++
++int aa_bind_mount(struct aa_profile *profile, struct path *path,
++		  const char *old_name, unsigned long flags);
++
++
++int aa_mount_change_type(struct aa_profile *profile, struct path *path,
++			 unsigned long flags);
++
++int aa_move_mount(struct aa_profile *profile, struct path *path,
++		  const char *old_name);
++
++int aa_new_mount(struct aa_profile *profile, const char *dev_name,
++		 struct path *path, const char *type, unsigned long flags,
++		 void *data);
++
++int aa_umount(struct aa_profile *profile, struct vfsmount *mnt, int flags);
++
++int aa_pivotroot(struct aa_profile *profile, struct path *old_path,
++		  struct path *new_path);
++
++#endif /* __AA_MOUNT_H */
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index 3cde194..4512cc6 100644
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -36,6 +36,7 @@
+ #include "include/path.h"
+ #include "include/policy.h"
+ #include "include/procattr.h"
++#include "include/mount.h"
+ 
+ /* Flag indicating whether initialization completed */
+ int apparmor_initialized __initdata;
+@@ -512,6 +513,60 @@ static int apparmor_file_mprotect(struct vm_area_struct *vma,
+ 			   !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
+ }
+ 
++static int apparmor_sb_mount(char *dev_name, struct path *path, char *type,
++			     unsigned long flags, void *data)
++{
++	struct aa_profile *profile;
++	int error = 0;
++
++	/* Discard magic */
++	if ((flags & MS_MGC_MSK) == MS_MGC_VAL)
++		flags &= ~MS_MGC_MSK;
++
++	flags &= ~AA_MS_IGNORE_MASK;
++
++	profile = __aa_current_profile();
++	if (!unconfined(profile)) {
++		if (flags & MS_REMOUNT)
++			error = aa_remount(profile, path, flags, data);
++		else if (flags & MS_BIND)
++			error = aa_bind_mount(profile, path, dev_name, flags);
++		else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE |
++				  MS_UNBINDABLE))
++			error = aa_mount_change_type(profile, path, flags);
++		else if (flags & MS_MOVE)
++			error = aa_move_mount(profile, path, dev_name);
++		else
++			error = aa_new_mount(profile, dev_name, path, type,
++					     flags, data);
++	}
++	return error;
++}
++
++static int apparmor_sb_umount(struct vfsmount *mnt, int flags)
++{
++	struct aa_profile *profile;
++	int error = 0;
++
++	profile = __aa_current_profile();
++	if (!unconfined(profile))
++		error = aa_umount(profile, mnt, flags);
++
++	return error;
++}
++
++static int apparmor_sb_pivotroot(struct path *old_path, struct path *new_path)
++{
++	struct aa_profile *profile;
++	int error = 0;
++
++	profile = __aa_current_profile();
++	if (!unconfined(profile))
++		error = aa_pivotroot(profile, old_path, new_path);
++
++	return error;
++}
++
+ static int apparmor_getprocattr(struct task_struct *task, char *name,
+ 				char **value)
+ {
+@@ -729,6 +784,10 @@ static struct security_operations apparmor_ops = {
+ 	.capget =			apparmor_capget,
+ 	.capable =			apparmor_capable,
+ 
++	.sb_mount =			apparmor_sb_mount,
++	.sb_umount =			apparmor_sb_umount,
++	.sb_pivotroot =			apparmor_sb_pivotroot,
++
+ 	.path_link =			apparmor_path_link,
+ 	.path_unlink =			apparmor_path_unlink,
+ 	.path_symlink =			apparmor_path_symlink,
+diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c
+new file mode 100644
+index 0000000..63d8493
+--- /dev/null
++++ b/security/apparmor/mount.c
+@@ -0,0 +1,620 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor mediation of files
++ *
++ * Copyright (C) 1998-2008 Novell/SUSE
++ * Copyright 2009-2012 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ */
++
++#include <linux/fs.h>
++#include <linux/mount.h>
++#include <linux/namei.h>
++
++#include "include/apparmor.h"
++#include "include/audit.h"
++#include "include/context.h"
++#include "include/domain.h"
++#include "include/file.h"
++#include "include/match.h"
++#include "include/mount.h"
++#include "include/path.h"
++#include "include/policy.h"
++
++
++static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags)
++{
++	if (flags & MS_RDONLY)
++		audit_log_format(ab, "ro");
++	else
++		audit_log_format(ab, "rw");
++	if (flags & MS_NOSUID)
++		audit_log_format(ab, ", nosuid");
++	if (flags & MS_NODEV)
++		audit_log_format(ab, ", nodev");
++	if (flags & MS_NOEXEC)
++		audit_log_format(ab, ", noexec");
++	if (flags & MS_SYNCHRONOUS)
++		audit_log_format(ab, ", sync");
++	if (flags & MS_REMOUNT)
++		audit_log_format(ab, ", remount");
++	if (flags & MS_MANDLOCK)
++		audit_log_format(ab, ", mand");
++	if (flags & MS_DIRSYNC)
++		audit_log_format(ab, ", dirsync");
++	if (flags & MS_NOATIME)
++		audit_log_format(ab, ", noatime");
++	if (flags & MS_NODIRATIME)
++		audit_log_format(ab, ", nodiratime");
++	if (flags & MS_BIND)
++		audit_log_format(ab, flags & MS_REC ? ", rbind" : ", bind");
++	if (flags & MS_MOVE)
++		audit_log_format(ab, ", move");
++	if (flags & MS_SILENT)
++		audit_log_format(ab, ", silent");
++	if (flags & MS_POSIXACL)
++		audit_log_format(ab, ", acl");
++	if (flags & MS_UNBINDABLE)
++		audit_log_format(ab, flags & MS_REC ? ", runbindable" :
++				 ", unbindable");
++	if (flags & MS_PRIVATE)
++		audit_log_format(ab, flags & MS_REC ? ", rprivate" :
++				 ", private");
++	if (flags & MS_SLAVE)
++		audit_log_format(ab, flags & MS_REC ? ", rslave" :
++				 ", slave");
++	if (flags & MS_SHARED)
++		audit_log_format(ab, flags & MS_REC ? ", rshared" :
++				 ", shared");
++	if (flags & MS_RELATIME)
++		audit_log_format(ab, ", relatime");
++	if (flags & MS_I_VERSION)
++		audit_log_format(ab, ", iversion");
++	if (flags & MS_STRICTATIME)
++		audit_log_format(ab, ", strictatime");
++	if (flags & MS_NOUSER)
++		audit_log_format(ab, ", nouser");
++}
++
++/**
++ * audit_cb - call back for mount specific audit fields
++ * @ab: audit_buffer  (NOT NULL)
++ * @va: audit struct to audit values of  (NOT NULL)
++ */
++static void audit_cb(struct audit_buffer *ab, void *va)
++{
++	struct common_audit_data *sa = va;
++
++	if (sa->aad->mnt.type) {
++		audit_log_format(ab, " fstype=");
++		audit_log_untrustedstring(ab, sa->aad->mnt.type);
++	}
++	if (sa->aad->mnt.src_name) {
++		audit_log_format(ab, " srcname=");
++		audit_log_untrustedstring(ab, sa->aad->mnt.src_name);
++	}
++	if (sa->aad->mnt.trans) {
++		audit_log_format(ab, " trans=");
++		audit_log_untrustedstring(ab, sa->aad->mnt.trans);
++	}
++	if (sa->aad->mnt.flags || sa->aad->op == OP_MOUNT) {
++		audit_log_format(ab, " flags=\"");
++		audit_mnt_flags(ab, sa->aad->mnt.flags);
++		audit_log_format(ab, "\"");
++	}
++	if (sa->aad->mnt.data) {
++		audit_log_format(ab, " options=");
++		audit_log_untrustedstring(ab, sa->aad->mnt.data);
++	}
++}
++
++/**
++ * audit_mount - handle the auditing of mount operations
++ * @profile: the profile being enforced  (NOT NULL)
++ * @gfp: allocation flags
++ * @op: operation being mediated (NOT NULL)
++ * @name: name of object being mediated (MAYBE NULL)
++ * @src_name: src_name of object being mediated (MAYBE_NULL)
++ * @type: type of filesystem (MAYBE_NULL)
++ * @trans: name of trans (MAYBE NULL)
++ * @flags: filesystem idependent mount flags
++ * @data: filesystem mount flags
++ * @request: permissions requested
++ * @perms: the permissions computed for the request (NOT NULL)
++ * @info: extra information message (MAYBE NULL)
++ * @error: 0 if operation allowed else failure error code
++ *
++ * Returns: %0 or error on failure
++ */
++static int audit_mount(struct aa_profile *profile, gfp_t gfp, int op,
++		       const char *name, const char *src_name,
++		       const char *type, const char *trans,
++		       unsigned long flags, const void *data, u32 request,
++		       struct file_perms *perms, const char *info, int error)
++{
++	int audit_type = AUDIT_APPARMOR_AUTO;
++	struct common_audit_data sa;
++	struct apparmor_audit_data aad = { };
++
++	if (likely(!error)) {
++		u32 mask = perms->audit;
++
++		if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL))
++			mask = 0xffff;
++
++		/* mask off perms that are not being force audited */
++		request &= mask;
++
++		if (likely(!request))
++			return 0;
++		audit_type = AUDIT_APPARMOR_AUDIT;
++	} else {
++		/* only report permissions that were denied */
++		request = request & ~perms->allow;
++
++		if (request & perms->kill)
++			audit_type = AUDIT_APPARMOR_KILL;
++
++		/* quiet known rejects, assumes quiet and kill do not overlap */
++		if ((request & perms->quiet) &&
++		    AUDIT_MODE(profile) != AUDIT_NOQUIET &&
++		    AUDIT_MODE(profile) != AUDIT_ALL)
++			request &= ~perms->quiet;
++
++		if (!request)
++			return COMPLAIN_MODE(profile) ?
++				complain_error(error) : error;
++	}
++
++	COMMON_AUDIT_DATA_INIT(&sa, NONE);
++	sa.aad = &aad;
++	sa.aad->op = op;
++	sa.aad->name = name;
++	sa.aad->mnt.src_name = src_name;
++	sa.aad->mnt.type = type;
++	sa.aad->mnt.trans = trans;
++	sa.aad->mnt.flags = flags;
++	if (data && (perms->audit & AA_AUDIT_DATA))
++		sa.aad->mnt.data = data;
++	sa.aad->info = info;
++	sa.aad->error = error;
++
++	return aa_audit(audit_type, profile, gfp, &sa, audit_cb);
++}
++
++/**
++ * match_mnt_flags - Do an ordered match on mount flags
++ * @dfa: dfa to match against
++ * @state: state to start in
++ * @flags: mount flags to match against
++ *
++ * Mount flags are encoded as an ordered match. This is done instead of
++ * checking against a simple bitmask, to allow for logical operations
++ * on the flags.
++ *
++ * Returns: next state after flags match
++ */
++static unsigned int match_mnt_flags(struct aa_dfa *dfa, unsigned int state,
++				    unsigned long flags)
++{
++	unsigned int i;
++
++	for (i = 0; i <= 31 ; ++i) {
++		if ((1 << i) & flags)
++			state = aa_dfa_next(dfa, state, i + 1);
++	}
++
++	return state;
++}
++
++/**
++ * compute_mnt_perms - compute mount permission associated with @state
++ * @dfa: dfa to match against (NOT NULL)
++ * @state: state match finished in
++ *
++ * Returns: mount permissions
++ */
++static struct file_perms compute_mnt_perms(struct aa_dfa *dfa,
++					   unsigned int state)
++{
++	struct file_perms perms;
++
++	perms.kill = 0;
++	perms.allow = dfa_user_allow(dfa, state);
++	perms.audit = dfa_user_audit(dfa, state);
++	perms.quiet = dfa_user_quiet(dfa, state);
++	perms.xindex = dfa_user_xindex(dfa, state);
++
++	return perms;
++}
++
++static const char const *mnt_info_table[] = {
++	"match succeeded",
++	"failed mntpnt match",
++	"failed srcname match",
++	"failed type match",
++	"failed flags match",
++	"failed data match"
++};
++
++/*
++ * Returns 0 on success else element that match failed in, this is the
++ * index into the mnt_info_table above
++ */
++static int do_match_mnt(struct aa_dfa *dfa, unsigned int start,
++			const char *mntpnt, const char *devname,
++			const char *type, unsigned long flags,
++			void *data, bool binary, struct file_perms *perms)
++{
++	unsigned int state;
++
++	state = aa_dfa_match(dfa, start, mntpnt);
++	state = aa_dfa_null_transition(dfa, state);
++	if (!state)
++		return 1;
++
++	if (devname)
++		state = aa_dfa_match(dfa, state, devname);
++	state = aa_dfa_null_transition(dfa, state);
++	if (!state)
++		return 2;
++
++	if (type)
++		state = aa_dfa_match(dfa, state, type);
++	state = aa_dfa_null_transition(dfa, state);
++	if (!state)
++		return 3;
++
++	state = match_mnt_flags(dfa, state, flags);
++	if (!state)
++		return 4;
++	*perms = compute_mnt_perms(dfa, state);
++	if (perms->allow & AA_MAY_MOUNT)
++		return 0;
++
++	/* only match data if not binary and the DFA flags data is expected */
++	if (data && !binary && (perms->allow & AA_CONT_MATCH)) {
++		state = aa_dfa_null_transition(dfa, state);
++		if (!state)
++			return 4;
++
++		state = aa_dfa_match(dfa, state, data);
++		if (!state)
++			return 5;
++		*perms = compute_mnt_perms(dfa, state);
++		if (perms->allow & AA_MAY_MOUNT)
++			return 0;
++	}
++
++	/* failed at end of flags match */
++	return 4;
++}
++
++/**
++ * match_mnt - handle path matching for mount
++ * @profile: the confining profile
++ * @mntpnt: string for the mntpnt (NOT NULL)
++ * @devname: string for the devname/src_name (MAYBE NULL)
++ * @type: string for the dev type (MAYBE NULL)
++ * @flags: mount flags to match
++ * @data: fs mount data (MAYBE NULL)
++ * @binary: whether @data is binary
++ * @perms: Returns: permission found by the match
++ * @info: Returns: infomation string about the match for logging
++ *
++ * Returns: 0 on success else error
++ */
++static int match_mnt(struct aa_profile *profile, const char *mntpnt,
++		     const char *devname, const char *type,
++		     unsigned long flags, void *data, bool binary,
++		     struct file_perms *perms, const char **info)
++{
++	int pos;
++
++	if (!profile->policy.dfa)
++		return -EACCES;
++
++	pos = do_match_mnt(profile->policy.dfa,
++			   profile->policy.start[AA_CLASS_MOUNT],
++			   mntpnt, devname, type, flags, data, binary, perms);
++	if (pos) {
++		*info = mnt_info_table[pos];
++		return -EACCES;
++	}
++
++	return 0;
++}
++
++static int path_flags(struct aa_profile *profile, struct path *path)
++{
++	return profile->path_flags |
++		S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0;
++}
++
++int aa_remount(struct aa_profile *profile, struct path *path,
++	       unsigned long flags, void *data)
++{
++	struct file_perms perms = { };
++	const char *name, *info = NULL;
++	char *buffer = NULL;
++	int binary, error;
++
++	binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA;
++
++	error = aa_path_name(path, path_flags(profile, path), &buffer, &name,
++			     &info);
++	if (error)
++		goto audit;
++
++	error = match_mnt(profile, name, NULL, NULL, flags, data, binary,
++			  &perms, &info);
++
++audit:
++	error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name, NULL, NULL,
++			    NULL, flags, data, AA_MAY_MOUNT, &perms, info,
++			    error);
++	kfree(buffer);
++
++	return error;
++}
++
++int aa_bind_mount(struct aa_profile *profile, struct path *path,
++		  const char *dev_name, unsigned long flags)
++{
++	struct file_perms perms = { };
++	char *buffer = NULL, *old_buffer = NULL;
++	const char *name, *old_name = NULL, *info = NULL;
++	struct path old_path;
++	int error;
++
++	if (!dev_name || !*dev_name)
++		return -EINVAL;
++
++	flags &= MS_REC | MS_BIND;
++
++	error = aa_path_name(path, path_flags(profile, path), &buffer, &name,
++			     &info);
++	if (error)
++		goto audit;
++
++	error = kern_path(dev_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path);
++	if (error)
++		goto audit;
++
++	error = aa_path_name(&old_path, path_flags(profile, &old_path),
++			     &old_buffer, &old_name, &info);
++	path_put(&old_path);
++	if (error)
++		goto audit;
++
++	error = match_mnt(profile, name, old_name, NULL, flags, NULL, 0,
++			  &perms, &info);
++
++audit:
++	error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name, old_name,
++			    NULL, NULL, flags, NULL, AA_MAY_MOUNT, &perms,
++			    info, error);
++	kfree(buffer);
++	kfree(old_buffer);
++
++	return error;
++}
++
++int aa_mount_change_type(struct aa_profile *profile, struct path *path,
++			 unsigned long flags)
++{
++	struct file_perms perms = { };
++	char *buffer = NULL;
++	const char *name, *info = NULL;
++	int error;
++
++	/* These are the flags allowed by do_change_type() */
++	flags &= (MS_REC | MS_SILENT | MS_SHARED | MS_PRIVATE | MS_SLAVE |
++		  MS_UNBINDABLE);
++
++	error = aa_path_name(path, path_flags(profile, path), &buffer, &name,
++			     &info);
++	if (error)
++		goto audit;
++
++	error = match_mnt(profile, name, NULL, NULL, flags, NULL, 0, &perms,
++			  &info);
++
++audit:
++	error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name, NULL, NULL,
++			    NULL, flags, NULL, AA_MAY_MOUNT, &perms, info,
++			    error);
++	kfree(buffer);
++
++	return error;
++}
++
++int aa_move_mount(struct aa_profile *profile, struct path *path,
++		  const char *orig_name)
++{
++	struct file_perms perms = { };
++	char *buffer = NULL, *old_buffer = NULL;
++	const char *name, *old_name = NULL, *info = NULL;
++	struct path old_path;
++	int error;
++
++	if (!orig_name || !*orig_name)
++		return -EINVAL;
++
++	error = aa_path_name(path, path_flags(profile, path), &buffer, &name,
++			     &info);
++	if (error)
++		goto audit;
++
++	error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path);
++	if (error)
++		goto audit;
++
++	error = aa_path_name(&old_path, path_flags(profile, &old_path),
++			     &old_buffer, &old_name, &info);
++	path_put(&old_path);
++	if (error)
++		goto audit;
++
++	error = match_mnt(profile, name, old_name, NULL, MS_MOVE, NULL, 0,
++			  &perms, &info);
++
++audit:
++	error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name, old_name,
++			    NULL, NULL, MS_MOVE, NULL, AA_MAY_MOUNT, &perms,
++			    info, error);
++	kfree(buffer);
++	kfree(old_buffer);
++
++	return error;
++}
++
++int aa_new_mount(struct aa_profile *profile, const char *orig_dev_name,
++		 struct path *path, const char *type, unsigned long flags,
++		 void *data)
++{
++	struct file_perms perms = { };
++	char *buffer = NULL, *dev_buffer = NULL;
++	const char *name = NULL, *dev_name = NULL, *info = NULL;
++	int binary = 1;
++	int error;
++
++	dev_name = orig_dev_name;
++	if (type) {
++		int requires_dev;
++		struct file_system_type *fstype = get_fs_type(type);
++		if (!fstype)
++			return -ENODEV;
++
++		binary = fstype->fs_flags & FS_BINARY_MOUNTDATA;
++		requires_dev = fstype->fs_flags & FS_REQUIRES_DEV;
++		put_filesystem(fstype);
++
++		if (requires_dev) {
++			struct path dev_path;
++
++			if (!dev_name || !*dev_name) {
++				error = -ENOENT;
++				goto out;
++			}
++
++			error = kern_path(dev_name, LOOKUP_FOLLOW, &dev_path);
++			if (error)
++				goto audit;
++
++			error = aa_path_name(&dev_path,
++					     path_flags(profile, &dev_path),
++					     &dev_buffer, &dev_name, &info);
++			path_put(&dev_path);
++			if (error)
++				goto audit;
++		}
++	}
++
++	error = aa_path_name(path, path_flags(profile, path), &buffer, &name,
++			     &info);
++	if (error)
++		goto audit;
++
++	error = match_mnt(profile, name, dev_name, type, flags, data, binary,
++			  &perms, &info);
++
++audit:
++	error = audit_mount(profile, GFP_KERNEL, OP_MOUNT, name,  dev_name,
++			    type, NULL, flags, data, AA_MAY_MOUNT, &perms, info,
++			    error);
++	kfree(buffer);
++	kfree(dev_buffer);
++
++out:
++	return error;
++
++}
++
++int aa_umount(struct aa_profile *profile, struct vfsmount *mnt, int flags)
++{
++	struct file_perms perms = { };
++	char *buffer = NULL;
++	const char *name, *info = NULL;
++	int error;
++
++	struct path path = { mnt, mnt->mnt_root };
++	error = aa_path_name(&path, path_flags(profile, &path), &buffer, &name,
++			     &info);
++	if (error)
++		goto audit;
++
++	if (!error && profile->policy.dfa) {
++		unsigned int state;
++		state = aa_dfa_match(profile->policy.dfa,
++				     profile->policy.start[AA_CLASS_MOUNT],
++				     name);
++		perms = compute_mnt_perms(profile->policy.dfa, state);
++	}
++
++	if (AA_MAY_UMOUNT & ~perms.allow)
++		error = -EACCES;
++
++audit:
++	error = audit_mount(profile, GFP_KERNEL, OP_UMOUNT, name, NULL, NULL,
++			    NULL, 0, NULL, AA_MAY_UMOUNT, &perms, info, error);
++	kfree(buffer);
++
++	return error;
++}
++
++int aa_pivotroot(struct aa_profile *profile, struct path *old_path,
++		  struct path *new_path)
++{
++	struct file_perms perms = { };
++	struct aa_profile *target = NULL;
++	char *old_buffer = NULL, *new_buffer = NULL;
++	const char *old_name, *new_name = NULL, *info = NULL;
++	int error;
++
++	error = aa_path_name(old_path, path_flags(profile, old_path),
++			     &old_buffer, &old_name, &info);
++	if (error)
++		goto audit;
++
++	error = aa_path_name(new_path, path_flags(profile, new_path),
++			     &new_buffer, &new_name, &info);
++	if (error)
++		goto audit;
++
++	if (profile->policy.dfa) {
++		unsigned int state;
++		state = aa_dfa_match(profile->policy.dfa,
++				     profile->policy.start[AA_CLASS_MOUNT],
++				     new_name);
++		state = aa_dfa_null_transition(profile->policy.dfa, state);
++		state = aa_dfa_match(profile->policy.dfa, state, old_name);
++		perms = compute_mnt_perms(profile->policy.dfa, state);
++	}
++
++	if (AA_MAY_PIVOTROOT & perms.allow) {
++		if ((perms.xindex & AA_X_TYPE_MASK) == AA_X_TABLE) {
++			target = x_table_lookup(profile, perms.xindex);
++			if (!target)
++				error = -ENOENT;
++			else
++				error = aa_replace_current_profile(target);
++		}
++	} else
++		error = -EACCES;
++
++audit:
++	error = audit_mount(profile, GFP_KERNEL, OP_PIVOTROOT, new_name,
++			    old_name, NULL, target ? target->base.name : NULL,
++			    0, NULL,  AA_MAY_PIVOTROOT, &perms, info, error);
++	aa_put_profile(target);
++	kfree(old_buffer);
++	kfree(new_buffer);
++
++	return error;
++}
+-- 
+1.7.9.5
+

libraries/libapparmor/m4/ac_python_devel.m4

@@ -158,6 +158,8 @@ $ac_distutils_result])
         AC_MSG_CHECKING([consistency of all components of python development environment])
         AC_LANG_PUSH([C])
         # save current global flags
+        ac_save_LIBS="$LIBS"
+        ac_save_CPPFLAGS="$CPPFLAGS"
         LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
         CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
         AC_TRY_LINK([

libraries/libapparmor/src/Makefile.am

@@ -3,7 +3,8 @@ INCLUDES = $(all_includes)
 BUILT_SOURCES = grammar.h scanner.h af_protos.h
 AM_LFLAGS = -v
 AM_YFLAGS = -d -p aalogparse_
-AM_CFLAGS = @CFLAGS@ -D_GNU_SOURCE -Wall
+AM_CFLAGS = -Wall
+AM_CPPFLAGS = -D_GNU_SOURCE
 scanner.h: scanner.l
 	$(LEX) -v $<
 

libraries/libapparmor/swig/perl/Makefile.PL.in

@@ -10,7 +10,7 @@ WriteMakefile(
 	'FIRST_MAKEFILE' => 'Makefile.perl',
 	'ABSTRACT' => q[Perl interface to AppArmor] ,
 	'VERSION' => q[@VERSION@],
-	'INC' => q[-I@top_srcdir@/src @CFLAGS@],
+	'INC' => q[@CPPFLAGS@ -I@top_srcdir@/src @CFLAGS@],
 	'LIBS' => q[-L@top_builddir@/src/.libs/ -lapparmor @LIBS@],
 	'OBJECT' => 'libapparmor_wrap.o', # $(OBJ_EXT)
 ) ;

libraries/libapparmor/testsuite/Makefile.am

@@ -10,8 +10,7 @@ AM_CFLAGS = -Wall
 noinst_PROGRAMS = test_multi.multi
 
 test_multi_multi_SOURCES	= test_multi.c
-test_multi_multi_CFLAGS		= $(CFLAGS) -Wall
-test_multi_multi_LDFLAGS	= $(LDFLAGS)
+test_multi_multi_CFLAGS		= -Wall
 test_multi_multi_LDADD		= -L../src/.libs -lapparmor
 
 clean-local:

parser/Makefile

@@ -118,7 +118,8 @@ po/${NAME}.pot: ${SRCS} ${HDRS}
 	$(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}"
 
 techdoc.pdf: techdoc.tex
-	while pdflatex $< ${BUILD_OUTPUT} || exit 1 ; \
+	timestamp=$(shell date "+%Y%m%d%H%M%S+02'00'" -r $< );\
+	while pdflatex "\def\fixedpdfdate{$$timestamp}\input $<" ${BUILD_OUTPUT} || exit 1 ; \
 		grep -q "Label(s) may have changed" techdoc.log; \
 	do :; done
 
@@ -302,7 +303,7 @@ clean: _clean
 	rm -f $(NAME)*.tar.gz $(NAME)*.tgz
 	rm -f af_names.h
 	rm -f cap_names.h
-	rm -rf techdoc.aux techdoc.log techdoc.pdf techdoc.toc techdor.txt techdoc/
+	rm -rf techdoc.aux techdoc.out techdoc.log techdoc.pdf techdoc.toc techdoc.txt techdoc/
 	$(MAKE) -s -C $(AAREDIR) clean
 	$(MAKE) -s -C po clean
 	$(MAKE) -s -C tst clean

parser/libapparmor_re/hfa.cc

@@ -101,7 +101,8 @@ State *DFA::add_new_state(NodeSet *nodes, State *other)
 	nnodev = nnodes_cache.insert(nnodes);
 	anodes = anodes_cache.insert(anodes);
 
-	ProtoState proto(nnodev, anodes);
+	ProtoState proto;
+	proto.init(nnodev, anodes);
 	State *state = new State(node_map.size(), proto, other);
 	pair<NodeMap::iterator,bool> x = node_map.insert(proto, state);
 	if (x.second == false) {

parser/libapparmor_re/hfa.h

@@ -310,7 +310,15 @@ public:
 	hashedNodeVec *nnodes;
 	NodeSet *anodes;
 
-	ProtoState(hashedNodeVec *n, NodeSet *a = NULL): nnodes(n), anodes(a) { };
+	/* init is used instead of a constructor because ProtoState is used
+	 * in a union
+	 */
+	void init(hashedNodeVec *n, NodeSet *a = NULL)
+	{
+		nnodes = n;
+		anodes = a;
+	}
+
 	bool operator<(ProtoState const &rhs)const
 	{
 		if (nnodes == rhs.nnodes)
@@ -338,7 +346,7 @@ public:
  * parition: Is a temporary work variable used during dfa minimization.
  *           it can be replaced with a map, but that is slower and uses more
  *           memory.
- * nodes: Is a temporary work variable used during dfa creation.  It can
+ * proto: Is a temporary work variable used during dfa creation.  It can
  *        be replaced by using the nodemap, but that is slower
  */
 class State {
@@ -379,8 +387,8 @@ public:
 
 	/* temp storage for State construction */
 	union {
-		Partition *partition;
-		ProtoState proto;
+		Partition *partition;	/* used during minimization */
+		ProtoState proto;	/* used during creation */
 	};
 };
 

parser/techdoc.tex

@@ -5,6 +5,17 @@
 \usepackage{url}
 %\usepackage{times}
 
+\usepackage[pdftex,
+  pdfauthor={Andreas Gruenbacher and Seth Arnold},
+  pdftitle={AppArmor Technical Documentation},%
+\ifx\fixedpdfdate\@empty\else
+  pdfcreationdate={\fixedpdfdate},
+  pdfmoddate={\fixedpdfdate},
+\fi
+  pdfsubject={AppArmor},
+  pdfkeywords={AppArmor}
+]{hyperref}
+
 \hyphenation{App-Armor}
 \hyphenation{name-space}
 
@@ -14,7 +25,8 @@
 \author{Andreas Gruenbacher and Seth Arnold \\
 \url{{agruen,seth.arnold}@suse.de} \\
 SUSE Labs / Novell}
-%\date{}
+% don't include the (build!) date
+\date{}
 
 \begin{document}
 

profiles/apparmor.d/abstractions/X

@@ -17,7 +17,7 @@
 
   # .Xauthority files required for X connections, per user
   @{HOME}/.Xauthority           r,
-  owner /{,var/}run/gdm/*/database r,
+  owner /{,var/}run/gdm{,3}/*/database r,
   owner /{,var/}run/lightdm/authority/[0-9]* r,
 
   # the unix socket to use to connect to the display

profiles/apparmor.d/abstractions/ubuntu-browsers

@@ -32,6 +32,10 @@
   /usr/bin/firefox Cxr -> sanitized_helper,
   /usr/lib/firefox*/firefox*.sh Cx -> sanitized_helper,
 
+  # Iceweasel
+  /usr/bin/iceweasel Cxr -> sanitized_helper,
+  /usr/lib/iceweasel/iceweasel Cx -> sanitized_helper,
+
   # some unpackaged, but popular browsers
   /usr/lib/icecat-*/icecat Cx -> sanitized_helper,
   /usr/bin/opera Cx -> sanitized_helper,

profiles/apparmor.d/abstractions/ubuntu-email

@@ -18,6 +18,5 @@
   /usr/bin/sylpheed Cx -> sanitized_helper,
   /usr/bin/tkrat Cx -> sanitized_helper,
 
-  /usr/lib/thunderbird/thunderbird Cx -> sanitized_helper,
-  /usr/lib/thunderbird-[1-9]*/thunderbird{,.sh} Cx -> sanitized_helper,
+  /usr/lib/thunderbird*/thunderbird{,.sh} Cx -> sanitized_helper,
 

profiles/apparmor.d/abstractions/ubuntu-helpers

@@ -48,6 +48,20 @@ profile sanitized_helper {
   # Allow exec of libexec applications in /usr/lib*
   /usr/lib*/{,**/}* Pixr,
 
+  # Allow exec of software-center scripts. We may need to allow wider
+  # permissions for /usr/share, but for now just do this. (LP: #972367)
+  /usr/share/software-center/* Pixr,
+
+  # While the chromium and chrome sandboxes are setuid root, they only link
+  # in limited libraries so glibc's secure execution should be enough to not
+  # require the santized_helper (ie, LD_PRELOAD will only use standard system
+  # paths (man ld.so)).
+  /usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
+  /opt/google/chrome/chrome-sandbox PUxr,
+  /opt/google/chrome/google-chrome Pixr,
+  /opt/google/chrome/chrome Pixr,
+  /opt/google/chrome/lib*.so{,.*} m,
+
   # Full access
   / r,
   /** rwkl,

profiles/apparmor.d/usr.sbin.dnsmasq

@@ -9,7 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-@{TFTP_DIR}=/var/tftp
+@{TFTP_DIR}=/var/tftp /srv/tftpboot
 
 #include <tunables/global>
 /usr/sbin/dnsmasq {

tests/regression/apparmor/onexec.sh

@@ -151,9 +151,9 @@ do_test "noexist px" $bin/onexec noexist fail $bin/open $file
 genprofile 'change_profile->':$bin/rw $onexec:w -- image=$bin/rw $bin/open:rix $file:rw
 do_test "change profile - override rix" $bin/onexec $bin/rw pass $bin/open $file
 
-# ONEXEC from CONFINED - change to rw profile, no exec profile to override
+# ONEXEC from CONFINED - change to rw profile, no exec profile to override, no explicit access to /proc/*/attr/exec
 genprofile 'change_profile->':$bin/rw -- image=$bin/rw $bin/open:rix $file:rw
-do_test "change profile - no onexec:w" $bin/onexec $bin/rw fail $bin/open $file
+do_test "change profile - no onexec:w" $bin/onexec $bin/rw pass $bin/open $file
 
 # ONEXEC from CONFINED - don't change profile, make sure exec profile is applied
 genprofile 'change_profile->':$bin/rw $onexec:w $bin/open:rpx -- image=$bin/rw $bin/open:rix $file:rw  -- image=$bin/open $file:rw

utils/Immunix/AppArmor.pm

@@ -4814,13 +4814,9 @@ sub sub_mode_to_str($) {
     $str .= "a" if ($mode & $AA_MAY_APPEND);
     $str .= "l" if ($mode & $AA_MAY_LINK);
     $str .= "k" if ($mode & $AA_MAY_LOCK);
-    if ($mode & $AA_EXEC_UNCONFINED) {
-	if ($mode & $AA_EXEC_UNSAFE) {
-	    $str .= "u";
-	} else {
-	    $str .= "U";
-	}
-    }
+
+    # modes P and C *must* come before I and U; otherwise syntactically
+    # invalid profiles result
     if ($mode & ($AA_EXEC_PROFILE | $AA_EXEC_NT)) {
 	if ($mode & $AA_EXEC_UNSAFE) {
 	    $str .= "p";
@@ -4835,7 +4831,18 @@ sub sub_mode_to_str($) {
 	    $str .= "C";
 	}
     }
+
+    # modes P and C *must* come before I and U; otherwise syntactically
+    # invalid profiles result
+    if ($mode & $AA_EXEC_UNCONFINED) {
+	if ($mode & $AA_EXEC_UNSAFE) {
+	    $str .= "u";
+	} else {
+	    $str .= "U";
+	}
+    }
     $str .= "i" if ($mode & $AA_EXEC_INHERIT);
+
     $str .= "x" if ($mode & $AA_MAY_EXEC);
 
     return $str;

utils/Makefile

@@ -32,8 +32,10 @@ PERLTOOLS = aa-genprof aa-logprof aa-autodep aa-audit aa-complain aa-enforce \
 TOOLS = ${PERLTOOLS} aa-decode aa-status
 MODULES = ${MODDIR}/AppArmor.pm ${MODDIR}/Repository.pm \
 	${MODDIR}/Config.pm ${MODDIR}/Severity.pm
+PYTOOLS = aa-easyprof
+PYSETUP = python-tools-setup.py
 
-MANPAGES = ${TOOLS:=.8} logprof.conf.5
+MANPAGES = ${TOOLS:=.8} logprof.conf.5 ${PYTOOLS:=.8}
 
 all: ${MANPAGES} ${HTMLMANPAGES}
 	$(MAKE) -C po all
@@ -45,9 +47,10 @@ BINDIR=${DESTDIR}/usr/sbin
 CONFDIR=${DESTDIR}/etc/apparmor
 VENDOR_PERL=$(shell perl -e 'use Config; print $$Config{"vendorlib"};')
 PERLDIR=${DESTDIR}${VENDOR_PERL}/${MODDIR}
+PYPREFIX=/usr
 
-po/${NAME}.pot: ${TOOLS}
-	$(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${TOOLS} ${MODULES}"
+po/${NAME}.pot: ${TOOLS} ${PYTOOLS}
+	$(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${TOOLS} ${MODULES} ${PYTOOLS}"
 
 .PHONY: install
 install: ${MANPAGES} ${HTMLMANPAGES}
@@ -62,6 +65,7 @@ install: ${MANPAGES} ${HTMLMANPAGES}
 	$(MAKE) install_manpages DESTDIR=${DESTDIR}
 	$(MAKE) -C vim install DESTDIR=${DESTDIR}
 	ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8
+	python ${PYSETUP} install --prefix=${PYPREFIX} --root=${DESTDIR} --version=${VERSION}
 
 .PHONY: clean
 ifndef VERBOSE
@@ -72,6 +76,8 @@ clean: _clean
 	rm -f Make.rules
 	$(MAKE) -C po clean
 	$(MAKE) -C vim clean
+	rm -rf staging/ build/
+	rm -f apparmor/*.pyc
 
 # ${CAPABILITIES} is defined in common/Make.rules
 .PHONY: check_severity_db
@@ -92,3 +98,13 @@ check: check_severity_db
 	for i in ${MODULES} ${PERLTOOLS} ; do \
 		perl -c $$i || exit 1; \
 	done
+	tmpfile=$$(mktemp --tmpdir aa-pyflakes-XXXXXX); \
+	for i in ${PYTOOLS} apparmor aa-status test/*.py; do \
+		echo Checking $$i; \
+		pyflakes $$i 2>&1 | grep -v "undefined name '_'" > $$tmpfile; \
+		test -s $$tmpfile && cat $$tmpfile && rm -f $$tmpfile && exit 1; \
+	done || true; \
+	rm -f $$tmpfile
+	for i in test/* ; do \
+		python $$i || exit 1; \
+	done

utils/aa-easyprof

@@ -0,0 +1,65 @@
+#! /usr/bin/env python
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2011-2012 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+import apparmor.easyprof
+from apparmor.easyprof import AppArmorException, error
+import os
+import sys
+
+if __name__ == "__main__":
+    def usage():
+        '''Return usage information'''
+        return 'USAGE: %s [options] <path to binary>' % \
+               os.path.basename(sys.argv[0])
+
+    (opt, args) = apparmor.easyprof.parse_args()
+    binary = None
+
+    m = usage()
+    if opt.show_policy_group and not opt.policy_groups:
+        error("Must specify -p with --show-policy-group")
+    elif not opt.template and not opt.policy_groups and len(args) < 1:
+        error("Must specify full path to binary\n%s" % m)
+
+    binary = None
+    if len(args) >= 1:
+        binary = args[0]
+
+    try:
+        easyp = apparmor.easyprof.AppArmorEasyProfile(binary, opt)
+    except AppArmorException, e:
+        error(e.value)
+    except Exception:
+        raise
+
+    if opt.list_templates:
+        apparmor.easyprof.print_basefilenames(easyp.get_templates())
+        sys.exit(0)
+    elif opt.template and opt.show_template:
+        files = [os.path.join(easyp.dirs['templates'], opt.template)]
+        apparmor.easyprof.print_files(files)
+        sys.exit(0)
+    elif opt.list_policy_groups:
+        apparmor.easyprof.print_basefilenames(easyp.get_policy_groups())
+        sys.exit(0)
+    elif opt.policy_groups and opt.show_policy_group:
+        for g in opt.policy_groups.split(','):
+            files = [os.path.join(easyp.dirs['policygroups'], g)]
+            apparmor.easyprof.print_files(files)
+        sys.exit(0)
+    elif binary == None:
+        error("Must specify full path to binary\n%s" % m)
+
+    # if we made it here, generate a profile
+    params = apparmor.easyprof.gen_policy_params(binary, opt)
+    p = easyp.gen_policy(**params)
+    print p,
+

utils/aa-easyprof.pod

@@ -0,0 +1,146 @@
+# This publication is intellectual property of Canonical Ltd. Its contents
+# can be duplicated, either in part or in whole, provided that a copyright
+# label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither Canonical Ltd, the authors, nor the translators shall be held
+# liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. Canonical Ltd
+# essentially adheres to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+=pod
+
+=head1 NAME
+
+aa-easyprof - AppArmor profile generation made easy.
+
+=head1 SYNOPSIS
+
+B<aa-easyprof> [option] <path to binary>
+
+=head1 DESCRIPTION
+
+B<aa-easyprof> provides an easy to use interface for AppArmor policy
+generation. B<aa-easyprof> supports the use of templates and policy groups to
+quickly profile an application. Please note that while this tool can help
+with policy generation, its utility is dependent on the quality of the
+templates, policy groups and abstractions used. Also, this tool may create
+policy which is less restricted than creating policy by hand or with
+B<aa-genprof> and B<aa-logprof>.
+
+=head1 OPTIONS
+
+B<aa-easyprof> accepts the following arguments:
+
+=over 4
+
+=item -t TEMPLATE, --template=TEMPLATE
+
+Specify which template to use. May specify either a system template from
+/usr/share/apparmor/easyprof/templates or a filename for the template to
+use. If not specified, use /usr/share/apparmor/easyprof/templates/default.
+
+=item -p POLICYGROUPS, --policy-groups=POLICYGROUPS
+
+Specify POLICY as a comma-separated list of policy groups. See --list-templates
+for supported policy groups. The available policy groups are in
+/usr/share/apparmor/easyprof/policy. Policy groups are simply groupings of
+AppArmor rules or policies. They are similar to AppArmor abstractions, but
+usually encompass more policy rules.
+
+=item -a ABSTRACTIONS, --abstractions=ABSTRACTIONS
+
+Specify ABSTRACTIONS as a comma-separated list of AppArmor abstractions. It is
+usually recommended you use policy groups instead, but this is provided as a
+convenience. AppArmor abstractions are located in /etc/apparmor.d/abstractions.
+See apparmor.d(5) for details.
+
+=item -r PATH, --read-path=PATH
+
+Specify a PATH to allow owner reads. May be specified multiple times. If the
+PATH ends in a '/', then PATH is treated as a directory and reads are allowed
+to all files under this directory. Can optionally use '/*' at the end of the
+PATH to only allow reads to files directly in PATH.
+
+=item -w PATH, --write-dir=PATH
+
+Like --read-path but also allow owner writes in additions to reads.
+
+=item -n NAME, --name=NAME
+
+Specify NAME of policy. If not specified, NAME is set to the name of the
+binary. The NAME of the policy is often used as part of the path in the
+various templates.
+
+=item --template-var="@{VAR}=VALUE"
+
+Set VAR to VALUE in the resulting policy. This typically only makes sense if
+the specified template uses this value. May be specified multiple times.
+
+=item --list-templates
+
+List available templates.
+
+=item --show-template=TEMPLATE
+
+Display template specified with --template.
+
+=item --templates-dir=PATH
+
+Use PATH instead of system templates directory.
+
+=item --list-policy-groups
+
+List available policy groups.
+
+=item --show-policy-group
+
+Display policy groups specified with --policy.
+
+=item --policy-groups-dir=PATH
+
+Use PATH instead of system policy-groups directory.
+
+=item --author
+
+Specify author of the policy.
+
+=item --copyright
+
+Specify copyright of the policy.
+
+=item --comment
+
+Specify comment for the policy.
+
+=back
+
+=head1 EXAMPLE
+
+Example usage for a program named 'foo' which is installed in /opt/foo:
+
+=over
+
+$ aa-easyprof --template=user-application --template-var="@{APPNAME}=foo" --policy-groups=opt-application,user-application /opt/foo/bin/FooApp
+
+=back
+
+=head1 BUGS
+
+If you find any additional bugs, please report them to Launchpad at
+L<https://bugs.launchpad.net/apparmor/+filebug>.
+
+=head1 SEE ALSO
+
+apparmor(7) apparmor.d(5)
+
+=cut

utils/apparmor/__init__.py

@@ -0,0 +1,9 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2011-2012 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------

utils/apparmor/easyprof.py

@@ -0,0 +1,567 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2011-2012 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+import codecs
+import glob
+import optparse
+import os
+import re
+import subprocess
+import sys
+import tempfile
+
+#
+# TODO: move this out to the common library
+#
+#from apparmor import AppArmorException
+class AppArmorException(Exception):
+    '''This class represents AppArmor exceptions'''
+    def __init__(self, value):
+        self.value = value
+
+    def __str__(self):
+        return repr(self.value)
+#
+# End common
+#
+
+DEBUGGING = False
+
+#
+# TODO: move this out to a utilities library
+#
+def error(out, exit_code=1, do_exit=True):
+    '''Print error message and exit'''
+    try:
+        print >> sys.stderr, "ERROR: %s" % (out)
+    except IOError:
+        pass
+
+    if do_exit:
+        sys.exit(exit_code)
+
+
+def warn(out):
+    '''Print warning message'''
+    try:
+        print >> sys.stderr, "WARN: %s" % (out)
+    except IOError:
+        pass
+
+
+def msg(out, output=sys.stdout):
+    '''Print message'''
+    try:
+        print >> output, "%s" % (out)
+    except IOError:
+        pass
+
+
+def cmd(command):
+    '''Try to execute the given command.'''
+    debug(command)
+    try:
+        sp = subprocess.Popen(command, stdout=subprocess.PIPE,
+                              stderr=subprocess.STDOUT)
+    except OSError, ex:
+        return [127, str(ex)]
+
+    out = sp.communicate()[0]
+    return [sp.returncode, out]
+
+
+def cmd_pipe(command1, command2):
+    '''Try to pipe command1 into command2.'''
+    try:
+        sp1 = subprocess.Popen(command1, stdout=subprocess.PIPE)
+        sp2 = subprocess.Popen(command2, stdin=sp1.stdout)
+    except OSError, ex:
+        return [127, str(ex)]
+
+    out = sp2.communicate()[0]
+    return [sp2.returncode, out]
+
+
+def debug(out):
+    '''Print debug message'''
+    if DEBUGGING:
+        try:
+            print >> sys.stderr, "DEBUG: %s" % (out)
+        except IOError:
+            pass
+
+
+def valid_binary_path(path):
+    '''Validate name'''
+    try:
+        a_path = os.path.abspath(path)
+    except Exception:
+        debug("Could not find absolute path for binary")
+        return False
+
+    if path != a_path:
+        debug("Binary should use a normalized absolute path")
+        return False
+
+    if not os.path.exists(a_path):
+        return True
+
+    r_path = os.path.realpath(path)
+    if r_path != a_path:
+        debug("Binary should not be a symlink")
+        return False
+
+    return True
+
+
+def valid_variable_name(var):
+    '''Validate variable name'''
+    if re.search(r'[a-zA-Z0-9_]+$', var):
+        return True
+    return False
+
+
+def valid_path(path):
+    '''Valid path'''
+    # No relative paths
+    m = "Invalid path: %s" % (path)
+    if not path.startswith('/'):
+        debug("%s (relative)" % (m))
+        return False
+
+    try:
+        os.path.normpath(path)
+    except Exception:
+        debug("%s (could not normalize)" % (m))
+        return False
+    return True
+
+
+def get_directory_contents(path):
+    '''Find contents of the given directory'''
+    if not valid_path(path):
+        return None
+
+    files = []
+    for f in glob.glob(path + "/*"):
+        files.append(f)
+
+    files.sort()
+    return files
+
+def open_file_read(path):
+    '''Open specified file read-only'''
+    try:
+        orig = codecs.open(path, 'r', "UTF-8")
+    except Exception:
+        raise
+
+    return orig
+
+
+def verify_policy(policy):
+    '''Verify policy compiles'''
+    exe = "/sbin/apparmor_parser"
+    if not os.path.exists(exe):
+        rc, exe = cmd(['which', 'apparmor_parser'])
+        if rc != 0:
+            warn("Could not find apparmor_parser. Skipping verify")
+            return True
+
+    fn = ""
+    # if policy starts with '/' and is one line, assume it is a path
+    if len(policy.splitlines()) == 1 and valid_path(policy):
+        fn = policy
+    else:
+        f, fn = tempfile.mkstemp(prefix='aa-easyprof')
+        os.write(f, policy)
+        os.close(f)
+
+    rc, out = cmd([exe, '-p', fn])
+    os.unlink(fn)
+    if rc == 0:
+        return True
+    return False
+
+#
+# End utility functions
+#
+
+
+class AppArmorEasyProfile:
+    '''Easy profile class'''
+    def __init__(self, binary, opt):
+        self.conffile = "/etc/apparmor/easyprof.conf"
+        if opt.conffile:
+            self.conffile = os.path.abspath(opt.conffile)
+
+        self.dirs = dict()
+        if os.path.isfile(self.conffile):
+            self._get_defaults()
+
+        if opt.templates_dir and os.path.isdir(opt.templates_dir):
+            self.dirs['templates'] = os.path.abspath(opt.templates_dir)
+        elif not opt.templates_dir and \
+             opt.template and \
+             os.path.isfile(opt.template) and \
+             valid_path(opt.template):
+	    # If we specified the template and it is an absolute path, just set
+	    # the templates directory to the parent of the template so we don't
+            # have to require --template-dir with absolute paths.
+            self.dirs['templates'] = os.path.abspath(os.path.dirname(opt.template))
+        if opt.policy_groups_dir and os.path.isdir(opt.policy_groups_dir):
+            self.dirs['policygroups'] = os.path.abspath(opt.policy_groups_dir)
+
+        if not self.dirs.has_key('templates'):
+            raise AppArmorException("Could not find templates directory")
+        if not self.dirs.has_key('policygroups'):
+            raise AppArmorException("Could not find policygroups directory")
+
+        self.aa_topdir = "/etc/apparmor.d"
+
+        self.binary = binary
+        if binary != None:
+            if not valid_binary_path(binary):
+                raise AppArmorException("Invalid path for binary: '%s'" % binary)
+
+        self.set_template(opt.template)
+        self.set_policygroup(opt.policy_groups)
+        if opt.name:
+            self.set_name(opt.name)
+        elif self.binary != None:
+            self.set_name(self.binary)
+
+        self.templates = get_directory_contents(self.dirs['templates'])
+        self.policy_groups = get_directory_contents(self.dirs['policygroups'])
+
+    def _get_defaults(self):
+        '''Read in defaults from configuration'''
+        if not os.path.exists(self.conffile):
+            raise AppArmorException("Could not find '%s'" % self.conffile)
+
+        # Read in the configuration
+        f = open_file_read(self.conffile)
+
+        pat = re.compile(r'^\w+=".*"?')
+        for line in f:
+            if not pat.search(line):
+                continue
+            if line.startswith("POLICYGROUPS_DIR="):
+                d = re.split(r'=', line.strip())[1].strip('["\']')
+                self.dirs['policygroups'] = d
+            elif line.startswith("TEMPLATES_DIR="):
+                d = re.split(r'=', line.strip())[1].strip('["\']')
+                self.dirs['templates'] = d
+        f.close()
+
+        keys = self.dirs.keys()
+        if 'templates' not in keys:
+            raise AppArmorException("Could not find TEMPLATES_DIR in '%s'" % self.conffile)
+        if 'policygroups' not in keys:
+            raise AppArmorException("Could not find POLICYGROUPS_DIR in '%s'" % self.conffile)
+
+        for k in self.dirs.keys():
+            if not os.path.isdir(self.dirs[k]):
+                raise AppArmorException("Could not find '%s'" % self.dirs[k])
+
+    def set_name(self, name):
+        '''Set name of policy'''
+        self.name = name
+
+    def get_template(self):
+        '''Get contents of current template'''
+        return open(self.template).read()
+
+    def set_template(self, template):
+        '''Set current template'''
+        self.template = template
+        if not template.startswith('/'):
+            self.template = os.path.join(self.dirs['templates'], template)
+        if not os.path.exists(self.template):
+            raise AppArmorException('%s does not exist' % (self.template))
+
+    def get_templates(self):
+        '''Get list of all available templates by filename'''
+        return self.templates
+
+    def get_policygroup(self, policygroup):
+        '''Get contents of specific policygroup'''
+        p = policygroup
+        if not p.startswith('/'):
+            p = os.path.join(self.dirs['policygroups'], p)
+        if self.policy_groups == None or not p in self.policy_groups:
+            raise AppArmorException("Policy group '%s' does not exist" % p)
+        return open(p).read()
+
+    def set_policygroup(self, policygroups):
+        '''Set policygroups'''
+        self.policy_groups = []
+        if policygroups != None:
+            for p in policygroups.split(','):
+                if not p.startswith('/'):
+                    p = os.path.join(self.dirs['policygroups'], p)
+                if not os.path.exists(p):
+                    raise AppArmorException('%s does not exist' % (p))
+                self.policy_groups.append(p)
+
+    def get_policy_groups(self):
+        '''Get list of all policy groups by filename'''
+        return self.policy_groups
+
+    def gen_abstraction_rule(self, abstraction):
+        '''Generate an abstraction rule'''
+        p = os.path.join(self.aa_topdir, "abstractions", abstraction)
+        if not os.path.exists(p):
+            raise AppArmorException("%s does not exist" % p)
+        return "#include <abstractions/%s>" % abstraction
+
+    def gen_variable_declaration(self, dec):
+        '''Generate a variable declaration'''
+        if not re.search(r'^@\{[a-zA-Z_]+\}=.+', dec):
+            raise AppArmorException("Invalid variable declaration '%s'" % dec)
+        return dec
+
+    def gen_path_rule(self, path, access):
+        rule = []
+        if not path.startswith('/') and not path.startswith('@'):
+            raise AppArmorException("'%s' should not be relative path" % path)
+
+        owner = ""
+        if path.startswith('/home/') or path.startswith("@{HOME"):
+            owner = "owner "
+
+        if path.endswith('/'):
+            rule.append("%s %s," % (path, access))
+            rule.append("%s%s** %s," % (owner, path, access))
+        elif path.endswith('/**') or path.endswith('/*'):
+            rule.append("%s %s," % (os.path.dirname(path), access))
+            rule.append("%s%s %s," % (owner, path, access))
+        else:
+            rule.append("%s%s %s," % (owner, path, access))
+
+        return rule
+
+
+    def gen_policy(self, name, binary, template_var=[], abstractions=None, policy_groups=None, read_path=[], write_path=[], author=None, comment=None, copyright=None):
+        def find_prefix(t, s):
+            '''Calculate whitespace prefix based on occurrence of s in t'''
+            pat = re.compile(r'^ *%s' % s)
+            p = ""
+            for line in t.splitlines():
+                if pat.match(line):
+                    p = " " * (len(line) - len(line.lstrip()))
+                    break
+            return p
+
+        policy = self.get_template()
+        if '###ENDUSAGE###' in policy:
+            found = False
+            tmp = ""
+            for line in policy.splitlines():
+                if not found:
+                    if line.startswith('###ENDUSAGE###'):
+                        found = True
+                    continue
+                tmp += line + "\n"
+            policy = tmp
+
+        # Fill-in profile name and binary
+        policy = re.sub(r'###NAME###', name, policy)
+        policy = re.sub(r'###BINARY###', binary, policy)
+
+        # Fill-in various comment fields
+        if comment != None:
+            policy = re.sub(r'###COMMENT###', "Comment: %s" % comment, policy)
+
+        if author != None:
+            policy = re.sub(r'###AUTHOR###', "Author: %s" % author, policy)
+
+        if copyright != None:
+            policy = re.sub(r'###COPYRIGHT###', "Copyright: %s" % copyright, policy)
+
+        # Fill-in rules and variables with proper indenting
+        search = '###ABSTRACTIONS###'
+        prefix = find_prefix(policy, search)
+        s = "%s# No abstractions specified" % prefix
+        if abstractions != None:
+            s = "%s# Specified abstractions" % (prefix)
+            for i in abstractions.split(','):
+                s += "\n%s%s" % (prefix, self.gen_abstraction_rule(i))
+        policy = re.sub(r' *%s' % search, s, policy)
+
+        search = '###POLICYGROUPS###'
+        prefix = find_prefix(policy, search)
+        s = "%s# No policy groups specified" % prefix
+        if policy_groups != None:
+            s = "%s# Rules specified via policy groups" % (prefix)
+            for i in policy_groups.split(','):
+                for line in self.get_policygroup(i).splitlines():
+                    s += "\n%s%s" % (prefix, line)
+                if i != policy_groups.split(',')[-1]:
+                    s += "\n"
+        policy = re.sub(r' *%s' % search, s, policy)
+
+        search = '###VAR###'
+        prefix = find_prefix(policy, search)
+        s = "%s# No template variables specified" % prefix
+        if len(template_var) > 0:
+            s = "%s# Specified profile variables" % (prefix)
+            for i in template_var:
+                s += "\n%s%s" % (prefix, self.gen_variable_declaration(i))
+        policy = re.sub(r' *%s' % search, s, policy)
+
+        search = '###READS###'
+        prefix = find_prefix(policy, search)
+        s = "%s# No read paths specified" % prefix
+        if len(read_path) > 0:
+            s = "%s# Specified read permissions" % (prefix)
+            for i in read_path:
+                for r in self.gen_path_rule(i, 'r'):
+                    s += "\n%s%s" % (prefix, r)
+        policy = re.sub(r' *%s' % search, s, policy)
+
+        search = '###WRITES###'
+        prefix = find_prefix(policy, search)
+        s = "%s# No write paths specified" % prefix
+        if len(write_path) > 0:
+            s = "%s# Specified write permissions" % (prefix)
+            for i in write_path:
+                for r in self.gen_path_rule(i, 'rwk'):
+                    s += "\n%s%s" % (prefix, r)
+        policy = re.sub(r' *%s' % search, s, policy)
+
+        if not verify_policy(policy):
+            debug("\n" + policy)
+            raise AppArmorException("Invalid policy")
+
+        return policy
+
+def print_basefilenames(files):
+    for i in files:
+        print "%s" % (os.path.basename(i))
+
+def print_files(files):
+    for i in files:
+        print open(i).read()
+
+def parse_args(args=None):
+    '''Parse arguments'''
+    global DEBUGGING
+
+    parser = optparse.OptionParser()
+    parser.add_option("-c", "--config-file",
+                      dest="conffile",
+                      help="Use alternate configuration file",
+                      metavar="FILE")
+    parser.add_option("-d", "--debug",
+                      help="Show debugging output",
+                      action='store_true',
+                      default=False)
+    parser.add_option("-t", "--template",
+                      dest="template",
+                      help="Use non-default policy template",
+                      metavar="TEMPLATE",
+                      default='default')
+    parser.add_option("--list-templates",
+                      help="List available templates",
+                      action='store_true',
+                      default=False)
+    parser.add_option("--templates-dir",
+                      dest="templates_dir",
+                      help="Use non-default templates directory",
+                      metavar="DIR")
+    parser.add_option("--show-template",
+                      help="Show specified template",
+                      action='store_true',
+                      default=False)
+    parser.add_option("-p", "--policy-groups",
+                      help="Comma-separated list of policy groups",
+                      metavar="POLICYGROUPS")
+    parser.add_option("--list-policy-groups",
+                      help="List available policy groups",
+                      action='store_true',
+                      default=False)
+    parser.add_option("--policy-groups-dir",
+                      dest="policy_groups_dir",
+                      help="Use non-default policy-groups directory",
+                      metavar="DIR")
+    parser.add_option("--show-policy-group",
+                      help="Show specified policy groups",
+                      action='store_true',
+                      default=False)
+    parser.add_option("-a", "--abstractions",
+                      dest="abstractions",
+                      help="Comma-separated list of abstractions",
+                      metavar="ABSTRACTIONS")
+    parser.add_option("--read-path",
+                      dest="read_path",
+                      help="Path allowing owner reads",
+                      metavar="PATH",
+                      action="append")
+    parser.add_option("--write-path",
+                      dest="write_path",
+                      help="Path allowing owner writes",
+                      metavar="PATH",
+                      action="append")
+    parser.add_option("-n", "--name",
+                      dest="name",
+                      help="Name of policy",
+                      metavar="NAME")
+    parser.add_option("--comment",
+                      dest="comment",
+                      help="Comment for policy",
+                      metavar="COMMENT")
+    parser.add_option("--author",
+                      dest="author",
+                      help="Author of policy",
+                      metavar="COMMENT")
+    parser.add_option("--copyright",
+                      dest="copyright",
+                      help="Copyright for policy",
+                      metavar="COMMENT")
+    parser.add_option("--template-var",
+                      dest="template_var",
+                      help="Declare AppArmor variable",
+                      metavar="@{VARIABLE}=VALUE",
+                      action="append")
+
+    (my_opt, my_args) = parser.parse_args(args)
+    if my_opt.debug:
+        DEBUGGING = True
+    return (my_opt, my_args)
+
+def gen_policy_params(binary, opt):
+    '''Generate parameters for gen_policy'''
+    params = dict(binary=binary)
+    if opt.name:
+        params['name'] = opt.name
+    else:
+        params['name'] = os.path.basename(binary)
+    if opt.template_var: # What about specified multiple times?
+        params['template_var'] = opt.template_var
+    if opt.abstractions:
+        params['abstractions'] = opt.abstractions
+    if opt.policy_groups:
+        params['policy_groups'] = opt.policy_groups
+    if opt.read_path:
+        params['read_path'] = opt.read_path
+    if opt.write_path:
+        params['write_path'] = opt.write_path
+    if opt.abstractions:
+        params['abstractions'] = opt.abstractions
+    if opt.comment:
+        params['comment'] = opt.comment
+    if opt.author:
+        params['author'] = opt.author
+    if opt.copyright:
+        params['copyright'] = opt.copyright
+
+    return params
+

utils/easyprof/README

@@ -0,0 +1,44 @@
+AppArmor Easy Profiler
+----------------------
+aa-easyprof is a standalone CLI application which can also be imported into
+developer SDKs. See test/test-aa-easyprof.py for an example of how to import
+this into your SDK.
+
+
+Templates
+---------
+Any number of templates can be used. The user may specify one on the command
+line or use a system-wide template from /usr/share/apparmor/easyprof/templates.
+
+Currently the combination of the user-application and the opt-application and
+user-application policygroups should achieve a working policy for Ubuntu's
+Application Review Board:
+- http://developer.ubuntu.com/publish/my-apps-packages/
+
+Eg:
+$ aa-easyprof --template=user-application \
+              --template-var="@{APPNAME}=foo" \
+              --policy-groups=opt-application,user-application \
+              /opt/foo/bin/foo
+
+Testing
+-------
+Unit tests:
+$ ./test/test-aa-easyprof.py
+
+In source manual testing:
+$ ./aa-easyprof --templates-dir=./easyprof/templates \
+                --policy-groups-dir=./easyprof/policygroups \
+                ... \
+                /opt/foo/bin/foo
+
+Post-install manual testing:
+$ make DESTDIR=/tmp/test PERLDIR=/tmp/test/usr/share/perl5/Immunix install
+$ cd /tmp/test
+$ PYTHONPATH=/tmp/test/usr/local/.../dist-packages ./usr/bin/aa-easyprof \
+    --templates-dir=/tmp/test/usr/share/apparmor/easyprof/templates \
+    --policy-groups-dir=/tmp/test/usr/share/apparmor/easyprof/policygroups \
+    /opt/bin/foo
+
+(you may also adjust /tmp/test/etc/apparmor/easyprof.conf to avoid specifying
+--templates-dir and --policy-groups-dir).

utils/easyprof/easyprof.conf

@@ -0,0 +1,5 @@
+# Location of system policygroups
+POLICYGROUPS_DIR="/usr/share/apparmor/easyprof/policygroups"
+
+# Location of system templates
+TEMPLATES_DIR="/usr/share/apparmor/easyprof/templates"

utils/easyprof/policygroups/networking

@@ -0,0 +1,2 @@
+# Policygroup to allow networking
+#include <abstractions/nameservice>

utils/easyprof/policygroups/opt-application

@@ -0,0 +1,3 @@
+# Policy group for applications installed in /opt
+/opt/@{APPNAME}/ r,
+/opt/@{APPNAME}/** mrk,

utils/easyprof/policygroups/user-application

@@ -0,0 +1,8 @@
+# Policy group allowing various writes to standard directories in @{HOMEDIRS}
+#include <abstractions/xdg-desktop>
+owner @{HOMEDIRS}/.cache/@{APPNAME}/ rw,
+owner @{HOMEDIRS}/.cache/@{APPNAME}/** rwkl,
+owner @{HOMEDIRS}/.config/@{APPNAME}/ rw,
+owner @{HOMEDIRS}/.config/@{APPNAME}/** rwkl,
+owner @{HOMEDIRS}/.local/share/@{APPNAME}/ rw,
+owner @{HOMEDIRS}/.local/share/@{APPNAME}/** rwkl,

utils/easyprof/templates/default

@@ -0,0 +1,26 @@
+#
+# Example usage:
+# $ aa-easyprof --policy-groups=user-application /usr/bin/foo
+#
+###ENDUSAGE###
+# vim:syntax=apparmor
+# AppArmor policy for ###NAME###
+# ###AUTHOR###
+# ###COPYRIGHT###
+# ###COMMENT###
+
+#include <tunables/global>
+
+###VAR###
+
+###BINARY### {
+  #include <abstractions/base>
+
+  ###ABSTRACTIONS###
+
+  ###POLICYGROUPS###
+
+  ###READS###
+
+  ###WRITES###
+}

utils/easyprof/templates/user-application

@@ -0,0 +1,29 @@
+#
+# Example usage for a program named 'foo' which is installed in /opt/foo
+# $ aa-easyprof --template=user-application \
+#               --template-var="@{APPNAME}=foo" \
+#               --policy-groups=opt-application,user-application \
+#               /opt/foo/bin/foo
+#
+###ENDUSAGE###
+# vim:syntax=apparmor
+# AppArmor policy for ###NAME###
+# ###AUTHOR###
+# ###COPYRIGHT###
+# ###COMMENT###
+
+#include <tunables/global>
+
+###VAR###
+
+###BINARY### {
+  #include <abstractions/base>
+
+  ###ABSTRACTIONS###
+
+  ###POLICYGROUPS###
+
+  ###READS###
+
+  ###WRITES###
+}

utils/python-tools-setup.py

@@ -0,0 +1,79 @@
+# ----------------------------------------------------------------------
+#    Copyright (c) 2012 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, contact Canonical, Ltd.
+# ----------------------------------------------------------------------
+#
+# Usage:
+# $ python ./python-tools-setup.py install --root=... --version=...
+#
+# Note: --version=... must be the last argument to this script
+#
+
+from distutils.command.install import install as _install
+from distutils.core import setup
+import os
+import shutil
+import sys
+
+class Install(_install, object):
+    '''Override distutils to install the files where we want them.'''
+    def run(self):
+        # Now byte-compile everything
+        super(Install, self).run()
+
+        prefix = self.prefix
+        if self.root != None:
+            prefix = self.root
+
+        # Install scripts, configuration files and data
+        scripts = ['/usr/bin/aa-easyprof']
+        self.mkpath(prefix + os.path.dirname(scripts[0]))
+        for s in scripts:
+            self.copy_file(os.path.basename(s), prefix + s)
+
+        configs = ['easyprof/easyprof.conf']
+        self.mkpath(prefix + "/etc/apparmor")
+        for c in configs:
+            self.copy_file(c, os.path.join(prefix + "/etc/apparmor", os.path.basename(c)))
+
+        data = ['easyprof/templates', 'easyprof/policygroups']
+        self.mkpath(prefix + "/usr/share/apparmor/easyprof")
+        for d in data:
+            self.copy_tree(d, os.path.join(prefix + "/usr/share/apparmor/easyprof", os.path.basename(d)))
+
+
+if os.path.exists('staging'):
+    shutil.rmtree('staging')
+shutil.copytree('apparmor', 'staging')
+
+# Support the --version=... since this will be part of a Makefile
+version = "unknown-version"
+if "--version=" in sys.argv[-1]:
+    version=sys.argv[-1].split('=')[1]
+    sys.argv = sys.argv[0:-1]
+
+setup (name='apparmor',
+       version=version,
+       description='Python libraries for AppArmor utilities',
+       long_description='Python libraries for AppArmor utilities',
+       author='AppArmor Developers',
+       author_email='apparmor@lists.ubuntu.com',
+       url='https://launchpad.net/apparmor',
+       license='GPL-2',
+       cmdclass={'install': Install},
+       package_dir={'apparmor': 'staging'},
+       py_modules=['apparmor.easyprof']
+)
+
+shutil.rmtree('staging')

utils/test/easyprof.conf

@@ -0,0 +1,5 @@
+# Location of system policygroups
+POLICYGROUPS_DIR="./policygroups"
+
+# Location of system templates
+TEMPLATES_DIR="./templates"

utils/test/test-aa-easyprof.py

@@ -0,0 +1,882 @@
+#! /usr/bin/env python
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2011-2012 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+import glob
+import os
+import shutil
+import sys
+import tempfile
+import unittest
+
+topdir = None
+debugging = False
+
+def recursive_rm(dirPath, contents_only=False):
+    '''recursively remove directory'''
+    names = os.listdir(dirPath)
+    for name in names:
+        path = os.path.join(dirPath, name)
+        if os.path.islink(path) or not os.path.isdir(path):
+            os.unlink(path)
+        else:
+            recursive_rm(path)
+    if contents_only == False:
+        os.rmdir(dirPath)
+
+#
+# Our test class
+#
+class T(unittest.TestCase):
+    def setUp(self):
+        '''Setup for tests'''
+        global topdir
+
+        self.tmpdir = tempfile.mkdtemp(prefix='test-aa-easyprof')
+
+        # Copy everything into place
+        for d in ['easyprof/policygroups', 'easyprof/templates']:
+            shutil.copytree(os.path.join(topdir, d), os.path.join(self.tmpdir, os.path.basename(d)))
+
+        # Create a test template
+        self.test_template = "test-template"
+        contents = '''# vim:syntax=apparmor
+# %s
+# AppArmor policy for ###NAME###
+# ###AUTHOR###
+# ###COPYRIGHT###
+# ###COMMENT###
+
+#include <tunables/global>
+
+###VAR###
+
+###BINARY### {
+  #include <abstractions/base>
+
+  ###ABSTRACTIONS###
+
+  ###POLICYGROUPS###
+
+  ###READS###
+
+  ###WRITES###
+}
+
+''' % (self.test_template)
+        open(os.path.join(self.tmpdir, 'templates', self.test_template), 'w').write(contents)
+
+        # Create a test policygroup
+        self.test_policygroup = "test-policygroup"
+        contents = '''
+  # %s
+  #include <abstractions/gnome>
+  #include <abstractions/nameservice>
+''' % (self.test_policygroup)
+        open(os.path.join(self.tmpdir, 'policygroups', self.test_policygroup), 'w').write(contents)
+
+        # setup our conffile
+        self.conffile = os.path.join(self.tmpdir, 'easyprof.conf')
+        contents = '''
+POLICYGROUPS_DIR="%s/policygroups"
+TEMPLATES_DIR="%s/templates"
+''' % (self.tmpdir, self.tmpdir)
+        open(self.conffile, 'w').write(contents)
+
+        self.binary = "/opt/bin/foo"
+        self.full_args = ['-c', self.conffile, self.binary]
+
+        if debugging:
+            self.full_args.append('-d')
+
+        (self.options, self.args) = easyprof.parse_args(self.full_args + [self.binary])
+
+    def tearDown(self):
+        '''Teardown for tests'''
+        if os.path.exists(self.tmpdir):
+            recursive_rm(self.tmpdir)
+
+#
+# config file tests
+#
+    def test_configuration_file_p_invalid(self):
+        '''Test config parsing (invalid POLICYGROUPS_DIR)'''
+        contents = '''
+POLICYGROUPS_DIR=
+TEMPLATES_DIR="%s/templates"
+''' % (self.tmpdir)
+
+        open(self.conffile, 'w').write(contents)
+        try:
+            easyprof.AppArmorEasyProfile(self.binary, self.options)
+        except easyprof.AppArmorException:
+            return
+        except Exception:
+            raise
+
+        raise Exception ("File should have been invalid")
+
+    def test_configuration_file_p_empty(self):
+        '''Test config parsing (empty POLICYGROUPS_DIR)'''
+        contents = '''
+POLICYGROUPS_DIR="%s"
+TEMPLATES_DIR="%s/templates"
+''' % ('', self.tmpdir)
+
+        open(self.conffile, 'w').write(contents)
+        try:
+            easyprof.AppArmorEasyProfile(self.binary, self.options)
+        except easyprof.AppArmorException:
+            return
+        except Exception:
+            raise
+
+        raise Exception ("File should have been invalid")
+
+    def test_configuration_file_p_nonexistent(self):
+        '''Test config parsing (nonexistent POLICYGROUPS_DIR)'''
+        contents = '''
+POLICYGROUPS_DIR="%s/policygroups"
+TEMPLATES_DIR="%s/templates"
+''' % ('/nonexistent', self.tmpdir)
+
+        open(self.conffile, 'w').write(contents)
+        try:
+            easyprof.AppArmorEasyProfile(self.binary, self.options)
+        except easyprof.AppArmorException:
+            return
+        except Exception:
+            raise
+
+        raise Exception ("File should have been invalid")
+
+    def test_policygroups_dir_relative(self):
+        '''Test --policy-groups-dir (relative DIR)'''
+        os.chdir(self.tmpdir)
+        rel = os.path.join(self.tmpdir, 'relative')
+        os.mkdir(rel)
+        shutil.copy(os.path.join(self.tmpdir, 'policygroups', self.test_policygroup), os.path.join(rel, self.test_policygroup))
+
+        args = self.full_args
+        args += ['--policy-groups-dir', './relative', '--show-policy-group', '--policy-groups=%s' % self.test_policygroup]
+        (self.options, self.args) = easyprof.parse_args(args)
+        easyp = easyprof.AppArmorEasyProfile(self.binary, self.options)
+
+        # no fallback
+        self.assertTrue(easyp.dirs['policygroups'] == rel, "Not using specified --policy-groups-dir")
+        self.assertFalse(easyp.get_policy_groups() == None, "Could not find policy-groups")
+
+    def test_policygroups_dir_nonexistent(self):
+        '''Test --policy-groups-dir (nonexistent DIR)'''
+        os.chdir(self.tmpdir)
+        rel = os.path.join(self.tmpdir, 'nonexistent')
+
+        args = self.full_args
+        args += ['--policy-groups-dir', rel, '--show-policy-group', '--policy-groups=%s' % self.test_policygroup]
+        (self.options, self.args) = easyprof.parse_args(args)
+        easyp = easyprof.AppArmorEasyProfile(self.binary, self.options)
+
+        # test if using fallback
+        self.assertFalse(easyp.dirs['policygroups'] == rel, "Using nonexistent --policy-groups-dir")
+
+        # test fallback
+        self.assertTrue(easyp.get_policy_groups() != None, "Found policy-groups when shouldn't have")
+
+    def test_policygroups_dir_valid(self):
+        '''Test --policy-groups-dir (valid DIR)'''
+        os.chdir(self.tmpdir)
+        valid = os.path.join(self.tmpdir, 'valid')
+        os.mkdir(valid)
+        shutil.copy(os.path.join(self.tmpdir, 'policygroups', self.test_policygroup), os.path.join(valid, self.test_policygroup))
+
+        args = self.full_args
+        args += ['--policy-groups-dir', valid, '--show-policy-group', '--policy-groups=%s' % self.test_policygroup]
+        (self.options, self.args) = easyprof.parse_args(args)
+        easyp = easyprof.AppArmorEasyProfile(self.binary, self.options)
+
+        # no fallback
+        self.assertTrue(easyp.dirs['policygroups'] == valid, "Not using specified --policy-groups-dir")
+        self.assertFalse(easyp.get_policy_groups() == None, "Could not find policy-groups")
+
+    def test_configuration_file_t_invalid(self):
+        '''Test config parsing (invalid TEMPLATES_DIR)'''
+        contents = '''
+TEMPLATES_DIR=
+POLICYGROUPS_DIR="%s/templates"
+''' % (self.tmpdir)
+
+        open(self.conffile, 'w').write(contents)
+        try:
+            easyprof.AppArmorEasyProfile(self.binary, self.options)
+        except easyprof.AppArmorException:
+            return
+        except Exception:
+            raise
+
+        raise Exception ("File should have been invalid")
+
+    def test_configuration_file_t_empty(self):
+        '''Test config parsing (empty TEMPLATES_DIR)'''
+        contents = '''
+TEMPLATES_DIR="%s"
+POLICYGROUPS_DIR="%s/templates"
+''' % ('', self.tmpdir)
+
+        open(self.conffile, 'w').write(contents)
+        try:
+            easyprof.AppArmorEasyProfile(self.binary, self.options)
+        except easyprof.AppArmorException:
+            return
+        except Exception:
+            raise
+
+        raise Exception ("File should have been invalid")
+
+    def test_configuration_file_t_nonexistent(self):
+        '''Test config parsing (nonexistent TEMPLATES_DIR)'''
+        contents = '''
+TEMPLATES_DIR="%s/policygroups"
+POLICYGROUPS_DIR="%s/templates"
+''' % ('/nonexistent', self.tmpdir)
+
+        open(self.conffile, 'w').write(contents)
+        try:
+            easyprof.AppArmorEasyProfile(self.binary, self.options)
+        except easyprof.AppArmorException:
+            return
+        except Exception:
+            raise
+
+        raise Exception ("File should have been invalid")
+
+    def test_templates_dir_relative(self):
+        '''Test --templates-dir (relative DIR)'''
+        os.chdir(self.tmpdir)
+        rel = os.path.join(self.tmpdir, 'relative')
+        os.mkdir(rel)
+        shutil.copy(os.path.join(self.tmpdir, 'templates', self.test_template), os.path.join(rel, self.test_template))
+
+        args = self.full_args
+        args += ['--templates-dir', './relative', '--show-template', '--template=%s' % self.test_template]
+        (self.options, self.args) = easyprof.parse_args(args)
+        easyp = easyprof.AppArmorEasyProfile(self.binary, self.options)
+
+        # no fallback
+        self.assertTrue(easyp.dirs['templates'] == rel, "Not using specified --template-dir")
+        self.assertFalse(easyp.get_templates() == None, "Could not find templates")
+
+    def test_templates_dir_nonexistent(self):
+        '''Test --templates-dir (nonexistent DIR)'''
+        os.chdir(self.tmpdir)
+        rel = os.path.join(self.tmpdir, 'nonexistent')
+
+        args = self.full_args
+        args += ['--templates-dir', rel, '--show-template', '--template=%s' % self.test_template]
+        (self.options, self.args) = easyprof.parse_args(args)
+        easyp = easyprof.AppArmorEasyProfile(self.binary, self.options)
+
+        # test if using fallback
+        self.assertFalse(easyp.dirs['templates'] == rel, "Using nonexistent --template-dir")
+
+        # test fallback
+        self.assertTrue(easyp.get_templates() != None, "Found templates when shouldn't have")
+
+    def test_templates_dir_valid(self):
+        '''Test --templates-dir (valid DIR)'''
+        os.chdir(self.tmpdir)
+        valid = os.path.join(self.tmpdir, 'valid')
+        os.mkdir(valid)
+        shutil.copy(os.path.join(self.tmpdir, 'templates', self.test_template), os.path.join(valid, self.test_template))
+
+        args = self.full_args
+        args += ['--templates-dir', valid, '--show-template', '--template=%s' % self.test_template]
+        (self.options, self.args) = easyprof.parse_args(args)
+        easyp = easyprof.AppArmorEasyProfile(self.binary, self.options)
+
+        # no fallback
+        self.assertTrue(easyp.dirs['templates'] == valid, "Not using specified --template-dir")
+        self.assertFalse(easyp.get_templates() == None, "Could not find templates")
+
+#
+# Binary file tests
+#
+    def test_binary(self):
+        '''Test binary'''
+        easyprof.AppArmorEasyProfile('/bin/ls', self.options)
+
+    def test_binary_nonexistent(self):
+        '''Test binary (nonexistent)'''
+        easyprof.AppArmorEasyProfile(os.path.join(self.tmpdir, 'nonexistent'), self.options)
+
+    def test_binary_relative(self):
+        '''Test binary (relative)'''
+        try:
+            easyprof.AppArmorEasyProfile('./foo', self.options)
+        except easyprof.AppArmorException:
+            return
+        except Exception:
+            raise
+        raise Exception ("Binary should have been invalid")
+
+    def test_binary_symlink(self):
+        '''Test binary (symlink)'''
+        exe = os.path.join(self.tmpdir, 'exe')
+        open(exe, 'wa').close()
+        symlink = exe + ".lnk"
+        os.symlink(exe, symlink)
+
+        try:
+            easyprof.AppArmorEasyProfile(symlink, self.options)
+        except easyprof.AppArmorException:
+            return
+        except Exception:
+            raise
+        raise Exception ("Binary should have been invalid")
+
+#
+# Templates tests
+#
+    def test_templates_list(self):
+        '''Test templates (list)'''
+        args = self.full_args
+        args.append('--list-templates')
+        (self.options, self.args) = easyprof.parse_args(args)
+
+        easyp = easyprof.AppArmorEasyProfile(None, self.options)
+        for i in easyp.get_templates():
+            self.assertTrue(os.path.exists(i), "Could not find '%s'" % i)
+
+    def test_templates_show(self):
+        '''Test templates (show)'''
+        files = []
+        for f in glob.glob("%s/templates/*" % self.tmpdir):
+            files.append(f)
+
+        for f in files:
+            args = self.full_args
+            args += ['--show-template', '--template', f]
+            (self.options, self.args) = easyprof.parse_args(args)
+            easyp = easyprof.AppArmorEasyProfile(None, self.options)
+
+            path = os.path.join(easyp.dirs['templates'], f)
+            self.assertTrue(os.path.exists(path), "Could not find '%s'" % path)
+            open(path).read()
+
+#
+# Policygroups tests
+#
+    def test_policygroups_list(self):
+        '''Test policygroups (list)'''
+        args = self.full_args
+        args.append('--list-policy-groups')
+        (self.options, self.args) = easyprof.parse_args(args)
+
+        easyp = easyprof.AppArmorEasyProfile(None, self.options)
+        for i in easyp.get_templates():
+            self.assertTrue(os.path.exists(i), "Could not find '%s'" % i)
+
+    def test_policygroups_show(self):
+        '''Test policygroups (show)'''
+        files = []
+        for f in glob.glob("%s/policygroups/*" % self.tmpdir):
+            files.append(f)
+
+        for f in files:
+            args = self.full_args
+            args += ['--show-template', '--template', f]
+            (self.options, self.args) = easyprof.parse_args(args)
+            easyp = easyprof.AppArmorEasyProfile(None, self.options)
+
+            path = os.path.join(easyp.dirs['policygroups'], f)
+            self.assertTrue(os.path.exists(path), "Could not find '%s'" % path)
+            open(path).read()
+
+#
+# Test genpolicy
+#
+    def _gen_policy(self, name=None, template=None, extra_args=[]):
+        '''Generate a policy'''
+        # Build up our args
+        args = self.full_args
+
+        if template == None:
+            args.append('--template=%s' % self.test_template)
+        else:
+            args.append('--template=%s' % template)
+
+        if name != None:
+            args.append('--name=%s' % name)
+
+        if len(extra_args) > 0:
+            args += extra_args
+
+        args.append(self.binary)
+
+        # Now parse our args
+        (self.options, self.args) = easyprof.parse_args(args)
+        easyp = easyprof.AppArmorEasyProfile(self.binary, self.options)
+        params = easyprof.gen_policy_params(self.binary, self.options)
+        p = easyp.gen_policy(**params)
+
+        # We always need to check for these
+        search_terms = [self.binary]
+        if name != None:
+            search_terms.append(name)
+
+        if template == None:
+            search_terms.append(self.test_template)
+
+        for s in search_terms:
+            self.assertTrue(s in p, "Could not find '%s' in:\n%s" % (s, p))
+
+        # ###NAME### should be replaced with self.binary or 'name'. Check for that
+        inv_s = '###NAME###'
+        self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+        if debugging:
+            print p
+
+        return p
+
+    def test_genpolicy_templates_abspath(self):
+        '''Test genpolicy (abspath to template)'''
+        # create a new template
+        template = os.path.join(self.tmpdir, "test-abspath-template")
+        shutil.copy(os.path.join(self.tmpdir, 'templates', self.test_template), template)
+        contents = open(template).read()
+        test_string = "#teststring"
+        open(template, 'w').write(contents + "\n%s\n" % test_string)
+
+        p = self._gen_policy(template=template)
+
+        for s in [self.test_template, test_string]:
+            self.assertTrue(s in p, "Could not find '%s' in:\n%s" % (s, p))
+
+    def test_genpolicy_templates_system(self):
+        '''Test genpolicy (system template)'''
+        self._gen_policy()
+
+    def test_genpolicy_templates_nonexistent(self):
+        '''Test genpolicy (nonexistent template)'''
+        try:
+            self._gen_policy(template=os.path.join(self.tmpdir, "/nonexistent"))
+        except easyprof.AppArmorException:
+            return
+        except Exception:
+            raise
+        raise Exception ("template should be invalid")
+
+    def test_genpolicy_name(self):
+        '''Test genpolicy (name)'''
+        self._gen_policy(name='test-foo')
+
+    def test_genpolicy_comment(self):
+        '''Test genpolicy (comment)'''
+        s = "test comment"
+        p = self._gen_policy(extra_args=['--comment=%s' % s])
+        self.assertTrue(s in p, "Could not find '%s' in:\n%s" % (s, p))
+        inv_s = '###COMMENT###'
+        self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+    def test_genpolicy_author(self):
+        '''Test genpolicy (author)'''
+        s = "Archibald Poindexter"
+        p = self._gen_policy(extra_args=['--author=%s' % s])
+        self.assertTrue(s in p, "Could not find '%s' in:\n%s" % (s, p))
+        inv_s = '###AUTHOR###'
+        self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+    def test_genpolicy_copyright(self):
+        '''Test genpolicy (copyright)'''
+        s = "2112/01/01"
+        p = self._gen_policy(extra_args=['--copyright=%s' % s])
+        self.assertTrue(s in p, "Could not find '%s' in:\n%s" % (s, p))
+        inv_s = '###COPYRIGHT###'
+        self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+    def test_genpolicy_abstractions(self):
+        '''Test genpolicy (single abstraction)'''
+        s = "nameservice"
+        p = self._gen_policy(extra_args=['--abstractions=%s' % s])
+        search = "#include <abstractions/%s>" % s
+        self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+        inv_s = '###ABSTRACTIONS###'
+        self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+    def test_genpolicy_abstractions_multiple(self):
+        '''Test genpolicy (multiple abstractions)'''
+        abstractions = "authentication,X,user-tmp"
+        p = self._gen_policy(extra_args=['--abstractions=%s' % abstractions])
+        for s in abstractions.split(','):
+            search = "#include <abstractions/%s>" % s
+            self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+        inv_s = '###ABSTRACTIONS###'
+        self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+    def test_genpolicy_policygroups(self):
+        '''Test genpolicy (single policygroup)'''
+        groups = self.test_policygroup
+        p = self._gen_policy(extra_args=['--policy-groups=%s' % groups])
+
+        for s in ['#include <abstractions/nameservice>', '#include <abstractions/gnome>']:
+            self.assertTrue(s in p, "Could not find '%s' in:\n%s" % (s, p))
+        inv_s = '###POLICYGROUPS###'
+        self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+    def test_genpolicy_policygroups_multiple(self):
+        '''Test genpolicy (multiple policygroups)'''
+        test_policygroup2 = "test-policygroup2"
+        contents = '''
+  # %s
+  #include <abstractions/kde>
+  #include <abstractions/openssl>
+''' % (self.test_policygroup)
+        open(os.path.join(self.tmpdir, 'policygroups', test_policygroup2), 'w').write(contents)
+
+        groups = "%s,%s" % (self.test_policygroup, test_policygroup2)
+        p = self._gen_policy(extra_args=['--policy-groups=%s' % groups])
+
+        for s in ['#include <abstractions/nameservice>',
+                  '#include <abstractions/gnome>',
+                  '#include <abstractions/kde>',
+                  '#include <abstractions/openssl>']:
+            self.assertTrue(s in p, "Could not find '%s' in:\n%s" % (s, p))
+        inv_s = '###POLICYGROUPS###'
+        self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+    def test_genpolicy_policygroups_nonexistent(self):
+        '''Test genpolicy (nonexistent policygroup)'''
+        try:
+            self._gen_policy(extra_args=['--policy-groups=nonexistent'])
+        except easyprof.AppArmorException:
+            return
+        except Exception:
+            raise
+        raise Exception ("policygroup should be invalid")
+
+    def test_genpolicy_readpath_file(self):
+        '''Test genpolicy (read-path file)'''
+        s = "/opt/test-foo"
+        p = self._gen_policy(extra_args=['--read-path=%s' % s])
+        search = "%s r," % s
+        self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+        inv_s = '###READPATH###'
+        self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+    def test_genpolicy_readpath_home_file(self):
+        '''Test genpolicy (read-path file in /home)'''
+        s = "/home/*/test-foo"
+        p = self._gen_policy(extra_args=['--read-path=%s' % s])
+        search = "owner %s r," % s
+        self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+        inv_s = '###READPATH###'
+        self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+    def test_genpolicy_readpath_homevar_file(self):
+        '''Test genpolicy (read-path file in @{HOME})'''
+        s = "@{HOME}/test-foo"
+        p = self._gen_policy(extra_args=['--read-path=%s' % s])
+        search = "owner %s r," % s
+        self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+        inv_s = '###READPATH###'
+        self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+    def test_genpolicy_readpath_homedirs_file(self):
+        '''Test genpolicy (read-path file in @{HOMEDIRS})'''
+        s = "@{HOMEDIRS}/test-foo"
+        p = self._gen_policy(extra_args=['--read-path=%s' % s])
+        search = "owner %s r," % s
+        self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+        inv_s = '###READPATH###'
+        self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+    def test_genpolicy_readpath_dir(self):
+        '''Test genpolicy (read-path directory/)'''
+        s = "/opt/test-foo-dir/"
+        p = self._gen_policy(extra_args=['--read-path=%s' % s])
+        search_terms = ["%s r," % s, "%s** r," % s]
+        for search in search_terms:
+            self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+        inv_s = '###READPATH###'
+        self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+    def test_genpolicy_readpath_dir_glob(self):
+        '''Test genpolicy (read-path directory/*)'''
+        s = "/opt/test-foo-dir/*"
+        p = self._gen_policy(extra_args=['--read-path=%s' % s])
+        search_terms = ["%s r," % os.path.dirname(s), "%s r," % s]
+        for search in search_terms:
+            self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+        inv_s = '###READPATH###'
+        self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+    def test_genpolicy_readpath_dir_glob_all(self):
+        '''Test genpolicy (read-path directory/**)'''
+        s = "/opt/test-foo-dir/**"
+        p = self._gen_policy(extra_args=['--read-path=%s' % s])
+        search_terms = ["%s r," % os.path.dirname(s), "%s r," % s]
+        for search in search_terms:
+            self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+        inv_s = '###READPATH###'
+        self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+    def test_genpolicy_readpath_multiple(self):
+        '''Test genpolicy (read-path multiple)'''
+        paths = ["/opt/test-foo",
+                 "/home/*/test-foo",
+                 "@{HOME}/test-foo",
+                 "@{HOMEDIRS}/test-foo",
+                 "/opt/test-foo-dir/",
+                 "/opt/test-foo-dir/*",
+                 "/opt/test-foo-dir/**"]
+        args = []
+        search_terms = []
+        for s in paths:
+            args.append('--read-path=%s' % s)
+            # This mimics easyprof.gen_path_rule()
+            owner = ""
+            if s.startswith('/home/') or s.startswith("@{HOME"):
+                owner = "owner "
+            if s.endswith('/'):
+                search_terms.append("%s r," % (s))
+                search_terms.append("%s%s** r," % (owner, s))
+            elif s.endswith('/**') or s.endswith('/*'):
+                search_terms.append("%s r," % (os.path.dirname(s)))
+                search_terms.append("%s%s r," % (owner, s))
+            else:
+                search_terms.append("%s%s r," % (owner, s))
+
+        p = self._gen_policy(extra_args=args)
+        for search in search_terms:
+            self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+        inv_s = '###READPATH###'
+        self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+    def test_genpolicy_readpath_bad(self):
+        '''Test genpolicy (read-path bad)'''
+        s = "bar"
+        try:
+            self._gen_policy(extra_args=['--read-path=%s' % s])
+        except easyprof.AppArmorException:
+            return
+        except Exception:
+            raise
+        raise Exception ("read-path should be invalid")
+
+    def test_genpolicy_writepath_file(self):
+        '''Test genpolicy (write-path file)'''
+        s = "/opt/test-foo"
+        p = self._gen_policy(extra_args=['--write-path=%s' % s])
+        search = "%s rwk," % s
+        self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+        inv_s = '###READPATH###'
+        self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+    def test_genpolicy_writepath_home_file(self):
+        '''Test genpolicy (write-path file in /home)'''
+        s = "/home/*/test-foo"
+        p = self._gen_policy(extra_args=['--write-path=%s' % s])
+        search = "owner %s rwk," % s
+        self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+        inv_s = '###READPATH###'
+        self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+    def test_genpolicy_writepath_homevar_file(self):
+        '''Test genpolicy (write-path file in @{HOME})'''
+        s = "@{HOME}/test-foo"
+        p = self._gen_policy(extra_args=['--write-path=%s' % s])
+        search = "owner %s rwk," % s
+        self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+        inv_s = '###READPATH###'
+        self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+    def test_genpolicy_writepath_homedirs_file(self):
+        '''Test genpolicy (write-path file in @{HOMEDIRS})'''
+        s = "@{HOMEDIRS}/test-foo"
+        p = self._gen_policy(extra_args=['--write-path=%s' % s])
+        search = "owner %s rwk," % s
+        self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+        inv_s = '###READPATH###'
+        self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+    def test_genpolicy_writepath_dir(self):
+        '''Test genpolicy (write-path directory/)'''
+        s = "/opt/test-foo-dir/"
+        p = self._gen_policy(extra_args=['--write-path=%s' % s])
+        search_terms = ["%s rwk," % s, "%s** rwk," % s]
+        for search in search_terms:
+            self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+        inv_s = '###READPATH###'
+        self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+    def test_genpolicy_writepath_dir_glob(self):
+        '''Test genpolicy (write-path directory/*)'''
+        s = "/opt/test-foo-dir/*"
+        p = self._gen_policy(extra_args=['--write-path=%s' % s])
+        search_terms = ["%s rwk," % os.path.dirname(s), "%s rwk," % s]
+        for search in search_terms:
+            self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+        inv_s = '###READPATH###'
+        self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+    def test_genpolicy_writepath_dir_glob_all(self):
+        '''Test genpolicy (write-path directory/**)'''
+        s = "/opt/test-foo-dir/**"
+        p = self._gen_policy(extra_args=['--write-path=%s' % s])
+        search_terms = ["%s rwk," % os.path.dirname(s), "%s rwk," % s]
+        for search in search_terms:
+            self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+        inv_s = '###READPATH###'
+        self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+    def test_genpolicy_writepath_multiple(self):
+        '''Test genpolicy (write-path multiple)'''
+        paths = ["/opt/test-foo",
+                 "/home/*/test-foo",
+                 "@{HOME}/test-foo",
+                 "@{HOMEDIRS}/test-foo",
+                 "/opt/test-foo-dir/",
+                 "/opt/test-foo-dir/*",
+                 "/opt/test-foo-dir/**"]
+        args = []
+        search_terms = []
+        for s in paths:
+            args.append('--write-path=%s' % s)
+            # This mimics easyprof.gen_path_rule()
+            owner = ""
+            if s.startswith('/home/') or s.startswith("@{HOME"):
+                owner = "owner "
+            if s.endswith('/'):
+                search_terms.append("%s rwk," % (s))
+                search_terms.append("%s%s** rwk," % (owner, s))
+            elif s.endswith('/**') or s.endswith('/*'):
+                search_terms.append("%s rwk," % (os.path.dirname(s)))
+                search_terms.append("%s%s rwk," % (owner, s))
+            else:
+                search_terms.append("%s%s rwk," % (owner, s))
+
+        p = self._gen_policy(extra_args=args)
+        for search in search_terms:
+            self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+        inv_s = '###READPATH###'
+        self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+    def test_genpolicy_writepath_bad(self):
+        '''Test genpolicy (write-path bad)'''
+        s = "bar"
+        try:
+            self._gen_policy(extra_args=['--write-path=%s' % s])
+        except easyprof.AppArmorException:
+            return
+        except Exception:
+            raise
+        raise Exception ("write-path should be invalid")
+
+    def test_genpolicy_templatevar(self):
+        '''Test genpolicy (template-var single)'''
+        s = "@{FOO}=bar"
+        p = self._gen_policy(extra_args=['--template-var=%s' % s])
+        self.assertTrue(s in p, "Could not find '%s' in:\n%s" % (s, p))
+        inv_s = '###TEMPLATEVAR###'
+        self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+    def test_genpolicy_templatevar_multiple(self):
+        '''Test genpolicy (template-var multiple)'''
+        variables = ["@{FOO}=bar", "@{BAR}=baz"]
+        args = []
+        for s in variables:
+            args.append('--template-var=%s' % s)
+
+        p = self._gen_policy(extra_args=args)
+        for s in variables:
+            self.assertTrue(s in p, "Could not find '%s' in:\n%s" % (s, p))
+            inv_s = '###TEMPLATEVAR###'
+            self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+    def test_genpolicy_templatevar_bad(self):
+        '''Test genpolicy (template-var bad)'''
+        s = "{FOO}=bar"
+        try:
+            self._gen_policy(extra_args=['--template-var=%s' % s])
+        except easyprof.AppArmorException:
+            return
+        except Exception:
+            raise
+        raise Exception ("template-var should be invalid")
+
+    def test_genpolicy_invalid_template_policy(self):
+        '''Test genpolicy (invalid template policy)'''
+        # create a new template
+        template = os.path.join(self.tmpdir, "test-invalid-template")
+        shutil.copy(os.path.join(self.tmpdir, 'templates', self.test_template), template)
+        contents = open(template).read()
+        bad_pol = ""
+        bad_string = "bzzzt"
+        for line in contents.splitlines():
+            if '}' in line:
+                bad_pol += bad_string
+            else:
+                bad_pol += line
+            bad_pol += "\n"
+        open(template, 'w').write(bad_pol)
+        try:
+            self._gen_policy(template=template)
+        except easyprof.AppArmorException:
+            return
+        except Exception:
+            raise
+        raise Exception ("policy should be invalid")
+
+
+#
+# End test class
+#
+
+#
+# Main
+#
+if __name__ == '__main__':
+    def cleanup(files):
+        for f in files:
+            if os.path.exists(f):
+                os.unlink(f)
+
+    absfn = os.path.abspath(sys.argv[0])
+    topdir = os.path.dirname(os.path.dirname(absfn))
+
+    if len(sys.argv) > 1 and (sys.argv[1] == '-d' or sys.argv[1] == '--debug'):
+        debugging = True
+
+    created = []
+
+    # Create the necessary files to import aa-easyprof
+    init = os.path.join(os.path.dirname(absfn), '__init__.py')
+    if not os.path.exists(init):
+        open(init, 'wa').close()
+        created.append(init)
+
+    symlink = os.path.join(os.path.dirname(absfn), 'easyprof.py')
+    if not os.path.exists(symlink):
+        os.symlink(os.path.join(topdir, 'apparmor', 'easyprof.py'), symlink)
+        created.append(symlink)
+        created.append(symlink + 'c')
+
+    # Now that we have everything we need, import aa-easyprof
+    import easyprof
+
+    # run the tests
+    suite = unittest.TestSuite()
+    suite.addTest(unittest.TestLoader().loadTestsFromTestCase(T))
+    rc = unittest.TextTestRunner(verbosity=2).run(suite)
+
+    cleanup(created)
+
+    if not rc.wasSuccessful():
+        sys.exit(1)