toplevel Makefile: use https URI by default for vcs export

Merge from trunk commit 2261.

Since --per-file-timestamps is broken over the SSH transport (see
https://bugs.launchpad.net/bzr/+bug/1257078), make the default use
a HTTPS URI instead.

Makefile

@@ -12,7 +12,9 @@ DIRS=parser \
      changehat/pam_apparmor \
      tests
 
-REPO_URL?=lp:apparmor/2.8
+#REPO_URL?=lp:apparmor/2.8
+# --per-file-timestamps is failing over SSH, https://bugs.launchpad.net/bzr/+bug/1257078
+REPO_URL?=https://code.launchpad.net/~apparmor-dev/apparmor/2.8
 # alternate possibilities to export from
 #REPO_URL=.
 #REPO_URL="bzr+ssh://bazaar.launchpad.net/~sbeattie/+junk/apparmor-dev/"

README

@@ -198,3 +198,21 @@ Building and Installing AppArmor Kernel Patches
 
 TODO
 
+
+-----------------
+Required versions
+-----------------
+
+The AppArmor userspace utilities are written with some assumptions about
+installed and available versions of other tools. This is a (possibly
+incomplete) list of known version dependencies:
+
+AppArmor.pm (used by aa-audit, aa-autodep, aa-complain, aa-disable,
+aa-enforce, aa-genprof, aa-logprof, aa-unconfined) requires minimum
+Perl 5.10.1.
+
+Python scripts require minimum Python 2.7. Some utilities may require
+Python 3.3. Python 3.0, 3.1, 3.2 are largely untested.
+
+Most shell scripts are written for POSIX-compatible sh. aa-decode expects
+bash, probably version 3.2 and higher.

changehat/mod_apparmor/mod_apparmor.c

@@ -17,6 +17,7 @@
 #include "http_config.h"
 #include "http_request.h"
 #include "http_log.h"
+#include "http_main.h"
 #include "http_protocol.h"
 #include "util_filter.h"
 #include "apr.h"
@@ -35,9 +36,18 @@
 #define DEFAULT_HAT "HANDLING_UNTRUSTED_INPUT"
 #define DEFAULT_URI_HAT "DEFAULT_URI"
 
+/* Compatibility with apache 2.2 */
+#if AP_SERVER_MAJORVERSION_NUMBER == 2 && AP_SERVER_MINORVERSION_NUMBER < 3
+  #define APLOG_TRACE1 APLOG_DEBUG
+  server_rec *ap_server_conf = NULL;
+#endif
+
+#ifdef APLOG_USE_MODULE
+  APLOG_USE_MODULE(apparmor);
+#endif
 module AP_MODULE_DECLARE_DATA apparmor_module;
 
-static unsigned int magic_token = 0;
+static unsigned long magic_token = 0;
 static int inside_default_hat = 0;
 
 typedef struct {
@@ -68,9 +78,10 @@ immunix_init (apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s)
     	apr_file_read (file, (void *) &magic_token, &size);
 	apr_file_close (file);
     } else {
-        ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "Failed to open /dev/urandom");
+        ap_log_error(APLOG_MARK, APLOG_ERR, errno, ap_server_conf,
+			"Failed to open /dev/urandom");
     }
-    ap_log_error (APLOG_MARK, APLOG_DEBUG, 0, NULL, "Opened /dev/urandom successfully");
+    ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, ap_server_conf, "Opened /dev/urandom successfully");
 
     return OK;
 }
@@ -83,35 +94,32 @@ immunix_child_init (apr_pool_t *p, server_rec *s)
 {
     int ret;
 
-    ap_log_error (APLOG_MARK, APLOG_DEBUG, 0, NULL, "init: calling change_hat");
-    ret = change_hat (DEFAULT_HAT, magic_token);
+    ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, ap_server_conf,
+		    "init: calling change_hat with '%s'", DEFAULT_HAT);
+    ret = aa_change_hat(DEFAULT_HAT, magic_token);
     if (ret < 0) {
-    	change_hat (NULL, magic_token);
-        ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "Failed to change_hat to '%s'",
-			DEFAULT_HAT);
+    	aa_change_hat(NULL, magic_token);
+        ap_log_error(APLOG_MARK, APLOG_ERR, errno, ap_server_conf,
+			"Failed to change_hat to '%s'", DEFAULT_HAT);
     } else {
         inside_default_hat = 1;
     }
 }    			 
 
-#ifdef DEBUG
 static void
-debug_dump_uri (apr_uri_t * uri) 
+debug_dump_uri(request_rec *r)
 {
-    if (uri) 
-    	ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "Dumping uri info "
+    apr_uri_t *uri = &r->parsed_uri;
+    if (uri)
+    	ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "Dumping uri info "
     	          "scheme='%s' host='%s' path='%s' query='%s' fragment='%s'",
     		  uri->scheme, uri->hostname, uri->path, uri->query,
 		  uri->fragment);
     else
-    	ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "Asked to dump NULL uri");
+    	ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "Asked to dump NULL uri");
 
 }
-#else
-static void
-debug_dump_uri (apr_uri_t * __unused uri) { }
-#endif
-    
+
 /* 
    immunix_enter_hat will attempt to change_hat in the following order:
    (1) to a hatname in a location directive
@@ -129,8 +137,8 @@ immunix_enter_hat (request_rec *r)
     immunix_srv_cfg * scfg = (immunix_srv_cfg *) 
     		ap_get_module_config (r->server->module_config, &apparmor_module);
 
-    debug_dump_uri (&r->parsed_uri);
-    ap_log_error (APLOG_MARK, APLOG_DEBUG, 0, NULL, "in immunix_enter_hat (%s) n:0x%lx p:0x%lx main:0x%lx", 
+    debug_dump_uri(r);
+    ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "in immunix_enter_hat (%s) n:0x%lx p:0x%lx main:0x%lx",
     	dcfg->path, (unsigned long) r->next, (unsigned long) r->prev, 
 	(unsigned long) r->main);
 
@@ -139,41 +147,48 @@ immunix_enter_hat (request_rec *r)
     	return OK;
 
     if (inside_default_hat) {
-        change_hat (NULL, magic_token);
+        aa_change_hat(NULL, magic_token);
 	inside_default_hat = 0;
     }
 
     if (dcfg != NULL && dcfg->hat_name != NULL) {
-        ap_log_error (APLOG_MARK, APLOG_DEBUG, 0, NULL, "calling change_hat [dcfg] %s", dcfg->hat_name);
-        sd_ret = change_hat (dcfg->hat_name, magic_token);
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "calling change_hat [dcfg] %s", dcfg->hat_name);
+        sd_ret = aa_change_hat(dcfg->hat_name, magic_token);
 	if (sd_ret < 0) {
-	    change_hat (NULL, magic_token);
+	    aa_change_hat(NULL, magic_token);
 	} else {
 	    return OK;
 	}
     }
 
-    ap_log_error (APLOG_MARK, APLOG_DEBUG, 0, NULL, "calling change_hat [uri] %s", r->uri);
-    sd_ret = change_hat (r->uri, magic_token);
+    if (scfg) {
+    	ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "Dumping scfg info: "
+    	          "scfg='0x%lx' scfg->hat_name='%s'",
+    		  (unsigned long) scfg, scfg->hat_name);
+    } else {
+    	ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "scfg is null");
+    }
+    if (scfg != NULL && scfg->hat_name != NULL) {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "calling change_hat [scfg] %s", scfg->hat_name);
+        sd_ret = aa_change_hat(scfg->hat_name, magic_token);
+	if (sd_ret < 0) {
+	    aa_change_hat(NULL, magic_token);
+	} else {
+	    return OK;
+	}
+    }
+
+    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "calling change_hat [uri] %s", r->uri);
+    sd_ret = aa_change_hat(r->uri, magic_token);
     if (sd_ret < 0) {
-    	change_hat (NULL, magic_token);
+    	aa_change_hat(NULL, magic_token);
     } else {
 	    return OK;
     }
 
-    if (scfg != NULL && scfg->hat_name != NULL) {
-        ap_log_error (APLOG_MARK, APLOG_DEBUG, 0, NULL, "calling change_hat [scfg] %s", scfg->hat_name);
-        sd_ret = change_hat (scfg->hat_name, magic_token);
-	if (sd_ret < 0) {
-	    change_hat (NULL, magic_token);
-	} else {
-	    return OK;
-	}
-    }
-
-    ap_log_error (APLOG_MARK, APLOG_DEBUG, 0, NULL, "calling change_hat DEFAULT_URI");
-    sd_ret = change_hat (DEFAULT_URI_HAT, magic_token);
-    if (sd_ret < 0) change_hat (NULL, magic_token);
+    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "calling change_hat DEFAULT_URI");
+    sd_ret = aa_change_hat(DEFAULT_URI_HAT, magic_token);
+    if (sd_ret < 0) aa_change_hat(NULL, magic_token);
 
     return OK;
 }
@@ -186,14 +201,15 @@ immunix_exit_hat (request_rec *r)
     		ap_get_module_config (r->per_dir_config, &apparmor_module);
     /* immunix_srv_cfg * scfg = (immunix_srv_cfg *)
     		ap_get_module_config (r->server->module_config, &apparmor_module); */
-    ap_log_error (APLOG_MARK, APLOG_DEBUG, 0, NULL, "exiting change_hat - dir hat %s path %s", dcfg->hat_name, dcfg->path);
-    change_hat (NULL, magic_token);
+    ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "exiting change_hat: dir hat %s dir path %s",
+		    dcfg->hat_name, dcfg->path);
+    aa_change_hat(NULL, magic_token);
 
-    sd_ret = change_hat (DEFAULT_HAT, magic_token);
+    sd_ret = aa_change_hat(DEFAULT_HAT, magic_token);
     if (sd_ret < 0) {
-    	change_hat (NULL, magic_token);
-        ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "Failed to change_hat to '%s'",
-			DEFAULT_HAT);
+    	aa_change_hat(NULL, magic_token);
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, errno, r,
+			"Failed to change_hat to '%s'", DEFAULT_HAT);
     } else {
         inside_default_hat = 1;
     }
@@ -204,7 +220,7 @@ immunix_exit_hat (request_rec *r)
 static const char *
 aa_cmd_ch_path (cmd_parms * cmd, void * mconfig, const char * parm1)
 {
-    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "config change hat %s",
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, ap_server_conf, "directory config change hat %s",
     			parm1 ? parm1 : "DEFAULT");
     immunix_dir_cfg * dcfg = mconfig;
     if (parm1 != NULL) {
@@ -221,7 +237,7 @@ static const char *
 immunix_cmd_ch_path (cmd_parms * cmd, void * mconfig, const char * parm1)
 {
     if (path_warn_once == 0) {
-    	ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, "ImmHatName is "
+    	ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, ap_server_conf, "ImmHatName is "
 		     "deprecated, please use AAHatName instead");
 	path_warn_once = 1;
     }
@@ -231,9 +247,10 @@ immunix_cmd_ch_path (cmd_parms * cmd, void * mconfig, const char * parm1)
 static const char *
 aa_cmd_ch_srv (cmd_parms * cmd, void * mconfig, const char * parm1)
 {
-    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "config change hat %s",
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, ap_server_conf, "server config change hat %s",
     			parm1 ? parm1 : "DEFAULT");
-    immunix_srv_cfg * scfg = mconfig;
+    immunix_srv_cfg * scfg = (immunix_srv_cfg *)
+	    ap_get_module_config(cmd->server->module_config, &apparmor_module);
     if (parm1 != NULL) {
     	scfg->hat_name = parm1;
     } else {
@@ -248,7 +265,7 @@ static const char *
 immunix_cmd_ch_srv (cmd_parms * cmd, void * mconfig, const char * parm1)
 {
     if (srv_warn_once == 0) {
-	ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, "ImmDefaultHatName is "
+	ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, ap_server_conf, "ImmDefaultHatName is "
 		     "deprecated, please use AADefaultHatName instead");
 	srv_warn_once = 1;
     }
@@ -260,9 +277,9 @@ immunix_create_dir_config (apr_pool_t * p, char * path)
 {
     immunix_dir_cfg * newcfg = (immunix_dir_cfg *) apr_pcalloc(p, sizeof(* newcfg));
 
-    ap_log_error (APLOG_MARK, APLOG_DEBUG, 0, NULL, "in immunix_create_dir (%s)", path ? path : ":no path:");
+    ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, ap_server_conf, "in immunix_create_dir (%s)", path ? path : ":no path:");
     if (newcfg == NULL) {
-        ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "immunix_create_dir: couldn't alloc dir config");
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf, "immunix_create_dir: couldn't alloc dir config");
     	return NULL;
     }
     newcfg->path = apr_pstrdup (p, path ? path : ":no path:");
@@ -277,7 +294,7 @@ immunix_merge_dir_config (apr_pool_t * p, void * parent, void * child)
 {
     immunix_dir_cfg * newcfg = (immunix_dir_cfg *) apr_pcalloc(p, sizeof(* newcfg));
 
-    ap_log_error (APLOG_MARK, APLOG_DEBUG, 0, NULL, "in immunix_merge_dir ()");
+    ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, ap_server_conf, "in immunix_merge_dir ()");
     if (newcfg == NULL)
     	return NULL;
 
@@ -290,9 +307,9 @@ immunix_create_srv_config (apr_pool_t * p, server_rec * srv)
 {
     immunix_srv_cfg * newcfg = (immunix_srv_cfg *) apr_pcalloc(p, sizeof(* newcfg));
 
-    ap_log_error (APLOG_MARK, APLOG_DEBUG, 0, NULL, "in immunix_create_srv");
+    ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, ap_server_conf, "in immunix_create_srv");
     if (newcfg == NULL) {
-        ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "immunix_create_srv: couldn't alloc srv config");
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf, "immunix_create_srv: couldn't alloc srv config");
     	return NULL;
     }
 

changehat/mod_apparmor/mod_apparmor.pod

@@ -72,11 +72,10 @@ behavior described above.
 
 AADefaultHatName allows you to specify a default hat to be used for
 virtual hosts and other Apache server directives, so that you can have
-different defaults for different virtual hosts. This can be overridden by
-the AAHatName directive and is checked for only if there isn't a matching
-AAHatName or hat named by the URI. If the AADefaultHatName hat does not
-exist, it falls back to the DEFAULT_URI hat if it exists (as described
-above).
+different defaults for different virtual hosts. This can be overridden
+by the AAHatName directive and is checked for only if there isn't
+a matching AAHatName. If the AADefaultHatName hat does not exist,
+then it falls back to the behavior described above.
 
 =back
 
@@ -96,11 +95,11 @@ will:
 1. try to aa_change_hat(2) into a matching AAHatName hat if it exists and
 applies, otherwise it will
 
-2. try to aa_change_hat(2) into the URI itself, otherwise it will
-
-3. try to aa_change_hat(2) into an AADefaultHatName hat if it has been defined
+2. try to aa_change_hat(2) into an AADefaultHatName hat if it has been defined
 for the server/vhost, otherwise it will
 
+3. try to aa_change_hat(2) into the URI itself, otherwise it will
+
 4. try to aa_change_hat(2) into the DEFAULT_URI hat, if it exists, otherwise it
 will
 
@@ -115,7 +114,7 @@ with the prefork MPM configuration -- threaded configurations of Apache
 may not work correctly.
 
 There are likely other bugs lurking about; if you find any, please report
-them at L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+them at L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

common/Make.rules

@@ -32,6 +32,10 @@ ifndef AWK
 $(error awk utility required for build but not available)
 endif
 
+# Convenience functions
+pathsearch = $(firstword $(wildcard $(addsuffix /$(1),$(subst :, ,$(PATH)))))
+map = $(foreach a,$(2),$(call $(1),$(a)))
+
 # OVERRIDABLE variables
 # Set these variables before including Make.rules to change its behavior
 #   SPECFILE - for packages that have a non-standard specfile name
@@ -132,6 +136,17 @@ endif
 
 endif
 
+ifndef PYTHON_VERSIONS
+PYTHON_VERSIONS = $(call map, pathsearch, python2 python3)
+endif
+
+ifndef PYTHON
+PYTHON = $(firstword ${PYTHON_VERSIONS})
+endif
+
+#Helper function to be used with $(call pyalldo, run_test_with_all.py)
+pyalldo=set -e; $(foreach py, $(PYTHON_VERSIONS), $(py) $(1);)
+
 .PHONY: version
 .SILENT: version
 version:

common/Version

@@ -1 +1 @@
-2.8.1
+2.8.4

libraries/libapparmor/autogen.sh

@@ -1,6 +1,7 @@
 #!/bin/sh
 
 DIE=0
+package=libapparmor
 
 (autoconf --version) < /dev/null > /dev/null 2>&1 || {
         echo
@@ -19,7 +20,7 @@ DIE=0
         DIE=1
 }
 
-(libtool --version) < /dev/null > /dev/null 2>&1 || {
+(libtoolize --version) < /dev/null > /dev/null 2>&1 || {
 	echo
 	echo "You must have libtool installed to compile $package."
 	echo "Download the appropriate package for your system,"

libraries/libapparmor/doc/aa_change_hat.pod

@@ -248,7 +248,7 @@ The output when run:
 =head1 BUGS
 
 None known. If you find any, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>. Note that
+L<https://bugs.launchpad.net/apparmor/+filebug>. Note that
 aa_change_hat(2) provides no memory barriers between different areas of a
 program; if address space separation is required, then separate processes
 should be used.

libraries/libapparmor/doc/aa_change_profile.pod

@@ -197,7 +197,7 @@ used (in addition to the one for 'i_cant_be_trusted_anymore', above):
 =head1 BUGS
 
 None known. If you find any, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>. Note that using
+L<https://bugs.launchpad.net/apparmor/+filebug>. Note that using
 aa_change_profile(2) without execve(2) provides no memory barriers between
 different areas of a program; if address space separation is required, then
 separate processes should be used.

libraries/libapparmor/doc/aa_find_mountpoint.pod

@@ -110,7 +110,7 @@ The apparmor filesystem mount could not be found
 =head1 BUGS
 
 None known. If you find any, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

libraries/libapparmor/doc/aa_getcon.pod

@@ -103,7 +103,7 @@ The confinement data is to large to fit in the supplied buffer.
 =head1 BUGS
 
 None known. If you find any, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

libraries/libapparmor/m4/ac_python_devel.m4

@@ -17,9 +17,9 @@ AC_DEFUN([AC_PYTHON_DEVEL],[
         # Check for a version of Python >= 2.1.0
         #
         AC_MSG_CHECKING([for a version of Python >= '2.1.0'])
-        ac_supports_python_ver=`$PYTHON -c "import sys, string; \
-                ver = string.split(sys.version)[[0]]; \
-                print ver >= '2.1.0'"`
+        ac_supports_python_ver=`$PYTHON -c "import sys; \
+                ver = sys.version.split()[[0]]; \
+                sys.stdout.write(str(ver >= '2.1.0'))"`
         if test "$ac_supports_python_ver" != "True"; then
                 if test -z "$PYTHON_NOVERSIONCHECK"; then
                         AC_MSG_RESULT([no])
@@ -44,9 +44,9 @@ to something else than an empty string.
         #
         if test -n "$1"; then
                 AC_MSG_CHECKING([for a version of Python $1])
-                ac_supports_python_ver=`$PYTHON -c "import sys, string; \
-                        ver = string.split(sys.version)[[0]]; \
-                        print ver $1"`
+                ac_supports_python_ver=`$PYTHON -c "import sys; \
+                        ver = sys.version.split()[[0]]; \
+                        sys.stdout.write("%s\n" % (ver == $1))"`
                 if test "$ac_supports_python_ver" = "True"; then
                    AC_MSG_RESULT([yes])
                 else
@@ -79,9 +79,12 @@ $ac_distutils_result])
         # Check for Python include path
         #
         AC_MSG_CHECKING([for Python include path])
+        if type $PYTHON-config; then
+                PYTHON_CPPFLAGS=`$PYTHON-config --includes`
+        fi
         if test -z "$PYTHON_CPPFLAGS"; then
-                python_path=`$PYTHON -c "import distutils.sysconfig; \
-                        print distutils.sysconfig.get_python_inc();"`
+                python_path=`$PYTHON -c "import sys; import distutils.sysconfig;\
+sys.stdout.write('%s\n' % distutils.sysconfig.get_python_inc());"`
                 if test -n "${python_path}"; then
                         python_path="-I$python_path"
                 fi
@@ -94,25 +97,26 @@ $ac_distutils_result])
         # Check for Python library path
         #
         AC_MSG_CHECKING([for Python library path])
+        if type $PYTHON-config; then
+                PYTHON_LDFLAGS=`$PYTHON-config --ldflags`
+        fi
         if test -z "$PYTHON_LDFLAGS"; then
                 # (makes two attempts to ensure we've got a version number
                 # from the interpreter)
-                py_version=`$PYTHON -c "from distutils.sysconfig import *; \
-                        from string import join; \
-                        print join(get_config_vars('VERSION'))"`
+                py_version=`$PYTHON -c "import sys; from distutils.sysconfig import *; \
+sys.stdout.write('%s\n' % ''.join(get_config_vars('VERSION')))"`
                 if test "$py_version" == "[None]"; then
                         if test -n "$PYTHON_VERSION"; then
                                 py_version=$PYTHON_VERSION
                         else
                                 py_version=`$PYTHON -c "import sys; \
-                                        print sys.version[[:3]]"`
+sys.stdout.write("%s\n" % sys.version[[:3]])"`
                         fi
                 fi
 
-                PYTHON_LDFLAGS=`$PYTHON -c "from distutils.sysconfig import *; \
-                        from string import join; \
-                        print '-L' + get_python_lib(0,1), \
-                        '-lpython';"`$py_version
+                PYTHON_LDFLAGS=`$PYTHON -c "import sys; from distutils.sysconfig import *; \
+sys.stdout.write('-L' + get_python_lib(0,1) + ' -lpython\n')"`$py_version`$PYTHON -c \
+"import sys; sys.stdout.write('%s' % getattr(sys,'abiflags',''))"`
         fi
         AC_MSG_RESULT([$PYTHON_LDFLAGS])
         AC_SUBST([PYTHON_LDFLAGS])
@@ -122,8 +126,8 @@ $ac_distutils_result])
         #
         AC_MSG_CHECKING([for Python site-packages path])
         if test -z "$PYTHON_SITE_PKG"; then
-                PYTHON_SITE_PKG=`$PYTHON -c "import distutils.sysconfig; \
-                        print distutils.sysconfig.get_python_lib(0,0);"`
+                PYTHON_SITE_PKG=`$PYTHON -c "import sys; import distutils.sysconfig; \
+sys.stdout.write('%s\n' % distutils.sysconfig.get_python_lib(0,0));"`
         fi
         AC_MSG_RESULT([$PYTHON_SITE_PKG])
         AC_SUBST([PYTHON_SITE_PKG])
@@ -133,9 +137,9 @@ $ac_distutils_result])
         #
         AC_MSG_CHECKING(python extra libraries)
         if test -z "$PYTHON_EXTRA_LIBS"; then
-           PYTHON_EXTRA_LIBS=`$PYTHON -c "import distutils.sysconfig; \
-                conf = distutils.sysconfig.get_config_var; \
-                print conf('LOCALMODLIBS'), conf('LIBS')"`
+           PYTHON_EXTRA_LIBS=`$PYTHON -c "import sys; import distutils.sysconfig; \
+conf = distutils.sysconfig.get_config_var; \
+sys.stdout.write('%s %s\n' % (conf('LOCALMODLIBS'), conf('LIBS')))"`
         fi
         AC_MSG_RESULT([$PYTHON_EXTRA_LIBS])
         AC_SUBST(PYTHON_EXTRA_LIBS)
@@ -145,9 +149,9 @@ $ac_distutils_result])
         #
         AC_MSG_CHECKING(python extra linking flags)
         if test -z "$PYTHON_EXTRA_LDFLAGS"; then
-                PYTHON_EXTRA_LDFLAGS=`$PYTHON -c "import distutils.sysconfig; \
-                        conf = distutils.sysconfig.get_config_var; \
-                        print conf('LINKFORSHARED')"`
+                PYTHON_EXTRA_LDFLAGS=`$PYTHON -c "import sys; import distutils.sysconfig; \
+conf = distutils.sysconfig.get_config_var; \
+sys.stdout.write('%s\n' % conf('LINKFORSHARED'))"`
         fi
         AC_MSG_RESULT([$PYTHON_EXTRA_LDFLAGS])
         AC_SUBST(PYTHON_EXTRA_LDFLAGS)

libraries/libapparmor/src/Makefile.am

@@ -19,7 +19,7 @@ INCLUDES = $(all_includes)
 #    - set AA_LIB_AGE to 0.
 #
 AA_LIB_CURRENT = 1
-AA_LIB_REVISION = 3
+AA_LIB_REVISION = 6
 AA_LIB_AGE = 0
 
 SUFFIXES = .pc.in .pc

libraries/libapparmor/src/grammar.y

@@ -175,13 +175,13 @@ other_audit: TOK_TYPE_OTHER audit_msg TOK_MSG_REST
 
 syslog_type:
 	  syslog_date TOK_ID TOK_SYSLOG_KERNEL audit_id key_list
-	  { ret_record->version = AA_RECORD_SYNTAX_V2; }
+	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
 	| syslog_date TOK_ID TOK_SYSLOG_KERNEL key_type audit_id key_list
-	  { ret_record->version = AA_RECORD_SYNTAX_V2; }
+	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
 	| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP audit_id key_list
-	  { ret_record->version = AA_RECORD_SYNTAX_V2; }
+	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
 	| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP key_type audit_id key_list
-	  { ret_record->version = AA_RECORD_SYNTAX_V2; }
+	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
 	;
 
 /* when audit dispatches a message it doesn't prepend the audit type string */
@@ -203,8 +203,10 @@ audit_id: TOK_AUDIT TOK_OPEN_PAREN TOK_AUDIT_DIGITS TOK_PERIOD TOK_AUDIT_DIGITS
 		free($7);
 	} ;
 
-syslog_date: TOK_DATE_MONTH TOK_DIGITS TOK_TIME { /* do nothing? */ }
-	| TOK_DATE TOK_TIME { /* do nothing */ }
+syslog_date: TOK_DATE_MONTH TOK_DIGITS TOK_TIME
+		{ free($1); free($3); /* do nothing? */ }
+	| TOK_DATE TOK_TIME
+		{ free($1); free($2); /* do nothing */ }
 	;
 
 key_list: key

libraries/libapparmor/src/kernel_interface.c

@@ -279,7 +279,8 @@ int aa_getprocattr(pid_t tid, const char *attr, char **buf, char **mode)
 	if (rc == -1) {
 		free(buffer);
 		*buf = NULL;
-		*mode = NULL;
+		if (mode)
+			*mode = NULL;
 	} else
 		*buf = buffer;
 
@@ -333,7 +334,7 @@ int aa_change_hat(const char *subprofile, unsigned long token)
 	int rc = -1;
 	int len = 0;
 	char *buf = NULL;
-	const char *fmt = "changehat %016x^%s";
+	const char *fmt = "changehat %016lx^%s";
 
 	/* both may not be null */
 	if (!(token || subprofile)) {

libraries/libapparmor/src/libaalogparse.c

@@ -77,6 +77,10 @@ void free_record(aa_log_record *record)
 			free(record->net_protocol);
 		if (record->net_sock_type != NULL)
 			free(record->net_sock_type);
+		if (record->net_local_addr != NULL)
+			free(record->net_local_addr);
+		if (record->net_foreign_addr != NULL)
+			free(record->net_foreign_addr);
 
 		free(record);
 	}

parser/apparmor.vim.pod

@@ -48,7 +48,7 @@ but it may help you understand your profiles better.
 
 B<apparmor.vim> does not properly detect dark versus light backgrounds.
 Patches accepted. If you find any bugs, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

parser/apparmor_parser.pod

@@ -308,7 +308,7 @@ All other options override previously set values.
 =head1 BUGS
 
 If you find any bugs, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

parser/libapparmor_re/chfa.cc

@@ -92,10 +92,10 @@ CHFA::CHFA(DFA &dfa, map<uchar, uchar> &eq, dfaflags_t flags): eq(eq)
 	default_base.push_back(make_pair(dfa.nonmatching, 0));
 	num.insert(make_pair(dfa.nonmatching, num.size()));
 
-	accept.resize(dfa.states.size());
-	accept2.resize(dfa.states.size());
-	next_check.resize(optimal);
-	free_list.resize(optimal);
+	accept.resize(max(dfa.states.size(), (size_t) 2));
+	accept2.resize(max(dfa.states.size(), (size_t) 2));
+	next_check.resize(max(optimal, (size_t) 256));
+	free_list.resize(next_check.size());
 
 	accept[0] = 0;
 	accept2[0] = 0;

parser/libapparmor_re/parse.y

@@ -57,6 +57,7 @@ static inline Chars* insert_char_range(Chars* cset, uchar a, uchar b)
 
 %pure-parser
 /* %error-verbose */
+%lex-param {YYLEX_PARAM}
 %parse-param {Node **root}
 %parse-param {const char *text}
 %name-prefix = "regex_"

parser/parser.h

@@ -265,6 +265,7 @@ extern int regex_type;
 extern int perms_create;
 extern int net_af_max_override;
 extern int kernel_load;
+extern int kernel_supports_setload;
 extern int kernel_supports_network;
 extern int kernel_supports_mount;
 extern int flag_changehat_version;

parser/parser_common.c

@@ -26,6 +26,7 @@ int regex_type = AARE_DFA;
 int perms_create = 0;                   /* perms contain create flag */
 int net_af_max_override = -1;           /* use kernel to determine af_max */
 int kernel_load = 1;
+int kernel_supports_setload = 0;	/* kernel supports atomic set loads */
 int kernel_supports_network = 1;        /* kernel supports network rules */
 int kernel_supports_mount = 0;	        /* kernel supports mount rules */
 int flag_changehat_version = FLAG_CHANGEHAT_1_5;

parser/parser_interface.c

@@ -255,13 +255,13 @@ static inline void sd_inc(sd_serialize *p, int size)
 	}
 }
 
-inline long sd_serial_size(sd_serialize *p)
+static inline long sd_serial_size(sd_serialize *p)
 {
 	return (p->pos - p->buffer);
 }
 
 /* routines for writing data to the serialization buffer */
-inline int sd_prepare_write(sd_serialize *p, enum sd_code code, size_t size)
+static inline int sd_prepare_write(sd_serialize *p, enum sd_code code, size_t size)
 {
 	int num = (size / BUFFERINC) + 1;
 	if (p->pos + SD_CODE_SIZE + size > p->extent) {
@@ -284,7 +284,7 @@ inline int sd_prepare_write(sd_serialize *p, enum sd_code code, size_t size)
 	return 1;
 }
 
-inline int sd_write8(sd_serialize *p, u8 b)
+static inline int sd_write8(sd_serialize *p, u8 b)
 {
 	u8 *c;
 	if (!sd_prepare_write(p, SD_U8, sizeof(b)))
@@ -295,7 +295,7 @@ inline int sd_write8(sd_serialize *p, u8 b)
 	return 1;
 }
 
-inline int sd_write16(sd_serialize *p, u16 b)
+static inline int sd_write16(sd_serialize *p, u16 b)
 {
 	u16 tmp;
 	if (!sd_prepare_write(p, SD_U16, sizeof(b)))
@@ -306,7 +306,7 @@ inline int sd_write16(sd_serialize *p, u16 b)
 	return 1;
 }
 
-inline int sd_write32(sd_serialize *p, u32 b)
+static inline int sd_write32(sd_serialize *p, u32 b)
 {
 	u32 tmp;
 	if (!sd_prepare_write(p, SD_U32, sizeof(b)))
@@ -317,7 +317,7 @@ inline int sd_write32(sd_serialize *p, u32 b)
 	return 1;
 }
 
-inline int sd_write64(sd_serialize *p, u64 b)
+static inline int sd_write64(sd_serialize *p, u64 b)
 {
 	u64 tmp;
 	if (!sd_prepare_write(p, SD_U64, sizeof(b)))
@@ -328,7 +328,7 @@ inline int sd_write64(sd_serialize *p, u64 b)
 	return 1;
 }
 
-inline int sd_write_name(sd_serialize *p, char *name)
+static inline int sd_write_name(sd_serialize *p, char *name)
 {
 	long size = 0;
 	PDEBUG("Writing name '%s'\n", name);
@@ -346,7 +346,7 @@ inline int sd_write_name(sd_serialize *p, char *name)
 	return 1;
 }
 
-inline int sd_write_blob(sd_serialize *p, void *b, int buf_size, char *name)
+static inline int sd_write_blob(sd_serialize *p, void *b, int buf_size, char *name)
 {
 	u32 tmp;
 	if (!sd_write_name(p, name))
@@ -361,14 +361,15 @@ inline int sd_write_blob(sd_serialize *p, void *b, int buf_size, char *name)
 	return 1;
 }
 
-#define align64(X) (((size_t) (X) + (size_t) 7) & ~((size_t) 7))
-inline int sd_write_aligned_blob(sd_serialize *p, void *b, int buf_size,
+#define align64(X) (((X) + (typeof(X)) 7) & ~((typeof(X)) 7))
+static inline int sd_write_aligned_blob(sd_serialize *p, void *b, int buf_size,
 				 char *name)
 {
 	size_t pad;
 	u32 tmp;
 	if (!sd_write_name(p, name))
 		return 0;
+
 	pad = align64((p->pos + 5) - p->buffer) - ((p->pos + 5) - p->buffer);
 	if (!sd_prepare_write(p, SD_BLOB, 4 + buf_size + pad))
 		return 0;
@@ -397,12 +398,12 @@ static int sd_write_strn(sd_serialize *p, char *b, int size, char *name)
 	return 1;
 }
 
-inline int sd_write_string(sd_serialize *p, char *b, char *name)
+static inline int sd_write_string(sd_serialize *p, char *b, char *name)
 {
 	return sd_write_strn(p, b, strlen(b) + 1, name);
 }
 
-inline int sd_write_struct(sd_serialize *p, char *name)
+static inline int sd_write_struct(sd_serialize *p, char *name)
 {
 	if (!sd_write_name(p, name))
 		return 0;
@@ -411,14 +412,14 @@ inline int sd_write_struct(sd_serialize *p, char *name)
 	return 1;
 }
 
-inline int sd_write_structend(sd_serialize *p)
+static inline int sd_write_structend(sd_serialize *p)
 {
 	if (!sd_prepare_write(p, SD_STRUCTEND, 0))
 		return 0;
 	return 1;
 }
 
-inline int sd_write_array(sd_serialize *p, char *name, int size)
+static inline int sd_write_array(sd_serialize *p, char *name, int size)
 {
 	u16 tmp;
 	if (!sd_write_name(p, name))
@@ -431,14 +432,14 @@ inline int sd_write_array(sd_serialize *p, char *name, int size)
 	return 1;
 }
 
-inline int sd_write_arrayend(sd_serialize *p)
+static inline int sd_write_arrayend(sd_serialize *p)
 {
 	if (!sd_prepare_write(p, SD_ARRAYEND, 0))
 		return 0;
 	return 1;
 }
 
-inline int sd_write_list(sd_serialize *p, char *name)
+static inline int sd_write_list(sd_serialize *p, char *name)
 {
 	if (!sd_write_name(p, name))
 		return 0;
@@ -447,7 +448,7 @@ inline int sd_write_list(sd_serialize *p, char *name)
 	return 1;
 }
 
-inline int sd_write_listend(sd_serialize *p)
+static inline int sd_write_listend(sd_serialize *p)
 {
 	if (!sd_prepare_write(p, SD_LISTEND, 0))
 		return 0;
@@ -887,52 +888,73 @@ static char *next_profile_buffer(char *buffer, int size)
 	return NULL;
 }
 
+static int write_buffer(int fd, char *buffer, int size, int set)
+{
+	const char *err_str = set ? "profile set" : "profile";
+	int wsize = write(fd, buffer, size);
+	if (wsize < 0) {
+		PERROR(_("%s: Unable to write %s\n"), progname, err_str);
+		return -errno;
+	} else if (wsize < size) {
+		PERROR(_("%s: Unable to write %s\n"), progname, err_str);
+		return -EPROTO;
+	}
+	return 0;
+}
+
 int sd_load_buffer(int option, char *buffer, int size)
 {
 	int fd = -1;
-	int error = -ENOMEM, wsize, bsize;
+	int error, bsize;
 	char *filename = NULL;
-	char *b;
+
+	/* TODO: push backup into caller */
+	if (!kernel_load)
+		return 0;
 
 	switch (option) {
 	case OPTION_ADD:
 		if (asprintf(&filename, "%s/.load", subdomainbase) == -1)
-			goto exit;
-		if (kernel_load) fd = open(filename, O_WRONLY);
+			return -ENOMEM;
 		break;
 	case OPTION_REPLACE:
 		if (asprintf(&filename, "%s/.replace", subdomainbase) == -1)
-			goto exit;
-		if (kernel_load) fd = open(filename, O_WRONLY);
+			return -ENOMEM;
 		break;
 	default:
-		error = -EINVAL;
-		goto exit;
-		break;
+		return -EINVAL;
 	}
 
-	if (kernel_load && fd < 0) {
+	fd = open(filename, O_WRONLY);
+	if (fd < 0) {
 		PERROR(_("Unable to open %s - %s\n"), filename,
 		       strerror(errno));
 		error = -errno;
-		goto exit;
+		goto out;
 	}
 
-	error = 0;
-	for (b = buffer; b ; b = next_profile_buffer(b + sizeof(header_version), bsize)) {
-		bsize = size - (b - buffer);
-		if (kernel_load) {
-			wsize = write(fd, b, bsize);
-			if (wsize < 0) {
-				error = -errno;
-			} else if (wsize < bsize) {
-				PERROR(_("%s: Unable to write entire profile entry\n"),
-				       progname);
-			}
+	if (kernel_supports_setload) {
+		error = write_buffer(fd, buffer, size, TRUE);
+	} else {
+		char *b, *next;
+
+		error = 0;	/* in case there are no profiles */
+		for (b = buffer; b; b = next, size -= bsize) {
+			next = next_profile_buffer(b + sizeof(header_version),
+						   size);
+			if (next)
+				bsize = next - b;
+			else
+				bsize = size;
+			error = write_buffer(fd, b, bsize, FALSE);
+			if (error)
+				break;
 		}
 	}
-	if (kernel_load) close(fd);
-exit:
+	close(fd);
+
+out:
 	free(filename);
+
 	return error;
 }

parser/parser_main.c

@@ -39,7 +39,6 @@
 
 #include <unistd.h>
 #include <limits.h>
-#include <sys/sysctl.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 
@@ -74,11 +73,12 @@ int skip_read_cache = 0;
 int write_cache = 0;
 int cond_clear_cache = 1;		/* only applies if write is set */
 int force_clear_cache = 0;		/* force clearing regargless of state */
+int create_cache_dir = 0;		/* create the cache dir if missing? */
 int preprocess_only = 0;
 int skip_mode_force = 0;
 struct timespec mru_tstamp;
 
-#define FLAGS_STRING_SIZE 1024
+#define FLAGS_STRING_SIZE 8192
 char *match_string = NULL;
 char *flags_string = NULL;
 char *cacheloc = NULL;
@@ -114,6 +114,7 @@ struct option long_options[] = {
 	{"show-cache",		0, 0, 'k'},
 	{"skip-bad-cache",	0, 0, 129},	/* no short option */
 	{"purge-cache",		0, 0, 130},	/* no short option */
+	{"create-cache-dir",	0, 0, 131},	/* no short option */
 	{"cache-loc",		1, 0, 'L'},
 	{"debug",		0, 0, 'd'},
 	{"dump",		1, 0, 'D'},
@@ -158,6 +159,7 @@ static void display_usage(char *command)
 	       "-W, --write-cache	Save cached profile (force with -T)\n"
 	       "    --skip-bad-cache	Don't clear cache if out of sync\n"
 	       "    --purge-cache	Clear cache regardless of its state\n"
+	       "    --create-cache-dir	Create the cache dir if missing\n"
 	       "-L, --cache-loc n	Set the location of the profile cache\n"
 	       "-q, --quiet		Don't emit warnings\n"
 	       "-v, --verbose		Show profile names as they load\n"
@@ -542,6 +544,9 @@ static int process_arg(int c, char *optarg)
 	case 130:
 		force_clear_cache = 1;
 		break;
+	case 131:
+		create_cache_dir = 1;
+		break;
 	case 'L':
 		cacheloc = strdup(optarg);
 		break;
@@ -820,6 +825,8 @@ static void get_match_string(void) {
 			kernel_supports_network = 0;
 		if (strstr(flags_string, "mount"))
 			kernel_supports_mount = 1;
+		if (strstr(flags_string, "set_load"))
+			kernel_supports_setload = 1;
 		return;
 	}
 
@@ -1086,13 +1093,7 @@ int process_profile(int option, char *profilename)
 	 */
 	if ((profilename && option != OPTION_REMOVE) && !force_complain &&
 	    !skip_cache) {
-		if (cacheloc) {
-			cachename = strdup(cacheloc);
-			if (!cachename) {
-				PERROR(_("Memory allocation error."));
-				exit(1);
-			}
-		} else if (asprintf(&cachename, "%s/%s/%s", basedir, "cache", basename)<0) {
+		if (asprintf(&cachename, "%s/%s", cacheloc, basename)<0) {
 			PERROR(_("Memory allocation error."));
 			exit(1);
 		}
@@ -1107,7 +1108,7 @@ int process_profile(int option, char *profilename)
 		}
 		if (write_cache) {
 			/* Otherwise, set up to save a cached copy */
-			if (asprintf(&cachetemp, "%s/%s/%s-XXXXXX", basedir, "cache", basename)<0) {
+			if (asprintf(&cachetemp, "%s-XXXXXX", cachename)<0) {
 				perror("asprintf");
 				exit(1);
 			}
@@ -1165,8 +1166,11 @@ out:
 		}
 
 		if (useable_cache) {
-			rename(cachetemp, cachename);
-			if (show_cache)
+			if (rename(cachetemp, cachename) < 0) {
+				pwarn("Warning failed to write cache: %s\n", cachename);
+				unlink(cachetemp);
+			}
+			else if (show_cache)
 				PERROR("Wrote cache: %s\n", cachename);
 		}
 		else {
@@ -1258,35 +1262,47 @@ static int clear_cache_cb(const char *path, __unused struct dirent *dirent,
 
 static int clear_cache_files(const char *path)
 {
-	char *cache;
 	int error;
-
-	if (asprintf(&cache, "%s/cache", path) == -1) {
-		perror("asprintf");
-		exit(1);
-	}
-
-	error = dir_for_each(cache, clear_cache_cb);
-
-	free(cache);
-
+	error = dir_for_each(path, clear_cache_cb);
 	return error;
 }
 
-static int create_cache(const char *path, const char *features)
+static int create_cache(const char *cachedir, const char *path,
+			const char *features)
 {
+	struct stat stat_file;
 	FILE * f = NULL;
 
+	if (clear_cache_files(cacheloc) != 0)
+		goto error;
+
+create_file:
 	f = fopen(path, "w");
 	if (f) {
 		if (fwrite(features, strlen(features), 1, f) != 1 )
-			goto fail;
+			goto error;
 
 		fclose(f);
+
+
+		return 0;
+	}
+
+error:
+	/* does the dir exist? */
+	if (stat(cachedir, &stat_file) == -1 && create_cache_dir) {
+		if (mkdir(cachedir, 0700) == 0)
+			goto create_file;
+		if (show_cache)
+			PERROR(_("Can't create cache directory: %s\n"), cachedir);
+	} else if (!S_ISDIR(stat_file.st_mode)) {
+		if (show_cache)
+			PERROR(_("File in cache directory location: %s\n"), cachedir);
+	} else {
+		if (show_cache)
+			PERROR(_("Can't update cache directory: %s\n"), cachedir);
 	}
 
-	return 0;
-fail:
 	if (show_cache)
 		PERROR("Cache write disabled: cannot create %s\n", path);
 	write_cache = 0;
@@ -1324,8 +1340,8 @@ static void setup_flags(void)
          *  - If cache/.features exists, and does not match flags_string,
          *    force cache reading/writing off.
          */
-	if (asprintf(&cache_features_path, "%s/cache/.features", basedir) == -1) {
-		perror("asprintf");
+	if (asprintf(&cache_features_path, "%s/.features", cacheloc) == -1) {
+		PERROR(_("Memory allocation error."));
 		exit(1);
 	}
 
@@ -1333,11 +1349,9 @@ static void setup_flags(void)
 	if (cache_flags) {
 		if (strcmp(flags_string, cache_flags) != 0) {
 			if (write_cache && cond_clear_cache) {
-				if (clear_cache_files(basedir) ||
-				    create_cache(cache_features_path,
-						 flags_string)) {
+				if (create_cache(cacheloc, cache_features_path,
+						 flags_string))
 					skip_read_cache = 1;
-				}
 			} else {
 				if (show_cache)
 					PERROR("Cache read/write disabled: %s does not match %s\n", FLAGS_FILE, cache_features_path);
@@ -1348,7 +1362,7 @@ static void setup_flags(void)
 		free(cache_flags);
 		cache_flags = NULL;
 	} else if (write_cache) {
-		create_cache(cache_features_path, flags_string);
+		create_cache(cacheloc, cache_features_path, flags_string);
 	}
 
 	free(cache_features_path);
@@ -1378,8 +1392,16 @@ int main(int argc, char *argv[])
 		return retval;
 	}
 
+	/* create the cacheloc once and use it everywhere */
+	if (!cacheloc) {
+		if (asprintf(&cacheloc, "%s/cache", basedir) == -1) {
+			PERROR(_("Memory allocation error."));
+			exit(1);
+		}
+	}
+
 	if (force_clear_cache) {
-		clear_cache_files(basedir);
+		clear_cache_files(cacheloc);
 		exit(0);
 	}
 

parser/subdomain.conf.pod

@@ -96,7 +96,7 @@ module source is no longer installed by default. However, the module has
 been included with the SUSE kernel, so no rebuilding should be necessary.
 
 If you find any additional bugs, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

parser/tst/caching.sh

@@ -12,7 +12,8 @@ fi
 
 # fake base directory
 basedir=$(mktemp -d -t aa-cache-XXXXXX)
-trap "rm -rf $basedir" EXIT
+altcachedir=$(mktemp -d -t aa-alt-cache-XXXXXXXX)
+trap "rm -rf $basedir $altcachedir" EXIT
 mkdir -p $basedir/cache
 
 ARGS="--base $basedir --skip-kernel-load"
@@ -158,3 +159,13 @@ echo "ok"
 echo -n "Cache reading is skipped when parser in \$PATH is newer: "
 (PATH=$basedir/parser/ /bin/sh -c "apparmor_parser $ARGS -v -r $basedir/$profile") | grep -q 'Replacement succeeded for' || { echo "FAIL"; exit 1; }
 echo "ok"
+
+echo -n "Profiles are cached in alternate location when requested: "
+../apparmor_parser $ARGS -q --write-cache --cache-loc $altcachedir -r $basedir/$profile
+[ ! -f $altcachedir/$profile ] && echo "FAIL ($altcachedir/$profile does not exist)" && exit 1
+echo "ok"
+
+echo -n "Cache is loaded from alt location when it exists and features match: "
+../apparmor_parser $ARGS -v -r $basedir/$profile --cache-loc $altcachedir | grep -q 'Cached reload succeeded' || { echo "FAIL"; exit 1; }
+echo "ok"
+

profiles/apparmor.d/abstractions/audio

@@ -55,6 +55,9 @@ owner /{run,dev}/shm/pulse-shm* rwk,
 owner @{HOME}/.pulse-cookie rwk,
 owner @{HOME}/.pulse/ rw,
 owner @{HOME}/.pulse/* rwk,
+owner /{,var/}run/user/*/pulse/  rw,
+owner /{,var/}run/user/*/pulse/* rwk,
+owner @{HOME}/.config/pulse/cookie rwk,
 owner /tmp/pulse-*/ rw,
 owner /tmp/pulse-*/* rw,
 
@@ -65,3 +68,6 @@ owner /tmp/pulse-*/* rw,
 # openal
 /etc/openal/alsoft.conf r,
 owner @{HOME}/.alsoftrc r,
+
+# wildmidi
+/etc/wildmidi/wildmidi.cfg r,

profiles/apparmor.d/abstractions/base

@@ -100,6 +100,9 @@
   # glibc statvfs
   @{PROC}/filesystems            r,
 
+  # glibc malloc (man 5 proc)
+  @{PROC}/sys/vm/overcommit_memory r,
+
   # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
   # filesystems generally. This does not appreciably decrease security with
   # Ubuntu profiles because the user is expected to have access to files owned

profiles/apparmor.d/abstractions/dbus-session

@@ -10,4 +10,7 @@
 # ------------------------------------------------------------------
 
   /usr/bin/dbus-launch ix,
+
+  # unique per-machine identifier
+  /etc/machine-id r,
   /var/lib/dbus/machine-id r,

profiles/apparmor.d/abstractions/dconf

@@ -0,0 +1,7 @@
+# vim:syntax=apparmor
+
+# permissions for querying dconf settings; granting write access should
+# be specified in a specific application's profile.
+
+  owner /{,var/}run/user/*/dconf/user r,
+  owner @{HOME}/.config/dconf/user r,

profiles/apparmor.d/abstractions/fonts

@@ -18,6 +18,7 @@
   /usr/share/fonts/**                   r,
 
   /etc/fonts/**                         r,
+  /usr/share/fontconfig/conf.avail/**   r,
 
   /opt/kde3/share/fonts/**              r,
 
@@ -30,7 +31,9 @@
   /usr/share/a2ps/fonts/**              r,
   /usr/share/xfce/fonts/**              r,
   /usr/share/ghostscript/fonts/**       r,
+  /usr/share/javascript/*/fonts/**      r,
   /usr/share/texmf/{,*/}fonts/**        r,
+  /usr/share/texlive/texmf-dist/fonts/** r,
   /var/lib/ghostscript/**               r,
 
   @{HOME}/.fonts.conf                   r,
@@ -41,6 +44,11 @@
   @{HOME}/.{,cache/}fontconfig/**     mrl,
   @{HOME}/.fonts.conf.d/                r,
   @{HOME}/.fonts.conf.d/**              r,
+  owner @{HOME}/.config/fontconfig/     r,
+  owner @{HOME}/.config/fontconfig/**   r,
 
   /usr/local/share/fonts/               r,
   /usr/local/share/fonts/**             r,
+
+  # poppler CMap tables
+  /usr/share/poppler/cMap/**            r,

profiles/apparmor.d/abstractions/freedesktop.org

@@ -30,6 +30,7 @@
   owner @{HOME}/.recently-used.xbel*    rw,
   owner @{HOME}/.local/share/recently-used.xbel* rw,
   owner @{HOME}/.config/user-dirs.dirs  r,
+  owner @{HOME}/.local/share/applications/               r,
   owner @{HOME}/.local/share/applications/*.desktop      r,
   owner @{HOME}/.local/share/applications/defaults.list  r,
   owner @{HOME}/.local/share/applications/mimeapps.list  r,

profiles/apparmor.d/abstractions/gnome

@@ -21,6 +21,7 @@
   /etc/gtk/*                      r,
   /usr/lib{,32,64}/gtk/**         mr,
   /usr/lib/@{multiarch}/gtk/**    mr,
+  /usr/share/themes/              r,
   /usr/share/themes/**            r,
 
   # for gnome 1 applications
@@ -82,7 +83,5 @@
 
   # mime-types
   /etc/gnome/defaults.list r,
+  /usr/share/gnome/applications/ r,
   /usr/share/gnome/applications/mimeinfo.cache r,
-
-  # poppler CMap tables
-  /usr/share/poppler/cMap/** r,

profiles/apparmor.d/abstractions/kde

@@ -22,6 +22,7 @@
 /etc/kderc r,
 /etc/kde3/* r,
 /etc/kde4rc r,
+/etc/xdg/Trolltech.conf r,
 
 @{HOME}/.DCOPserver_* r,
 @{HOME}/.ICEauthority r,

profiles/apparmor.d/abstractions/kerberosclient

@@ -20,7 +20,7 @@
   /usr/lib/@{multiarch}/krb5/plugins/preauth/ r,
   /usr/lib/@{multiarch}/krb5/plugins/preauth/* mr,
 
-  /etc/krb5.keytab            r,
+  /etc/krb5.keytab            rk,
   /etc/krb5.conf              r,
 
   # config files found via strings on libs

profiles/apparmor.d/abstractions/mysql

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2006 Novell/SUSE
+#    Copyright (C) 2013 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -8,6 +9,7 @@
 #
 # ------------------------------------------------------------------
 
-   /var/lib/mysql/mysql.sock rw,
-   /usr/share/mysql/charsets/ r,
-   /usr/share/mysql/charsets/*.xml r,
+   /var/lib/mysql{,d}/mysql{,d}.sock rw,
+   /{var/,}run/mysql{,d}/mysql{,d}.sock rw,
+   /usr/share/{mysql,mysql-community-server,mariadb}/charsets/ r,
+   /usr/share/{mysql,mysql-community-server,mariadb}/charsets/*.xml r,

profiles/apparmor.d/abstractions/nameservice

@@ -21,6 +21,11 @@
   /etc/passwd             r,
   /etc/protocols          r,
 
+  # When using libnss-extrausers, the passwd and group files are merged from
+  # an alternate path
+  /var/lib/extrausers/group  r,
+  /var/lib/extrausers/passwd r,
+
   /etc/resolv.conf        r,
   # on systems using resolvconf, /etc/resolv.conf is a symlink to
   # /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in
@@ -36,7 +41,7 @@
   # to vast speed increases when working with network-based lookups.
   /{,var/}run/.nscd_socket   rw,
   /{,var/}run/nscd/socket    rw,
-  /var/{db,cache,run}/nscd/{passwd,group,services,host}    r,
+  /{var/db,var/cache,var/run,run}/nscd/{passwd,group,services,host}    r,
   # nscd renames and unlinks files in it's operation that clients will
   # have open
   /{,var/}run/nscd/db*  rmix,
@@ -50,7 +55,7 @@
   /etc/default/nss               r,
 
   # avahi-daemon is used for mdns4 resolution
-  /{,var/}run/avahi-daemon/socket w,
+  /{,var/}run/avahi-daemon/socket rw,
 
   # nis
   #include <abstractions/nis>

profiles/apparmor.d/abstractions/nvidia

@@ -13,3 +13,8 @@
 
   @{PROC}/interrupts r,
   @{PROC}/sys/vm/max_map_count r,
+  @{PROC}/driver/nvidia/params r,
+  @{PROC}/modules r,
+
+  owner @{HOME}/.nv/GLCache/ r,
+  owner @{HOME}/.nv/GLCache/** rwk,

profiles/apparmor.d/abstractions/openssl

@@ -10,4 +10,5 @@
 
   /etc/ssl/openssl.cnf r,
   /usr/share/ssl/openssl.cnf r,
+  @{PROC}/sys/crypto/fips_enabled r,
 

profiles/apparmor.d/abstractions/p11-kit

@@ -16,6 +16,9 @@
   /usr/lib{,32,64}/pkcs11/*.so mr,
   /usr/lib/@{multiarch}/pkcs11/*.so mr,
 
+  /usr/share/p11-kit/modules/  r,
+  /usr/share/p11-kit/modules/* r,
+
   # p11-kit also supports reading user configuration from ~/.pkcs11 depending
   # on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be
   # included in this abstraction.

profiles/apparmor.d/abstractions/perl

@@ -13,8 +13,10 @@
   /usr/bin/perl                  rmix,
   /usr/bin/perl[0-9].[0-9].[0-9] rmix,
 
-  /usr/lib{,32,64}/perl5/**         r,
-  /usr/lib{,32,64}/perl{,5}/**.so*  mr,
+  /usr/lib{,32,64}/perl5/**                    r,
+  /usr/lib{,32,64}/perl{,5}/**.so*             mr,
+  /usr/lib/@{multiarch}/perl{,5}/**            r,
+  /usr/lib/@{multiarch}/perl{,5}/[0-9]*/**.so* mr,
 
   /usr/share/perl/**             r,
   /usr/share/perl5/**            r,

profiles/apparmor.d/abstractions/private-files

@@ -15,6 +15,8 @@
   # special attention to (potentially) executable files
   audit deny @{HOME}/bin/** wl,
   audit deny @{HOME}/.config/autostart/** wl,
+  audit deny @{HOME}/.config/upstart/** wl,
+  audit deny @{HOME}/.init/** wl,
   audit deny @{HOME}/.kde{,4}/Autostart/** wl,
   audit deny @{HOME}/.kde{,4}/env/** wl,
   audit deny @{HOME}/.pki/nssdb/*.so{,.[0-9]*} wl,

profiles/apparmor.d/abstractions/private-files-strict

@@ -8,6 +8,7 @@
   audit deny @{HOME}/.gnupg/** mrwkl,
   audit deny @{HOME}/.ssh/** mrwkl,
   audit deny @{HOME}/.gnome2_private/** mrwkl,
+  audit deny @{HOME}/.gnome2/keyrings/** mrwkl,
   audit deny @{HOME}/.mozilla/** mrwkl,
   audit deny @{HOME}/.config/chromium/** mrwkl,
   audit deny @{HOME}/.{,mozilla-}thunderbird/** mrwkl,

profiles/apparmor.d/abstractions/python

@@ -10,28 +10,28 @@
 #
 # ------------------------------------------------------------------
 
-  /usr/lib{,32,64}/python2.[4567]/**.{pyc,so}           mr,
-  /usr/lib{,32,64}/python2.[4567]/**.{egg,py,pth}       r,
-  /usr/lib{,32,64}/python2.[4567]/{site,dist}-packages/ r,
+  /usr/lib{,32,64}/python{2,3}.[34567]/**.{pyc,so}           mr,
+  /usr/lib{,32,64}/python{2,3}.[34567]/**.{egg,py,pth}       r,
+  /usr/lib{,32,64}/python{2,3}.[34567]/{site,dist}-packages/ r,
+  /usr/lib{,32,64}/python3.[234]/lib-dynload/*.so            mr,
 
-  /usr/local/lib{,32,64}/python2.[4567]/**.{pyc,so}           mr,
-  /usr/local/lib{,32,64}/python2.[4567]/**.{egg,py,pth}       r,
-  /usr/local/lib{,32,64}/python2.[4567]/{site,dist}-packages/ r,
+  /usr/local/lib{,32,64}/python{2,3}.[34567]/**.{pyc,so}           mr,
+  /usr/local/lib{,32,64}/python{2,3}.[34567]/**.{egg,py,pth}       r,
+  /usr/local/lib{,32,64}/python{2,3}.[34567]/{site,dist}-packages/ r,
+  /usr/local/lib{,32,64}/python3.[234]/lib-dynload/*.so            mr,
 
   # Site-wide configuration
-  /etc/python2.[4567]/** r,
+  /etc/python{2,3}.[34567]/** r,
 
   # shared python paths
   /usr/share/{pyshared,pycentral,python-support}/**      r,
   /{var,usr}/lib/{pyshared,pycentral,python-support}/**  r,
   /usr/lib/{pyshared,pycentral,python-support}/**.so     mr,
   /var/lib/{pyshared,pycentral,python-support}/**.pyc    mr,
+  /usr/lib/python3/dist-packages/**.so                   mr,
 
   # wx paths
   /usr/lib/wx/python/*.pth r,
 
   # python build configuration and headers
   /usr/include/python{2,3}.[0-7]*/pyconfig.h r,
-
-  # python setup script used by apport
-  /etc/python{2,3}.[0-7]*/sitecustomize.py r,

profiles/apparmor.d/abstractions/samba

@@ -11,9 +11,12 @@
 
   /etc/samba/* r,
   /usr/share/samba/*.dat r,
+  /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
+  /var/cache/samba/ w,
   /var/lib/samba/**.tdb rwk,
   /var/log/samba/cores/ rw,
   /var/log/samba/cores/** rw,
   /var/log/samba/log.* w,
+  /{,var/}run/samba/ w,
   /{,var/}run/samba/*.tdb rw,
 

profiles/apparmor.d/abstractions/ssl_certs

@@ -17,3 +17,5 @@
   /usr/share/ssl/certs/ca-bundle.crt          r,
   /usr/local/share/ca-certificates/ r,
   /usr/local/share/ca-certificates/** r,
+  /var/lib/ca-certificates/ r,
+  /var/lib/ca-certificates/** r,

profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration

@@ -20,6 +20,7 @@
   # File managers
   /usr/bin/nautilus Cxr -> sanitized_helper,
   /usr/bin/{t,T}hunar Cxr -> sanitized_helper,
+  /usr/bin/dolphin Cxr -> sanitized_helper,
 
   # Themes
   /usr/bin/gnome-appearance-properties Cxr -> sanitized_helper,

profiles/apparmor.d/abstractions/web-data

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2006 Novell/SUSE
+#    Copyright (C) 2014 Canonical Ltd
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -19,3 +20,6 @@
 
   /srv/www/rails/*/public/ r,
   /srv/www/rails/*/public/** r,
+
+  /var/www/html/ r,
+  /var/www/html/** r,

profiles/apparmor.d/abstractions/winbind

@@ -13,7 +13,9 @@
   /tmp/.winbindd/pipe  rw,
   /var/{lib,run}/samba/winbindd_privileged/pipe rw,
   /etc/samba/smb.conf         r,
+  /etc/samba/dhcp.conf        r,
   /usr/lib*/samba/valid.dat   r,
   /usr/lib*/samba/upcase.dat  r,
   /usr/lib*/samba/lowcase.dat r,
+  /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
 

profiles/apparmor.d/usr.sbin.dnsmasq

@@ -28,6 +28,8 @@
   /etc/dnsmasq.d/ r,
   /etc/dnsmasq.d/* r,
   /etc/ethers r,
+  /etc/NetworkManager/dnsmasq.d/ r,
+  /etc/NetworkManager/dnsmasq.d/* r,
 
   /usr/sbin/dnsmasq mr,
 
@@ -38,14 +40,18 @@
 
   /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
 
+  # access to iface mtu needed for Router Advertisement messages in IPv6
+  # Neighbor Discovery protocol (RFC 2461)
+  @{PROC}/sys/net/ipv6/conf/*/mtu r,
+
   # for the read-only TFTP server
   @{TFTP_DIR}/ r,
   @{TFTP_DIR}/** r,
 
-  # libvirt lease and hosts files for dnsmasq
+  # libvirt config, lease and hosts files for dnsmasq
   /var/lib/libvirt/dnsmasq/            r,
+  /var/lib/libvirt/dnsmasq/*        r,
   /var/lib/libvirt/dnsmasq/*.leases rw,
-  /var/lib/libvirt/dnsmasq/*.hostsfile r,
 
   # libvirt pid files for dnsmasq
   /{,var/}run/libvirt/network/      r,
@@ -54,6 +60,8 @@
   # NetworkManager integration
   /{,var/}run/nm-dns-dnsmasq.conf r,
   /{,var/}run/sendsigs.omit.d/*dnsmasq.pid w,
+  /{,var/}run/NetworkManager/dnsmasq.conf r,
+  /{,var/}run/NetworkManager/dnsmasq.pid w,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.sbin.dnsmasq>

profiles/apparmor.d/usr.sbin.nmbd

@@ -11,7 +11,9 @@
 
   /usr/sbin/nmbd mr,
 
+  /var/cache/samba/gencache.tdb rwk,
   /var/{cache,lib}/samba/browse.dat* rw,
+  /var/{cache,lib}/samba/gencache.dat rw,
   /var/{cache,lib}/samba/wins.dat* rw,
   /var/{cache,lib}/samba/smb_krb5/ rw,
   /var/{cache,lib}/samba/smb_krb5/krb5.conf* rw,

profiles/apparmor.d/usr.sbin.nscd

@@ -16,6 +16,7 @@
   #include <abstractions/nameservice>
   #include <abstractions/ssl_certs>
 
+  deny capability block_suspend,
   capability net_bind_service,
   capability setgid,
   capability setuid,
@@ -31,9 +32,9 @@
   /{,var/}run/.nscd_socket wl,
   /{,var/}run/avahi-daemon/socket w,
   /{,var/}run/nscd/ rw,
-  /{,var/}run/nscd/db* wl,
+  /{,var/}run/nscd/db* rwl,
   /{,var/}run/nscd/socket wl,
-  /var/{cache,run}/nscd/{passwd,group,services,hosts} rw,
+  /var/{cache,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
   /{,var/}run/{nscd/,}nscd.pid rwl,
   /var/log/nscd.log rw,
   @{PROC}/[0-9]*/fd/ r,
@@ -41,6 +42,7 @@
   @{PROC}/[0-9]*/maps r,
   @{PROC}/[0-9]*/mounts r,
   @{PROC}/filesystems r,
+  @{PROC}/sys/vm/overcommit_memory r,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.sbin.nscd>

profiles/apparmor.d/usr.sbin.ntpd

@@ -14,6 +14,7 @@
 /usr/sbin/ntpd {
   #include <abstractions/base>
   #include <abstractions/nameservice>
+  #include <abstractions/openssl>
   #include <abstractions/xad>
 
   capability dac_override,
@@ -44,6 +45,8 @@
   /usr/sbin/ntpd rmix,
   /var/lib/ntp/drift rwl,
   /var/lib/ntp/drift.TEMP rwl,
+  /var/lib/ntp/drift/driftfile rw,
+  /var/lib/ntp/drift/driftfile.TEMP rw,
   /var/lib/ntp/drift/ntp.drift rw,
   /var/lib/ntp/drift/ntp.drift.TEMP rw,
   /var/lib/ntp/etc/* r,
@@ -57,6 +60,7 @@
   /var/opt/novell/xad/rpc/xadsd rw,
   /{,var/}run/nscd/services r,
   /{,var/}run/ntpd.pid w,
+  /{,var/}run/ntp/ntpd.pid w,
   /var/tmp/ntp* rwl,
   @{PROC}/*/net/if_inet6 r,
   @{PROC}/sys/kernel/ngroups_max r,

profiles/apparmor.d/usr.sbin.smbd

@@ -29,16 +29,21 @@
   /usr/lib*/samba/vfs/*.so mr,
   /usr/lib*/samba/charset/*.so mr,
   /usr/lib*/samba/auth/script.so mr,
-  /usr/lib*/samba/{lowercase,upcase,valid}.dat r,
+  /usr/lib*/samba/pdb/*.so mr,
+  /usr/lib*/samba/{lowercase,lowcase,upcase,valid}.dat r,
   /usr/sbin/smbd mr,
   /usr/sbin/smbldap-useradd Px,
   /var/cache/samba/** rwk,
-  /var/cache/samba/printing/printers.tdb mrw,
+  /var/{cache,lib}/samba/printing/printers.tdb mrw,
   /var/lib/samba/** rwk,
   /var/lib/samba/printers/** rw,
+  /var/lib/sss/mc/passwd r,
+  /var/lib/sss/pubconf/kdcinfo.* r,
   /{,var/}run/cups/cups.sock rw,
   /{,var/}run/dbus/system_bus_socket rw,
   /{,var/}run/samba/** rk,
+  /{,var/}run/samba/ncalrpc/ rw,
+  /{,var/}run/samba/ncalrpc/** rw,
   /{,var/}run/samba/smbd.pid rw,
   /var/log/samba/cores/smbd/ rw,
   /var/log/samba/cores/smbd/** rw,

tests/regression/apparmor/changehat_twice.c

@@ -22,7 +22,8 @@
 
 int main(int argc, char *argv[])
 {
-	int rc, magic;
+	int rc;
+	unsigned long magic;
 
 	if (argc != 5){
 		fprintf(stderr, "usage: %s profile1 profile2 goodmagic|badmagic file\n",

tests/regression/apparmor/changehat_wrapper.c

@@ -87,7 +87,7 @@ int main(int argc, char *argv[]) {
 	int filedes[2];
 	int c, o;
 	char buf[BUFSIZ];
-	unsigned int magic_token = SD_ID_MAGIC+1;
+	unsigned long magic_token = SD_ID_MAGIC+1;
 	int manual = 0;
 	int exit_hat = 0;
 	char * manual_string;

utils/Immunix/AppArmor.pm

@@ -3879,8 +3879,8 @@ sub ask_the_questions() {
                                             $newpath =~ s/\/[^\/]+$/\/\*/;
                                         }
                                     }
-                                    if ($newpath ne $selected) {
-                                        push @options, $newpath;
+                                    if (not grep { $newpath eq $_ } @options) {
+                                        push @options, $newpath;	
                                         $defaultoption = $#options + 1;
                                     }
                                 }
@@ -3896,7 +3896,7 @@ sub ask_the_questions() {
                                     } else {
                                         $newpath =~ s/\/[^\/]+(\.[^\/]+)$/\/\*$1/;
                                     }
-                                    if ($newpath ne $selected) {
+                                    if (not grep { $newpath eq $_ } @options) {
                                         push @options, $newpath;
                                         $defaultoption = $#options + 1;
                                     }
@@ -5151,7 +5151,7 @@ sub parse_profile_data($$$) {
 
             $initial_comment = "";
 
-        } elsif (m/^\s*(audit\s+)?(deny\s+)?capability\s+(\S+)\s*,\s*(#.*)?$/) {  # capability entry
+        } elsif (m/^\s*(audit\s+)?(deny\s+)?capability(\s+(\S+))?\s*,\s*(#.*)?$/) {  # capability entry
             if (not $profile) {
                 die sprintf(gettext('%s contains syntax errors.'), $file) . "\n";
             }
@@ -5159,7 +5159,7 @@ sub parse_profile_data($$$) {
 	    my $audit = $1 ? 1 : 0;
 	    my $allow = $2 ? 'deny' : 'allow';
 	    $allow = 'deny' if ($2);
-            my $capability = $3;
+            my $capability = $3 ? $3 : 'all';
             $profile_data->{$profile}{$hat}{$allow}{capability}{$capability}{set} = 1;
             $profile_data->{$profile}{$hat}{$allow}{capability}{$capability}{audit} = $audit;
         } elsif (m/^\s*set capability\s+(\S+)\s*,\s*(#.*)?$/) {  # capability entry
@@ -5252,7 +5252,7 @@ sub parse_profile_data($$$) {
         } elsif (m/^\s*if\s+(not\s+)?(\$\{?[[:alpha:]][[:alnum:]_]*\}?)\s*\{\s*(#.*)?$/) { # conditional -- boolean
         } elsif (m/^\s*if\s+(not\s+)?defined\s+(@\{?[[:alpha:]][[:alnum:]_]+\}?)\s*\{\s*(#.*)?$/) { # conditional -- variable defined
         } elsif (m/^\s*if\s+(not\s+)?defined\s+(\$\{?[[:alpha:]][[:alnum:]_]+\}?)\s*\{\s*(#.*)?$/) { # conditional -- boolean defined
-        } elsif (m/^\s*(audit\s+)?(deny\s+)?(owner\s+)?([\"\@\/].*?)\s+(\S+)(\s+->\s*(.*?))?\s*,\s*(#.*)?$/) {     # path entry
+        } elsif (m/^\s*(audit\s+)?(deny\s+)?(owner\s+)?(file|([\"\@\/].*?)\s+(\S+))(\s+->\s*(.*?))?\s*,\s*(#.*)?$/) {     # path entry
             if (not $profile) {
                 die sprintf(gettext('%s contains syntax errors.'), $file) . "\n";
             }
@@ -5260,7 +5260,19 @@ sub parse_profile_data($$$) {
 	    my $audit = $1 ? 1 : 0;
 	    my $allow = $2 ? 'deny' : 'allow';
 	    my $user = $3 ? 1 : 0;
-            my ($path, $mode, $nt_name) = ($4, $5, $7);
+            my ($path, $mode, $nt_name) = ($5, $6, $8);
+            my $file_keyword = 0;
+            my $use_mode = 1;
+
+            if ($4 eq "file") {
+                $path = "/{**,}";
+                $file_keyword = 1;
+                if (!$mode) {
+                    # what the parser uses, but we don't care
+                    $mode = "rwixlka";
+                    $use_mode = 0;
+                }
+            }
 
             # strip off any trailing spaces.
             $path =~ s/\s+$//;
@@ -5281,6 +5293,9 @@ sub parse_profile_data($$$) {
                 fatal_error(sprintf(gettext('Profile %s contains invalid mode %s.'), $file, $mode));
             }
 
+	    $profile_data->{$profile}{$hat}{$allow}{path}{$path}{use_mode} = $use_mode;
+	    $profile_data->{$profile}{$hat}{$allow}{path}{$path}{file_keyword} = 1 if $file_keyword;
+
 	    my $tmpmode;
 	    if ($user) {
 		$tmpmode = str_to_mode("${mode}::");
@@ -5353,7 +5368,7 @@ sub parse_profile_data($$$) {
 		$profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{$fam} = $audit;
             } else {
                 $profile_data->{$profile}{$hat}{$allow}{netdomain}{rule}{all} = 1;
-                $profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{all} = 1;
+                $profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{all} = $audit;
             }
         } elsif (/^\s*(tcp_connect|tcp_accept|udp_send|udp_receive)/) {
 # just ignore and drop old style network
@@ -5675,7 +5690,13 @@ sub writecap_rules ($$$) {
 
     my @data;
     if (exists $profile_data->{$allow}{capability}) {
-        for my $cap (sort keys %{$profile_data->{$allow}{capability}}) {
+	my $audit;
+	if (exists $profile_data->{$allow}{capability}{all}) {
+	    $audit = ($profile_data->{$allow}{capability}{all}{audit}) ? 'audit ' : '';
+	    push @data, "${pre}${audit}${allowstr}capability,";
+	}
+	for my $cap (sort keys %{$profile_data->{$allow}{capability}}) {
+	    next if ($cap eq "all");
 	    my $audit = ($profile_data->{$allow}{capability}{$cap}{audit}) ? 'audit ' : '';
 	    if ($profile_data->{$allow}{capability}{$cap}{set}) {
 		push @data, "${pre}${audit}${allowstr}capability ${cap},";
@@ -5708,7 +5729,7 @@ sub writenet_rules ($$$) {
     # dump out the netdomain entries...
     if (exists $profile_data->{$allow}{netdomain}) {
         if ( $profile_data->{$allow}{netdomain}{rule} &&
-             $profile_data->{$allow}{netdomain}{rule} eq 'all') {
+             $profile_data->{$allow}{netdomain}{rule}{all}) {
 	    $audit = "audit " if $profile_data->{$allow}{netdomain}{audit}{all};
             push @data, "${pre}${audit}network,";
         } else {
@@ -5838,7 +5859,13 @@ sub writepath_rules ($$$) {
 		    }
 		    $tmpmode &= ~$tmpaudit;
 		}
-		if ($tmpmode) {
+		my $kw = $profile_data->{$allow}{path}{$path}{file_keyword};
+		my $use_mode = $profile_data->{$allow}{path}{$path}{use_mode};
+		if ($kw) {
+		    my $modestr = "";
+		    $modestr = " " . mode_to_str($tmpmode) if $use_mode;
+		    push @data, "${pre}${allowstr}${ownerstr}file${modestr}${tail},";
+		} elsif ($tmpmode) {
 		    my $modestr = mode_to_str($tmpmode);
 		    if ($path =~ /\s/) {
 			push @data, "${pre}${allowstr}${ownerstr}\"$path\" ${modestr}${tail},";

utils/Makefile

@@ -65,7 +65,7 @@ install: ${MANPAGES} ${HTMLMANPAGES}
 	$(MAKE) install_manpages DESTDIR=${DESTDIR}
 	$(MAKE) -C vim install DESTDIR=${DESTDIR}
 	ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8
-	python ${PYSETUP} install --prefix=${PYPREFIX} --root=${DESTDIR} --version=${VERSION}
+	${PYTHON} ${PYSETUP} install --prefix=${PYPREFIX} --root=${DESTDIR} --version=${VERSION}
 
 .PHONY: clean
 ifndef VERBOSE
@@ -105,6 +105,4 @@ check: check_severity_db
 		test -s $$tmpfile && cat $$tmpfile && rm -f $$tmpfile && exit 1; \
 	done || true; \
 	rm -f $$tmpfile
-	for i in test/* ; do \
-		python $$i || exit 1; \
-	done
+	$(foreach test, $(wildcard test/test-*.py), $(call pyalldo, $(test)))

utils/aa-audit.pod

@@ -16,7 +16,7 @@ In this mode security policy is enforced and all access (successes and failures)
 =head1 BUGS
 
 If you find any bugs, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

utils/aa-autodep.pod

@@ -42,7 +42,7 @@ recursively calling ldd(1) on the executables listed on the command line.
 This program does not perform full static analysis of executables, so
 the profiles generated are necessarily incomplete. If you find any bugs,
 please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

utils/aa-complain.pod

@@ -37,7 +37,7 @@ violations are logged to the system log.
 =head1 BUGS
 
 If you find any bugs, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

utils/aa-disable.pod

@@ -39,7 +39,7 @@ behavior.
 =head1 BUGS
 
 If you find any bugs, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

utils/aa-easyprof

@@ -35,7 +35,7 @@ if __name__ == "__main__":
 
     try:
         easyp = apparmor.easyprof.AppArmorEasyProfile(binary, opt)
-    except AppArmorException, e:
+    except AppArmorException as e:
         error(e.value)
     except Exception:
         raise
@@ -61,5 +61,5 @@ if __name__ == "__main__":
     # if we made it here, generate a profile
     params = apparmor.easyprof.gen_policy_params(binary, opt)
     p = easyp.gen_policy(**params)
-    print p,
+    sys.stdout.write('%s\n' % p)
 

utils/aa-enforce.pod

@@ -41,7 +41,7 @@ be run to change this behavior.
 =head1 BUGS
 
 If you find any bugs, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

utils/aa-exec.pod

@@ -87,7 +87,7 @@ aa-exec.
 =head1 BUGS
 
 If you find any bugs, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

utils/aa-genprof.pod

@@ -73,7 +73,7 @@ and any other profiles that were generated, into enforce mode and exit.
 =head1 BUGS
 
 If you find any bugs, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

utils/aa-logprof.pod

@@ -155,7 +155,7 @@ user wants to quit. See capability(7) for details.
 =head1 BUGS
 
 If you find any bugs, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

utils/aa-notify.pod

@@ -44,6 +44,11 @@ B<aa-notify> accepts the following arguments:
 poll AppArmor logs and display desktop notifications. Can be used with '-s'
 option to display a summary on startup.
 
+=item --display $DISPLAY
+
+set the DISPLAY environment variable to $DISPLAY
+(might be needed if sudo resets $DISPLAY)
+
 =item -f FILE, --file=FILE
 
 search FILE for AppArmor messages

utils/aa-status.pod

@@ -116,7 +116,7 @@ the apparmor control files.
 =back
 
 If you find any additional bugs, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

utils/aa-unconfined

@@ -60,7 +60,7 @@ if ($paranoid) {
     @pids = grep { /^\d+$/ } readdir(PROC);
     closedir(PROC);
 } else {
-    if (open(NETSTAT, "/bin/netstat -nlp |")) {
+    if (open(NETSTAT, "LANG=C /bin/netstat -nlp |")) {
         while (<NETSTAT>) {
             chomp;
             push @pids, $5

utils/aa-unconfined.pod

@@ -47,7 +47,7 @@ program is unsuitable for forensics use and is provided only as an aid
 to profiling all network-accessible processes in the lab.
 
 If you find any bugs, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

utils/apparmor/easyprof.py

@@ -8,6 +8,8 @@
 #
 # ------------------------------------------------------------------
 
+from __future__ import with_statement
+
 import codecs
 import glob
 import optparse
@@ -40,7 +42,7 @@ DEBUGGING = False
 def error(out, exit_code=1, do_exit=True):
     '''Print error message and exit'''
     try:
-        print >> sys.stderr, "ERROR: %s" % (out)
+        sys.stderr.write("ERROR: %s\n" % (out))
     except IOError:
         pass
 
@@ -51,7 +53,7 @@ def error(out, exit_code=1, do_exit=True):
 def warn(out):
     '''Print warning message'''
     try:
-        print >> sys.stderr, "WARN: %s" % (out)
+        sys.stderr.write("WARN: %s\n" % (out))
     except IOError:
         pass
 
@@ -59,7 +61,7 @@ def warn(out):
 def msg(out, output=sys.stdout):
     '''Print message'''
     try:
-        print >> output, "%s" % (out)
+        sys.stdout.write("%s\n" % (out))
     except IOError:
         pass
 
@@ -70,7 +72,7 @@ def cmd(command):
     try:
         sp = subprocess.Popen(command, stdout=subprocess.PIPE,
                               stderr=subprocess.STDOUT)
-    except OSError, ex:
+    except OSError as ex:
         return [127, str(ex)]
 
     out = sp.communicate()[0]
@@ -82,7 +84,7 @@ def cmd_pipe(command1, command2):
     try:
         sp1 = subprocess.Popen(command1, stdout=subprocess.PIPE)
         sp2 = subprocess.Popen(command2, stdin=sp1.stdout)
-    except OSError, ex:
+    except OSError as ex:
         return [127, str(ex)]
 
     out = sp2.communicate()[0]
@@ -93,7 +95,7 @@ def debug(out):
     '''Print debug message'''
     if DEBUGGING:
         try:
-            print >> sys.stderr, "DEBUG: %s" % (out)
+            sys.stderr.write("DEBUG: %s\n" % (out))
         except IOError:
             pass
 
@@ -181,6 +183,8 @@ def verify_policy(policy):
         fn = policy
     else:
         f, fn = tempfile.mkstemp(prefix='aa-easyprof')
+        if not isinstance(policy, bytes):
+            policy = policy.encode('utf-8')
         os.write(f, policy)
         os.close(f)
 
@@ -219,9 +223,9 @@ class AppArmorEasyProfile:
         if opt.policy_groups_dir and os.path.isdir(opt.policy_groups_dir):
             self.dirs['policygroups'] = os.path.abspath(opt.policy_groups_dir)
 
-        if not self.dirs.has_key('templates'):
+        if not 'templates' in self.dirs:
             raise AppArmorException("Could not find templates directory")
-        if not self.dirs.has_key('policygroups'):
+        if not 'policygroups' in self.dirs:
             raise AppArmorException("Could not find policygroups directory")
 
         self.aa_topdir = "/etc/apparmor.d"
@@ -445,11 +449,12 @@ class AppArmorEasyProfile:
 
 def print_basefilenames(files):
     for i in files:
-        print "%s" % (os.path.basename(i))
+        sys.stdout.write("%s\n" % (os.path.basename(i)))
 
 def print_files(files):
     for i in files:
-        print open(i).read()
+        with open(i) as f:
+            sys.stdout.write(f.read()+"\n")
 
 def parse_args(args=None):
     '''Parse arguments'''

utils/logprof.conf

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2004-2006 Novell/SUSE
+#    Copyright (C) 2014 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -105,6 +106,7 @@
 
   # if they use any perl modules, grant access to all
   ^/usr/lib/perl5/.+$               = /usr/lib/perl5/**
+  ^/usr/lib/[^\/]+/perl5?/.+$       = /usr/lib/@{multiarch}/perl{,5}/**
 
   # locale foo
   ^/usr/lib/locale/.+$              = /usr/lib/locale/**

utils/logprof.conf.pod

@@ -103,7 +103,7 @@ Lines starting with # are comments and are ignored.
 =head1 BUGS
 
 If you find any bugs, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

utils/po/de.po

@@ -1,4 +1,5 @@
 # Copyright (C) 2006 SuSE Linux Products GmbH, Nuernberg
+# Copyright (C) 2013 Christian Boltz
 # This file is distributed under the same license as the package.
 #
 msgid ""
@@ -6,14 +7,17 @@ msgstr ""
 "Project-Id-Version: apparmor-utils\n"
 "Report-Msgid-Bugs-To: apparmor-general@forge.novell.com\n"
 "POT-Creation-Date: 2008-09-22 22:56-0700\n"
-"PO-Revision-Date: 2009-02-05 13:38\n"
-"Last-Translator: Novell Language <language@novell.com>\n"
+"PO-Revision-Date: 2013-09-13 21:05+0200\n"
+"Last-Translator: Christian Boltz <apparmor@cboltz.de>\n"
 "Language-Team: Novell Language <language@novell.com>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: de\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
 
 #: ../genprof:69
+#, fuzzy
 msgid "Please enter the program to profile: "
 msgstr "Geben Sie das Programm für das Profil ein: "
 
@@ -52,12 +56,12 @@ msgstr "Syntax: %s [ -d /pfad/zu/profilen ] [ -f /pfad/zu/protokolldatei ] [ pro
 #: ../logprof:72
 #, perl-format
 msgid "usage: %s [ -d /path/to/profiles ] [ -f /path/to/logfile ] [ -m \"mark in log to start processing after\""
-msgstr "Syntax: %s [ -d /pfad/zu/profilen ] [ -f /pfad/zu/protokolldatei ] [ -m \"markierng im protokoll, nach der die verarbeitung gestartet werden soll\""
+msgstr "Syntax: %s [ -d /pfad/zu/profilen ] [ -f /pfad/zu/protokolldatei ] [ -m \"Markierng im Protokoll, nach der die Verarbeitung gestartet werden soll\""
 
 #: ../autodep:63
 #, perl-format
 msgid "Can't find AppArmor profiles in %s."
-msgstr "In %s wurden keine Unterdomänenprofile gefunden."
+msgstr "In %s wurden keine AppArmor-Profile gefunden."
 
 #: ../autodep:71
 msgid "Please enter the program to create a profile for: "
@@ -86,7 +90,7 @@ msgstr "%s wird in Prüfmodus versetzt."
 #: ../audit:131
 #, perl-format
 msgid "usage: %s [ -d /path/to/profiles ] [ program to switch to audit mode ]"
-msgstr "Syntax: %s [ -d /pfad/zu/profilen ] [ programm, das in den prüfmodus versetzt werden soll ]"
+msgstr "Syntax: %s [ -d /pfad/zu/profilen ] [ Programm, das in den Prüfmodus versetzt werden soll ]"
 
 #: ../complain:64
 msgid "Please enter the program to switch to complain mode: "
@@ -100,7 +104,7 @@ msgstr "%s wird in Meldungsmodus versetzt."
 #: ../complain:131
 #, perl-format
 msgid "usage: %s [ -d /path/to/profiles ] [ program to switch to complain mode ]"
-msgstr "Syntax: %s [ -d /pfad/zu/profilen ] [ programm, das in den meldungsmodus versetzt werden soll ]"
+msgstr "Syntax: %s [ -d /pfad/zu/profilen ] [ Programm, das in den Meldungsmodus versetzt werden soll ]"
 
 #: ../enforce:64
 msgid "Please enter the program to switch to enforce mode: "
@@ -109,12 +113,12 @@ msgstr "Geben Sie das Programm an, das in den Erzwingen-Modus versetzt werden so
 #: ../enforce:105 ../AppArmor.pm:592
 #, perl-format
 msgid "Setting %s to enforce mode."
-msgstr "Einstellungen %s für Erwzingungsmodus"
+msgstr "%s wird in den Erwzingen-Modus versetzt."
 
 #: ../enforce:131
 #, perl-format
 msgid "usage: %s [ -d /path/to/profiles ] [ program to switch to enforce mode ]"
-msgstr "Syntax: %s [ -d /pfad/zu/profilen ] [ programm, das in den erzwingen-modus versetzt werden soll ]"
+msgstr "Syntax: %s [ -d /pfad/zu/profilen ] [ Programm, das in den Erzwingen-Modus versetzt werden soll ]"
 
 #: ../unconfined:50
 #, perl-format
@@ -193,7 +197,7 @@ msgstr "Möchten Sie die neu erstellten Profile hochladen?"
 
 #: ../AppArmor.pm:1159
 msgid "Select which of the changed profiles you would like to upload\nto the repository"
-msgstr "Wählen Sie die geänderten Profile aus, die Sie an das Repository \nhochladen möchten"
+msgstr "Wählen Sie die geänderten Profile aus, die Sie in das Repository \nhochladen möchten"
 
 #: ../AppArmor.pm:1161
 msgid "Changed profiles"
@@ -210,7 +214,7 @@ msgstr "Die folgenden Profile im Repository wurden geändert.\nMöchten Sie Ihre
 #: ../AppArmor.pm:1236 ../AppArmor.pm:1316
 #, perl-format
 msgid "WARNING: An error occured while uploading the profile %s\n%s\n"
-msgstr "ACHTUNG: Fehler beim Heraufladen von Profil %s\n%s\n"
+msgstr "ACHTUNG: Fehler beim Hochladen von Profil %s\n%s\n"
 
 #: ../AppArmor.pm:1241
 msgid "Uploaded changes to repository."
@@ -223,11 +227,11 @@ msgstr "Protokolleintrag: "
 #: ../AppArmor.pm:1311
 #, perl-format
 msgid "Uploaded %s to repository."
-msgstr "'%s' an Repository hochgeladen."
+msgstr "'%s' ins Repository hochgeladen."
 
 #: ../AppArmor.pm:1322
 msgid "Repository Error\nRegistration or Signin was unsuccessful. User login\ninformation is required to upload profiles to the\nrepository. These changes have not been sent.\n"
-msgstr "Repository-Fehler\nRegistrierung oder Anmeldung war erfolglos. Die Anmeldeinformationen\ndes Nutzers werden benötigt, um Profile in das Repository\n heraufzuladen. Diese Änderungen wurden nicht gesendet.\n"
+msgstr "Repository-Fehler\nRegistrierung oder Anmeldung war erfolglos. Die Anmeldeinformationen\ndes Nutzers werden benötigt, um Profile in das Repository\n hochzuladen. Diese Änderungen wurden nicht gesendet.\n"
 
 #: ../AppArmor.pm:1379 ../AppArmor.pm:1419
 msgid "(Y)es"
@@ -251,7 +255,7 @@ msgstr "Möchten Sie diese Gruppe von Profiländerungen wirklich verwerfen und d
 
 #: ../AppArmor.pm:1748
 msgid "Abandoning all changes."
-msgstr "Alle Änderungen verwerfen?"
+msgstr "Alle Änderungen verworfen."
 
 #: ../AppArmor.pm:1854
 msgid "Default Hat"
@@ -259,7 +263,7 @@ msgstr "Standard-Hat"
 
 #: ../AppArmor.pm:1856
 msgid "Requested Hat"
-msgstr "Hat angefordert"
+msgstr "Angeforderter Hat"
 
 #: ../AppArmor.pm:2142
 msgid "Program"
@@ -387,16 +391,17 @@ msgstr "Änderungen im Erzwingen-Modus:"
 #: ../AppArmor.pm:3250
 #, perl-format
 msgid "Invalid mode found: %s"
-msgstr "Ungültige Option: %s"
+msgstr "Ungültiger Modus gefunden: %s"
 
 #: ../AppArmor.pm:3301 ../AppArmor.pm:3334
+#, fuzzy
 msgid "Capability"
 msgstr "Funktion"
 
 #: ../AppArmor.pm:3354 ../AppArmor.pm:3628 ../AppArmor.pm:3875
 #, perl-format
 msgid "Adding #include <%s> to profile."
-msgstr "#include <%s> zum Profil hinzufügen."
+msgstr "#include <%s> zum Profil hinzugefügt."
 
 #: ../AppArmor.pm:3357 ../AppArmor.pm:3629 ../AppArmor.pm:3669
 #: ../AppArmor.pm:3879
@@ -405,12 +410,12 @@ msgid "Deleted %s previous matching profile entries."
 msgstr "%s vorherige übereinstimmende Profileinträge wurden gelöscht."
 
 #: ../AppArmor.pm:3368
-#, perl-format
+#, fuzzy, perl-format
 msgid "Adding capability %s to profile."
 msgstr "Funktion %s wird dem Profil hinzugefügt."
 
 #: ../AppArmor.pm:3373
-#, perl-format
+#, fuzzy, perl-format
 msgid "Denying capability %s to profile."
 msgstr "Funktion %s wird dem Profil verweigert."
 
@@ -457,7 +462,7 @@ msgstr "Neuen Pfad eingeben: "
 
 #: ../AppArmor.pm:3687
 msgid "The specified path does not match this log entry:"
-msgstr "Der angegebene Pfad stimmt nicht mit dem Protokolleintrag überein."
+msgstr "Der angegebene Pfad stimmt nicht mit dem Protokolleintrag überein:"
 
 #: ../AppArmor.pm:3688
 msgid "Log Entry"
@@ -482,17 +487,17 @@ msgstr "Socket-Typ"
 #: ../AppArmor.pm:3905
 #, perl-format
 msgid "Adding network access %s %s to profile."
-msgstr "Netzwerkzugriff '%s' '%s' wird zu Profil hinzugefügt."
+msgstr "Netzwerkzugriff '%s' '%s' wird zum Profil hinzugefügt."
 
 #: ../AppArmor.pm:3924
 #, perl-format
 msgid "Denying network access %s %s to profile."
-msgstr "Netzwerkzugriff '%s' '%s' auf Profil wird verweigert."
+msgstr "Netzwerkzugriff '%s' '%s' wird dem Profil verweigert."
 
 #: ../AppArmor.pm:4132
 #, perl-format
 msgid "Reading log entries from %s."
-msgstr "%s Mailserver-Domains werden eingelesen..."
+msgstr "Protokolleinträge von %s werden eingelesen."
 
 #: ../AppArmor.pm:4133
 #, perl-format
@@ -572,6 +577,7 @@ msgid "Invalid hotkey in default item"
 msgstr "Ungültige Tastenkombination in Standardelement"
 
 #: ../AppArmor.pm:6392
+#, fuzzy
 msgid "Invalid default"
 msgstr "Ungültiger Standard"
 

utils/po/hu.po

@@ -333,11 +333,11 @@ msgstr ""
 
 #: ../AppArmor.pm:1379 ../AppArmor.pm:1419
 msgid "(Y)es"
-msgstr "Igen"
+msgstr "(I)gen"
 
 #: ../AppArmor.pm:1380 ../AppArmor.pm:1420
 msgid "(N)o"
-msgstr "Nem"
+msgstr "(N)em"
 
 #: ../AppArmor.pm:1383 ../AppArmor.pm:1424
 msgid "Invalid hotkey for"

utils/severity.db

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2005 Novell/SUSE
+#    Copyright (C) 2014 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -47,6 +48,7 @@
        CAP_WAKE_ALARM 8
        CAP_BLOCK_SUSPEND 8
        CAP_DAC_READ_SEARCH 7
+       CAP_AUDIT_READ 7
 # unused
        CAP_NET_BROADCAST 0
 
@@ -230,6 +232,8 @@
 /usr/lib/lib*so*	3 8 4
 /usr/lib/iptables/*	2 8 2
 /usr/lib/perl5/**	4 10 6
+/usr/lib/*/perl/**	4 10 6
+/usr/lib/*/perl5/**	4 10 6
 /usr/lib/gconv/*	4 7 4
 /usr/lib/locale/**	4 8 0
 /usr/lib/jvm/**		5 7 5

utils/test/test-aa-easyprof.py

@@ -101,6 +101,7 @@ TEMPLATES_DIR="%s/templates"
     def tearDown(self):
         '''Teardown for tests'''
         if os.path.exists(self.tmpdir):
+            sys.stdout.write("%s\n" % self.tmpdir)
             recursive_rm(self.tmpdir)
 
 #
@@ -328,7 +329,7 @@ POLICYGROUPS_DIR="%s/templates"
     def test_binary_symlink(self):
         '''Test binary (symlink)'''
         exe = os.path.join(self.tmpdir, 'exe')
-        open(exe, 'wa').close()
+        open(exe, 'a').close()
         symlink = exe + ".lnk"
         os.symlink(exe, symlink)
 
@@ -441,7 +442,7 @@ POLICYGROUPS_DIR="%s/templates"
         self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
 
         if debugging:
-            print p
+            sys.stdout.write("%s\n" % p)
 
         return p
 
@@ -859,7 +860,7 @@ if __name__ == '__main__':
     # Create the necessary files to import aa-easyprof
     init = os.path.join(os.path.dirname(absfn), '__init__.py')
     if not os.path.exists(init):
-        open(init, 'wa').close()
+        open(init, 'a').close()
         created.append(init)
 
     symlink = os.path.join(os.path.dirname(absfn), 'easyprof.py')

utils/vim/Makefile

@@ -14,12 +14,15 @@ VIM_INSTALL_PATH=${DESTDIR}/usr/share/apparmor
 all: apparmor.vim
 
 apparmor.vim: apparmor.vim.in Makefile create-apparmor.vim.py
-	python create-apparmor.vim.py > $@
+	${PYTHON} create-apparmor.vim.py > apparmor.vim
 
 install: apparmor.vim
 	install -d $(VIM_INSTALL_PATH)
 	install -m 644 $< $(VIM_INSTALL_PATH)
 
+test: apparmor.vim.in Makefile create-apparmor.vim.py
+	#Testing with all pythons
+	$(call pyalldo, create-apparmor.vim.py > /dev/null)
 
 clean:
 	rm -f apparmor.vim common

utils/vim/create-apparmor.vim.py

@@ -10,7 +10,6 @@
 #    Christian Boltz <apparmor@cboltz.de>
 
 from __future__ import with_statement
-import os
 import re
 import subprocess
 import sys
@@ -30,9 +29,9 @@ def cmd(command, input = None, stderr = subprocess.STDOUT, stdout = subprocess.P
     return a textual error if it failed.'''
 
     try:
-        sp = subprocess.Popen(command, stdin=stdin, stdout=stdout, stderr=stderr, close_fds=True)
-    except OSError, e:
-        return [127, str(e)]
+        sp = subprocess.Popen(command, stdin=stdin, stdout=stdout, stderr=stderr, close_fds=True, universal_newlines=True)
+    except OSError as ex:
+        return [127, str(ex)]
 
     out, outerr = sp.communicate(input)
 
@@ -47,7 +46,7 @@ def cmd(command, input = None, stderr = subprocess.STDOUT, stdout = subprocess.P
 # get capabilities list
 (rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_capabilities'])
 if rc != 0:
-    print >>sys.stderr, ("make list_capabilities failed: " + output)
+    sys.stderr.write("make list_capabilities failed: " + output)
     exit(rc)
 
 capabilities = re.sub('CAP_', '', output.strip()).lower().split(" ")
@@ -59,7 +58,7 @@ for cap in capabilities:
 # get network protos list
 (rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
 if rc != 0:
-    print >>sys.stderr, ("make list_af_names failed: " + output)
+    sys.stderr.write("make list_af_names failed: " + output)
     exit(rc)
 
 af_names = []
@@ -78,7 +77,7 @@ aa_network_types=r'\s+tcp|\s+udp|\s+icmp'
 
 aa_flags=['complain',
           'audit',
-          'attach_disconnect',
+          'attach_disconnected',
           'no_attach_disconnected',
           'chroot_attach',
           'chroot_no_attach',
@@ -105,7 +104,7 @@ aa_regex_map = {
 }
 
 def my_repl(matchobj):
-    #print matchobj.group(1)
+    matchobj.group(1)
     if matchobj.group(1) in aa_regex_map:
         return aa_regex_map[matchobj.group(1)]
 
@@ -113,7 +112,7 @@ def my_repl(matchobj):
 
 regex = "@@(" + "|".join(aa_regex_map) + ")@@"
 
-with file("apparmor.vim.in") as template:
+with open("apparmor.vim.in") as template:
     for line in template:
         line = re.sub(regex, my_repl, line.rstrip())
-        print line
+        sys.stdout.write('%s\n' % line)