bump versions in preparation for release

Merged from trunk revno: 2340

This patch includes the errno in the log messages generated by two
different failed aa_change_hat() calls and the failure to open
/dev/urandom to get the random token, to further ease failure
diagnosis.

2.8 Note: did not apply cleanly, required manual adjustment.

For 2.8:
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>

README

@@ -198,3 +198,21 @@ Building and Installing AppArmor Kernel Patches
 
 TODO
 
+
+-----------------
+Required versions
+-----------------
+
+The AppArmor userspace utilities are written with some assumptions about
+installed and available versions of other tools. This is a (possibly
+incomplete) list of known version dependencies:
+
+AppArmor.pm (used by aa-audit, aa-autodep, aa-complain, aa-disable,
+aa-enforce, aa-genprof, aa-logprof, aa-unconfined) requires minimum
+Perl 5.10.1.
+
+Python scripts require minimum Python 2.7. Some utilities may require
+Python 3.3. Python 3.0, 3.1, 3.2 are largely untested.
+
+Most shell scripts are written for POSIX-compatible sh. aa-decode expects
+bash, probably version 3.2 and higher.

changehat/mod_apparmor/mod_apparmor.c

@@ -17,6 +17,7 @@
 #include "http_config.h"
 #include "http_request.h"
 #include "http_log.h"
+#include "http_main.h"
 #include "http_protocol.h"
 #include "util_filter.h"
 #include "apr.h"
@@ -35,9 +36,18 @@
 #define DEFAULT_HAT "HANDLING_UNTRUSTED_INPUT"
 #define DEFAULT_URI_HAT "DEFAULT_URI"
 
+/* Compatibility with apache 2.2 */
+#if AP_SERVER_MAJORVERSION_NUMBER == 2 && AP_SERVER_MINORVERSION_NUMBER < 3
+  #define APLOG_TRACE1 APLOG_DEBUG
+  server_rec *ap_server_conf = NULL;
+#endif
+
+#ifdef APLOG_USE_MODULE
+  APLOG_USE_MODULE(apparmor);
+#endif
 module AP_MODULE_DECLARE_DATA apparmor_module;
 
-static unsigned int magic_token = 0;
+static unsigned long magic_token = 0;
 static int inside_default_hat = 0;
 
 typedef struct {
@@ -68,9 +78,10 @@ immunix_init (apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s)
     	apr_file_read (file, (void *) &magic_token, &size);
 	apr_file_close (file);
     } else {
-        ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "Failed to open /dev/urandom");
+        ap_log_error(APLOG_MARK, APLOG_ERR, errno, ap_server_conf,
+			"Failed to open /dev/urandom");
     }
-    ap_log_error (APLOG_MARK, APLOG_DEBUG, 0, NULL, "Opened /dev/urandom successfully");
+    ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, ap_server_conf, "Opened /dev/urandom successfully");
 
     return OK;
 }
@@ -83,35 +94,32 @@ immunix_child_init (apr_pool_t *p, server_rec *s)
 {
     int ret;
 
-    ap_log_error (APLOG_MARK, APLOG_DEBUG, 0, NULL, "init: calling change_hat");
-    ret = change_hat (DEFAULT_HAT, magic_token);
+    ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, ap_server_conf,
+		    "init: calling change_hat with '%s'", DEFAULT_HAT);
+    ret = aa_change_hat(DEFAULT_HAT, magic_token);
     if (ret < 0) {
-    	change_hat (NULL, magic_token);
-        ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "Failed to change_hat to '%s'",
-			DEFAULT_HAT);
+    	aa_change_hat(NULL, magic_token);
+        ap_log_error(APLOG_MARK, APLOG_ERR, errno, ap_server_conf,
+			"Failed to change_hat to '%s'", DEFAULT_HAT);
     } else {
         inside_default_hat = 1;
     }
 }    			 
 
-#ifdef DEBUG
 static void
-debug_dump_uri (apr_uri_t * uri) 
+debug_dump_uri(request_rec *r)
 {
-    if (uri) 
-    	ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "Dumping uri info "
+    apr_uri_t *uri = &r->parsed_uri;
+    if (uri)
+    	ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "Dumping uri info "
     	          "scheme='%s' host='%s' path='%s' query='%s' fragment='%s'",
     		  uri->scheme, uri->hostname, uri->path, uri->query,
 		  uri->fragment);
     else
-    	ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "Asked to dump NULL uri");
+    	ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "Asked to dump NULL uri");
 
 }
-#else
-static void
-debug_dump_uri (apr_uri_t * __unused uri) { }
-#endif
-    
+
 /* 
    immunix_enter_hat will attempt to change_hat in the following order:
    (1) to a hatname in a location directive
@@ -129,8 +137,8 @@ immunix_enter_hat (request_rec *r)
     immunix_srv_cfg * scfg = (immunix_srv_cfg *) 
     		ap_get_module_config (r->server->module_config, &apparmor_module);
 
-    debug_dump_uri (&r->parsed_uri);
-    ap_log_error (APLOG_MARK, APLOG_DEBUG, 0, NULL, "in immunix_enter_hat (%s) n:0x%lx p:0x%lx main:0x%lx", 
+    debug_dump_uri(r);
+    ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "in immunix_enter_hat (%s) n:0x%lx p:0x%lx main:0x%lx",
     	dcfg->path, (unsigned long) r->next, (unsigned long) r->prev, 
 	(unsigned long) r->main);
 
@@ -139,41 +147,48 @@ immunix_enter_hat (request_rec *r)
     	return OK;
 
     if (inside_default_hat) {
-        change_hat (NULL, magic_token);
+        aa_change_hat(NULL, magic_token);
 	inside_default_hat = 0;
     }
 
     if (dcfg != NULL && dcfg->hat_name != NULL) {
-        ap_log_error (APLOG_MARK, APLOG_DEBUG, 0, NULL, "calling change_hat [dcfg] %s", dcfg->hat_name);
-        sd_ret = change_hat (dcfg->hat_name, magic_token);
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "calling change_hat [dcfg] %s", dcfg->hat_name);
+        sd_ret = aa_change_hat(dcfg->hat_name, magic_token);
 	if (sd_ret < 0) {
-	    change_hat (NULL, magic_token);
+	    aa_change_hat(NULL, magic_token);
 	} else {
 	    return OK;
 	}
     }
 
-    ap_log_error (APLOG_MARK, APLOG_DEBUG, 0, NULL, "calling change_hat [uri] %s", r->uri);
-    sd_ret = change_hat (r->uri, magic_token);
+    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "calling change_hat [uri] %s", r->uri);
+    sd_ret = aa_change_hat(r->uri, magic_token);
     if (sd_ret < 0) {
-    	change_hat (NULL, magic_token);
+    	aa_change_hat(NULL, magic_token);
     } else {
 	    return OK;
     }
 
+    if (scfg) {
+    	ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "Dumping scfg info: "
+    	          "scfg='0x%lx' scfg->hat_name='%s'",
+    		  (unsigned long) scfg, scfg->hat_name);
+    } else {
+    	ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "scfg is null");
+    }
     if (scfg != NULL && scfg->hat_name != NULL) {
-        ap_log_error (APLOG_MARK, APLOG_DEBUG, 0, NULL, "calling change_hat [scfg] %s", scfg->hat_name);
-        sd_ret = change_hat (scfg->hat_name, magic_token);
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "calling change_hat [scfg] %s", scfg->hat_name);
+        sd_ret = aa_change_hat(scfg->hat_name, magic_token);
 	if (sd_ret < 0) {
-	    change_hat (NULL, magic_token);
+	    aa_change_hat(NULL, magic_token);
 	} else {
 	    return OK;
 	}
     }
 
-    ap_log_error (APLOG_MARK, APLOG_DEBUG, 0, NULL, "calling change_hat DEFAULT_URI");
-    sd_ret = change_hat (DEFAULT_URI_HAT, magic_token);
-    if (sd_ret < 0) change_hat (NULL, magic_token);
+    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "calling change_hat DEFAULT_URI");
+    sd_ret = aa_change_hat(DEFAULT_URI_HAT, magic_token);
+    if (sd_ret < 0) aa_change_hat(NULL, magic_token);
 
     return OK;
 }
@@ -186,14 +201,15 @@ immunix_exit_hat (request_rec *r)
     		ap_get_module_config (r->per_dir_config, &apparmor_module);
     /* immunix_srv_cfg * scfg = (immunix_srv_cfg *)
     		ap_get_module_config (r->server->module_config, &apparmor_module); */
-    ap_log_error (APLOG_MARK, APLOG_DEBUG, 0, NULL, "exiting change_hat - dir hat %s path %s", dcfg->hat_name, dcfg->path);
-    change_hat (NULL, magic_token);
+    ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "exiting change_hat: dir hat %s dir path %s",
+		    dcfg->hat_name, dcfg->path);
+    aa_change_hat(NULL, magic_token);
 
-    sd_ret = change_hat (DEFAULT_HAT, magic_token);
+    sd_ret = aa_change_hat(DEFAULT_HAT, magic_token);
     if (sd_ret < 0) {
-    	change_hat (NULL, magic_token);
-        ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "Failed to change_hat to '%s'",
-			DEFAULT_HAT);
+    	aa_change_hat(NULL, magic_token);
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, errno, r,
+			"Failed to change_hat to '%s'", DEFAULT_HAT);
     } else {
         inside_default_hat = 1;
     }
@@ -204,7 +220,7 @@ immunix_exit_hat (request_rec *r)
 static const char *
 aa_cmd_ch_path (cmd_parms * cmd, void * mconfig, const char * parm1)
 {
-    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "config change hat %s",
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, ap_server_conf, "directory config change hat %s",
     			parm1 ? parm1 : "DEFAULT");
     immunix_dir_cfg * dcfg = mconfig;
     if (parm1 != NULL) {
@@ -221,7 +237,7 @@ static const char *
 immunix_cmd_ch_path (cmd_parms * cmd, void * mconfig, const char * parm1)
 {
     if (path_warn_once == 0) {
-    	ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, "ImmHatName is "
+    	ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, ap_server_conf, "ImmHatName is "
 		     "deprecated, please use AAHatName instead");
 	path_warn_once = 1;
     }
@@ -231,9 +247,10 @@ immunix_cmd_ch_path (cmd_parms * cmd, void * mconfig, const char * parm1)
 static const char *
 aa_cmd_ch_srv (cmd_parms * cmd, void * mconfig, const char * parm1)
 {
-    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, "config change hat %s",
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, ap_server_conf, "server config change hat %s",
     			parm1 ? parm1 : "DEFAULT");
-    immunix_srv_cfg * scfg = mconfig;
+    immunix_srv_cfg * scfg = (immunix_srv_cfg *)
+	    ap_get_module_config(cmd->server->module_config, &apparmor_module);
     if (parm1 != NULL) {
     	scfg->hat_name = parm1;
     } else {
@@ -248,7 +265,7 @@ static const char *
 immunix_cmd_ch_srv (cmd_parms * cmd, void * mconfig, const char * parm1)
 {
     if (srv_warn_once == 0) {
-	ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, "ImmDefaultHatName is "
+	ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, ap_server_conf, "ImmDefaultHatName is "
 		     "deprecated, please use AADefaultHatName instead");
 	srv_warn_once = 1;
     }
@@ -260,9 +277,9 @@ immunix_create_dir_config (apr_pool_t * p, char * path)
 {
     immunix_dir_cfg * newcfg = (immunix_dir_cfg *) apr_pcalloc(p, sizeof(* newcfg));
 
-    ap_log_error (APLOG_MARK, APLOG_DEBUG, 0, NULL, "in immunix_create_dir (%s)", path ? path : ":no path:");
+    ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, ap_server_conf, "in immunix_create_dir (%s)", path ? path : ":no path:");
     if (newcfg == NULL) {
-        ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "immunix_create_dir: couldn't alloc dir config");
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf, "immunix_create_dir: couldn't alloc dir config");
     	return NULL;
     }
     newcfg->path = apr_pstrdup (p, path ? path : ":no path:");
@@ -277,7 +294,7 @@ immunix_merge_dir_config (apr_pool_t * p, void * parent, void * child)
 {
     immunix_dir_cfg * newcfg = (immunix_dir_cfg *) apr_pcalloc(p, sizeof(* newcfg));
 
-    ap_log_error (APLOG_MARK, APLOG_DEBUG, 0, NULL, "in immunix_merge_dir ()");
+    ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, ap_server_conf, "in immunix_merge_dir ()");
     if (newcfg == NULL)
     	return NULL;
 
@@ -290,9 +307,9 @@ immunix_create_srv_config (apr_pool_t * p, server_rec * srv)
 {
     immunix_srv_cfg * newcfg = (immunix_srv_cfg *) apr_pcalloc(p, sizeof(* newcfg));
 
-    ap_log_error (APLOG_MARK, APLOG_DEBUG, 0, NULL, "in immunix_create_srv");
+    ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, ap_server_conf, "in immunix_create_srv");
     if (newcfg == NULL) {
-        ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "immunix_create_srv: couldn't alloc srv config");
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf, "immunix_create_srv: couldn't alloc srv config");
     	return NULL;
     }
 

changehat/mod_apparmor/mod_apparmor.pod

@@ -115,7 +115,7 @@ with the prefork MPM configuration -- threaded configurations of Apache
 may not work correctly.
 
 There are likely other bugs lurking about; if you find any, please report
-them at L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+them at L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

common/Make.rules

@@ -32,6 +32,10 @@ ifndef AWK
 $(error awk utility required for build but not available)
 endif
 
+# Convenience functions
+pathsearch = $(firstword $(wildcard $(addsuffix /$(1),$(subst :, ,$(PATH)))))
+map = $(foreach a,$(2),$(call $(1),$(a)))
+
 # OVERRIDABLE variables
 # Set these variables before including Make.rules to change its behavior
 #   SPECFILE - for packages that have a non-standard specfile name
@@ -132,6 +136,17 @@ endif
 
 endif
 
+ifndef PYTHON_VERSIONS
+PYTHON_VERSIONS = $(call map, pathsearch, python2 python3)
+endif
+
+ifndef PYTHON
+PYTHON = $(firstword ${PYTHON_VERSIONS})
+endif
+
+#Helper function to be used with $(call pyalldo, run_test_with_all.py)
+pyalldo=set -e; $(foreach py, $(PYTHON_VERSIONS), $(py) $(1);)
+
 .PHONY: version
 .SILENT: version
 version:

common/Version

@@ -1 +1 @@
-2.8.1
+2.8.3

libraries/libapparmor/autogen.sh

@@ -1,6 +1,7 @@
 #!/bin/sh
 
 DIE=0
+package=libapparmor
 
 (autoconf --version) < /dev/null > /dev/null 2>&1 || {
         echo
@@ -19,7 +20,7 @@ DIE=0
         DIE=1
 }
 
-(libtool --version) < /dev/null > /dev/null 2>&1 || {
+(libtoolize --version) < /dev/null > /dev/null 2>&1 || {
 	echo
 	echo "You must have libtool installed to compile $package."
 	echo "Download the appropriate package for your system,"

libraries/libapparmor/doc/aa_change_hat.pod

@@ -248,7 +248,7 @@ The output when run:
 =head1 BUGS
 
 None known. If you find any, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>. Note that
+L<https://bugs.launchpad.net/apparmor/+filebug>. Note that
 aa_change_hat(2) provides no memory barriers between different areas of a
 program; if address space separation is required, then separate processes
 should be used.

libraries/libapparmor/doc/aa_change_profile.pod

@@ -197,7 +197,7 @@ used (in addition to the one for 'i_cant_be_trusted_anymore', above):
 =head1 BUGS
 
 None known. If you find any, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>. Note that using
+L<https://bugs.launchpad.net/apparmor/+filebug>. Note that using
 aa_change_profile(2) without execve(2) provides no memory barriers between
 different areas of a program; if address space separation is required, then
 separate processes should be used.

libraries/libapparmor/doc/aa_find_mountpoint.pod

@@ -110,7 +110,7 @@ The apparmor filesystem mount could not be found
 =head1 BUGS
 
 None known. If you find any, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

libraries/libapparmor/doc/aa_getcon.pod

@@ -103,7 +103,7 @@ The confinement data is to large to fit in the supplied buffer.
 =head1 BUGS
 
 None known. If you find any, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

libraries/libapparmor/m4/ac_python_devel.m4

@@ -17,9 +17,9 @@ AC_DEFUN([AC_PYTHON_DEVEL],[
         # Check for a version of Python >= 2.1.0
         #
         AC_MSG_CHECKING([for a version of Python >= '2.1.0'])
-        ac_supports_python_ver=`$PYTHON -c "import sys, string; \
-                ver = string.split(sys.version)[[0]]; \
-                print ver >= '2.1.0'"`
+        ac_supports_python_ver=`$PYTHON -c "import sys; \
+                ver = sys.version.split()[[0]]; \
+                sys.stdout.write(str(ver >= '2.1.0'))"`
         if test "$ac_supports_python_ver" != "True"; then
                 if test -z "$PYTHON_NOVERSIONCHECK"; then
                         AC_MSG_RESULT([no])
@@ -44,9 +44,9 @@ to something else than an empty string.
         #
         if test -n "$1"; then
                 AC_MSG_CHECKING([for a version of Python $1])
-                ac_supports_python_ver=`$PYTHON -c "import sys, string; \
-                        ver = string.split(sys.version)[[0]]; \
-                        print ver $1"`
+                ac_supports_python_ver=`$PYTHON -c "import sys; \
+                        ver = sys.version.split()[[0]]; \
+                        sys.stdout.write("%s\n" % (ver == $1))"`
                 if test "$ac_supports_python_ver" = "True"; then
                    AC_MSG_RESULT([yes])
                 else
@@ -79,9 +79,12 @@ $ac_distutils_result])
         # Check for Python include path
         #
         AC_MSG_CHECKING([for Python include path])
+        if type $PYTHON-config; then
+                PYTHON_CPPFLAGS=`$PYTHON-config --includes`
+        fi
         if test -z "$PYTHON_CPPFLAGS"; then
-                python_path=`$PYTHON -c "import distutils.sysconfig; \
-                        print distutils.sysconfig.get_python_inc();"`
+                python_path=`$PYTHON -c "import sys; import distutils.sysconfig;\
+sys.stdout.write('%s\n' % distutils.sysconfig.get_python_inc());"`
                 if test -n "${python_path}"; then
                         python_path="-I$python_path"
                 fi
@@ -94,25 +97,26 @@ $ac_distutils_result])
         # Check for Python library path
         #
         AC_MSG_CHECKING([for Python library path])
+        if type $PYTHON-config; then
+                PYTHON_LDFLAGS=`$PYTHON-config --ldflags`
+        fi
         if test -z "$PYTHON_LDFLAGS"; then
                 # (makes two attempts to ensure we've got a version number
                 # from the interpreter)
-                py_version=`$PYTHON -c "from distutils.sysconfig import *; \
-                        from string import join; \
-                        print join(get_config_vars('VERSION'))"`
+                py_version=`$PYTHON -c "import sys; from distutils.sysconfig import *; \
+sys.stdout.write('%s\n' % ''.join(get_config_vars('VERSION')))"`
                 if test "$py_version" == "[None]"; then
                         if test -n "$PYTHON_VERSION"; then
                                 py_version=$PYTHON_VERSION
                         else
                                 py_version=`$PYTHON -c "import sys; \
-                                        print sys.version[[:3]]"`
+sys.stdout.write("%s\n" % sys.version[[:3]])"`
                         fi
                 fi
 
-                PYTHON_LDFLAGS=`$PYTHON -c "from distutils.sysconfig import *; \
-                        from string import join; \
-                        print '-L' + get_python_lib(0,1), \
-                        '-lpython';"`$py_version
+                PYTHON_LDFLAGS=`$PYTHON -c "import sys; from distutils.sysconfig import *; \
+sys.stdout.write('-L' + get_python_lib(0,1) + ' -lpython\n')"`$py_version`$PYTHON -c \
+"import sys; sys.stdout.write('%s' % getattr(sys,'abiflags',''))"`
         fi
         AC_MSG_RESULT([$PYTHON_LDFLAGS])
         AC_SUBST([PYTHON_LDFLAGS])
@@ -122,8 +126,8 @@ $ac_distutils_result])
         #
         AC_MSG_CHECKING([for Python site-packages path])
         if test -z "$PYTHON_SITE_PKG"; then
-                PYTHON_SITE_PKG=`$PYTHON -c "import distutils.sysconfig; \
-                        print distutils.sysconfig.get_python_lib(0,0);"`
+                PYTHON_SITE_PKG=`$PYTHON -c "import sys; import distutils.sysconfig; \
+sys.stdout.write('%s\n' % distutils.sysconfig.get_python_lib(0,0));"`
         fi
         AC_MSG_RESULT([$PYTHON_SITE_PKG])
         AC_SUBST([PYTHON_SITE_PKG])
@@ -133,9 +137,9 @@ $ac_distutils_result])
         #
         AC_MSG_CHECKING(python extra libraries)
         if test -z "$PYTHON_EXTRA_LIBS"; then
-           PYTHON_EXTRA_LIBS=`$PYTHON -c "import distutils.sysconfig; \
-                conf = distutils.sysconfig.get_config_var; \
-                print conf('LOCALMODLIBS'), conf('LIBS')"`
+           PYTHON_EXTRA_LIBS=`$PYTHON -c "import sys; import distutils.sysconfig; \
+conf = distutils.sysconfig.get_config_var; \
+sys.stdout.write('%s %s\n' % (conf('LOCALMODLIBS'), conf('LIBS')))"`
         fi
         AC_MSG_RESULT([$PYTHON_EXTRA_LIBS])
         AC_SUBST(PYTHON_EXTRA_LIBS)
@@ -145,9 +149,9 @@ $ac_distutils_result])
         #
         AC_MSG_CHECKING(python extra linking flags)
         if test -z "$PYTHON_EXTRA_LDFLAGS"; then
-                PYTHON_EXTRA_LDFLAGS=`$PYTHON -c "import distutils.sysconfig; \
-                        conf = distutils.sysconfig.get_config_var; \
-                        print conf('LINKFORSHARED')"`
+                PYTHON_EXTRA_LDFLAGS=`$PYTHON -c "import sys; import distutils.sysconfig; \
+conf = distutils.sysconfig.get_config_var; \
+sys.stdout.write('%s\n' % conf('LINKFORSHARED'))"`
         fi
         AC_MSG_RESULT([$PYTHON_EXTRA_LDFLAGS])
         AC_SUBST(PYTHON_EXTRA_LDFLAGS)

libraries/libapparmor/src/Makefile.am

@@ -19,7 +19,7 @@ INCLUDES = $(all_includes)
 #    - set AA_LIB_AGE to 0.
 #
 AA_LIB_CURRENT = 1
-AA_LIB_REVISION = 3
+AA_LIB_REVISION = 5
 AA_LIB_AGE = 0
 
 SUFFIXES = .pc.in .pc

libraries/libapparmor/src/kernel_interface.c

@@ -279,7 +279,8 @@ int aa_getprocattr(pid_t tid, const char *attr, char **buf, char **mode)
 	if (rc == -1) {
 		free(buffer);
 		*buf = NULL;
-		*mode = NULL;
+		if (mode)
+			*mode = NULL;
 	} else
 		*buf = buffer;
 
@@ -333,7 +334,7 @@ int aa_change_hat(const char *subprofile, unsigned long token)
 	int rc = -1;
 	int len = 0;
 	char *buf = NULL;
-	const char *fmt = "changehat %016x^%s";
+	const char *fmt = "changehat %016lx^%s";
 
 	/* both may not be null */
 	if (!(token || subprofile)) {

parser/apparmor.vim.pod

@@ -48,7 +48,7 @@ but it may help you understand your profiles better.
 
 B<apparmor.vim> does not properly detect dark versus light backgrounds.
 Patches accepted. If you find any bugs, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

parser/apparmor_parser.pod

@@ -308,7 +308,7 @@ All other options override previously set values.
 =head1 BUGS
 
 If you find any bugs, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

parser/libapparmor_re/chfa.cc

@@ -92,10 +92,10 @@ CHFA::CHFA(DFA &dfa, map<uchar, uchar> &eq, dfaflags_t flags): eq(eq)
 	default_base.push_back(make_pair(dfa.nonmatching, 0));
 	num.insert(make_pair(dfa.nonmatching, num.size()));
 
-	accept.resize(dfa.states.size());
-	accept2.resize(dfa.states.size());
-	next_check.resize(optimal);
-	free_list.resize(optimal);
+	accept.resize(max(dfa.states.size(), (size_t) 2));
+	accept2.resize(max(dfa.states.size(), (size_t) 2));
+	next_check.resize(max(optimal, (size_t) 256));
+	free_list.resize(next_check.size());
 
 	accept[0] = 0;
 	accept2[0] = 0;

parser/libapparmor_re/parse.y

@@ -57,6 +57,7 @@ static inline Chars* insert_char_range(Chars* cset, uchar a, uchar b)
 
 %pure-parser
 /* %error-verbose */
+%lex-param {YYLEX_PARAM}
 %parse-param {Node **root}
 %parse-param {const char *text}
 %name-prefix = "regex_"

parser/parser_interface.c

@@ -361,7 +361,7 @@ inline int sd_write_blob(sd_serialize *p, void *b, int buf_size, char *name)
 	return 1;
 }
 
-#define align64(X) (((size_t) (X) + (size_t) 7) & ~((size_t) 7))
+#define align64(X) (((X) + (typeof(X)) 7) & ~((typeof(X)) 7))
 inline int sd_write_aligned_blob(sd_serialize *p, void *b, int buf_size,
 				 char *name)
 {
@@ -369,6 +369,7 @@ inline int sd_write_aligned_blob(sd_serialize *p, void *b, int buf_size,
 	u32 tmp;
 	if (!sd_write_name(p, name))
 		return 0;
+
 	pad = align64((p->pos + 5) - p->buffer) - ((p->pos + 5) - p->buffer);
 	if (!sd_prepare_write(p, SD_BLOB, 4 + buf_size + pad))
 		return 0;

parser/parser_main.c

@@ -74,11 +74,12 @@ int skip_read_cache = 0;
 int write_cache = 0;
 int cond_clear_cache = 1;		/* only applies if write is set */
 int force_clear_cache = 0;		/* force clearing regargless of state */
+int create_cache_dir = 0;		/* create the cache dir if missing? */
 int preprocess_only = 0;
 int skip_mode_force = 0;
 struct timespec mru_tstamp;
 
-#define FLAGS_STRING_SIZE 1024
+#define FLAGS_STRING_SIZE 8192
 char *match_string = NULL;
 char *flags_string = NULL;
 char *cacheloc = NULL;
@@ -114,6 +115,7 @@ struct option long_options[] = {
 	{"show-cache",		0, 0, 'k'},
 	{"skip-bad-cache",	0, 0, 129},	/* no short option */
 	{"purge-cache",		0, 0, 130},	/* no short option */
+	{"create-cache-dir",	0, 0, 131},	/* no short option */
 	{"cache-loc",		1, 0, 'L'},
 	{"debug",		0, 0, 'd'},
 	{"dump",		1, 0, 'D'},
@@ -158,6 +160,7 @@ static void display_usage(char *command)
 	       "-W, --write-cache	Save cached profile (force with -T)\n"
 	       "    --skip-bad-cache	Don't clear cache if out of sync\n"
 	       "    --purge-cache	Clear cache regardless of its state\n"
+	       "    --create-cache-dir	Create the cache dir if missing\n"
 	       "-L, --cache-loc n	Set the location of the profile cache\n"
 	       "-q, --quiet		Don't emit warnings\n"
 	       "-v, --verbose		Show profile names as they load\n"
@@ -542,6 +545,9 @@ static int process_arg(int c, char *optarg)
 	case 130:
 		force_clear_cache = 1;
 		break;
+	case 131:
+		create_cache_dir = 1;
+		break;
 	case 'L':
 		cacheloc = strdup(optarg);
 		break;
@@ -1086,13 +1092,7 @@ int process_profile(int option, char *profilename)
 	 */
 	if ((profilename && option != OPTION_REMOVE) && !force_complain &&
 	    !skip_cache) {
-		if (cacheloc) {
-			cachename = strdup(cacheloc);
-			if (!cachename) {
-				PERROR(_("Memory allocation error."));
-				exit(1);
-			}
-		} else if (asprintf(&cachename, "%s/%s/%s", basedir, "cache", basename)<0) {
+		if (asprintf(&cachename, "%s/%s", cacheloc, basename)<0) {
 			PERROR(_("Memory allocation error."));
 			exit(1);
 		}
@@ -1107,7 +1107,7 @@ int process_profile(int option, char *profilename)
 		}
 		if (write_cache) {
 			/* Otherwise, set up to save a cached copy */
-			if (asprintf(&cachetemp, "%s/%s/%s-XXXXXX", basedir, "cache", basename)<0) {
+			if (asprintf(&cachetemp, "%s-XXXXXX", cachename)<0) {
 				perror("asprintf");
 				exit(1);
 			}
@@ -1165,8 +1165,11 @@ out:
 		}
 
 		if (useable_cache) {
-			rename(cachetemp, cachename);
-			if (show_cache)
+			if (rename(cachetemp, cachename) < 0) {
+				pwarn("Warning failed to write cache: %s\n", cachename);
+				unlink(cachetemp);
+			}
+			else if (show_cache)
 				PERROR("Wrote cache: %s\n", cachename);
 		}
 		else {
@@ -1258,35 +1261,47 @@ static int clear_cache_cb(const char *path, __unused struct dirent *dirent,
 
 static int clear_cache_files(const char *path)
 {
-	char *cache;
 	int error;
-
-	if (asprintf(&cache, "%s/cache", path) == -1) {
-		perror("asprintf");
-		exit(1);
-	}
-
-	error = dir_for_each(cache, clear_cache_cb);
-
-	free(cache);
-
+	error = dir_for_each(path, clear_cache_cb);
 	return error;
 }
 
-static int create_cache(const char *path, const char *features)
+static int create_cache(const char *cachedir, const char *path,
+			const char *features)
 {
+	struct stat stat_file;
 	FILE * f = NULL;
 
+	if (clear_cache_files(cacheloc) != 0)
+		goto error;
+
+create_file:
 	f = fopen(path, "w");
 	if (f) {
 		if (fwrite(features, strlen(features), 1, f) != 1 )
-			goto fail;
+			goto error;
 
 		fclose(f);
+
+
+		return 0;
+	}
+
+error:
+	/* does the dir exist? */
+	if (stat(cachedir, &stat_file) == -1 && create_cache_dir) {
+		if (mkdir(cachedir, 0700) == 0)
+			goto create_file;
+		if (show_cache)
+			PERROR(_("Can't create cache directory: %s\n"), cachedir);
+	} else if (!S_ISDIR(stat_file.st_mode)) {
+		if (show_cache)
+			PERROR(_("File in cache directory location: %s\n"), cachedir);
+	} else {
+		if (show_cache)
+			PERROR(_("Can't update cache directory: %s\n"), cachedir);
 	}
 
-	return 0;
-fail:
 	if (show_cache)
 		PERROR("Cache write disabled: cannot create %s\n", path);
 	write_cache = 0;
@@ -1324,8 +1339,8 @@ static void setup_flags(void)
          *  - If cache/.features exists, and does not match flags_string,
          *    force cache reading/writing off.
          */
-	if (asprintf(&cache_features_path, "%s/cache/.features", basedir) == -1) {
-		perror("asprintf");
+	if (asprintf(&cache_features_path, "%s/.features", cacheloc) == -1) {
+		PERROR(_("Memory allocation error."));
 		exit(1);
 	}
 
@@ -1333,11 +1348,9 @@ static void setup_flags(void)
 	if (cache_flags) {
 		if (strcmp(flags_string, cache_flags) != 0) {
 			if (write_cache && cond_clear_cache) {
-				if (clear_cache_files(basedir) ||
-				    create_cache(cache_features_path,
-						 flags_string)) {
+				if (create_cache(cacheloc, cache_features_path,
+						 flags_string))
 					skip_read_cache = 1;
-				}
 			} else {
 				if (show_cache)
 					PERROR("Cache read/write disabled: %s does not match %s\n", FLAGS_FILE, cache_features_path);
@@ -1348,7 +1361,7 @@ static void setup_flags(void)
 		free(cache_flags);
 		cache_flags = NULL;
 	} else if (write_cache) {
-		create_cache(cache_features_path, flags_string);
+		create_cache(cacheloc, cache_features_path, flags_string);
 	}
 
 	free(cache_features_path);
@@ -1378,8 +1391,16 @@ int main(int argc, char *argv[])
 		return retval;
 	}
 
+	/* create the cacheloc once and use it everywhere */
+	if (!cacheloc) {
+		if (asprintf(&cacheloc, "%s/cache", basedir) == -1) {
+			PERROR(_("Memory allocation error."));
+			exit(1);
+		}
+	}
+
 	if (force_clear_cache) {
-		clear_cache_files(basedir);
+		clear_cache_files(cacheloc);
 		exit(0);
 	}
 

parser/subdomain.conf.pod

@@ -96,7 +96,7 @@ module source is no longer installed by default. However, the module has
 been included with the SUSE kernel, so no rebuilding should be necessary.
 
 If you find any additional bugs, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

parser/tst/caching.sh

@@ -12,7 +12,8 @@ fi
 
 # fake base directory
 basedir=$(mktemp -d -t aa-cache-XXXXXX)
-trap "rm -rf $basedir" EXIT
+altcachedir=$(mktemp -d -t aa-alt-cache-XXXXXXXX)
+trap "rm -rf $basedir $altcachedir" EXIT
 mkdir -p $basedir/cache
 
 ARGS="--base $basedir --skip-kernel-load"
@@ -158,3 +159,13 @@ echo "ok"
 echo -n "Cache reading is skipped when parser in \$PATH is newer: "
 (PATH=$basedir/parser/ /bin/sh -c "apparmor_parser $ARGS -v -r $basedir/$profile") | grep -q 'Replacement succeeded for' || { echo "FAIL"; exit 1; }
 echo "ok"
+
+echo -n "Profiles are cached in alternate location when requested: "
+../apparmor_parser $ARGS -q --write-cache --cache-loc $altcachedir -r $basedir/$profile
+[ ! -f $altcachedir/$profile ] && echo "FAIL ($altcachedir/$profile does not exist)" && exit 1
+echo "ok"
+
+echo -n "Cache is loaded from alt location when it exists and features match: "
+../apparmor_parser $ARGS -v -r $basedir/$profile --cache-loc $altcachedir | grep -q 'Cached reload succeeded' || { echo "FAIL"; exit 1; }
+echo "ok"
+

profiles/apparmor.d/abstractions/audio

@@ -55,6 +55,9 @@ owner /{run,dev}/shm/pulse-shm* rwk,
 owner @{HOME}/.pulse-cookie rwk,
 owner @{HOME}/.pulse/ rw,
 owner @{HOME}/.pulse/* rwk,
+owner /{,var/}run/user/*/pulse/  rw,
+owner /{,var/}run/user/*/pulse/* rwk,
+owner @{HOME}/.config/pulse/cookie rwk,
 owner /tmp/pulse-*/ rw,
 owner /tmp/pulse-*/* rw,
 

profiles/apparmor.d/abstractions/base

@@ -100,6 +100,9 @@
   # glibc statvfs
   @{PROC}/filesystems            r,
 
+  # glibc malloc (man 5 proc)
+  @{PROC}/sys/vm/overcommit_memory r,
+
   # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
   # filesystems generally. This does not appreciably decrease security with
   # Ubuntu profiles because the user is expected to have access to files owned

profiles/apparmor.d/abstractions/dbus-session

@@ -10,4 +10,7 @@
 # ------------------------------------------------------------------
 
   /usr/bin/dbus-launch ix,
+
+  # unique per-machine identifier
+  /etc/machine-id r,
   /var/lib/dbus/machine-id r,

profiles/apparmor.d/abstractions/fonts

@@ -18,6 +18,7 @@
   /usr/share/fonts/**                   r,
 
   /etc/fonts/**                         r,
+  /usr/share/fontconfig/conf.avail/**   r,
 
   /opt/kde3/share/fonts/**              r,
 
@@ -30,7 +31,9 @@
   /usr/share/a2ps/fonts/**              r,
   /usr/share/xfce/fonts/**              r,
   /usr/share/ghostscript/fonts/**       r,
+  /usr/share/javascript/*/fonts/**      r,
   /usr/share/texmf/{,*/}fonts/**        r,
+  /usr/share/texlive/texmf-dist/fonts/** r,
   /var/lib/ghostscript/**               r,
 
   @{HOME}/.fonts.conf                   r,
@@ -41,6 +44,11 @@
   @{HOME}/.{,cache/}fontconfig/**     mrl,
   @{HOME}/.fonts.conf.d/                r,
   @{HOME}/.fonts.conf.d/**              r,
+  owner @{HOME}/.config/fontconfig/     r,
+  owner @{HOME}/.config/fontconfig/**   r,
 
   /usr/local/share/fonts/               r,
   /usr/local/share/fonts/**             r,
+
+  # poppler CMap tables
+  /usr/share/poppler/cMap/**            r,

profiles/apparmor.d/abstractions/gnome

@@ -83,6 +83,3 @@
   # mime-types
   /etc/gnome/defaults.list r,
   /usr/share/gnome/applications/mimeinfo.cache r,
-
-  # poppler CMap tables
-  /usr/share/poppler/cMap/** r,

profiles/apparmor.d/abstractions/kerberosclient

@@ -20,7 +20,7 @@
   /usr/lib/@{multiarch}/krb5/plugins/preauth/ r,
   /usr/lib/@{multiarch}/krb5/plugins/preauth/* mr,
 
-  /etc/krb5.keytab            r,
+  /etc/krb5.keytab            rk,
   /etc/krb5.conf              r,
 
   # config files found via strings on libs

profiles/apparmor.d/abstractions/mysql

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2006 Novell/SUSE
+#    Copyright (C) 2013 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -9,5 +10,6 @@
 # ------------------------------------------------------------------
 
    /var/lib/mysql/mysql.sock rw,
-   /usr/share/mysql/charsets/ r,
-   /usr/share/mysql/charsets/*.xml r,
+   /{var/,}run/mysql/mysql.sock rw,
+   /usr/share/{mysql,mysql-community-server,mariadb}/charsets/ r,
+   /usr/share/{mysql,mysql-community-server,mariadb}/charsets/*.xml r,

profiles/apparmor.d/abstractions/p11-kit

@@ -16,6 +16,9 @@
   /usr/lib{,32,64}/pkcs11/*.so mr,
   /usr/lib/@{multiarch}/pkcs11/*.so mr,
 
+  /usr/share/p11-kit/modules/  r,
+  /usr/share/p11-kit/modules/* r,
+
   # p11-kit also supports reading user configuration from ~/.pkcs11 depending
   # on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be
   # included in this abstraction.

profiles/apparmor.d/abstractions/private-files

@@ -15,6 +15,8 @@
   # special attention to (potentially) executable files
   audit deny @{HOME}/bin/** wl,
   audit deny @{HOME}/.config/autostart/** wl,
+  audit deny @{HOME}/.config/upstart/** wl,
+  audit deny @{HOME}/.init/** wl,
   audit deny @{HOME}/.kde{,4}/Autostart/** wl,
   audit deny @{HOME}/.kde{,4}/env/** wl,
   audit deny @{HOME}/.pki/nssdb/*.so{,.[0-9]*} wl,

profiles/apparmor.d/abstractions/private-files-strict

@@ -8,6 +8,7 @@
   audit deny @{HOME}/.gnupg/** mrwkl,
   audit deny @{HOME}/.ssh/** mrwkl,
   audit deny @{HOME}/.gnome2_private/** mrwkl,
+  audit deny @{HOME}/.gnome2/keyrings/** mrwkl,
   audit deny @{HOME}/.mozilla/** mrwkl,
   audit deny @{HOME}/.config/chromium/** mrwkl,
   audit deny @{HOME}/.{,mozilla-}thunderbird/** mrwkl,

profiles/apparmor.d/abstractions/samba

@@ -11,9 +11,12 @@
 
   /etc/samba/* r,
   /usr/share/samba/*.dat r,
+  /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
+  /var/cache/samba/ w,
   /var/lib/samba/**.tdb rwk,
   /var/log/samba/cores/ rw,
   /var/log/samba/cores/** rw,
   /var/log/samba/log.* w,
+  /{,var/}run/samba/ w,
   /{,var/}run/samba/*.tdb rw,
 

profiles/apparmor.d/abstractions/ssl_certs

@@ -17,3 +17,5 @@
   /usr/share/ssl/certs/ca-bundle.crt          r,
   /usr/local/share/ca-certificates/ r,
   /usr/local/share/ca-certificates/** r,
+  /var/lib/ca-certificates/ r,
+  /var/lib/ca-certificates/** r,

profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration

@@ -20,6 +20,7 @@
   # File managers
   /usr/bin/nautilus Cxr -> sanitized_helper,
   /usr/bin/{t,T}hunar Cxr -> sanitized_helper,
+  /usr/bin/dolphin Cxr -> sanitized_helper,
 
   # Themes
   /usr/bin/gnome-appearance-properties Cxr -> sanitized_helper,

profiles/apparmor.d/abstractions/winbind

@@ -13,7 +13,9 @@
   /tmp/.winbindd/pipe  rw,
   /var/{lib,run}/samba/winbindd_privileged/pipe rw,
   /etc/samba/smb.conf         r,
+  /etc/samba/dhcp.conf        r,
   /usr/lib*/samba/valid.dat   r,
   /usr/lib*/samba/upcase.dat  r,
   /usr/lib*/samba/lowcase.dat r,
+  /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
 

profiles/apparmor.d/usr.sbin.dnsmasq

@@ -42,10 +42,10 @@
   @{TFTP_DIR}/ r,
   @{TFTP_DIR}/** r,
 
-  # libvirt lease and hosts files for dnsmasq
+  # libvirt config, lease and hosts files for dnsmasq
   /var/lib/libvirt/dnsmasq/            r,
+  /var/lib/libvirt/dnsmasq/*        r,
   /var/lib/libvirt/dnsmasq/*.leases rw,
-  /var/lib/libvirt/dnsmasq/*.hostsfile r,
 
   # libvirt pid files for dnsmasq
   /{,var/}run/libvirt/network/      r,
@@ -54,6 +54,7 @@
   # NetworkManager integration
   /{,var/}run/nm-dns-dnsmasq.conf r,
   /{,var/}run/sendsigs.omit.d/*dnsmasq.pid w,
+  /{,var/}run/NetworkManager/dnsmasq.conf r,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.sbin.dnsmasq>

profiles/apparmor.d/usr.sbin.nmbd

@@ -11,7 +11,9 @@
 
   /usr/sbin/nmbd mr,
 
+  /var/cache/samba/gencache.tdb rwk,
   /var/{cache,lib}/samba/browse.dat* rw,
+  /var/{cache,lib}/samba/gencache.dat rw,
   /var/{cache,lib}/samba/wins.dat* rw,
   /var/{cache,lib}/samba/smb_krb5/ rw,
   /var/{cache,lib}/samba/smb_krb5/krb5.conf* rw,

profiles/apparmor.d/usr.sbin.nscd

@@ -16,6 +16,7 @@
   #include <abstractions/nameservice>
   #include <abstractions/ssl_certs>
 
+  deny capability block_suspend,
   capability net_bind_service,
   capability setgid,
   capability setuid,
@@ -31,9 +32,9 @@
   /{,var/}run/.nscd_socket wl,
   /{,var/}run/avahi-daemon/socket w,
   /{,var/}run/nscd/ rw,
-  /{,var/}run/nscd/db* wl,
+  /{,var/}run/nscd/db* rwl,
   /{,var/}run/nscd/socket wl,
-  /var/{cache,run}/nscd/{passwd,group,services,hosts} rw,
+  /var/{cache,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
   /{,var/}run/{nscd/,}nscd.pid rwl,
   /var/log/nscd.log rw,
   @{PROC}/[0-9]*/fd/ r,
@@ -41,6 +42,7 @@
   @{PROC}/[0-9]*/maps r,
   @{PROC}/[0-9]*/mounts r,
   @{PROC}/filesystems r,
+  @{PROC}/sys/vm/overcommit_memory r,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.sbin.nscd>

profiles/apparmor.d/usr.sbin.ntpd

@@ -14,6 +14,7 @@
 /usr/sbin/ntpd {
   #include <abstractions/base>
   #include <abstractions/nameservice>
+  #include <abstractions/openssl>
   #include <abstractions/xad>
 
   capability dac_override,
@@ -44,6 +45,8 @@
   /usr/sbin/ntpd rmix,
   /var/lib/ntp/drift rwl,
   /var/lib/ntp/drift.TEMP rwl,
+  /var/lib/ntp/drift/driftfile rw,
+  /var/lib/ntp/drift/driftfile.TEMP rw,
   /var/lib/ntp/drift/ntp.drift rw,
   /var/lib/ntp/drift/ntp.drift.TEMP rw,
   /var/lib/ntp/etc/* r,

profiles/apparmor.d/usr.sbin.smbd

@@ -29,16 +29,21 @@
   /usr/lib*/samba/vfs/*.so mr,
   /usr/lib*/samba/charset/*.so mr,
   /usr/lib*/samba/auth/script.so mr,
-  /usr/lib*/samba/{lowercase,upcase,valid}.dat r,
+  /usr/lib*/samba/pdb/*.so mr,
+  /usr/lib*/samba/{lowercase,lowcase,upcase,valid}.dat r,
   /usr/sbin/smbd mr,
   /usr/sbin/smbldap-useradd Px,
   /var/cache/samba/** rwk,
   /var/cache/samba/printing/printers.tdb mrw,
   /var/lib/samba/** rwk,
   /var/lib/samba/printers/** rw,
+  /var/lib/sss/mc/passwd r,
+  /var/lib/sss/pubconf/kdcinfo.* r,
   /{,var/}run/cups/cups.sock rw,
   /{,var/}run/dbus/system_bus_socket rw,
   /{,var/}run/samba/** rk,
+  /{,var/}run/samba/ncalrpc/ rw,
+  /{,var/}run/samba/ncalrpc/** rw,
   /{,var/}run/samba/smbd.pid rw,
   /var/log/samba/cores/smbd/ rw,
   /var/log/samba/cores/smbd/** rw,

utils/Immunix/AppArmor.pm

@@ -3879,8 +3879,8 @@ sub ask_the_questions() {
                                             $newpath =~ s/\/[^\/]+$/\/\*/;
                                         }
                                     }
-                                    if ($newpath ne $selected) {
-                                        push @options, $newpath;
+                                    if (not grep { $newpath eq $_ } @options) {
+                                        push @options, $newpath;	
                                         $defaultoption = $#options + 1;
                                     }
                                 }
@@ -3896,7 +3896,7 @@ sub ask_the_questions() {
                                     } else {
                                         $newpath =~ s/\/[^\/]+(\.[^\/]+)$/\/\*$1/;
                                     }
-                                    if ($newpath ne $selected) {
+                                    if (not grep { $newpath eq $_ } @options) {
                                         push @options, $newpath;
                                         $defaultoption = $#options + 1;
                                     }

utils/Makefile

@@ -65,7 +65,7 @@ install: ${MANPAGES} ${HTMLMANPAGES}
 	$(MAKE) install_manpages DESTDIR=${DESTDIR}
 	$(MAKE) -C vim install DESTDIR=${DESTDIR}
 	ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8
-	python ${PYSETUP} install --prefix=${PYPREFIX} --root=${DESTDIR} --version=${VERSION}
+	${PYTHON} ${PYSETUP} install --prefix=${PYPREFIX} --root=${DESTDIR} --version=${VERSION}
 
 .PHONY: clean
 ifndef VERBOSE
@@ -105,6 +105,4 @@ check: check_severity_db
 		test -s $$tmpfile && cat $$tmpfile && rm -f $$tmpfile && exit 1; \
 	done || true; \
 	rm -f $$tmpfile
-	for i in test/* ; do \
-		python $$i || exit 1; \
-	done
+	$(foreach test, $(wildcard test/test-*.py), $(call pyalldo, $(test)))

utils/aa-audit.pod

@@ -16,7 +16,7 @@ In this mode security policy is enforced and all access (successes and failures)
 =head1 BUGS
 
 If you find any bugs, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

utils/aa-autodep.pod

@@ -42,7 +42,7 @@ recursively calling ldd(1) on the executables listed on the command line.
 This program does not perform full static analysis of executables, so
 the profiles generated are necessarily incomplete. If you find any bugs,
 please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

utils/aa-complain.pod

@@ -37,7 +37,7 @@ violations are logged to the system log.
 =head1 BUGS
 
 If you find any bugs, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

utils/aa-disable.pod

@@ -39,7 +39,7 @@ behavior.
 =head1 BUGS
 
 If you find any bugs, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

utils/aa-easyprof

@@ -35,7 +35,7 @@ if __name__ == "__main__":
 
     try:
         easyp = apparmor.easyprof.AppArmorEasyProfile(binary, opt)
-    except AppArmorException, e:
+    except AppArmorException as e:
         error(e.value)
     except Exception:
         raise
@@ -61,5 +61,5 @@ if __name__ == "__main__":
     # if we made it here, generate a profile
     params = apparmor.easyprof.gen_policy_params(binary, opt)
     p = easyp.gen_policy(**params)
-    print p,
+    sys.stdout.write('%s\n' % p)
 

utils/aa-enforce.pod

@@ -41,7 +41,7 @@ be run to change this behavior.
 =head1 BUGS
 
 If you find any bugs, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

utils/aa-exec.pod

@@ -87,7 +87,7 @@ aa-exec.
 =head1 BUGS
 
 If you find any bugs, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

utils/aa-genprof.pod

@@ -73,7 +73,7 @@ and any other profiles that were generated, into enforce mode and exit.
 =head1 BUGS
 
 If you find any bugs, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

utils/aa-logprof.pod

@@ -155,7 +155,7 @@ user wants to quit. See capability(7) for details.
 =head1 BUGS
 
 If you find any bugs, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

utils/aa-status.pod

@@ -116,7 +116,7 @@ the apparmor control files.
 =back
 
 If you find any additional bugs, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

utils/aa-unconfined

@@ -60,7 +60,7 @@ if ($paranoid) {
     @pids = grep { /^\d+$/ } readdir(PROC);
     closedir(PROC);
 } else {
-    if (open(NETSTAT, "/bin/netstat -nlp |")) {
+    if (open(NETSTAT, "LANG=C /bin/netstat -nlp |")) {
         while (<NETSTAT>) {
             chomp;
             push @pids, $5

utils/aa-unconfined.pod

@@ -47,7 +47,7 @@ program is unsuitable for forensics use and is provided only as an aid
 to profiling all network-accessible processes in the lab.
 
 If you find any bugs, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

utils/apparmor/easyprof.py

@@ -8,6 +8,8 @@
 #
 # ------------------------------------------------------------------
 
+from __future__ import with_statement
+
 import codecs
 import glob
 import optparse
@@ -40,7 +42,7 @@ DEBUGGING = False
 def error(out, exit_code=1, do_exit=True):
     '''Print error message and exit'''
     try:
-        print >> sys.stderr, "ERROR: %s" % (out)
+        sys.stderr.write("ERROR: %s\n" % (out))
     except IOError:
         pass
 
@@ -51,7 +53,7 @@ def error(out, exit_code=1, do_exit=True):
 def warn(out):
     '''Print warning message'''
     try:
-        print >> sys.stderr, "WARN: %s" % (out)
+        sys.stderr.write("WARN: %s\n" % (out))
     except IOError:
         pass
 
@@ -59,7 +61,7 @@ def warn(out):
 def msg(out, output=sys.stdout):
     '''Print message'''
     try:
-        print >> output, "%s" % (out)
+        sys.stdout.write("%s\n" % (out))
     except IOError:
         pass
 
@@ -70,7 +72,7 @@ def cmd(command):
     try:
         sp = subprocess.Popen(command, stdout=subprocess.PIPE,
                               stderr=subprocess.STDOUT)
-    except OSError, ex:
+    except OSError as ex:
         return [127, str(ex)]
 
     out = sp.communicate()[0]
@@ -82,7 +84,7 @@ def cmd_pipe(command1, command2):
     try:
         sp1 = subprocess.Popen(command1, stdout=subprocess.PIPE)
         sp2 = subprocess.Popen(command2, stdin=sp1.stdout)
-    except OSError, ex:
+    except OSError as ex:
         return [127, str(ex)]
 
     out = sp2.communicate()[0]
@@ -93,7 +95,7 @@ def debug(out):
     '''Print debug message'''
     if DEBUGGING:
         try:
-            print >> sys.stderr, "DEBUG: %s" % (out)
+            sys.stderr.write("DEBUG: %s\n" % (out))
         except IOError:
             pass
 
@@ -181,6 +183,8 @@ def verify_policy(policy):
         fn = policy
     else:
         f, fn = tempfile.mkstemp(prefix='aa-easyprof')
+        if not isinstance(policy, bytes):
+            policy = policy.encode('utf-8')
         os.write(f, policy)
         os.close(f)
 
@@ -219,9 +223,9 @@ class AppArmorEasyProfile:
         if opt.policy_groups_dir and os.path.isdir(opt.policy_groups_dir):
             self.dirs['policygroups'] = os.path.abspath(opt.policy_groups_dir)
 
-        if not self.dirs.has_key('templates'):
+        if not 'templates' in self.dirs:
             raise AppArmorException("Could not find templates directory")
-        if not self.dirs.has_key('policygroups'):
+        if not 'policygroups' in self.dirs:
             raise AppArmorException("Could not find policygroups directory")
 
         self.aa_topdir = "/etc/apparmor.d"
@@ -445,11 +449,12 @@ class AppArmorEasyProfile:
 
 def print_basefilenames(files):
     for i in files:
-        print "%s" % (os.path.basename(i))
+        sys.stdout.write("%s\n" % (os.path.basename(i)))
 
 def print_files(files):
     for i in files:
-        print open(i).read()
+        with open(i) as f:
+            sys.stdout.write(f.read()+"\n")
 
 def parse_args(args=None):
     '''Parse arguments'''

utils/logprof.conf.pod

@@ -103,7 +103,7 @@ Lines starting with # are comments and are ignored.
 =head1 BUGS
 
 If you find any bugs, please report them at
-L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 

utils/po/de.po

@@ -1,4 +1,5 @@
 # Copyright (C) 2006 SuSE Linux Products GmbH, Nuernberg
+# Copyright (C) 2013 Christian Boltz
 # This file is distributed under the same license as the package.
 #
 msgid ""
@@ -6,14 +7,17 @@ msgstr ""
 "Project-Id-Version: apparmor-utils\n"
 "Report-Msgid-Bugs-To: apparmor-general@forge.novell.com\n"
 "POT-Creation-Date: 2008-09-22 22:56-0700\n"
-"PO-Revision-Date: 2009-02-05 13:38\n"
-"Last-Translator: Novell Language <language@novell.com>\n"
+"PO-Revision-Date: 2013-09-13 21:05+0200\n"
+"Last-Translator: Christian Boltz <apparmor@cboltz.de>\n"
 "Language-Team: Novell Language <language@novell.com>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"Language: de\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
 
 #: ../genprof:69
+#, fuzzy
 msgid "Please enter the program to profile: "
 msgstr "Geben Sie das Programm für das Profil ein: "
 
@@ -52,12 +56,12 @@ msgstr "Syntax: %s [ -d /pfad/zu/profilen ] [ -f /pfad/zu/protokolldatei ] [ pro
 #: ../logprof:72
 #, perl-format
 msgid "usage: %s [ -d /path/to/profiles ] [ -f /path/to/logfile ] [ -m \"mark in log to start processing after\""
-msgstr "Syntax: %s [ -d /pfad/zu/profilen ] [ -f /pfad/zu/protokolldatei ] [ -m \"markierng im protokoll, nach der die verarbeitung gestartet werden soll\""
+msgstr "Syntax: %s [ -d /pfad/zu/profilen ] [ -f /pfad/zu/protokolldatei ] [ -m \"Markierng im Protokoll, nach der die Verarbeitung gestartet werden soll\""
 
 #: ../autodep:63
 #, perl-format
 msgid "Can't find AppArmor profiles in %s."
-msgstr "In %s wurden keine Unterdomänenprofile gefunden."
+msgstr "In %s wurden keine AppArmor-Profile gefunden."
 
 #: ../autodep:71
 msgid "Please enter the program to create a profile for: "
@@ -86,7 +90,7 @@ msgstr "%s wird in Prüfmodus versetzt."
 #: ../audit:131
 #, perl-format
 msgid "usage: %s [ -d /path/to/profiles ] [ program to switch to audit mode ]"
-msgstr "Syntax: %s [ -d /pfad/zu/profilen ] [ programm, das in den prüfmodus versetzt werden soll ]"
+msgstr "Syntax: %s [ -d /pfad/zu/profilen ] [ Programm, das in den Prüfmodus versetzt werden soll ]"
 
 #: ../complain:64
 msgid "Please enter the program to switch to complain mode: "
@@ -100,7 +104,7 @@ msgstr "%s wird in Meldungsmodus versetzt."
 #: ../complain:131
 #, perl-format
 msgid "usage: %s [ -d /path/to/profiles ] [ program to switch to complain mode ]"
-msgstr "Syntax: %s [ -d /pfad/zu/profilen ] [ programm, das in den meldungsmodus versetzt werden soll ]"
+msgstr "Syntax: %s [ -d /pfad/zu/profilen ] [ Programm, das in den Meldungsmodus versetzt werden soll ]"
 
 #: ../enforce:64
 msgid "Please enter the program to switch to enforce mode: "
@@ -109,12 +113,12 @@ msgstr "Geben Sie das Programm an, das in den Erzwingen-Modus versetzt werden so
 #: ../enforce:105 ../AppArmor.pm:592
 #, perl-format
 msgid "Setting %s to enforce mode."
-msgstr "Einstellungen %s für Erwzingungsmodus"
+msgstr "%s wird in den Erwzingen-Modus versetzt."
 
 #: ../enforce:131
 #, perl-format
 msgid "usage: %s [ -d /path/to/profiles ] [ program to switch to enforce mode ]"
-msgstr "Syntax: %s [ -d /pfad/zu/profilen ] [ programm, das in den erzwingen-modus versetzt werden soll ]"
+msgstr "Syntax: %s [ -d /pfad/zu/profilen ] [ Programm, das in den Erzwingen-Modus versetzt werden soll ]"
 
 #: ../unconfined:50
 #, perl-format
@@ -193,7 +197,7 @@ msgstr "Möchten Sie die neu erstellten Profile hochladen?"
 
 #: ../AppArmor.pm:1159
 msgid "Select which of the changed profiles you would like to upload\nto the repository"
-msgstr "Wählen Sie die geänderten Profile aus, die Sie an das Repository \nhochladen möchten"
+msgstr "Wählen Sie die geänderten Profile aus, die Sie in das Repository \nhochladen möchten"
 
 #: ../AppArmor.pm:1161
 msgid "Changed profiles"
@@ -210,7 +214,7 @@ msgstr "Die folgenden Profile im Repository wurden geändert.\nMöchten Sie Ihre
 #: ../AppArmor.pm:1236 ../AppArmor.pm:1316
 #, perl-format
 msgid "WARNING: An error occured while uploading the profile %s\n%s\n"
-msgstr "ACHTUNG: Fehler beim Heraufladen von Profil %s\n%s\n"
+msgstr "ACHTUNG: Fehler beim Hochladen von Profil %s\n%s\n"
 
 #: ../AppArmor.pm:1241
 msgid "Uploaded changes to repository."
@@ -223,11 +227,11 @@ msgstr "Protokolleintrag: "
 #: ../AppArmor.pm:1311
 #, perl-format
 msgid "Uploaded %s to repository."
-msgstr "'%s' an Repository hochgeladen."
+msgstr "'%s' ins Repository hochgeladen."
 
 #: ../AppArmor.pm:1322
 msgid "Repository Error\nRegistration or Signin was unsuccessful. User login\ninformation is required to upload profiles to the\nrepository. These changes have not been sent.\n"
-msgstr "Repository-Fehler\nRegistrierung oder Anmeldung war erfolglos. Die Anmeldeinformationen\ndes Nutzers werden benötigt, um Profile in das Repository\n heraufzuladen. Diese Änderungen wurden nicht gesendet.\n"
+msgstr "Repository-Fehler\nRegistrierung oder Anmeldung war erfolglos. Die Anmeldeinformationen\ndes Nutzers werden benötigt, um Profile in das Repository\n hochzuladen. Diese Änderungen wurden nicht gesendet.\n"
 
 #: ../AppArmor.pm:1379 ../AppArmor.pm:1419
 msgid "(Y)es"
@@ -251,7 +255,7 @@ msgstr "Möchten Sie diese Gruppe von Profiländerungen wirklich verwerfen und d
 
 #: ../AppArmor.pm:1748
 msgid "Abandoning all changes."
-msgstr "Alle Änderungen verwerfen?"
+msgstr "Alle Änderungen verworfen."
 
 #: ../AppArmor.pm:1854
 msgid "Default Hat"
@@ -259,7 +263,7 @@ msgstr "Standard-Hat"
 
 #: ../AppArmor.pm:1856
 msgid "Requested Hat"
-msgstr "Hat angefordert"
+msgstr "Angeforderter Hat"
 
 #: ../AppArmor.pm:2142
 msgid "Program"
@@ -387,16 +391,17 @@ msgstr "Änderungen im Erzwingen-Modus:"
 #: ../AppArmor.pm:3250
 #, perl-format
 msgid "Invalid mode found: %s"
-msgstr "Ungültige Option: %s"
+msgstr "Ungültiger Modus gefunden: %s"
 
 #: ../AppArmor.pm:3301 ../AppArmor.pm:3334
+#, fuzzy
 msgid "Capability"
 msgstr "Funktion"
 
 #: ../AppArmor.pm:3354 ../AppArmor.pm:3628 ../AppArmor.pm:3875
 #, perl-format
 msgid "Adding #include <%s> to profile."
-msgstr "#include <%s> zum Profil hinzufügen."
+msgstr "#include <%s> zum Profil hinzugefügt."
 
 #: ../AppArmor.pm:3357 ../AppArmor.pm:3629 ../AppArmor.pm:3669
 #: ../AppArmor.pm:3879
@@ -405,12 +410,12 @@ msgid "Deleted %s previous matching profile entries."
 msgstr "%s vorherige übereinstimmende Profileinträge wurden gelöscht."
 
 #: ../AppArmor.pm:3368
-#, perl-format
+#, fuzzy, perl-format
 msgid "Adding capability %s to profile."
 msgstr "Funktion %s wird dem Profil hinzugefügt."
 
 #: ../AppArmor.pm:3373
-#, perl-format
+#, fuzzy, perl-format
 msgid "Denying capability %s to profile."
 msgstr "Funktion %s wird dem Profil verweigert."
 
@@ -457,7 +462,7 @@ msgstr "Neuen Pfad eingeben: "
 
 #: ../AppArmor.pm:3687
 msgid "The specified path does not match this log entry:"
-msgstr "Der angegebene Pfad stimmt nicht mit dem Protokolleintrag überein."
+msgstr "Der angegebene Pfad stimmt nicht mit dem Protokolleintrag überein:"
 
 #: ../AppArmor.pm:3688
 msgid "Log Entry"
@@ -482,17 +487,17 @@ msgstr "Socket-Typ"
 #: ../AppArmor.pm:3905
 #, perl-format
 msgid "Adding network access %s %s to profile."
-msgstr "Netzwerkzugriff '%s' '%s' wird zu Profil hinzugefügt."
+msgstr "Netzwerkzugriff '%s' '%s' wird zum Profil hinzugefügt."
 
 #: ../AppArmor.pm:3924
 #, perl-format
 msgid "Denying network access %s %s to profile."
-msgstr "Netzwerkzugriff '%s' '%s' auf Profil wird verweigert."
+msgstr "Netzwerkzugriff '%s' '%s' wird dem Profil verweigert."
 
 #: ../AppArmor.pm:4132
 #, perl-format
 msgid "Reading log entries from %s."
-msgstr "%s Mailserver-Domains werden eingelesen..."
+msgstr "Protokolleinträge von %s werden eingelesen."
 
 #: ../AppArmor.pm:4133
 #, perl-format
@@ -572,6 +577,7 @@ msgid "Invalid hotkey in default item"
 msgstr "Ungültige Tastenkombination in Standardelement"
 
 #: ../AppArmor.pm:6392
+#, fuzzy
 msgid "Invalid default"
 msgstr "Ungültiger Standard"
 

utils/po/hu.po

@@ -333,11 +333,11 @@ msgstr ""
 
 #: ../AppArmor.pm:1379 ../AppArmor.pm:1419
 msgid "(Y)es"
-msgstr "Igen"
+msgstr "(I)gen"
 
 #: ../AppArmor.pm:1380 ../AppArmor.pm:1420
 msgid "(N)o"
-msgstr "Nem"
+msgstr "(N)em"
 
 #: ../AppArmor.pm:1383 ../AppArmor.pm:1424
 msgid "Invalid hotkey for"

utils/test/test-aa-easyprof.py

@@ -101,6 +101,7 @@ TEMPLATES_DIR="%s/templates"
     def tearDown(self):
         '''Teardown for tests'''
         if os.path.exists(self.tmpdir):
+            sys.stdout.write("%s\n" % self.tmpdir)
             recursive_rm(self.tmpdir)
 
 #
@@ -328,7 +329,7 @@ POLICYGROUPS_DIR="%s/templates"
     def test_binary_symlink(self):
         '''Test binary (symlink)'''
         exe = os.path.join(self.tmpdir, 'exe')
-        open(exe, 'wa').close()
+        open(exe, 'a').close()
         symlink = exe + ".lnk"
         os.symlink(exe, symlink)
 
@@ -441,7 +442,7 @@ POLICYGROUPS_DIR="%s/templates"
         self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
 
         if debugging:
-            print p
+            sys.stdout.write("%s\n" % p)
 
         return p
 
@@ -859,7 +860,7 @@ if __name__ == '__main__':
     # Create the necessary files to import aa-easyprof
     init = os.path.join(os.path.dirname(absfn), '__init__.py')
     if not os.path.exists(init):
-        open(init, 'wa').close()
+        open(init, 'a').close()
         created.append(init)
 
     symlink = os.path.join(os.path.dirname(absfn), 'easyprof.py')

utils/vim/Makefile

@@ -14,12 +14,15 @@ VIM_INSTALL_PATH=${DESTDIR}/usr/share/apparmor
 all: apparmor.vim
 
 apparmor.vim: apparmor.vim.in Makefile create-apparmor.vim.py
-	python create-apparmor.vim.py > $@
+	${PYTHON} create-apparmor.vim.py > apparmor.vim
 
 install: apparmor.vim
 	install -d $(VIM_INSTALL_PATH)
 	install -m 644 $< $(VIM_INSTALL_PATH)
 
+test: apparmor.vim.in Makefile create-apparmor.vim.py
+	#Testing with all pythons
+	$(call pyalldo, create-apparmor.vim.py > /dev/null)
 
 clean:
 	rm -f apparmor.vim common

utils/vim/create-apparmor.vim.py

@@ -10,7 +10,6 @@
 #    Christian Boltz <apparmor@cboltz.de>
 
 from __future__ import with_statement
-import os
 import re
 import subprocess
 import sys
@@ -30,9 +29,9 @@ def cmd(command, input = None, stderr = subprocess.STDOUT, stdout = subprocess.P
     return a textual error if it failed.'''
 
     try:
-        sp = subprocess.Popen(command, stdin=stdin, stdout=stdout, stderr=stderr, close_fds=True)
-    except OSError, e:
-        return [127, str(e)]
+        sp = subprocess.Popen(command, stdin=stdin, stdout=stdout, stderr=stderr, close_fds=True, universal_newlines=True)
+    except OSError as ex:
+        return [127, str(ex)]
 
     out, outerr = sp.communicate(input)
 
@@ -47,7 +46,7 @@ def cmd(command, input = None, stderr = subprocess.STDOUT, stdout = subprocess.P
 # get capabilities list
 (rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_capabilities'])
 if rc != 0:
-    print >>sys.stderr, ("make list_capabilities failed: " + output)
+    sys.stderr.write("make list_capabilities failed: " + output)
     exit(rc)
 
 capabilities = re.sub('CAP_', '', output.strip()).lower().split(" ")
@@ -59,7 +58,7 @@ for cap in capabilities:
 # get network protos list
 (rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
 if rc != 0:
-    print >>sys.stderr, ("make list_af_names failed: " + output)
+    sys.stderr.write("make list_af_names failed: " + output)
     exit(rc)
 
 af_names = []
@@ -78,7 +77,7 @@ aa_network_types=r'\s+tcp|\s+udp|\s+icmp'
 
 aa_flags=['complain',
           'audit',
-          'attach_disconnect',
+          'attach_disconnected',
           'no_attach_disconnected',
           'chroot_attach',
           'chroot_no_attach',
@@ -105,7 +104,7 @@ aa_regex_map = {
 }
 
 def my_repl(matchobj):
-    #print matchobj.group(1)
+    matchobj.group(1)
     if matchobj.group(1) in aa_regex_map:
         return aa_regex_map[matchobj.group(1)]
 
@@ -113,7 +112,7 @@ def my_repl(matchobj):
 
 regex = "@@(" + "|".join(aa_regex_map) + ")@@"
 
-with file("apparmor.vim.in") as template:
+with open("apparmor.vim.in") as template:
     for line in template:
         line = re.sub(regex, my_repl, line.rstrip())
-        print line
+        sys.stdout.write('%s\n' % line)