profiles: adjust abstractions/python for python 3.7

Python 3.7 was released yesterday - and to make the abstraction
future-proof, also cover 3.8 and 3.9 in advance ;-)

(cherry picked from commit 01f41fbff8)

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/139

common/Version

@@ -1 +1 @@
-2.9.3
+2.9.5

libraries/libapparmor/autogen.sh

@@ -38,6 +38,6 @@ aclocal
 echo "Running autoconf"
 autoconf --force
 echo "Running libtoolize"
-libtoolize --automake -c
+libtoolize --automake -c --force
 echo "Running automake"
 automake -ac

libraries/libapparmor/src/scanner.l

@@ -178,7 +178,7 @@ syslog_month 		Jan(uary)?|Feb(ruary)?|Mar(ch)?|Apr(il)?|May|Jun(e)?|Jul(y)?|Aug(
 hhmmss			{digit}{2}{colon}{digit}{2}{colon}{digit}{2}
 timezone		({plus}|{minus}){digit}{2}{colon}{digit}{2}
 syslog_time 		{hhmmss}({period}{digits})?{timezone}?
-syslog_hostname		[[:alnum:]_-]+
+syslog_hostname		[[:alnum:]._-]+
 dmesg_timestamp		\[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]
 
 %x single_quoted_string

libraries/libapparmor/testsuite/test_multi/change_onexec_lp1648143.in

@@ -0,0 +1 @@
+[103975.623545] audit: type=1400 audit(1481284511.494:2807): apparmor="DENIED" operation="change_onexec" info="no new privs" error=-1 namespace="root//lxd-tor_<var-lib-lxd>" profile="unconfined" name="system_tor" pid=18593 comm="(tor)" target="system_tor"

libraries/libapparmor/testsuite/test_multi/change_onexec_lp1648143.out

@@ -0,0 +1,15 @@
+START
+File: change_onexec_lp1648143.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1481284511.494:2807
+Operation: change_onexec
+Profile: unconfined
+Name: system_tor
+Command: (tor)
+Name2: system_tor
+Namespace: root//lxd-tor_<var-lib-lxd>
+Info: no new privs
+ErrorCode: 1
+PID: 18593
+Epoch: 1481284511
+Audit subid: 2807

libraries/libapparmor/testsuite/test_multi/file_chown.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1465133533.431:728): apparmor="DENIED" operation="chown" profile="/usr/sbin/cupsd" name="/run/cups/certs/" pid=8515 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=4

libraries/libapparmor/testsuite/test_multi/file_chown.out

@@ -0,0 +1,15 @@
+START
+File: file_chown.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1465133533.431:728
+Operation: chown
+Mask: w
+Denied Mask: w
+fsuid: 0
+ouid: 4
+Profile: /usr/sbin/cupsd
+Name: /run/cups/certs/
+Command: cupsd
+PID: 8515
+Epoch: 1465133533
+Audit subid: 728

libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.in

@@ -0,0 +1 @@
+Sep 14 18:49:13 mfa-mia-74-app-rabbitmq-1.mia.ix.int kernel: [964718.247816] type=1400 audit(1442256553.643:40143): apparmor="ALLOWED" operation="open" profile="/opt/evoke/venv/bin/gunicorn" name="/opt/evoke/venv/lib/python2.7/warnings.pyc" pid=28943 comm="gunicorn" requested_mask="r" denied_mask="r" fsuid=1000 ouid=110

libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.out

@@ -0,0 +1,15 @@
+START
+File: syslog_hostname_with_dot.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1442256553.643:40143
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 110
+Profile: /opt/evoke/venv/bin/gunicorn
+Name: /opt/evoke/venv/lib/python2.7/warnings.pyc
+Command: gunicorn
+PID: 28943
+Epoch: 1442256553
+Audit subid: 40143

libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in

@@ -0,0 +1 @@
+Jul 29 11:42:05 files kernel: [483212.877816] audit: type=1400 audit(1469785325.122:21021): apparmor="ALLOWED" operation="file_inherit" profile="/usr/bin/nginx-amplify-agent.py//null-/bin/dash" pid=18239 comm="sh" laddr=192.168.10.3 lport=50758 faddr=54.153.70.241 fport=443 family="inet" sock_type="stream" protocol=6 requested_mask="send receive" denied_mask="send receive"

libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out

@@ -0,0 +1,19 @@
+START
+File: testcase_network_send_receive.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1469785325.122:21021
+Operation: file_inherit
+Mask: send receive
+Denied Mask: send receive
+Profile: /usr/bin/nginx-amplify-agent.py//null-/bin/dash
+Command: sh
+PID: 18239
+Network family: inet
+Socket type: stream
+Protocol: tcp
+Local addr: 192.168.10.3
+Foreign addr: 54.153.70.241
+Local port: 50758
+Foreign port: 443
+Epoch: 1469785325
+Audit subid: 21021

libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.in

@@ -0,0 +1 @@
+Feb 21 23:22:01 mail-20170118 kernel: [1222198.459750] audit: type=1400 audit(1487719321.954:218): apparmor="ALLOWED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=19941 comm="apache2"

libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.out

@@ -0,0 +1,12 @@
+START
+File: unconfined-change_hat.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1487719321.954:218
+Operation: change_hat
+Profile: unconfined
+Command: apache2
+Info: unconfined can not change_hat
+ErrorCode: 1
+PID: 19941
+Epoch: 1487719321
+Audit subid: 218

parser/Makefile

@@ -181,7 +181,7 @@ $(LIBAPPARMOR_A):
 		echo "error: $@ is missing. Pick one of these possible solutions:" 1>&2; \
 		echo "  1) Build against the in-tree libapparmor by building it first and then trying again. See the top-level README for help." 1>&2; \
 		echo "  2) Build against the system libapparmor by adding USE_SYSTEM=1 to your make command." 1>&2;\
-		return 1; \
+		exit 1; \
 	fi
 endif
 

parser/af_unix.cc

@@ -196,16 +196,20 @@ static void writeu16(std::ostringstream &o, int v)
 #define CMD_OPT		4
 
 void unix_rule::downgrade_rule(Profile &prof) {
+	unsigned int mask = (unsigned int) -1;
+
 	if (!prof.net.allow && !prof.alloc_net_table())
 		yyerror(_("Memory allocation error."));
+	if (sock_type_n != -1)
+		mask = 1 << sock_type_n;
 	if (deny) {
-		prof.net.deny[AF_UNIX] |= 1 << sock_type_n;
+		prof.net.deny[AF_UNIX] |= mask;
 		if (!audit)
-			prof.net.quiet[AF_UNIX] |= 1 << sock_type_n;
+			prof.net.quiet[AF_UNIX] |= mask;
 	} else {
-		prof.net.allow[AF_UNIX] |= 1 << sock_type_n;
+		prof.net.allow[AF_UNIX] |= mask;
 		if (audit)
-			prof.net.audit[AF_UNIX] |= 1 << sock_type_n;
+			prof.net.audit[AF_UNIX] |= mask;
 	}
 }
 

parser/apparmor.d.pod

@@ -966,7 +966,8 @@ must be made before the start of the profile.
 
 The parser will automatically expand variables to include all values
 that they have been assigned; it is an error to reference a variable
-without setting at least one value.
+without setting at least one value. You can use empty quotes ("") to
+explicitly add an empty value.
 
 At the time of this writing, the following variables are defined in the
 provided AppArmor policy:

parser/apparmor_parser.pod

@@ -46,7 +46,7 @@ program. The B<profiles> may be specified by file name or a directory
 name containing a set of profiles. If a directory is specified then the
 B<apparmor_parser> will try to do a profile load for each file in the
 directory that is not a dot file, or explicitly black listed (*.dpkg-new,
-*.dpkg-old, *.dpkg-dist, *-dpkg-bak, *.repnew, *.rpmsave, *orig, *.rej,
+*.dpkg-old, *.dpkg-dist, *-dpkg-bak, *.rpmnew, *.rpmsave, *orig, *.rej,
 *~). The B<apparmor_parser> will fall back to taking input from standard
 input if a profile or directory is not supplied.
 
@@ -282,7 +282,7 @@ it so that policy can't complete compilation due to size constraints
 take days or longer to compile).
 
 Note: The parser is set to use a balanced default set of flags, that
-will result in resonable compression but not take excessive amounts
+will result in reasonable compression but not take excessive amounts
 of time to complete.
 
 Use --help=optimize to see a full list of which optimization flags are

parser/libapparmor_re/expr-tree.h

@@ -672,7 +672,7 @@ public:
 
 	~hashedNodeVec()
 	{
-		delete nodes;
+		delete [] nodes;
 	}
 
 	unsigned long size()const { return len; }

parser/rc.apparmor.functions

@@ -451,34 +451,7 @@ __apparmor_restart() {
 
 	configure_owlsm
 	parse_profiles reload
-	# Clean out running profiles not associated with the current profile
-	# set, excluding the libvirt dynamically generated profiles.
-	# Note that we reverse sort the list of profiles to remove to
-	# ensure that child profiles (e.g. hats) are removed before the
-	# parent. We *do* need to remove the child profile and not rely
-	# on removing the parent profile when the profile has had its
-	# child profile names changed.
-	profiles_names_list | awk '
-BEGIN {
-  while (getline < "'${SFS_MOUNTPOINT}'/profiles" ) {
-    str = sub(/ \((enforce|complain)\)$/, "", $0);
-    if (match($0, /^libvirt-[0-9a-f\-]+$/) == 0)
-      arr[$str] = $str
-  }
-}
 
-{ if (length(arr[$0]) > 0) { delete arr[$0] } }
-
-END {
-  for (key in arr)
-    if (length(arr[key]) > 0) {
-      printf("%s\n", arr[key])
-    }
-}
-' | LC_COLLATE=C sort -r | while IFS= read profile ; do
-		echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
-	done
-	# will not catch all errors, but still better than nothing
 	rc=$?
 	aa_log_end_msg $rc
 	return $rc

profiles/Makefile

@@ -40,6 +40,9 @@ EXTRAS_SOURCE=./apparmor/profiles/extras/
 SUBDIRS=$(shell find ${PROFILES_SOURCE} -type d -print)
 TOPLEVEL_PROFILES=$(filter-out ${SUBDIRS}, $(wildcard ${PROFILES_SOURCE}/*))
 
+# $(PWD) is wrong when using "make -C profiles" - explicitely set it here to get the right value
+PWD=$(shell pwd)
+
 local:
 	for profile in ${TOPLEVEL_PROFILES}; do \
 		fn=$$(basename $$profile); \

profiles/apparmor.d/abstractions/X

@@ -17,13 +17,15 @@
 
   # .Xauthority files required for X connections, per user
   owner @{HOME}/.Xauthority r,
+  owner @{HOME}/.local/share/sddm/.Xauthority r,
   owner /{,var/}run/gdm{,3}/*/database r,
   owner /{,var/}run/lightdm/authority/[0-9]* r,
   owner /{,var/}run/lightdm/*/xauthority r,
   owner /{,var/}run/user/*/gdm/Xauthority r,
+  owner /{,var/}run/user/*/X11/Xauthority r,
 
   # the unix socket to use to connect to the display
-  /tmp/.X11-unix/*           w,
+  /tmp/.X11-unix/* rw,
   unix (connect, receive, send)
        type=stream
        peer=(addr="@/tmp/.X11-unix/X[0-9]*"),

profiles/apparmor.d/abstractions/apache2-common

@@ -8,6 +8,8 @@
   signal (receive) peer=unconfined,
   # Allow apache to send us signals by default
   signal (receive) peer=/usr/sbin/apache2,
+  # Allow other hats to signal by default
+  signal peer=/usr/sbin/apache2//*,
   # Allow us to signal ourselves
   signal peer=@{profile_name},
 
@@ -25,3 +27,8 @@
 
   /dev/urandom            r,
 
+  # sasl-auth
+  /run/saslauthd/mux rw,
+
+  # OCSP stapling
+  /var/log/apache2/stapling-cache rw,

profiles/apparmor.d/abstractions/audio

@@ -49,7 +49,7 @@ owner @{HOME}/.cache/event-sound-cache.* rwk,
 
 # pulse
 /etc/pulse/ r,
-/etc/pulse/* r,
+/etc/pulse/** r,
 /{run,dev}/shm/ r,
 owner /{run,dev}/shm/pulse-shm* rwk,
 owner @{HOME}/.pulse-cookie rwk,
@@ -57,6 +57,8 @@ owner @{HOME}/.pulse/ rw,
 owner @{HOME}/.pulse/* rwk,
 owner /{,var/}run/user/*/pulse/  rw,
 owner /{,var/}run/user/*/pulse/{native,pid} rwk,
+owner @{HOME}/.config/pulse/*.conf r,
+owner @{HOME}/.config/pulse/client.conf.d/{,*.conf} r,
 owner @{HOME}/.config/pulse/cookie rwk,
 owner /tmp/pulse-*/ rw,
 owner /tmp/pulse-*/* rw,
@@ -68,6 +70,8 @@ owner /tmp/pulse-*/* rw,
 # openal
 /etc/openal/alsoft.conf r,
 owner @{HOME}/.alsoftrc r,
+/usr/{,local/}share/openal/hrtf/{,**} r,
+owner @{HOME}/.local/share/openal/hrtf/{,**} r,
 
 # wildmidi
 /etc/wildmidi/wildmidi.cfg r,

profiles/apparmor.d/abstractions/base

@@ -91,7 +91,7 @@
   /sys/devices/system/cpu/online r,
 
   # glibc's *printf protections read the maps file
-  @{PROC}/@{pid}/maps            r,
+  @{PROC}/@{pid}/{maps,auxv,status} r,
 
   # libgcrypt reads some flags from /proc
   @{PROC}/sys/crypto/*           r,

profiles/apparmor.d/abstractions/dbus-session-strict

@@ -17,6 +17,9 @@
        type=stream
        peer=(addr="@/tmp/dbus-*"),
 
+  # dbus with systemd and --enable-user-session
+  owner /run/user/[0-9]*/bus rw,
+
   dbus send
        bus=session
        path=/org/freedesktop/DBus

profiles/apparmor.d/abstractions/freedesktop.org

@@ -10,10 +10,10 @@
 # ------------------------------------------------------------------
 
   # system configuration
-  /usr/share/applications/               r,
+  /usr/{,local/}share/applications/{*/,}               r,
-  /usr/share/applications/defaults.list  r,
+  /usr/{,local/}share/applications/{*/,}defaults.list  r,
-  /usr/share/applications/mimeinfo.cache r,
+  /usr/{,local/}share/applications/{*/,}mimeinfo.cache r,
-  /usr/share/applications/*.desktop      r,
+  /usr/{,local/}share/applications/{*/,}*.desktop      r,
   /usr/share/icons/               r,
   /usr/share/icons/**             r,
   /usr/share/pixmaps/             r,

profiles/apparmor.d/abstractions/gnome

@@ -21,6 +21,8 @@
   /etc/gtk/*                      r,
   /usr/lib{,32,64}/gtk/**         mr,
   /usr/lib/@{multiarch}/gtk/**    mr,
+  /usr/lib{,32,64}/gtk-[0-9]*/**  mr,
+  /usr/lib/@{multiarch}/gtk-[0-9]*/** mr,
   /usr/share/themes/              r,
   /usr/share/themes/**            r,
 

profiles/apparmor.d/abstractions/gnupg

@@ -4,6 +4,7 @@
   # user configurations
   owner @{HOME}/.gnupg/options     r,
   owner @{HOME}/.gnupg/pubring.gpg r,
+  owner @{HOME}/.gnupg/pubring.kbx r,
   owner @{HOME}/.gnupg/random_seed rw,
   owner @{HOME}/.gnupg/secring.gpg r,
   owner @{HOME}/.gnupg/so/*.x86_64 mr,

profiles/apparmor.d/abstractions/nameservice

@@ -21,6 +21,9 @@
   /etc/passwd             r,
   /etc/protocols          r,
 
+  # libtirpc (used for NIS/YP login) needs this
+  /etc/netconfig r,
+
   # When using libnss-extrausers, the passwd and group files are merged from
   # an alternate path
   /var/lib/extrausers/group  r,
@@ -29,6 +32,7 @@
   # When using sssd, the passwd and group files are stored in an alternate path
   # and the nss plugin also needs to talk to a pipe
   /var/lib/sss/mc/group   r,
+  /var/lib/sss/mc/initgroups r,
   /var/lib/sss/mc/passwd  r,
   /var/lib/sss/pipes/nss  rw,
 
@@ -50,7 +54,7 @@
   # to vast speed increases when working with network-based lookups.
   /{,var/}run/.nscd_socket   rw,
   /{,var/}run/nscd/socket    rw,
-  /{var/db,var/cache,var/run,run}/nscd/{passwd,group,services,hosts}    r,
+  /{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts}    r,
   # nscd renames and unlinks files in it's operation that clients will
   # have open
   /{,var/}run/nscd/db*  rmix,

profiles/apparmor.d/abstractions/nvidia

@@ -16,5 +16,6 @@
   @{PROC}/driver/nvidia/params r,
   @{PROC}/modules r,
 
-  owner @{HOME}/.nv/GLCache/ r,
+  owner @{HOME}/.nv/ w,
+  owner @{HOME}/.nv/GLCache/ rw,
   owner @{HOME}/.nv/GLCache/** rwk,

profiles/apparmor.d/abstractions/php

@@ -0,0 +1,36 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2006 Novell/SUSE
+#    Copyright (C) 2009-2010 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  # shared snippets for config files
+  /etc/php{,5,7}/**/ r,
+  /etc/php{,5,7}/**.ini r,
+
+  # Xlibs
+  /usr/X11R6/lib{,32,64}/lib*.so* mr,
+  # php extensions
+  /usr/lib{64,}/php{,5,7}/*/*.so mr,
+
+  # php session mmap socket
+  /var/lib/php{,5,7}/session_mm_* rwlk,
+  # file based session handler
+  /var/lib/php{,5,7}/sess_* rwlk,
+  /var/lib/php{,5,7}/sessions/* rwlk,
+
+  # php libraries
+  /usr/share/php{,5,7}/ r,
+  /usr/share/php{,5,7}/** mr,
+
+  # MySQL extension
+  /usr/share/mysql/** r,
+
+  # Zend opcache
+  /tmp/.ZendSem.* rwlk,

profiles/apparmor.d/abstractions/php5

@@ -1,35 +1,3 @@
-# vim:syntax=apparmor
+#backwards compatibility include, actual abstraction moved from php5 to php
-# ------------------------------------------------------------------
-#
-#    Copyright (C) 2002-2006 Novell/SUSE
-#    Copyright (C) 2009-2010 Canonical Ltd.
-#
-#    This program is free software; you can redistribute it and/or
-#    modify it under the terms of version 2 of the GNU General Public
-#    License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
 
-  # shared snippets for config files
+#include <abstractions/php>
-  /etc/php5/**/ r,
-  /etc/php5/**.ini r,
-
-  # Xlibs
-  /usr/X11R6/lib{,32,64}/lib*.so* mr,
-  # php extensions
-  /usr/lib{64,}/php5/*/*.so mr,
-
-  # php5 session mmap socket
-  /var/lib/php5/session_mm_* rwlk,
-  # file based session handler
-  /var/lib/php5/sess_* rwlk,
-
-  # php libraries
-  /usr/share/php{,5}/ r,
-  /usr/share/php{,5}/** mr,
-
-  # MySQL extension
-  /usr/share/mysql/** r,
-
-  # Zend opcache
-  /tmp/.ZendSem.* rwlk,

profiles/apparmor.d/abstractions/postfix-common

@@ -22,7 +22,7 @@
 
   /etc/mailname         r,
   /etc/postfix/*.cf     r,
-  /etc/postfix/*.db     r,
+  /etc/postfix/*.db     rk,
   @{PROC}/net/if_inet6  r,
   /usr/lib/postfix/*.so mr,
   /usr/lib{,32,64}/sasl2/*    mr,

profiles/apparmor.d/abstractions/python

@@ -10,18 +10,18 @@
 #
 # ------------------------------------------------------------------
 
-  /usr/lib{,32,64}/python{2.[4-7],3.[0-5]}/**.{pyc,so}           mr,
+  /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{pyc,so}           mr,
-  /usr/lib{,32,64}/python{2.[4-7],3.[0-5]}/**.{egg,py,pth}       r,
+  /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{egg,py,pth}       r,
-  /usr/lib{,32,64}/python{2.[4-7],3.[0-5]}/{site,dist}-packages/ r,
+  /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/{site,dist}-packages/ r,
-  /usr/lib{,32,64}/python3.[0-5]/lib-dynload/*.so            mr,
+  /usr/lib{,32,64}/python3.[0-9]/lib-dynload/*.so            mr,
 
-  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-5]}/**.{pyc,so}           mr,
+  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{pyc,so}           mr,
-  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-5]}/**.{egg,py,pth}       r,
+  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{egg,py,pth}       r,
-  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-5]}/{site,dist}-packages/ r,
+  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-9]}/{site,dist}-packages/ r,
-  /usr/local/lib{,32,64}/python3.[0-5]/lib-dynload/*.so            mr,
+  /usr/local/lib{,32,64}/python3.[0-9]/lib-dynload/*.so            mr,
 
   # Site-wide configuration
-  /etc/python{2.[4-7],3.[0-5]}/** r,
+  /etc/python{2.[4-7],3.[0-9]}/** r,
 
   # shared python paths
   /usr/share/{pyshared,pycentral,python-support}/**      r,
@@ -34,4 +34,4 @@
   /usr/lib/wx/python/*.pth r,
 
   # python build configuration and headers
-  /usr/include/python{2.[4-7],3.[0-5]}*/pyconfig.h r,
+  /usr/include/python{2.[4-7],3.[0-9]}*/pyconfig.h r,

profiles/apparmor.d/abstractions/samba

@@ -10,9 +10,12 @@
 # ------------------------------------------------------------------
 
   /etc/samba/* r,
+  /usr/lib*/ldb/*.so mr,
+  /usr/lib*/samba/ldb/*.so mr,
   /usr/share/samba/*.dat r,
   /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
   /var/cache/samba/ w,
+  /var/cache/samba/lck/* rwk,
   /var/lib/samba/** rwk,
   /var/log/samba/cores/ rw,
   /var/log/samba/cores/** rw,

profiles/apparmor.d/apache2.d/phpsysinfo

@@ -5,7 +5,7 @@
     #include <abstractions/apache2-common>
     #include <abstractions/base>
     #include <abstractions/nameservice>
-    #include <abstractions/php5>
+    #include <abstractions/php>
     #include <abstractions/python>
 
     /{,usr/}bin/dash ixr,

profiles/apparmor.d/bin.ping

@@ -18,6 +18,7 @@
   capability net_raw,
   capability setuid,
   network inet raw,
+  network inet6 raw,
 
   /{,usr/}bin/ping mixr,
   /etc/modules.conf r,

profiles/apparmor.d/sbin.syslog-ng

@@ -38,6 +38,7 @@
   /dev/syslog w,
   /dev/tty10 rw,
   /dev/xconsole rw,
+  /dev/kmsg r,
   /etc/machine-id r,
   /etc/syslog-ng/* r,
   /etc/syslog-ng/conf.d/ r,
@@ -48,6 +49,7 @@
   /sbin/syslog-ng mr,
   /sys/devices/system/cpu/online r,
   /usr/share/syslog-ng/** r,
+  /var/lib/syslog-ng/syslog-ng-?????.qf rw,
   # chrooted applications
   @{CHROOT_BASE}/var/lib/*/dev/log w,
   @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,

profiles/apparmor.d/usr.lib.dovecot.anvil

@@ -18,6 +18,7 @@
   capability setuid,
   capability sys_chroot,
 
+  /run/dovecot/anvil rw,
   /usr/lib/dovecot/anvil mr,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/usr.lib.dovecot.auth

@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------
 #
-#    Copyright (C) 2013 Christian Boltz
+#    Copyright (C) 2013-2018 Christian Boltz
 #    Copyright (C) 2014 Christian Wittmer
 #
 #    This program is free software; you can redistribute it and/or
@@ -22,6 +22,8 @@
   #include <abstractions/dovecot-common>
 
   capability audit_write,
+  capability dac_override,
+  capability dac_read_search,
   capability setuid,
 
   /etc/my.cnf r,
@@ -37,8 +39,15 @@
   /var/tmp/sieve_* rw,
   /var/tmp/smtp_* rw,
 
+  /run/dovecot/auth-master rw,
+  /run/dovecot/auth-worker rw,
+  /run/dovecot/login/login rw,
   /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
-  /{var/,}run/dovecot/stats-user w,
+  /{var/,}run/dovecot/old-stats-user w,
+  /{var/,}run/dovecot/stats-user rw,
+  /{var/,}run/dovecot/anvil-auth-penalty rw,
+
+  /var/spool/postfix/private/auth w,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.lib.dovecot.auth>

profiles/apparmor.d/usr.lib.dovecot.config

@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------
 #
-#    Copyright (C) 2013 Christian Boltz
+#    Copyright (C) 2013-2018 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -17,12 +17,15 @@
   #include <abstractions/dovecot-common>
   #include <abstractions/ssl_keys>
 
+  capability dac_read_search,
   capability dac_override,
 
   /etc/dovecot/** r,
   /usr/bin/doveconf rix,
   /usr/lib/dovecot/config mr,
   /usr/lib/dovecot/managesieve Px,
+  /usr/share/dovecot/** r,
+  /var/lib/dovecot/ssl-parameters.dat r,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.lib.dovecot.config>

profiles/apparmor.d/usr.lib.dovecot.dict

@@ -15,6 +15,7 @@
   #include <abstractions/base>
   #include <abstractions/mysql>
   #include <abstractions/nameservice>
+  #include <abstractions/openssl>
   #include <abstractions/dovecot-common>
 
   capability setuid,

profiles/apparmor.d/usr.lib.dovecot.dovecot-lda

@@ -12,7 +12,7 @@
 #include <tunables/global>
 #include <tunables/dovecot>
 
-/usr/lib/dovecot/dovecot-lda {
+/usr/lib/dovecot/dovecot-lda flags=(attach_disconnected) {
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/dovecot-common>
@@ -26,9 +26,11 @@
   /proc/*/mounts r,
   owner /tmp/dovecot.lda.* rw,
   /{var/,}run/dovecot/mounts r,
+  /run/dovecot/auth-userdb rw,
   /usr/bin/doveconf mrix,
   /usr/lib/dovecot/dovecot-lda mrix,
   /usr/sbin/sendmail Cx,
+  /usr/share/dovecot/protocols.d/ r,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.lib.dovecot.dovecot-lda>

profiles/apparmor.d/usr.lib.dovecot.imap

@@ -21,11 +21,23 @@
   capability setuid,
   deny capability block_suspend,
 
+  network unix stream,
+
   @{DOVECOT_MAILSTORE}/ rw,
   @{DOVECOT_MAILSTORE}/** rwkl,
 
   @{HOME} r, # ???
-  /usr/lib/dovecot/imap mr,
+
+  /etc/dovecot/dovecot.conf r,
+  /etc/dovecot/conf.d/ r,
+  /etc/dovecot/conf.d/** r,
+
+  owner /tmp/dovecot.imap.* rw,
+
+  /usr/bin/doveconf rix,
+  /usr/lib/dovecot/imap mrix,
+  /usr/share/dovecot/** r,
+  /run/dovecot/login/imap rw,
   /{,var/}run/dovecot/auth-master rw,
   /{,var/}run/dovecot/mounts r,
 

profiles/apparmor.d/usr.lib.dovecot.imap-login

@@ -22,9 +22,11 @@
 
   network inet stream,
   network inet6 stream,
+  network unix stream,
 
   /usr/lib/dovecot/imap-login mr,
   /{,var/}run/dovecot/anvil rw,
+  /{,var/}run/dovecot/login-master-notify* rw,
   /{,var/}run/dovecot/login/ r,
   /{,var/}run/dovecot/login/* rw,
 

profiles/apparmor.d/usr.lib.dovecot.lmtp

@@ -25,6 +25,8 @@
   @{DOVECOT_MAILSTORE}/ rw,
   @{DOVECOT_MAILSTORE}/** rwkl,
 
+  @{HOME}/.dovecot.svbin r,
+
   /proc/*/mounts r,
   /tmp/dovecot.lmtp.* rw,
   /usr/lib/dovecot/lmtp mr,

profiles/apparmor.d/usr.lib.dovecot.log

@@ -11,7 +11,7 @@
 
 #include <tunables/global>
 
-/usr/lib/dovecot/log {
+/usr/lib/dovecot/log flags=(attach_disconnected) {
   #include <abstractions/base>
   #include <abstractions/dovecot-common>
 

profiles/apparmor.d/usr.lib.dovecot.managesieve-login

@@ -27,6 +27,7 @@
   network inet6 stream,
 
   /usr/lib/dovecot/managesieve-login mr,
+  /{,var/}run/dovecot/login-master-notify* rw,
   /{,var/}run/dovecot/login/ r,
   /{,var/}run/dovecot/login/* rw,
 

profiles/apparmor.d/usr.lib.dovecot.pop3-login

@@ -23,6 +23,7 @@
   capability sys_chroot,
 
   /usr/lib/dovecot/pop3-login mr,
+  /{,var/}run/dovecot/anvil rw,
   /{,var/}run/dovecot/login/ r,
   /{,var/}run/dovecot/login/* rw,
 

profiles/apparmor.d/usr.lib.dovecot.ssl-params

@@ -15,6 +15,7 @@
   #include <abstractions/base>
   #include <abstractions/dovecot-common>
 
+  /run/dovecot/login/ssl-params rw,
   /usr/lib/dovecot/ssl-params mr,
   /var/lib/dovecot/ssl-parameters.dat rw,
   /var/lib/dovecot/ssl-parameters.dat.tmp rwk,

profiles/apparmor.d/usr.lib.dovecot.stats

@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2018 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/stats {
+  #include <abstractions/base>
+  #include <abstractions/dovecot-common>
+
+  capability setuid,
+  capability sys_chroot,
+
+  /usr/lib/dovecot/stats mr,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.lib.dovecot.stats>
+}

profiles/apparmor.d/usr.sbin.dovecot

@@ -12,7 +12,7 @@
 
 #include <tunables/global>
 
-/usr/sbin/dovecot {
+/usr/sbin/dovecot flags=(attach_disconnected) {
   #include <abstractions/authentication>
   #include <abstractions/base>
   #include <abstractions/dovecot-common>
@@ -23,11 +23,15 @@
 
   capability chown,
   capability dac_override,
+  capability dac_read_search,
   capability fsetid,
   capability kill,
   capability net_bind_service,
   capability setuid,
   capability sys_chroot,
+  capability sys_resource,
+
+  signal send set=(int,quit) peer=/usr/lib/dovecot/*,
 
   /etc/dovecot/** r,
   /etc/mtab r,
@@ -35,21 +39,22 @@
   /etc/SuSE-release r,
   @{PROC}/@{pid}/mounts r,
   /usr/bin/doveconf rix,
-  /usr/lib/dovecot/anvil Px,
+  /usr/lib/dovecot/anvil mrPx,
-  /usr/lib/dovecot/auth Px,
+  /usr/lib/dovecot/auth mrPx,
-  /usr/lib/dovecot/config Px,
+  /usr/lib/dovecot/config mrPx,
-  /usr/lib/dovecot/dict Px,
+  /usr/lib/dovecot/dict mrPx,
   /usr/lib/dovecot/dovecot-auth Pxmr,
   /usr/lib/dovecot/imap Pxmr,
   /usr/lib/dovecot/imap-login Pxmr,
-  /usr/lib/dovecot/lmtp Px,
+  /usr/lib/dovecot/lmtp mrPx,
-  /usr/lib/dovecot/log Px,
+  /usr/lib/dovecot/log mrPx,
-  /usr/lib/dovecot/managesieve Px,
+  /usr/lib/dovecot/managesieve mrPx,
   /usr/lib/dovecot/managesieve-login Pxmr,
-  /usr/lib/dovecot/pop3 Px,
+  /usr/lib/dovecot/pop3 mrPx,
   /usr/lib/dovecot/pop3-login Pxmr,
   /usr/lib/dovecot/ssl-build-param rix,
-  /usr/lib/dovecot/ssl-params Px,
+  /usr/lib/dovecot/ssl-params mrPx,
+  /usr/lib/dovecot/stats Px,
   /usr/sbin/dovecot mrix,
   /usr/share/dovecot/protocols.d/   r,
   /usr/share/dovecot/protocols.d/** r,

profiles/apparmor.d/usr.sbin.nmbd

@@ -20,6 +20,8 @@
   /var/{cache,lib}/samba/smb_tmp_krb5.* rw,
   /var/{cache,lib}/samba/sync.* rw,
   /var/{cache,lib}/samba/unexpected rw,
+  /var/cache/samba/msg/ rw,
+  /var/cache/samba/msg/* w,
 
   /{,var/}run/samba/** rwk,
 

profiles/apparmor.d/usr.sbin.nscd

@@ -28,8 +28,10 @@
   /{,var/}run/nscd/ rw,
   /{,var/}run/nscd/db* rwl,
   /{,var/}run/nscd/socket wl,
-  /{var/cache,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
+  /{var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
   /{,var/}run/{nscd/,}nscd.pid rwl,
+  /var/lib/libvirt/dnsmasq/ r,
+  /var/lib/libvirt/dnsmasq/*.status r,
   /var/log/nscd.log rw,
   @{PROC}/@{pid}/cmdline r,
   @{PROC}/@{pid}/fd/ r,

profiles/apparmor.d/usr.sbin.ntpd

@@ -27,6 +27,8 @@
   capability sys_time,
   capability sys_nice,
 
+  network unspec dgram,
+
   /drift/ntp.drift rwl,
   /drift/ntp.drift.TEMP rwl,
   /etc/ntp.conf r,
@@ -51,6 +53,7 @@
   /var/lib/ntp/{,var/}run/ntp/ntpd.pid w,
   /var/log/ntp w,
   /var/log/ntp.log w,
+  /var/log/ntpstats/clockstats* lrw,
   /var/log/ntpstats/loopstats* lrw,
   /var/log/ntpstats/peerstats* lrw,
   /var/opt/novell/xad/rpc/xadsd rw,

profiles/apparmor.d/usr.sbin.smbd

@@ -28,8 +28,9 @@
   @{PROC}/@{pid}/mounts r,
   @{PROC}/sys/kernel/core_pattern r,
   /usr/lib*/samba/vfs/*.so mr,
+  /usr/lib*/samba/auth/*.so mr,
   /usr/lib*/samba/charset/*.so mr,
-  /usr/lib*/samba/auth/script.so mr,
+  /usr/lib*/samba/gensec/*.so mr,
   /usr/lib*/samba/pdb/*.so mr,
   /usr/lib*/samba/{lowcase,upcase,valid}.dat r,
   /usr/sbin/smbd mr,

profiles/apparmor.d/usr.sbin.traceroute

@@ -15,13 +15,16 @@
   #include <abstractions/consoles>
   #include <abstractions/nameservice>
 
+  deny capability net_admin, # noisy setsockopt() calls
   capability net_raw,
 
   network inet raw,
   network inet6 raw,
 
-  /usr/sbin/traceroute rmix,
+  /usr/sbin/traceroute mrix,
+  /usr/bin/traceroute.db mrix,
   @{PROC}/net/route r,
+  @{PROC}/sys/net/ipv4/{tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.sbin.traceroute>

profiles/apparmor.d/usr.sbin.winbindd

@@ -7,6 +7,7 @@
 
   deny capability block_suspend,
 
+  capability dac_override,
   capability ipc_lock,
   capability setuid,
 
@@ -19,6 +20,7 @@
   @{PROC}/sys/kernel/core_pattern r,
   /tmp/.winbindd/ w,
   /tmp/krb5cc_* rwk,
+  /usr/lib*/samba/gensec/krb*.so mr,
   /usr/lib*/samba/idmap/*.so mr,
   /usr/lib*/samba/nss_info/*.so mr,
   /usr/lib*/samba/pdb/*.so mr,
@@ -32,6 +34,7 @@
   /{var/,}run/samba/winbindd.pid rwk,
   /{var/,}run/samba/winbindd/ rw,
   /{var/,}run/samba/winbindd/pipe w,
+  /{var/,}run/user/*/krb5cc/* rwk,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.sbin.winbindd>

profiles/apparmor/profiles/extras/bin.netstat

@@ -21,7 +21,9 @@
 
   capability dac_override,
   capability dac_read_search,
-  deny capability sys_ptrace,
+  capability sys_ptrace,
+
+  ptrace (read),
 
   /bin/netstat rmix,
   /etc/networks r,

profiles/apparmor/profiles/extras/usr.bin.mlmmj-bounce

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2005 Novell/SUSE
+#    Copyright (C) Per Jessen <per@computer.org>
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -14,9 +15,26 @@
 /usr/bin/mlmmj-bounce {
   #include <abstractions/base>
 
-  /usr/bin/mlmmj-bounce r,
+  /usr/bin/mlmmj-bounce mr,
   /usr/bin/mlmmj-send Px,
+  /usr/bin/mlmmj-maintd Px,
+  /var/spool/mlmmj/*/subscribers.d/ r,
+  /var/spool/mlmmj/*/subscribers.d/* r,
+  /var/spool/mlmmj/*/subconf rwl, #
   /var/spool/mlmmj/*/subconf/* rwl,
+  /var/spool/mlmmj/*/queue rwl, #
   /var/spool/mlmmj/*/queue/* rwl,
+  /var/spool/mlmmj/*/bounce/ rwl,
 
+  /var/spool/mlmmj/*/nomailsubs.d/  r,
+  /var/spool/mlmmj/*/nomailsubs.d/* r,
+  /var/spool/mlmmj/*/digesters.d/  r,
+  /var/spool/mlmmj/*/digesters.d/* r,
+
+  /var/spool/mlmmj/*/bounce/* rw,
+
+  /var/spool/mlmmj/*/unsubconf/* w,
+
+  /usr/share/mlmmj/text.skel/*/* r,
+  /var/spool/mlmmj/*/control/*  r,
 }

profiles/apparmor/profiles/extras/usr.bin.mlmmj-maintd

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2005 Novell/SUSE
+#    Copyright (C) Per Jessen <per@computer.org>
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -16,21 +17,36 @@
 
   capability setuid,
 
-  /usr/bin/mlmmj-maintd r,
+  /usr/bin/mlmmj-maintd mr,
   /usr/bin/mlmmj-send Px,
+  /usr/bin/mlmmj-bounce Px,
+  /usr/bin/mlmmj-unsub Px,
 
-  /var/spool/mlmmj r,
+  /var/spool/mlmmj/ r,
-  /var/spool/mlmmj/*/bounce r,
+  /var/spool/mlmmj/* r, #
+  /var/spool/mlmmj/*/bounce/ r,
+  /var/spool/mlmmj/*/bounce/* rw,
   /var/spool/mlmmj/*/index r,
-  /var/spool/mlmmj/*/lastdigest rw,
+  /var/spool/mlmmj/*/lastdigest rwk,
   /var/spool/mlmmj/*/maintdlog-* lrw,
   /var/spool/mlmmj/*/mlmmj-maintd.lastrun.log w,
-  /var/spool/mlmmj/*/moderation r,
+  /var/spool/mlmmj/*/moderation/ r,
+  /var/spool/mlmmj/*/moderation/* w,
+  /var/spool/mlmmj/*/archive/ r,
   /var/spool/mlmmj/*/archive/* r,
+  /var/spool/mlmmj/*/control/ r,
   /var/spool/mlmmj/*/control/* r,
-  /var/spool/mlmmj/*/queue r,
+  /var/spool/mlmmj/*/queue/ r,
-  /var/spool/mlmmj/*/queue/* rwl,
+  /var/spool/mlmmj/*/queue/** rwl,
-  /var/spool/mlmmj/*/requeue r,
+  /var/spool/mlmmj/*/requeue/ r,
-  /var/spool/mlmmj/*/subconf r,
+  /var/spool/mlmmj/*/requeue/* rw,
-  /var/spool/mlmmj/*/unsubconf r,
+  /var/spool/mlmmj/*/requeue/*/ rw,
+  /var/spool/mlmmj/*/subconf/ r,
+  /var/spool/mlmmj/*/subconf/* rw,
+  /var/spool/mlmmj/*/unsubconf/ r,
+  /var/spool/mlmmj/*/unsubconf/* rw,
+
+  /usr/share/mlmmj/text.skel/*/digest r,
+  /var/spool/mlmmj/*/mlmmj.operation.log rwk,
+
 }

profiles/apparmor/profiles/extras/usr.bin.mlmmj-process

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2005 Novell/SUSE
+#    Copyright (C) Per Jessen <per@computer.org>
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -14,16 +15,32 @@
 /usr/bin/mlmmj-process {
   #include <abstractions/base>
 
-  /usr/bin/mlmmj-process r,
+  /usr/bin/mlmmj-process mr,
   /usr/bin/mlmmj-send Px,
   /usr/bin/mlmmj-sub Px,
   /usr/bin/mlmmj-unsub Px,
   /usr/bin/mlmmj-bounce Px,
+  # skeleton data
+  /usr/share/mlmmj/text.skel/ r,
+  /usr/share/mlmmj/text.skel/*/* r,
+
   /var/spool/mlmmj/*/control/* r,
   /var/spool/mlmmj/*/text/* r,
   /var/spool/mlmmj/*/incoming/* rwl,
-  /var/spool/mlmmj/*/queue/* rwl,
+  /var/spool/mlmmj/*/queue/** rwl,
   /var/spool/mlmmj/*/subconf/* rwl,
   /var/spool/mlmmj/*/unsubconf/* rwl,
-  /var/spool/mlmmj/*/mlmmj.operation.log rw,
+  /var/spool/mlmmj/*/mlmmj.operation.log rwk,
+  /var/spool/mlmmj/*/mlmmj.operation.log.rotated w,
+
+  /var/spool/mlmmj/*/nomailsubs.d/ r,
+  /var/spool/mlmmj/*/nomailsubs.d/* r,
+  /var/spool/mlmmj/*/subscribers.d/ r,
+  /var/spool/mlmmj/*/subscribers.d/* r,
+  /var/spool/mlmmj/*/digesters.d/ r,
+  /var/spool/mlmmj/*/digesters.d/* r,
+
+  /var/spool/mlmmj/*/moderation/* rw,
+  /etc/mlmmj/text/*/* r,
+
 }

profiles/apparmor/profiles/extras/usr.bin.mlmmj-receive

@@ -0,0 +1,22 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#    Copyright (C) Per Jessen <per@computer.org>
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+#include <tunables/global>
+
+/usr/bin/mlmmj-receive {
+  #include <abstractions/base>
+
+  /usr/bin/mlmmj-process Px,
+  /usr/bin/mlmmj-receive mr,
+  /var/spool/mlmmj/*/incoming/ rw,
+  /var/spool/mlmmj/*/incoming/* rw,
+}

profiles/apparmor/profiles/extras/usr.bin.mlmmj-recieve

@@ -9,12 +9,17 @@
 # ------------------------------------------------------------------
 # vim:syntax=apparmor
 
+
+# mlmmj upstream renamed the (misspelled) mlmmj-recieve to mlmmj-receive,
+# so this profile is probably superfluous
+
+
 #include <tunables/global>
 
 /usr/bin/mlmmj-recieve {
   #include <abstractions/base>
 
   /usr/bin/mlmmj-process Px,
-  /usr/bin/mlmmj-recieve r,
+  /usr/bin/mlmmj-recieve mr,
   /var/spool/mlmmj/*/incoming/* w,
 }

profiles/apparmor/profiles/extras/usr.bin.mlmmj-send

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2005 Novell/SUSE
+#    Copyright (C) Per Jessen <per@computer.org>
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -15,11 +16,16 @@
   #include <abstractions/base>
   #include <abstractions/nameservice>
 
-  /usr/bin/mlmmj-send r,
+  /usr/bin/mlmmj-send mr,
   /var/spool/mlmmj/*/archive/* w,
   /var/spool/mlmmj/*/control/* r,
-  /var/spool/mlmmj/*/index rw,
+  /var/spool/mlmmj/*/index rwk,
-  /var/spool/mlmmj/*/queue/* lrw,
+  /var/spool/mlmmj/*/queue/* klrw,
-  /var/spool/mlmmj/*/subscribers.d r,
+  /var/spool/mlmmj/*/subscribers.d/ r,
   /var/spool/mlmmj/*/subscribers.d/* r,
+
+  /var/spool/mlmmj/*/digesters.d/ r,
+
+  /var/spool/mlmmj/*/moderation/* rwk,
+
 }

profiles/apparmor/profiles/extras/usr.bin.mlmmj-sub

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2005 Novell/SUSE
+#    Copyright (C) Per Jessen <per@computer.org>
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -17,12 +18,25 @@
   capability setuid,
 
   /usr/bin/mlmmj-send Px,
-  /usr/bin/mlmmj-sub r,
+  /usr/bin/mlmmj-sub mr,
+  /var/spool/mlmmj/*/control/ r,
   /var/spool/mlmmj/*/control/* r,
-  /var/spool/mlmmj/*/queue/* w,
+  /var/spool/mlmmj/*/moderation/subscribe* rw,
-  /var/spool/mlmmj/*/subconf/* w,
+  /var/spool/mlmmj/*/queue/ rw,
-  /var/spool/mlmmj/*/subscribers.d rw,
+  /var/spool/mlmmj/*/queue/* rw,
-  /var/spool/mlmmj/*/subscribers.d/* rw,
+  /var/spool/mlmmj/*/subconf/ rw,
-  /var/spool/mlmmj/*/subscribers.d/.d.lock lw,
+  /var/spool/mlmmj/*/subconf/* rw,
+  /var/spool/mlmmj/*/subscribers.d/ rw,
+  /var/spool/mlmmj/*/subscribers.d/* rwk,
+  /var/spool/mlmmj/*/text/ r, #
   /var/spool/mlmmj/*/text/* r,
+
+  /usr/share/mlmmj/text.skel/*/* r,
+
+  /var/spool/mlmmj/*/nomailsubs.d/ rw,
+  /var/spool/mlmmj/*/nomailsubs.d/* rwk,
+
+  /var/spool/mlmmj/*/digesters.d/ rw,
+  /var/spool/mlmmj/*/digesters.d/* rwk,
+
 }

profiles/apparmor/profiles/extras/usr.bin.mlmmj-unsub

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2005 Novell/SUSE
+#    Copyright (C) Per Jessen <per@computer.org>
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -14,14 +15,27 @@
 /usr/bin/mlmmj-unsub {
   #include <abstractions/base>
 
-  /usr/bin/mlmmj-unsub r,
+  /usr/bin/mlmmj-unsub mr,
   /usr/bin/mlmmj-send Px,
+  /var/spool/mlmmj/*/control/ r,
   /var/spool/mlmmj/*/control/* r,
+  /var/spool/mlmmj/*/text/ r,
   /var/spool/mlmmj/*/text/* r,
-  /var/spool/mlmmj/*/subscribers.d r,
-  /var/spool/mlmmj/*/subscribers.d/* r,
 
+  /var/spool/mlmmj/*/queue/ rwl,
   /var/spool/mlmmj/*/queue/* rwl,
+  /var/spool/mlmmj/*/unsubconf/ rwl,
   /var/spool/mlmmj/*/unsubconf/* rwl,
-  /var/spool/mlmmj/*/subscribers.d/* rwl,
+  /var/spool/mlmmj/*/subscribers.d/ rw,
+  /var/spool/mlmmj/*/subscribers.d/* rwk,
+
+  /var/spool/mlmmj/*/nomailsubs.d/ rw,
+  /var/spool/mlmmj/*/nomailsubs.d/* rwk,
+
+  /var/spool/mlmmj/*/digesters.d/ rw,
+  /var/spool/mlmmj/*/digesters.d/* rwk,
+
+  /usr/share/mlmmj/text.skel/*/* r,
+  /etc/mlmmj/text/*/finish r,
+
 }

profiles/apparmor/profiles/extras/usr.lib.postfix.anvil

@@ -13,7 +13,6 @@
 /usr/lib/postfix/anvil {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   capability setgid,

profiles/apparmor/profiles/extras/usr.lib.postfix.bounce

@@ -13,7 +13,6 @@
 /usr/lib/postfix/bounce {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   capability setgid,

profiles/apparmor/profiles/extras/usr.lib.postfix.cleanup

@@ -13,7 +13,6 @@
 /usr/lib/postfix/cleanup {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   capability net_bind_service,

profiles/apparmor/profiles/extras/usr.lib.postfix.error

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2006 Novell/SUSE
+#    Copyright (C) 2017 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -13,8 +14,13 @@
 /usr/lib/postfix/error {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
-  /usr/lib/postfix/error rmix,
+  @{PROC}/sys/kernel/ngroups_max r,
+  /usr/lib/postfix/error mrix,
+  owner /var/spool/postfix/active/* rwk,
+  /var/spool/postfix/pid/unix.error rwk,
+  /var/spool/postfix/pid/unix.retry rwk,
+  owner /var/spool/postfix/private/defer w,
+
 }

profiles/apparmor/profiles/extras/usr.lib.postfix.flush

@@ -13,7 +13,6 @@
 /usr/lib/postfix/flush {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   capability setgid,

profiles/apparmor/profiles/extras/usr.lib.postfix.lmtp

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2006 Novell/SUSE
+#    Copyright (C) 2017 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -13,8 +14,10 @@
 /usr/lib/postfix/lmtp {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
-  /usr/lib/postfix/lmtp rmix,
+  /usr/lib/postfix/lmtp mrix,
+  /var/spool/postfix/active/* rwk,
+  /var/spool/postfix/pid/unix.lmtp rwk,
+
 }

profiles/apparmor/profiles/extras/usr.lib.postfix.local

@@ -14,7 +14,6 @@
   #include <abstractions/base>
   #include <abstractions/bash>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/user-mail>
   #include <abstractions/postfix-common>
 

profiles/apparmor/profiles/extras/usr.lib.postfix.master

@@ -12,7 +12,6 @@
 
 /usr/lib/postfix/master {
   #include <abstractions/base>
-  #include <abstractions/kerberosclient>
   #include <abstractions/nameservice>
   #include <abstractions/postfix-common>
 

profiles/apparmor/profiles/extras/usr.lib.postfix.nqmgr

@@ -12,7 +12,6 @@
 
 /usr/lib/postfix/nqmgr {
   #include <abstractions/base>
-  #include <abstractions/kerberosclient>
   #include <abstractions/nameservice>
   #include <abstractions/postfix-common>
 

profiles/apparmor/profiles/extras/usr.lib.postfix.pickup

@@ -12,7 +12,6 @@
 
 /usr/lib/postfix/pickup {
   #include <abstractions/base>
-  #include <abstractions/kerberosclient>
   #include <abstractions/nameservice>
   #include <abstractions/postfix-common>
 

profiles/apparmor/profiles/extras/usr.lib.postfix.pipe

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2006 Novell/SUSE
+#    Copyright (C) 2017 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -12,6 +13,14 @@
 
 /usr/lib/postfix/pipe {
   #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/postfix-common>
+
+  /usr/lib/postfix/pipe mrix,
+  /var/spool/postfix/active/* rwk,
+  /var/spool/postfix/private/bounce w,
+  /var/spool/postfix/private/defer w,
+  /var/spool/postfix/private/rewrite w,
+  /var/spool/postfix/private/trace w,
 
-  /usr/lib/postfix/pipe rmix,
 }

profiles/apparmor/profiles/extras/usr.lib.postfix.qmgr

@@ -12,7 +12,6 @@
 
 /usr/lib/postfix/qmgr {
   #include <abstractions/base>
-  #include <abstractions/kerberosclient>
   #include <abstractions/nameservice>
   #include <abstractions/postfix-common>
 

profiles/apparmor/profiles/extras/usr.lib.postfix.qmqpd

@@ -13,7 +13,6 @@
 /usr/lib/postfix/qmqpd {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   /usr/lib/postfix/qmqpd rmix,

profiles/apparmor/profiles/extras/usr.lib.postfix.showq

@@ -13,7 +13,6 @@
 /usr/lib/postfix/showq {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   /usr/lib/postfix/showq                       rmix,

profiles/apparmor/profiles/extras/usr.lib.postfix.smtp

@@ -13,7 +13,6 @@
 /usr/lib/postfix/smtp {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
   #include <abstractions/openssl>
 

profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd

@@ -13,7 +13,6 @@
 /usr/lib/postfix/smtpd {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
   #include <abstractions/openssl>
 

profiles/apparmor/profiles/extras/usr.lib.postfix.spawn

@@ -13,7 +13,6 @@
 /usr/lib/postfix/spawn {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   /usr/lib/postfix/spawn rmix,

profiles/apparmor/profiles/extras/usr.lib.postfix.trivial-rewrite

@@ -13,7 +13,6 @@
 /usr/lib/postfix/trivial-rewrite {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   /usr/lib/postfix/trivial-rewrite            rmix,

profiles/apparmor/profiles/extras/usr.lib.postfix.verify

@@ -13,7 +13,6 @@
 /usr/lib/postfix/verify {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   /usr/lib/postfix/verify rmix,

profiles/apparmor/profiles/extras/usr.lib.postfix.virtual

@@ -13,7 +13,6 @@
 /usr/lib/postfix/virtual {
   #include <abstractions/base>
   #include <abstractions/nameservice>
-  #include <abstractions/kerberosclient>
   #include <abstractions/postfix-common>
 
   capability setgid,

tests/regression/apparmor/environ.c

@@ -63,6 +63,8 @@ int main(int argc, char *argv[])
 		if (retval == RET_CHLD_SUCCESS) {
 			printf("PASS\n");
 			retval = 0;
+		} else {
+			printf("FAIL: Child failed\n");
 		}
 
 	} else if (pid == 0) {

tests/regression/apparmor/mount.c

@@ -24,7 +24,7 @@ int main(int argc, char *argv[])
 	}
 
 	if (strcmp(argv[1], "mount") == 0) {
-		if (mount(argv[2], argv[3], "ext2", 0xc0ed0000 | MS_MANDLOCK, NULL ) == -1) {
+		if (mount(argv[2], argv[3], "ext2", 0xc0ed0000 | MS_NODEV, NULL ) == -1) {
 			fprintf(stderr, "FAIL: mount %s on %s failed - %s\n",
 				argv[2], argv[3], 
 				strerror(errno));

tests/regression/apparmor/syscall_sysctl.sh

@@ -149,8 +149,7 @@ test_sysctl_proc()
 # generally we want to encourage kernels to disable it, but if it's
 # enabled we want to test against it
 settest syscall_sysctl
-res=$(${test} ro)
+if ! res="$(${test} ro 2>&1)" && [ "$res" = "FAIL: sysctl read failed - Function not implemented" ] ; then
-if [ $? -ne 0 -a $res == "FAIL: sysctl read failed - Function not implemented" ] ; then
     echo "	WARNING: syscall sysctl not implemented, skipping tests ..."
 else
     test_syscall_sysctl

utils/Makefile

@@ -30,7 +30,7 @@ PERLTOOLS = aa-exec aa-notify
 PYTOOLS = aa-easyprof aa-genprof aa-logprof aa-cleanprof aa-mergeprof \
           aa-autodep aa-audit aa-complain aa-enforce aa-disable \
 	  aa-status aa-unconfined
-TOOLS = ${PERLTOOLS} ${PYTOOLS} aa-decode
+TOOLS = ${PERLTOOLS} ${PYTOOLS} aa-decode aa-remove-unknown
 PYSETUP = python-tools-setup.py
 PYMODULES = $(wildcard apparmor/*.py)
 

utils/aa-audit.pod

@@ -6,7 +6,7 @@ aa-audit - set an AppArmor security profile to I<audit> mode.
 
 =head1 SYNOPSIS
 
-B<aa-audit I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<-r>]>
+B<aa-audit I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<--no-reload>] [I<-r>]>
 
 =head1 OPTIONS
 
@@ -15,9 +15,12 @@ B<-d --dir  /path/to/profiles>
    Specifies where to look for the AppArmor security profile set.
    Defaults to /etc/apparmor.d.
 
+B<--no-reload>
+   Do not reload the profile after modifying it.
+
 B<-r --remove>
 
-   Removes the audit mode for the profile.  
+   Removes the audit mode for the profile.
 
 =head1 DESCRIPTION
 

utils/aa-cleanprof.pod

@@ -6,7 +6,7 @@ aa-cleanprof - clean an existing AppArmor security profile.
 
 =head1 SYNOPSIS
 
-B<aa-cleanprof I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<-s>]>
+B<aa-cleanprof I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<--no-reload]> [I<-s>]>
 
 =head1 OPTIONS
 
@@ -15,6 +15,9 @@ B<-d --dir  /path/to/profiles>
    Specifies where to look for the AppArmor security profile set.
    Defaults to /etc/apparmor.d.
 
+B<--no-reload>
+   Do not reload the profile after modifying it.
+
 B<-s --silent>
 
    Silently overwrites the profile without user prompt.
@@ -22,7 +25,7 @@ B<-s --silent>
 =head1 DESCRIPTION
 
 B<aa-cleanprof> is used to perform a cleanup on one or more profiles.
-The tool removes any existing superfluous rules (rules that are covered 
+The tool removes any existing superfluous rules (rules that are covered
 under an include or another rule), reorders the rules to group similar rules
 together and removes all comments from the file.
 

utils/aa-complain.pod

@@ -26,7 +26,7 @@ aa-complain - set an AppArmor security profile to I<complain> mode.
 
 =head1 SYNOPSIS
 
-B<< aa-complain I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] >>
+B<aa-complain I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<--no-reload>]>
 
 =head1 OPTIONS
 
@@ -35,12 +35,17 @@ B<-d --dir  /path/to/profiles>
    Specifies where to look for the AppArmor security profile set.
    Defaults to /etc/apparmor.d.
 
+B<--no-reload>
+   Do not reload the profile after modifying it.
+
 =head1 DESCRIPTION
 
 B<aa-complain> is used to set the enforcement mode for one or more profiles to I<complain> mode.
 In this mode security policy is not enforced but rather access violations
 are logged to the system log.
 
+Note that 'deny' rules will be enforced even in complain mode.
+
 =head1 BUGS
 
 If you find any bugs, please report them at