Prepare for AppArmor 3.0.9 release

- update version file
- update library version

Signed-off-by: John Johansen <john.johansen@canonical.com>

binutils/aa_status.c

@@ -534,16 +534,19 @@ static int detailed_output(FILE *json) {
 				} else {
 					fprintf(json, "%s\"%s\": [{\"profile\": \"%s\", \"pid\": \"%s\", \"status\": \"%s\"}",
 					       // first element will be a unique executable
-					       i == 0 && j == 0 ? "" : "], ",
+					       j == 0 ? "" : "], ",
 					       filtered[j].exe, filtered[j].profile, filtered[j].pid, filtered[j].mode);
 				}
 
 			}
+			if (j > 0) {
+				fprintf(json, "]");
+			}
 		}
 		free_processes(filtered, nfiltered);
 	}
 	if (json) {
-		fprintf(json, "%s}}\n", nprocesses > 0 ? "]" : "");
+		fprintf(json, "}}\n");
 	}
 
 exit:

common/Version

@@ -1 +1 @@
-3.0.4
+3.0.9

libraries/libapparmor/include/aalogparse.h

@@ -159,6 +159,8 @@ typedef struct
 	char *fs_type;
 	char *flags;
 	char *src_name;
+
+	char *class;
 } aa_log_record;
 
 /**

libraries/libapparmor/src/Makefile.am

@@ -27,8 +27,9 @@ INCLUDES = $(all_includes)
 # http://www.gnu.org/software/libtool/manual/html_node/Libtool-versioning.html
 #
 AA_LIB_CURRENT = 9
-AA_LIB_REVISION = 2
+AA_LIB_REVISION = 5
 AA_LIB_AGE = 8
+EXPECTED_SO_NAME = libapparmor.so.1.8.5
 
 SUFFIXES = .pc.in .pc
 
@@ -77,4 +78,8 @@ tst_kernel_LDFLAGS = -pthread
 check_PROGRAMS = tst_aalogmisc tst_features tst_kernel
 TESTS = $(check_PROGRAMS)
 
+.PHONY: check-local
+check-local:
+	test -f ./.libs/$(EXPECTED_SO_NAME) || { echo '*** unexpected .so name/number for libapparmor (expected $(EXPECTED_SO_NAME), the actual filename is shown below) ***' ; ls -l ./.libs/libapparmor.so.*.* ; exit 1; }
+
 EXTRA_DIST = grammar.y scanner.l libapparmor.map libapparmor.pc

libraries/libapparmor/src/features.c

@@ -194,6 +194,8 @@ static int features_dir_cb(int dirfd, const char *name, struct stat *st,
 	if (features_snprintf(fst, "%s {", name) == -1)
 		return -1;
 
+	/* Handle symlink here. See _aa_dirat_for_each in private.c */
+
 	if (S_ISREG(st->st_mode)) {
 		ssize_t len;
 		size_t remaining;

libraries/libapparmor/src/grammar.y

@@ -159,7 +159,9 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_NAMESPACE
 %token TOK_KEY_ERROR
 %token TOK_KEY_FSUID
+%token TOK_KEY_FSUID_UPPER
 %token TOK_KEY_OUID
+%token TOK_KEY_OUID_UPPER
 %token TOK_KEY_UID
 %token TOK_KEY_AUID
 %token TOK_KEY_SAUID
@@ -185,6 +187,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_FSTYPE
 %token TOK_KEY_FLAGS
 %token TOK_KEY_SRCNAME
+%token TOK_KEY_CLASS
 
 %token TOK_SOCKLOGD_KERNEL
 %token TOK_SYSLOG_KERNEL
@@ -351,6 +354,10 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->fsuid = $3;}
 	| TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
 	{ ret_record->ouid = $3;}
+	| TOK_KEY_FSUID_UPPER TOK_EQUALS TOK_QUOTED_STRING
+	{ free($3);} /* Ignore - fsuid username */
+	| TOK_KEY_OUID_UPPER TOK_EQUALS TOK_QUOTED_STRING
+	{ free($3);} /* Ignore - ouid username */
 	| TOK_KEY_SAUID TOK_EQUALS TOK_DIGITS
 	{ /* Ignore - Source audit ID from user AVC messages */ }
 	| TOK_KEY_HOSTNAME TOK_EQUALS safe_string
@@ -425,6 +432,8 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 		ret_record->event = AA_RECORD_INVALID;
 		ret_record->info = $1;
 	}
+	| TOK_KEY_CLASS TOK_EQUALS TOK_QUOTED_STRING
+	{ ret_record->class = $3; }
 	;
 
 apparmor_event:

libraries/libapparmor/src/libaalogparse.c

@@ -103,6 +103,8 @@ void free_record(aa_log_record *record)
 			free(record->flags);
 		if (record->src_name != NULL)
 			free(record->src_name);
+		if (record->class != NULL)
+			free(record->class);
 
 		free(record);
 	}

libraries/libapparmor/src/policy_cache.c

@@ -45,6 +45,8 @@ struct aa_policy_cache {
 static int clear_cache_cb(int dirfd, const char *path, struct stat *st,
 			  void *data unused)
 {
+	/* Handle symlink here. See _aa_dirat_for_each in private.c */
+
 	if (S_ISREG(st->st_mode)) {
 		/* remove regular files */
 		return unlinkat(dirfd, path, 0);

libraries/libapparmor/src/private.c

@@ -452,7 +452,8 @@ int _aa_overlaydirat_for_each(int dirfd[], int n, void *data,
  *
  * The cb function is called with the DIR in use and the name of the
  * file in that directory.  If the file is to be opened it should
- * use the openat, fstatat, and related fns.
+ * use the openat, fstatat, and related fns. If the file is a symlink
+ * _aa_dirat_for_each currently tries to traverse it for the caller
  *
  * Returns: 0 on success, else -1 and errno is set to the error code
  */
@@ -485,14 +486,34 @@ int _aa_dirat_for_each(int dirfd, const char *name, void *data,
 		autofree struct dirent *dir = namelist[i];
 		struct stat my_stat;
 
-		if (rc)
-			continue;
-
-		if (fstatat(cb_dirfd, dir->d_name, &my_stat, 0)) {
+		if (fstatat(cb_dirfd, dir->d_name, &my_stat, AT_SYMLINK_NOFOLLOW)) {
 			PDEBUG("stat failed for '%s': %m\n", dir->d_name);
 			rc = -1;
 			continue;
 		}
+		/* currently none of the callers handle symlinks, and this
+		 * same basic code was applied to each. So for this patch
+		 * just drop it here.
+		 *
+		 * Going forward we need to start handling symlinks as
+		 * they have meaning.
+		 * In the case of
+		 * cache: they act as a place holder for files that have been
+		 *        combined into a single binary. This enables the
+		 *        file based cache lookup time find that relation
+		 *        and dedup, so multiple loads aren't done.
+		 * profiles: just a profile in an alternate location, but
+		 *           should do dedup detection when doing dir reads
+		 *           so we don't double process.
+		 */
+		if (S_ISLNK(my_stat.st_mode)) {
+			/* just traverse the symlink */
+			if (fstatat(cb_dirfd, dir->d_name, &my_stat, 0)) {
+				PDEBUG("symlink target stat failed for '%s': %m\n", dir->d_name);
+				rc = -1;
+				continue;
+			}
+		}
 
 		if (cb(cb_dirfd, dir->d_name, &my_stat, data)) {
 			PDEBUG("dir_for_each callback failed for '%s'\n",

libraries/libapparmor/src/scanner.l

@@ -72,7 +72,7 @@ void string_buf_append(unsigned int length, char *text)
 
 %}
 
-ws		[ \t\r\n]
+ws		[ \t\r\n\x1d]
 
 equals		"="
 digit		[[:digit:]]
@@ -121,6 +121,8 @@ key_namespace		"namespace"
 key_mask		"mask"
 key_denied_mask		"denied_mask"
 key_requested_mask	"requested_mask"
+key_denied		"denied"
+key_requested		"requested"
 key_attribute		"attribute"
 key_task		"task"
 key_parent		"parent"
@@ -138,7 +140,9 @@ key_sock_type		"sock_type"
 key_protocol		"protocol"
 key_error		"error"
 key_fsuid		"fsuid"
+key_fsuid_upper		"FSUID"
 key_ouid		"ouid"
+key_ouid_upper		"OUID"
 key_uid			"uid"
 key_auid		"auid"
 key_sauid		"sauid"
@@ -161,11 +165,13 @@ key_dest		"dest"
 key_path		"path"
 key_interface		"interface"
 key_member		"member"
+key_method		"method"
 key_signal		"signal"
 key_peer		"peer"
 key_fstype		"fstype"
 key_flags		"flags"
 key_srcname		"srcname"
+key_class		"class"
 audit			"audit"
 
 /* network addrs */
@@ -307,6 +313,8 @@ yy_flex_debug = 0;
 {key_mask}		{ return(TOK_KEY_MASK); }
 {key_denied_mask}	{ return(TOK_KEY_DENIED_MASK); }
 {key_requested_mask}	{ return(TOK_KEY_REQUESTED_MASK); }
+{key_denied}		{ return(TOK_KEY_DENIED_MASK); }
+{key_requested}		{ return(TOK_KEY_REQUESTED_MASK); }
 {key_attribute}		{ BEGIN(sub_id); return(TOK_KEY_ATTRIBUTE); }
 {key_task}		{ return(TOK_KEY_TASK); }
 {key_parent}		{ return(TOK_KEY_PARENT); }
@@ -324,7 +332,9 @@ yy_flex_debug = 0;
 {key_protocol}		{ return(TOK_KEY_PROTOCOL); }
 {key_error}		{ return(TOK_KEY_ERROR); }
 {key_fsuid}		{ return(TOK_KEY_FSUID); }
+{key_fsuid_upper}	{ return(TOK_KEY_FSUID_UPPER); }
 {key_ouid}		{ return(TOK_KEY_OUID); }
+{key_ouid_upper}	{ return(TOK_KEY_OUID_UPPER); }
 {key_uid}		{ return(TOK_KEY_UID); }
 {key_auid}		{ return(TOK_KEY_AUID); }
 {key_sauid}		{ return(TOK_KEY_SAUID); }
@@ -346,11 +356,13 @@ yy_flex_debug = 0;
 {key_path}		{ return(TOK_KEY_PATH); }
 {key_interface}		{ return(TOK_KEY_INTERFACE); }
 {key_member}		{ return(TOK_KEY_MEMBER); }
+{key_method}		{ return(TOK_KEY_MEMBER); }
 {key_signal}		{ BEGIN(sub_id); return(TOK_KEY_SIGNAL); }
 {key_peer}		{ BEGIN(safe_string); return(TOK_KEY_PEER); }
 {key_fstype}		{ return(TOK_KEY_FSTYPE); }
 {key_flags}		{ BEGIN(safe_string); return(TOK_KEY_FLAGS); }
 {key_srcname}		{ BEGIN(safe_string); return(TOK_KEY_SRCNAME); }
+{key_class}		{ BEGIN(safe_string); return(TOK_KEY_CLASS); }
 
 {socklogd_kernel}	{ BEGIN(dmesg_timestamp); return(TOK_SOCKLOGD_KERNEL); }
 {syslog_kernel}		{ BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }

libraries/libapparmor/swig/python/test/Makefile.am

@@ -10,8 +10,7 @@ test_python.py: test_python.py.in $(top_builddir)/config.status
 
 CLEANFILES = test_python.py
 
-# bah, how brittle is this?
-PYTHON_DIST_BUILD_PATH = '$(builddir)/../build/$$($(PYTHON) -c "import sysconfig; print(\"lib.%s-%s\" %(sysconfig.get_platform(), sysconfig.get_python_version()))")'
+PYTHON_DIST_BUILD_PATH = '$(builddir)/../build/$$($(PYTHON) buildpath.py)'
 
 TESTS	= test_python.py
 TESTS_ENVIRONMENT = \

libraries/libapparmor/swig/python/test/buildpath.py

@@ -0,0 +1,13 @@
+#!/usr/bin/python3
+# the build path has changed in setuptools 62.1:
+# https://github.com/pypa/setuptools/commit/1c23f5e1e4b18b50081cbabb2dea22bf345f5894
+import sys
+import sysconfig
+import setuptools
+
+
+if tuple(map(int, setuptools.__version__.split("."))) >= (62, 1):
+    identifier = sys.implementation.cache_tag
+else:
+    identifier = "%d.%d" % sys.version_info[:2]
+print("lib.%s-%s" % (sysconfig.get_platform(), identifier))

libraries/libapparmor/swig/python/test/test_python.py.in

@@ -34,6 +34,7 @@ OUTPUT_MAP = {
     'Local port':       'net_local_port',
     'Foreign port':     'net_foreign_port',
     'Audit subid':      'audit_sub_id',
+    'Class':            '_class',
 }
 
 # FIXME: pull this automatically out of LibAppArmor, but swig
@@ -108,7 +109,7 @@ class AAPythonBindingsTests(unittest.TestCase):
         '''parse the swig created record and construct a dict from it'''
 
         new_record = dict()
-        for key in [x for x in dir(record) if not (x.startswith('_') or x == 'this')]:
+        for key in [x for x in dir(record) if not (x.startswith('__') or x == 'this')]:
             value = getattr(record, key)
             if key == "event" and value in EVENT_MAP:
                 new_record[key] = EVENT_MAP[value]

libraries/libapparmor/testsuite/test_multi.c

@@ -134,6 +134,8 @@ int print_results(aa_log_record *record)
 		print_string("Flags", record->flags);
 		print_string("Src name", record->src_name);
 
+		print_string("Class", record->class);
+
 		print_long("Epoch", record->epoch, 0);
 		print_long("Audit subid", (long) record->audit_sub_id, 0);
 	return(0);

libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1661734785.992:270): apparmor="ALLOWED" operation="open" profile="/usr/bin/dolphin" name="/home/otis/.config/kdedefaults/kdeglobals" pid=3483 comm="dolphin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0FSUID="otis" OUID="root"

libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.out

@@ -0,0 +1,15 @@
+START
+File: 0x1d-uppercase-FSUID-OUID.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1661734785.992:270
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /usr/bin/dolphin
+Name: /home/otis/.config/kdedefaults/kdeglobals
+Command: dolphin
+PID: 3483
+Epoch: 1661734785
+Audit subid: 270

libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.profile

@@ -0,0 +1,4 @@
+/usr/bin/dolphin {
+  /home/otis/.config/kdedefaults/kdeglobals r,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.in

@@ -0,0 +1 @@
+Dec 15 17:32:17 kinetic kernel: [4835959.046111] audit: type=1107 audit(1671125537.724:209): pid=7308 uid=0 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" method="Hello" mask="send" label="/tmp/apparmor/tests/regression/apparmor/dbus_message" peer_label="unconfined" exe="/usr/local/bin/dbus-broker" sauid=0 hostname=? addr=? terminal=?'

libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.out

@@ -0,0 +1,15 @@
+START
+File: testcase_dbus_11.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1671125537.724:209
+Operation: dbus_method_call
+Denied Mask: send
+Profile: /tmp/apparmor/tests/regression/apparmor/dbus_message
+Peer profile: unconfined
+Command: /usr/local/bin/dbus-broker
+DBus bus: session
+DBus path: /org/freedesktop/DBus
+DBus interface: org.freedesktop.DBus
+DBus member: Hello
+Epoch: 1671125537
+Audit subid: 209

libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.profile

@@ -0,0 +1,4 @@
+/tmp/apparmor/tests/regression/apparmor/dbus_message {
+  dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(label=unconfined),
+
+}

parser/Makefile

@@ -70,6 +70,8 @@ CFLAGS = -g -pg -fprofile-arcs -ftest-coverage
 endif
 endif #CFLAGS
 
+CFLAGS	+= -flto-partition=none
+
 EXTRA_CXXFLAGS = ${CFLAGS} ${CPPFLAGS} ${CXX_WARNINGS} -std=gnu++0x
 EXTRA_CFLAGS = ${EXTRA_CXXFLAGS} ${CPP_WARNINGS}
 
@@ -384,11 +386,11 @@ DISTRO=$(shell if [ -f /etc/slackware-version ] ; then \
 	       elif [ -f /etc/debian_version ] ; then \
 	         echo debian ;\
 	       elif which rpm > /dev/null ; then \
-	         if [ "$(rpm --eval '0%{?suse_version}')" != "0" ] ; then \
+	         if [ "$$(rpm --eval '0%{?suse_version}')" != "0" ] ; then \
 	             echo suse ;\
-	         elif [ "$(rpm --eval '%{_host_vendor}')" = redhat ] ; then \
+	         elif [ "$$(rpm --eval '%{_host_vendor}')" = redhat ] ; then \
 	            echo rhel4 ;\
-	         elif [ "$(rpm --eval '0%{?fedora}')" != "0" ] ; then \
+	         elif [ "$$(rpm --eval '0%{?fedora}')" != "0" ] ; then \
 	            echo rhel4 ;\
 	         else \
 	            echo unknown ;\
@@ -419,6 +421,7 @@ install-indep: indep
 	install -m 755 -d ${DESTDIR}/var/lib/apparmor
 	install -m 755 -d $(APPARMOR_BIN_PREFIX)
 	install -m 755 rc.apparmor.functions $(APPARMOR_BIN_PREFIX)
+	install -m 755 profile-load $(APPARMOR_BIN_PREFIX)
 	$(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR}
 	$(MAKE) install_manpages DESTDIR=${DESTDIR}
 

parser/af_unix.cc

@@ -111,8 +111,7 @@ unix_rule::unix_rule(unsigned int type_p, bool audit_p, bool denied):
 
 unix_rule::unix_rule(int mode_p, struct cond_entry *conds,
 		     struct cond_entry *peer_conds):
-	af_rule("unix"), addr(NULL), peer_addr(NULL),
-	audit(0), deny(0)
+	af_rule("unix"), addr(NULL), peer_addr(NULL)
 {
 	move_conditionals(conds);
 	move_peer_conditionals(peer_conds);
@@ -136,7 +135,7 @@ ostream &unix_rule::dump_local(ostream &os)
 {
 	af_rule::dump_local(os);
 	if (addr)
-		os << "addr='" << addr << "'";
+		os << " addr='" << addr << "'";
 	return os;
 }
 
@@ -144,7 +143,7 @@ ostream &unix_rule::dump_peer(ostream &os)
 {
 	af_rule::dump_peer(os);
 	if (peer_addr)
-		os << "addr='" << peer_addr << "'";
+		os << " addr='" << peer_addr << "'";
 	return os;
 }
 

parser/af_unix.h

@@ -36,9 +36,6 @@ class unix_rule: public af_rule {
 public:
 	char *addr;
 	char *peer_addr;
-	int mode;
-	int audit;
-	bool deny;
 
 	unix_rule(unsigned int type_p, bool audit_p, bool denied);
 	unix_rule(int mode, struct cond_entry *conds,

parser/apparmor.systemd

@@ -71,6 +71,13 @@ fi
 
 case "$1" in
 	start)
+		if [ -x /usr/bin/systemd-detect-virt ] && \
+		   systemd-detect-virt --quiet --container && \
+		   ! is_container_with_internal_policy; then
+			aa_log_daemon_msg "Not starting AppArmor in container"
+			aa_log_end_msg 0
+			exit 0
+		fi
 		apparmor_start
 		rc=$?
 		;;
@@ -79,6 +86,13 @@ case "$1" in
 		rc=$?
 		;;
 	restart|reload|force-reload)
+		if [ -x /usr/bin/systemd-detect-virt ] && \
+		   systemd-detect-virt --quiet --container && \
+		   ! is_container_with_internal_policy; then
+			aa_log_daemon_msg "Not starting AppArmor in container"
+			aa_log_end_msg 0
+			exit 0
+		fi
 		apparmor_restart
 		rc=$?
 		;;

parser/capability.h

@@ -19,8 +19,25 @@
 #ifndef __AA_CAPABILITY_H
 #define __AA_CAPABILITY_H
 
+#include <cstdint>
+#include <linux/capability.h>
+
 #define NO_BACKMAP_CAP 0xff
 
+
+#ifndef CAP_AUDIT_WRITE
+#define CAP_AUDIT_WRITE 29
+#endif
+#ifndef CAP_AUDIT_CONTROL
+#define CAP_AUDIT_CONTROL 30
+#endif
+#ifndef CAP_SETFCAP
+#define CAP_SETFCAP	     31
+#endif
+#ifndef CAP_MAC_OVERRIDE
+#define CAP_MAC_OVERRIDE     32
+#endif
+
 #ifndef CAP_PERFMON
 #define CAP_PERFMON 38
 #endif

parser/libapparmor_re/chfa.cc

@@ -193,9 +193,8 @@ void CHFA::insert_state(vector<pair<size_t, size_t> > &free_list,
 	State *default_state = dfa.nonmatching;
 	ssize_t base = 0;
 	int resize;
-
 	StateTrans &trans = from->trans;
-	ssize_t c = trans.begin()->first.c;
+	ssize_t c;
 	ssize_t prev = 0;
 	ssize_t x = first_free;
 
@@ -204,6 +203,7 @@ void CHFA::insert_state(vector<pair<size_t, size_t> > &free_list,
 	if (trans.empty())
 		goto do_insert;
 
+	c = trans.begin()->first.c;
 repeat:
 	resize = 0;
 	/* get the first free entry that won't underflow */
@@ -251,10 +251,18 @@ repeat:
 			first_free = next;
 	}
 
-do_insert:
+	/* these flags will only be set on states that have transitions */
 	if (c < 0) {
 		base |= MATCH_FLAG_OOB_TRANSITION;
 	}
+do_insert:
+	/* While a state without transitions could have the diff encode
+	 * flag set, it would be pointless resulting in just an extra
+	 * state transition in the encoding chain, and so it should be
+	 * considered an error
+	 * TODO: add check that state without transitions isn't being
+	 * given a diffencode flag
+	 */
 	if (from->flags & DiffEncodeFlag)
 		base |= DiffEncodeBit32;
 	default_base.push_back(make_pair(default_state, base));

parser/libapparmor_re/expr-tree.h

@@ -543,9 +543,9 @@ public:
 
 	int min_match_len()
 	{
-		if (contains_oob()) {
-			return 0;
-		}
+		/* Inverse match does not match any oob char at this time
+		 * so only count characters
+		 */
 		return 1;
 	}
 

parser/parser_lex.l

@@ -141,6 +141,8 @@ static int include_dir_cb(int dirfd unused, const char *name, struct stat *st,
 		return 0;
 	}
 
+	/* Handle symlink here. See _aa_dirat_for_each in private.c */
+
 	if (S_ISREG(st->st_mode)) {
 		if (!(yyin = fopen(path,"r")))
 			yyerror(_("Could not open '%s' in '%s'"), path, d->filename);

parser/parser_main.c

@@ -1332,6 +1332,8 @@ static int profile_dir_cb(int dirfd unused, const char *name, struct stat *st,
 {
 	int rc = 0;
 
+	/* Handle symlink here. See _aa_dirat_for_each in private.c */
+
 	if (!S_ISDIR(st->st_mode) && !is_blacklisted(name, NULL)) {
 		struct dir_cb_data *cb_data = (struct dir_cb_data *)data;
 		autofree char *path = NULL;
@@ -1354,6 +1356,8 @@ static int binary_dir_cb(int dirfd unused, const char *name, struct stat *st,
 {
 	int rc = 0;
 
+	/* Handle symlink here. See _aa_dirat_for_each in private.c */
+
 	if (!S_ISDIR(st->st_mode) && !is_blacklisted(name, NULL)) {
 		struct dir_cb_data *cb_data = (struct dir_cb_data *)data;
 		autofree char *path = NULL;
@@ -1546,7 +1550,7 @@ int main(int argc, char *argv[])
 			if ((retval = dirat_for_each(AT_FDCWD, profilename,
 						     &cb_data, cb))) {
 				last_error = errno;
-				PDEBUG("Failed loading profiles from %s\n",
+				PERROR("There was an error while loading profiles from %s\n",
 				       profilename);
 				if (abort_on_error)
 					break;

parser/parser_yacc.y

@@ -44,20 +44,6 @@
 #include <netinet/in.h>
 #include <arpa/inet.h>
 
-#include <linux/capability.h>
-
-#ifndef CAP_AUDIT_WRITE
-#define CAP_AUDIT_WRITE 29
-#endif
-#ifndef CAP_AUDIT_CONTROL
-#define CAP_AUDIT_CONTROL 30
-#endif
-#ifndef CAP_SETFCAP
-#define CAP_SETFCAP	     31
-#endif
-#ifndef CAP_MAC_OVERRIDE
-#define CAP_MAC_OVERRIDE     32
-#endif
 
 #define CIDR_32 htonl(0xffffffff)
 #define CIDR_24 htonl(0xffffff00)

parser/profile-load

@@ -0,0 +1,48 @@
+#!/bin/sh
+# profile-load
+#
+# ----------------------------------------------------------------------
+#    Copyright (c) 2010-2015 Canonical, Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, contact Canonical, Ltd.
+# ----------------------------------------------------------------------
+#
+# Helper for loading an AppArmor profile in pre-start scripts.
+
+[ -z "$1" ]                  && exit 1 # require a profile name
+
+. /lib/apparmor/rc.apparmor.functions
+
+# do not load in a container
+[ -x /usr/bin/systemd-detect-virt ] && systemd-detect-virt --quiet --container && ! is_container_with_internal_policy && exit 0 || true
+
+[ -d /rofs/etc/apparmor.d ]  && exit 0 # do not load if running liveCD
+
+profile=/etc/apparmor.d/"$1"
+[ -e "$profile" ]            || exit 0 # skip when missing profile
+
+module=/sys/module/apparmor
+[ -d $module ]               || exit 0 # do not load without AppArmor in kernel
+
+[ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser
+
+aafs=/sys/kernel/security/apparmor
+[ -d $aafs ]                 || exit 0 # do not load if unmounted
+[ -w $aafs/.load ]           || exit 1 # fail if cannot load profiles
+
+params=$module/parameters
+[ -r $params/enabled ]       || exit 0 # do not load if missing
+read enabled < $params/enabled || exit 1 # if this fails, something went wrong
+[ "$enabled" = "Y" ]         || exit 0 # do not load if disabled
+
+/sbin/apparmor_parser -r -W "$profile" || exit 0 # LP: #1058356

parser/tst/Makefile

@@ -17,8 +17,8 @@ endif
 
 all: tests
 
-.PHONY: tests error_output gen_dbus gen_xtrans parser_sanity caching minimize equality valgrind
-tests: error_output caching minimize equality parser_sanity
+.PHONY: tests error_output gen_dbus gen_xtrans parser_sanity caching minimize equality dirtest valgrind
+tests: error_output caching minimize equality dirtest parser_sanity
 
 GEN_TRANS_DIRS=simple_tests/generated_x/ simple_tests/generated_perms_leading/ simple_tests/generated_perms_safe/ simple_tests/generated_dbus
 
@@ -46,6 +46,9 @@ minimize: $(PARSER)
 equality: $(PARSER)
 	LANG=C APPARMOR_PARSER="$(PARSER) $(PARSER_ARGS)" ./equality.sh
 
+dirtest: $(PARSER)
+	LANG=C APPARMOR_PARSER="$(PARSER) $(PARSER_ARGS)" ./dirtest.sh
+
 valgrind: $(PARSER) gen_xtrans gen_dbus
 	LANG=C ./valgrind_simple.py -p "$(PARSER) $(PARSER_ARGS)" -v simple_tests
 

parser/tst/dirtest.sh

@@ -0,0 +1,73 @@
+#!/bin/sh
+#
+#   Copyright (c) 2022
+#   Canonical, Ltd. (All rights reserved)
+#
+#   This program is free software; you can redistribute it and/or
+#   modify it under the terms of version 2 of the GNU General Public
+#   License published by the Free Software Foundation.
+#
+#   This program is distributed in the hope that it will be useful,
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#   GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program; if not, contact Canonical Ltd.
+#
+
+# simple test to ensure dir is being iterated as expected
+# yes this needs to be improved and reworked
+
+
+# passed in by Makefile
+#APPARMOR_PARSER="${APPARMOR_PARSER:-../apparmor_parser}"
+
+
+do_tst() {
+	local msg="$1"
+	local expected="$2"
+	local rc=0
+	shift 2
+	#global tmpdir
+
+	${APPARMOR_PARSER} "$@" > "$tmpdir/out.unsorted" 2>/dev/null
+	rc=$?
+	LC_ALL=C sort "$tmpdir/out.unsorted" > "$tmpdir/out"
+	if [ $rc -ne 0 ] && [ "$expected" != "fail" ] ; then
+		echo "failed: expected \"$expected\" but parser returned error"
+		return 1
+	fi
+	if [ $rc -eq 0 ] && [ "$expected" = "fail" ] ; then
+		echo "succeeded unexpectedly: expected \"$expected\" but parser returned success"
+		return 1
+	fi
+	if ! diff -q "$tmpdir/out" dirtest/dirtest.out ; then
+		echo "failed: expected \"$expected\" but output comparison failed"
+		diff -u dirtest/dirtest.out "$tmpdir/out"
+		return 1
+	fi
+
+	return 0
+}
+
+tmpdir=$(mktemp -d "$tmpdir.XXXXXXXX")
+chmod 755 "$tmpdir"
+export tmpdir
+
+rc=0
+
+# pass - no parser errors and output matches
+# error - parser error and output matches
+# fail - comparison out parser output failed
+do_tst "good dir list" pass -N dirtest/gooddir/ || rc=1
+do_tst "bad link in dir" fail -N dirtest/badlink/ || rc=1
+do_tst "bad profile in dir" fail -N dirtest/badprofile/ || rc=1
+
+rm -rf "$tmpdir"
+
+if [ $rc -eq 0 ] ; then
+	echo "PASS"
+fi
+
+exit $rc

parser/tst/dirtest/badlink/bar

@@ -0,0 +1 @@
+foo

parser/tst/dirtest/badlink/good_link

@@ -0,0 +1 @@
+../goodtarget

parser/tst/dirtest/badlink/profileA

@@ -0,0 +1,2 @@
+profile a_profile {
+}

parser/tst/dirtest/badlink/profileB

@@ -0,0 +1,2 @@
+profile b_profile {
+}

parser/tst/dirtest/badprofile/bad

@@ -0,0 +1,3 @@
+profile bad_profile {
+  file
+}

parser/tst/dirtest/badprofile/good_link

@@ -0,0 +1 @@
+../goodtarget

parser/tst/dirtest/badprofile/profileA

@@ -0,0 +1,2 @@
+profile a_profile {
+}

parser/tst/dirtest/badprofile/profileB

@@ -0,0 +1,2 @@
+profile b_profile {
+}

parser/tst/dirtest/dirtest.out

@@ -0,0 +1,3 @@
+a_profile
+b_profile
+good_target

parser/tst/dirtest/gooddir/good_link

@@ -0,0 +1 @@
+../goodtarget

parser/tst/dirtest/gooddir/profileA

@@ -0,0 +1,2 @@
+profile a_profile {
+}

parser/tst/dirtest/gooddir/profileB

@@ -0,0 +1,2 @@
+profile b_profile {
+}

parser/tst/dirtest/goodtarget

@@ -0,0 +1,2 @@
+profile good_target {
+}

parser/tst/testlib.py

@@ -96,7 +96,7 @@ class AATestTemplate(unittest.TestCase, metaclass=AANoCleanupMetaClass):
             sp = subprocess.Popen(command, stdin=stdin, stdout=stdout, stderr=stderr,
                                   close_fds=True, preexec_fn=subprocess_setup, universal_newlines=True)
         except OSError as e:
-            return [127, str(e)]
+            return [127, str(e), '']
 
         timeout_communicate = TimeoutFunction(sp.communicate, timeout)
         out, outerr = (None, None)

profiles/Makefile

@@ -41,7 +41,7 @@ ifdef USE_SYSTEM
     LOGPROF?=aa-logprof
 else
     # PYTHON_DIST_BUILD_PATH based on libapparmor/swig/python/test/Makefile.am
-    PYTHON_DIST_BUILD_PATH = ../libraries/libapparmor/swig/python/build/$$($(PYTHON) -c "import sysconfig; print(\"lib.%s-%s\" %(sysconfig.get_platform(), sysconfig.get_python_version()))")
+    PYTHON_DIST_BUILD_PATH = ../libraries/libapparmor/swig/python/build/$$($(PYTHON) ../libraries/libapparmor/swig/python/test/buildpath.py)
     LIBAPPARMOR_PATH=../libraries/libapparmor/src/.libs/
     LD_LIBRARY_PATH=$(LIBAPPARMOR_PATH):$(PYTHON_DIST_BUILD_PATH)
     PYTHONPATH=../utils/:$(PYTHON_DIST_BUILD_PATH)

profiles/apparmor.d/abstractions/apache2-common

@@ -6,6 +6,10 @@
 
   include <abstractions/nameservice>
 
+  # Allow other processes to read our /proc entries
+  ptrace (readby),
+  # Allow other processes to trace us by default
+  ptrace (tracedby),
   # Allow unconfined processes to send us signals by default
   signal (receive) peer=unconfined,
   # Allow apache to send us signals by default

profiles/apparmor.d/abstractions/audio

@@ -85,5 +85,8 @@ owner @{HOME}/.local/share/openal/hrtf/{,**} r,
 # wildmidi
 /etc/wildmidi/wildmidi.cfg r,
 
+# pipewire
+/usr/share/pipewire/client.conf r,
+
   # Include additions to the abstraction
   include if exists <abstractions/audio.d>

profiles/apparmor.d/abstractions/base

@@ -101,6 +101,7 @@
   @{PROC}/cpuinfo                r,
   @{sys}/devices/system/cpu/       r,
   @{sys}/devices/system/cpu/online r,
+  @{sys}/devices/system/cpu/possible r,
 
   # glibc's *printf protections read the maps file
   @{PROC}/@{pid}/{maps,auxv,status} r,

profiles/apparmor.d/abstractions/crypto

@@ -13,6 +13,7 @@
 
   abi <abi/3.0>,
 
+  @{etc_ro}/gcrypt/hwf.deny r,
   @{etc_ro}/gcrypt/random.conf r,
   @{PROC}/sys/crypto/fips_enabled r,
 

profiles/apparmor.d/abstractions/exo-open

@@ -51,13 +51,6 @@
 
   /{,usr/}bin/which rix,
 
-  # Deny DBus
-
-  # for GTK error message dialog, not required exo-open to work.
-  deny dbus send
-    bus=session
-    path=/org/gtk/vfs/mounttracker,
-
   # System files
 
   /etc/xdg/{,xdg-*/}xfce4/helpers.rc r,

profiles/apparmor.d/abstractions/groff

@@ -0,0 +1,67 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2009 Novell/SUSE
+#    Copyright (C) 2009 Canonical Ltd.
+#    Copyright (C) 2023 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  # Note: executing groff and nroff themself is not included in this abstraction
+  # so that you can choose to ix, Px or Cx them in your profile
+
+  # groff/nroff helpers, preprocessors, and postprocessors
+  /usr/bin/addftinfo mrix,
+  /usr/bin/afmtodit mrix,
+  /usr/bin/chem mrix,
+  /usr/bin/eqn mrix,
+  /usr/bin/eqn2graph mrix,
+  /usr/bin/gdiffmk mrix,
+  /usr/bin/geqn mrix,
+  /usr/bin/grap2graph mrix,
+  /usr/bin/grn mrix,
+  /usr/bin/grodvi mrix,
+  /usr/bin/groffer mrix,
+  /usr/bin/grog mrix,
+  /usr/bin/grolbp mrix,
+  /usr/bin/grolj4 mrix,
+  /usr/bin/gropdf mrix,
+  /usr/bin/grops mrix,
+  /usr/bin/grotty mrix,
+  /usr/bin/gtbl mrix,
+  /usr/bin/hpftodit mrix,
+  /usr/bin/indxbib mrix,
+  /usr/bin/lkbib mrix,
+  /usr/bin/lookbib mrix,
+  /usr/bin/mmroff mrix,
+  /usr/bin/neqn mrix,
+  /usr/bin/pdfmom mrix,
+  /usr/bin/pdfroff mrix,
+  /usr/bin/pfbtops mrix,
+  /usr/bin/pic mrix,
+  /usr/bin/pic2graph mrix,
+  /usr/bin/post-grohtml mrix,
+  /usr/bin/pre-grohtml mrix,
+  /usr/bin/preconv mrix,
+  /usr/bin/refer mrix,
+  /usr/bin/roff2dvi mrix,
+  /usr/bin/roff2html mrix,
+  /usr/bin/roff2pdf mrix,
+  /usr/bin/roff2ps mrix,
+  /usr/bin/roff2text mrix,
+  /usr/bin/roff2x mrix,
+  /usr/bin/soelim mrix,
+  /usr/bin/tbl mrix,
+  /usr/bin/tfmtodit mrix,
+  /usr/bin/troff mrix,
+  /usr/bin/xtotroff mrix,
+
+  # at least its macros and fonts
+  /usr/libexec/groff/** r,
+  /usr/share/groff/** r,
+
+  # Include additions to the abstraction
+  include if exists <abstractions/groff.d>

profiles/apparmor.d/abstractions/gtk

@@ -16,14 +16,14 @@
   /usr/share/gtk-2.0/ r,
   /usr/share/gtk-2.0/gtkrc r,
 
-  /usr/share/gtk-3.0/ r,
-  /usr/share/gtk-3.0/settings.ini r,
+  /usr/share/gtk-{3,4}.0/ r,
+  /usr/share/gtk-{3,4}.0/settings.ini r,
 
   /etc/gtk-2.0/ r,
   /etc/gtk-2.0/gtkrc r,
 
-  /etc/gtk-3.0/ r,
-  /etc/gtk-3.0/*.conf r,
+  /etc/gtk-{3,4}.0/ r,
+  /etc/gtk-{3,4}.0/*.conf r,
 
   /etc/gtk/gtkrc r,
 
@@ -36,10 +36,10 @@
   owner @{HOME}/.gtk-bookmarks r,
   owner @{HOME}/.config/gtkrc r,
   owner @{HOME}/.config/gtkrc-2.0 r,
-  owner @{HOME}/.config/gtk-3.0/ rw,
-  owner @{HOME}/.config/gtk-3.0/settings.ini r,
-  owner @{HOME}/.config/gtk-3.0/bookmarks r,
-  owner @{HOME}/.config/gtk-3.0/gtk.css r,
+  owner @{HOME}/.config/gtk-{3,4}.0/ rw,
+  owner @{HOME}/.config/gtk-{3,4}.0/settings.ini r,
+  owner @{HOME}/.config/gtk-{3,4}.0/bookmarks r,
+  owner @{HOME}/.config/gtk-{3,4}.0/gtk.css r,
 
   # for gtk file dialog
   owner @{HOME}/.config/gtk-2.0/ rw,

profiles/apparmor.d/abstractions/ibus

@@ -16,5 +16,14 @@
   owner @{HOME}/.config/ibus/bus/ rw,
   owner @{HOME}/.config/ibus/bus/* rw,
 
+  # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{HOME}/.cache)
+  # This should use this, but due to LP: #1856738 we cannot
+  #unix (connect, receive, send)
+  #    type=stream
+  #    peer=(addr="@@{HOME}/.cache/ibus/dbus-*"),
+  unix (connect, receive, send)
+       type=stream
+       peer=(addr="@/home/*/.cache/ibus/dbus-*"),
+
   # Include additions to the abstraction
   include if exists <abstractions/ibus.d>

profiles/apparmor.d/abstractions/kde

@@ -41,8 +41,11 @@ owner @{HOME}/.config/Trolltech.conf rwk,
 owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
 owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
 owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
+owner @{HOME}/.config/kdedefaults/kdeglobals r, # QPlatformThemeFactory::create() -> KDEPlasmaPlatformTheme.so
+owner @{HOME}/.config/kdedefaults/kwinrc r, # QStyleFactory::create() -> qt5/plugins/styles/breeze.so
 owner @{HOME}/.config/kdeglobals r, # global settings, used by Breeze style, etc.
 owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
+owner @{HOME}/.config/kwinrc r, # QStyleFactory::create() -> qt5/plugins/styles/breeze.so
 owner @{HOME}/.config/trashrc r, # Used by KFileWidget
 
 /usr/share/X11/XKeysymDB r,

profiles/apparmor.d/abstractions/mesa

@@ -10,6 +10,8 @@
   # (src/intel/perf/gen_perf.c, load_oa_metrics())
   @{PROC}/sys/dev/i915/perf_stream_paranoid r,
 
+  @{sys}/devices/pci[0-9]*/**/{revision,config} r,
+
   # User files
   owner @{HOME}/.cache/ w, # if user clears all caches
   owner @{HOME}/.cache/mesa_shader_cache/ rw,

profiles/apparmor.d/abstractions/nameservice

@@ -44,6 +44,7 @@
   @{run}/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
   @{etc_ro}/resolvconf/run/resolv.conf  r,
   @{run}/systemd/resolve/stub-resolv.conf r,
+  /mnt/wsl/resolv.conf r,
 
   @{etc_ro}/samba/lmhosts  r,
   @{etc_ro}/services       r,

profiles/apparmor.d/abstractions/nss-systemd

@@ -24,6 +24,7 @@
   @{run}/systemd/userdb/io.systemd.DynamicUser rw,        # systemd-exec users
   @{run}/systemd/userdb/io.systemd.Home rw,               # systemd-home dirs
   @{run}/systemd/userdb/io.systemd.NameServiceSwitch rw,  # UNIX/glibc NSS
+  @{run}/systemd/userdb/io.systemd.Machine rw,            # systemd-machined
 
   @{PROC}/sys/kernel/random/boot_id r,
 

profiles/apparmor.d/abstractions/nvidia

@@ -23,9 +23,13 @@
 
   @{sys}/devices/system/memory/block_size_bytes r,
 
+  owner @{HOME}/.cache/nvidia/ w,
+  owner @{HOME}/.cache/nvidia/GLCache/ rw,
+  owner @{HOME}/.cache/nvidia/GLCache/** rwk,
   owner @{HOME}/.nv/ w,
   owner @{HOME}/.nv/GLCache/ rw,
   owner @{HOME}/.nv/GLCache/** rwk,
+  owner @{PROC}/@{pid}/comm r, # somehwere in libnvidia-glcore.so
 
   unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"),
 

profiles/apparmor.d/abstractions/openssl

@@ -11,6 +11,7 @@
   abi <abi/3.0>,
 
   /etc/ssl/openssl.cnf r,
+  /etc/ssl/openssl-*.cnf r,
   /etc/ssl/{engdef,engines}.d/ r,
   /etc/ssl/{engdef,engines}.d/*.cnf r,
   /usr/share/ssl/openssl.cnf r,

profiles/apparmor.d/abstractions/php

@@ -13,8 +13,7 @@
   abi <abi/3.0>,
 
   # shared snippets for config files
-  /etc/php{,5,7,8}/**/ r,
-  /etc/php{,5,7,8}/**.ini r,
+  /etc/php{,5,7,8}/** r,
 
   # Xlibs
   /usr/X11R6/lib{,32,64}/lib*.so* mr,

profiles/apparmor.d/abstractions/samba

@@ -25,14 +25,17 @@
   /var/log/samba/cores/** rw,
   /var/log/samba/* w,
   @{run}/{,lock/}samba/ w,
-  @{run}/{,lock/}samba/*.tdb rw,
-  @{run}/{,lock/}samba/msg.lock/ rwk,
-  @{run}/{,lock/}samba/msg.lock/[0-9]* rwk,
+  @{run}/{,lock/}samba/*.tdb rwk,
+  @{run}/{,lock/}samba/msg.{lock,sock}/ rwk,
+  @{run}/{,lock/}samba/msg.{lock,sock}/[0-9]* rwk,
+  /var/cache/samba/*.tdb rwk,
   /var/cache/samba/msg.lock/ rwk,
   /var/cache/samba/msg.lock/[0-9]* rwk,
 
   # required for clustering
   /var/lib/ctdb/** rwk,
 
+  deny capability net_admin, # noisy setsockopt() calls from systemd
+
   # Include additions to the abstraction
   include if exists <abstractions/samba.d>

profiles/apparmor.d/abstractions/samba-rpcd

@@ -0,0 +1,30 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2022 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+# This file contains basic permissions for samba rpcd_xyz services
+
+  abi <abi/3.0>,
+
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/samba>
+
+  capability setgid,
+  capability setuid,
+
+  signal receive set=term peer=smbd,
+
+  @{PROC}/sys/kernel/core_pattern r,
+  owner @{PROC}/@{pid}/fd/ r,
+
+  # Include additions to the abstraction
+  include if exists <abstractions/samba-rpcd.d>
+

profiles/apparmor.d/abstractions/snap_browsers

@@ -0,0 +1,42 @@
+profile snap_browsers {
+  include if exists <abstractions/snap_browsers.d>
+  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
+
+  /etc/passwd r,
+  /etc/nsswitch.conf r,
+  /etc/fstab r,
+
+  # noisy
+  deny owner /run/user/[0-9]*/gdm/Xauthority r, # not needed on Ubuntu
+
+  /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/bin/snap mrix, # re-exec
+  /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/info r,
+  /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snapd r,
+  /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-seccomp rPix,
+  /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-confine Pix,
+  /var/lib/snapd/system-key r,
+  /run/snapd.socket rw,
+
+  @{PROC}/version r,
+  @{PROC}/cmdline r,
+  @{PROC}/sys/net/core/somaxconn r,
+  @{PROC}/sys/kernel/seccomp/actions_avail r,
+  @{PROC}/sys/kernel/random/uuid r,
+  owner @{PROC}/@{pid}/cgroup r,
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{HOME}/.snap/auth.json r, # if exists, required
+
+  dbus send bus="session" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="StartTransientUnit" peer=(name="org.freedesktop.systemd1"),
+  dbus receive bus="session" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="JobRemoved",
+
+  /sys/kernel/security/apparmor/features/ r,
+
+  # allow launching official browser snaps.
+  /snap/chromium/[0-9]*/meta/{snap.yaml,hooks/} r,
+  /snap/firefox/[0-9]*/meta/{snap.yaml,hooks/} r,
+  /snap/opera/[0-9]*/meta/{snap.yaml,hooks/} r,
+
+  /var/lib/snapd/sequence/{chromium,firefox,opera}.json r,
+  # add other browsers here
+}

profiles/apparmor.d/abstractions/ssl_certs

@@ -15,8 +15,9 @@
   /etc/{,libre}ssl/ r,
   /etc/{,libre}ssl/cert.pem r,
   /etc/{,libre}ssl/certs/{,**} r,
-  /etc/pki/trust/{,*} r,
-  /etc/pki/trust/anchors/{,**} r,
+  /{etc,usr/share}/pki/bl[ao]cklist/{,*} r,
+  /{etc,usr/share}/pki/trust/{,*} r,
+  /{etc,usr/share}/pki/trust/{bl[oa]cklist,anchors}/{,**} r,
   /usr/share/ca-certificates/{,**} r,
   /usr/share/ssl/certs/ca-bundle.crt          r,
   /usr/local/share/ca-certificates/{,**} r,

profiles/apparmor.d/abstractions/ubuntu-helpers

@@ -79,6 +79,7 @@ profile sanitized_helper {
   /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome-sandbox PUxr,
   /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Pixr,
   /opt/brave.com/brave{,-beta,-dev,-nightly}/brave Pixr,
+  /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome_crashpad_handler Pixr,
   /opt/brave.com/brave{,-beta,-dev,-nightly}/{,**/}lib*.so{,.*} m,
 
   # Full access

profiles/apparmor.d/lsb_release

@@ -30,6 +30,8 @@ profile lsb_release {
   /{usr/,}bin/dash ixr,
   /usr/bin/basename ixr,
   /usr/bin/dpkg-query ixr,
+  /usr/bin/cat ixr,
+  /usr/bin/cut ixr,
   /usr/bin/getopt ixr,
   /usr/bin/sed ixr,
   /usr/bin/tr ixr,

profiles/apparmor.d/nvidia_modprobe

@@ -54,10 +54,10 @@ profile nvidia_modprobe {
     # System files
 
     /etc/modprobe.d/{,*.conf} r,
-    /etc/nvidia/current/*.conf r,
+    /etc/nvidia/{current,legacy*,tesla*}/*.conf r,
     @{sys}/module/ipmi_devintf/initstate r,
     @{sys}/module/ipmi_msghandler/initstate r,
-    @{sys}/module/nvidia/initstate r,
+    @{sys}/module/{drm,nvidia}/initstate r,
     @{PROC}/cmdline r,
   }
 

profiles/apparmor.d/php-fpm

@@ -16,8 +16,6 @@ profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) {
   # read the system certificates
   include <abstractions/ssl_certs>
 
-  /etc/php{,5,7}/** r,
-
   capability net_admin,
   # change user/group of a pool
   capability setuid,
@@ -37,6 +35,7 @@ profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) {
 
   # we need to be able to create all sockets
   @{run}/php{,-fpm}/php*-fpm.pid rw,
+  @{run}/php*-fpm.pid rw,
   @{run}/php{,-fpm}/php*-fpm.sock rwlk,
 
   # to reload

profiles/apparmor.d/samba-bgqd

@@ -2,18 +2,22 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-profile samba-bgqd /usr/lib*/samba/samba-bgqd {
+profile samba-bgqd /usr/lib*/samba/{,samba/}samba-bgqd {
   include <abstractions/base>
   include <abstractions/cups-client>
   include <abstractions/nameservice>
+  include <abstractions/openssl>
   include <abstractions/samba>
 
   signal receive set=term peer=smbd,
 
   @{PROC}/sys/kernel/core_pattern r,
-  @{run}/samba/samba-bgqd.pid wk,
+  owner @{PROC}/@{pid}/fd/ r,
 
-  /usr/lib*/samba/samba-bgqd m,
+  @{run}/{,samba/}samba-bgqd.pid rwk,
+
+  /usr/lib*/samba/{,samba/}samba-bgqd mr,
+  /var/cache/samba/printing/*.tdb rwk,
 
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/samba-bgqd>

profiles/apparmor.d/samba-dcerpcd

@@ -0,0 +1,32 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2022 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {
+  include <abstractions/samba-rpcd>
+
+  @{run}/{,samba/}samba-dcerpcd.pid rwk,
+
+  /usr/lib*/samba/{,samba/}samba-dcerpcd mr,
+
+  /usr/lib*/samba/ r,
+  /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} Px -> samba-rpcd,
+  /usr/lib*/samba/{,samba/}rpcd_classic Px -> samba-rpcd-classic,
+  /usr/lib*/samba/{,samba/}rpcd_spoolss Px -> samba-rpcd-spoolss,
+
+  @{run}/samba/ncalrpc/ rw,
+  @{run}/samba/ncalrpc/** rw,
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/samba-dcerpcd>
+}

profiles/apparmor.d/samba-rpcd

@@ -0,0 +1,24 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2022 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-rpcd /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} {
+  include <abstractions/samba-rpcd>
+  /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} mr,
+
+  @{run}/samba/ncalrpc/np/winreg wr,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/samba-rpcd>
+}

profiles/apparmor.d/samba-rpcd-classic

@@ -0,0 +1,24 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2022 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-rpcd-classic /usr/lib*/samba/{,samba/}rpcd_classic {
+  include <abstractions/samba-rpcd>
+  include <abstractions/wutmp>
+
+  /usr/lib*/samba/{,samba/}rpcd_classic mr,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/samba-rpcd-classic>
+}

profiles/apparmor.d/samba-rpcd-spoolss

@@ -0,0 +1,32 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2022 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-rpcd-spoolss /usr/lib*/samba/{,samba/}rpcd_spoolss {
+  include <abstractions/samba-rpcd>
+
+  /usr/lib*/samba/{,samba/}rpcd_spoolss mr,
+  /usr/lib*/samba/{,samba/}samba-bgqd Px -> samba-bgqd,
+  /var/cache/samba/printing/ w,
+  /var/cache/samba/printing/*.tdb rwk,
+  @{run}/{,samba/}samba-bgqd.pid rk,
+
+  /dev/urandom rw,
+
+  @{run}/samba/ncalrpc/ rw,
+  @{run}/samba/ncalrpc/** rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/samba-rpcd-spoolss>
+}

profiles/apparmor.d/sbin.syslog-ng

@@ -61,6 +61,7 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
   /{var,var/run,run}/log/journal/ r,
   /{var,var/run,run}/log/journal/*/ r,
   /{var,var/run,run}/log/journal/*/*.journal r,
+  /{var,var/run,run}/log/journal/*.journal r,
   @{run}/syslog-ng.ctl a,
   @{run}/syslog-ng/additional-log-sockets.conf r,
 

profiles/apparmor.d/sbin.syslogd

@@ -30,12 +30,16 @@ profile syslogd /{usr/,}{bin,sbin}/syslogd {
 
   /dev/log                      wl,
   /var/lib/*/dev/log            wl,
+  /proc/kmsg                    r,
 
   /dev/tty*                     w,
   /dev/xconsole                 rw,
   /etc/syslog.conf              r,
+  /etc/syslog.d/                r,
+  /etc/syslog.d/*               r,
   /{usr/,}{bin,sbin}/syslogd    rmix,
   /var/log/**                   rw,
+  @{run}/syslog.pid           krwl,
   @{run}/syslogd.pid          krwl,
   @{run}/utmp                 rw,
   /var/spool/compaq/nic/messages_fifo rw,

profiles/apparmor.d/usr.lib.dovecot.imap

@@ -36,6 +36,7 @@ profile dovecot-imap /usr/lib/dovecot/imap {
 
   owner /tmp/dovecot.imap.* rw,
   @{PROC}/@{pid}/attr/{apparmor/,}current rw,
+  @{PROC}/@{pid}/stat r,
   /usr/bin/doveconf rix,
   /usr/lib/dovecot/imap mrix,
   /usr/share/dovecot/** r,

profiles/apparmor.d/usr.lib.dovecot.lmtp

@@ -31,6 +31,8 @@ profile dovecot-lmtp /usr/lib/dovecot/lmtp {
 
   @{HOME}/.dovecot.svbin r,
   @{PROC}/@{pid}/attr/{apparmor/,}current rw,
+  owner @{PROC}/@{pid}/io r,
+  owner @{PROC}/@{pid}/stat r,
   @{PROC}/*/mounts r,
   /tmp/dovecot.lmtp.* rw,
   /usr/lib/dovecot/lmtp mr,

profiles/apparmor.d/usr.lib.dovecot.pop3

@@ -26,6 +26,7 @@ profile dovecot-pop3 /usr/lib/dovecot/pop3 {
   @{DOVECOT_MAILSTORE}/** rwkl,
 
   @{HOME} r, # ???
+  @{PROC}/@{pid}/stat r,
   /usr/lib/dovecot/pop3 mr,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/usr.sbin.avahi-daemon

@@ -1,7 +1,7 @@
 abi <abi/3.0>,
 
 include <tunables/global>
-profile avahi-daemon /usr/{bin,sbin}/avahi-daemon {
+profile avahi-daemon /usr/{bin,sbin}/avahi-daemon flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/dbus>

profiles/apparmor.d/usr.sbin.dnsmasq

@@ -111,19 +111,26 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
   @{run}/containers/cni/dnsname/*/dnsmasq.conf r,
   @{run}/containers/cni/dnsname/*/addnhosts r,
   @{run}/containers/cni/dnsname/*/pidfile rw,
+  owner @{run}/user/*/containers/cni/dnsname/*/dnsmasq.conf r,
+  owner @{run}/user/*/containers/cni/dnsname/*/addnhosts r,
+  owner @{run}/user/*/containers/cni/dnsname/*/pidfile rw,
+
+  # waydroid lxc-net pid file
+  @{run}/waydroid-lxc/dnsmasq.pid rw,
 
   profile libvirt_leaseshelper {
     include <abstractions/base>
 
     /etc/libnl-3/classid r,
 
-    /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
-    /usr/libexec/libvirt_leaseshelper m,
+    /usr/lib{,64}/libvirt/libvirt_leaseshelper mr,
+    /usr/libexec/libvirt_leaseshelper mr,
 
     owner @{PROC}/@{pid}/net/psched r,
     owner @{PROC}/@{pid}/status r,
 
     @{sys}/devices/system/cpu/ r,
+    @{sys}/devices/system/cpu/possible r,
     @{sys}/devices/system/node/ r,
     @{sys}/devices/system/node/*/meminfo r,
 

profiles/apparmor.d/usr.sbin.dovecot

@@ -33,8 +33,8 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
   capability sys_chroot,
   capability sys_resource,
 
-  signal send set=(int,quit,term,kill) peer=/usr/lib/dovecot/*,
-  signal send set=(int,quit,term,kill) peer=dovecot-*,
+  signal send peer=/usr/lib/dovecot/*,
+  signal send peer=dovecot-*,
 
   unix (receive, send) type=stream peer=(label=/usr/lib/dovecot/anvil),
   unix (receive, send) type=stream peer=(label=dovecot-anvil),

profiles/apparmor.d/usr.sbin.nscd

@@ -41,6 +41,10 @@ profile nscd /usr/{bin,sbin}/nscd {
   @{PROC}/@{pid}/fd/* r,
   @{PROC}/@{pid}/mounts r,
 
+  # systemd-userdb
+  /{etc,run,run/host,/usr/lib}/userdb/ r,
+  /{etc,run,run/host,/usr/lib}/userdb/*.{user,user-privileged,group,group-privileged} r,
+
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/usr.sbin.nscd>
 }

profiles/apparmor.d/usr.sbin.smbd

@@ -8,6 +8,7 @@ profile smbd /usr/{bin,sbin}/smbd {
   include <abstractions/consoles>
   include <abstractions/cups-client>
   include <abstractions/nameservice>
+  include <abstractions/openssl>
   include <abstractions/samba>
   include <abstractions/user-tmp>
   include <abstractions/wutmp>
@@ -37,28 +38,35 @@ profile smbd /usr/{bin,sbin}/smbd {
   /usr/lib*/samba/charset/*.so mr,
   /usr/lib*/samba/gensec/*.so mr,
   /usr/lib*/samba/pdb/*.so mr,
-  /usr/lib*/samba/samba-bgqd Px -> samba-bgqd,
+  /usr/lib*/samba/{,samba/}samba-bgqd Px -> samba-bgqd,
+  /usr/lib*/samba/{,samba/}samba-dcerpcd Px -> samba-dcerpcd,
   /usr/lib*/samba/{lowcase,upcase,valid}.dat r,
   /usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
   /usr/lib/@{multiarch}/samba/**/ r,
   /usr/lib/@{multiarch}/samba/**/*.so{,.[0-9]*} mr,
+  /usr/share/samba/** r,
   /usr/{bin,sbin}/smbd mr,
   /usr/{bin,sbin}/smbldap-useradd Px,
   /var/cache/samba/** rwk,
   /var/{cache,lib}/samba/printing/printers.tdb mrw,
+  /var/lib/nscd/netgroup r,
   /var/lib/samba/** rwk,
   /var/lib/sss/pubconf/kdcinfo.* r,
   @{run}/dbus/system_bus_socket rw,
-  @{run}/smbd.pid rwk,
+  @{run}/{,samba/}smbd.pid rwk,
   @{run}/samba/** rk,
   @{run}/samba/ncalrpc/ rw,
   @{run}/samba/ncalrpc/** rw,
-  @{run}/samba/smbd.pid rw,
   /var/spool/samba/** rw,
 
   @{HOMEDIRS}/** lrwk,
   /var/lib/samba/usershares/{,**} lrwk,
 
+  # Permissions for all configured shares (file autogenerated by
+  # update-apparmor-samba-profile on service startup on Debian and openSUSE)
+  include if exists <samba/smbd-shares>
+  include if exists <local/usr.sbin.smbd-shares>
+
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/usr.sbin.smbd>
 }

profiles/apparmor.d/usr.sbin.winbindd

@@ -26,6 +26,7 @@ profile winbindd /usr/{bin,sbin}/winbindd {
   /usr/lib*/samba/idmap/*.so mr,
   /usr/lib*/samba/nss_info/*.so mr,
   /usr/lib*/samba/pdb/*.so mr,
+  /usr/lib*/samba/{,samba/}samba-dcerpcd Px -> samba-dcerpcd,
   /usr/{bin,sbin}/winbindd mr,
   /var/cache/krb5rcache/* rwk,
   /var/cache/samba/*.tdb rwk,

profiles/apparmor/profiles/extras/postfix-tlsmgr

@@ -17,6 +17,7 @@ include <tunables/global>
 profile postfix-tlsmgr /usr/lib/postfix/{bin/,sbin/,}tlsmgr {
   include <abstractions/base>
   include <abstractions/nameservice>
+  include <abstractions/openssl>
   include <abstractions/postfix-common>
 
   /usr/lib/postfix/{bin/,sbin/,}tlsmgr mrix,

profiles/apparmor/profiles/extras/sbin.rpc.statd

@@ -14,6 +14,7 @@ include <tunables/global>
 
 profile rpc.statd /{usr/,}sbin/rpc.statd {
   include <abstractions/base>
+  include <abstractions/hosts_access>
   include <abstractions/nameservice>
 
   # needed to sanely drop privileges
@@ -32,6 +33,9 @@ profile rpc.statd /{usr/,}sbin/rpc.statd {
   @{PROC}/sys/fs/nfs/nsm_local_state w,
 
   /etc/netconfig                   r,
+  /etc/nfs.conf                    rk,
+  /etc/nfs.conf.d/                 r,
+  /etc/nfs.conf.d/*                rk,
   /etc/rpc                         r,
   /{usr/,}sbin/rpc.statd           mrix,
   /{usr/,}sbin/sm-notify           mrix,
@@ -46,7 +50,7 @@ profile rpc.statd /{usr/,}sbin/rpc.statd {
   /var/lib/nfs/statd/sm.bak/*      rwl,
   /var/lib/nfs/state               rwk,
   /var/lib/nfs/state.new           rwl,
-  /{,var/}run/rpc.statd.pid        w,
-  /{,var/}run/rpcbind.sock         rw,
-  /{,var/}run/sm-notify.pid        w,
+  @{run}/rpc.statd.pid             w,
+  @{run}/rpcbind.sock              rw,
+  @{run}/sm-notify.pid             w,
 }

tests/regression/apparmor/Makefile

@@ -67,8 +67,8 @@ system aa-exec by adding USE_SYSTEM=1 to your make command.${nl}\
   LDLIBS += -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread
 endif # USE_SYSTEM
 
-+SYSCTL_INCLUDE="\#include <sys/sysctl.h>"
-+USE_SYSCTL:=$(shell echo $(SYSCTL_INCLUDE) | cpp -dM >/dev/null 2>/dev/null && echo true)
+SYSCTL_INCLUDE="\#include <sys/sysctl.h>"
+USE_SYSCTL:=$(shell echo $(SYSCTL_INCLUDE) | cpp -dM >/dev/null 2>/dev/null && echo true)
 
 CFLAGS += -g -O0 $(EXTRA_WARNINGS)
 

utils/aa-notify.desktop

@@ -0,0 +1,9 @@
+[Desktop Entry]
+Type=Application
+Name=AppArmor Notify
+Comment=Receive on screen notifications of AppArmor denials
+TryExec=/usr/bin/aa-notify
+Exec=/usr/bin/aa-notify -p -s 1 -w 60
+StartupNotify=false
+NoDisplay=true
+X-Ubuntu-Gettext-Domain=aa-notify

utils/aa-remove-unknown

@@ -78,7 +78,14 @@ fi
 # parent. We *do* need to remove the child profile and not rely
 # on removing the parent profile when the profile has had its
 # child profile names changed.
-profiles_names_list | awk '
+
+LOADED_PROFILES=$("$PARSER" -N $PROFILE_DIRS) || {
+	ret=$?
+	echo 'apparmor_parser exited with failure, aborting.' >&2
+	exit $ret
+}
+
+echo "$LOADED_PROFILES" | awk '
 BEGIN {
   while (getline < "'${PROFILES}'" ) {
     str = sub(/ \((enforce|complain)\)$/, "", $0);

utils/apparmor/aa.py

@@ -1642,7 +1642,7 @@ def collapse_log(hashlog, ignore_null_profiles=True):
                                             elif access == 'eavesdrop':
                                                 dbus_event = DbusRule(access, bus, DbusRule.ALL,    DbusRule.ALL,   DbusRule.ALL, DbusRule.ALL, DbusRule.ALL,   DbusRule.ALL, log_event=True)
                                             else:
-                                                raise AppArmorBug('unexpected dbus access: %s')
+                                                raise AppArmorBug('unexpected dbus access: {}'.format(access))
 
                                             if not hat_exists or not is_known_rule(aa[profile][hat], 'dbus', dbus_event):
                                                 log_dict[aamode][profile][hat]['dbus'].add(dbus_event)

utils/apparmor/common.py

@@ -10,7 +10,6 @@
 # ------------------------------------------------------------------
 
 from __future__ import print_function
-import codecs
 import collections
 import glob
 import logging
@@ -207,7 +206,7 @@ def open_file_anymode(mode, path, encoding='UTF-8'):
     if sys.version_info[0] < 3:
         errorhandling = 'replace'
 
-    orig = codecs.open(path, mode, encoding, errors=errorhandling)
+    orig = open(path, mode, encoding=encoding, errors=errorhandling)
 
     return orig
 

utils/apparmor/logparser.py

@@ -104,6 +104,7 @@ class ReadLog:
         ev['family'] = event.net_family
         ev['protocol'] = event.net_protocol
         ev['sock_type'] = event.net_sock_type
+        ev['class'] = event._class
 
         if event.ouid != ctypes.c_ulong(-1).value:  # ULONG_MAX
             ev['fsuid'] = event.fsuid
@@ -250,7 +251,7 @@ class ReadLog:
             self.hashlog[aamode][full_profile]['signal'][e['peer']][e['denied_mask']][e['signal']]= True
             return None
 
-        elif e['operation'].startswith('dbus_'):
+        elif e['operation'] and e['operation'].startswith('dbus_'):
             self.hashlog[aamode][full_profile]['dbus'][e['denied_mask']][e['bus']][e['path']][e['name']][e['interface']][e['member']][e['peer_profile']] = True
             return None
 
@@ -336,7 +337,9 @@ class ReadLog:
     def op_type(self, event):
         """Returns the operation type if known, unkown otherwise"""
 
-        if ( event['operation'].startswith('file_') or event['operation'].startswith('inode_') or event['operation'] in self.OP_TYPE_FILE_OR_NET ):
+        if event['operation'] and (event['operation'].startswith('file_') or
+                                   event['operation'].startswith('inode_') or
+                                   event['operation'] in self.OP_TYPE_FILE_OR_NET):
             # file or network event?
             if event['family'] and event['protocol'] and event['sock_type']:
                 # 'unix' events also use keywords like 'connect', but protocol is 0 and should therefore be filtered out

utils/apparmor/notify.py

@@ -1,4 +1,3 @@
-#! /usr/bin/python3
 # ----------------------------------------------------------------------
 #    Copyright (C) 2018–2019 Otto Kekäläinen <otto@kekalainen.net>
 #    Copyright (C) 2021 Christian Boltz

utils/apparmor/severity.py

@@ -168,9 +168,9 @@ class Severity(object):
             leading = True
         if resource.find(variable + "/") != -1 and resource.find(variable + "//") == -1:
             trailing = True
-        if replacement[0] == '/' and replacement[:2] != '//' and leading:  # finds if the replacement has leading / or not
+        if replacement.startswith('/') and not replacement.startswith('//') and leading:  # finds if the replacement has leading / or not
             replacement = replacement[1:]
-        if replacement[-1] == '/' and replacement[-2:] != '//' and trailing:
+        if replacement.endswith('/') and not replacement.endswith('//') and trailing:
             replacement = replacement[:-1]
         return resource.replace(variable, replacement)
 

utils/test/Makefile

@@ -27,8 +27,7 @@ ifdef USE_SYSTEM
     BASEDIR=
     PARSER=
 else
-    # PYTHON_DIST_BUILD_PATH based on libapparmor/swig/python/test/Makefile.am
-    PYTHON_DIST_BUILD_PATH = ../../libraries/libapparmor/swig/python/build/$$($(PYTHON) -c "import sysconfig; print(\"lib.%s-%s\" %(sysconfig.get_platform(), sysconfig.get_python_version()))")
+    PYTHON_DIST_BUILD_PATH = ../../libraries/libapparmor/swig/python/build/$$($(PYTHON) ../../libraries/libapparmor/swig/python/test/buildpath.py)
     LIBAPPARMOR_PATH=../../libraries/libapparmor/src/.libs/
     LD_LIBRARY_PATH=$(LIBAPPARMOR_PATH):$(PYTHON_DIST_BUILD_PATH)
     PYTHONPATH=..:$(PYTHON_DIST_BUILD_PATH)