Prepare for AppArmor 3.0.9 release

- update version file
- update library version

Signed-off-by: John Johansen <john.johansen@canonical.com>

binutils/aa_status.c

@@ -534,16 +534,19 @@ static int detailed_output(FILE *json) {
 				} else {
 					fprintf(json, "%s\"%s\": [{\"profile\": \"%s\", \"pid\": \"%s\", \"status\": \"%s\"}",
 					       // first element will be a unique executable
-					       i == 0 && j == 0 ? "" : "], ",
+					       j == 0 ? "" : "], ",
 					       filtered[j].exe, filtered[j].profile, filtered[j].pid, filtered[j].mode);
 				}
 
 			}
+			if (j > 0) {
+				fprintf(json, "]");
+			}
 		}
 		free_processes(filtered, nfiltered);
 	}
 	if (json) {
-		fprintf(json, "%s}}\n", nprocesses > 0 ? "]" : "");
+		fprintf(json, "}}\n");
 	}
 
 exit:

common/Version

@@ -1 +1 @@
-3.0.5
+3.0.9

libraries/libapparmor/include/aalogparse.h

@@ -159,6 +159,8 @@ typedef struct
 	char *fs_type;
 	char *flags;
 	char *src_name;
+
+	char *class;
 } aa_log_record;
 
 /**

libraries/libapparmor/src/Makefile.am

@@ -27,8 +27,9 @@ INCLUDES = $(all_includes)
 # http://www.gnu.org/software/libtool/manual/html_node/Libtool-versioning.html
 #
 AA_LIB_CURRENT = 9
-AA_LIB_REVISION = 3
+AA_LIB_REVISION = 5
 AA_LIB_AGE = 8
+EXPECTED_SO_NAME = libapparmor.so.1.8.5
 
 SUFFIXES = .pc.in .pc
 
@@ -77,4 +78,8 @@ tst_kernel_LDFLAGS = -pthread
 check_PROGRAMS = tst_aalogmisc tst_features tst_kernel
 TESTS = $(check_PROGRAMS)
 
+.PHONY: check-local
+check-local:
+	test -f ./.libs/$(EXPECTED_SO_NAME) || { echo '*** unexpected .so name/number for libapparmor (expected $(EXPECTED_SO_NAME), the actual filename is shown below) ***' ; ls -l ./.libs/libapparmor.so.*.* ; exit 1; }
+
 EXTRA_DIST = grammar.y scanner.l libapparmor.map libapparmor.pc

libraries/libapparmor/src/grammar.y

@@ -159,7 +159,9 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_NAMESPACE
 %token TOK_KEY_ERROR
 %token TOK_KEY_FSUID
+%token TOK_KEY_FSUID_UPPER
 %token TOK_KEY_OUID
+%token TOK_KEY_OUID_UPPER
 %token TOK_KEY_UID
 %token TOK_KEY_AUID
 %token TOK_KEY_SAUID
@@ -185,6 +187,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_FSTYPE
 %token TOK_KEY_FLAGS
 %token TOK_KEY_SRCNAME
+%token TOK_KEY_CLASS
 
 %token TOK_SOCKLOGD_KERNEL
 %token TOK_SYSLOG_KERNEL
@@ -351,6 +354,10 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->fsuid = $3;}
 	| TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
 	{ ret_record->ouid = $3;}
+	| TOK_KEY_FSUID_UPPER TOK_EQUALS TOK_QUOTED_STRING
+	{ free($3);} /* Ignore - fsuid username */
+	| TOK_KEY_OUID_UPPER TOK_EQUALS TOK_QUOTED_STRING
+	{ free($3);} /* Ignore - ouid username */
 	| TOK_KEY_SAUID TOK_EQUALS TOK_DIGITS
 	{ /* Ignore - Source audit ID from user AVC messages */ }
 	| TOK_KEY_HOSTNAME TOK_EQUALS safe_string
@@ -425,6 +432,8 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 		ret_record->event = AA_RECORD_INVALID;
 		ret_record->info = $1;
 	}
+	| TOK_KEY_CLASS TOK_EQUALS TOK_QUOTED_STRING
+	{ ret_record->class = $3; }
 	;
 
 apparmor_event:

libraries/libapparmor/src/libaalogparse.c

@@ -103,6 +103,8 @@ void free_record(aa_log_record *record)
 			free(record->flags);
 		if (record->src_name != NULL)
 			free(record->src_name);
+		if (record->class != NULL)
+			free(record->class);
 
 		free(record);
 	}

libraries/libapparmor/src/scanner.l

@@ -72,7 +72,7 @@ void string_buf_append(unsigned int length, char *text)
 
 %}
 
-ws		[ \t\r\n]
+ws		[ \t\r\n\x1d]
 
 equals		"="
 digit		[[:digit:]]
@@ -121,6 +121,8 @@ key_namespace		"namespace"
 key_mask		"mask"
 key_denied_mask		"denied_mask"
 key_requested_mask	"requested_mask"
+key_denied		"denied"
+key_requested		"requested"
 key_attribute		"attribute"
 key_task		"task"
 key_parent		"parent"
@@ -138,7 +140,9 @@ key_sock_type		"sock_type"
 key_protocol		"protocol"
 key_error		"error"
 key_fsuid		"fsuid"
+key_fsuid_upper		"FSUID"
 key_ouid		"ouid"
+key_ouid_upper		"OUID"
 key_uid			"uid"
 key_auid		"auid"
 key_sauid		"sauid"
@@ -161,11 +165,13 @@ key_dest		"dest"
 key_path		"path"
 key_interface		"interface"
 key_member		"member"
+key_method		"method"
 key_signal		"signal"
 key_peer		"peer"
 key_fstype		"fstype"
 key_flags		"flags"
 key_srcname		"srcname"
+key_class		"class"
 audit			"audit"
 
 /* network addrs */
@@ -307,6 +313,8 @@ yy_flex_debug = 0;
 {key_mask}		{ return(TOK_KEY_MASK); }
 {key_denied_mask}	{ return(TOK_KEY_DENIED_MASK); }
 {key_requested_mask}	{ return(TOK_KEY_REQUESTED_MASK); }
+{key_denied}		{ return(TOK_KEY_DENIED_MASK); }
+{key_requested}		{ return(TOK_KEY_REQUESTED_MASK); }
 {key_attribute}		{ BEGIN(sub_id); return(TOK_KEY_ATTRIBUTE); }
 {key_task}		{ return(TOK_KEY_TASK); }
 {key_parent}		{ return(TOK_KEY_PARENT); }
@@ -324,7 +332,9 @@ yy_flex_debug = 0;
 {key_protocol}		{ return(TOK_KEY_PROTOCOL); }
 {key_error}		{ return(TOK_KEY_ERROR); }
 {key_fsuid}		{ return(TOK_KEY_FSUID); }
+{key_fsuid_upper}	{ return(TOK_KEY_FSUID_UPPER); }
 {key_ouid}		{ return(TOK_KEY_OUID); }
+{key_ouid_upper}	{ return(TOK_KEY_OUID_UPPER); }
 {key_uid}		{ return(TOK_KEY_UID); }
 {key_auid}		{ return(TOK_KEY_AUID); }
 {key_sauid}		{ return(TOK_KEY_SAUID); }
@@ -346,11 +356,13 @@ yy_flex_debug = 0;
 {key_path}		{ return(TOK_KEY_PATH); }
 {key_interface}		{ return(TOK_KEY_INTERFACE); }
 {key_member}		{ return(TOK_KEY_MEMBER); }
+{key_method}		{ return(TOK_KEY_MEMBER); }
 {key_signal}		{ BEGIN(sub_id); return(TOK_KEY_SIGNAL); }
 {key_peer}		{ BEGIN(safe_string); return(TOK_KEY_PEER); }
 {key_fstype}		{ return(TOK_KEY_FSTYPE); }
 {key_flags}		{ BEGIN(safe_string); return(TOK_KEY_FLAGS); }
 {key_srcname}		{ BEGIN(safe_string); return(TOK_KEY_SRCNAME); }
+{key_class}		{ BEGIN(safe_string); return(TOK_KEY_CLASS); }
 
 {socklogd_kernel}	{ BEGIN(dmesg_timestamp); return(TOK_SOCKLOGD_KERNEL); }
 {syslog_kernel}		{ BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }

libraries/libapparmor/swig/python/test/buildpath.py

@@ -1,9 +1,12 @@
 #!/usr/bin/python3
-# the build path has changed in setuptools 61.2
+# the build path has changed in setuptools 62.1:
+# https://github.com/pypa/setuptools/commit/1c23f5e1e4b18b50081cbabb2dea22bf345f5894
 import sys
 import sysconfig
 import setuptools
-if tuple(map(int,setuptools.__version__.split("."))) >= (61, 2):
+
+
+if tuple(map(int, setuptools.__version__.split("."))) >= (62, 1):
     identifier = sys.implementation.cache_tag
 else:
     identifier = "%d.%d" % sys.version_info[:2]

libraries/libapparmor/swig/python/test/test_python.py.in

@@ -34,6 +34,7 @@ OUTPUT_MAP = {
     'Local port':       'net_local_port',
     'Foreign port':     'net_foreign_port',
     'Audit subid':      'audit_sub_id',
+    'Class':            '_class',
 }
 
 # FIXME: pull this automatically out of LibAppArmor, but swig
@@ -108,7 +109,7 @@ class AAPythonBindingsTests(unittest.TestCase):
         '''parse the swig created record and construct a dict from it'''
 
         new_record = dict()
-        for key in [x for x in dir(record) if not (x.startswith('_') or x == 'this')]:
+        for key in [x for x in dir(record) if not (x.startswith('__') or x == 'this')]:
             value = getattr(record, key)
             if key == "event" and value in EVENT_MAP:
                 new_record[key] = EVENT_MAP[value]

libraries/libapparmor/testsuite/test_multi.c

@@ -134,6 +134,8 @@ int print_results(aa_log_record *record)
 		print_string("Flags", record->flags);
 		print_string("Src name", record->src_name);
 
+		print_string("Class", record->class);
+
 		print_long("Epoch", record->epoch, 0);
 		print_long("Audit subid", (long) record->audit_sub_id, 0);
 	return(0);

libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1661734785.992:270): apparmor="ALLOWED" operation="open" profile="/usr/bin/dolphin" name="/home/otis/.config/kdedefaults/kdeglobals" pid=3483 comm="dolphin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0FSUID="otis" OUID="root"

libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.out

@@ -0,0 +1,15 @@
+START
+File: 0x1d-uppercase-FSUID-OUID.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1661734785.992:270
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /usr/bin/dolphin
+Name: /home/otis/.config/kdedefaults/kdeglobals
+Command: dolphin
+PID: 3483
+Epoch: 1661734785
+Audit subid: 270

libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.profile

@@ -0,0 +1,4 @@
+/usr/bin/dolphin {
+  /home/otis/.config/kdedefaults/kdeglobals r,
+
+}

libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.in

@@ -0,0 +1 @@
+Dec 15 17:32:17 kinetic kernel: [4835959.046111] audit: type=1107 audit(1671125537.724:209): pid=7308 uid=0 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" method="Hello" mask="send" label="/tmp/apparmor/tests/regression/apparmor/dbus_message" peer_label="unconfined" exe="/usr/local/bin/dbus-broker" sauid=0 hostname=? addr=? terminal=?'

libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.out

@@ -0,0 +1,15 @@
+START
+File: testcase_dbus_11.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1671125537.724:209
+Operation: dbus_method_call
+Denied Mask: send
+Profile: /tmp/apparmor/tests/regression/apparmor/dbus_message
+Peer profile: unconfined
+Command: /usr/local/bin/dbus-broker
+DBus bus: session
+DBus path: /org/freedesktop/DBus
+DBus interface: org.freedesktop.DBus
+DBus member: Hello
+Epoch: 1671125537
+Audit subid: 209

libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.profile

@@ -0,0 +1,4 @@
+/tmp/apparmor/tests/regression/apparmor/dbus_message {
+  dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(label=unconfined),
+
+}

parser/Makefile

@@ -60,7 +60,7 @@ WARNINGS = -Wall
 CXX_WARNINGS = ${WARNINGS} ${EXTRA_WARNINGS}
 CPP_WARNINGS =
 ifndef CFLAGS
-CFLAGS	= -g -O2 -pipe -flto-partition=none
+CFLAGS	= -g -O2 -pipe
 
 ifdef DEBUG
 CFLAGS += -pg -D DEBUG
@@ -70,6 +70,8 @@ CFLAGS = -g -pg -fprofile-arcs -ftest-coverage
 endif
 endif #CFLAGS
 
+CFLAGS	+= -flto-partition=none
+
 EXTRA_CXXFLAGS = ${CFLAGS} ${CPPFLAGS} ${CXX_WARNINGS} -std=gnu++0x
 EXTRA_CFLAGS = ${EXTRA_CXXFLAGS} ${CPP_WARNINGS}
 
@@ -384,11 +386,11 @@ DISTRO=$(shell if [ -f /etc/slackware-version ] ; then \
 	       elif [ -f /etc/debian_version ] ; then \
 	         echo debian ;\
 	       elif which rpm > /dev/null ; then \
-	         if [ "$(rpm --eval '0%{?suse_version}')" != "0" ] ; then \
+	         if [ "$$(rpm --eval '0%{?suse_version}')" != "0" ] ; then \
 	             echo suse ;\
-	         elif [ "$(rpm --eval '%{_host_vendor}')" = redhat ] ; then \
+	         elif [ "$$(rpm --eval '%{_host_vendor}')" = redhat ] ; then \
 	            echo rhel4 ;\
-	         elif [ "$(rpm --eval '0%{?fedora}')" != "0" ] ; then \
+	         elif [ "$$(rpm --eval '0%{?fedora}')" != "0" ] ; then \
 	            echo rhel4 ;\
 	         else \
 	            echo unknown ;\

parser/af_unix.cc

@@ -111,8 +111,7 @@ unix_rule::unix_rule(unsigned int type_p, bool audit_p, bool denied):
 
 unix_rule::unix_rule(int mode_p, struct cond_entry *conds,
 		     struct cond_entry *peer_conds):
-	af_rule("unix"), addr(NULL), peer_addr(NULL),
-	audit(0), deny(0)
+	af_rule("unix"), addr(NULL), peer_addr(NULL)
 {
 	move_conditionals(conds);
 	move_peer_conditionals(peer_conds);
@@ -136,7 +135,7 @@ ostream &unix_rule::dump_local(ostream &os)
 {
 	af_rule::dump_local(os);
 	if (addr)
-		os << "addr='" << addr << "'";
+		os << " addr='" << addr << "'";
 	return os;
 }
 
@@ -144,7 +143,7 @@ ostream &unix_rule::dump_peer(ostream &os)
 {
 	af_rule::dump_peer(os);
 	if (peer_addr)
-		os << "addr='" << peer_addr << "'";
+		os << " addr='" << peer_addr << "'";
 	return os;
 }
 

parser/af_unix.h

@@ -36,9 +36,6 @@ class unix_rule: public af_rule {
 public:
 	char *addr;
 	char *peer_addr;
-	int mode;
-	int audit;
-	bool deny;
 
 	unix_rule(unsigned int type_p, bool audit_p, bool denied);
 	unix_rule(int mode, struct cond_entry *conds,

parser/libapparmor_re/chfa.cc

@@ -193,9 +193,8 @@ void CHFA::insert_state(vector<pair<size_t, size_t> > &free_list,
 	State *default_state = dfa.nonmatching;
 	ssize_t base = 0;
 	int resize;
-
 	StateTrans &trans = from->trans;
-	ssize_t c = trans.begin()->first.c;
+	ssize_t c;
 	ssize_t prev = 0;
 	ssize_t x = first_free;
 
@@ -204,6 +203,7 @@ void CHFA::insert_state(vector<pair<size_t, size_t> > &free_list,
 	if (trans.empty())
 		goto do_insert;
 
+	c = trans.begin()->first.c;
 repeat:
 	resize = 0;
 	/* get the first free entry that won't underflow */
@@ -251,10 +251,18 @@ repeat:
 			first_free = next;
 	}
 
-do_insert:
+	/* these flags will only be set on states that have transitions */
 	if (c < 0) {
 		base |= MATCH_FLAG_OOB_TRANSITION;
 	}
+do_insert:
+	/* While a state without transitions could have the diff encode
+	 * flag set, it would be pointless resulting in just an extra
+	 * state transition in the encoding chain, and so it should be
+	 * considered an error
+	 * TODO: add check that state without transitions isn't being
+	 * given a diffencode flag
+	 */
 	if (from->flags & DiffEncodeFlag)
 		base |= DiffEncodeBit32;
 	default_base.push_back(make_pair(default_state, base));

parser/tst/dirtest.sh

@@ -31,8 +31,9 @@ do_tst() {
 	shift 2
 	#global tmpdir
 
-	${APPARMOR_PARSER} "$@" > "$tmpdir/out" 2>/dev/null
+	${APPARMOR_PARSER} "$@" > "$tmpdir/out.unsorted" 2>/dev/null
 	rc=$?
+	LC_ALL=C sort "$tmpdir/out.unsorted" > "$tmpdir/out"
 	if [ $rc -ne 0 ] && [ "$expected" != "fail" ] ; then
 		echo "failed: expected \"$expected\" but parser returned error"
 		return 1

parser/tst/dirtest/dirtest.out

@@ -1,3 +1,3 @@
-good_target
 a_profile
 b_profile
+good_target

profiles/Makefile

@@ -41,7 +41,7 @@ ifdef USE_SYSTEM
     LOGPROF?=aa-logprof
 else
     # PYTHON_DIST_BUILD_PATH based on libapparmor/swig/python/test/Makefile.am
-    PYTHON_DIST_BUILD_PATH = ../libraries/libapparmor/swig/python/build/$$($(PYTHON) -c "import sysconfig; print(\"lib.%s-%s\" %(sysconfig.get_platform(), sysconfig.get_python_version()))")
+    PYTHON_DIST_BUILD_PATH = ../libraries/libapparmor/swig/python/build/$$($(PYTHON) ../libraries/libapparmor/swig/python/test/buildpath.py)
     LIBAPPARMOR_PATH=../libraries/libapparmor/src/.libs/
     LD_LIBRARY_PATH=$(LIBAPPARMOR_PATH):$(PYTHON_DIST_BUILD_PATH)
     PYTHONPATH=../utils/:$(PYTHON_DIST_BUILD_PATH)

profiles/apparmor.d/abstractions/audio

@@ -85,5 +85,8 @@ owner @{HOME}/.local/share/openal/hrtf/{,**} r,
 # wildmidi
 /etc/wildmidi/wildmidi.cfg r,
 
+# pipewire
+/usr/share/pipewire/client.conf r,
+
   # Include additions to the abstraction
   include if exists <abstractions/audio.d>

profiles/apparmor.d/abstractions/base

@@ -101,6 +101,7 @@
   @{PROC}/cpuinfo                r,
   @{sys}/devices/system/cpu/       r,
   @{sys}/devices/system/cpu/online r,
+  @{sys}/devices/system/cpu/possible r,
 
   # glibc's *printf protections read the maps file
   @{PROC}/@{pid}/{maps,auxv,status} r,

profiles/apparmor.d/abstractions/crypto

@@ -13,6 +13,7 @@
 
   abi <abi/3.0>,
 
+  @{etc_ro}/gcrypt/hwf.deny r,
   @{etc_ro}/gcrypt/random.conf r,
   @{PROC}/sys/crypto/fips_enabled r,
 

profiles/apparmor.d/abstractions/exo-open

@@ -51,13 +51,6 @@
 
   /{,usr/}bin/which rix,
 
-  # Deny DBus
-
-  # for GTK error message dialog, not required exo-open to work.
-  deny dbus send
-    bus=session
-    path=/org/gtk/vfs/mounttracker,
-
   # System files
 
   /etc/xdg/{,xdg-*/}xfce4/helpers.rc r,

profiles/apparmor.d/abstractions/groff

@@ -0,0 +1,67 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2009 Novell/SUSE
+#    Copyright (C) 2009 Canonical Ltd.
+#    Copyright (C) 2023 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  # Note: executing groff and nroff themself is not included in this abstraction
+  # so that you can choose to ix, Px or Cx them in your profile
+
+  # groff/nroff helpers, preprocessors, and postprocessors
+  /usr/bin/addftinfo mrix,
+  /usr/bin/afmtodit mrix,
+  /usr/bin/chem mrix,
+  /usr/bin/eqn mrix,
+  /usr/bin/eqn2graph mrix,
+  /usr/bin/gdiffmk mrix,
+  /usr/bin/geqn mrix,
+  /usr/bin/grap2graph mrix,
+  /usr/bin/grn mrix,
+  /usr/bin/grodvi mrix,
+  /usr/bin/groffer mrix,
+  /usr/bin/grog mrix,
+  /usr/bin/grolbp mrix,
+  /usr/bin/grolj4 mrix,
+  /usr/bin/gropdf mrix,
+  /usr/bin/grops mrix,
+  /usr/bin/grotty mrix,
+  /usr/bin/gtbl mrix,
+  /usr/bin/hpftodit mrix,
+  /usr/bin/indxbib mrix,
+  /usr/bin/lkbib mrix,
+  /usr/bin/lookbib mrix,
+  /usr/bin/mmroff mrix,
+  /usr/bin/neqn mrix,
+  /usr/bin/pdfmom mrix,
+  /usr/bin/pdfroff mrix,
+  /usr/bin/pfbtops mrix,
+  /usr/bin/pic mrix,
+  /usr/bin/pic2graph mrix,
+  /usr/bin/post-grohtml mrix,
+  /usr/bin/pre-grohtml mrix,
+  /usr/bin/preconv mrix,
+  /usr/bin/refer mrix,
+  /usr/bin/roff2dvi mrix,
+  /usr/bin/roff2html mrix,
+  /usr/bin/roff2pdf mrix,
+  /usr/bin/roff2ps mrix,
+  /usr/bin/roff2text mrix,
+  /usr/bin/roff2x mrix,
+  /usr/bin/soelim mrix,
+  /usr/bin/tbl mrix,
+  /usr/bin/tfmtodit mrix,
+  /usr/bin/troff mrix,
+  /usr/bin/xtotroff mrix,
+
+  # at least its macros and fonts
+  /usr/libexec/groff/** r,
+  /usr/share/groff/** r,
+
+  # Include additions to the abstraction
+  include if exists <abstractions/groff.d>

profiles/apparmor.d/abstractions/kde

@@ -41,8 +41,11 @@ owner @{HOME}/.config/Trolltech.conf rwk,
 owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
 owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
 owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
+owner @{HOME}/.config/kdedefaults/kdeglobals r, # QPlatformThemeFactory::create() -> KDEPlasmaPlatformTheme.so
+owner @{HOME}/.config/kdedefaults/kwinrc r, # QStyleFactory::create() -> qt5/plugins/styles/breeze.so
 owner @{HOME}/.config/kdeglobals r, # global settings, used by Breeze style, etc.
 owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
+owner @{HOME}/.config/kwinrc r, # QStyleFactory::create() -> qt5/plugins/styles/breeze.so
 owner @{HOME}/.config/trashrc r, # Used by KFileWidget
 
 /usr/share/X11/XKeysymDB r,

profiles/apparmor.d/abstractions/nameservice

@@ -44,6 +44,7 @@
   @{run}/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
   @{etc_ro}/resolvconf/run/resolv.conf  r,
   @{run}/systemd/resolve/stub-resolv.conf r,
+  /mnt/wsl/resolv.conf r,
 
   @{etc_ro}/samba/lmhosts  r,
   @{etc_ro}/services       r,

profiles/apparmor.d/abstractions/nvidia

@@ -23,9 +23,13 @@
 
   @{sys}/devices/system/memory/block_size_bytes r,
 
+  owner @{HOME}/.cache/nvidia/ w,
+  owner @{HOME}/.cache/nvidia/GLCache/ rw,
+  owner @{HOME}/.cache/nvidia/GLCache/** rwk,
   owner @{HOME}/.nv/ w,
   owner @{HOME}/.nv/GLCache/ rw,
   owner @{HOME}/.nv/GLCache/** rwk,
+  owner @{PROC}/@{pid}/comm r, # somehwere in libnvidia-glcore.so
 
   unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"),
 

profiles/apparmor.d/abstractions/openssl

@@ -11,6 +11,7 @@
   abi <abi/3.0>,
 
   /etc/ssl/openssl.cnf r,
+  /etc/ssl/openssl-*.cnf r,
   /etc/ssl/{engdef,engines}.d/ r,
   /etc/ssl/{engdef,engines}.d/*.cnf r,
   /usr/share/ssl/openssl.cnf r,

profiles/apparmor.d/abstractions/samba

@@ -25,9 +25,10 @@
   /var/log/samba/cores/** rw,
   /var/log/samba/* w,
   @{run}/{,lock/}samba/ w,
-  @{run}/{,lock/}samba/*.tdb rw,
-  @{run}/{,lock/}samba/msg.lock/ rwk,
-  @{run}/{,lock/}samba/msg.lock/[0-9]* rwk,
+  @{run}/{,lock/}samba/*.tdb rwk,
+  @{run}/{,lock/}samba/msg.{lock,sock}/ rwk,
+  @{run}/{,lock/}samba/msg.{lock,sock}/[0-9]* rwk,
+  /var/cache/samba/*.tdb rwk,
   /var/cache/samba/msg.lock/ rwk,
   /var/cache/samba/msg.lock/[0-9]* rwk,
 

profiles/apparmor.d/abstractions/ssl_certs

@@ -17,7 +17,7 @@
   /etc/{,libre}ssl/certs/{,**} r,
   /{etc,usr/share}/pki/bl[ao]cklist/{,*} r,
   /{etc,usr/share}/pki/trust/{,*} r,
-  /{etc,usr/share}/pki/trust/anchors/{,**} r,
+  /{etc,usr/share}/pki/trust/{bl[oa]cklist,anchors}/{,**} r,
   /usr/share/ca-certificates/{,**} r,
   /usr/share/ssl/certs/ca-bundle.crt          r,
   /usr/local/share/ca-certificates/{,**} r,

profiles/apparmor.d/abstractions/ubuntu-helpers

@@ -79,6 +79,7 @@ profile sanitized_helper {
   /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome-sandbox PUxr,
   /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Pixr,
   /opt/brave.com/brave{,-beta,-dev,-nightly}/brave Pixr,
+  /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome_crashpad_handler Pixr,
   /opt/brave.com/brave{,-beta,-dev,-nightly}/{,**/}lib*.so{,.*} m,
 
   # Full access

profiles/apparmor.d/lsb_release

@@ -30,6 +30,8 @@ profile lsb_release {
   /{usr/,}bin/dash ixr,
   /usr/bin/basename ixr,
   /usr/bin/dpkg-query ixr,
+  /usr/bin/cat ixr,
+  /usr/bin/cut ixr,
   /usr/bin/getopt ixr,
   /usr/bin/sed ixr,
   /usr/bin/tr ixr,

profiles/apparmor.d/nvidia_modprobe

@@ -54,10 +54,10 @@ profile nvidia_modprobe {
     # System files
 
     /etc/modprobe.d/{,*.conf} r,
-    /etc/nvidia/current/*.conf r,
+    /etc/nvidia/{current,legacy*,tesla*}/*.conf r,
     @{sys}/module/ipmi_devintf/initstate r,
     @{sys}/module/ipmi_msghandler/initstate r,
-    @{sys}/module/nvidia/initstate r,
+    @{sys}/module/{drm,nvidia}/initstate r,
     @{PROC}/cmdline r,
   }
 

profiles/apparmor.d/php-fpm

@@ -35,6 +35,7 @@ profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) {
 
   # we need to be able to create all sockets
   @{run}/php{,-fpm}/php*-fpm.pid rw,
+  @{run}/php*-fpm.pid rw,
   @{run}/php{,-fpm}/php*-fpm.sock rwlk,
 
   # to reload

profiles/apparmor.d/samba-bgqd

@@ -14,9 +14,10 @@ profile samba-bgqd /usr/lib*/samba/{,samba/}samba-bgqd {
   @{PROC}/sys/kernel/core_pattern r,
   owner @{PROC}/@{pid}/fd/ r,
 
-  @{run}/samba/samba-bgqd.pid wk,
+  @{run}/{,samba/}samba-bgqd.pid rwk,
 
-  /usr/lib*/samba/{,samba/}samba-bgqd m,
+  /usr/lib*/samba/{,samba/}samba-bgqd mr,
+  /var/cache/samba/printing/*.tdb rwk,
 
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/samba-bgqd>

profiles/apparmor.d/samba-dcerpcd

@@ -16,10 +16,11 @@ include <tunables/global>
 profile samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {
   include <abstractions/samba-rpcd>
 
-  @{run}/samba/samba-dcerpcd.pid wk,
+  @{run}/{,samba/}samba-dcerpcd.pid rwk,
 
-  /usr/lib*/samba/{,samba/}samba-dcerpcd m,
+  /usr/lib*/samba/{,samba/}samba-dcerpcd mr,
 
+  /usr/lib*/samba/ r,
   /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} Px -> samba-rpcd,
   /usr/lib*/samba/{,samba/}rpcd_classic Px -> samba-rpcd-classic,
   /usr/lib*/samba/{,samba/}rpcd_spoolss Px -> samba-rpcd-spoolss,

profiles/apparmor.d/samba-rpcd

@@ -15,7 +15,10 @@ include <tunables/global>
 
 profile samba-rpcd /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} {
   include <abstractions/samba-rpcd>
-  /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} m,
+  /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} mr,
+
+  @{run}/samba/ncalrpc/np/winreg wr,
+
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/samba-rpcd>
 }

profiles/apparmor.d/samba-rpcd-classic

@@ -17,7 +17,7 @@ profile samba-rpcd-classic /usr/lib*/samba/{,samba/}rpcd_classic {
   include <abstractions/samba-rpcd>
   include <abstractions/wutmp>
 
-  /usr/lib*/samba/{,samba/}rpcd_classic m,
+  /usr/lib*/samba/{,samba/}rpcd_classic mr,
 
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/samba-rpcd-classic>

profiles/apparmor.d/samba-rpcd-spoolss

@@ -16,8 +16,16 @@ include <tunables/global>
 profile samba-rpcd-spoolss /usr/lib*/samba/{,samba/}rpcd_spoolss {
   include <abstractions/samba-rpcd>
 
-  /usr/lib*/samba/{,samba/}rpcd_spoolss m,
+  /usr/lib*/samba/{,samba/}rpcd_spoolss mr,
   /usr/lib*/samba/{,samba/}samba-bgqd Px -> samba-bgqd,
+  /var/cache/samba/printing/ w,
+  /var/cache/samba/printing/*.tdb rwk,
+  @{run}/{,samba/}samba-bgqd.pid rk,
+
+  /dev/urandom rw,
+
+  @{run}/samba/ncalrpc/ rw,
+  @{run}/samba/ncalrpc/** rw,
 
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/samba-rpcd-spoolss>

profiles/apparmor.d/sbin.syslog-ng

@@ -61,6 +61,7 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
   /{var,var/run,run}/log/journal/ r,
   /{var,var/run,run}/log/journal/*/ r,
   /{var,var/run,run}/log/journal/*/*.journal r,
+  /{var,var/run,run}/log/journal/*.journal r,
   @{run}/syslog-ng.ctl a,
   @{run}/syslog-ng/additional-log-sockets.conf r,
 

profiles/apparmor.d/usr.sbin.avahi-daemon

@@ -1,7 +1,7 @@
 abi <abi/3.0>,
 
 include <tunables/global>
-profile avahi-daemon /usr/{bin,sbin}/avahi-daemon {
+profile avahi-daemon /usr/{bin,sbin}/avahi-daemon flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/dbus>

profiles/apparmor.d/usr.sbin.dnsmasq

@@ -111,19 +111,26 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
   @{run}/containers/cni/dnsname/*/dnsmasq.conf r,
   @{run}/containers/cni/dnsname/*/addnhosts r,
   @{run}/containers/cni/dnsname/*/pidfile rw,
+  owner @{run}/user/*/containers/cni/dnsname/*/dnsmasq.conf r,
+  owner @{run}/user/*/containers/cni/dnsname/*/addnhosts r,
+  owner @{run}/user/*/containers/cni/dnsname/*/pidfile rw,
+
+  # waydroid lxc-net pid file
+  @{run}/waydroid-lxc/dnsmasq.pid rw,
 
   profile libvirt_leaseshelper {
     include <abstractions/base>
 
     /etc/libnl-3/classid r,
 
-    /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
-    /usr/libexec/libvirt_leaseshelper m,
+    /usr/lib{,64}/libvirt/libvirt_leaseshelper mr,
+    /usr/libexec/libvirt_leaseshelper mr,
 
     owner @{PROC}/@{pid}/net/psched r,
     owner @{PROC}/@{pid}/status r,
 
     @{sys}/devices/system/cpu/ r,
+    @{sys}/devices/system/cpu/possible r,
     @{sys}/devices/system/node/ r,
     @{sys}/devices/system/node/*/meminfo r,
 

profiles/apparmor.d/usr.sbin.nscd

@@ -41,6 +41,10 @@ profile nscd /usr/{bin,sbin}/nscd {
   @{PROC}/@{pid}/fd/* r,
   @{PROC}/@{pid}/mounts r,
 
+  # systemd-userdb
+  /{etc,run,run/host,/usr/lib}/userdb/ r,
+  /{etc,run,run/host,/usr/lib}/userdb/*.{user,user-privileged,group,group-privileged} r,
+
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/usr.sbin.nscd>
 }

profiles/apparmor.d/usr.sbin.smbd

@@ -49,14 +49,14 @@ profile smbd /usr/{bin,sbin}/smbd {
   /usr/{bin,sbin}/smbldap-useradd Px,
   /var/cache/samba/** rwk,
   /var/{cache,lib}/samba/printing/printers.tdb mrw,
+  /var/lib/nscd/netgroup r,
   /var/lib/samba/** rwk,
   /var/lib/sss/pubconf/kdcinfo.* r,
   @{run}/dbus/system_bus_socket rw,
-  @{run}/smbd.pid rwk,
+  @{run}/{,samba/}smbd.pid rwk,
   @{run}/samba/** rk,
   @{run}/samba/ncalrpc/ rw,
   @{run}/samba/ncalrpc/** rw,
-  @{run}/samba/smbd.pid rw,
   /var/spool/samba/** rw,
 
   @{HOMEDIRS}/** lrwk,

profiles/apparmor/profiles/extras/postfix-tlsmgr

@@ -17,6 +17,7 @@ include <tunables/global>
 profile postfix-tlsmgr /usr/lib/postfix/{bin/,sbin/,}tlsmgr {
   include <abstractions/base>
   include <abstractions/nameservice>
+  include <abstractions/openssl>
   include <abstractions/postfix-common>
 
   /usr/lib/postfix/{bin/,sbin/,}tlsmgr mrix,

tests/regression/apparmor/Makefile

@@ -67,8 +67,8 @@ system aa-exec by adding USE_SYSTEM=1 to your make command.${nl}\
   LDLIBS += -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread
 endif # USE_SYSTEM
 
-+SYSCTL_INCLUDE="\#include <sys/sysctl.h>"
-+USE_SYSCTL:=$(shell echo $(SYSCTL_INCLUDE) | cpp -dM >/dev/null 2>/dev/null && echo true)
+SYSCTL_INCLUDE="\#include <sys/sysctl.h>"
+USE_SYSCTL:=$(shell echo $(SYSCTL_INCLUDE) | cpp -dM >/dev/null 2>/dev/null && echo true)
 
 CFLAGS += -g -O0 $(EXTRA_WARNINGS)
 

utils/apparmor/aa.py

@@ -1642,7 +1642,7 @@ def collapse_log(hashlog, ignore_null_profiles=True):
                                             elif access == 'eavesdrop':
                                                 dbus_event = DbusRule(access, bus, DbusRule.ALL,    DbusRule.ALL,   DbusRule.ALL, DbusRule.ALL, DbusRule.ALL,   DbusRule.ALL, log_event=True)
                                             else:
-                                                raise AppArmorBug('unexpected dbus access: %s')
+                                                raise AppArmorBug('unexpected dbus access: {}'.format(access))
 
                                             if not hat_exists or not is_known_rule(aa[profile][hat], 'dbus', dbus_event):
                                                 log_dict[aamode][profile][hat]['dbus'].add(dbus_event)

utils/apparmor/common.py

@@ -10,7 +10,6 @@
 # ------------------------------------------------------------------
 
 from __future__ import print_function
-import codecs
 import collections
 import glob
 import logging
@@ -207,7 +206,7 @@ def open_file_anymode(mode, path, encoding='UTF-8'):
     if sys.version_info[0] < 3:
         errorhandling = 'replace'
 
-    orig = codecs.open(path, mode, encoding, errors=errorhandling)
+    orig = open(path, mode, encoding=encoding, errors=errorhandling)
 
     return orig
 

utils/apparmor/logparser.py

@@ -104,6 +104,7 @@ class ReadLog:
         ev['family'] = event.net_family
         ev['protocol'] = event.net_protocol
         ev['sock_type'] = event.net_sock_type
+        ev['class'] = event._class
 
         if event.ouid != ctypes.c_ulong(-1).value:  # ULONG_MAX
             ev['fsuid'] = event.fsuid
@@ -250,7 +251,7 @@ class ReadLog:
             self.hashlog[aamode][full_profile]['signal'][e['peer']][e['denied_mask']][e['signal']]= True
             return None
 
-        elif e['operation'].startswith('dbus_'):
+        elif e['operation'] and e['operation'].startswith('dbus_'):
             self.hashlog[aamode][full_profile]['dbus'][e['denied_mask']][e['bus']][e['path']][e['name']][e['interface']][e['member']][e['peer_profile']] = True
             return None
 
@@ -336,7 +337,9 @@ class ReadLog:
     def op_type(self, event):
         """Returns the operation type if known, unkown otherwise"""
 
-        if ( event['operation'].startswith('file_') or event['operation'].startswith('inode_') or event['operation'] in self.OP_TYPE_FILE_OR_NET ):
+        if event['operation'] and (event['operation'].startswith('file_') or
+                                   event['operation'].startswith('inode_') or
+                                   event['operation'] in self.OP_TYPE_FILE_OR_NET):
             # file or network event?
             if event['family'] and event['protocol'] and event['sock_type']:
                 # 'unix' events also use keywords like 'connect', but protocol is 0 and should therefore be filtered out

utils/apparmor/severity.py

@@ -168,9 +168,9 @@ class Severity(object):
             leading = True
         if resource.find(variable + "/") != -1 and resource.find(variable + "//") == -1:
             trailing = True
-        if replacement[0] == '/' and replacement[:2] != '//' and leading:  # finds if the replacement has leading / or not
+        if replacement.startswith('/') and not replacement.startswith('//') and leading:  # finds if the replacement has leading / or not
             replacement = replacement[1:]
-        if replacement[-1] == '/' and replacement[-2:] != '//' and trailing:
+        if replacement.endswith('/') and not replacement.endswith('//') and trailing:
             replacement = replacement[:-1]
         return resource.replace(variable, replacement)
 

utils/test/test-capability.py

@@ -122,6 +122,7 @@ class CapabilityTest(AATest):
             'family': None,
             'protocol': None,
             'sock_type': None,
+            'class': None,
         })
 
         obj = CapabilityRule(parsed_event['name'], log_event=parsed_event)

utils/test/test-change_profile.py

@@ -123,6 +123,7 @@ class ChangeProfileTestParseFromLog(ChangeProfileTest):
             'family': None,
             'protocol': None,
             'sock_type': None,
+            'class': None,
         })
 
         obj = ChangeProfileRule(None, ChangeProfileRule.ALL, parsed_event['name2'], log_event=parsed_event)

utils/test/test-dbus.py

@@ -154,6 +154,7 @@ class DbusTestParseFromLog(DbusTest):
             'family': None,
             'protocol': None,
             'sock_type': None,
+            'class': None,
         })
 
 # XXX send rules must not contain name conditional, but the log event includes it - how should we handle this in logparser.py?

utils/test/test-file.py

@@ -169,6 +169,7 @@ class FileTestParseFromLog(FileTest):
             'family': None,
             'protocol': None,
             'sock_type': None,
+            'class': None,
         })
 
         #FileRule#     path,                 perms,                         exec_perms, target,         owner,  file_keyword,   leading_perms

utils/test/test-logparser.py

@@ -95,6 +95,7 @@ class TestParseEvent(AATest):
             'family': None,
             'protocol': None,
             'sock_type': None,
+            'class': None,
         })
 
         self.assertIsNotNone(ReadLog.RE_LOG_ALL.search(event))

utils/test/test-network.py

@@ -122,6 +122,7 @@ class NetworkTestParseFromLog(NetworkTest):
             'attr': None,
             'name2': None,
             'name': None,
+            'class': None,
         })
 
         obj = NetworkRule(parsed_event['family'], parsed_event['sock_type'], log_event=parsed_event)

utils/test/test-parser-simple-tests.py

@@ -458,7 +458,7 @@ def parse_test_profiles(file_with_path):
         if line.startswith('#=EXRESULT '):
             exresult = line.split()[1]
             if exresult == 'PASS':
-                exresult == True
+                exresult = True
                 exresult_found = True
             elif exresult == 'FAIL':
                 exresult = False

utils/test/test-ptrace.py

@@ -112,6 +112,7 @@ class PtraceTestParseFromLog(PtraceTest):
             'family': None,
             'protocol': None,
             'sock_type': None,
+            'class': None,
         })
 
         obj = PtraceRule(parsed_event['denied_mask'], parsed_event['peer'], log_event=parsed_event)

utils/test/test-signal.py

@@ -117,6 +117,7 @@ class SignalTestParseFromLog(SignalTest):
             'family': None,
             'protocol': None,
             'sock_type': None,
+            'class': None,
         })
 
         obj = SignalRule(parsed_event['denied_mask'], parsed_event['signal'], parsed_event['peer'], log_event=parsed_event)